diff --git a/prebuilts/api/28.0/private/system_server.te b/prebuilts/api/28.0/private/system_server.te
index 5c2335e7f1cc74be71ab0440825b278cea2ddfb7..7e2f266549afb6c0b23add139c5b7bd7f174d4b7 100644
--- a/prebuilts/api/28.0/private/system_server.te
+++ b/prebuilts/api/28.0/private/system_server.te
@@ -772,9 +772,14 @@ allow system_server netd:bpf map_read;
 # Allow system_server to open profile snapshots for read.
 # System server never reads the actual content. It passes the descriptor to
 # to privileged apps which acquire the permissions to inspect the profiles.
-allow system_server user_profile_data_file:dir { search };
+allow system_server user_profile_data_file:dir { getattr search };
 allow system_server user_profile_data_file:file { getattr open read };
 
+# On userdebug build we may profile system server. Allow it to write and create its own profile.
+userdebug_or_eng(`
+  allow system_server user_profile_data_file:file create_file_perms;
+')
+
 userdebug_or_eng(`
   # Allow system server to notify mediaextractor of the plugin update.
   allow system_server mediaextractor_update_service:service_manager find;
diff --git a/private/system_server.te b/private/system_server.te
index 5c2335e7f1cc74be71ab0440825b278cea2ddfb7..7e2f266549afb6c0b23add139c5b7bd7f174d4b7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -772,9 +772,14 @@ allow system_server netd:bpf map_read;
 # Allow system_server to open profile snapshots for read.
 # System server never reads the actual content. It passes the descriptor to
 # to privileged apps which acquire the permissions to inspect the profiles.
-allow system_server user_profile_data_file:dir { search };
+allow system_server user_profile_data_file:dir { getattr search };
 allow system_server user_profile_data_file:file { getattr open read };
 
+# On userdebug build we may profile system server. Allow it to write and create its own profile.
+userdebug_or_eng(`
+  allow system_server user_profile_data_file:file create_file_perms;
+')
+
 userdebug_or_eng(`
   # Allow system server to notify mediaextractor of the plugin update.
   allow system_server mediaextractor_update_service:service_manager find;