diff --git a/assert.te b/assert.te
index 85cb48be87f219869af3f1f79676698ba83ef72f..6e43519c86c01616314bacec200f295f188a6c38 100644
--- a/assert.te
+++ b/assert.te
@@ -5,7 +5,8 @@
 
 # Superuser capabilities.
 # Only exception is sys_nice for binder, might not be necessary.
-neverallow appdomain self:capability ~sys_nice;
+neverallow { appdomain -bluetooth } self:capability ~sys_nice;
+neverallow bluetooth self:capability ~{ sys_nice net_admin };
 neverallow appdomain self:capability2 *;
 
 # Block device access.
diff --git a/bluetooth.te b/bluetooth.te
index ac7233f10518518691fbbb9d1ea53e2dc4f825e9..102ee20e804c9d81397eee19983537ed8637a616 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -15,7 +15,7 @@ allow bluetooth input_device:chr_file write;
 
 # sysfs access.
 allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
-dontaudit bluetooth self:capability net_admin;
+allow bluetooth self:capability net_admin;
 
 # Other domains that can create and use bluetooth sockets.
 # SELinux does not presently define a specific socket class for