diff --git a/private/domain.te b/private/domain.te
index c03da55ee79448634f770dabf57af7da6127f015..850635b64f14e57c58cdea186f8954706ef4e83f 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -48,7 +48,6 @@ neverallow {
   -adbd
   -appdomain
   -dexoptanalyzer
-  -init
   -installd
   userdebug_or_eng(`-perfprofd')
   -profman
@@ -56,12 +55,11 @@ neverallow {
   -system_server
 } { privapp_data_file app_data_file }:dir *;
 
-# Only apps should be modifying app data. init and installd are exempted for
+# Only apps should be modifying app data. installd is exempted for
 # restorecon and package install/uninstall.
 neverallow {
   domain
   -appdomain
-  -init
   -installd
 } { privapp_data_file app_data_file }:dir ~r_dir_perms;
 
@@ -80,7 +78,6 @@ neverallow {
 
 neverallow {
   domain
-  -init
   -installd
 } { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
 
diff --git a/public/init.te b/public/init.te
index c06e538536d072d115c8d03a191dea53a30f33bd..770922a1b9e52cecf51a83c9a100853eeac10ec8 100644
--- a/public/init.te
+++ b/public/init.te
@@ -223,9 +223,15 @@ allow init {
 
 allow init cache_file:lnk_file r_file_perms;
 
-allow init { file_type -system_file_type -vendor_file_type -exec_type }:dir_file_class_set relabelto;
-# does init really need to relabel app data?
-userdebug_or_eng(`auditallow init { app_data_file privapp_data_file }:dir_file_class_set relabelto;')
+allow init {
+  file_type
+  -system_file_type
+  -vendor_file_type
+  -exec_type
+  -app_data_file
+  -privapp_data_file
+}:dir_file_class_set relabelto;
+
 allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
 allow init dev_type:dir create_dir_perms;
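Review bot: The rewritten `allow init { ... }:dir_file_class_set relabelto;` block adds `-app_data_file` and `-privapp_data_file` without a comment saying why, and the comment it replaces only posed the question. A line above the block would record the intent, for example `# init must not relabel app data; installd handles restorecon of app data (enforced by neverallow in private/domain.te).` The removed `auditallow` was wrapped in `userdebug_or_eng`, so any evidence that init never hits this path presumably comes from debug builds only. It is worth confirming that no init-triggered recursive restorecon on user builds or in vendor init scripts descends into app data directories, since that would now be denied. This hunk only narrows `relabelto`; whether init holds `relabelfrom` on these types elsewhere is not visible here, though the tightened neverallow in `private/domain.te` should fail the build if it does.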