diff --git a/private/app.te b/private/app.te
index 9c4461cc5a9288e0a745628c55171a4aeb221491..7dceaaa37377ed338f2a885cdd6fb5cf066739f6 100644
--- a/private/app.te
+++ b/private/app.te
@@ -1,3 +1,7 @@
 # TODO: deal with tmpfs_domain pub/priv split properly
 # Read system properties managed by zygote.
 allow appdomain zygote_tmpfs:file read;
+
+neverallow appdomain system_server:udp_socket {
+        accept append bind create getopt ioctl listen lock name_bind
+        relabelfrom relabelto setattr setopt shutdown };
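Review bot: The new `neverallow appdomain system_server:udp_socket` rule on lines 10-12 has no comment stating what it guards, while every per-domain allow rule in this commit carries one; since this is now the single policy-wide assertion about system_server-provided UDP sockets, its intent should be spelled out. I would add above line 10: `# Apps may use UDP sockets handed to them by system_server only to connect, query and send/receive on them (see the per-domain allow rules); every other socket operation is denied for all app domains.` It is also worth saying in that comment that the assertion moved from untrusted_app to the appdomain attribute, so it now covers every domain carrying that attribute, including ones this commit grants no udp_socket permissions to. The permission list appears to be the complement of the allowed set, which a reader cannot verify without opening the other files, so naming that relationship in the comment would help reviewers of future edits to either side.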
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index dbfbcf9e8531c2042233f8bc7ddb10b2b7beda3c..e0547b6e5e971d5f75ba8695f89d4cf864643b28 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -41,6 +41,10 @@ allow ephemeral_app traced:fd use;
 allow ephemeral_app traced_tmpfs:file { read write getattr map };
 unix_socket_connect(ephemeral_app, traced_producer, traced)
 
+# allow ephemeral apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow ephemeral_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
 ###
 ### neverallow rules
 ###
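Review bot: The allow rule on line 23 is repeated byte-for-byte, comment included, in platform_app.te, priv_app.te, system_app.te and untrusted_app_all.te, which is how the allowed set and the appdomain neverallow in app.te will drift apart on the next edit. If the intent is that every app domain gets exactly this access, a single `allow appdomain system_server:udp_socket { connect getattr read recvfrom sendto write };` placed next to the new neverallow in app.te would keep the permitted and forbidden sets side by side. If some appdomain members are deliberately left out (isolated_app is the likely candidate, but I cannot confirm from this diff), a short comment on each copy naming the domains excluded and why, or a shared macro wrapping the rule, would make that choice visible instead of implicit.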
diff --git a/private/platform_app.te b/private/platform_app.te
index ee0590cad458462d79205b61a891f1cfb30d0f12..2596a8e1686685dbed3e95b7179ea175ac932c13 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -67,6 +67,10 @@ allow platform_app preloads_media_file:dir r_dir_perms;
 
 read_runtime_log_tags(platform_app)
 
+# allow platform apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow platform_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
 ###
 ### Neverallow rules
 ###
diff --git a/private/priv_app.te b/private/priv_app.te
index 92bfc570aa5e1f297068ace3ec03d772c1333947..9909e067ddf9a4aef11b33e89d6ecbe47d5c90cc 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -128,6 +128,10 @@ dontaudit priv_app device:dir read;
 dontaudit priv_app proc_interrupts:file read;
 dontaudit priv_app proc_modules:file read;
 
+# allow privileged apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow priv_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
 ###
 ### neverallow rules
 ###
diff --git a/private/system_app.te b/private/system_app.te
index 7b8f3bfb55fe484f342977a94886506633549afd..c849aeaf30c9e78e9eeb971b8177195a7166d8f1 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -114,6 +114,10 @@ allow system_app {
 control_logd(system_app)
 read_runtime_log_tags(system_app)
 
+# allow system apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow system_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
 ###
 ### Neverallow rules
 ###
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 93a73f143b75eaabcb03925b62f73767d1a0acc5..68c1a41bd19c50f3e2e9d8bc3c0d7d6f9e52b155 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -24,14 +24,6 @@ untrusted_app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
 
-# allow untrusted apps to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow untrusted_app system_server:udp_socket { connect getattr read recvfrom sendto write };
-
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
 create_pty(untrusted_app)
-
-neverallow untrusted_app system_server:udp_socket {
-        accept append bind create getopt ioctl listen lock name_bind
-        relabelfrom relabelto setattr setopt shutdown };
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index e76407bc0b2fd8b2c0a05c4df1552c4ab92d7ded..a43f04c358a9fcd8834ede63996c6bd63b2530d6 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -111,3 +111,7 @@ allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
 allow untrusted_app_all traced:fd use;
 allow untrusted_app_all traced_tmpfs:file { read write getattr map };
 unix_socket_connect(untrusted_app_all, traced_producer, traced)
+
+# allow untrusted apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow untrusted_app_all system_server:udp_socket { connect getattr read recvfrom sendto write };