diff --git a/app.te b/app.te
index e2cdcc22de26264a55892df6e9675f7990fd7784..9a86d1c1e3ac8f2943217d03d4d9942bb40c001d 100644
--- a/app.te
+++ b/app.te
@@ -219,8 +219,8 @@ selinux_check_access(appdomain)
 selinux_check_context(appdomain)
 
 # appdomain should not be accessing information on /sys
-auditallow appdomain sysfs:dir { open getattr read ioctl };
-auditallow appdomain sysfs:file r_file_perms;
+auditallow { appdomain userdebug_or_eng(`-su') } sysfs:dir { open getattr read ioctl };
+auditallow { appdomain userdebug_or_eng(`-su') } sysfs:file r_file_perms;
 
 ###
 ### Neverallow rules
diff --git a/su.te b/su.te
index f263821ab8cd7854598bcb0ded567f6b1d898542..f58f7a3050ac2580122e94a0242439b2b85c5444 100644
--- a/su.te
+++ b/su.te
@@ -5,7 +5,7 @@ userdebug_or_eng(`
   # Domain used for su processes, as well as for adbd and adb shell
   # after performing an adb root command.  The domain definition is
   # wrapped to ensure that it does not exist at all on -user builds.
-  type su, domain, domain_deprecated, mlstrustedsubject;
+  type su, domain, mlstrustedsubject;
   domain_auto_trans(shell, su_exec, su)
 
   # Allow dumpstate to call su on userdebug / eng builds to collect