diff --git a/app.te b/app.te
index e9dd7b39ad62f4f0c4c48f3030d0a975ba19f163..b15c69a57193a115e30b20d30167dc30ce896b77 100644
--- a/app.te
+++ b/app.te
@@ -274,7 +274,8 @@ allow appdomain cache_file:dir getattr;
 
 # Superuser capabilities.
 # bluetooth requires net_admin and wake_alarm.
-neverallow { appdomain -bluetooth } self:capability *;
+# iot_wifi requires net_admin.
+neverallow { appdomain -bluetooth -iot_wifi } self:capability *;
 neverallow { appdomain -bluetooth } self:capability2 *;
 
 # Block device access.
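Review bot: The new exemption on the `self:capability *` neverallow lifts every capability restriction from iot_wifi, while the comment added directly above it says the domain needs only net_admin; nothing in this hunk narrows the domain to that one capability, so a later allow rule could grant more than the comment states. The unchanged capability2 line on the next row keeps iot_wifi fully restricted, and the same narrowing can be written for capability by adding, here or in iot_wifi.te, `neverallow iot_wifi self:capability ~net_admin;`. It may also help to extend the new comment to say the exemption is temporary, since the iot_wifi.te TODO implies the type leaves this tree once the neverallow no longer needs modifying.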
@@ -441,6 +442,7 @@ neverallow appdomain {
 # Blacklist app domains not allowed to execute from /data
 neverallow {
   bluetooth
+  iot_wifi
   isolated_app
   nfc
   radio
diff --git a/iot_wifi.te b/iot_wifi.te
new file mode 100644
index 0000000000000000000000000000000000000000..47b38ac360c07316c0a5f5a9884081b1099052db
--- /dev/null
+++ b/iot_wifi.te
@@ -0,0 +1,4 @@
+# IoTWifiService app
+# TODO(bryanhenry,b/64616008): Move this domain type into device/google/iot
+# once we no longer need to modify the self:capability neverallow
+type iot_wifi, domain;
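Review bot: `type iot_wifi, domain;` gives the type only the `domain` attribute, yet the app.te hunks subtract iot_wifi from `appdomain` sets, which has an effect only if something else — presumably the device policy named in the TODO — attaches `appdomain` to this type; that dependency is not stated in the file. A comment along the lines of `# appdomain and the allow rules for this domain are attached in the device policy; the type is declared here only so app.te can exempt it from the appdomain capability neverallow.` would make the split explicit for the next reader. With no allow rules in this file, whether iot_wifi actually obtains net_admin cannot be seen from this diff.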