diff --git a/app.te b/app.te
index 7896b9ac75a73dd7ea9e19443f6d7cf8bbe7ed31..3400836f8fb047187b5d0f3da40839aa50626645 100644
--- a/app.te
+++ b/app.te
@@ -222,8 +222,8 @@ selinux_check_access(appdomain)
 selinux_check_context(appdomain)
 
 # appdomain should not be accessing information on /sys
-auditallow appdomain sysfs:dir { open getattr read ioctl };
-auditallow appdomain sysfs:file r_file_perms;
+auditallow { appdomain userdebug_or_eng(`-su') } sysfs:dir { open getattr read ioctl };
+auditallow { appdomain userdebug_or_eng(`-su') } sysfs:file r_file_perms;
 
 ###
 ### Neverallow rules
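Review bot: The comment above the two `auditallow` rules still reads "appdomain should not be accessing information on /sys" and gives no reason for the new `-su` exclusion, so a later reader cannot tell whether the carve-out is deliberate. Presumably su is a member of appdomain on userdebug/eng builds and its sysfs reads are expected debugging activity, but that membership is not visible in this hunk. I would add a line such as `# su is excluded on userdebug/eng builds: its sysfs access is expected and would only add audit noise.` Since the exclusion sits inside `userdebug_or_eng`, -user builds keep the original source set, which is also worth stating in the comment because these rules serve as an audit signal for later policy tightening.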
diff --git a/su.te b/su.te
index f263821ab8cd7854598bcb0ded567f6b1d898542..f58f7a3050ac2580122e94a0242439b2b85c5444 100644
--- a/su.te
+++ b/su.te
@@ -5,7 +5,7 @@ userdebug_or_eng(`
   # Domain used for su processes, as well as for adbd and adb shell
   # after performing an adb root command.  The domain definition is
   # wrapped to ensure that it does not exist at all on -user builds.
-  type su, domain, domain_deprecated, mlstrustedsubject;
+  type su, domain, mlstrustedsubject;
   domain_auto_trans(shell, su_exec, su)
 
   # Allow dumpstate to call su on userdebug / eng builds to collect
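Review bot: Dropping `domain_deprecated` from the `type su` declaration removes every allow rule su inherited through that attribute, and nothing in the hunk records that this is intentional or what replaces those grants. The rest of the `userdebug_or_eng` block lies outside the hunk, so it cannot be confirmed from here whether su is permissive or has explicit rules covering the same accesses. If it is permissive, the change would show up as new avc denials in the logs rather than as failures, and those should be checked on a userdebug build. A short comment above the declaration, e.g. `# su deliberately does not carry domain_deprecated; grant anything it needs explicitly.`, would keep the attribute from being re-added later.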