diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 6470b0ef57a8e4d8a05cf03d4af58119f422aefc..560367733360b5989deb746b29c5aa94f3203640 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -98,6 +98,9 @@ neverallow all_untrusted_apps anr_data_file:dir ~search;
 # Create a more specific label if needed
 neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
 
+# Avoid all access to kernel configuration
+neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
+
 # Do not allow untrusted apps access to preloads data files
 neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
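Review bot: The comment on the added rule promises "all access", but the permission set `{ no_rw_file_perms no_x_file_perms }` appears narrower than that. Both macros are defined outside this hunk; assuming their usual definitions, `getattr` is not in either set, so a later allow rule could still let an untrusted app stat the `config_gz` node without tripping this neverallow. If the intent is truly no access, `neverallow all_untrusted_apps config_gz:file *;` states it directly and does not depend on what the macros expand to. Otherwise, reword the comment to match the rule and record the reason, e.g. `# Do not allow untrusted apps to read, write or execute the kernel configuration: it discloses kernel build options`.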