diff --git a/app.te b/app.te
index 22a393e24..b3cd7ccfb 100644
--- a/app.te
+++ b/app.te
@@ -24,8 +24,6 @@ allow platform_app shell_data_file:file { open getattr read };
 allow platform_app shell_data_file:lnk_file read;
 # Populate /data/app/vmdl*.tmp file created by system server.
 allow platform_app apk_tmp_file:file rw_file_perms;
-# Read /dev/xt_qtaguid
-allow platform_app qtaguid_device:chr_file r_file_perms;
 # ASEC
 allow platform_app asec_apk_file:dir create_dir_perms;
 allow platform_app asec_apk_file:file create_file_perms;
@@ -43,8 +41,6 @@ allow media_app mtp_device:chr_file rw_file_perms;
 # Write to /cache.
 allow media_app cache_file:dir rw_dir_perms;
 allow media_app cache_file:file create_file_perms;
-# Read /dev/xt_qtaguid
-allow media_app qtaguid_device:chr_file r_file_perms;
 
 # Apps signed with the shared key.
 type shared_app, domain;
@@ -69,8 +65,6 @@ net_domain(release_app)
 bluetooth_domain(release_app)
 # Read logs.
 allow release_app log_device:chr_file read;
-# Read /dev/xt_qtaguid
-allow release_app qtaguid_device:chr_file r_file_perms;
 
 # Services with isolatedProcess=true in their manifest.
 # In order for isolated_apps to interact with apps that have levelFromUid=true
@@ -185,6 +179,9 @@ allow appdomain anr_data_file:file { open append };
 
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
+# Everybody can read the xt_qtaguid resource tracking misc dev.
+# So allow all apps to read from /dev/xt_qtaguid.
+allow appdomain qtaguid_device:chr_file r_file_perms;
 
 # Use the Binder.
 binder_use(appdomain)
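Review bot: The new `allow appdomain qtaguid_device:chr_file r_file_perms;` in the last hunk is justified only by the device node being world-readable, which describes the DAC mode rather than why every app domain needs the access under MAC. The three removed rules covered platform_app, media_app and release_app, while the attribute-wide rule extends read access to every domain carrying `appdomain`. That presumably includes the isolatedProcess services described earlier in the file, which are meant to be the most constrained. I would replace the comment with the functional reason, for example `# Apps that tag sockets through /proc/net/xt_qtaguid/ctrl also need to open /dev/xt_qtaguid.`, if that is the actual dependency. If the sandboxed domain does not need it, the rule could be scoped as `allow { appdomain -isolated_app } qtaguid_device:chr_file r_file_perms;`.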