diff --git a/prebuilts/api/28.0/private/system_server.te b/prebuilts/api/28.0/private/system_server.te
index 7e2f266549afb6c0b23add139c5b7bd7f174d4b7..b037fe4a605a4bc40cf15f12df8b31fbe99dc6f7 100644
--- a/prebuilts/api/28.0/private/system_server.te
+++ b/prebuilts/api/28.0/private/system_server.te
@@ -775,6 +775,11 @@ allow system_server netd:bpf map_read;
 allow system_server user_profile_data_file:dir { getattr search };
 allow system_server user_profile_data_file:file { getattr open read };
 
+# System server may dump profile data for debuggable apps in the /data/misc/profman.
+# As such it needs to be able create files but it should never read from them.
+allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
+allow system_server profman_dump_data_file:dir w_dir_perms;
+
 # On userdebug build we may profile system server. Allow it to write and create its own profile.
 userdebug_or_eng(`
   allow system_server user_profile_data_file:file create_file_perms;
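Review bot: The added comment says system_server "should never read from them", but nothing in this hunk enforces that; the allow rule only omits `read`, so a later rule or attribute grant could add it without a build failure. If the invariant matters, pin it next to the allow with something like `neverallow system_server profman_dump_data_file:file { read execute };`, provided no existing attribute-based rule conflicts with it. Separately, `w_dir_perms` on the directory appears to include `remove_name`, which creating dumps does not need; `{ search write add_name }` is likely closer to the stated intent. The identical hunk in private/system_server.te should get the same change so the 28.0 prebuilt and the live policy stay in sync.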
diff --git a/prebuilts/api/28.0/public/shell.te b/prebuilts/api/28.0/public/shell.te
index 2c6ce4430d6e7066a2b5f31625871eb5036dae68..307e10342f8fa9981f96d9bf2b395e9bf61cf98a 100644
--- a/prebuilts/api/28.0/public/shell.te
+++ b/prebuilts/api/28.0/public/shell.te
@@ -30,8 +30,8 @@ allow shell trace_data_file:file { r_file_perms unlink };
 allow shell trace_data_file:dir { r_dir_perms remove_name write };
 
 # Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { search getattr write remove_name };
-allow shell profman_dump_data_file:file { getattr unlink };
+allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
+allow shell profman_dump_data_file:file { unlink r_file_perms };
 
 # Read/execute files in /data/nativetest
 userdebug_or_eng(`
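Review bot: The comment above the changed rules still says only "Access /data/misc/profman." although shell goes from delete-only to reading every file labelled profman_dump_data_file. It should say who writes these files and why shell reads them, e.g. `# Shell (adb) may list, read and delete the profile dumps that system_server writes to /data/misc/profman.` Policy cannot tell a debuggable app's dump from any other file carrying this label, so the debuggable-only restriction rests entirely on the writer, which is worth stating in the comment as well. `r_file_perms` also likely carries `ioctl`, `lock` and `map`, so `{ getattr open read unlink }` may be enough if shell only copies the dumps out. The same hunk appears in public/shell.te.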
diff --git a/private/system_server.te b/private/system_server.te
index 7e2f266549afb6c0b23add139c5b7bd7f174d4b7..b037fe4a605a4bc40cf15f12df8b31fbe99dc6f7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -775,6 +775,11 @@ allow system_server netd:bpf map_read;
 allow system_server user_profile_data_file:dir { getattr search };
 allow system_server user_profile_data_file:file { getattr open read };
 
+# System server may dump profile data for debuggable apps in the /data/misc/profman.
+# As such it needs to be able create files but it should never read from them.
+allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
+allow system_server profman_dump_data_file:dir w_dir_perms;
+
 # On userdebug build we may profile system server. Allow it to write and create its own profile.
 userdebug_or_eng(`
   allow system_server user_profile_data_file:file create_file_perms;
diff --git a/public/shell.te b/public/shell.te
index 2c6ce4430d6e7066a2b5f31625871eb5036dae68..307e10342f8fa9981f96d9bf2b395e9bf61cf98a 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -30,8 +30,8 @@ allow shell trace_data_file:file { r_file_perms unlink };
 allow shell trace_data_file:dir { r_dir_perms remove_name write };
 
 # Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { search getattr write remove_name };
-allow shell profman_dump_data_file:file { getattr unlink };
+allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
+allow shell profman_dump_data_file:file { unlink r_file_perms };
 
 # Read/execute files in /data/nativetest
 userdebug_or_eng(`