diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index fa7f12c98..ac81c90c9 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -15,12 +15,6 @@ allow microdroid_manager vd_device:blk_file r_file_perms;
 domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
 domain_auto_trans(microdroid_manager, compos_exec, compos)
-# Let microdroid_manager exec other files (e.g. payload command) in the same domain.
-# TODO(b/189706019) we need to a domain for the app process.
-allow microdroid_manager system_file:file execute_no_trans;
-# Until then, allow microdroid_manager to execute the shell or other system executables.
-allow microdroid_manager {shell_exec toolbox_exec}:file rx_file_perms;
-
 # Let microdroid_manager kernel-log.
 allow microdroid_manager kmsg_device:chr_file w_file_perms;
@@ -28,11 +22,12 @@ allow microdroid_manager kmsg_device:chr_file w_file_perms;
 set_prop(microdroid_manager, vmsecret_keymint_prop);
 # Let microdroid_manager read a config file from /mnt/apk (fusefs)
-# TODO(b/188400186) remove the below two rules
+# TODO(b/188400186) remove the below rule
 userdebug_or_eng(`
-  allow microdroid_manager fuse:dir r_dir_perms;
-  allow microdroid_manager fuse:file rx_file_perms;
+  r_dir_file(microdroid_manager, fuse)
 ')
 # Let microdroid_manager to create a vsock connection back to the host VM
 allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
+
+neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
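Review bot: The new `neverallow` at the end of the second hunk has no comment stating the invariant it enforces, while every other rule in this file carries one; a reader will not know that it deliberately closes the gap the first hunk's removed `execute_no_trans` and `rx_file_perms` rules left open. Suggest adding above it `# Payloads must run in their own domain (see the domain_auto_trans rules above); microdroid_manager must never execute anything in its own domain.` so the assertion is not loosened later without understanding why it exists. Note that the `userdebug_or_eng` block is also narrowed here from `rx_file_perms` to the `r_dir_file` macro, which, if I recall its expansion correctly, adds read access on `lnk_file` alongside `dir` and `file` — harmless for reading a config, but worth confirming against te_macros, and the "remove the below rule" TODO now points at a macro rather than a bare rule. The `neverallow` constrains only `execute_no_trans`, so the `execute` permission needed by the existing `domain_auto_trans` transitions is unaffected, which appears to be the intent.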