diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index 20f3c1d..7353f3b 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -1,6 +1,6 @@
 allow system_app sysfs_mdnie:file rw_file_perms;
+# TimeKeep Java service
 allow system_app time_data_file:dir search;
 allow system_app time_data_file:file rw_file_perms;
-
 set_prop(system_app, timekeep_prop)
diff --git a/sepolicy/timekeep.te b/sepolicy/timekeep.te
index 19cbe2d..8191118 100644
--- a/sepolicy/timekeep.te
+++ b/sepolicy/timekeep.te
@@ -1,16 +1,10 @@
 type timekeep, domain;
 type timekeep_exec, exec_type, vendor_file_type, file_type;
-# Started by init
 init_daemon_domain(timekeep)
-allow timekeep self:capability {
- fowner
- fsetid
- sys_time
- dac_override
- dac_read_search
-};
+# Grant permission to set system time and to set the real-time lock
+allow timekeep self:capability { fowner sys_time };
 allow timekeep time_data_file:file create_file_perms;
 allow timekeep time_data_file:dir create_dir_perms;
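Review bot: In sepolicy/timekeep.te the new comment above `allow timekeep self:capability { fowner sys_time };` only accounts for `sys_time`, and "real-time lock" reads like a typo for "real-time clock". `fowner` is kept without a stated reason, yet it lets the daemon pass owner checks on files it does not own, so it deserves the same scrutiny as the `fsetid`, `dac_override` and `dac_read_search` grants this hunk drops. I would reword the comment to `# sys_time: set the system time and the real-time clock` and add a second line, `# fowner: <reason this daemon needs it>`, or remove `fowner` if on-device testing shows no `avc: denied` for it. Dropping the DAC overrides presumably relies on the `time_data_file` directory and files being owned by the UID the daemon runs as; that ownership is set outside this diff and is worth confirming in the init script.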