diff --git a/private/system_server.te b/private/system_server.te
index 27ad51c41..a2aa2590b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -770,9 +770,6 @@ allow system_server cache_private_backup_file:file create_file_perms;
 allow system_server usb_device:chr_file rw_file_perms;
 allow system_server usb_device:dir r_dir_perms;
-# Read from HW RNG (needed by EntropyMixer).
-allow system_server hw_random_device:chr_file r_file_perms;
-
 # Read and delete files under /dev/fscklogs.
 r_dir_file(system_server, fscklogs)
 allow system_server fscklogs:dir { write remove_name };
diff --git a/public/domain.te b/public/domain.te
index 6b29595fc..81163d109 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -403,13 +403,11 @@ neverallow * kernel:security setbool;
 # that could be set from init.rc.
 neverallow { domain -init } kernel:security setsecparam;
-# Only init, ueventd, shell and system_server should be able to access HW RNG
+# Only the kernel hwrng thread should be able to read from the HW RNG.
 neverallow {
   domain
-  -init
-  -shell # For CTS and is restricted to getattr in shell.te
-  -system_server
-  -ueventd
+  -shell # For CTS, restricted to just getattr in shell.te
+  -ueventd # To create the /dev/hw_random file
 } hw_random_device:chr_file *;
 # b/78174219 b/64114943
 neverallow {
diff --git a/public/init.te b/public/init.te
index e546ecea3..069f17d7f 100644
--- a/public/init.te
+++ b/public/init.te
@@ -309,7 +309,6 @@ allow init {
   devpts
   dm_device
   hwbinder_device
-  hw_random_device
   input_device
   kmsg_device
   null_device
@@ -324,6 +323,7 @@ allow init {
 # chown/chmod on devices.
 allow init {
   dev_type
+  -hw_random_device
   -keychord_device
   -port_device
 }:chr_file setattr;
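Review bot: The new comment in the domain.te hunk states that only the kernel hwrng thread may read the HW RNG, yet the rule still exempts ueventd from every chr_file permission (`*`) while its inline comment justifies only creating the device node, so nothing in this hunk would stop a later allow rule from giving ueventd read access. If node creation is really all ueventd needs, a narrower companion rule would pin the stated intent, e.g. `neverallow ueventd hw_random_device:chr_file { read open ioctl };` — worth confirming against ueventd's own rules, which are outside this diff. The shell exemption's "restricted to just getattr" claim likewise depends on shell.te, which this change does not touch. Dropping `-init` and `-system_server` here also means any device-specific policy that still grants either domain hw_random_device access will now fail the neverallow check at build time, which is probably intended but worth calling out in the commit message.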
@@ -533,10 +533,6 @@ allow init kernel:process { getsched setsched };
 # system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
 allow init swap_block_device:blk_file rw_file_perms;
-# Read from /dev/hw_random if present.
-# system/core/init/init.c - mix_hwrng_into_linux_rng_action
-allow init hw_random_device:chr_file r_file_perms;
-
 # Create and access /dev files without a specific type,
 # e.g. /dev/.coldboot_done, /dev/.booting
 # TODO: Move these files into their own type unless they are
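Review bot: The removed comment pointed at `system/core/init/init.c - mix_hwrng_into_linux_rng_action`, and together with the two earlier init.te hunks (the chr_file list and the setattr exclusion) init is left with no access to hw_random_device at all, so if that init action has not been removed in the same change init will hit an SELinux denial while seeding the kernel RNG at boot. The init.c side is not visible in this diff, so the landing order of the two changes is worth confirming. A one-line note near the remaining device rules, such as `# /dev/hw_random is no longer read by init; the kernel hwrng thread seeds the RNG`, would keep a future reader from re-adding the rule.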