diff --git a/app.te b/app.te
index 615b39e2bac37c1d9c6328ab6ce22618a0faf576..dbe3dc2b3a2923e8a7062855b1d395a86f176458 100644
--- a/app.te
+++ b/app.te
@@ -227,9 +227,13 @@ neverallow appdomain
         netlink_audit_socket
         netlink_ip6fw_socket
         netlink_dnrt_socket
-        netlink_kobject_uevent_socket
     } *;
 
+# These messages are broadcast messages from the kernel to userspace.
+# Do not allow the writing of netlink messages, which has been a source
+# of rooting vulns in the past.
+neverallow appdomain self:netlink_kobject_uevent_socket { write append };
+
 # Sockets under /dev/socket that are not specifically typed.
 neverallow appdomain socket_device:sock_file write;
 
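Review bot: The replacement rule `neverallow appdomain self:netlink_kobject_uevent_socket { write append };` narrows the denial from every permission (the removed `*` entry of the combined neverallow) to write and append, so creating, binding and reading uevent sockets become allowable for any appdomain type; that is presumably the intent (apps receiving kernel broadcasts), but the comment should state it, e.g. `# Apps may create/bind/read these sockets to receive kernel broadcasts; only sending (write/append) is forbidden.` If sending on this socket class can also be reached through the `sendto` permission, it belongs in the set as well — confirm against the kernel's socket send hook before relying on write/append alone. The enclosing neverallow statement that loses the netlink_kobject_uevent_socket entry starts before this hunk.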
diff --git a/untrusted_app.te b/untrusted_app.te
index 5af4e954a9a04dee8e424e0c2f73b03b6ecfffb2..2a8c170a2d13f9b32634914add3796cb70b7c4b5 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -68,6 +68,9 @@ allow untrusted_app cache_file:file create_file_perms;
 ### neverallow rules
 ###
 
+# Receive or send uevent messages.
+neverallow untrusted_app self:netlink_kobject_uevent_socket *;
+
 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
 neverallow untrusted_app debugfs:file read;
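Review bot: The comment `# Receive or send uevent messages.` above the new rule reads as the description of an allow rule rather than of a denial; suggest `# Untrusted apps may neither create nor use uevent netlink sockets (no receive, no send).` The rule constrains only sockets labelled untrusted_app (the `self` target), so a uevent socket created by another domain and passed to the app as a file descriptor would carry that domain's type and fall outside this neverallow — presumably acceptable, but worth confirming the rest of the policy does not permit such a hand-over. Layered on the appdomain rule in app.te, untrusted_app gets the stricter of the two, which is consistent.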