diff --git a/private/bpfloader.te b/private/bpfloader.te
index 4e8ec2b46eb4c13c6e90153bcee6d240dd051159..bcfbf39f55cc2861a8058625a6cc2a65a54a0529 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -27,4 +27,4 @@ neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
 # only system_server, netd and bpfloader can read/write the bpf maps
 neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
 
-dontaudit bpfloader self:capability sys_admin;
+dontaudit bpfloader self:global_capability_class_set sys_admin;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 5d80f7e8b172939e748ae03c0a0469d0a796d8e6..ef5a3960f83646afc71574475dac7dd0a6015deb 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -35,7 +35,7 @@ allow traced_probes kmsg_device:chr_file write;
 allow traced_probes system_file:dir { open read };
 
 # Allow traced_probes to list some of the data partition.
-allow traced_probes self:capability dac_read_search;
+allow traced_probes self:global_capability_class_set dac_read_search;
 
 allow traced_probes apk_data_file:dir { getattr open read search };
 allow traced_probes dalvikcache_data_file:dir { getattr open read search };
diff --git a/private/zygote.te b/private/zygote.te
index ac1ef008788618420a842af113199493534b9790..3a8e793c58b8c5d1e7ff84e885e0849b4dfd4e3b 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -112,7 +112,7 @@ get_prop(zygote, overlay_prop)
 get_prop(zygote, exported_overlay_prop)
 
 # ingore spurious denials
-dontaudit zygote self:capability sys_resource;
+dontaudit zygote self:global_capability_class_set sys_resource;
 
 ###
 ### neverallow rules
diff --git a/public/domain.te b/public/domain.te
index 3afbe7ed61e0c6086d52fdd24f449d45c42db90f..c8b0bc137f5d2675b4c0a948bf270466ac84a422 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1397,8 +1397,8 @@ neverallow {
   -vold
   -vold_prepare_subdirs
   -zygote
-} self:capability dac_override;
-neverallow { domain -traced_probes } self:capability dac_read_search;
+} self:global_capability_class_set dac_override;
+neverallow { domain -traced_probes } self:global_capability_class_set dac_read_search;
 
 # If an already existing file is opened with O_CREAT, the kernel might generate
 # a false report of a create denial. Silence these denials and make sure that
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index 9c13f5584ba8e8bab63ab033e88d4db8254e11b2..2491734f7ad367ad99f64f5cf2d98a70dc92379a 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -4,4 +4,4 @@ binder_call(hal_bootctl_server, hal_bootctl_client)
 
 hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
 
-dontaudit hal_bootctl self:capability sys_rawio;
+dontaudit hal_bootctl self:global_capability_class_set sys_rawio;
diff --git a/public/update_engine.te b/public/update_engine.te
index 2075985d3b662a0a440b05664ce6cd3e107c8188..26b0581d1086ff2dc9dd5e5d59392a76172c1670 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -19,7 +19,7 @@ wakelock_use(update_engine);
 
 # Ignore these denials.
 dontaudit update_engine kernel:process setsched;
-dontaudit update_engine self:capability sys_rawio;
+dontaudit update_engine self:global_capability_class_set sys_rawio;
 
 # Allow using persistent storage in /data/misc/update_engine.
 allow update_engine update_engine_data_file:dir create_dir_perms;