diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 7c266a524fef6870400a2c1d1070b87d7a43e194..6f92ef5bb8189bccbb84f6470eae02c20134c4bd 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -49,6 +49,7 @@ allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file exe
 # for targetApi<=25. This is also allowed for targetAPIs 26, 27,
 # and 28 in untrusted_app_27.te.
 allow untrusted_app_25 app_data_file:file execute_no_trans;
+userdebug_or_eng(`auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };')
 
 # The ability to invoke dex2oat. Historically required by ART, now only
 # allowed for targetApi<=28 for compat reasons.
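Review bot: The added `auditallow` on `app_data_file:file` audits `execute` as well as `execute_no_trans`, while the comment above it and the `allow` it follows describe only exec() (`execute_no_trans`). The same applies to the matching line in the untrusted_app_27.te hunk. `execute` is presumably granted by a rule outside these hunks, and auditing it also logs executable mappings of files in the app home directory, not just exec() calls, so the audit output is broader than the surrounding comment suggests. If that is intended, I would say so in a comment above the rule in both files, e.g. `# Diagnostic only (userdebug/eng): log exec() and executable mappings of app home directory files.`, so a later reader knows why both permissions are listed and that the rule grants nothing.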
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index b8fd22eb49e06077712a579feab41fe362abada4..be155c9739ca37d73b38b93b138332d3f85aac0a 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -30,6 +30,7 @@ bluetooth_domain(untrusted_app_27)
 # The ability to call exec() on files in the apps home directories
 # for targetApi 26, 27, and 28.
 allow untrusted_app_27 app_data_file:file execute_no_trans;
+userdebug_or_eng(`auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };')
 
 # The ability to invoke dex2oat. Historically required by ART, now only
 # allowed for targetApi<=28 for compat reasons.