diff --git a/audioserver.te b/audioserver.te
index ea7f6d95e1b3c40fa587bdeb7450e7f137e29e49..da12649e303b305b749b5f264490fb38efb89eab 100644
--- a/audioserver.te
+++ b/audioserver.te
@@ -51,3 +51,5 @@ unix_socket_connect(audioserver, bluetooth, bluetooth)
 # domain transition
 neverallow audioserver { file_type fs_type }:file execute_no_trans;
 
+# audioserver should never need network access. Disallow network sockets.
+neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/cameraserver.te b/cameraserver.te
index 6520969a7f4e99195521a2cd9402e53b079156da..4f50f8d9400500f0b3a96c32f09c5ad2e9780983 100644
--- a/cameraserver.te
+++ b/cameraserver.te
@@ -34,3 +34,6 @@ allow cameraserver surfaceflinger_service:service_manager find;
 # cameraserver should never execute any executable without a
 # domain transition
 neverallow cameraserver { file_type fs_type }:file execute_no_trans;
+
+# cameraserver should never need network access. Disallow network sockets.
+neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/mediacodec.te b/mediacodec.te
index adba40be8cea6a994318da2d622472f033e0d8c6..3d3625ab73b1077a839d5fc6edfc847fb56d2a59 100644
--- a/mediacodec.te
+++ b/mediacodec.te
@@ -26,6 +26,5 @@ allow mediacodec ion_device:chr_file rw_file_perms;
 # domain transition
 neverallow mediacodec { file_type fs_type }:file execute_no_trans;
 
-# mediacodec should never need network access. Disallow all sockets
-# other than those needed for normal system functions
-neverallow mediacodec { domain -debuggerd -dumpstate -adbd -mediacodec -logd userdebug_or_eng(`-su')}:socket_class_set *;
+# mediacodec should never need network access. Disallow network sockets.
+neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/mediaextractor.te b/mediaextractor.te
index 5936eb6ea289a750c00d350dbc811d8ffea87b7d..3ebb5b70ffd8dcc7745958156f84f6da016218e4 100644
--- a/mediaextractor.te
+++ b/mediaextractor.te
@@ -21,6 +21,5 @@ allow mediaextractor mediaextractor_service:service_manager add;
 # domain transition
 neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
 
-# mediaextractor should never need network access. Disallow all sockets
-# other than those needed for normal system functions
-neverallow mediaextractor { domain -debuggerd -dumpstate -adbd -mediaextractor -logd userdebug_or_eng(`-su')}:socket_class_set *;
+# mediaextractor should never need network access. Disallow network sockets.
+neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;