diff --git a/public/domain.te b/public/domain.te
index 2bf0be312..af4d03e35 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -383,6 +383,7 @@ neverallow {
 -init
 -mediadrmserver
 -recovery
+ -shell
 -system_server
 } serialno_prop:file r_file_perms;
diff --git a/public/shell.te b/public/shell.te
index 2fe0fc741..5f7af0b48 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -72,6 +72,9 @@ userdebug_or_eng(`
 set_prop(shell, persist_debug_prop)
 ')
+# Read device's serial number from system properties
+get_prop(shell, serialno_prop)
+
 # allow shell access to services
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
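Review bot: The new `-shell` entry in the `serialno_prop` neverallow exemption set carries no rationale. This list is the compile-time backstop that keeps a persistent device identifier out of general domains, so each exemption should say why it exists. I would add a comment next to the entry, for example `# shell: serial number is read over adb; the matching grant is in shell.te`. That way a later audit can tell a deliberate exemption from an accidental one. The neverallow block starts above the hunk, so the rest of the exempted set is not visible here and may already follow a different commenting convention.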
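Review bot: `get_prop(shell, serialno_prop)` is granted unconditionally, while the `set_prop(shell, persist_debug_prop)` rule just above it is inside `userdebug_or_eng`. As written, every process in the shell domain can read the serial number on user builds as well. If that is intended, the comment should say so, for example `# Read device's serial number from system properties. Granted on user builds too; shell is exempted from the serialno_prop neverallow in domain.te.` If the access is only needed for debugging, the rule presumably belongs inside the `userdebug_or_eng` block instead.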