Restore system_server ioctl socket access.

Bug: 32290392
Test: Builds.
Change-Id: I46e8af202b41131cfc9bb280f04a214859c9b0de
(cherry picked from commit ec3285cde08a7ecb8de1beae7a2ec6ddf1efe5ba)
diff --git a/public/domain.te b/public/domain.te
index bbf4d68..68e81ed 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -175,7 +175,7 @@
 ###
 
 # All socket ioctls must be restricted to a whitelist.
-neverallowxperm domain domain:socket_class_set ioctl { 0 };
+neverallowxperm { domain -system_server } domain:socket_class_set ioctl { 0 };
 
 # Do not allow any domain other than init or recovery to create unlabeled files.
 neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
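Review bot: The `-system_server` exemption on the `neverallowxperm` line is wider than the allow rule it unblocks. It lifts the whitelist requirement for system_server on every class in `socket_class_set` and toward any target domain, while the rule changed in public/system_server.te only grants ioctl on `self:socket`. The comment above the rule still says all socket ioctls must be restricted to a whitelist, which no longer holds for system_server. I would reword it to `# All socket ioctls must be restricted to a whitelist, except system_server (see b/32290392).` so an auditor sees the gap. If the policy language permits it, a second `neverallowxperm` covering system_server for the socket classes it does not need would keep the original guarantee there.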
diff --git a/public/system_server.te b/public/system_server.te
index a728c15..82bd00b 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -81,7 +81,7 @@
 # to the kernel. The ioctl permission is specifically omitted here, but may
 # be added to device specific policy along with the ioctl commands to be
 # whitelisted.
-allow system_server self:socket create_socket_perms_no_ioctl;
+allow system_server self:socket create_socket_perms;
 
 # Set and get routes directly via netlink.
 allow system_server self:netlink_route_socket nlmsg_write;
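Review bot: The comment directly above the changed rule still says the ioctl permission is "specifically omitted here", but `create_socket_perms` now grants it, so the comment contradicts the rule. No `allowxperm` accompanies the grant in this hunk, so system_server appears to get every ioctl command on its own generic sockets rather than a whitelisted set. I would replace the stale sentence with `# ioctl is granted here without a command whitelist (b/32290392); narrow it with allowxperm once the needed commands are known.` A follow-up `allowxperm system_server self:socket ioctl` rule listing only the required commands would restore the filtering. The comment block starts above the hunk, so its opening lines are not visible here.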