diff --git a/whitechapel_pro/convert-to-ext4-sh.te b/whitechapel_pro/convert-to-ext4-sh.te
deleted file mode 100644
index d64382df..00000000
--- a/whitechapel_pro/convert-to-ext4-sh.te
+++ /dev/null
@@ -1,34 +0,0 @@
-type convert-to-ext4-sh, domain, coredomain;
-type convert-to-ext4-sh_exec, system_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
- permissive convert-to-ext4-sh;
-
- init_daemon_domain(convert-to-ext4-sh)
-
- allow convert-to-ext4-sh block_device:dir search;
- allow convert-to-ext4-sh e2fs_exec:file rx_file_perms;
- allow convert-to-ext4-sh efs_block_device:blk_file rw_file_perms;
- allow convert-to-ext4-sh kernel:process setsched;
- allow convert-to-ext4-sh kmsg_device:chr_file rw_file_perms;
- allow convert-to-ext4-sh persist_block_device:blk_file { getattr ioctl open read write };
- allow convert-to-ext4-sh shell_exec:file rx_file_perms;
- allow convert-to-ext4-sh sysfs_fs_ext4_features:dir { read search };
- allow convert-to-ext4-sh sysfs_fs_ext4_features:file read;
- allow convert-to-ext4-sh tmpfs:dir { add_name create mounton open };
- allow convert-to-ext4-sh tmpfs:dir { remove_name rmdir rw_file_perms setattr };
- allow convert-to-ext4-sh tmpfs:file { create rw_file_perms unlink };
- allow convert-to-ext4-sh toolbox_exec:file rx_file_perms;
- allow convert-to-ext4-sh vendor_persist_type:dir { rw_file_perms search };
- allow convert-to-ext4-sh vendor_persist_type:file rw_file_perms;
-
- allowxperm convert-to-ext4-sh { efs_block_device persist_block_device}:blk_file ioctl {
- BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET LOOP_CLR_FD
- };
-
- dontaudit convert-to-ext4-sh labeledfs:filesystem { mount unmount };
- dontaudit convert-to-ext4-sh self:capability { chown fowner fsetid dac_read_search sys_admin sys_rawio };
- dontaudit convert-to-ext4-sh unlabeled:dir { add_name create mounton open rw_file_perms search setattr };
- dontaudit convert-to-ext4-sh unlabeled:file { create rw_file_perms setattr };
- dontaudit convert-to-ext4-sh convert-to-ext4-sh:capability { dac_override };
-')
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index e528d458..929ea63c 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -93,3 +93,6 @@ type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
 # WLC
 type sysfs_wlc, sysfs_type, fs_type;
+
+# /system_ext/bin/convert_to_ext4.sh
+type convert-to-ext4-sh_exec, system_file_type, exec_type, file_type;
diff --git a/whitechapel_pro/init.te b/whitechapel_pro/init.te
index 3175db8c..a9d3ac0e 100644
--- a/whitechapel_pro/init.te
+++ b/whitechapel_pro/init.te
@@ -19,3 +19,14 @@ allow init sysfs_scsi_devices_0000:file w_file_perms;
 # Workaround for b/193113005 that modem_img unlabeled after disable-verity
 dontaudit init overlayfs_file:file rename;
 dontaudit init overlayfs_file:chr_file unlink;
+
+# /system_ext/bin/convert_to_ext4.sh is a script to convert an f2fs
+# filesystem into an ext4 filesystem. This script is executed on
+# debuggable devices only. As it is a one-shot script which
+# has run in permissive mode since 2022, we transition to the
+# su domain to avoid unnecessarily polluting security policy
+# with rules which are never enforced.
+# This script was added in b/239632964
+userdebug_or_eng(`
+ domain_auto_trans(init, convert-to-ext4-sh_exec, su)
+')
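Review bot: The new `convert-to-ext4-sh_exec` declaration in file.te is unconditional, while its only consumer (the `domain_auto_trans` added to init.te) is wrapped in `userdebug_or_eng`, so on user builds the label exists with no domain allowed to exec it; the one-line comment above the type should say so, so nobody later "fixes" the missing transition on user builds. Suggested comment: `# /system_ext/bin/convert_to_ext4.sh; exec only permitted via the userdebug_or_eng transition in init.te, never on user builds`. The deleted file also declared this type unconditionally, so this preserves the previous behaviour for user builds.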
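Review bot: `domain_auto_trans(init, convert-to-ext4-sh_exec, su)` keeps init's exec of the script working only if the `file_contexts` entry labelling `/system_ext/bin/convert_to_ext4.sh` as `convert-to-ext4-sh_exec` still exists, and that entry is not in this diff; if it was dropped together with the deleted domain file, init would attempt the exec without a transition and be denied, so please confirm it. Moving the script into `su` also discards the only record of what it actually touches: the deleted hunk shows a concrete allow/allowxperm list (efs and persist block devices, the listed ioctls, vendor_persist_type, mounts), and the su domain is, as far as I recall from AOSP's su.te, broadly dontaudit'd, so those avc denials would presumably no longer appear in logs if the script's behaviour ever needs to be re-verified. I would keep a short summary of that list in the comment, e.g. `# Previously confined to efs/persist block devices, ext4 sysfs features, tmpfs and vendor_persist_type (see b/239632964)`. Note the comment says "runs in permissive mode since 2022", but `su` is a full-privilege domain rather than a permissive copy of the old one, so the wording could be tightened to say the script now inherits su's privileges.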