diff --git a/bluetooth.te b/bluetooth.te
index d1fed20e6ba99dc26c207213dfa9518fecd1a236..16e7b0b85d91415e79eb6fc76fd3e7e788cb473e 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -20,17 +20,21 @@ allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms
 # Other domains that can create and use bluetooth sockets.
 # SELinux does not presently define a specific socket class for
 # bluetooth sockets, nor does it distinguish among the bluetooth protocols.
-allow bluetoothdomain self:socket *;
+# TODO: This should no longer be needed with bluedroid for bluetooth
+# but may be getting used for other non-bluetooth sockets that has no
+# specific class defined.  Consider taking to specific domains.
+allow bluetoothdomain self:socket create_socket_perms;
 
 # sysfs access.
 allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
 allow bluetooth self:capability net_admin;
 
 # Allow clients to use a socket provided by the bluetooth app.
+# TODO:  See if this is still required under bluedroid.
 allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };
 
 # tethering
-allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
+allow bluetooth self:tun_socket create_socket_perms;
 allow bluetooth efs_file:dir search;
 
 # Talk to init over the property socket.
diff --git a/clatd.te b/clatd.te
index ec2df7e044be169f7212ac9efcdffb866007f4c3..4971102933e9991e85ebd0aff76ba6cbdc1c12b9 100644
--- a/clatd.te
+++ b/clatd.te
@@ -19,7 +19,7 @@ allow clatd self:capability { net_admin setuid setgid };
 # TODO: Run clatd in vpn group to avoid need for this on /dev/tun.
 allow clatd self:capability dac_override;
 
-allow clatd self:netlink_route_socket { create_socket_perms nlmsg_write };
+allow clatd self:netlink_route_socket nlmsg_write;
 allow clatd self:tun_socket create_socket_perms;
 allow clatd tun_device:chr_file rw_file_perms;
 allow clatd proc_net:file rw_file_perms;;
diff --git a/dhcp.te b/dhcp.te
index c930b0fecf77ca7cde4fc3ade197bf6387eafef4..89346d5a254ba84d1701c45093f4910d8f0df138 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -9,8 +9,7 @@ net_domain(dhcp)
 allow dhcp cgroup:dir { create write add_name };
 allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
 allow dhcp self:packet_socket create_socket_perms;
-allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
-allow dhcp self:rawip_socket create_socket_perms;
+allow dhcp self:netlink_route_socket nlmsg_write;
 allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
diff --git a/dnsmasq.te b/dnsmasq.te
index 0e16580802c5783b70dff59e861e9416dc5f6a79..fcf7c6d3d77796625539dce261d84037440fac31 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -3,10 +3,9 @@ type dnsmasq, domain;
 permissive_or_unconfined(dnsmasq)
 type dnsmasq_exec, exec_type, file_type;
 
+net_domain(dnsmasq)
+
 allow dnsmasq self:capability { net_bind_service setgid setuid };
-allow dnsmasq self:tcp_socket create_socket_perms;
 
 allow dnsmasq dhcp_data_file:dir w_dir_perms;
 allow dnsmasq dhcp_data_file:file create_file_perms;
-allow dnsmasq port:tcp_socket name_bind;
-allow dnsmasq node:tcp_socket node_bind;
diff --git a/domain.te b/domain.te
index 878ac9f0519ecc73818246382ff6e53936791358..013126baa08a652a1a1c6b84cf92534e50e50387 100644
--- a/domain.te
+++ b/domain.te
@@ -16,7 +16,8 @@ allow domain self:fd use;
 allow domain self:dir r_dir_perms;
 allow domain self:lnk_file r_file_perms;
 allow domain self:{ fifo_file file } rw_file_perms;
-allow domain self:{ unix_dgram_socket unix_stream_socket } *;
+allow domain self:unix_dgram_socket { create_socket_perms sendto };
+allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
 
 # Inherit or receive open files from others.
 allow domain init:fd use;
diff --git a/drmserver.te b/drmserver.te
index eb050a2cd1ec5db4240d2f41c1592efdbd80f85e..a11700c1b9cee3750e25e3f2f365b4ded1cd15cc 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -5,6 +5,8 @@ type drmserver_exec, exec_type, file_type;
 init_daemon_domain(drmserver)
 typeattribute drmserver mlstrustedsubject;
 
+net_domain(drmserver)
+
 # Perform Binder IPC to system server.
 binder_use(drmserver)
 binder_call(drmserver, system_server)
@@ -17,8 +19,6 @@ binder_call(drmserver, mediaserver)
 allow drmserver sdcard_type:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
-allow drmserver self:{ tcp_socket udp_socket } *;
-allow drmserver port:tcp_socket name_connect;
 allow drmserver tee_device:chr_file rw_file_perms;
 allow drmserver platform_app_data_file:file { read write getattr };
 allow drmserver app_data_file:file { read write getattr };
diff --git a/dumpstate.te b/dumpstate.te
index 8ecb6cc247ac3b2a73dd83fc62aa7ef7a5979b16..749cc469e263e4df8760a3b0a2713ec67df5cfe1 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -47,9 +47,6 @@ allow dumpstate { appdomain system_server }:process signal;
 # This list comes from native_processes_to_dump in dumpstate/utils.c
 allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;
 
-# The /system/bin/ip command needs this for routing table information.
-allow dumpstate self:netlink_route_socket { write getattr setopt };
-
 # The vdc command needs to talk to the vold socket.
 unix_socket_connect(dumpstate, vold, vold)
 
diff --git a/hostapd.te b/hostapd.te
index e6e88e958987e58ed5e652314294d1cd4fd96644..184b26f28234622d04448e73d8f24358db5ada61 100644
--- a/hostapd.te
+++ b/hostapd.te
@@ -3,11 +3,12 @@ type hostapd, domain;
 permissive_or_unconfined(hostapd)
 type hostapd_exec, exec_type, file_type;
 
+net_domain(hostapd)
+
 allow hostapd self:capability { net_admin net_raw setuid setgid };
 allow hostapd self:netlink_socket create_socket_perms;
-allow hostapd self:packet_socket { create write read };
-allow hostapd self:netlink_route_socket { bind create write nlmsg_write read };
-allow hostapd self:udp_socket { create ioctl };
+allow hostapd self:packet_socket create_socket_perms;
+allow hostapd self:netlink_route_socket nlmsg_write;
 
 allow hostapd wifi_data_file:file rw_file_perms;
 allow hostapd wifi_data_file:dir create_dir_perms;
diff --git a/logd.te b/logd.te
index a1e3a53ec185fa06d9fbbc2eb882311512a3e143..796f7bbee7c8997d12065fd93e775a0311a0b9fd 100644
--- a/logd.te
+++ b/logd.te
@@ -3,7 +3,6 @@ type logd, domain;
 type logd_exec, exec_type, file_type;
 
 init_daemon_domain(logd)
-allow logd self:unix_stream_socket *;
 
 allow logd self:capability { setuid setgid sys_nice };
 
diff --git a/mtp.te b/mtp.te
index 9681daf493dad971ec5ab87e30fb99fdf64984d2..320f4af61558a57a7873b069024bb141cdfc9e8a 100644
--- a/mtp.te
+++ b/mtp.te
@@ -7,10 +7,7 @@ init_daemon_domain(mtp)
 net_domain(mtp)
 
 # pptp policy
-allow mtp self:tcp_socket create_socket_perms;
 allow mtp self:socket create_socket_perms;
-allow mtp self:rawip_socket create_socket_perms;
 allow mtp self:capability net_raw;
 allow mtp ppp:process signal;
-allow mtp port:tcp_socket name_connect;
 allow mtp vpn_data_file:dir search;
diff --git a/net.te b/net.te
index c67f456fd19e16449482461207d5678e1f69db27..9942efe4a5b12f710f86cadf9a62fe1b5eace375 100644
--- a/net.te
+++ b/net.te
@@ -13,18 +13,7 @@ allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
 allow netdomain port_type:udp_socket name_bind;
 allow netdomain port_type:tcp_socket name_bind;
 # See changes to the routing table.
-allow netdomain self:netlink_route_socket {
-    read
-    bind
-    create
-    nlmsg_read
-    ioctl
-    getattr
-    setattr
-    getopt
-    setopt
-    shutdown
-};
+allow netdomain self:netlink_route_socket { create_socket_perms nlmsg_read };
 
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)
diff --git a/netd.te b/netd.te
index b8d26f9577b18e5ce1220b9e1c933873ca36013e..19fcad22eacad8adb844b79e6057caf16424df93 100644
--- a/netd.te
+++ b/netd.te
@@ -15,11 +15,9 @@ allow netd self:capability { net_admin net_raw kill };
 # sufficient testing of the fsetid removal.
 # dontaudit netd self:capability fsetid;
 
-allow netd self:netlink_kobject_uevent_socket *;
-allow netd self:netlink_route_socket *;
-allow netd self:netlink_nflog_socket *;
-allow netd self:rawip_socket *;
-allow netd self:unix_stream_socket *;
+allow netd self:netlink_kobject_uevent_socket create_socket_perms;
+allow netd self:netlink_route_socket nlmsg_write;
+allow netd self:netlink_nflog_socket create_socket_perms;
 allow netd shell_exec:file rx_file_perms;
 allow netd system_file:file x_file_perms;
 allow netd devpts:chr_file rw_file_perms;
diff --git a/ppp.te b/ppp.te
index 21838f16d2fcdef8d4a3c2dc55c79ce7404d24d2..bcab339091b7bebaf665687e7e240e8f4798e16e 100644
--- a/ppp.te
+++ b/ppp.te
@@ -5,10 +5,11 @@ type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
 domain_auto_trans(mtp, ppp_exec, ppp)
 
+net_domain(ppp)
+
 allow ppp mtp:socket rw_socket_perms;
 allow ppp ppp_device:chr_file rw_file_perms;
 allow ppp self:capability net_admin;
-allow ppp self:udp_socket create_socket_perms;
 allow ppp system_file:file rx_file_perms;
 allow ppp vpn_data_file:dir w_dir_perms;
 allow ppp vpn_data_file:file create_file_perms;
diff --git a/racoon.te b/racoon.te
index 596cf7ee3a697c72c88e6f17188ab4e3fc0d5fd2..1fbdb07fa240b3d0bb7d4056b21ab3a9d37e610e 100644
--- a/racoon.te
+++ b/racoon.te
@@ -6,17 +6,17 @@ type racoon_exec, exec_type, file_type;
 init_daemon_domain(racoon)
 typeattribute racoon mlstrustedsubject;
 
+net_domain(racoon)
+
 binder_call(racoon, servicemanager)
 binder_call(racoon, keystore)
 
 allow racoon tun_device:chr_file r_file_perms;
 allow racoon cgroup:dir { add_name create };
 allow racoon kernel:system module_request;
-allow racoon port:udp_socket name_bind;
-allow racoon node:udp_socket node_bind;
 
-allow racoon self:{ key_socket udp_socket } create_socket_perms;
-allow racoon self:tun_socket create;
+allow racoon self:key_socket create_socket_perms;
+allow racoon self:tun_socket create_socket_perms;
 allow racoon self:capability { net_admin net_bind_service net_raw setuid };
 
 # XXX: should we give ip-up-vpn its own label (currently racoon domain)
diff --git a/rild.te b/rild.te
index 8de5c59adfa1caf5702e98554eb74ef7db5769f7..ea4d34f6283811288cd16acfdaaa3bf0e51cd7a9 100644
--- a/rild.te
+++ b/rild.te
@@ -5,7 +5,7 @@ type rild_exec, exec_type, file_type;
 
 init_daemon_domain(rild)
 net_domain(rild)
-allow rild self:netlink_route_socket { setopt write };
+allow rild self:netlink_route_socket nlmsg_write;
 allow rild kernel:system module_request;
 unix_socket_connect(rild, property, init)
 unix_socket_connect(rild, qemud, qemud)
@@ -38,10 +38,9 @@ allow rild gps_device:chr_file rw_file_perms;
 
 allow rild tty_device:chr_file rw_file_perms;
 
-# Allow rild to create, bind, read, write to itself through a netlink socket
-allow rild self:netlink_socket { create bind read write };
-
-allow rild self:netlink_kobject_uevent_socket { bind create getopt read setopt };
+# Allow rild to create and use netlink sockets.
+allow rild self:netlink_socket create_socket_perms;
+allow rild self:netlink_kobject_uevent_socket create_socket_perms;
 
 # Access to wake locks
 allow rild sysfs_wake_lock:file rw_file_perms;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 2a3087b6f9f6648272c5f31a26868c68f6149bf1..7d73696ab653f9560a008e15bc9f9b4b2fc95182 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -28,7 +28,7 @@ allow surfaceflinger video_device:dir r_dir_perms;
 allow surfaceflinger video_device:chr_file rw_file_perms;
 
 # Create and use netlink kobject uevent sockets.
-allow surfaceflinger self:netlink_kobject_uevent_socket *;
+allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms;
 
 # Set properties.
 allow surfaceflinger system_prop:property_service set;
diff --git a/system_server.te b/system_server.te
index ca95abf4afccee62a6c7fd1a4867983340548efe..2d5c331e6ea2af09ed22708077a38a987ebcdadd 100644
--- a/system_server.te
+++ b/system_server.te
@@ -21,10 +21,6 @@ allow system_server zygote:fd use;
 allow system_server zygote:process sigchld;
 allow system_server zygote_tmpfs:file read;
 
-# Needed to close the zygote socket, which involves getopt / getattr
-# This should be deleted after b/12061011 is fixed
-allow system_server zygote:unix_stream_socket { getopt getattr };
-
 # system server gets network and bluetooth permissions.
 net_domain(system_server)
 bluetooth_domain(system_server)
@@ -54,7 +50,7 @@ dontaudit system_server self:capability sys_ptrace;
 allow system_server kernel:system module_request;
 
 # Use netlink uevent sockets.
-allow system_server self:netlink_kobject_uevent_socket *;
+allow system_server self:netlink_kobject_uevent_socket create_socket_perms;
 
 # Kill apps.
 allow system_server appdomain:process { sigkill signal };
@@ -75,10 +71,10 @@ allow system_server qtaguid_device:chr_file rw_file_perms;
 allow system_server debugfs:file r_file_perms;
 
 # WifiWatchdog uses a packet_socket
-allow system_server self:packet_socket *;
+allow system_server self:packet_socket create_socket_perms;
 
 # 3rd party VPN clients require a tun_socket to be created
-allow system_server self:tun_socket create;
+allow system_server self:tun_socket create_socket_perms;
 
 # Notify init of death.
 allow system_server init:process sigchld;
diff --git a/tee.te b/tee.te
index a0d0d9830a824589824754ca2cf41244186bd742..7cf6ecd8d37d062a65262412f0956fee235cf74d 100644
--- a/tee.te
+++ b/tee.te
@@ -11,4 +11,4 @@ allow tee self:capability { dac_override };
 allow tee tee_device:chr_file rw_file_perms;
 allow tee tee_data_file:dir rw_dir_perms;
 allow tee tee_data_file:file create_file_perms;
-allow tee self:netlink_socket { create bind read };
+allow tee self:netlink_socket create_socket_perms;
diff --git a/ueventd.te b/ueventd.te
index 2af8e94bb79dc0d845474d989f0833f1a4e35295..e80fa32b8517f80d4e86059b0232819bb040cf97 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -19,6 +19,6 @@ allow ueventd dev_type:dir create_dir_perms;
 allow ueventd dev_type:lnk_file { create unlink };
 allow ueventd dev_type:chr_file { create setattr unlink };
 allow ueventd dev_type:blk_file { create setattr unlink };
-allow ueventd self:netlink_kobject_uevent_socket *;
+allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
 allow ueventd efs_file:dir search;
 allow ueventd efs_file:file r_file_perms;
diff --git a/vold.te b/vold.te
index 18c909de650d3aa2fcf1c1f80c85a8dbe1bf5740..d434b5e1a7072f71e30a2a7c248bb1897ea1f927 100644
--- a/vold.te
+++ b/vold.te
@@ -19,7 +19,7 @@ allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
 allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
-allow vold self:netlink_kobject_uevent_socket *;
+allow vold self:netlink_kobject_uevent_socket create_socket_perms;
 allow vold app_data_file:dir search;
 allow vold app_data_file:file rw_file_perms;
 allow vold loop_device:blk_file rw_file_perms;
diff --git a/wpa_supplicant.te b/wpa_supplicant.te
index fd454bf957e4d4fe93455795ad492a30093ac32d..5961f981f59fd18d0fd20be1ee2b2c1ba9e754cd 100644
--- a/wpa_supplicant.te
+++ b/wpa_supplicant.te
@@ -3,13 +3,15 @@ type wpa, domain;
 type wpa_exec, exec_type, file_type;
 
 init_daemon_domain(wpa)
+
+net_domain(wpa)
+
 allow wpa kernel:system module_request;
 allow wpa self:capability { setuid net_admin setgid net_raw };
 allow wpa cgroup:dir create_dir_perms;
-allow wpa self:netlink_route_socket *;
-allow wpa self:netlink_socket *;
-allow wpa self:packet_socket *;
-allow wpa self:udp_socket *;
+allow wpa self:netlink_route_socket nlmsg_write;
+allow wpa self:netlink_socket create_socket_perms;
+allow wpa self:packet_socket create_socket_perms;
 allow wpa wifi_data_file:dir create_dir_perms;
 allow wpa wifi_data_file:file create_file_perms;
 unix_socket_send(wpa, system_wpa, system_server)