diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 8f574f24cbe1ece5645f45d8f9427238e68f0416..6a51e617e8385454b7f3d182621c02cabd7e3dd0 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -158,25 +158,6 @@ auditallow {
 } cache_file:lnk_file r_file_perms;
 ')
 
-# Allow access to ion memory allocation device
-allow domain_deprecated ion_device:chr_file rw_file_perms;
-# split this auditallow into read and write perms since most domains seem to
-# only require read
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -fingerprintd
- -keystore
- -surfaceflinger
- -system_server
- -tee
- -vold
- -zygote
-} ion_device:chr_file r_file_perms;
-auditallow domain_deprecated ion_device:chr_file { write append };
-')
-
 # Read access to pseudo filesystems.
 r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 9b54329773228a4e91250270f64a8c6d8d3f291d..ee27cbee7c78ea966b420b59ebe5a471f585ab76 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -194,6 +194,9 @@ allow dumpstate proc_zoneinfo:file r_file_perms;
 # Create a service for talking back to system_server
 add_service(dumpstate, dumpstate_service)
 
+# use /dev/ion for screen capture
+allow dumpstate ion_device:chr_file r_file_perms;
+
 ###
 ### neverallow rules
 ###
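Review bot: The comment above `allow dumpstate ion_device:chr_file r_file_perms;` in public/dumpstate.te says what the access is for but not that it is deliberately read-only, which is the security-relevant part now that the blanket `rw_file_perms` grant is removed from domain_deprecated in the same commit. I would word it as `# Screen capture uses /dev/ion; read-only perms (open/ioctl) are enough, do not widen to rw_file_perms.` so a later edit does not quietly restore write access. That dumpstate previously got this access through domain_deprecated is inferred from the pairing of the two hunks, not shown in them. The neverallow section starts right after the added lines and continues outside the hunk; if the read-only limit is meant to hold, that is the place for a rule pinning it.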