diff --git a/app.te b/app.te
index 91210f57182539f2b2c9844629b904186f851527..491e785b885b172b94c0b5d189eacf609208f156 100644
--- a/app.te
+++ b/app.te
@@ -185,9 +185,9 @@ use_keystore(appdomain)
 ###
 
 # Superuser capabilities.
-# bluetooth requires net_admin.
+# bluetooth requires net_admin and wake_alarm.
 neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
-neverallow { appdomain -unconfineddomain } self:capability2 *;
+neverallow { appdomain -unconfineddomain -bluetooth } self:capability2 *;
 
 # Block device access.
 neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };
diff --git a/bluetooth.te b/bluetooth.te
index 4e274c492f5bcd9b83f23275995176bd9ed075c1..619ce7f7cca6c63efef76dd7d4ea91842da98bc4 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -28,6 +28,7 @@ allow bluetoothdomain self:socket create_socket_perms;
 # sysfs access.
 allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
 allow bluetooth self:capability net_admin;
+allow bluetooth self:capability2 wake_alarm;
 
 # Allow clients to use a socket provided by the bluetooth app.
 # TODO:  See if this is still required under bluedroid.
@@ -55,5 +56,6 @@ allow bluetooth ctl_dhcp_pan_prop:property_service set;
 ###
 
 # Superuser capabilities.
-# bluetooth requires net_admin.
+# bluetooth requires net_admin and wake_alarm.
 neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
+neverallow { bluetooth -unconfineddomain } self:capability2 ~wake_alarm;