diff --git a/bluetooth.te b/bluetooth.te
index 146c0e5110d746eefb5d7567f8142ae0dea3a501..2b99c3e927db2c7587e5d62c5ffae7261b73f117 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -2,6 +2,8 @@
 type bluetooth, domain, domain_deprecated;
 app_domain(bluetooth)
 net_domain(bluetooth)
+# Allow access to net_admin ioctls
+allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
 
 wakelock_use(bluetooth);
 
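Review bot: The added `allowxperm` on `bluetooth` grants the whole `priv_sock_ioctls` set on its own UDP sockets, while the comment says only "net_admin ioctls" and names neither the commands nor the feature that needs them. The macro's definition is not part of this diff, so the exact set cannot be checked here. If bluetooth needs only a few commands, the rule would be tighter listing them explicitly, e.g. `allowxperm bluetooth self:udp_socket ioctl { <needed commands> };` (placeholder list). The same concern applies to the system_server.te hunk, which widens a single `SIOCSIFFLAGS` grant to the same macro. At minimum the comment should state the use case, e.g. `# Allow privileged socket ioctls (priv_sock_ioctls); needed for <feature>`.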
diff --git a/system_server.te b/system_server.te
index 71a45cde998ac72c7a06bc532fea743ef3657500..ee6bd2d0b830aad4cae3313be1ff8bebe3f6fdf2 100644
--- a/system_server.te
+++ b/system_server.te
@@ -42,8 +42,8 @@ allow system_server zygote:unix_stream_socket { getopt getattr };
 # system server gets network and bluetooth permissions.
 net_domain(system_server)
 # in addition to ioctls whitelisted for all domains, also allow system_server
-# to use:
-allowxperm system_server self:udp_socket ioctl SIOCSIFFLAGS;
+# to use privileged ioctls commands. Needed to set up VPNs.
+allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
 bluetooth_domain(system_server)
 
 # These are the capabilities assigned by the zygote to the
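Review bot: The rewritten comment above the `allowxperm system_server` rule reads "privileged ioctls commands", which should be "ioctl commands". It also justifies the grant only as "Needed to set up VPNs" without saying which commands VPN setup uses. Since the previous rule allowed only `SIOCSIFFLAGS`, naming the additional commands in the comment would let a later audit judge whether the macro can be narrowed again. Suggested wording: `# to use privileged ioctl commands (priv_sock_ioctls). Needed to set up VPNs: <commands used>.`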