diff --git a/domain.te b/domain.te
index b60e5e0483141269c1ca3438f82a6f3e36802e77..15594ef6ae91306b2a2ea83e401e5c1770e15fb7 100644
--- a/domain.te
+++ b/domain.te
@@ -508,3 +508,9 @@ neverallow domain ~property_type:property_service set;
 # $ grep mydaemon file_contexts
 # /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
 neverallow domain domain:file { execute execute_no_trans entrypoint };
+
+# Do not allow access to the generic debugfs label. This is too broad.
+# Instead, if access to part of debugfs is desired, it should have a
+# more specific label.
+# TODO: fix system_server and dumpstate
+neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
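Review bot: The `-init` exemption on the new neverallow is not explained — the TODO only names system_server and dumpstate, so a reader cannot tell whether init's access to the generic debugfs label is intentional and permanent or another leftover to be relabeled. I would extend the comment, e.g. `# init is exempt because it mounts/sets up debugfs; system_server and dumpstate are temporary exemptions (see TODO)`, adjusting the reason to whatever actually motivates it. The rule also covers only the `file` class, so directory listing/search and symlink traversal on the generic `debugfs` label remain allowed to every domain; if the intent stated in the comment is to forbid any access to the generic label, `debugfs:{ file lnk_file }` (and a matching `dir` rule with the directory permission set) would close that, assuming `no_rw_file_perms` expands to both read and write permissions as its name suggests.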
diff --git a/untrusted_app.te b/untrusted_app.te
index 9d80bd8eaca52c51de43008711434f62539dfb3f..12a629de8098f4049bbdb061de6675aab5695b3a 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -112,7 +112,7 @@ neverallow untrusted_app domain:netlink_socket *;
 
 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
-neverallow untrusted_app debugfs:file read;
+neverallow untrusted_app debugfs_type:file read;
 
 # Do not allow untrusted apps to register services.
 # Only trusted components of Android should be registering
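Review bot: Widening the target from `debugfs` to `debugfs_type` is the right direction, but the rule still denies only `read` on the `file` class, while the comment above it speaks of the files not being readable at all; `open`, `getattr` and, more importantly, `write`/`ioctl` on a specifically labeled debugfs file are not excluded here, and the generic-label neverallow in domain.te does not cover the specific `debugfs_type` labels. If no debugfs label is meant to be writable by apps, `neverallow untrusted_app debugfs_type:file no_rw_file_perms;` would make the two files consistent; if some label is intentionally app-writable (for example a trace marker), a comment naming that exception would explain why only `read` is forbidden. The `debugfs_type` attribute is presumably declared elsewhere in the policy — worth confirming every debugfs sub-label is actually assigned to it, since any that are not will escape this rule.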