diff --git a/sepolicy/vendor/mediacodec_google.te b/sepolicy/vendor/mediacodec_google.te
index 43613d23..d4bd1e5f 100644
--- a/sepolicy/vendor/mediacodec_google.te
+++ b/sepolicy/vendor/mediacodec_google.te
@@ -17,6 +17,7 @@ allow mediacodec_google dmabuf_system_secure_heap_device:chr_file r_file_perms;
 allow mediacodec_google gpu_device:chr_file rw_file_perms;
 allow mediacodec_google video_device:chr_file rw_file_perms;
-neverallow mediacodec_google domain:{ rawip_socket tcp_socket udp_socket } *;
+neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *;
+neverallow mediacodec_google domain:{ rawip_socket udp_socket } *;
 neverallow mediacodec_google file_type:file execute_no_trans;
 neverallow mediacodec_google fs_type:file execute_no_trans;
diff --git a/sepolicy/vendor/mediacodec_samsung.te b/sepolicy/vendor/mediacodec_samsung.te
index 82de3950..93929a80 100644
--- a/sepolicy/vendor/mediacodec_samsung.te
+++ b/sepolicy/vendor/mediacodec_samsung.te
@@ -25,6 +25,7 @@ allow mediacodec_samsung sysfs_mfc:dir r_dir_perms;
 allow mediacodec_samsung sysfs_mfc:file r_file_perms;
 allow mediacodec_samsung video_device:chr_file rw_file_perms;
-neverallow mediacodec_samsung domain:{ rawip_socket tcp_socket udp_socket } *;
+neverallow mediacodec_samsung { domain userdebug_or_eng(`-su') }:tcp_socket *;
+neverallow mediacodec_samsung domain:{ rawip_socket udp_socket } *;
 neverallow mediacodec_samsung file_type:file execute_no_trans;
 neverallow mediacodec_samsung fs_type:file execute_no_trans;
diff --git a/sepolicy/vendor/uwb_vendor_app.te b/sepolicy/vendor/uwb_vendor_app.te
index f7724ee2..a2ad6ea3 100644
--- a/sepolicy/vendor/uwb_vendor_app.te
+++ b/sepolicy/vendor/uwb_vendor_app.te
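Review bot: The split `neverallow` pair in mediacodec_google.te has no comment explaining why `su` is carved out of the `tcp_socket` assertion, and the identical hunk in mediacodec_samsung.te has the same gap. The `-su` exclusion is wrapped in `userdebug_or_eng`, so it only takes effect on userdebug and eng builds and user builds keep the full assertion, but a reader cannot tell that this was the intent. I would add above the pair something like `# Codecs must never own or use network sockets; su:tcp_socket is excluded on userdebug/eng only, user builds keep the full assertion.` A neverallow is a build-time assertion and grants nothing, so it is also worth stating in the commit message which allow rule triggered the relaxation, since none is visible in this diff.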
@@ -1,9 +1,15 @@
+not_recovery(`
 binder_call(uwb_vendor_app, hal_uwb_vendor_default)
+')
 get_prop(uwb_vendor_app, vendor_secure_element_prop)
+not_recovery(`
 hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
+')
 set_prop(uwb_vendor_app, vendor_uwb_calibration_country_code)
+not_recovery(`
 allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;
+')
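Review bot: The three `not_recovery` wrappers are added without any comment saying why the binder call, the HAL client attribute and the service_manager `find` rule must drop out of the recovery policy while `get_prop` and `set_prop` stay unguarded. Each wrapper guards a single statement, so a later editor could easily add another `binder_call` or `hal_client_domain` line outside a guard. I would put a line at the top of the file such as `# Binder/HAL access is compiled out of the recovery policy; property rules apply to both builds.` Presumably the normal-boot policy is meant to be unchanged by this hunk; comparing the compiled vendor policy before and after would confirm that.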