diff --git a/private/init.te b/private/init.te
index 546486508daed965db8671a38338739d958ef624..50b1c94c049d241ff958b17fc4feb7a2f5650533 100644
--- a/private/init.te
+++ b/private/init.te
@@ -25,3 +25,8 @@ userdebug_or_eng(`
 # Sometimes we have to write to non-existent files to avoid conditional
 # init behavior. See b/35303861 for an example.
 dontaudit init sysfs:dir write;
+
+# Suppress false positives when using O_CREAT
+# to open a file that already exists.
+# There's a neverallow rule for this in domain.te
+dontaudit init cgroup:file create;
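Review bot: The new `dontaudit init cgroup:file create;` drops the audit record for every denied create by init on cgroup files, not only for the O_CREAT-on-an-existing-file case the comment describes, so a genuine creation attempt would also go unlogged. The comment should say so, for example `# The access stays denied; only the avc log entry is suppressed, including for real create attempts.` The same applies to the identical rule added for zygote in private/zygote.te. The hunk header shows `userdebug_or_eng(` as context, and whether the new rule sits inside that block cannot be determined from the hunk; if it does, the suppression would presumably apply only to those build types.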
diff --git a/private/zygote.te b/private/zygote.te
index 4ea401dceed56d711362b40a602d956b06a74954..ab707f1555acc3b5881103b80adb37dbfcbd72b7 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -134,3 +134,8 @@ neverallow zygote {
 
 # Do not allow access to Bluetooth-related system properties and files
 neverallow zygote bluetooth_prop:file create_file_perms;
+
+# Suppress false positives when using O_CREAT
+# to open a file that already exists.
+# There's a neverallow rule for this in domain.te
+dontaudit zygote cgroup:file create;
diff --git a/public/domain.te b/public/domain.te
index 7835e3a2e2663152f6e2f11ca3d046c530e8ae7c..d6bc6ef8b84bb17746d30632a010b6df58c0398b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1333,6 +1333,13 @@ neverallow domain {
   sysfs_type
 }:dir { add_name create link remove_name rename reparent rmdir write };
 
+# cgroupfs directories can be created, but not files within them
+# TODO(b/74182216): Remove the installd allow when we're sure it's not used
+neverallow {
+  domain
+  -installd
+} cgroup:file create;
+
 dontaudit domain proc_type:dir write;
 dontaudit domain sysfs_type:dir write;