diff --git a/native/src/sepolicy/rules.rs b/native/src/sepolicy/rules.rs
index df6715db4..9fe918dba 100644
--- a/native/src/sepolicy/rules.rs
+++ b/native/src/sepolicy/rules.rs
@@ -100,8 +100,9 @@ impl SepolicyMagisk for sepolicy {
 "system_app", "priv_app", "untrusted_app", "untrusted_app_all"],
 [proc], ["unix_stream_socket"], ["connectto", "getopt"]);
 
- // Let everyone access tmpfs files (for SAR sbin overlay)
- allow(["domain"], ["tmpfs"], ["file"], all);
+ // Let selected domains access tmpfs files
+ // For tmpfs overlay on 2SI, Zygisk on lower Android versions and AVD scripts
+ allow(["init", "zygote", "shell"], ["tmpfs"], ["file"], all);
 
 // Allow magiskinit daemon to handle mock selinuxfs
 allow(["kernel"], ["tmpfs"], ["fifo_file"], ["write"]);
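Review bot: The replacement rule `allow(["init", "zygote", "shell"], ["tmpfs"], ["file"], all);` narrows the source domains but keeps the full `all` permission set, so `zygote` and `shell` still hold every `file` permission, write and execute included, on anything labelled `tmpfs`. If each domain needs tmpfs for only one of the reasons in the new comment, split the rule per domain and list only the permissions that use requires. The comment should also say which domain goes with which reason, e.g. `// init: tmpfs overlay on 2SI; zygote: Zygisk on lower Android versions; shell: AVD scripts` (this mapping is inferred from the order of the comment and needs confirming). The `shell` allowance in particular reads as emulator-only from that comment, so it is worth confirming that it has to be part of the policy on real devices. The enclosing `impl` block starts and ends outside this hunk.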