diff --git a/private/atrace.te b/private/atrace.te
index fc2751764dc51f27fefb9c17a3880e9f42a71c71..3d7902fe982ad866862344bb71603242ddf27553 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -14,6 +14,7 @@ userdebug_or_eng(`
   # Allow atrace to access tracefs.
   allow atrace debugfs_tracing:dir r_dir_perms;
   allow atrace debugfs_tracing:file rw_file_perms;
+  allow atrace debugfs_tracing_debug:dir r_dir_perms;
   allow atrace debugfs_tracing_debug:file rw_file_perms;
   allow atrace debugfs_trace_marker:file getattr;
 
diff --git a/private/domain.te b/private/domain.te
index 46d3189130595d3ed35e332fceb001b74bde7c86..aa35ff9bb02a010808bd418e6282be066a34f4d9 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -17,6 +17,13 @@ neverallow {
 # Limit ability to generate hardware unique device ID attestations to priv_apps
 neverallow { domain -priv_app } *:keystore_key gen_unique_id;
 
+neverallow {
+  domain
+  -init
+  -vendor_init
+  userdebug_or_eng(`-domain')
+} debugfs_tracing_debug:file no_rw_file_perms;
+
 # Core domains are not permitted to use kernel interfaces which are not
 # explicitly labeled.
 # TODO(b/65643247): Apply these neverallow rules to all coredomain.
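Review bot: The new neverallow on `debugfs_tracing_debug:file` has no comment, unlike the rule directly above it, and its `-domain` term wrapped in userdebug_or_eng is easy to misread. On debug builds that term subtracts every domain, so the rule constrains user builds only. A comment above the block such as `# On user builds only init and vendor_init may read or write debug-only tracing files.` would make that explicit. The rule covers only the `file` class and exempts `vendor_init`; whether vendor_init needs that access on user builds cannot be told from this hunk and is worth confirming.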
@@ -60,7 +67,7 @@ full_treble_only(`
     userdebug_or_eng(`-perfprofd')
     userdebug_or_eng(`-traced_probes')
     -shell
-    userdebug_or_eng(`-traceur_app')
+    -traceur_app
   } debugfs_tracing:file no_rw_file_perms;
 
   # inotifyfs
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 0eafca6e7789906b025c66e0dddc0576ed37f498..8b72457e3f93e5fb26eca09acef44a4bbc07e815 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -14,6 +14,7 @@ allow dumpstate dumpstate_tmpfs:file execute;
 # systrace support - allow atrace to run
 allow dumpstate debugfs_tracing:dir r_dir_perms;
 allow dumpstate debugfs_tracing:file rw_file_perms;
+allow dumpstate debugfs_tracing_debug:dir r_dir_perms;
 allow dumpstate debugfs_trace_marker:file getattr;
 allow dumpstate atrace_exec:file rx_file_perms;
 allow dumpstate storaged_exec:file rx_file_perms;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 8f0d489ab7291d8db144f5ba06a3e2703be7d3c1..986e415c47d96f07f80a1299206c157634acc969 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -123,7 +123,12 @@ genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
 genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
 
 genfscon debugfs /mmc0                                u:object_r:debugfs_mmc:s0
-genfscon debugfs /tracing                             u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing                             u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /                                    u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/tracing_on                  u:object_r:debugfs_tracing:s0
+genfscon tracefs /tracing_on                          u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/trace                       u:object_r:debugfs_tracing:s0
+genfscon tracefs /trace                               u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/instances                   u:object_r:debugfs_tracing_instances:s0
 genfscon tracefs /instances                           u:object_r:debugfs_tracing_instances:s0
 genfscon debugfs /tracing/instances/wifi              u:object_r:debugfs_wifi_tracing:s0
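Review bot: The entries `genfscon debugfs /tracing/trace` and `genfscon tracefs /trace` may label more than the one file they name. To my knowledge the kernel matches genfscon paths as plain string prefixes, with the longest matching entry winning. If so, `trace_pipe`, `trace_options` and the `trace_stat` directory would also receive `debugfs_tracing` unless a longer entry elsewhere in the file overrides them. This commit grants `debugfs_tracing:file` access outside the userdebug_or_eng blocks, so please check the resulting labels with `ls -Z` on a user build. If the wider match is intended, a comment such as `# prefix match: also covers trace_pipe and trace_options` would record it.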
@@ -148,7 +153,6 @@ genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/enable    u:object_r:
 genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/enable     u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/block/block_rq_issue/enable         u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/block/block_rq_complete/enable      u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/saved_cmdlines_size                        u:object_r:debugfs_tracing_debug:s0
 
 genfscon tracefs /events/sync/enable                         u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/workqueue/enable                    u:object_r:debugfs_tracing_debug:s0
@@ -166,12 +170,62 @@ genfscon tracefs /events/ext4/ext4_sync_file_enter/enable    u:object_r:debugfs_
 genfscon tracefs /events/ext4/ext4_sync_file_exit/enable     u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/block/block_rq_issue/enable         u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/block/block_rq_complete/enable      u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /saved_cmdlines_size                        u:object_r:debugfs_tracing_debug:s0
+
+genfscon tracefs /trace_clock                                            u:object_r:debugfs_tracing:s0
+genfscon tracefs /buffer_size_kb                                         u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/overwrite                                      u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/print-tgid                                     u:object_r:debugfs_tracing:s0
+genfscon tracefs /saved_cmdlines_size                                    u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_switch/enable                       u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup/enable                       u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_blocked_reason/enable               u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_cpu_hotplug/enable                  u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cgroup/enable                                   u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency/enable                      u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_idle/enable                           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_set_rate/enable                     u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency_limits/enable               u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpufreq_interactive/enable                      u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/enable    u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/enable      u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/enable             u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/enable            u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction/enable                u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction_received/enable       u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_lock/enable                       u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_locked/enable                     u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_unlock/enable                     u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/lowmemorykiller/enable                          u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/trace_clock                                            u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/buffer_size_kb                                         u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/overwrite                                      u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/print-tgid                                     u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/saved_cmdlines_size                                    u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_switch/enable                       u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup/enable                       u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_blocked_reason/enable               u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/enable                  u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cgroup/enable                                   u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency/enable                      u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_idle/enable                           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_set_rate/enable                     u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency_limits/enable               u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpufreq_interactive/enable                      u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/enable    u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/enable      u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/enable             u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/enable            u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction/enable                u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_received/enable       u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_lock/enable                       u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_locked/enable                     u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_unlock/enable                     u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/lowmemorykiller/enable                          u:object_r:debugfs_tracing:s0
 
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
 genfscon debugfs / u:object_r:debugfs:s0
-genfscon tracefs / u:object_r:debugfs_tracing:s0
 genfscon fuse / u:object_r:fuse:s0
 genfscon configfs / u:object_r:configfs:s0
 genfscon sdcardfs / u:object_r:sdcardfs:s0
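Review bot: The two added lists (tracefs and debugfs/tracing) are line-for-line mirrors of each other, but nothing in the file says so or explains what the two labels mean after this change. With the `tracefs /` default moved to `debugfs_tracing_debug`, any node not listed here becomes debug-only, so a path added to one list and forgotten in the other would silently differ between kernels that mount tracefs and those that expose it under debugfs. I would add a header comment above the first list, e.g. `# Tracing nodes usable on user builds (debugfs_tracing); anything else under tracefs defaults to debugfs_tracing_debug.`, and `# Keep in sync with the tracefs list above.` before the second. The hunk starts and ends in the middle of the file, so an existing comment further up may already cover part of this.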
diff --git a/private/shell.te b/private/shell.te
index 7a7ebf462cfa185f07f69f60ee16d8a04d589872..9b7235b8a0721daa9393d4067a81438fc8214624 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -4,18 +4,19 @@ typeattribute shell coredomain;
 allow shell uhid_device:chr_file rw_file_perms;
 
 # systrace support - allow atrace to run
+allow shell debugfs_tracing_debug:dir r_dir_perms;
 allow shell debugfs_tracing:dir r_dir_perms;
 allow shell debugfs_tracing:file rw_file_perms;
 allow shell debugfs_trace_marker:file getattr;
 allow shell atrace_exec:file rx_file_perms;
 
-# read config.gz for CTS purposes
-allow shell config_gz:file r_file_perms;
-
 userdebug_or_eng(`
   allow shell debugfs_tracing_debug:file rw_file_perms;
 ')
 
+# read config.gz for CTS purposes
+allow shell config_gz:file r_file_perms;
+
 # Run app_process.
 # XXX Transition into its own domain?
 app_domain(shell)
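Review bot: Moving the `config_gz` rule below the userdebug_or_eng block is unrelated to the tracing relabel and only adds noise to the diff and to blame; consider leaving it where it was. The new `debugfs_tracing_debug:dir` rule is also placed above the `debugfs_tracing` rules here, but below them in private/atrace.te and private/dumpstate.te. Keeping one order makes the three files easier to compare.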
diff --git a/private/statsd.te b/private/statsd.te
index a51a547a8c702e7bb9a229e3dfa9488f54eeda9f..7221cba60b7b1a34234c906e7869b7b0216b1e14 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -86,7 +86,7 @@ neverallow {
   -statsd
   -system_app
   -system_server
-  userdebug_or_eng(`-traceur_app')
+  -traceur_app
 } stats_service:service_manager find;
 
 # Only statsd and the other root services in limited circumstances.
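Review bot: Making `-traceur_app` unconditional widens this neverallow exemption to user builds, and the same is done for `dumpstate_service` in public/dumpstate.te. Both exemptions appear to be needed only because the `service_manager find` allow in public/traceur_app.te is subtractive (`service_manager_type` minus a short list), so it now grants these services on production devices. If Traceur does not actually use statsd or dumpstate, it would be tighter to add `-stats_service` and `-dumpstate_service` to that allow set and keep the neverallow exemptions debug-only. The neverallow block starts above this hunk, so any rationale comment on it is not visible here.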
diff --git a/private/traceur_app.te b/private/traceur_app.te
index 539e8bc5b4a1a031fd5cc12ea62dd013f4347fea..c9e6be1b7cb00f1b4319a6e6a64ed13da1b5c01e 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -1,10 +1,15 @@
 typeattribute traceur_app coredomain;
 
+app_domain(traceur_app);
+allow traceur_app debugfs_tracing:file rw_file_perms;
+allow traceur_app debugfs_tracing_debug:dir r_dir_perms;
+
 userdebug_or_eng(`
-  app_domain(traceur_app);
-  allow traceur_app debugfs_tracing:file rw_file_perms;
   allow traceur_app debugfs_tracing_debug:file rw_file_perms;
-  allow traceur_app trace_data_file:file create_file_perms;
-  allow traceur_app trace_data_file:dir { add_name getattr search write };
-  allow traceur_app atrace_exec:file rx_file_perms;
 ')
+
+allow traceur_app trace_data_file:file create_file_perms;
+allow traceur_app trace_data_file:dir { add_name getattr search write };
+allow traceur_app atrace_exec:file rx_file_perms;
+
+dontaudit traceur_app debugfs_tracing_debug:file audit_access;
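Review bot: The added `dontaudit traceur_app debugfs_tracing_debug:file audit_access;` has no comment saying why the denial is expected, and the rules moved out of userdebug_or_eng now apply on user builds without any note in the file. Presumably the app probes debug-only tracing files with access() and the denial is harmless on user builds; a comment such as `# Debug-only tracing files are probed but not available on user builds; silence the expected denial.` would say so. Because the domain now exists on production builds, it is also worth confirming that the seapp_contexts entry mapping apps into `traceur_app` (not part of this diff) is restricted to the platform-signed Traceur package.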
diff --git a/public/domain.te b/public/domain.te
index 24514bf0f619b62d790e2c8348a25be264f1ab62..b175ed436c7cc873d85ba80170b5be6af42614c8 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -241,6 +241,7 @@ allow domain cgroup:file w_file_perms;
 # The reason behind this is documented in b/6513400
 allow domain debugfs:dir search;
 allow domain debugfs_tracing:dir search;
+allow domain debugfs_tracing_debug:dir search;
 allow domain debugfs_trace_marker:file w_file_perms;
 
 # Filesystem access.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 5f6e5f79c2dee9cedf2c0b8adca17aeae5fa17a8..9166deba856e23c17812b8a2b1d07dd3511efaae 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -283,6 +283,6 @@ neverallow {
   domain
   -system_server
   -shell
-  userdebug_or_eng(`-traceur_app')
+  -traceur_app
   -dumpstate
 } dumpstate_service:service_manager find;
diff --git a/public/file.te b/public/file.te
index f45de90cb94be5594297cd55e9ef92c1f4455d7a..d1feb3acedcc227f402fb8a60822db351fb4f824 100644
--- a/public/file.te
+++ b/public/file.te
@@ -379,7 +379,7 @@ allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
 allow cgroup_bpf tmpfs:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
-allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
+allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
 allow file_type labeledfs:filesystem associate;
 allow file_type tmpfs:filesystem associate;
 allow file_type rootfs:filesystem associate;
diff --git a/public/init.te b/public/init.te
index c3e36eaf2230babc8d5f44c58fa60b93974c5fdd..afdc10ed195225431ae029b636ba7a1cdfb5388f 100644
--- a/public/init.te
+++ b/public/init.te
@@ -199,7 +199,7 @@ allow init {
 allow init cache_file:lnk_file r_file_perms;
 
 allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
-allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
 allow init dev_type:dir create_dir_perms;
 allow init dev_type:lnk_file create;
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 46826d48612919bd2c8194a72d2fff146f05c885..7113fa7ce9143d9e389100f402d0c625002cd99a 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -1,23 +1,21 @@
 type traceur_app, domain;
 
-userdebug_or_eng(`
-  allow traceur_app servicemanager:service_manager list;
-  allow traceur_app hwservicemanager:hwservice_manager list;
+allow traceur_app servicemanager:service_manager list;
+allow traceur_app hwservicemanager:hwservice_manager list;
 
-  set_prop(traceur_app, debug_prop)
+set_prop(traceur_app, debug_prop)
 
-  allow traceur_app {
-    service_manager_type
-    -gatekeeper_service
-    -incident_service
-    -installd_service
-    -netd_service
-    -virtual_touchpad_service
-    -vold_service
-    -vr_hwc_service
-  }:service_manager find;
+allow traceur_app {
+  service_manager_type
+  -gatekeeper_service
+  -incident_service
+  -installd_service
+  -netd_service
+  -virtual_touchpad_service
+  -vold_service
+  -vr_hwc_service
+}:service_manager find;
 
-  dontaudit traceur_app service_manager_type:service_manager find;
-  dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
-  dontaudit traceur_app domain:binder call;
-')
+dontaudit traceur_app service_manager_type:service_manager find;
+dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
+dontaudit traceur_app domain:binder call;
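Review bot: With the userdebug_or_eng wrapper removed, the three `dontaudit` rules at the end of the file and `set_prop(traceur_app, debug_prop)` now apply on user builds, and none of them carries a comment. In particular `dontaudit traceur_app domain:binder call;` hides every denied binder call from this domain, so unexpected behaviour on production devices leaves no avc record. If the denials are expected because the app pokes all services when trace tags change (my assumption; the diff does not say), please state that in a comment such as `# Traceur notifies every service of trace tag changes; denials for services it may not reach are expected.`. Consider limiting the dontaudit to the denials that are actually observed.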