diff --git a/app.te b/app.te
index 1c8ad5925fae8d6d056d4b371a5b90d05532a8c3..13900b192ea3d2ddec586a9da3c9af90aab25ce6 100644
--- a/app.te
+++ b/app.te
@@ -219,9 +219,13 @@ neverallow appdomain
 netlink_audit_socket
 netlink_ip6fw_socket
 netlink_dnrt_socket
- netlink_kobject_uevent_socket
 } *;
+# These messages are broadcast messages from the kernel to userspace.
+# Do not allow the writing of netlink messages, which has been a source
+# of rooting vulns in the past.
+neverallow appdomain self:netlink_kobject_uevent_socket { write append };
+
 # Sockets under /dev/socket that are not specifically typed.
 neverallow appdomain socket_device:sock_file write;
diff --git a/untrusted_app.te b/untrusted_app.te
index ea20e56279f34db12e097c03ecf6cc7df209fb5b..7e67ea8c1460c026a778770d7b5084dd55a39bef 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -81,6 +81,9 @@ auditallow untrusted_app {
 ### neverallow rules ###
+# Receive or send uevent messages.
+neverallow untrusted_app self:netlink_kobject_uevent_socket *;
+
 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
 neverallow untrusted_app debugfs:file read;
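Review bot: The new rule `neverallow appdomain self:netlink_kobject_uevent_socket { write append };` is scoped by `self`, so it only constrains uevent sockets that an app domain created itself; a socket created by another domain and handed to an app as a file descriptor keeps its creator's label and is not covered by this rule. If the intent is that apps never write uevent messages at all, the target should be the attribute covering every process type rather than `self`, e.g. `neverallow appdomain domain:netlink_kobject_uevent_socket { write append };`, assuming `domain` is that attribute in this policy as it is elsewhere in Android sepolicy. Removing the class from the blanket `*` list also means `create`, `bind` and `read` on uevent sockets are no longer forbidden to the wider `appdomain` (only `untrusted_app` gets a full `*` neverallow in the second hunk), so the comment should state that explicitly, e.g. `# Receiving uevents is left to each app domain's allow rules; only sending is forbidden here.` The enclosing `neverallow appdomain … } *;` statement starts above this hunk, so whether it targets `self` or another type is not visible here.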
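Review bot: The comment `# Receive or send uevent messages.` above the new `neverallow untrusted_app self:netlink_kobject_uevent_socket *;` reads as a description of permitted behaviour rather than of the prohibition, and it does not say that this rule is deliberately stricter than the `{ write append }` rule added to app.te for all of `appdomain`. Suggest `# Untrusted apps may not create, read, or write uevent (netlink_kobject_uevent_socket) sockets at all; app.te only forbids writes for appdomain.` The `self` scoping applies here as well: only sockets `untrusted_app` created itself are covered, which is worth noting in the comment if that is intended.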