diff --git a/private/init.te b/private/init.te
index 50b1c94c049d241ff958b17fc4feb7a2f5650533..e9959d3d27aecafc2843fc541d6f0fe661e19c02 100644
--- a/private/init.te
+++ b/private/init.te
@@ -20,13 +20,3 @@ domain_trans(init, { rootfs toolbox_exec }, modprobe)
 userdebug_or_eng(`
   domain_auto_trans(init, logcat_exec, logpersist)
 ')
-
-# Creating files on sysfs is impossible so this isn't a threat
-# Sometimes we have to write to non-existent files to avoid conditional
-# init behavior. See b/35303861 for an example.
-dontaudit init sysfs:dir write;
-
-# Suppress false positives when using O_CREAT
-# to open a file that already exists.
-# There's a neverallow rule for this in domain.te
-dontaudit init cgroup:file create;
diff --git a/private/zygote.te b/private/zygote.te
index ab707f1555acc3b5881103b80adb37dbfcbd72b7..4ea401dceed56d711362b40a602d956b06a74954 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -134,8 +134,3 @@ neverallow zygote {
 
 # Do not allow access to Bluetooth-related system properties and files
 neverallow zygote bluetooth_prop:file create_file_perms;
-
-# Suppress false positives when using O_CREAT
-# to open a file that already exists.
-# There's a neverallow rule for this in domain.te
-dontaudit zygote cgroup:file create;
diff --git a/public/domain.te b/public/domain.te
index 89e58ed1edff1c042822f8e043d9e1c189113d02..1b7bbd4abf30f44bd89fd48c49205344feabc822 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1329,23 +1329,23 @@ neverallow {
 } self:capability dac_override;
 neverallow { domain -traced_probes } self:capability dac_read_search;
 
-# If an already existing file is opened with O_CREATE, the kernel might generate
+# If an already existing file is opened with O_CREAT, the kernel might generate
 # a false report of a create denial. Silence these denials and make sure that
 # inappropriate permissions are not granted.
+
+# These filesystems don't allow files or directories to be created, so the permission
+# to do so should never be granted.
 neverallow domain {
   proc_type
   sysfs_type
 }:dir { add_name create link remove_name rename reparent rmdir write };
 
-# cgroupfs directories can be created, but not files within them
-# TODO(b/74182216): Remove the installd allow when we're sure it's not used
-neverallow {
-  domain
-  -installd
-} cgroup:file create;
+# cgroupfs directories can be created, but not files within them.
+neverallow domain cgroup:file create;
 
 dontaudit domain proc_type:dir write;
 dontaudit domain sysfs_type:dir write;
+dontaudit domain cgroup:file create;
 
 # These are only needed in permissive mode - in enforcing mode the
 # directory write check fails and so these are never attempted.
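Review bot: The added `dontaudit domain cgroup:file create;` applies to every domain and carries no comment of its own, and the new blank line after the O_CREAT explanation leaves that header detached from the rules it describes. The rule hides genuine create attempts as well as the O_CREAT false positive. Because this commit also drops the `-installd` exception and installd's allow rule, any remaining installd attempt to create a cgroup file would presumably be denied without an avc log. I would put the rationale directly on the rule, e.g. `# O_CREAT on an existing cgroup file can report a spurious create denial; the neverallow above ensures the permission is never actually granted.`, and confirm the installd path is unused before the suppression lands. The dontaudit group continues past the end of this hunk, so the rules under the permissive-mode comment are not visible here.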
diff --git a/public/init.te b/public/init.te
index 254d8e080f1d6588724084040662926c0a0cf06a..c34e02842d367d7d4b1b94772c35b73bfe4f7a59 100644
--- a/public/init.te
+++ b/public/init.te
@@ -326,11 +326,6 @@ allow init {
 # Allow init to write to vibrator/trigger
 allow init sysfs_vibrator:file w_file_perms;
 
-# Creating files on sysfs is impossible so this isn't a threat.
-# We may write to a non-existent file to avoid conditional
-# init behavior.
-dontaudit init sysfs_vibrator:dir write;
-
 # init chmod/chown access to /sys files.
 allow init {
   sysfs_android_usb
diff --git a/public/installd.te b/public/installd.te
index fad4562addb48ee5abb4be5f2dc6f6645f53c291..6aba962ddbf81e4b3c1bc75058d5634e9d8bc5a2 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -19,7 +19,6 @@ allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
 allow installd oemfs:dir r_dir_perms;
 allow installd oemfs:file r_file_perms;
 allow installd cgroup:dir create_dir_perms;
-allow installd cgroup:{ file lnk_file } create_file_perms;
 allow installd mnt_expand_file:dir { search getattr };
 # Check validity of SELinux context before use.
 selinux_check_context(installd)