diff --git a/assert.te b/assert.te
index 1f12c5eed..85cb48be8 100644
--- a/assert.te
+++ b/assert.te
@@ -16,7 +16,7 @@ neverallow appdomain kmem_device:chr_file { read write };
 
 # Setting SELinux enforcing status or booleans.
 # Conditionally allowed to system_app for SEAndroidManager.
-neverallow { appdomain -system_app } kernel:security { setenforce setbool };
+neverallow { domain -unconfineddomain -system -system_app } kernel:security { setenforce setbool };
 
 # Load security policy.
 neverallow appdomain kernel:security load_policy;