diff --git a/debuggerd.te b/debuggerd.te
index 66eac1cea510ce058afdc429a8f0d05a7a99a285..0443aef189f4f1aff171f829b53584e7333090fe 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -8,7 +8,7 @@ allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
 allow debuggerd self:capability2 { syslog };
 allow debuggerd domain:dir r_dir_perms;
 allow debuggerd domain:file r_file_perms;
-allow debuggerd domain:process ptrace;
+allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd }:process ptrace;
 security_access_policy(debuggerd)
 allow debuggerd system_data_file:dir create_dir_perms;
 allow debuggerd system_data_file:dir relabelfrom;
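Review bot: The exclusion set on the new `allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd }:process ptrace;` rule carries no comment explaining why these five domains are carved out, so a later editor has nothing to check an addition or removal against. A line above it such as `# debuggerd may ptrace any domain except these core daemons; keep this set in sync with the ptrace neverallow in domain.te.` would record the intent. Separately, the unchanged `allow debuggerd domain:dir r_dir_perms;` and `allow debuggerd domain:file r_file_perms;` rules just above still cover the excluded domains. If the goal is to keep debuggerd away from those daemons entirely rather than only to block tracing, those two rules may need the same exclusion set; that intent is not visible from this hunk.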
diff --git a/domain.te b/domain.te
index 2b7c0a676f3d626578ecd973a455b8e601f502cf..701297f9d9a0ba04a05234c7f0c49df938b89dc4 100644
--- a/domain.te
+++ b/domain.te
@@ -156,3 +156,6 @@ neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };
 neverallow { domain -init } proc_security:file { append write };
+
+# No domain should be allowed to ptrace init.
+neverallow domain init:process ptrace;
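Review bot: The new `neverallow domain init:process ptrace;` protects only init, while the debuggerd.te change in this commit also excludes ueventd, watchdogd, healthd and adbd from tracing. Those four exclusions are enforced only by the current wording of individual allow rules, so a later rule could grant ptrace on them again without a policy build failure. If they are meant to be untraceable like init, the assertion could read `neverallow domain { init ueventd watchdogd healthd adbd }:process ptrace;`. That assumes no other policy file grants ptrace on them, which cannot be confirmed from this diff. If only init is meant to be guaranteed, the comment should say so: `# No domain should be allowed to ptrace init; other daemons are excluded per-rule, not asserted.`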
diff --git a/unconfined.te b/unconfined.te
index d6c8598b0c7a517798272f5f1467bcc0c9dea541..daa6849828c3f6a839c1ecccaa1d62ffa1c4c459 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -20,7 +20,7 @@ allow unconfineddomain self:capability_class_set *;
 allow unconfineddomain kernel:security ~{ load_policy setenforce };
 allow unconfineddomain kernel:system *;
 allow unconfineddomain self:memprotect *;
-allow unconfineddomain domain:process *;
+allow unconfineddomain domain:process ~ptrace;
 allow unconfineddomain domain:fd *;
 allow unconfineddomain domain:dir r_dir_perms;
 allow unconfineddomain domain:lnk_file r_file_perms;
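Review bot: Changing the rule to `allow unconfineddomain domain:process ~ptrace;` withdraws ptrace toward every target, including processes in the unconfined domain's own type, and the hunk adds no replacement rule or comment. Any unconfined domain that legitimately traces its own children would start hitting denials unless a per-domain rule exists elsewhere, which is not visible here. A comment above the line would make the restriction explicit, for example `# ptrace is deliberately withheld from unconfined domains; grant it per-domain where tracing is required.`. That would also discourage someone from restoring `*` later.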