diff --git a/private/domain.te b/private/domain.te
index 6a71a140b813eaaafa5512218f95f55f05bb3066..65688b20f17d88c8dc2ca89e60b8d728fa7351d2 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -10,6 +10,18 @@ allow domain crash_dump:process sigchld;
 # heap profiling, as initialization will fail if it does not have the
 # necessary SELinux permissions.
 get_prop(domain, heapprofd_prop);
+userdebug_or_eng(`can_profile_heap({
+ domain
+ -bpfloader
+ -init
+ -kernel
+ -keystore
+ -llkd
+ -logd
+ -ueventd
+ -vendor_init
+ -vold
+})')
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
diff --git a/private/system_server.te b/private/system_server.te
index 4ec68021f4115662c1a9d859775605bbbcafc08e..4cf8ae02bc3baf2bdc02d6929a2c0077bc2278fc 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -5,7 +5,6 @@ typeattribute system_server coredomain;
 typeattribute system_server mlstrustedsubject;
-can_profile_heap(system_server)
 # Define a type for tmpfs-backed ashmem regions.
 tmpfs_domain(system_server)
diff --git a/public/domain.te b/public/domain.te
index 09eb3e6cb389f8fdcadd201e5248ca91e215b314..67002c93fe8bf5b163957dc0b197cd98b096e4b4 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -776,6 +776,7 @@ full_treble_only(`
 userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
 -init
 -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
+ userdebug_or_eng('-heapprofd`)
 });
 ')
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 2931cb582d34b517b381fc6563ccf17073c31f43..8fe6bbe1a71f6d536cebc7b86f7468ef3ac8307d 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
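Review bot: In private/domain.te the new can_profile_heap grant is written as `domain` minus nine named domains, with no comment saying why those nine are carved out. Because it is an exclusion list, any domain added to the policy later becomes heap-profilable on userdebug/eng builds by default, and a reader has no stated criterion for deciding whether a new domain belongs on the list. I would add a comment directly above the macro stating the rule for exclusion and that new domains holding sensitive data in heap must be added here; the actual reason for each entry is not visible in the hunk, so the author should supply the wording.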
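Review bot: In public/domain.te the added line `userdebug_or_eng('-heapprofd`)` has the m4 quotes reversed: the `-su` line three lines above it and the matching line in the hal_configstore.te hunk both open with a backtick and close with a single quote. With the order swapped, the backtick opens a quoted string that is not closed on this line, so the macro argument and the remainder of the neverallow set are likely to be parsed differently from what was intended. In a neverallow exemption list that can silently change which domains are exempt or what the rule covers. The line should read `` userdebug_or_eng(`-heapprofd') ``. The neverallow rule this set belongs to starts above the hunk, so the exact effect on it cannot be confirmed from here.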
@@ -33,6 +33,7 @@ neverallow hal_configstore_server {
 -logd
 userdebug_or_eng(`-su')
 -tombstoned
+ userdebug_or_eng(`-heapprofd')
 }:{ unix_dgram_socket unix_stream_socket } *;
 # Should never need access to anything on /data
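Review bot: The heapprofd exemption added to the hal_configstore_server neverallow has no comment, although the rule it relaxes covers every permission (`*`) on unix_dgram_socket and unix_stream_socket. A one-line rationale next to the entry would let a later audit decide whether the exemption is still needed, for example `# heapprofd: profiling socket, userdebug/eng only`; that reason is inferred from the can_profile_heap change in private/domain.te and should be confirmed by the author. The same applies to the heapprofd entry added in public/domain.te. The neverallow statement begins above this hunk.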