diff --git a/app.te b/app.te
index 13900b192ea3d2ddec586a9da3c9af90aab25ce6..7700ab7c3a2960fffea8e33875ab8544bdfd8848 100644
--- a/app.te
+++ b/app.te
@@ -314,8 +314,8 @@ neverallow appdomain
     { create write setattr relabelfrom relabelto append unlink link rename };
 
 # Access to factory files.
-neverallow appdomain
-    efs_file:dir_file_class_set { read write };
+neverallow appdomain efs_file:dir_file_class_set write;
+neverallow { appdomain -shell } efs_file:dir_file_class_set read;
 
 # Write to various pseudo file systems.
 neverallow { appdomain -bluetooth -nfc }