diff --git a/app.te b/app.te
index 48aebbf0a00cf09661cff0e2bb99063367a4c02c..fef3c3a95aaa8793e38a0bd88ca03bdbefc9ea30 100644
--- a/app.te
+++ b/app.te
@@ -205,6 +205,9 @@ use_keystore({ appdomain -isolated_app })
 
 allow appdomain console_device:chr_file { read write };
 
+# only allow unprivileged socket ioctl commands
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+
 ###
 ### CTS-specific rules
 ###
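Review bot: The comment above the new `allowxperm { appdomain -bluetooth } ...` line does not explain why `bluetooth` is carved out, and the exclusion matters. A domain that holds the `ioctl` permission on a class but has no `allowxperm` rule for it is not filtered by command at all, so unless a rule outside this diff covers it, `bluetooth` keeps unrestricted ioctl access on these three socket classes. The rule also widens filtering from `isolated_app` and `untrusted_app` to every other app domain, so any of them that relied on a command outside `unpriv_sock_ioctls` will now be denied; the `priv_app` hunk covers one such case. I would expand the comment to something like `# Restrict socket ioctls for all app domains to unpriv_sock_ioctls; bluetooth is excluded because <reason>, and is therefore not command-filtered here.` Only `rawip_socket`, `tcp_socket` and `udp_socket` are covered, so other socket classes stay unfiltered by this rule.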
diff --git a/isolated_app.te b/isolated_app.te
index 1e40a7f57911a2f8f3f32d0fd712f1466f3d3438..6b9450a40d8bd835aee146e43da34e86c97eb7d5 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -18,9 +18,6 @@ allow isolated_app app_data_file:file { read write getattr lock };
 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;
 
-# only allow unprivileged socket ioctl commands
-allowxperm isolated_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
-
 # Google Breakpad (crash reporter for Chrome) relies on ptrace
 # functionality. Without the ability to ptrace, the crash reporter
 # tool is broken.
diff --git a/priv_app.te b/priv_app.te
index 4a25787ab3f7163baec048c75d7da12555ef82e6..27551d0dc513494c9736d9aa89eddf34ac7339af 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -77,6 +77,9 @@ allow priv_app fuse_device:chr_file { read write };
 allow priv_app sysfs_zram:dir search;
 allow priv_app sysfs_zram:file r_file_perms;
 
+# access the mac address
+allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
+
 ###
 ### neverallow rules
 ###
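Review bot: The comment `# access the mac address` does not say which privileged component needs `SIOCGIFHWADDR`, nor that the hardware address is a persistent device identifier, so a later reader cannot tell whether granting it to every `priv_app` is intended. The rule is also coupled to the appdomain-wide `allowxperm` added in app.te: as the only xperm rule for `priv_app self:udp_socket`, it would restrict ioctl to this single command rather than extend a whitelist. I would write the comment as `# <component> needs SIOCGIFHWADDR to read the interface MAC address (persistent identifier); adds to the unpriv_sock_ioctls whitelist granted to appdomain in app.te.` If the command is meant to stay out of reach of `untrusted_app` and `isolated_app`, a `neverallowxperm` rule in the neverallow section that follows would keep it from being re-granted later. Whether `unpriv_sock_ioctls` already excludes this command is not visible in this diff.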
diff --git a/untrusted_app.te b/untrusted_app.te
index 9e418731c2a0c7a9dd65dfcfa42c8ec0bdfc8912..3f9d39cedd7f488031b3db66146610137aa70190 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -87,9 +87,6 @@ allow untrusted_app radio_service:service_manager find;
 allow untrusted_app surfaceflinger_service:service_manager find;
 allow untrusted_app app_api_service:service_manager find;
 
-# only allow unprivileged socket ioctl commands
-allowxperm untrusted_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
-
 # Allow GMS core to access perfprofd output, which is stored
 # in /data/misc/perfprofd/. GMS core will need to list all
 # data stored in that directory to process them one by one.