diff --git a/bluetoothdomain.te b/bluetoothdomain.te
index 9626e4b4b0c7196df4349ce0572802fd3a32654c..a84ddf88d8e2f0f7898407647205aca21e41f52c 100644
--- a/bluetoothdomain.te
+++ b/bluetoothdomain.te
@@ -3,9 +3,11 @@
# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
# TODO: This should no longer be needed with bluedroid for bluetooth
# but may be getting used for other non-bluetooth sockets that has no
-# specific class defined. Consider taking to specific domains.
+# specific class defined. Consider taking to specific domains. (b/25768265)
allow bluetoothdomain self:socket create_socket_perms;
+auditallow { bluetoothdomain -system_server } self:socket create_socket_perms;
# Allow clients to use a socket provided by the bluetooth app.
-# TODO: See if this is still required under bluedroid.
+# TODO: See if this is still required under bluedroid. (b/25767747)
allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
+auditallow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
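Review bot: The two added `auditallow` lines carry no comment saying they are temporary instrumentation, so a later reader cannot tell that the logging exists to decide whether the `allow` rules above them can be narrowed or dropped. I would add a line such as `# auditallow: log remaining users of this rule so it can be moved to specific domains or removed.` above each one. The first `auditallow` excludes system_server while the `allow` before it still covers the whole attribute; a short note that system_server gets its own rule in system_server.te would explain the exclusion. The second one audits `read` and `write`, which may produce many audit records on a busy socket; that is presumably acceptable while gathering data, but worth confirming before it ships widely.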
diff --git a/system_server.te b/system_server.te
index 476a6be6282cdd278b7cb48f68baa31439ad682a..96d8773f7149454ac3188b0ec253add9b0113149 100644
--- a/system_server.te
+++ b/system_server.te
@@ -65,6 +65,10 @@ allow system_server self:netlink_kobject_uevent_socket create_socket_perms;
# Use generic netlink sockets.
allow system_server self:netlink_socket create_socket_perms;
+# Use generic "sockets" where the address family is not known
+# to the kernel.
+allow system_server self:socket create_socket_perms;
+
# Set and get routes directly via netlink.
allow system_server self:netlink_route_socket nlmsg_write;
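Review bot: The new comment says the address family is "not known to the kernel", but the generic `socket` class is what SELinux assigns when a family has no dedicated security class; the kernel itself still handles the family. The grant is therefore broader than the comment suggests, since it gives system_server full `create_socket_perms` on every such family. I would reword it to `# Use generic "sockets" for address families that have no specific SELinux socket class.` and add `# TODO: identify the families actually used and narrow this rule.` so it is revisited. This matches how the bluetoothdomain.te rules in this commit are tracked for later tightening.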