diff --git a/private/coredomain.te b/private/coredomain.te
index bac494f75..4e3d6fd9d 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -49,7 +49,7 @@ full_treble_only(`
 -idmap
 -init
 -installd
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
 -postinstall_dexopt
 -rs # spawned by appdomain, so carryover the exception above
 -system_server
@@ -66,7 +66,7 @@ full_treble_only(`
 -idmap
 -init
 -installd
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
 userdebug_or_eng(`-profcollectd')
 -postinstall_dexopt
 -rs # spawned by appdomain, so carryover the exception above
@@ -93,7 +93,7 @@ full_treble_only(`
 -app_zygote
 -webview_zygote
 -zygote
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
 } vendor_overlay_file:dir { getattr open read search };
 ')
@@ -113,7 +113,7 @@ full_treble_only(`
 -app_zygote
 -webview_zygote
 -zygote
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
 userdebug_or_eng(`-profcollectd')
 } vendor_overlay_file:file open;
 ')
diff --git a/private/domain.te b/private/domain.te
index d4f9e0e2e..e6b26f4cc 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -11,7 +11,7 @@ allow domain crash_dump:process sigchld;
 # necessary SELinux permissions.
 get_prop(domain, heapprofd_prop);
 # Allow heap profiling on debug builds.
-userdebug_or_eng(`can_profile_heap_central({
+userdebug_or_eng(`can_profile_heap({
 domain
 -bpfloader
 -init
@@ -307,7 +307,7 @@ neverallow ~{
 iorap_prefetcherd
 traced_perf
 traced_probes
- userdebug_or_eng(`heapprofd')
+ heapprofd
 } self:global_capability_class_set dac_read_search;
 # Limit what domains can mount filesystems or change their mount flags.
@@ -414,7 +414,7 @@ full_treble_only(`
 -iorap_inode2filename
 -iorap_prefetcherd
 -kernel # loads /vendor/firmware
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
 userdebug_or_eng(`-profcollectd')
 -shell
 -system_executes_vendor_violators
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 5f1476ec4..50039c2e1 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
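Review bot: The `heapprofd` entry in the `dac_read_search` neverallow exemption list (private/domain.te, hunk at line 307) now holds on every build type, and nothing at this site records why a daemon present on user builds needs a capability that bypasses DAC read/search checks; the only rationale is the "Some dex files are not world-readable" comment over in private/heapprofd.te. A short comment on the new entry would keep that reason next to the exemption, e.g. `heapprofd # reads non-world-readable dex files for unwinding; see private/heapprofd.te`. The enclosing neverallow starts outside the hunk. The capability only relaxes DAC checks and the allow rules in heapprofd.te still bound which types are readable, so the exposure from a compromised heapprofd is limited to files of those types, which is worth saying where the exemption is granted.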
@@ -39,19 +39,14 @@ perfetto_producer(heapprofd)
 # When handling profiling for all processes, heapprofd needs to read
 # executables/libraries/etc to do stack unwinding.
-userdebug_or_eng(`
- r_dir_file(heapprofd, nativetest_data_file)
- r_dir_file(heapprofd, system_file_type)
- r_dir_file(heapprofd, apk_data_file)
- r_dir_file(heapprofd, dalvikcache_data_file)
- r_dir_file(heapprofd, vendor_file_type)
- r_dir_file(heapprofd, shell_data_file)
- # Some dex files are not world-readable.
- # We are still constrained by the SELinux rules above.
- allow heapprofd self:global_capability_class_set dac_read_search;
-
- allow heapprofd proc_kpageflags:file r_file_perms;
-')
+r_dir_file(heapprofd, nativetest_data_file)
+r_dir_file(heapprofd, system_file_type)
+r_dir_file(heapprofd, apk_data_file)
+r_dir_file(heapprofd, dalvikcache_data_file)
+r_dir_file(heapprofd, vendor_file_type)
+# Some dex files are not world-readable.
+# We are still constrained by the SELinux rules above.
+allow heapprofd self:global_capability_class_set dac_read_search;
 # For checking profileability.
 allow heapprofd packages_list_file:file r_file_perms;
diff --git a/public/domain.te b/public/domain.te
index cc16e9787..df398e665 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1204,7 +1204,6 @@ neverallow {
 domain
 -shell
 userdebug_or_eng(`-uncrypt')
- userdebug_or_eng(`-heapprofd')
 -installd
 } shell_data_file:lnk_file read;
@@ -1233,7 +1232,6 @@ neverallow {
 -simpleperf_app_runner
 -system_server # why?
 userdebug_or_eng(`-uncrypt')
- userdebug_or_eng(`-heapprofd')
 } shell_data_file:dir { open search };
 # Same as above for /data/local/tmp files. We allow shell files
@@ -1245,7 +1243,6 @@ neverallow {
 -dumpstate
 -installd
 userdebug_or_eng(`-uncrypt')
- userdebug_or_eng(`-heapprofd')
 } shell_data_file:file open;
 # servicemanager and vndservicemanager are the only processes which handle the
diff --git a/public/te_macros b/public/te_macros
index 467ac4441..1966f2058 100644
--- a/public/te_macros
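Review bot: The unconditional rewrite in private/heapprofd.te silently drops two rules the userdebug_or_eng block used to carry, `r_dir_file(heapprofd, shell_data_file)` and `allow heapprofd proc_kpageflags:file r_file_perms;`, and nothing in the hunk says whether that is deliberate. Dropping shell_data_file lines up with the public/domain.te hunks that remove heapprofd's exemption from the shell_data_file neverallows, but the proc_kpageflags removal has no counterpart visible in this diff, so either the commit message should state it is intentionally gone or the rule should be restored. Since the remaining rules (reading all of system_file_type and vendor_file_type plus the `dac_read_search` capability) now hold on user builds as well, the comment above them should say so instead of reading as debug-only context, e.g. `# These rules now apply on all build types, not only userdebug/eng.`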
+++ b/public/te_macros
@@ -693,40 +693,9 @@ define(`hal_attribute_service', `
 ###################################
 # can_profile_heap(domain)
-# Allow processes within the domain to have their heap profiled by heapprofd.
-#
-# Note that profiling is performed differently between debug and user builds.
-# There are two modes for profiling:
-# * forked
-# * central.
-# On user builds, the default is to allow only forked mode. If it is desired
-# to allow central mode as well for a domain, use can_profile_heap_central.
-# On userdebug, this macro allows both forked and central.
-define(`can_profile_heap', `
- # Allow central daemon to send signal for client initialization.
- allow heapprofd $1:process signal;
-
- # Allow executing a private heapprofd process to handle profiling on
- # user builds (also debug builds for testing & development purposes).
- allow $1 heapprofd_exec:file rx_file_perms;
-
- # Allow directory & file read to the central heapprofd daemon, as it scans
- # /proc/[pid]/cmdline for by-process-name profiling configs.
- # Note that this excludes /proc/[pid]/mem, as it requires ptrace capabilities.
- allow heapprofd $1:file r_file_perms;
- allow heapprofd $1:dir r_dir_perms;
-
- # Profilability on user implies profilability on userdebug and eng.
- userdebug_or_eng(`
- can_profile_heap_central($1)
- ')
-')
- ###################################
-# can_profile_heap_central(domain)
 # Allow processes within the domain to have their heap profiled by central
 # heapprofd.
-define(`can_profile_heap_central', `
+define(`can_profile_heap', `
 # Allow central daemon to send signal for client initialization.
 allow heapprofd $1:process signal;
 # Allow connecting to the daemon.
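Review bot: The surviving `can_profile_heap` is the former central-mode macro, so every domain that invoked the old `can_profile_heap` for forked mode loses `allow $1 heapprofd_exec:file rx_file_perms;` and the `/proc/[pid]` file/dir read rules that block granted, yet the macro's header comment no longer mentions that the forked mode was removed at all. The header comment at the top of the hunk should record that, e.g. `# The former forked mode (the profiled domain executing heapprofd_exec itself) is no longer provided by this macro; only central heapprofd remains, on every build type.` Given the other hunks drop the userdebug_or_eng wrapping around heapprofd's own rules, central mode appears to be the only mode on all build types, but that inference should be confirmed against the commit message. The body of the new define continues past the end of the hunk, so I cannot see whether the cmdline/dir read rules of the old macro are still granted there.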