diff --git a/private/app.te b/private/app.te
index 7dceaaa37377ed338f2a885cdd6fb5cf066739f6..f3e1e2a09c3f1600e5f956ff7b5434e4928c71ff 100644
--- a/private/app.te
+++ b/private/app.te
@@ -3,5 +3,5 @@
 allow appdomain zygote_tmpfs:file read;
 
 neverallow appdomain system_server:udp_socket {
-        accept append bind create getopt ioctl listen lock name_bind
-        relabelfrom relabelto setattr setopt shutdown };
+        accept append bind create ioctl listen lock name_bind
+        relabelfrom relabelto setattr shutdown };
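Review bot: Dropping `getopt` and `setopt` from this neverallow relaxes the guard for every `appdomain` type, not only the five domains that get matching allow rules elsewhere in this commit. A later rule granting `setopt` on a system_server UDP socket to any other app domain would now compile without tripping it. If only those five are intended, the two permissions could stay forbidden for the rest with a second rule of the form `neverallow { appdomain -ephemeral_app -platform_app -priv_app -system_app -untrusted_app_all } system_server:udp_socket { getopt setopt };`. Otherwise a comment above the rule, such as `# getopt/setopt are deliberately absent: apps may read and set options on UDP sockets handed to them by system_server`, would record that the omission is intentional; the visible context shows no comment before the rule.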
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index e0547b6e5e971d5f75ba8695f89d4cf864643b28..75a6317651e2def3f83ad5f047bec1354d927e14 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -43,7 +43,8 @@ unix_socket_connect(ephemeral_app, traced_producer, traced)
 
 # allow ephemeral apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow ephemeral_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow ephemeral_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 
 ###
 ### neverallow rules
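Review bot: The comment above this allow rule still says apps may "not modify them other than to connect", which is no longer accurate now that `setopt` is granted, since setting socket options does modify the socket. The same stale comment sits above the changed rules in platform_app.te, priv_app.te, system_app.te and untrusted_app_all.te. Suggested wording, adapted per domain: `# allow ephemeral apps to use UDP sockets provided by the system server and to` / `# read and set their socket options, but not to bind, create or relabel them`. That keeps the comment in step with what the neverallow in app.te still forbids.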
diff --git a/private/platform_app.te b/private/platform_app.te
index 67a9c33177bc3fe3ccc999659ade20d2ed5e0e3a..80b20e1454e0cb8cd5efba77de2c2ad9e3c2796c 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -71,7 +71,8 @@ read_runtime_log_tags(platform_app)
 
 # allow platform apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow platform_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow platform_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 
 ###
 ### Neverallow rules
diff --git a/private/priv_app.te b/private/priv_app.te
index 80425dd8ad7dc25c5a99e2d687d353e99096a0fd..887f5be0f2677097187c0ab4615ac74e814fbe20 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -150,7 +150,8 @@ dontaudit priv_app net_dns_prop:file read;
 
 # allow privileged apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow priv_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow priv_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 
 ###
 ### neverallow rules
diff --git a/private/system_app.te b/private/system_app.te
index d6be5a301007b50b063daa62e588bf7e87857fb7..b2f83764f88a171dc3acf36dfb3c6956135ca72b 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -116,7 +116,8 @@ get_prop(system_app, device_logging_prop)
 
 # allow system apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow system_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow system_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 
 ###
 ### Neverallow rules
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index feac216eff42139bfe12d3111917fe9299cf70a1..fbf59893b406d3cbd77167014a0d1d6d9e9a6713 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -123,7 +123,8 @@ unix_socket_connect(untrusted_app_all, traced_producer, traced)
 
 # allow untrusted apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow untrusted_app_all system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow untrusted_app_all system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 
 # This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
 dontaudit untrusted_app_all net_dns_prop:file read;
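Review bot: The `setopt` grant on `untrusted_app_all` is the widest of the five because it reaches third-party code, and the SELinux `setopt` permission is not per-option. Any socket option the kernel does not separately gate on a capability becomes settable on a socket that system_server created and may assume it configured. The policy does not say which options apps actually need here. A comment on the rule naming the use case, for example `# setopt/getopt: needed by <feature> to tune sockets received from system_server`, would let a future reviewer judge whether the grant can be narrowed or removed. It would also be worth confirming that system_server does not rely on options it set before handing the socket over.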