diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index f56e8d8618f8cb267938a882f1d6925caee6af31..ea58814e1a353444ca8311c01feae94260f1abc5 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -33,3 +33,9 @@ domain_auto_trans({
     -coredomain
     -appdomain
 }, netutils_wrapper_exec, netutils_wrapper)
+
+# suppress spurious denials
+dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
+
+# netutils wrapper may only use the following capabilities.
+neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };
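Review bot: The new neverallow does not fully back the comment "may only use the following capabilities", because `global_capability_class_set` (as I recall its definition in the policy's global macros, which are not shown here) expands only to `capability` and `cap_userns`. That would leave `capability2`-class permissions unconstrained by this rule. If the intent is a complete allowlist, consider adding `neverallow netutils_wrapper self:global_capability2_class_set *;`. Separately, the `dontaudit` comment should name the operation that triggers the sys_resource check or cite the tracking bug, e.g. `# suppress spurious sys_resource denials (trigger: <operation / bug reference>)`. Without that, a later reader cannot tell a harmless kernel probe from a denial worth investigating.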
diff --git a/private/zygote.te b/private/zygote.te
index 4ea401dceed56d711362b40a602d956b06a74954..0a1a7c6b97a8d446d3074abf547c12f9a82669bd 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -114,6 +114,9 @@ allow zygote tmpfs:dir r_dir_perms;
 get_prop(zygote, overlay_prop)
 get_prop(zygote, exported_overlay_prop)
 
+# ingore spurious denials
+dontaudit zygote self:capability sys_resource;
+
 ###
 ### neverallow rules
 ###
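Review bot: The added comment is misspelled ("ingore") and does not say why the denial is spurious, which matters because zygote is a highly privileged domain and `dontaudit` permanently removes these events from the audit log. I would write something like `# ignore spurious sys_resource denials (trigger: <operation / bug reference>); zygote does not need this capability`. The rule also uses `self:capability`, while the netutils_wrapper hunk in the same commit uses `self:global_capability_class_set`. If the check can also fire inside a user namespace, the `cap_userns` variant would still be logged, so the choice of class should be deliberate and consistent.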