diff --git a/app.te b/app.te
index 438e01f466255b4617e6f36507eb7e924ee15afc..5927eb94ea43ceec3864d7cf712bd63b7f79977a 100644
--- a/app.te
+++ b/app.te
@@ -212,7 +212,8 @@ use_keystore({ appdomain -isolated_app })
 allow appdomain console_device:chr_file { read write };
 
 # only allow unprivileged socket ioctl commands
-allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 
 allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
 
diff --git a/audioserver.te b/audioserver.te
index eeed9856506fbb7ce68fa17ccdd8d87d06127305..f53b82445846e0533ff76475cf9bfc0b33eafdba 100644
--- a/audioserver.te
+++ b/audioserver.te
@@ -113,7 +113,8 @@ allow audioserver drmserver:drmservice {
 };
 
 # only allow unprivileged socket ioctl commands
-allowxperm audioserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm audioserver self:{ rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 
 ###
 ### neverallow rules
diff --git a/ioctl_macros b/ioctl_macros
index 73458798fa6b7c8058a0ac0e23749d1848593dfe..466870e8e2df051539a37a6721e392a03150f86a 100644
--- a/ioctl_macros
+++ b/ioctl_macros
@@ -8,8 +8,6 @@ SIOCGIFNETMASK SIOCGIFMTU SIOCGIFINDEX SIOCGIFCOUNT SIOCGIFTXQLEN
 SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
 SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
 SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
-# commonly used TTY ioctls
-TIOCOUTQ FIOCLEX
 }')
 
 # socket ioctls never allowed to unprivileged apps
@@ -41,3 +39,6 @@ SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
 # Dev private ioctl i.e. hardware specific ioctls
 SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
 }')
+
+# commonly used TTY ioctls
+define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
diff --git a/mediadrmserver.te b/mediadrmserver.te
index f4b5ecceafea3c847d3ba514ea32bfe19d863948..bd2264db85d966d2b3b778ea0fb16e247bdb4ded 100644
--- a/mediadrmserver.te
+++ b/mediadrmserver.te
@@ -49,7 +49,8 @@ allow mediadrmserver mediadrmserver_service:service_manager { add find };
 allow mediadrmserver mediaserver_service:service_manager { add find };
 
 # only allow unprivileged socket ioctl commands
-allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 
 ###
 ### neverallow rules
diff --git a/mediaserver.te b/mediaserver.te
index a305060402e204a82215cf30027f07ef9ac5d824..7aa6ec7e0add90ba355b9407657f063b9fa869b6 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -120,7 +120,8 @@ allow mediaserver drmserver:drmservice {
 };
 
 # only allow unprivileged socket ioctl commands
-allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 
 ###
 ### neverallow rules