diff --git a/private/system_server.te b/private/system_server.te
index fa55ada294d5cb3f264adae7594e0dbe9120a3c6..1d505ab832a0dade35b0cb6e070d695fb1e5500e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -68,16 +68,13 @@ allow system_server self:capability {
     net_raw
     sys_boot
     sys_nice
-    sys_resource
+    sys_ptrace
     sys_time
     sys_tty_config
 };
 
 wakelock_use(system_server)
 
-# Triggered by /proc/pid accesses, not allowed.
-dontaudit system_server self:capability sys_ptrace;
-
 # Trigger module auto-load.
 allow system_server kernel:system module_request;
 
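Review bot: The newly allowed `sys_ptrace` entry in the capability set has no comment, and the deleted dontaudit note ("Triggered by /proc/pid accesses") was the only text explaining where the capability comes up. CAP_SYS_PTRACE is a broad capability, so the reason for granting it belongs next to the grant. Assuming the /proc/PID reads are still the motivation, something like `# sys_ptrace: needed only for /proc/PID file reads; ptrace of other domains is forbidden by a neverallow below.` would do. The `allow system_server self:capability {` statement opens before this hunk, so the comment would go above that statement.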
@@ -697,3 +694,11 @@ neverallow system_server system_server_tmpfs:file execute;
 # dexoptanalyzer is currently used only for secondary dex files which
 # system_server should never access.
 neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
+
+# No ptracing others
+neverallow system_server { domain -system_server }:process ptrace;
+
+# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
+# file read access. However, that is now unnecessary (b/34951864)
+# This neverallow can be removed after b/34951864 is fixed.
+neverallow system_server system_server:capability sys_resource;
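Review bot: The comment above the `sys_resource` neverallow is ambiguous: it says the capability is "now unnecessary (b/34951864)" and then that the rule can be removed "after b/34951864 is fixed". A reader cannot tell whether the bug is the reason for the rule or the condition for removing it, and the sentence ending in `(b/34951864)` lacks a period. A wording such as `# CAP_SYS_RESOURCE used to be needed for sensitive /proc/PID reads and is no longer granted. Remove this assertion once b/34951864 is closed.` would state both. For consistency with the allow statement in the first hunk, the rule could be written `neverallow system_server self:capability sys_resource;`. The `# No ptracing others` comment could also say that excluding `system_server` from the target set is intentional.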