diff --git a/public/domain.te b/public/domain.te
index 38cd275eb4309813f46d7c77d83485c15f20290a..7835e3a2e2663152f6e2f11ca3d046c530e8ae7c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1335,3 +1335,12 @@ neverallow domain {
 
 dontaudit domain proc_type:dir write;
 dontaudit domain sysfs_type:dir write;
+
+# These are only needed in permissive mode - in enforcing mode the
+# directory write check fails and so these are never attempted.
+userdebug_or_eng(`
+  dontaudit domain proc_type:dir add_name;
+  dontaudit domain sysfs_type:dir add_name;
+  dontaudit domain proc_type:file create;
+  dontaudit domain sysfs_type:file create;
+')