diff --git a/private/app.te b/private/app.te
index 3c6e5d02d..3f838a6b9 100644
--- a/private/app.te
+++ b/private/app.te
@@ -176,7 +176,6 @@ allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usbaccesso
 control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
 
 # application inherit logd write socket (urge is to deprecate this long term)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore_key { get_state get insert delete exist list sign verify };
 allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
 
 allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index 21349df17..62be63c1e 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -18,7 +18,6 @@ allow binderservicedomain appdomain:fifo_file write;
 # allow all services to run permission checks
 allow binderservicedomain permission_service:service_manager find;
 
-allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
 allow binderservicedomain keystore:keystore2 { get_state };
 allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
 
diff --git a/private/domain.te b/private/domain.te
index 1ecb7b6d7..0861fa50e 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -214,7 +214,6 @@ neverallow {
 } self:global_capability_class_set sys_ptrace;
 
 # Limit ability to generate hardware unique device ID attestations to priv_apps
-neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
 neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
 neverallow { domain -system_server } *:keystore2_key use_dev_id;
 neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index b662f4fe5..859c2ec67 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -36,7 +36,6 @@ allow gmscore_app perfetto:fd use;
 allow gmscore_app perfetto_traces_data_file:file { read getattr };
 
 # Allow GMS core to generate unique hardware IDs
-allow gmscore_app keystore:keystore_key gen_unique_id;
 allow gmscore_app keystore:keystore2_key gen_unique_id;
 
 # Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
diff --git a/private/keystore.te b/private/keystore.te
index cd2ef76d5..73961ac06 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -26,7 +26,7 @@ get_prop(keystore, device_config_remote_key_provisioning_native_prop)
 # Allow keystore to write to statsd.
 unix_socket_send(keystore, statsdw, statsd)
 
-# Keystore need access to the keystore_key context files to load the keystore key backend.
+# Keystore need access to the keystore2_key_contexts file to load the keystore key backend.
 allow keystore keystore2_key_contexts_file:file r_file_perms;
 
 # Allow keystore to listen to changing boot levels
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 3833971fc..868bf15e4 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -4,10 +4,10 @@
 # <namespace> <label>
 #
 # <namespace> must be an integer in the interval [0 ...  2^31)
-# su_key is a keystore_key namespace for the su domain intended for native tests.
+# su_key is a keystore2_key namespace for the su domain intended for native tests.
 0              u:object_r:su_key:s0
 
-# shell_key is a keystore_key namespace for the shell domain intended for native tests.
+# shell_key is a keystore2_key namespace for the shell domain intended for native tests.
 1              u:object_r:shell_key:s0
 
 # vold_key is a keystore2_key namespace for vold. It allows using raw Keymint blobs.
diff --git a/private/system_app.te b/private/system_app.te
index d0d88e90e..4f344cc64 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -120,26 +120,6 @@ dontaudit system_app debugfs_tracing:file rw_file_perms;
 # Ignore access to zram when Debug.getMemInfo is called.
 dontaudit system_app sysfs_zram:dir search;
 
-allow system_app keystore:keystore_key {
-    get_state
-    get
-    insert
-    delete
-    exist
-    list
-    reset
-    password
-    lock
-    unlock
-    is_empty
-    sign
-    verify
-    grant
-    duplicate
-    clear_uid
-    user_changed
-};
-
 allow system_app keystore:keystore2_key {
     delete
     get_info
diff --git a/private/system_server.te b/private/system_server.te
index c3a56b509..a09dd44e6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -973,27 +973,6 @@ userdebug_or_eng(`
 
 add_service(system_server, batteryproperties_service)
 
-allow system_server keystore:keystore_key {
-	get_state
-	get
-	insert
-	delete
-	exist
-	list
-	reset
-	password
-	lock
-	unlock
-	is_empty
-	sign
-	verify
-	grant
-	duplicate
-	clear_uid
-	add_auth
-	user_changed
-};
-
 allow system_server keystore:keystore2 {
 	add_auth
 	change_password
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index 8cf24111b..eab38ddc3 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -17,7 +17,6 @@ allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
 
 # Need to add auth tokens to KeyStore
 use_keystore(fingerprintd)
-allow fingerprintd keystore:keystore_key { add_auth };
 allow fingerprintd keystore:keystore2 { add_auth };
 
 # For permissions checking
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index d48c5f82d..0035bc6bf 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -22,7 +22,6 @@ add_service(gatekeeperd, gatekeeper_service)
 
 # Need to add auth tokens to KeyStore
 use_keystore(gatekeeperd)
-allow gatekeeperd keystore:keystore_key { add_auth };
 allow gatekeeperd keystore:keystore2 { add_auth };
 allow gatekeeperd authorization_service:service_manager find;
 
diff --git a/public/racoon.te b/public/racoon.te
index 00d10a46b..b0383f060 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -25,10 +25,3 @@ allow racoon vpn_data_file:file create_file_perms;
 allow racoon vpn_data_file:dir w_dir_perms;
 
 use_keystore(racoon)
-
-# Racoon (VPN) has a restricted set of permissions from the default.
-allow racoon keystore:keystore_key {
-	get
-	sign
-	verify
-};
diff --git a/public/su.te b/public/su.te
index bcdc32285..28877409c 100644
--- a/public/su.te
+++ b/public/su.te
@@ -48,7 +48,6 @@ userdebug_or_eng(`
   dontaudit su servicemanager:service_manager list;
   dontaudit su hwservicemanager:hwservice_manager list;
   dontaudit su vndservicemanager:service_manager list;
-  dontaudit su keystore:keystore_key *;
   dontaudit su keystore:keystore2 *;
   dontaudit su domain:drmservice *;
   dontaudit su unlabeled:filesystem *;
diff --git a/public/wificond.te b/public/wificond.te
index 98db0d728..1bd89f5a6 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -33,11 +33,8 @@ hwbinder_use(wificond)
 typeattribute wificond wifi_keystore_service_server;
 add_hwservice(wificond, system_wifi_keystore_hwservice)
 
-# Allow keystore binder access to serve the HwBinder service.
-allow wificond keystore_service:service_manager find;
-allow wificond keystore:keystore_key get;
-
 # Allow keystore2 binder access to serve the HwBinder service.
+allow wificond keystore_service:service_manager find;
 allow wificond wifi_key:keystore2_key {
     get_info
     use