diff --git a/healthd.te b/healthd.te
index 224090edf88799b180fc20319f30cc8d206771c5..dd49e4e9b121fa8b879ea3d228b8bf5a04d62dfd 100644
--- a/healthd.te
+++ b/healthd.te
@@ -9,7 +9,7 @@ write_klog(healthd)
 allow healthd tmpfs:chr_file { read write };
 
 allow healthd self:capability { net_admin mknod sys_tty_config };
-allow healthd self:capability2 block_suspend;
+wakelock_use(healthd)
 allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
 binder_use(healthd)
 binder_service(healthd)
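Review bot: Replacing the single `allow healthd self:capability2 block_suspend;` rule with `wakelock_use(healthd)` is not a pure refactor: the macro also grants `sysfs_wake_lock:file rw_file_perms`, which this domain did not have before, so healthd gains new access to /sys/power/wake_lock and /sys/power/wake_unlock. The rild hunk below is the mirror case, where the domain previously held only the sysfs_wake_lock file rule and now also receives CAP_BLOCK_SUSPEND. Both widenings are consistent with the macro's own comment that the files require the capability, but the commit description should state them explicitly and, for healthd, confirm that the daemon actually opens those sysfs nodes rather than only needing the capability; if it does not, the narrower original line should stay. The vold and system_server hunks already held both halves and are net-neutral.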
diff --git a/rild.te b/rild.te
index 6d2cd38843230c6e5e473cb4eb8c844bf1b032e9..f272862caafc0c7b8e0e93ff4260f2e1db6abdfe 100644
--- a/rild.te
+++ b/rild.te
@@ -39,6 +39,6 @@ allow rild self:netlink_socket create_socket_perms;
 allow rild self:netlink_kobject_uevent_socket create_socket_perms;
 
 # Access to wake locks
-allow rild sysfs_wake_lock:file rw_file_perms;
+wakelock_use(rild)
 
 allow rild self:socket create_socket_perms;
diff --git a/system_server.te b/system_server.te
index 81e31fcfcd914fed589e0eb1d6bd9c889da1559f..4b8e38490b4b6cac657548b8111808cecb0f37d4 100644
--- a/system_server.te
+++ b/system_server.te
@@ -53,7 +53,7 @@ allow system_server self:capability {
     sys_tty_config
 };
 
-allow system_server self:capability2 block_suspend;
+wakelock_use(system_server)
 
 # Triggered by /proc/pid accesses, not allowed.
 dontaudit system_server self:capability sys_ptrace;
@@ -316,9 +316,6 @@ allow system_server sensors_device:chr_file rw_file_perms;
 # Read from HW RNG (needed by EntropyMixer).
 allow system_server hw_random_device:chr_file r_file_perms;
 
-# Access to wake locks
-allow system_server sysfs_wake_lock:file rw_file_perms;
-
 # Read and delete files under /dev/fscklogs.
 r_dir_file(system_server, fscklogs)
 allow system_server fscklogs:dir { write remove_name };
diff --git a/te_macros b/te_macros
index ecdf8b4f8dbd0cd1941b92b87fe9b3b6f53369f1..fb6cdae1c00a866f59c4bf3906868828ca772a56 100644
--- a/te_macros
+++ b/te_macros
@@ -173,6 +173,16 @@ define(`binder_service', `
 typeattribute $1 binderservicedomain;
 ')
 
+#####################################
+# wakelock_use(domain)
+# Allow domain to manage wake locks
+define(`wakelock_use', `
+# Access /sys/power/wake_lock and /sys/power/wake_unlock
+allow $1 sysfs_wake_lock:file rw_file_perms;
+# Accessing these files requires CAP_BLOCK_SUSPEND
+allow $1 self:capability2 block_suspend;
+')
+
 #####################################
 # selinux_check_access(domain)
 # Allow domain to check SELinux permissions via selinuxfs.
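Review bot: The header comment for `wakelock_use` should make the bundled grant visible to callers, since a domain that previously had only one of the two rules silently acquires the other when it switches to the macro. Suggested header: `# Grants both rw access to sysfs_wake_lock files and CAP_BLOCK_SUSPEND (capability2 block_suspend); use only for domains that genuinely need to hold the device awake.` This also gives a single grep target (`wakelock_use`) for auditing which domains can block suspend.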
diff --git a/vold.te b/vold.te
index 7fbba76ed1f2f01bcecee9c5d524f0e4940c6fb1..30cd9d2b533725151a61272a834aff9aebcfb8cd 100644
--- a/vold.te
+++ b/vold.te
@@ -77,8 +77,7 @@ allow vold asec_apk_file:file { r_file_perms setattr relabelfrom };
 allow vold asec_public_file:file { relabelto setattr };
 
 # Handle wake locks (used for device encryption)
-allow vold sysfs_wake_lock:file rw_file_perms;
-allow vold self:capability2 block_suspend;
+wakelock_use(vold)
 
 # talk to batteryservice
 binder_use(vold)