diff --git a/domain.te b/domain.te
index adc7b2983878b6d9a733a343f5d83b8a65ac2909..d905a61b96446576dc630057671ddd066797de2b 100644
--- a/domain.te
+++ b/domain.te
@@ -28,6 +28,7 @@ r_dir_file(domain, self)
 allow domain self:{ fifo_file file } rw_file_perms;
 allow domain self:unix_dgram_socket { create_socket_perms sendto };
 allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } ioctl unpriv_unix_sock_ioctls;
 
 # Inherit or receive open files from others.
 allow domain init:fd use;
diff --git a/ioctl_macros b/ioctl_macros
index 12326f8230efd7471f1f408ab8b54ef2ba39adc2..2b5db3175e0a7b586e5c3c536d1b9a6fcfbb1857 100644
--- a/ioctl_macros
+++ b/ioctl_macros
@@ -40,5 +40,8 @@ SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA SIOCIWFIRSTPRIV-SIOCIWLASTPRIV }')
+# commonly used ioctls on unix sockets
+define(`unpriv_unix_sock_ioctls', `{TIOCOUTQ FIOCLEX TCGETS TIOCSWINSZ FIONREAD }')
+
 # commonly used TTY ioctls
 define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
diff --git a/isolated_app.te b/isolated_app.te
index 05c4ac50ae4c7df1f1f61362512c7cd695d1d6f2..978982aa5efab29f61ae513dbb93d69cd7599aa4 100644
--- a/isolated_app.te
+++ b/isolated_app.te
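Review bot: The new allowxperm rule in domain.te has no comment saying that it is a default-deny, not a grant: once an xperm rule exists for this source/target/class, every unix-socket ioctl outside unpriv_unix_sock_ioctls is refused for all domains, system daemons included, until a domain adds its own allowxperm for the extra commands. The target is `domain` rather than the `self` used by the two allow lines above it, which looks intended so that socket fds created in one domain and inherited by another are covered as well, but that reasoning is not on the page. A comment above the rule such as `# Default-deny: every domain may only issue these ioctls on unix sockets it owns or inherits; extend per domain with allowxperm, never by widening this list` would stop the next reader from treating it as a permissive rule.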
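Review bot: unpriv_unix_sock_ioctls in the ioctl_macros hunk omits FIONBIO and FIONCLEX, the ordinary companions of the FIONREAD and FIOCLEX it does list; with the default-deny this macro now backs, any native code that sets non-blocking mode through ioctl instead of fcntl, or clears close-on-exec, will be refused unless its domain adds a private allowxperm, so either add them here or note that they are excluded on purpose. TCGETS and TIOCSWINSZ are terminal ioctls that an AF_UNIX socket answers with ENOTTY, so their presence in a socket list needs a why-comment, presumably `# TCGETS/TIOCSWINSZ: issued by isatty()-style probing of stdio fds that happen to be sockets` — confirm against the denials that motivated them. The set is also written `{TIOCOUTQ` while the neighbouring unpriv_tty_ioctls uses `{ TIOCOUTQ`; match the spacing.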
@@ -63,6 +63,16 @@ neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
 neverallow isolated_app cache_file:dir ~{ r_dir_perms };
 neverallow isolated_app cache_file:file ~{ read getattr };
-# do not allow privileged socket ioctl commands
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
 neverallowxperm isolated_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-
+neverallow isolated_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow isolated_app *:{
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket
+} *;
 
diff --git a/net.te b/net.te
index 6aa12f23a5a5695906a3bb15c504e9f67874f74b..4616eb170d941cf490f8a69585b26882741e107a 100644
--- a/net.te
+++ b/net.te
@@ -13,7 +13,7 @@ allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
 allow netdomain port_type:udp_socket name_bind;
 allow netdomain port_type:tcp_socket name_bind;
 # See changes to the routing table.
-allow netdomain self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
 
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)
diff --git a/te_macros b/te_macros
index 84af301eb022db894fcbf41dd2cc5163690d13ba..d2fdfd3e7a892c035a2784ad71281634ad083240 100644
--- a/te_macros
+++ b/te_macros
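Review bot: The neverallow rules in the isolated_app.te hunk pin options 2 and 3 of the new comment for every socket class except unix_dgram_socket and unix_stream_socket, which are exactly the classes that remain ioctl-capable; nothing here prevents a later per-domain allowxperm from widening the unix-socket ioctl set for isolated_app without tripping a neverallow at build time. If checkpolicy accepts the complement form in xperm sets, `neverallowxperm isolated_app *:{ unix_dgram_socket unix_stream_socket } ioctl ~unpriv_unix_sock_ioctls;` closes that gap and states option 1 for unix sockets the way the rawip/tcp/udp line does for IP sockets. Failing that, a one-line comment saying the unix socket classes are intentionally absent because domain.te already bounds them would at least make the omission visibly deliberate.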
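Review bot: The replacement permission list on the netlink_route_socket rule in net.te appears to be create_socket_perms spelled out with ioctl removed, but nothing says so, and a hand-copied list will silently drift if rw_socket_perms in global_macros ever changes. Add `# create_socket_perms minus ioctl: netdomain only reads routing updates and must not get netlink ioctl` above the rule, or better, define a `create_socket_perms_no_ioctl` macro beside create_socket_perms and use it here so the carve-out has one definition. global_macros is not on this page, so verify the expansion matches before relying on the macro name.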
@@ -221,7 +221,7 @@ allow $1 self:capability2 block_suspend;
 define(`selinux_check_access', `
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security compute_av;
-allow $1 self:netlink_selinux_socket *;
+allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
 ')
 
 #####################################
diff --git a/untrusted_app.te b/untrusted_app.te
index 22b18aba13bbe0096b26eabbf6486ea840fc1d7c..26b6d0ca12952da903f67de5a9097e87ab47517c 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -149,8 +149,19 @@ neverallow untrusted_app file_type:file link;
 # Do not allow untrusted_app to access network MAC address file
 neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
 
-# do not allow privileged socket ioctl commands
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
 neverallowxperm untrusted_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow untrusted_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow untrusted_app *:{
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket
+} *;
 
 # Do not allow untrusted_app access to /cache
 neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
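Review bot: The expansion of `*` in selinux_check_access keeps relabelfrom, relabelto, listen, accept and name_bind on the netlink_selinux_socket, permissions that a NETLINK_SELINUX notification socket (presumably what libselinux's AVC opens here) has no apparent use for; the wildcard was already over-broad, and re-enumerating it minus ioctl carries that over into every domain that uses the macro. Trim it to what the socket actually does, on the order of `allow $1 self:netlink_selinux_socket { create bind read write getattr setattr getopt setopt lock append shutdown };`, and widen only from observed denials. If the full list is kept for now, at least add `# all netlink_selinux_socket perms except ioctl` above it so the intent of the long line is visible. The define starts inside the hunk but the enclosing te_macros file continues outside it.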
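Review bot: The socket-class list and the two neverallow lines above it in the untrusted_app.te hunk are now duplicated byte for byte in isolated_app.te, so the next socket class added to the policy, or the next ioctl carve-out, has to be remembered in two files and will drift the first time one is updated without the other. Factor the class list into a te_macros define, or put the three rules on an attribute that both untrusted_app and isolated_app carry, so the restriction is stated once. The unix socket classes are also left out of the list without comment even though they are the classes domain.te keeps ioctl-capable; `# unix_dgram_socket/unix_stream_socket ioctls are bounded by unpriv_unix_sock_ioctls in domain.te` would make that omission obviously deliberate.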