diff --git a/private/isolated_app.te b/private/isolated_app.te
index 37935c39597df2d60048bd8ad135998f3d70509f..951a0df2553419a8e23a957d4155e64f25212456 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -27,12 +27,9 @@ allow isolated_app self:process ptrace;
 # b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
 # by other processes. Open should never be allowed, and is blocked by
 # neverallow rules below.
-# TODO: consider removing write/append. We want to limit isolated_apps
-# ability to mutate files of any type.
 # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
 # is modified to change the secontext when accessing the lower filesystem.
 allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
-auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };
 
 # For webviews, isolated_app processes can be forked from the webview_zygote
 # in addition to the zygote. Allow access to resources inherited from the