diff --git a/private/app.te b/private/app.te
index 7dceaaa37377ed338f2a885cdd6fb5cf066739f6..f3e1e2a09c3f1600e5f956ff7b5434e4928c71ff 100644
--- a/private/app.te
+++ b/private/app.te
@@ -3,5 +3,5 @@
 allow appdomain zygote_tmpfs:file read;
 
 neverallow appdomain system_server:udp_socket {
-        accept append bind create getopt ioctl listen lock name_bind
-        relabelfrom relabelto setattr setopt shutdown };
+        accept append bind create ioctl listen lock name_bind
+        relabelfrom relabelto setattr shutdown };
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index e0547b6e5e971d5f75ba8695f89d4cf864643b28..75a6317651e2def3f83ad5f047bec1354d927e14 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -43,7 +43,8 @@ unix_socket_connect(ephemeral_app, traced_producer, traced)
 
 # allow ephemeral apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow ephemeral_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow ephemeral_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 
 ###
 ### neverallow rules
diff --git a/private/platform_app.te b/private/platform_app.te
index 67a9c33177bc3fe3ccc999659ade20d2ed5e0e3a..80b20e1454e0cb8cd5efba77de2c2ad9e3c2796c 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -71,7 +71,8 @@ read_runtime_log_tags(platform_app)
 
 # allow platform apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow platform_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow platform_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 
 ###
 ### Neverallow rules
diff --git a/private/priv_app.te b/private/priv_app.te
index 565aa4aa5c36b13e86a2a20f59aea412c3d0f4b2..b13e3f6b7b42ee60f793815739e92d6e45024a70 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -147,7 +147,8 @@ dontaudit priv_app net_dns_prop:file read;
 
 # allow privileged apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow priv_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow priv_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 
 ###
 ### neverallow rules
diff --git a/private/system_app.te b/private/system_app.te
index d6be5a301007b50b063daa62e588bf7e87857fb7..b2f83764f88a171dc3acf36dfb3c6956135ca72b 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -116,7 +116,8 @@ get_prop(system_app, device_logging_prop)
 
 # allow system apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow system_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow system_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 
 ###
 ### Neverallow rules
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 949c87acf8d122435d8295d1041e6f500db4dae3..6cf1668275d38b14e4cbc0c2fca5999b0c9fe89a 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -123,7 +123,8 @@ unix_socket_connect(untrusted_app_all, traced_producer, traced)
 
 # allow untrusted apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow untrusted_app_all system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow untrusted_app_all system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm