diff --git a/app.te b/app.te
index 2ac243a61f1d802699e0593678933deb04815ae0..0617e739002cf1e03c82c9b2fe7f74e16a14bcab 100644
--- a/app.te
+++ b/app.te
@@ -239,7 +239,9 @@ allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
 
 allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
 # TODO is write really necessary ?
-auditallow { appdomain -isolated_app } ion_device:chr_file { write append };
+auditallow appdomain ion_device:chr_file { write append };
+# TODO audit ion ioctl usage by apps
+auditallow appdomain ion_device:chr_file ioctl;
 
 # TODO: switch to meminfo service
 allow appdomain proc_meminfo:file r_file_perms;
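Review bot: The new `auditallow appdomain ion_device:chr_file ioctl;` logs every granted ion ioctl from every app domain and has no stated exit criterion. If ion sits on a hot allocation path, which seems likely for graphics and media buffers, the volume could hit audit rate limiting and crowd out real denials. I would extend the TODO to say the rule is temporary and what replaces it, e.g. `# TODO audit ion ioctl usage by apps; temporary, replace with an allowxperm allowlist once the command set is known`. Separately, both auditallow rules now drop the `-isolated_app` exclusion while the `allow` above them keeps it, so they only fire for isolated_app if that domain is granted ion access somewhere outside this hunk. A one-line comment naming where that grant lives would make the asymmetry read as intentional.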