diff --git a/public/domain.te b/public/domain.te
index 0f17fab1355910ce6f6d252afb303fc3e51a0270..c105a4714821ba027280806f871dbdf67245d862 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -277,15 +277,19 @@ allow {
   -untrusted_app_all
   -priv_app
 } cgroup:file w_file_perms;
-auditallow appdomain cgroup:file w_file_perms;
+userdebug_or_eng(`
+  auditallow appdomain cgroup:file w_file_perms;
+')
 
 # TODO(b/110043362): Clean up cgroup access from non-system domains.
 allow { domain -coredomain } cgroup:file w_file_perms;
-auditallow {
-  domain
-  -coredomain
-  -vendor_init
-} cgroup:file w_file_perms;
+userdebug_or_eng(`
+  auditallow {
+    domain
+    -coredomain
+    -vendor_init
+  } cgroup:file w_file_perms;
+')
 
 # Almost all processes log tracing information to
 # /sys/kernel/debug/tracing/trace_marker