diff --git a/prebuilts/api/202404/public/fsck_untrusted.te b/prebuilts/api/202404/public/fsck_untrusted.te
index 0975d3f10..7e981bf27 100644
--- a/prebuilts/api/202404/public/fsck_untrusted.te
+++ b/prebuilts/api/202404/public/fsck_untrusted.te
@@ -51,7 +51,7 @@ neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
 # fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
 # permissions, that is a code mistake that needs to be fixed, not a permission that
 # should be granted. Same with setgid and setuid.
-neverallow fsck_untrusted self:global_capability_class_set { setgid setuid };
+neverallow fsck_untrusted self:global_capability_class_set { setgid setuid sys_admin };
 
 ###
 ### dontaudit rules
diff --git a/private/fsck_untrusted.te b/private/fsck_untrusted.te
index 682831ff2..36ea05f98 100644
--- a/private/fsck_untrusted.te
+++ b/private/fsck_untrusted.te
@@ -50,7 +50,7 @@ neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
 # fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
 # permissions, that is a code mistake that needs to be fixed, not a permission that
 # should be granted. Same with setgid and setuid.
-neverallow fsck_untrusted self:global_capability_class_set { setgid setuid sys_admin };
+neverallow fsck_untrusted self:global_capability_class_set { setgid setuid };
 
 ###
 ### dontaudit rules