diff --git a/private/bpfloader.te b/private/bpfloader.te
index f8da1eba3433267f745bb2a2b22f43535ed12868..d9b29ce8a6eeb0dbf7953f33a66b15470ae5a52c 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -8,23 +8,23 @@ allow bpfloader fs_bpf:dir create_dir_perms;
allow bpfloader fs_bpf:file create_file_perms;
allow bpfloader devpts:chr_file { read write };
-allow bpfloader netd:fd use;
-
# Allow bpfloader to create bpf maps and programs. The map_read and map_write permission is needed
# for retrieving a pinned map when bpfloader do a run time restart.
allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
-dontaudit bpfloader self:global_capability_class_set sys_admin;
+allow bpfloader self:global_capability_class_set sys_admin;
###
### Neverallow rules
###
neverallow { domain -bpfloader } *:bpf prog_load;
neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
-neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
+neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps
neverallow { domain -system_server -netd -bpfloader} *:bpf { map_read map_write };
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
+
+set_prop(bpfloader, bpf_progs_loaded_prop)
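Review bot: The change from `dontaudit` to `allow` on `self:global_capability_class_set sys_admin` at line 14 grants bpfloader a very broad capability and the hunk carries no comment saying why; presumably the bpf(2) syscall on the kernels this tree supports requires CAP_SYS_ADMIN for prog_load/map_create, but that reasoning should be recorded next to the rule, e.g. `# bpf(2) requires CAP_SYS_ADMIN to load programs and create maps on the supported kernels.` The new `set_prop(bpfloader, bpf_progs_loaded_prop)` is appended after the `### Neverallow rules` section even though the file keeps its allow rules above that header; placing it next to `allow bpfloader self:bpf { ... }` with a short comment such as `# bpfloader sets bpf.progs_loaded once its programs and maps are in place` keeps the neverallow section last as elsewhere in the policy. The exec neverallow at line 21 now excludes init instead of netd, which is consistent with the domain_auto_trans moving from netd.te to init.te in this commit.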
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 569ea1eefbded91024ad53563fabfeb741bce648..57e6876c46d91c91d4b6af7617c32ed1c3aec05d 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -18,6 +18,7 @@
apexd_prop
apexd_tmpfs
biometric_service
+ bpf_progs_loaded_prop
content_capture_service
content_suggestions_service
cpu_variant_prop
diff --git a/private/init.te b/private/init.te
index b8b0066d049cc1cf1f21dd7f5ac435d6785acb41..5b1ebc8c33538e0124a2798d1f8bb7ed4b5a97df 100644
--- a/private/init.te
+++ b/private/init.te
@@ -7,6 +7,8 @@ domain_trans(init, rootfs, charger)
domain_trans(init, rootfs, healthd)
domain_trans(init, rootfs, slideshow)
domain_auto_trans(init, e2fs_exec, e2fs)
+domain_auto_trans(init, bpfloader_exec, bpfloader)
+
recovery_only(`
domain_trans(init, rootfs, adbd)
domain_trans(init, rootfs, fastbootd)
diff --git a/private/netd.te b/private/netd.te
index 711d569a0788cced016f786bd741898347814dd0..65c74ceb86702ef7e48c1caa6640e2b437da1571 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -8,9 +8,8 @@ domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
# Allow netd to start clatd in its own domain
domain_auto_trans(netd, clatd_exec, clatd)
-# Allow netd to start bpfloader_exec in its own domain
-domain_auto_trans(netd, bpfloader_exec, bpfloader)
-
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
# the map created by bpfloader
allow netd bpfloader:bpf { prog_run map_read map_write };
+
+get_prop(netd, bpf_progs_loaded_prop)
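Review bot: `get_prop(netd, bpf_progs_loaded_prop)` at the end of the hunk is the only rule in this stretch without an explanatory comment, and the comment that previously introduced the removed netd→bpfloader transition is gone with it, so a reader no longer sees why netd and bpfloader are related here. A one-line comment above the new rule would restore that, e.g. `# Allow netd to read bpf.progs_loaded, which bpfloader sets after loading its programs` — that netd reads the property to learn when bpfloader has finished is inferred from the set_prop/get_prop pairing in this commit and should be confirmed against the netd code.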
diff --git a/private/property_contexts b/private/property_contexts
index 66c98bcf097fff54eb45cb197c1c2e4e15f7b1e1..06c28220d3a4dd3cf79adbcab44f96f6fa4d2d50 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -173,3 +173,5 @@ persist.device_config.global_settings.native_flags_health_check_enabled u:object
apexd. u:object_r:apexd_prop:s0
persist.apexd. u:object_r:apexd_prop:s0
+
+bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0
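Review bot: The new entry `bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0` at line 77 has no `exact` qualifier, so as far as the property_contexts format is concerned it is a prefix match and would also label any future property whose name begins with `bpf.progs_loaded`; the neighbouring `apexd.` and `persist.apexd.` entries use a trailing dot to make their prefix intent explicit. If only the single property is meant, mark it `exact` (if the property parser in this tree supports the keyword), or otherwise add a comment stating that the prefix is deliberate.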
diff --git a/public/property.te b/public/property.te
index 6ee568c84b30ceb8124204f24b14fda47c9e1c98..5a22340cd7617ade3526ad8ce5dc18dcafd17312 100644
--- a/public/property.te
+++ b/public/property.te
@@ -3,6 +3,7 @@ type audio_prop, property_type, core_property_type;
type boottime_prop, property_type;
type bluetooth_a2dp_offload_prop, property_type;
type bluetooth_prop, property_type;
+type bpf_progs_loaded_prop, property_type;
type bootloader_boot_reason_prop, property_type;
type config_prop, property_type, core_property_type;
type cppreopt_prop, property_type, core_property_type;
@@ -342,6 +343,7 @@ compatible_property_only(`
-bluetooth_prop
-bootloader_boot_reason_prop
-boottime_prop
+ -bpf_progs_loaded_prop
-config_prop
-cppreopt_prop
-ctl_adbd_prop