diff --git a/private/system_server.te b/private/system_server.te
index c5b83ecc85925d53c4d12ddd6791a1cdeaf171aa..045acc6d131eba861c7dc61057396be2e2f6a4c3 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -773,9 +773,14 @@ allow system_server netd:bpf map_read;
 # Allow system_server to open profile snapshots for read.
 # System server never reads the actual content. It passes the descriptor to
 # to privileged apps which acquire the permissions to inspect the profiles.
-allow system_server user_profile_data_file:dir { search };
+allow system_server user_profile_data_file:dir { getattr search };
 allow system_server user_profile_data_file:file { getattr open read };
 
+# On userdebug build we may profile system server. Allow it to write and create its own profile.
+userdebug_or_eng(`
+ allow system_server user_profile_data_file:file create_file_perms;
+')
+
 userdebug_or_eng(`
 # Allow system server to notify mediaextractor of the plugin update.
 allow system_server mediaextractor_update_service:service_manager find;
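Review bot: The added `allow system_server user_profile_data_file:file create_file_perms;` applies to every file labelled `user_profile_data_file`, not only system_server's own profile as the new comment says, and `create_file_perms` also carries rename, unlink and setattr alongside write. If app profiles share this type (not visible in this hunk), a dedicated type for the system_server profile or a narrower permission set would keep the userdebug grant least-privilege; at minimum the comment should state the real scope, e.g. `# Grants create/write/rename/unlink on all user_profile_data_file files; userdebug/eng only.` The hunk adds only `getattr` to the `dir` rule, so creating a file would still need `write` and `add_name` on the directory from a rule outside this hunk, which is worth confirming. The unchanged comment above ("System server never reads the actual content") no longer describes userdebug builds, and the unconditional `getattr` added to the directory rule is not explained anywhere in the hunk.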