diff --git a/domain.te b/domain.te
index cf8907607a728986191e7f5d77814cbc9e0ff295..4297badcbf16e5416dc4ece9e5b2e1ce290c62d5 100644
--- a/domain.te
+++ b/domain.te
@@ -142,3 +142,8 @@ neverallow domain { file_type -exec_type }:file entrypoint;
 # Ensure that nothing in userspace can access /dev/mem or /dev/kmem
 neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
 neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
+
+# Only init should be able to configure kernel usermodehelpers or
+# security-sensitive proc settings.
+neverallow { domain -init } usermodehelper:file { append write };
+neverallow { domain -init } proc_security:file { append write };
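Review bot: The two new neverallow rules cover only `append write` on class `file`, so a later rule that grants `relabelfrom` on `usermodehelper` or `proc_security` would still compile. That matters mainly for `/sys/kernel/uevent_helper`, whose label comes from file_contexts and can be changed at runtime, after which write access is judged against the new type. Consider adding `neverallow { domain -init } { usermodehelper proc_security }:file relabelfrom;` next to them. I have not built this against the full policy, so check that no existing domain trips it.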
diff --git a/file.te b/file.te
index 9bd88c70ae7d3d9d4191011039687a09dec6979c..39d139c4026075acc256e6b4ad08569802f4361b 100644
--- a/file.te
+++ b/file.te
@@ -4,6 +4,10 @@ type pipefs, fs_type;
 type sockfs, fs_type;
 type rootfs, fs_type;
 type proc, fs_type;
+# Security-sensitive proc nodes that should not be writable to most.
+type proc_security, fs_type;
+# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
+type usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
 type selinuxfs, fs_type;
diff --git a/file_contexts b/file_contexts
index 7f0486d3653c167b2c1111d4da96dd1493dc74a8..2907183e2b2f1dfb42ba93b7c784d24949035d70 100644
--- a/file_contexts
+++ b/file_contexts
@@ -206,6 +206,7 @@
 /sys/devices/system/cpu(/.*)?    u:object_r:sysfs_devices_system_cpu:s0
 /sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
 /sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
+/sys/kernel/uevent_helper --	u:object_r:usermodehelper:s0
 #############################
 # asec containers
 /mnt/asec(/.*)?         u:object_r:asec_apk_file:s0
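Review bot: The `/sys/kernel/uevent_helper` entry takes effect only once something relabels that sysfs node from file_contexts, for example a restorecon over /sys; unlike the proc nodes in genfs_contexts, it is not labelled by the kernel when the node is created. Nothing in this diff shows that step, so until it runs the node presumably keeps the generic sysfs type and the new `usermodehelper` rules do not apply to it. A comment above the entry such as `# Takes effect only after /sys is relabelled at boot.` would make the dependency explicit. It is also worth confirming that the relabel happens before any non-init domain starts.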
diff --git a/genfs_contexts b/genfs_contexts
index 2607b9dabf9e1a9cedb8ba9ea8688297d2a9d627..2aed2bc1c90664d21e21f7ccc60d8bb7b05585e4 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -3,6 +3,18 @@ genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
+genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
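Review bot: The `proc_security` entries are an explicit list, so any sensitive sysctl not named here keeps the generic `proc` label and falls outside the new neverallow. `/proc/sys/vm/mmap_min_addr` looks like it belongs with `randomize_va_space` and `kptr_restrict`, e.g. `genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0`. Separately, matching is by longest prefix (per the comment at the top of the hunk), and `/sys/kernel/usermodehelper` is a directory on kernels that provide it, so the label covers its children while the rules in domain.te and init.te are written for class `file` only. If that is intended, a comment such as `# usermodehelper is a directory; the label covers its children.` would save the next reader a lookup.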
diff --git a/init.te b/init.te
index 93098e1757ff539b82beaf4f1a0e461e7c4e7bb4..b2d99fbcef58d0b6c0cba8fd19e71dadb239f88f 100644
--- a/init.te
+++ b/init.te
@@ -9,3 +9,5 @@ allow init unlabeled:filesystem mount;
 
 allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
 allow init kernel:security { load_policy setenforce };
+allow init usermodehelper:file rw_file_perms;
+allow init proc_security:file rw_file_perms;
diff --git a/unconfined.te b/unconfined.te
index f6899c27a0a039758c8819d7526eb6bb69090edf..d6c8598b0c7a517798272f5f1467bcc0c9dea541 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -30,7 +30,9 @@ allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
 allow unconfineddomain fs_type:filesystem *;
 allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain {fs_type dev_type file_type -kmem_device}:{ chr_file file } ~{entrypoint relabelto};
+allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint relabelto};
+allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint relabelto};
+allow unconfineddomain file_type:{ chr_file file } ~{entrypoint relabelto};
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 allow unconfineddomain netif_type:netif *;
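Review bot: On the first replacement line, `-usermodehelper -proc_security` removes every permission on those types from unconfined domains, including `read` and `getattr`, while the neverallow in domain.te forbids only `append write`. Any unconfined domain other than init that reads one of these nodes (for instance `randomize_va_space` or `core_pattern`) would start getting denials; whether one does is not visible from this diff. If read access is meant to stay, add `allow unconfineddomain { usermodehelper proc_security }:file r_file_perms;` after the three rules. If the loss of read access is deliberate, a short comment saying so would keep someone from "fixing" it later by putting the types back into the broad rule.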