diff --git a/file.te b/file.te
index 623bb8df3ad53075942777a25458b931b2e222ba..d3b09796ed407d3c5b84a7e2341386bd2e7284aa 100644
--- a/file.te
+++ b/file.te
@@ -21,6 +21,7 @@ type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wake_lock, fs_type, sysfs_type;
+type sysfs_mac_address, fs_type, sysfs_type;
 # /sys/devices/system/cpu
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
 # /sys/module/lowmemorykiller
diff --git a/system_server.te b/system_server.te
index 2a166421030a7c299d47d79887cdf7738b05cedc..0c4df43b794c10ac1c4d0d6cd11e32436a071393 100644
--- a/system_server.te
+++ b/system_server.te
@@ -417,6 +417,9 @@ allow system_server sdcard_type:dir { getattr search };
 # Traverse into expanded storage
 allow system_server mnt_expand_file:dir r_dir_perms;
 
+# Allow system process to read network MAC address
+allow system_server sysfs_mac_address:file r_file_perms;
+
 ###
 ### Neverallow rules
 ###
diff --git a/untrusted_app.te b/untrusted_app.te
index 72d0a1bbf4b7acbfe7d77ee9595633e6019b33d0..bcadc5209c195ba291d81d04b80e254776581d81 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -142,3 +142,6 @@ neverallow untrusted_app mlstrustedsubject:process fork;
 # bugs, so we want to ensure untrusted_app never has this
 # capability.
 neverallow untrusted_app file_type:file link;
+
+# Do not allow untrusted_app to access network MAC address file
+neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
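Review bot: The new `sysfs_mac_address` declaration in file.te carries no path comment, and no labelling entry for it appears anywhere in this diff, so a reader cannot tell which sysfs node is meant to receive the type. If no file_contexts or genfs_contexts entry (possibly in device-specific policy) assigns the label, the `allow` added in system_server.te grants nothing on a device and the `neverallow` in untrusted_app.te protects no file. I would add a comment above the declaration in the style of its neighbours, `# <sysfs path of the MAC address node>`, and confirm that the labelling change lands together with this one.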
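Review bot: The `neverallow` appended to untrusted_app.te constrains only `untrusted_app`, while `sysfs_mac_address` is declared with the `sysfs_type` attribute, so any other domain holding an attribute-wide rule on `sysfs_type:file` would still be able to read the address. If the intent is that only privileged system code sees this hardware identifier, the assertion is stronger when written against a set with explicit exceptions, for example `neverallow { appdomain -<domains that must read it> } sysfs_mac_address:file no_rw_file_perms;`. Whether other app domains currently have such access cannot be determined from this hunk, so the wider rule may surface existing grants that need review at build time.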