diff --git a/public/app.te b/public/app.te
index a443bbce0d35b05b37d1444f7c5f1ba360787514..6cb3382cc322c600cb6334649f2a48a8b4041341 100644
--- a/public/app.te
+++ b/public/app.te
@@ -239,9 +239,9 @@ allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
 
 allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
 # TODO is write really necessary ?
-auditallow appdomain ion_device:chr_file { write append };
+auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
 # TODO audit ion ioctl usage by apps
-auditallow appdomain ion_device:chr_file ioctl;
+auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file ioctl;
 
 allow { appdomain -isolated_app } hal_graphics_allocator:fd use;