diff --git a/app.te b/app.te
index cb6ecbc4eac24d92b5de45f6badab20565710362..53349140ed7399acf4338eb9b2a8e9f99a915062 100644
--- a/app.te
+++ b/app.te
@@ -113,37 +113,12 @@ allow appdomain system_data_file:lnk_file getattr;
 allow appdomain download_file:dir search;
 allow appdomain download_file:file r_file_perms;
 
-# Allow applications to communicate with netd via /dev/socket/dnsproxyd
-# to do DNS resolution
-unix_socket_connect(appdomain, dnsproxyd, netd)
-
 # Allow applications to communicate with drmserver over binder
 binder_call(appdomain, drmserver)
 
 # Allow applications to communicate with mediaserver over binder
 binder_call(appdomain, mediaserver)
 
-# Allow applications to make outbound tcp connections to any port
-allow appdomain port_type:tcp_socket name_connect;
-
-# Allow apps to see changes to the routing table.
-allow appdomain self:netlink_route_socket {
-    read
-    bind
-    create
-    nlmsg_read
-    ioctl
-    getattr
-    setattr
-    getopt
-    setopt
-    shutdown
-};
-
-# Allow apps to use rawip sockets. This is needed for apps which execute
-# /system/bin/ping, for example.
-allow appdomain self:rawip_socket create_socket_perms;
-
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
 #
diff --git a/bluetooth.te b/bluetooth.te
index 81c229848d0a8a3cb3d0984f7d3a42fc49664719..d1fed20e6ba99dc26c207213dfa9518fecd1a236 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -1,6 +1,7 @@
 # bluetooth subsystem
 type bluetooth, domain;
 app_domain(bluetooth)
+net_domain(bluetooth)
 
 # Data file accesses.
 allow bluetooth bluetooth_data_file:dir create_dir_perms;
diff --git a/global_macros b/global_macros
index 2f9b4fa6b5ed30782d3588c71c78168c24e54a38..b4a934d6e5b74e482518259457de28b2510765af 100644
--- a/global_macros
+++ b/global_macros
@@ -43,3 +43,5 @@ define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
 # Common socket permission sets.
 define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
 define(`create_socket_perms', `{ create rw_socket_perms }')
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
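Review bot: The two new macros land under the generic "Common socket permission sets" comment with nothing saying that `rw_stream_socket_perms` is `rw_socket_perms` widened with the server-side `listen accept`, so a reader grepping for which domains may accept inbound connections has to expand the macro chain by hand. A one-line comment above the first new define, `# Stream (connection-oriented) sockets additionally need listen/accept to act as a server.`, would make the intent visible at the definition site. The rest of global_macros is outside the hunk.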
diff --git a/isolated_app.te b/isolated_app.te
index f1ddb37c98cb0d528830f042efd6e7e3ea20288e..7e51d309c996dbba6e26e157dbe190025f655d90 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -11,6 +11,7 @@
 
 type isolated_app, domain;
 app_domain(isolated_app)
+net_domain(isolated_app)
 
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
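Review bot: `net_domain(isolated_app)` gives the most restricted app sandbox the whole netdomain set — tcp/udp/rawip socket creation, `name_connect` to any `port_type`, and the netlink route socket — with no comment saying why an isolated process needs to open its own network sockets. This may simply preserve what isolated_app inherited from appdomain before the rules moved to net.te, but the comment that follows (sockets arrive already connected over other IPC) suggests direct socket creation may not be required; I cannot confirm that from the hunk alone. If the grant is intentional, a one-line justification above it, e.g. `# isolated_app keeps network access for compatibility; see net.te`, would stop the next reviewer from treating it as an accidental widening, and if it is not, dropping this line keeps the sandbox tighter.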
diff --git a/net.te b/net.te
index 32b9fb7476c6c5695932ef4f212cea0501f6e26b..c67f456fd19e16449482461207d5678e1f69db27 100644
--- a/net.te
+++ b/net.te
@@ -4,15 +4,27 @@ type netif, netif_type;
 type port, port_type;
 
 # Use network sockets.
-allow netdomain self:{ tcp_socket udp_socket } *;
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
 # Connect to ports.
 allow netdomain port_type:tcp_socket name_connect;
 # Bind to ports.
 allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
 allow netdomain port_type:udp_socket name_bind;
 allow netdomain port_type:tcp_socket name_bind;
-# Get route information.
-allow netdomain self:netlink_route_socket { create bind read nlmsg_read };
+# See changes to the routing table.
+allow netdomain self:netlink_route_socket {
+    read
+    bind
+    create
+    nlmsg_read
+    ioctl
+    getattr
+    setattr
+    getopt
+    setopt
+    shutdown
+};
 
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)
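Review bot: The added `allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;` extends raw IP socket creation to every domain that calls `net_domain()`, whereas before this commit the rawip grant lived only in app.te together with a comment explaining it was for apps that execute /system/bin/ping; that rationale is now lost, and non-app netdomains inherit the permission silently. The same applies to the netlink_route_socket block, which grows from `{ create bind read nlmsg_read }` to the full ioctl/setattr/setopt/shutdown set for all netdomain. Suggest keeping the reason next to the rule, `# rawip sockets are needed by apps that exec /system/bin/ping.`, or splitting rawip_socket into its own rule so it can be granted per domain rather than by the macro. Note also that replacing the old `*` on tcp_socket with `create_stream_socket_perms` depends on the new macro added to global_macros in this same commit.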
diff --git a/nfc.te b/nfc.te
index d0e4d83fd28e3538f379253c72c7b1271be704b3..0522c52a99042afdb564d1f01187adc2a78fa13c 100644
--- a/nfc.te
+++ b/nfc.te
@@ -1,6 +1,7 @@
 # nfc subsystem
 type nfc, domain;
 app_domain(nfc)
+net_domain(nfc)
 binder_service(nfc)
 
 # NFC device access.
diff --git a/system_app.te b/system_app.te
index 4f5492cff54331d4f832f7b05a4fe59ab71bf496..702c5563540422645da6416b169ed09e47977fc2 100644
--- a/system_app.te
+++ b/system_app.te
@@ -6,6 +6,7 @@
 type system_app, domain;
 permissive_or_unconfined(system_app)
 app_domain(system_app)
+net_domain(system_app)
 binder_service(system_app)
 
 # Perform binder IPC to any app domain.