diff --git a/private/system_server.te b/private/system_server.te
index c2033dbbdad67d7bb97164d3a154babfba5c7b86..d8a67c3745a7a516ac4c5b84da91914021b63396 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -142,8 +142,6 @@ allow system_server stats_data_file:dir { open read remove_name search write };
 allow system_server stats_data_file:file unlink;
 
 # Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs:file r_file_perms;
-auditallow system_server debugfs:file r_file_perms;
 allow system_server debugfs_wakeup_sources:file r_file_perms;
 
 # Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
diff --git a/public/domain.te b/public/domain.te
index 13f52dc2349cb006c6b0561c55c2a2267682a1a6..20ae4a9f127026291f1e8cf082b6ab1837f984f2 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1387,8 +1387,8 @@ neverallow * domain:file { execute execute_no_trans entrypoint };
 # Do not allow access to the generic debugfs label. This is too broad.
 # Instead, if access to part of debugfs is desired, it should have a
 # more specific label.
-# TODO: fix system_server and dumpstate
-neverallow { domain -init -vendor_init -system_server -dumpstate } debugfs:file no_rw_file_perms;
+# TODO: fix dumpstate
+neverallow { domain -init -vendor_init -dumpstate } debugfs:file no_rw_file_perms;
 
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.