diff --git a/public/domain.te b/public/domain.te
index d666362dbb02c39e51cd96de7a07c4ac491d66fb..bdb87fe590cc5019efec58ba89cea9fceea457d8 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1224,3 +1224,29 @@ full_treble_only(`
 -perfprofd
 } vendor_file:file { create_file_perms x_file_perms };
 ')
+
+# Minimize dac_override and dac_read_search.
+# Instead of granting them it is usually better to add the domain to
+# a Unix group or change the permissions of a file.
+neverallow {
+ domain
+ -dnsmasq
+ -dumpstate
+ -init
+ -installd
+ -install_recovery
+ -lmkd
+ -netd
+ -perfprofd
+ -postinstall_dexopt
+ -recovery
+ -sdcardd
+ -tee
+ -ueventd
+ -uncrypt
+ -vendor_init
+ -vold
+ -vold_prepare_subdirs
+ -zygote
+} self:capability dac_override;
+neverallow domain self:capability dac_read_search;
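Review bot: The final rule `neverallow domain self:capability dac_read_search;` has no exception list although the dac_override rule just above exempts eighteen domains, and the comment block does not say whether this asymmetry is intended. On kernels that test CAP_DAC_READ_SEARCH before CAP_DAC_OVERRIDE for read and directory-search access, the exempted domains would be expected to log dac_read_search denials that policy can then only silence with dontaudit, which hides the accesses this change is meant to surface. Either document the intent above the rule, e.g. `# No domain may hold dac_read_search, including those exempted from the dac_override rule above.`, or move the exemptions into a shared set that both rules reference. Both rules also name only the `capability` class, so if `cap_userns` is defined in this tree it is worth confirming that it is constrained elsewhere.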