diff --git a/target/board/generic/sepolicy/dhcpclient.te b/target/board/generic/sepolicy/dhcpclient.te
index 9c5833f185..df71fca386 100644
--- a/target/board/generic/sepolicy/dhcpclient.te
+++ b/target/board/generic/sepolicy/dhcpclient.te
@@ -1,6 +1,6 @@
 # DHCP client
-type dhcpclient, domain, domain_deprecated;
-type dhcpclient_exec, exec_type, file_type;
+type dhcpclient, domain;
+type dhcpclient_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(dhcpclient)
 net_domain(dhcpclient)
@@ -9,8 +9,12 @@ allow dhcpclient execns:fd use;
 set_prop(dhcpclient, net_eth0_prop);
 allow dhcpclient self:capability { net_admin net_raw };
-allow dhcpclient self:packet_socket { create bind ioctl read write };
-allow dhcpclient self:udp_socket { ioctl create };
+allow dhcpclient self:udp_socket create;
 allow dhcpclient self:netlink_route_socket { write nlmsg_write };
 allow dhcpclient varrun_file:dir search;
-
+allow dhcpclient self:packet_socket { create bind write read };
+allowxperm dhcpclient self:udp_socket ioctl { SIOCSIFFLAGS
+ SIOCSIFADDR
+ SIOCSIFNETMASK
+ SIOCSIFMTU
+ SIOCGIFHWADDR };
diff --git a/target/board/generic/sepolicy/dhcpserver.te b/target/board/generic/sepolicy/dhcpserver.te
index 742bfb8f3b..7e8ba263ac 100644
--- a/target/board/generic/sepolicy/dhcpserver.te
+++ b/target/board/generic/sepolicy/dhcpserver.te
@@ -1,6 +1,6 @@
 # DHCP server
-type dhcpserver, domain, domain_deprecated;
-type dhcpserver_exec, exec_type, file_type;
+type dhcpserver, domain;
+type dhcpserver_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(dhcpserver)
 net_domain(dhcpserver)
diff --git a/target/board/generic/sepolicy/execns.te b/target/board/generic/sepolicy/execns.te
index 9f3af4ec41..d1e373e895 100644
--- a/target/board/generic/sepolicy/execns.te
+++ b/target/board/generic/sepolicy/execns.te
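Review bot: The new `allowxperm dhcpclient self:udp_socket ioctl { SIOCSIFFLAGS ... SIOCGIFHWADDR };` only filters which ioctl numbers are accepted; it grants nothing by itself, and this hunk also replaces the old `{ ioctl create }` with `allow dhcpclient self:udp_socket create;`, so the `ioctl` permission now has to come from somewhere else. Presumably `net_domain(dhcpclient)` (in the first hunk) supplies it through the netdomain attribute, but that should be confirmed against the base policy in use rather than assumed, or every SIOCSIF* call will be denied outright. A one-line comment would spare the next reader the same check: `# udp_socket ioctl itself is granted by net_domain(); this whitelists only the interface-config ioctls dhcpclient issues`. If net_domain does grant it, the explicit `create` is redundant as well and can go.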
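Review bot: Removing `domain_deprecated` from `type dhcpserver, domain;` drops the legacy catch-all permissions, but unlike the dhcpclient hunk nothing is added here in their place. If dhcpserver relied on anything that only domain_deprecated granted, it will now fail in enforcing mode; the remainder of dhcpserver.te is outside this hunk, so it may already cover what the daemon needs, but that is not visible here. The change should be validated by exercising the emulator's DHCP server path with the policy enforcing and checking for avc denials from `dhcpserver`, and a note in the commit message saying that was done would make the removal easier to trust.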
@@ -1,11 +1,12 @@
 # Network namespace transitions
-type execns, domain, domain_deprecated;
-type execns_exec, exec_type, file_type;
+type execns, domain;
+type execns_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(execns)
 allow execns varrun_file:dir search;
 allow execns self:capability sys_admin;
+allow execns proc:file { open read };
 #Allow execns itself to be run by init in its own domain
 domain_auto_trans(init, execns_exec, execns);
@@ -19,8 +20,3 @@ domain_auto_trans(execns, dhcpserver_exec, dhcpserver);
 # Allow hostapd to be run by execns in its own domain
 domain_auto_trans(execns, hostapd_exec, hostapd);
 allow hostapd execns:fd use;
-
-# Allow dnsmasq to be run by execns in its own domain
-domain_auto_trans(execns, dnsmasq_exec, dnsmasq);
-allow dnsmasq execns:fd use;
-
diff --git a/target/board/generic/sepolicy/file_contexts b/target/board/generic/sepolicy/file_contexts
index cc54517036..41a319e76e 100644
--- a/target/board/generic/sepolicy/file_contexts
+++ b/target/board/generic/sepolicy/file_contexts
@@ -17,11 +17,12 @@
 /dev/ttyS2 u:object_r:console_device:s0
 /vendor/bin/init\.ranchu-core\.sh u:object_r:goldfish_setup_exec:s0
 /vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0
+/vendor/bin/init\.wifi\.sh u:object_r:goldfish_setup_exec:s0
 /vendor/bin/qemu-props u:object_r:qemu_props_exec:s0
-/system/bin/execns u:object_r:execns_exec:s0
-/system/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0
-/system/bin/dhcpclient u:object_r:dhcpclient_exec:s0
-/system/bin/dhcpserver u:object_r:dhcpserver_exec:s0
+/vendor/bin/execns u:object_r:execns_exec:s0
+/vendor/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0
+/vendor/bin/dhcpclient u:object_r:dhcpclient_exec:s0
+/vendor/bin/dhcpserver u:object_r:dhcpserver_exec:s0
 /vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0
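Review bot: `allow execns proc:file { open read };` grants read on every file carrying the generic `proc` label, and the hunk does not say which file execns actually needs. Given the domain's stated purpose (network namespace transitions) and the `sys_admin` capability on the line above, this is presumably `/proc/<pid>/ns/net` for setns(), but that is an inference from names, not something the hunk shows. Either narrow the rule to a more specific /proc type if this policy version has one, or record the reason next to it, e.g. `# read /proc/<pid>/ns/net to enter the target netns (setns)` adjusted to whatever the denial log actually reported. Since execns already holds `sys_admin`, every extra access it gets is worth keeping deliberately small.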
diff --git a/target/board/generic/sepolicy/goldfish_setup.te b/target/board/generic/sepolicy/goldfish_setup.te
index 34ac4d13a8..31d35e68a3 100644
--- a/target/board/generic/sepolicy/goldfish_setup.te
+++ b/target/board/generic/sepolicy/goldfish_setup.te
@@ -16,10 +16,23 @@ allow goldfish_setup vendor_shell_exec:file { rx_file_perms };
 set_prop(goldfish_setup, ctl_default_prop);
 # Set up WiFi
-allow goldfish_setup self:netlink_route_socket nlmsg_write;
-allow goldfish_setup self:netlink_socket create_socket_perms;
+allow goldfish_setup self:netlink_route_socket { create nlmsg_write setopt bind getattr read write nlmsg_read };
+allow goldfish_setup self:netlink_socket create_socket_perms_no_ioctl;
 allow goldfish_setup self:capability { sys_module sys_admin };
 allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name };
 allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink };
 allow goldfish_setup execns_exec:file rx_file_perms;
-allow goldfish_setup proc_net:file w_file_perms;
+allow goldfish_setup proc_net:file rw_file_perms;
+allow goldfish_setup proc:file r_file_perms;
+set_prop(goldfish_setup, ctl_default_prop);
+allow goldfish_setup system_data_file:dir getattr;
+allow goldfish_setup kernel:system module_request;
+# Allow goldfish_setup to run /system/bin/ip and /system/bin/iw
+allow goldfish_setup system_file:file execute_no_trans;
+# Allow goldfish_setup to run init.wifi.sh
+allow goldfish_setup goldfish_setup_exec:file execute_no_trans;
+# iw
+allow goldfish_setup sysfs:file { read open };
+# iptables
+allow goldfish_setup system_file:file lock;
+allow goldfish_setup self:rawip_socket { create getopt setopt };
diff --git a/target/board/generic/sepolicy/ipv6proxy.te b/target/board/generic/sepolicy/ipv6proxy.te
index 009d545f2b..22976fe9b6 100644
--- a/target/board/generic/sepolicy/ipv6proxy.te
+++ b/target/board/generic/sepolicy/ipv6proxy.te
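Review bot: The added `set_prop(goldfish_setup, ctl_default_prop);` duplicates the identical line already present as context at the top of this hunk, so the new copy should simply be deleted. The line that deserves more scrutiny is `allow goldfish_setup system_file:file execute_no_trans;`: its comment scopes it to `/system/bin/ip` and `/system/bin/iw`, but `system_file` covers every executable and library under /system, so this vendor-side setup domain (it runs from `vendor_shell_exec` per the context line above, and holds `sys_module`, `sys_admin` and now `module_request`) may execute any system binary in its own domain. In AOSP's Treble split that vendor-domain-executes-system_file pattern is normally neverallowed for non-coredomain domains; if the emulator board is deliberately exempt, state it so the exception is not copied elsewhere, e.g. `# emulator-only: vendor setup domain executes system ip/iw; not acceptable on Treble devices`. The `rw_file_perms` on `proc_net` and `r_file_perms` on the generic `proc` type would likewise benefit from a comment naming the files involved.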
@@ -1,6 +1,6 @@
 # IPv6 proxying
-type ipv6proxy, domain, domain_deprecated;
-type ipv6proxy_exec, exec_type, file_type;
+type ipv6proxy, domain;
+type ipv6proxy_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(ipv6proxy)
 net_domain(ipv6proxy)
@@ -13,3 +13,4 @@ allow ipv6proxy self:capability { sys_admin sys_module net_admin net_raw };
 allow ipv6proxy self:packet_socket { bind create read };
 allow ipv6proxy self:netlink_route_socket nlmsg_write;
 allow ipv6proxy varrun_file:dir search;
+allowxperm ipv6proxy self:udp_socket ioctl { SIOCSIFFLAGS SIOCGIFHWADDR };
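Review bot: `allowxperm ipv6proxy self:udp_socket ioctl { SIOCSIFFLAGS SIOCGIFHWADDR };` is only an ioctl filter, and nothing in this file explicitly allows `ioctl` on `udp_socket`, so the rule presumes `net_domain(ipv6proxy)` from the first hunk already grants it; that should be verified against the base policy, otherwise both ioctls are denied and the xperm line is dead. SIOCSIFFLAGS lets the daemon bring interfaces up or down, which fits its existing `net_admin` capability but is worth recording: `# SIOCSIFFLAGS to toggle the proxied interface, SIOCGIFHWADDR to read its MAC`. As a point of style, dhcpclient.te in this same change lists one ioctl per line while this file puts them on one line; either is fine, but the two files should match.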