diff --git a/dhcp.te b/dhcp.te
index 5856a260fdfea72631a8b854a4c52f454ad6ca63..e7103608f112ce6b198173255c2318978d2f9ba9 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -13,7 +13,8 @@ allow dhcp self:packet_socket create_socket_perms;
 allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
 allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
-allow dhcp proc:file write;
+# For /proc/sys/net/ipv4/conf/*/promote_secondaries
+allow dhcp proc_net:file write;
 allow dhcp system_prop:property_service set ;
 allow dhcp dhcp_system_file:file rx_file_perms;
 allow dhcp dhcp_system_file:dir r_dir_perms;
diff --git a/domain.te b/domain.te
index 4aa9c10e6af118035676c1e43e12f2f1963ed94a..a498980486a015a1c2fd39cfe604817b70656c16 100644
--- a/domain.te
+++ b/domain.te
@@ -106,6 +106,7 @@ r_dir_file(domain, sysfs)
 r_dir_file(domain, sysfs_devices_system_cpu)
 r_dir_file(domain, inotify)
 r_dir_file(domain, cgroup)
+r_dir_file(domain, proc_net)
 
 # debugfs access
 allow domain debugfs:dir r_dir_perms;
diff --git a/file.te b/file.te
index 3ca9fd7b22963707735ca64b7b6745a5ea067f99..e255ae9495644b8582b64e08964aa39a12cdb282 100644
--- a/file.te
+++ b/file.te
@@ -10,6 +10,7 @@ type proc_security, fs_type;
 type usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
+type proc_net, fs_type;
 type selinuxfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, mlstrustedobject;
diff --git a/genfs_contexts b/genfs_contexts
index 8560e38d348a430a8fe2216b6e51a7e4ff1278a8..99d4400eeaf92dfdf31ab049fb949b2d1aab10f4 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -15,6 +15,7 @@ genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
 genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
diff --git a/netd.te b/netd.te
index 72784da8b0ca5145af1f3f0ebafb2e3671395228..f8c9ffbbc7311e22e3df26669fba1444154eec53 100644
--- a/netd.te
+++ b/netd.te
@@ -16,8 +16,7 @@ allow netd system_file:file x_file_perms;
 allow netd devpts:chr_file rw_file_perms;
 
 # For /proc/sys/net/ipv[46]/route/flush.
-# XXX Split /proc/sys/net into its own type.
-allow netd proc:file write;
+allow netd proc_net:file write;
 
 # For /sys/modules/bcmdhd/parameters/firmware_path
 # XXX Split into its own type.