diff --git a/untrusted_app.te b/untrusted_app.te
index 35b32487e11a285684edff81459bd8bf6ea494e8..720e8f27b4ba304493b7c78df196e638564b49aa 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -76,3 +76,9 @@ neverallow untrusted_app debugfs:file read;
 # Only trusted components of Android should be registering
 # services.
 neverallow untrusted_app service_manager_type:service_manager add;
+
+# Don't allow untrusted_apps to connect to the property service
+# or set properties. b/10243159
+neverallow untrusted_app property_socket:sock_file write;
+neverallow untrusted_app init:unix_stream_socket connectto;
+neverallow untrusted_app property_type:property_service set;