diff --git a/wificond.te b/wificond.te
index 7a80ac2ac9f7dffb37a87d5bc23d853464770977..ae12e07e0e4f3a2923d3a0262bed854133e9e68a 100644
--- a/wificond.te
+++ b/wificond.te
@@ -17,7 +17,10 @@ set_prop(wificond, ctl_default_prop)
 
 # create sockets to set interfaces up and down
 allow wificond self:udp_socket create_socket_perms;
+# setting interface state up/down is a privileged ioctl
+allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS };
 allow wificond self:capability { net_admin net_raw };
+# allow wificond to speak to nl80211 in the kernel
 allow wificond self:netlink_socket create_socket_perms_no_ioctl;
 
 r_dir_file(wificond, proc_net)
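Review bot: The comment added above the `netlink_socket` rule says it lets wificond speak to nl80211, but nl80211 runs over generic netlink. Kernels that use the extended netlink socket classes label those sockets `netlink_generic_socket`, which this rule does not cover. The rest of wificond.te is not visible here, so if no rule for that class exists elsewhere, consider adding `allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;` next to it, or rewording the comment to say which kernels it applies to. For the `allowxperm` line, the comment could also record that the grant is deliberately limited to `SIOCSIFFLAGS` and depends on the `ioctl` permission that `create_socket_perms` appears to carry, for example `# only SIOCSIFFLAGS is whitelisted; other privileged socket ioctls stay denied`.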
@@ -31,12 +34,6 @@ allow wificond wifi_data_file:file create_file_perms;
 #       files, which are owned by system or wifi (not wificond's root).
 allow wificond self:capability { chown fowner };
 
-# wificond tries to gracefully kill hostapd by sending it a signal.
-# wificond checks for hostapd liveliness with signull.
-allow wificond hostapd:process { signal signull };
-# wificond needs kill to drop mad signals on hostapd.
-allow wificond self:capability kill;
-
 # wificond cleans up sockets created by wpa_supplicant and framework
 allow wificond wpa_socket:dir rw_dir_perms;
 allow wificond system_wpa_socket:sock_file unlink;