diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index a773f96f9..ca3b51585 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -15,8 +15,10 @@ allow netutils_wrapper self:netlink_route_socket ~ioctl;
 allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
 # For netutils (ndc) to be able to talk to netd
-allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
-allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
+allow netutils_wrapper netd_service:service_manager find;
+allow netutils_wrapper dnsresolver_service:service_manager find;
+binder_use(netutils_wrapper);
+binder_call(netutils_wrapper, netd);
 # For vendor code that update the iptables rules at runtime. They need to reload
 # the whole chain including the xt_bpf rules. They need to access to the pinned
diff --git a/public/netd.te b/public/netd.te
index 859cb65d3..c4a913632 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -138,6 +138,7 @@ neverallow {
 -dumpstate
 -network_stack
 -netd
+ -netutils_wrapper
 } netd_service:service_manager find;
 # only system_server, dumpstate and network stack app may find dnsresolver service
@@ -147,6 +148,7 @@ neverallow {
 -dumpstate
 -network_stack
 -netd
+ -netutils_wrapper
 } dnsresolver_service:service_manager find;
 # only netd can create the bpf maps
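Review bot: The context comment `# For netutils (ndc) to be able to talk to netd` no longer describes the rules under it, which now grant service_manager find on netd_service and dnsresolver_service plus binder_use/binder_call in place of the removed netd_socket and unix_stream_socket access; rewording it to `# For netutils (ndc) to talk to netd and the DNS resolver over binder` keeps the next reader from looking for socket rules that are gone. The hunk adds find on dnsresolver_service but only `binder_call(netutils_wrapper, netd)`; presumably that service is hosted inside the netd domain, but if it is served by another process the transaction would still be denied and a matching binder_call would be needed — worth confirming in the commit message. The surrounding netutils_wrapper rules continue outside the hunk.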
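Review bot: Both neverallow carve-outs (the hunks at @@ -138 and @@ -147) now exempt netutils_wrapper, but the explanatory comment kept as context, `# only system_server, dumpstate and network stack app may find dnsresolver service`, no longer matches the exemption list beneath it, which also includes netd and now netutils_wrapper; change it to `# only system_server, dumpstate, network stack app, netd and netutils_wrapper may find dnsresolver service`, and if an equivalent comment exists above the netd_service block it needs the same update. Each name added to these lists widens the set of domains that can look up a privileged system service, so a short note beside `-netutils_wrapper` stating why it needs the lookup (ndc moved from the netd socket to binder) would keep the neverallow auditable without reading the other file. The opening lines of both neverallow blocks are outside the hunks.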