diff --git a/microdroid/sepolicy/system/private/audioserver.te b/microdroid/sepolicy/system/private/audioserver.te
index 2d0b46d..feda8d4 100644
--- a/microdroid/sepolicy/system/private/audioserver.te
+++ b/microdroid/sepolicy/system/private/audioserver.te
@@ -95,7 +95,8 @@
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow audioserver domain:{ udp_socket rawip_socket } *;
+neverallow audioserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
 
 # Allow using wake locks
 wakelock_use(audioserver)
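Review bot: The comment block above the new `tcp_socket` assertion still says the process is isolated from the network, although the rule now exempts `su` on userdebug/eng builds and nothing records why. I would add a line directly above it such as `# userdebug/eng only: su-labelled tcp_sockets are exempt (<reason>); user builds keep the full restriction.` The exemption also spans every permission (`*`). If the need is only to use a socket handed over by su, the assertion could stay tighter, e.g. `neverallow audioserver su:tcp_socket ~{ read write getattr };`, with the permission set adjusted to what is actually required. The same applies to the matching hunks in mediatranscoding.te, cameraserver.te, mediaextractor.te and mediametrics.te.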
diff --git a/microdroid/sepolicy/system/private/mediatranscoding.te b/microdroid/sepolicy/system/private/mediatranscoding.te
index 2a43cf9..d812525 100644
--- a/microdroid/sepolicy/system/private/mediatranscoding.te
+++ b/microdroid/sepolicy/system/private/mediatranscoding.te
@@ -61,4 +61,5 @@
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediatranscoding domain:{ udp_socket rawip_socket } *;
+neverallow mediatranscoding { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/microdroid/sepolicy/system/public/cameraserver.te b/microdroid/sepolicy/system/public/cameraserver.te
index 7a29240..d7451df 100644
--- a/microdroid/sepolicy/system/public/cameraserver.te
+++ b/microdroid/sepolicy/system/public/cameraserver.te
@@ -53,7 +53,8 @@
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow cameraserver domain:{ udp_socket rawip_socket } *;
+neverallow cameraserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
 
 # Allow shell commands from ADB for CTS testing/dumping
 allow cameraserver adbd:fd use;
diff --git a/microdroid/sepolicy/system/public/iorapd.te b/microdroid/sepolicy/system/public/iorapd.te
index b970699..b772af8 100644
--- a/microdroid/sepolicy/system/public/iorapd.te
+++ b/microdroid/sepolicy/system/public/iorapd.te
@@ -94,4 +94,5 @@
 }:binder call;
 
 neverallow { domain -init } iorapd:process { transition dyntransition };
-neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow iorapd domain:{ udp_socket rawip_socket } *;
+neverallow iorapd { domain userdebug_or_eng(`-su') }:tcp_socket *;
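Review bot: The two iorapd socket assertions at the end of this hunk carry no comment at all, unlike the media-domain files, so the `-su` carve-out on the `tcp_socket` line is unexplained to anyone reading this file alone. A short comment above them such as `# iorapd must not use network sockets; su:tcp_socket is exempt on userdebug/eng only (<reason>).` would do. The hunk begins inside an earlier rule (`}:binder call;`) whose start lies outside it.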
diff --git a/microdroid/sepolicy/system/public/mediaextractor.te b/microdroid/sepolicy/system/public/mediaextractor.te
index 06f7928..a29e5dc 100644
--- a/microdroid/sepolicy/system/public/mediaextractor.te
+++ b/microdroid/sepolicy/system/public/mediaextractor.te
@@ -59,7 +59,8 @@
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediaextractor domain:{ udp_socket rawip_socket } *;
+neverallow mediaextractor { domain userdebug_or_eng(`-su') }:tcp_socket *;
 
 # mediaextractor should not be opening /data files directly. Any files
 # it touches (with a few exceptions) need to be passed to it via a file
diff --git a/microdroid/sepolicy/system/public/mediametrics.te b/microdroid/sepolicy/system/public/mediametrics.te
index 468c0d0..76f819e 100644
--- a/microdroid/sepolicy/system/public/mediametrics.te
+++ b/microdroid/sepolicy/system/public/mediametrics.te
@@ -42,4 +42,5 @@
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediametrics domain:{ udp_socket rawip_socket } *;
+neverallow mediametrics { domain userdebug_or_eng(`-su') }:tcp_socket *;
