diff --git a/private/system_server.te b/private/system_server.te
index 48ec63499650611880804e2ec5ef510bda5da2ca..60d3718bfc491b7834899c910e61ae4b76dcd7a7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -778,6 +778,11 @@ allow system_server netd:bpf map_read;
allow system_server user_profile_data_file:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };
+# System server may dump profile data for debuggable apps in the /data/misc/profman.
+# As such it needs to be able create files but it should never read from them.
+allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
+allow system_server profman_dump_data_file:dir w_dir_perms;
+
# On userdebug build we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
allow system_server user_profile_data_file:file create_file_perms;
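Review bot: The comment on the new `profman_dump_data_file` rules says system_server should never read these files, but the hunk only omits `read` from the allow rule and nothing enforces it. Adding `neverallow system_server profman_dump_data_file:file read;` after the two allow lines would stop a later change from quietly granting it, assuming no rule outside this hunk already gives system_server read on this type. `w_dir_perms` also carries `remove_name`, which creating dump files does not appear to need, so a narrower set such as `{ search write add_name }` may be enough if system_server only ever creates files there. Two small style points on the same lines: `w_file_perms}` is missing the space before the closing brace, and the comment should read "be able to create files".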
diff --git a/public/shell.te b/public/shell.te
index 2be6da6f99316d88b50fe780c71964119fcb29e7..4293f529abd62bbc0f9c1b18fb6cad9c79550bbd 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -30,8 +30,8 @@ allow shell trace_data_file:file { r_file_perms unlink };
allow shell trace_data_file:dir { r_dir_perms remove_name write };
# Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { search getattr write remove_name };
-allow shell profman_dump_data_file:file { getattr unlink };
+allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
+allow shell profman_dump_data_file:file { unlink r_file_perms };
# Read/execute files in /data/nativetest
userdebug_or_eng(`
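Review bot: The new `r_file_perms` grant to shell on `profman_dump_data_file` appears to sit outside any `userdebug_or_eng` block, so on user builds every file of this type becomes readable over adb. The policy itself does not limit the dumps to debuggable apps; that restriction, stated only in the system_server.te comment, has to be enforced by the code that writes the files. The comment `# Access /data/misc/profman.` should record this, for example `# Read and delete profile dumps in /data/misc/profman; writers must only dump data for debuggable apps.` If other domains also write this type (not visible in this diff), their output is covered by the same grant and is worth checking before merging.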