diff --git a/audioserver.te b/audioserver.te
index 28da2939baed5705a048f75260672cf13c0be2e7..61cb382a8aa357ecc90aee31ff2e3a800d65c5b6 100644
--- a/audioserver.te
+++ b/audioserver.te
@@ -110,6 +110,9 @@ allow audioserver drmserver:drmservice {
     pread
 };
 
+# only allow unprivileged socket ioctl commands
+allowxperm audioserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+
 ###
 ### neverallow rules
 ###
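Review bot: The `allowxperm` line adding `unpriv_sock_ioctls` only takes effect where a base `allow audioserver self:{ rawip_socket tcp_socket udp_socket } ioctl` rule already exists, and no such base rule is visible in this hunk, so the diff alone does not show whether the extended-permission check is actually engaged for audioserver. The comment also understates the mechanism: once any allowxperm rule exists for a source/target/class triple, every ioctl not listed in it is denied, which is what turns this line into a restriction rather than a grant. I would extend the comment to `# only allow unprivileged socket ioctl commands; once this xperm rule exists, any ioctl not in unpriv_sock_ioctls is denied on these socket classes (requires the base ioctl allow rule)`. The mediaserver.te hunk adding the identical allowxperm has the same point.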
@@ -117,3 +120,6 @@ allow audioserver drmserver:drmservice {
 # audioserver should never execute any executable without a
 # domain transition
 neverallow audioserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm audioserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
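Review bot: The `neverallowxperm` targets `domain` while the `allowxperm` earlier in the file targets `self`, so the prohibition covers sockets labelled with any domain (including ones passed to audioserver by another process) whereas the grant covers only audioserver's own sockets; the asymmetry looks deliberate but is undocumented, and a reader comparing the two rules could read it as an inconsistency. Worth stating in the comment: `# do not allow privileged socket ioctl commands on any domain's sockets, not just our own`. Both files receive byte-identical allowxperm/neverallowxperm pairs; if the intent is that no such service domain may issue priv_sock_ioctls, the neverallowxperm is better expressed once in the shared domain.te policy than duplicated per domain, though whether other domains legitimately need these ioctls is not visible here. The mediaserver.te hunk adding the same neverallowxperm has the same points.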
diff --git a/mediaserver.te b/mediaserver.te
index c23cda1dee76ebdbe4860a396dc34be7643a67a6..cdc90d17bdbbc8739d3c243c00d50e17e05719db 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -110,6 +110,9 @@ allow mediaserver drmserver:drmservice {
     pread
 };
 
+# only allow unprivileged socket ioctl commands
+allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+
 ###
 ### neverallow rules
 ###
@@ -117,3 +120,6 @@ allow mediaserver drmserver:drmservice {
 # mediaserver should never execute any executable without a
 # domain transition
 neverallow mediaserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;