diff --git a/clatd.te b/clatd.te
index 5c52bdbdf06fa7a4a311f43287b3a6fffbc49ee7..21c9ca9ed2e93cd1f7576199077ad3f37a2c233c 100644
--- a/clatd.te
+++ b/clatd.te
@@ -19,11 +19,12 @@ allow clatd self:capability { net_admin net_raw setuid setgid };
 
 # clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
 # capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. The latter check succeeds. As a result, clatd
-# does not need CAP_IPC_LOCK, so we suppress any denials we see
-# from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940
-dontaudit clatd self:capability ipc_lock;
+# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
+# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
+# so we permit any requests we see from clatd asking for this capability.
+# See https://android-review.googlesource.com/127940 and
+# https://b.corp.google.com/issues/21736319
+allow clatd self:capability ipc_lock;
 
 allow clatd self:netlink_route_socket nlmsg_write;
 allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms;