diff --git a/bluetooth.te b/bluetooth.te
index 2b99c3e927db2c7587e5d62c5ffae7261b73f117..146c0e5110d746eefb5d7567f8142ae0dea3a501 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -2,8 +2,6 @@ type bluetooth, domain, domain_deprecated;
 app_domain(bluetooth)
 net_domain(bluetooth)
-# Allow access to net_admin ioctls
-allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
 wakelock_use(bluetooth);
diff --git a/system_server.te b/system_server.te
index 5ccc05f05a68e86c2fc28ddf80304e34805ec574..9fbc66a9ae29dc8c3552700b3ee7f3d66a9e706a 100644
--- a/system_server.te
+++ b/system_server.te
@@ -42,8 +42,8 @@ allow system_server zygote:unix_stream_socket { getopt getattr };
 # system server gets network and bluetooth permissions.
 net_domain(system_server)
 # in addition to ioctls whitelisted for all domains, also allow system_server
-# to use privileged ioctls commands. Needed to set up VPNs.
-allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
+# to use:
+allowxperm system_server self:udp_socket ioctl SIOCSIFFLAGS;
 bluetooth_domain(system_server)
 # These are the capabilities assigned by the zygote to the
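Review bot: The new comment in the system_server.te hunk ends at `# to use:` and drops the rationale the old line carried ("Needed to set up VPNs"), so a later reader cannot tell why this one privileged ioctl is still granted. A comment such as `# to use SIOCSIFFLAGS, the only privileged socket ioctl it still needs (VPN setup).` would record the intent, assuming VPN setup is still the reason. The grant is narrowed only for `self:udp_socket`. Whether system_server has ioctl rules on other socket classes is not visible in this hunk and is worth checking, so the least-privilege tightening is applied consistently.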