diff --git a/private/system_server.te b/private/system_server.te
index 0d9f72c1703ab50d1c0537c36fa7b4820477985a..ee5786700af42827f624028bb1d16b002787b813 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -122,10 +122,6 @@ allow system_server hal_audio_server:file w_file_perms;
 # for dumping stack traces of native processes.
 r_dir_file(system_server, domain)
 
-# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
-allow system_server qtaguid_proc:file rw_file_perms;
-allow system_server qtaguid_device:chr_file rw_file_perms;
-
 # Write /proc/uid_cputime/remove_uid_range.
 allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
 
diff --git a/public/mediaserver.te b/public/mediaserver.te
index f0c94edc0ba89f2cd8c6ad55fa7b42db7b439070..b20835a2555e44cd8b965c6b9458dc57e30dafd8 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -60,10 +60,6 @@ r_dir_file(mediaserver, media_rw_data_file)
 # Grant access to read files on appfuse.
 allow mediaserver app_fuse_file:file { read getattr };
 
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow mediaserver qtaguid_proc:file rw_file_perms;
-allow mediaserver qtaguid_device:chr_file r_file_perms;
-
 # Needed on some devices for playing DRM protected content,
 # but seems expected and appropriate for all devices.
 unix_socket_connect(mediaserver, drmserver, drmserver)
diff --git a/public/update_engine.te b/public/update_engine.te
index 6e97aa919290ad8f7b9fe2cedc2e3ff1d5612bbd..00f70bc4a8eb288cfd3250aaf044145ae67ae94a 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -4,11 +4,6 @@ type update_engine_exec, exec_type, file_type;
 
 net_domain(update_engine);
 
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network
-# sockets.
-allow update_engine qtaguid_proc:file rw_file_perms;
-allow update_engine qtaguid_device:chr_file r_file_perms;
-
 # Following permissions are needed for update_engine.
 allow update_engine self:process { setsched };
 allow update_engine self:global_capability_class_set { fowner sys_admin };