diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index 693a1f417a350c767f7a566316f47cc8d0c6d354..8c6f5bfa209e9c92aefbaceee3a24d8168096c93 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -156,25 +156,6 @@ auditallow {
 } cache_file:lnk_file r_file_perms;
 ')
 
-# Allow access to ion memory allocation device
-allow domain_deprecated ion_device:chr_file rw_file_perms;
-# split this auditallow into read and write perms since most domains seem to
-# only require read
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -fingerprintd
- -keystore
- -surfaceflinger
- -system_server
- -tee
- -vold
- -zygote
-} ion_device:chr_file r_file_perms;
-auditallow domain_deprecated ion_device:chr_file { write append };
-')
-
 # Read access to pseudo filesystems.
 r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index e069fd27c5ff7f806f1f301e9623a0e45fef068d..27832b09a5fbb7dbe721427ad9e62757e9ce0f58 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -200,6 +200,9 @@ allow dumpstate proc_zoneinfo:file r_file_perms;
 # Create a service for talking back to system_server
 add_service(dumpstate, dumpstate_service)
 
+# use /dev/ion for screen capture
+allow dumpstate ion_device:chr_file r_file_perms;
+
 ###
 ### neverallow rules
 ###
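Review bot: The comment on the new `allow dumpstate ion_device:chr_file r_file_perms;` rule in public/dumpstate.te does not record that the grant is deliberately read-only, or that it replaces access dumpstate previously inherited from the blanket `rw_file_perms` rule removed from domain_deprecated. A wording such as `# Read-only access to /dev/ion for screen capture; formerly inherited from domain_deprecated.` would keep a later editor from widening it back to rw. This is the only replacement grant visible in the diff. The domains excluded from the removed read auditallow (fingerprintd, keystore, surfaceflinger, system_server, tee, vold, zygote, appdomain) presumably carry their own ion_device rules in files not shown here. That is worth confirming, along with a check for `avc: denied` entries on ion_device on a userdebug build, before relying on this removal.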