diff --git a/file.te b/file.te
index 59a2cc5c08b369671d2db60d974526d7aaddf41b..bbd098e8bcd83dffaf3fce39cfe629eb41321be0 100644
--- a/file.te
+++ b/file.te
@@ -25,6 +25,7 @@ type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wake_lock, fs_type, sysfs_type;
+type sysfs_mac_address, fs_type, sysfs_type;
 # /sys/devices/system/cpu
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
 # /sys/module/lowmemorykiller
diff --git a/system_server.te b/system_server.te
index 905f12744d70d4fa39d1ba30ecb61f56f62523f4..bb8c6ef97b983612874addd5e2f9b2eab1e032c3 100644
--- a/system_server.te
+++ b/system_server.te
@@ -430,6 +430,9 @@ allow system_server mnt_expand_file:dir r_dir_perms;
 # Allow system process to relabel the fingerprint directory after mkdir
 allow system_server fingerprintd_data_file:dir {r_dir_perms relabelto};
+# Allow system process to read network MAC address
+allow system_server sysfs_mac_address:file r_file_perms;
+
 ###
 ### Neverallow rules
 ###
diff --git a/untrusted_app.te b/untrusted_app.te
index 693a13cd697b254c11f0d53bd1608104a80e7fad..eb518e32c45ee670948f9cfea6530eb1c48e0ed7 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -154,3 +154,6 @@ neverallow untrusted_app mlstrustedsubject:process fork;
 # bugs, so we want to ensure untrusted_app never has this
 # capability.
 neverallow untrusted_app file_type:file link;
+
+# Do not allow untrusted_app to access network MAC address file
+neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
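Review bot: The new `sysfs_mac_address` type in file.te has no comment naming the sysfs node it is meant to label, unlike the `# /sys/devices/system/cpu` entry directly below it, and nothing in this diff assigns the label to any file. Until a file_contexts or genfscon entry (presumably device-specific, not visible here) applies it, the allow rule in system_server.te and the neverallow in untrusted_app.te match no real file. Because the type carries the `sysfs_type` attribute, any rule elsewhere written against that attribute would still grant access to the relabelled node, so it is worth checking that no app-facing domain has such a blanket rule. Suggested comment above the declaration: `# MAC address node, e.g. <device-specific sysfs path>; must be labeled in file_contexts`.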
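Review bot: The neverallow added at the end of untrusted_app.te constrains only `untrusted_app`, so it will not catch a later rule that gives another app domain (for example `isolated_app`, or a vendor-added domain) read access to the MAC address file. If the intent is that no third-party code can read the hardware address, stating it over the wider set, e.g. `neverallow { appdomain -<domains that must read it> } sysfs_mac_address:file no_rw_file_perms;`, would enforce that at build time; which domains need an exemption is not visible in this diff. If I read the macro correctly, `no_rw_file_perms` also leaves `getattr` unasserted, which is probably acceptable but deserves a word in the comment.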