diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index cf582789fa52cc7a846f634fd37e6f32a1f55484..5c4aa4093dc8a1810d61afd62866f4c5adca302e 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -70,7 +70,7 @@ neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
 # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
 # ioctl permission, or 3. disallow the socket class.
-neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
 neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
 neverallow all_untrusted_apps *:{
 socket netlink_socket packet_socket key_socket appletalk_socket
@@ -79,7 +79,11 @@ neverallow all_untrusted_apps *:{
 netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
- netlink_rdma_socket netlink_crypto_socket
+ netlink_rdma_socket netlink_crypto_socket sctp_socket
+ ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+ atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
 } *;
 # Do not allow untrusted apps access to /cache
diff --git a/private/net.te b/private/net.te
index f16daf94cf468a1b23c0e58f55dec3ad90b7d667..2e6ced37747b96e1c3e370d4e8899457a08e9c51 100644
--- a/private/net.te
+++ b/private/net.te
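Review bot: The comment above the changed neverallowxperm line ("Either 1. disallow privileged ioctls, 2. disallow the ioctl permission, or 3. disallow the socket class") now sits over three hand-maintained lists, and nothing tells a future maintainer that a newly declared socket class has to land in at least one of them; I would extend it with `# Every socket class declared in security_classes must appear in at least one of the three lists below.` As far as I recall, the icmp_socket class is only used by the kernel when the policy enables the extended_socket_class capability; without it, ICMP datagram sockets are checked as rawip_socket, so the existing rawip_socket entry is what covers that configuration and it is worth confirming which configurations this policy is built for. The `neverallow all_untrusted_apps *:{` list that begins at the end of this hunk continues outside it.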
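Review bot: `sctp_socket` is appended to the end of the existing netlink_rdma_socket/netlink_crypto_socket line while every other new non-netlink class starts on the following lines, and the new entries follow no recognizable order, which makes checking this list for completeness against the declared socket classes harder than it needs to be. I would move `sctp_socket` onto the first fully new line with the other non-netlink families and keep one grouping (alphabetical, or by address family) across the four added lines. The enclosing `neverallow all_untrusted_apps *:{` statement opens outside this hunk; only its closing `} *;` is visible here.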
@@ -4,7 +4,8 @@
 # Use network sockets.
 allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
+
 # Connect to ports.
 allow netdomain port_type:tcp_socket name_connect;
 # Bind to ports.
diff --git a/public/domain.te b/public/domain.te
index 9dc3c184d22bf76bc8de49022ca37377e783a9f8..3d35fabf0f760d35acc98293956a42cc9dd6ff4e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -262,7 +262,7 @@ allow domain fs_type:dir getattr;
 # defaults for all processes. Note that granting this whitelist to domain does
 # not grant the ioctl permission on these socket types. That must be granted
 # separately.
-allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
+allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
 ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 # default whitelist for unix sockets.
 allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
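Review bot: The new `{ icmp_socket udp_socket rawip_socket }` set is written in a different order from the `{ icmp_socket rawip_socket tcp_socket udp_socket }` sets this commit adds in public/domain.te and private/app_neverallows.te, which makes comparing the three lists by eye harder; `allow netdomain self:{ icmp_socket rawip_socket udp_socket } create_socket_perms;` would line them up. The `# Use network sockets.` comment could also say that the ioctl permission granted here through create_socket_perms (which includes ioctl via rw_socket_perms) is scoped by the xperm rules in public/domain.te and private/app_neverallows.te, so whoever adds a socket class here knows the other two lists need the same entry. The added blank line after the rule is fine; it separates socket creation from the connect/bind rules that follow.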
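Review bot: The socket-class set in this allowxperm rule now has to be kept in lockstep with the priv_sock_ioctls neverallowxperm in private/app_neverallows.te and the create_socket_perms grant in private/net.te, but the comment above it only explains what the whitelist does, not where its siblings live; I would append `# Keep this class list in sync with the neverallowxperm in private/app_neverallows.te.` after the `# separately.` line. Whether unpriv_sock_ioctls is the right default set for icmp_socket cannot be judged from this hunk because the macro is defined elsewhere; it is the same set already applied to rawip_socket, so it is presumably intended. The rule continues onto the `ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };` context line visible in the hunk.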