diff --git a/public/logpersist.te b/public/logpersist.te
index 7fb3ccfea0d70843f60b8489acdafe26f6f4be85..7536cb84d853fd5abe88d8b65faee0ba18b5d942 100644
--- a/public/logpersist.te
+++ b/public/logpersist.te
@@ -15,6 +15,12 @@ neverallow logpersist domain:process ptrace;
 # Write to files in /data/data or system files on /data except misc_logd_file
 neverallow logpersist { app_data_file system_data_file }:dir_file_class_set write;
 
-# Only init is allowed to enter the logpersist domain via exec()
-#neverallow { domain -init } logpersist:process transition;
-#neverallow * logpersist:process dyntransition;
+# Only init should be allowed to enter the logpersist domain via exec()
+# Following is a list of debug domains we know that transition to logpersist
+# neverallow_with_undefined_domains {
+#   domain
+#   -init       # goldfish, logcatd, raft
+#   -mmi        # bat, mtp8996, msmcobalt
+#   -system_app # Smith.apk
+# } logpersist:process transition;
+neverallow * logpersist:process dyntransition;