diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 7638d368fd332ab968653d072866569b7c3dcd16..53638f7df2aec1934a5a5044ab199398af09a159 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -57,6 +57,9 @@ neverallow all_untrusted_apps file_type:file link;
 # Do not allow untrusted apps to access network MAC address file
 neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
 
+# Do not allow any write access to files in /sys
+neverallow all_untrusted_apps sysfs_type:file no_w_file_perms;
+
 # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
 # ioctl permission, or 3. disallow the socket class.
 neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
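Review bot: The comment on the added rule promises more than the rule enforces: it says "any write access to files in /sys", but the `neverallow` below it only constrains class `file` on types that carry the `sysfs_type` attribute. A /sys node whose type lacks that attribute, or an object of another class (directory, symlink), is outside this assertion. Whether every /sys label in a given build carries `sysfs_type` is not visible in this hunk. I would word the comment to match the rule, e.g. `# Do not allow untrusted apps write access to files of any sysfs_type type`, which also names the subject the way the neighbouring comments do.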