diff --git a/public/domain.te b/public/domain.te
index c09ee505f0d6086655c3fa0d32cf94f39dd42c10..24514bf0f619b62d790e2c8348a25be264f1ab62 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1222,3 +1222,29 @@ full_treble_only(`
 -perfprofd
 } vendor_file:file { create_file_perms x_file_perms };
 ')
+
+# Minimize dac_override and dac_read_search.
+# Instead of granting them it is usually better to add the domain to
+# a Unix group or change the permissions of a file.
+neverallow {
+ domain
+ -dnsmasq
+ -dumpstate
+ -init
+ -installd
+ -install_recovery
+ -lmkd
+ -netd
+ -perfprofd
+ -postinstall_dexopt
+ -recovery
+ -sdcardd
+ -tee
+ -ueventd
+ -uncrypt
+ -vendor_init
+ -vold
+ -vold_prepare_subdirs
+ -zygote
+} self:capability dac_override;
+neverallow domain self:capability dac_read_search;
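Review bot: Both new neverallow rules name only the `capability` class, so a domain granted `dac_override` or `dac_read_search` through `self:cap_userns` would not trip them. If this tree's policy defines `cap_userns`, the rules should cover it as well, e.g. `} self:{ capability cap_userns } dac_override;` and the same class set on the `dac_read_search` line. Separately, `dac_read_search` is forbidden for every domain while the broader `dac_override` stays open to the 18 exempted domains, so an exempted domain that only needs to read or traverse has no narrower capability available under this policy; it is worth confirming that asymmetry is intended. The exemption list also carries no per-domain rationale, and a comment above it such as `# Exemptions are legacy; do not add new entries without review` would tell the next maintainer whether the list is expected to shrink.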