diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index dd0daeb8821aa90f34f86f55b9d8aa0eca4b17ec..280649e0a11b9008a4277b4394c9b8d98f10aa86 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -108,7 +108,15 @@ neverallow all_untrusted_apps anr_data_file:dir ~search;
 
 # Avoid reads from generically labeled /proc files
 # Create a more specific label if needed
-neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
+neverallow all_untrusted_apps {
+  proc
+  proc_asound_cards
+  proc_kmsg
+  proc_loadavg
+  proc_pagetypeinfo
+  proc_version
+  proc_vmallocinfo
+}:file { no_rw_file_perms no_x_file_perms };
 
 # Avoid all access to kernel configuration
 neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index c847a2f39a9ce0244fd06690e5da506fe01e875f..5571357179eb29a324e691a2616027b91cd77d36 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -447,7 +447,7 @@
 (typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
 (typeattributeset print_service_26_0 (print_service))
 (typeattributeset priv_app_26_0 (mediaprovider priv_app))
-(typeattributeset proc_26_0 (proc proc_uid_time_in_state proc_kmsg))
+(typeattributeset proc_26_0 (proc proc_asound_cards proc_kmsg proc_loadavg proc_pagetypeinfo proc_uid_time_in_state proc_version proc_vmallocinfo))
 (typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
 (typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
 (typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
diff --git a/private/genfs_contexts b/private/genfs_contexts
index e0375d158d86857e7a5366555a1da7d1eb341c0f..01c63698f5a46f2811edf2554e368f42785f6999 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -2,16 +2,19 @@
 genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
+genfscon proc /asound/cards u:object_r:proc_asound_cards:s0
 genfscon proc /config.gz u:object_r:config_gz:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0
 genfscon proc /iomem u:object_r:proc_iomem:s0
 genfscon proc /kmsg u:object_r:proc_kmsg:s0
+genfscon proc /loadavg u:object_r:proc_loadavg:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
 genfscon proc /misc u:object_r:proc_misc:s0
 genfscon proc /modules u:object_r:proc_modules:s0
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
+genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
 genfscon proc /softirqs u:object_r:proc_timer:s0
 genfscon proc /stat u:object_r:proc_stat:s0
 genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
@@ -42,6 +45,8 @@ genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeui
 genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
 genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
 genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
+genfscon proc /version u:object_r:proc_version:s0
+genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
 genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 
 # selinuxfs booleans can be individually labeled.
diff --git a/private/system_server.te b/private/system_server.te
index e49385740bab420cd76b4d1a0cba417bce8daa3c..0376e15dc704b6bf01d2b37f6e8598bea1213242 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -674,9 +674,13 @@ allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdi
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
 
-r_dir_file(system_server, proc)
+r_dir_file(system_server, proc_asound_cards)
+r_dir_file(system_server, proc_loadavg)
 r_dir_file(system_server, proc_meminfo)
 r_dir_file(system_server, proc_net)
+r_dir_file(system_server, proc_pagetypeinfo)
+r_dir_file(system_server, proc_version)
+r_dir_file(system_server, proc_vmallocinfo)
 r_dir_file(system_server, rootfs)
 r_dir_file(system_server, sysfs_type)
 
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3abf7500054faa1d4bae13b90875ba7f2df9511c..d0204a50b4458c1a2048ec81703c220104e4ead1 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -153,6 +153,9 @@ read_runtime_log_tags(dumpstate)
 # Read files in /proc
 allow dumpstate proc_meminfo:file r_file_perms;
 allow dumpstate proc_net:file r_file_perms;
+allow dumpstate proc_pagetypeinfo:file r_file_perms;
+allow dumpstate proc_version:file r_file_perms;
+allow dumpstate proc_vmallocinfo:file r_file_perms;
 r_dir_file(dumpstate, proc)
 
 # Read network state info files.
diff --git a/public/file.te b/public/file.te
index f3d3dfda6c2ff6457fc2c8e6af0943ff9bc73db1..20e534a9eee07a22b4fa5e6870f7f6c86d13308c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -13,14 +13,17 @@ type usermodehelper, fs_type;
 type sysfs_usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
+type proc_asound_cards, fs_type;
 type proc_cpuinfo, fs_type;
 type proc_interrupts, fs_type;
 type proc_iomem, fs_type;
 type proc_kmsg, fs_type;
+type proc_loadavg, fs_type;
 type proc_meminfo, fs_type;
 type proc_misc, fs_type;
 type proc_modules, fs_type;
 type proc_net, fs_type;
+type proc_pagetypeinfo, fs_type;
 type proc_perf, fs_type;
 type proc_stat, fs_type;
 type proc_sysrq, fs_type;
@@ -31,6 +34,8 @@ type proc_uid_cputime_removeuid, fs_type;
 type proc_uid_io_stats, fs_type;
 type proc_uid_procstat_set, fs_type;
 type proc_uid_time_in_state, fs_type;
+type proc_version, fs_type;
+type proc_vmallocinfo, fs_type;
 type proc_zoneinfo, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 33330bf6bdf859c7fa2c5539f39924f9aa346b5d..be7e23550abac0a1eb68fcbdf83d9427d8958f7d 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -14,6 +14,7 @@ userdebug_or_eng(`
 ')
 
 r_dir_file(hal_audio, proc)
+r_dir_file(hal_audio, proc_asound_cards)
 allow hal_audio audio_device:dir r_dir_perms;
 allow hal_audio audio_device:chr_file rw_file_perms;
 
diff --git a/public/init.te b/public/init.te
index 9c2bea74e00601e8e3dc9c3873616e02eacfdc0e..51b07e27ac4430703a47880f15f2677ffa58d626 100644
--- a/public/init.te
+++ b/public/init.te
@@ -271,6 +271,9 @@ allow init proc_sysrq:file w_file_perms;
 # Read /proc/stat for bootchart.
 allow init proc_stat:file r_file_perms;
 
+# Read /proc/version.
+allow init proc_version:file r_file_perms;
+
 # Reboot.
 allow init self:capability sys_boot;