diff --git a/domain.te b/domain.te
index 9d377e50a..6aa69add0 100644
--- a/domain.te
+++ b/domain.te
@@ -38,7 +38,8 @@ userdebug_or_eng(`
 allow domain su:fd use;
 allow domain su:unix_stream_socket { getattr getopt read write shutdown };
- binder_call({ domain -init }, su)
+ allow { domain -init } su:binder { call transfer };
+ allow { domain -init } su:fd use;
 # Running something like "pm dump com.android.bluetooth" requires
 # fifo writes
diff --git a/dumpstate.te b/dumpstate.te
index f7a84f6bc..ce099131e 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -113,7 +113,7 @@ allow dumpstate tombstone_data_file:file r_file_perms;
 allow dumpstate cache_recovery_file:dir r_dir_perms;
 allow dumpstate cache_recovery_file:file r_file_perms;
-allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
 allow dumpstate devpts:chr_file rw_file_perms;
diff --git a/netd.te b/netd.te
index 98a1a2a3c..e3df2ba45 100644
--- a/netd.te
+++ b/netd.te
@@ -57,7 +57,6 @@ set_prop(netd, ctl_mdnsd_prop)
 # Allow netd to publish a binder service and make binder calls.
 binder_use(netd)
-binder_service(netd)
 allow netd netd_service:service_manager add;
 # Allow netd to call into the system server so it can check permissions.
@@ -84,3 +83,8 @@ neverallow netd system_file:dir_file_class_set write;
 # Write to files in /data/data or system files on /data
 neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
+
+# only system_server may interact with netd over binder
+neverallow { domain -system_server } netd_service:service_manager find;
+neverallow { domain -system_server } netd:binder call;
+neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
diff --git a/shell.te b/shell.te
index 8076d460b..d1c385b94 100644
--- a/shell.te
+++ b/shell.te
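Review bot: The added `allow { domain -init } su:fd use;` grants nothing new, because the context line `allow domain su:fd use;` two lines above already covers every domain; drop the added line. The replacement of `binder_call({ domain -init }, su)` by a hand-written `allow { domain -init } su:binder { call transfer };` also carries no comment saying what the macro expanded to that is no longer wanted; if the macro also grants rules in the su-to-client direction, those are silently dropped here. Confirm against te_macros and record the reason next to the rule, e.g. `# Expanded by hand rather than binder_call(): the macro's extra su rules are not wanted here`. The enclosing `userdebug_or_eng(` block starts and ends outside the hunk.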
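Review bot: Withdrawing `find` on netd_service from dumpstate means a bugreport can no longer reach netd's binder service, while dumpstate keeps `servicemanager:service_manager list` and so will presumably still enumerate netd and hit a denial when it tries to dump it; confirm that the resulting AVC noise in every bugreport is acceptable. The exclusion is forced by the new neverallow in netd.te rather than being a local choice, so say so beside the rule, e.g. `# netd_service is reserved for system_server (neverallow in netd.te)`, so nobody re-adds it to make dumpsys quieter.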
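Review bot: The comment `# Allow netd to publish a binder service and make binder calls.` now sits above a rule set that deliberately omits `binder_service(netd)`, and a later reader will reasonably re-add the macro to "fix" it. State the intent inline, e.g. `# Deliberately not binder_service(): netd must only be reachable by system_server (see neverallows below)`. That binder_service() places netd in an attribute other domains are allowed to call is something I infer from its name and from this commit removing it; confirm against te_macros before wording the comment.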
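Review bot: The comment `# only system_server may interact with netd over binder` overstates the third rule, which also lets netd call servicemanager and, on userdebug/eng builds, su; the su exemption is evidently needed because domain.te in this same commit grants every domain `su:binder call`. That exemption is one-directional: su is allowed as a callee of netd but the second rule still forbids su from calling netd, so confirm the asymmetry is intended before userdebug testers lose `su`-driven access to netd's interface. Suggest `# Only system_server may find or call netd's binder service; netd itself may call only system_server, servicemanager and (userdebug/eng) su.` These rules assume system_server.te already grants the matching find and call, which is not part of this diff.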
@@ -83,7 +83,7 @@ allow shell kernel:system syslog_read;
 # allow shell access to services
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
-allow shell { service_manager_type -gatekeeper_service }:service_manager find;
+allow shell { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
 # allow shell to look through /proc/ for ps, top, netstat
 r_dir_file(shell, proc)
diff --git a/system_app.te b/system_app.te
index 5e66acd73..a07a9b9d8 100644
--- a/system_app.te
+++ b/system_app.te
@@ -43,7 +43,7 @@ allow system_app anr_data_file:file create_file_perms;
 allow system_app asec_apk_file:file r_file_perms;
 allow system_app servicemanager:service_manager list;
-allow system_app service_manager_type:service_manager find;
+allow system_app { service_manager_type -netd_service }:service_manager find;
 allow system_app keystore:keystore_key { get_state
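Review bot: The comment `# don't allow shell to access GateKeeper service` is now stale, since the rule beneath it also excludes netd_service. Update it to `# don't allow shell to access the GateKeeper or netd services (netd is system_server-only, enforced by neverallow in netd.te)`. shell keeps `servicemanager:service_manager list`, so `service list` will still show netd by name; only `find` is withheld, which is what the netd.te neverallow demands.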