diff --git a/app.te b/app.te
index dd2fbe0548a01b77cd44ba1fc431344e75c5effa..d90185c39d9102b3a67d8f128ff527f36254bb57 100644
--- a/app.te
+++ b/app.te
@@ -138,7 +138,7 @@ neverallow { appdomain -unconfineddomain } kmem_device:chr_file { read write };
 neverallow { appdomain -unconfineddomain } kernel:security { setenforce setbool };
 # Load security policy.
-neverallow { appdomain -unconfineddomain } kernel:security load_policy;
+neverallow appdomain kernel:security load_policy;
 # Privileged netlink socket interfaces.
 neverallow { appdomain -unconfineddomain }
diff --git a/domain.te b/domain.te
index 95c2423438431f80121bd9c9ab1fc747b3b335d6..291c562466bd58a36d2ed085d393b69674066d5b 100644
--- a/domain.te
+++ b/domain.te
@@ -135,3 +135,10 @@ allow domain unlabeled:file { create_file_perms rwx_file_perms relabelfrom };
 allow domain unlabeled:dir { create_dir_perms relabelfrom };
 allow domain unlabeled:lnk_file { create_file_perms };
 neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
+
+###
+### neverallow rules
+###
+
+# Only init should be able to load SELinux policies
+neverallow { domain -init } kernel:security load_policy;
diff --git a/init.te b/init.te
index 2cbf14d86a80c5d3fcc516984d8685f726220c59..9be5955dd992e41c4739d39587b1dfaa5f3ce7fc 100644
--- a/init.te
+++ b/init.te
@@ -9,3 +9,4 @@ relabelto_domain(init)
 allow init unlabeled:filesystem mount;
 allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
+allow init kernel:security load_policy;
diff --git a/unconfined.te b/unconfined.te
index a3af7d771320f36a1e9fccfeed084ca5fb171e9c..9b1b992e58d6a9d279826b8354572133f200b45d 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -1,5 +1,5 @@
 allow unconfineddomain self:capability_class_set *;
-allow unconfineddomain kernel:security *;
+allow unconfineddomain kernel:security ~load_policy;
 allow unconfineddomain kernel:system *;
 allow unconfineddomain self:memprotect *;
 allow unconfineddomain domain:process *;
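Review bot: The tightened line `neverallow appdomain kernel:security load_policy;` now covers unconfined apps, but the context line directly above it still reads `neverallow { appdomain -unconfineddomain } kernel:security { setenforce setbool };`, so an unconfined app domain remains free to change the enforcing state, and unconfined.te's new `~load_policy` likewise keeps setenforce for unconfineddomain; a neverallow on load_policy is only as strong as the setenforce restriction next to it, so the comment should say whether leaving setenforce open is intentional. The new rule also appears to be subsumed by domain.te's `neverallow { domain -init } kernel:security load_policy;`, assuming appdomain types carry the domain attribute and init is not an appdomain; keeping it is harmless, but a comment such as `# Load security policy (also asserted for every domain in domain.te).` would make the overlap deliberate rather than accidental. The rule on the hunk's last context line continues outside the hunk.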
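Review bot: The new `### neverallow rules ###` section header is inserted below the existing `neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;`, which leaves one neverallow outside the section that claims to collect them; moving that line under the header, or dropping the header, keeps the file consistent. The comment on the new rule could also make the mechanism explicit, since a neverallow is a build-time assertion rather than a grant, e.g. `# Only init should be able to load SELinux policies; the allow lives in init.te and this rule fails the build if any other domain is granted it`. Whether init is genuinely the only domain that must load policy (no separate policy-reload or management domain) is a design decision not visible here and should be confirmed before this assertion lands.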
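Review bot: `allow init kernel:security load_policy;` is added without a comment, while the matching assertion in domain.te explains the intent; a one-line note such as `# init is the only domain permitted to load policy (see the neverallow in domain.te)` keeps the two files cross-referenced when either is edited later. The surrounding init rules start before this hunk.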
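Review bot: `allow unconfineddomain kernel:security ~load_policy;` is a complement rule, so any permission later added to the kernel:security class is granted to unconfineddomain automatically rather than reviewed; if the intent is to carve out exactly the policy-loading permission this is the idiomatic form, but a comment recording that (`# everything except load_policy, which is reserved for init (domain.te)`) would make the choice visible to the next reader. An explicit permission list would be the alternative if the class is expected to grow.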