diff --git a/bootanim.te b/bootanim.te
index 159fd9ea45ce59c4866e55d9c726b427e0d5df64..550c6dc2aece0d0856f5ea89183142b9405198e2 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -28,9 +28,7 @@ allow bootanim ion_device:chr_file rw_file_perms;
 # Read access to pseudo filesystems.
 r_dir_file(bootanim, proc)
 r_dir_file(bootanim, sysfs)
-r_dir_file(bootanim, sysfs_devices_system_cpu)
 r_dir_file(bootanim, cgroup)
-allow bootanim proc_cpuinfo:file r_file_perms;
 
 # System file accesses.
 allow bootanim system_file:dir r_dir_perms;
diff --git a/domain.te b/domain.te
index 15594ef6ae91306b2a2ea83e401e5c1770e15fb7..79fb9c6be575cc4fe4f3984e4395c8869337cd9e 100644
--- a/domain.te
+++ b/domain.te
@@ -109,6 +109,9 @@ allow domain system_data_file:lnk_file read;
 # required by the dynamic linker
 allow domain proc:lnk_file read;
 
+# /proc/cpuinfo
+allow domain proc_cpuinfo:file r_file_perms;
+
 # toybox loads libselinux which stats /sys/fs/selinux/
 allow domain selinuxfs:file getattr;
 allow domain sysfs:dir search;
diff --git a/domain_deprecated.te b/domain_deprecated.te
index cd1a08c3b20072829b96e107a452e67aa8bc477a..7be9a3e8c7f9d874cf2792ceea282ee30917fc3a 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -66,7 +66,6 @@ r_dir_file(domain_deprecated, sysfs)
 r_dir_file(domain_deprecated, inotify)
 r_dir_file(domain_deprecated, cgroup)
 r_dir_file(domain_deprecated, proc_net)
-allow domain_deprecated proc_cpuinfo:file r_file_perms;
 
 # Get SELinux enforcing status.
 allow domain_deprecated selinuxfs:dir r_dir_perms;
diff --git a/shell.te b/shell.te
index 9622905b4400103177033687b75da466f1c20f5d..1ae7169e5af0ebc6cdccac55a2c9928c1bf9ff87 100644
--- a/shell.te
+++ b/shell.te
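Review bot: The new `allow domain proc_cpuinfo:file r_file_perms;` in domain.te widens /proc/cpuinfo read access from the two domains whose scoped rules this commit removes (bootanim, domain_deprecated) to every domain in the policy, and the one-line comment `# /proc/cpuinfo` gives no reason why it has to be policy-wide rather than per-domain. A blanket rule in domain.te is the hardest kind to tighten later, so the comment should name the consumer that runs in every process and justifies it, e.g. `# /proc/cpuinfo: read by <library> in every process for CPU-feature detection (b/NNN)`, with the actual consumer and bug filled in. Since `domain` presumably includes untrusted app domains, it is also worth confirming that the kernels this policy targets do not expose per-device identifying fields (some ARM kernels print a Serial line in cpuinfo) before making the file readable to everything; if they do, a note to that effect belongs next to the rule. Note that `r_file_perms` is defined outside this diff and likely grants more than read (open/getattr/lock/ioctl), so a narrower permission set may be sufficient if only read is needed.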
@@ -96,6 +96,13 @@ r_dir_file(shell, cgroup)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };
+# statvfs() of /proc and other labeled filesystems
+# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
+allow shell { proc labeledfs }:filesystem getattr;
+
+# stat() of /dev
+allow shell device:dir getattr;
+
 # allow shell to read /proc/pid/attr/current for ps -Z
 allow shell domain:process getattr;