diff --git a/public/domain.te b/public/domain.te
index 19243a698e7c5ba3db3507238149e4b668a6ceeb..9631c9c76a580eaa52295131e287ead5b8c653da 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -452,8 +452,17 @@ neverallow {
   -crash_dump
   -dumpstate
   -system_server
+
+  # Processes that can't exec crash_dump
+  -mediacodec
+  -mediaextractor
 } tombstoned:unix_stream_socket connectto;
-neverallow { domain -crash_dump } tombstoned_crash_socket:sock_file write;
+neverallow {
+  domain
+  -crash_dump
+  -mediacodec
+  -mediaextractor
+} tombstoned_crash_socket:sock_file write;
 neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;
 
 # Android does not support System V IPCs.
diff --git a/public/mediacodec.te b/public/mediacodec.te
index a7d780793727023eec43598beb765ef94c42bb4d..99ebdb1e436509a2cf5798a2a1e521cfd49f3d46 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -19,6 +19,7 @@ allow mediacodec ion_device:chr_file rw_file_perms;
 allow mediacodec hal_graphics_allocator:fd use;
 allow mediacodec hal_camera:fd use;
 
+crash_dump_fallback(mediacodec)
 
 # hidl access
 hwbinder_use(mediacodec)
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 43d511c181f473dfda7e87ffc6709248ea3ec658..398d413b2e9b2dbc2587ced33bb4836b27001b6f 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -18,6 +18,8 @@ allow mediaextractor system_server:fd use;
 r_dir_file(mediaextractor, cgroup)
 allow mediaextractor proc_meminfo:file r_file_perms;
 
+crash_dump_fallback(mediaextractor)
+
 ###
 ### neverallow rules
 ###
diff --git a/public/te_macros b/public/te_macros
index d6bdf61dcc0c7206a6ae3f25577f9616652b7181..f70d791fd3c952db16fb92c15134f0375ceefb13 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -390,6 +390,18 @@ define(`recovery_only', ifelse(target_recovery, `true', $1, ))
 #
 define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
 
+####################################
+# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
+#
+define(`crash_dump_fallback', `
+userdebug_or_eng(`
+  allow $1 su:fifo_file append;
+')
+allow $1 anr_data_file:file append;
+allow $1 tombstoned:unix_stream_socket connectto;
+allow $1 tombstoned_crash_socket:sock_file write;
+')
+
 #####################################
 # WITH_DEXPREOPT builds
 # SELinux rules which apply only when pre-opting.