diff --git a/app.te b/app.te
index 89c81cf89..40ec61079 100644
--- a/app.te
+++ b/app.te
@@ -119,11 +119,6 @@ allow appdomain media_rw_data_file:file { read getattr };
 # Read and write /data/data/com.android.providers.telephony files passed over Binder.
 allow appdomain radio_data_file:file { read write getattr };
 
-# Read and write system app data files passed over Binder.
-# Motivating case was /data/data/com.android.settings/cache/*.jpg for
-# cropping or taking user photos.
-allow untrusted_app system_app_data_file:file { read write getattr };
-
 # Access SDcard via the fuse mount.
 allow appdomain fuse:dir create_dir_perms;
 allow appdomain fuse:file create_file_perms;
diff --git a/untrusted_app.te b/untrusted_app.te
index 91cb46ac6..92d2cf40b 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -47,6 +47,11 @@ create_pty(untrusted_app)
 allow untrusted_app shell_data_file:file r_file_perms;
 allow untrusted_app shell_data_file:dir r_dir_perms;
 
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow untrusted_app system_app_data_file:file { read write getattr };
+
 #
 # Rules migrated from old app domains coalesced into untrusted_app.
 # This includes what used to be media_app, shared_app, and release_app.
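Review bot: The comment above `allow untrusted_app system_app_data_file:file { read write getattr };` in the untrusted_app.te hunk does not say that `open` is left out on purpose, yet that omission is what limits untrusted apps to descriptors a system app hands them over Binder. A later edit that swaps the permission set for a macro such as `rw_file_perms` (the neighbouring shell_data_file rules use `r_file_perms`) would add `open` and turn this into path-based access to system app data. I would add a line such as `# open is intentionally not granted: only already-open fds received over Binder are usable.` Whether `write` is still required beyond the photo-cropping case cannot be told from this hunk and is worth confirming while the rule is being moved.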