diff --git a/domain.te b/domain.te
index 45569de4cb40901bc52014f01254e6d763a1a5bb..023eac303feef62816f10641d9e737b8c4c4c331 100644
--- a/domain.te
+++ b/domain.te
@@ -243,7 +243,7 @@ neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr };
 # Only init should be able to configure kernel usermodehelpers or
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };
-neverallow { domain -init } proc_security:file { append write };
+neverallow { domain -init } proc_security:file { append open read write };
 
 # No domain should be allowed to ptrace init.
 neverallow * init:process ptrace;
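Review bot: The comment above the changed rule no longer describes it: it says only init may "configure" security-sensitive proc settings, but the new line also forbids `open read` on proc_security:file for every domain but init, so reading e.g. randomize_va_space or mmap_min_addr is now a neverallow violation as well. The usermodehelper rule on the preceding line keeps only `append write`, so the two rules now have different scope under one comment. Suggest `# Only init should be able to configure kernel usermodehelpers, or to read or configure security-sensitive proc settings.` so the asymmetry is visible. It would also help to state in the commit description whether any existing domain allow rule on proc_security:file had to be dropped to satisfy the widened neverallow; that cannot be seen from this hunk.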
diff --git a/genfs_contexts b/genfs_contexts
index 31794a1e834096abc55a76c71a647ba187a826e3..965d3f05e8f03b0e60d4f5915406c1a97b406619 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -22,6 +22,8 @@ genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
 genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
 genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
 genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
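Review bot: The two added entries carry no hint of why these files are proc_security rather than plain proc, and the surrounding block does not say either. Since randomize_va_space in the hunk header and mmap_min_addr on the line above are already labelled proc_security, a short comment would tie the new ASLR-related knobs to that existing grouping, e.g. `# ASLR / mmap-randomization tunables: same label as randomize_va_space and mmap_min_addr`. Note that, together with the domain.te change in this commit, the proc_security label presumably denies reading these files to every domain but init, so any domain that inspects the randomization bits would need an explicit exception — worth confirming against existing allow rules.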