diff --git a/private/init.te b/private/init.te
index 546486508daed965db8671a38338739d958ef624..50b1c94c049d241ff958b17fc4feb7a2f5650533 100644
--- a/private/init.te
+++ b/private/init.te
@@ -25,3 +25,8 @@ userdebug_or_eng(`
 # Sometimes we have to write to non-existent files to avoid conditional
 # init behavior. See b/35303861 for an example.
 dontaudit init sysfs:dir write;
+
+# Suppress false positives when using O_CREAT
+# to open a file that already exists.
+# There's a neverallow rule for this in domain.te
+dontaudit init cgroup:file create;
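Review bot: `dontaudit init cgroup:file create;` suppresses every create denial for init on cgroup files, not only the O_CREAT-on-an-existing-file case the comment describes. Since the comment says domain.te has a neverallow for this permission, a genuine attempt to create a file there would still be denied, but it would no longer leave an avc record for anyone debugging or monitoring the device. I would state that trade-off in the comment, e.g. `# NOTE: this also hides real create attempts; they stay denied by the neverallow in domain.te.`, and cite a tracking bug so the suppression can be revisited. The same applies to the identical rule added to private/zygote.te. The hunk header shows `userdebug_or_eng(` as its context line, so it is worth confirming the rule lands outside that macro if it is meant to apply on user builds as well.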
diff --git a/private/zygote.te b/private/zygote.te
index 4ea401dceed56d711362b40a602d956b06a74954..ab707f1555acc3b5881103b80adb37dbfcbd72b7 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -134,3 +134,8 @@ neverallow zygote {
 
 # Do not allow access to Bluetooth-related system properties and files
 neverallow zygote bluetooth_prop:file create_file_perms;
+
+# Suppress false positives when using O_CREAT
+# to open a file that already exists.
+# There's a neverallow rule for this in domain.te
+dontaudit zygote cgroup:file create;
diff --git a/public/domain.te b/public/domain.te
index 0027efa37828d4dd44081833ce47e6addd6f4fe6..065264824d04332966090c5057c5b745c5fc0d09 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1331,6 +1331,13 @@ neverallow domain {
   sysfs_type
 }:dir { add_name create link remove_name rename reparent rmdir write };
 
+# cgroupfs directories can be created, but not files within them
+# TODO(b/74182216): Remove the installd allow when we're sure it's not used
+neverallow {
+  domain
+  -installd
+} cgroup:file create;
+
 dontaudit domain proc_type:dir write;
 dontaudit domain sysfs_type:dir write;