diff --git a/domain.te b/domain.te
index 3db35d7c5aac1463f188d6aa4fad3fe6cb3d70ef..215c1a3cfe6643eecfcd8b8697edd307c98fa0e3 100644
--- a/domain.te
+++ b/domain.te
@@ -10,9 +10,6 @@ allow domain tmpfs:file { read getattr };
 # Search /storage/emulated tmpfs mount.
 allow domain tmpfs:dir r_dir_perms;
 
-# binder adjusts the nice value during IPC.
-allow domain self:capability sys_nice;
-
 # Intra-domain accesses.
 allow domain self:process ~{ execstack execheap ptrace };
 allow domain self:fd use;
diff --git a/system.te b/system.te
index b096b68b8b1b1e1853c8b400ebcec607d83b5d6a..3dda4b4bd409883808f419fa64ee80401787b48d 100644
--- a/system.te
+++ b/system.te
@@ -8,6 +8,22 @@ permissive system;
 unconfined_domain(system);
 relabelto_domain(system);
 
+# These are the capabilities assigned by the zygote to the
+# system server.
+allow system self:capability {
+    kill
+    net_admin
+    net_bind_service
+    net_broadcast
+    net_raw
+    sys_boot
+    sys_module
+    sys_nice
+    sys_resource
+    sys_time
+    sys_tty_config
+};
+
 # Create a socket for receiving info from wpa.
 type_transition system wifi_data_file:sock_file system_wpa_socket;
 allow system self:zygote { specifyids specifyrlimits specifyseinfo };
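Review bot: The new `allow system self:capability { ... }` block copies the zygote's capability set wholesale, including `sys_module` and `sys_boot`, without recording which of them the system server actually uses. Because `system` is still `permissive` and `unconfined_domain(system)` in the context just above, this rule is probably not yet the effective limit, so now is a cheap time to measure. Adding `auditallow system self:capability { sys_module sys_boot };` would log real use, and entries that never appear could be dropped before the domain goes enforcing. The comment could also state the maintenance contract, for example `# Must match the capability set the zygote grants when forking the system server; trim both together.`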