diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index 2130351153cdf9cd3af52ea209996f8194b21d57..ec478d1596b7ac82080c923fc90a7c6d97f64a28 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -149,25 +149,6 @@ auditallow {
 } cache_file:lnk_file r_file_perms;
 ')
 
-# Allow access to ion memory allocation device
-allow domain_deprecated ion_device:chr_file rw_file_perms;
-# split this auditallow into read and write perms since most domains seem to
-# only require read
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -fingerprintd
- -keystore
- -surfaceflinger
- -system_server
- -tee
- -vold
- -zygote
-} ion_device:chr_file r_file_perms;
-auditallow domain_deprecated ion_device:chr_file { write append };
-')
-
 # Read access to pseudo filesystems.
 r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 4f66ffb4a7daca1ce0d5ade9aff15219678781e8..9bc1ce5af57bbe38d2299ac5a2d51f068cef8508 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -199,6 +199,9 @@ allow dumpstate proc_zoneinfo:file r_file_perms;
 # Create a service for talking back to system_server
 add_service(dumpstate, dumpstate_service)
 
+# use /dev/ion for screen capture
+allow dumpstate ion_device:chr_file r_file_perms;
+
 ###
 ### neverallow rules
 ###
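Review bot: The comment above the added `allow dumpstate ion_device:chr_file r_file_perms;` in public/dumpstate.te gives the purpose but not the scope of the grant, which matters now that the blanket `rw_file_perms` rule is gone from domain_deprecated. As defined in AOSP's global macros, `r_file_perms` includes `ioctl` as well as open/read, and ion is driven through ioctls, so this rule permits more than passive reads of the device. I would spell that out for the next auditor, for example `# /dev/ion is opened read-only and used via ioctl during screen capture; write/append are intentionally not granted`. Which binary in the dumpstate domain actually opens the device is not visible in this diff, so that detail should be confirmed before it goes into the comment.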