diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 32ffc928bd462ea788bc1d10d25067d07c15cfc2..8f4db87ab2d14707aa73c2d197f4675241ec38f9 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -498,6 +498,7 @@
 (typeattributeset proc_modules_26_0 (proc_modules))
 (typeattributeset proc_net_26_0
   ( proc_net
+    proc_net_vpn
     proc_qtaguid_stat))
 (typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
 (typeattributeset proc_perf_26_0 (proc_perf))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index f6b45836fb05b55069ddc6a063d5423df417c07e..a329389cd9202e144d19925d86795cd7c5264838 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1213,6 +1213,7 @@
 (typeattributeset proc_modules_27_0 (proc_modules))
 (typeattributeset proc_net_27_0
   ( proc_net
+    proc_net_vpn
     proc_qtaguid_stat))
 (typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory))
 (typeattributeset proc_perf_27_0 (proc_perf))
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 053b25442e9ab8ec2dba7a1b3bc9506aa8fd0654..eca489c28fb71e7f316552fd84354c90419671f0 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -17,6 +17,8 @@ genfscon proc /misc u:object_r:proc_misc:s0
 genfscon proc /modules u:object_r:proc_modules:s0
 genfscon proc /mounts u:object_r:proc_mounts:s0
 genfscon proc /net u:object_r:proc_net:s0
+genfscon proc /net/tcp u:object_r:proc_net_vpn:s0
+genfscon proc /net/udp u:object_r:proc_net_vpn:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
 genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
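Review bot: The two added `/net/tcp` and `/net/udp` entries carry no comment, and genfscon paths are matched by prefix, so they should also label `/proc/net/tcp6`, `/proc/net/udp6` and the `udplite` files, which a reader will not guess from the lines themselves. I would add a comment above them such as `# Prefix match: also labels /proc/net/{tcp6,udp6,udplite,udplite6}; read by VPN apps.` It is worth confirming on a device with `ls -Z /proc/net` that the IPv6 files received the new label.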
diff --git a/private/mdnsd.te b/private/mdnsd.te
index 96259e2986258cd4381fbc117d06e6e91aa99c5f..943f9794cf451c3e7317c5c3c15e3ff54b20c985 100644
--- a/private/mdnsd.te
+++ b/private/mdnsd.te
@@ -9,4 +9,4 @@ init_daemon_domain(mdnsd)
 net_domain(mdnsd)
 
 # Read from /proc/net
-r_dir_file(mdnsd, proc_net)
+r_dir_file(mdnsd, proc_net_type)
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index ea58814e1a353444ca8311c01feae94260f1abc5..fc01999c95cd9c668477785946d2d8dd43c86679 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -6,7 +6,7 @@ r_dir_file(netutils_wrapper, system_file);
 allow netutils_wrapper self:global_capability_class_set net_raw;
 
 allow netutils_wrapper system_file:file { execute execute_no_trans };
-allow netutils_wrapper proc_net:file { open read getattr };
+allow netutils_wrapper proc_net_type:file { open read getattr };
 allow netutils_wrapper self:rawip_socket create_socket_perms;
 allow netutils_wrapper self:udp_socket create_socket_perms;
 allow netutils_wrapper self:global_capability_class_set net_admin;
diff --git a/private/platform_app.te b/private/platform_app.te
index 31c5741a8f1301720696e814ee401a4f364fd6e7..eec503a743beee583218ee9a39c3cb97a0628222 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -48,6 +48,13 @@ allow platform_app {
   proc_vmstat
 }:file r_file_perms;
 
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+r_dir_file(platform_app, proc_net_type)
+userdebug_or_eng(`
+  auditallow platform_app proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
 allow platform_app audioserver_service:service_manager find;
 allow platform_app cameraserver_service:service_manager find;
 allow platform_app drmserver_service:service_manager find;
diff --git a/private/priv_app.te b/private/priv_app.te
index d81f8d58d4af33e9ba8168f4818380158c44c6c4..3355502cea4c97249d0597a76cc271216cf342a1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -88,6 +88,28 @@ allow priv_app {
   proc_vmstat
 }:file r_file_perms;
 
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+r_dir_file(priv_app, proc_net_type)
+userdebug_or_eng(`
+  auditallow priv_app proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+# TODO(b/68774956) qtaguid access has been moved to netd. Access is deprecated. Audit for
+# removal.
+allow priv_app proc_qtaguid_ctrl:file rw_file_perms;
+userdebug_or_eng(`
+  auditallow priv_app proc_qtaguid_ctrl:file rw_file_perms;
+')
+r_dir_file(priv_app, proc_qtaguid_stat)
+userdebug_or_eng(`
+  auditallow priv_app proc_qtaguid_stat:dir r_dir_perms;
+  auditallow priv_app proc_qtaguid_stat:file r_file_perms;
+')
+allow priv_app qtaguid_device:chr_file r_file_perms;
+userdebug_or_eng(`
+  auditallow priv_app qtaguid_device:chr_file r_file_perms;
+')
+
 allow priv_app sysfs_type:dir search;
 # Read access to /sys/class/net/wlan*/address
 r_dir_file(priv_app, sysfs_net)
diff --git a/private/storaged.te b/private/storaged.te
index 7fe62868ecb34f12aca5c0d0c9ecac24da6a0610..ff5390a1dcecc28a202002dcefddd0b609d3b7cc 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -5,7 +5,10 @@ type storaged_exec, exec_type, file_type;
 init_daemon_domain(storaged)
 
 # Read access to pseudo filesystems
-r_dir_file(storaged, proc_net)
+r_dir_file(storaged, proc_net_type)
+userdebug_or_eng(`
+  auditallow storaged proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 r_dir_file(storaged, domain)
 
 # Read /proc/uid_io/stats
diff --git a/private/system_app.te b/private/system_app.te
index efb768b9811919e3ed4cf696d1b6013ec02fdece..7a7411f4c9c979689d2112a0b033410e2fff1ffc 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -110,6 +110,13 @@ allow system_app keystore:keystore_key {
     user_changed
 };
 
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+r_dir_file(system_app, proc_net_type)
+userdebug_or_eng(`
+  auditallow system_app proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
 # settings app reads /proc/version
 allow system_app {
   proc_version
diff --git a/private/system_server.te b/private/system_server.te
index 8e07d3f224cefc2d0bf7df4e12e3893c1e8293b3..72d408aa6eafbe64b837eb6907f83cd9bac945bc 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -730,7 +730,7 @@ r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
 
 r_dir_file(system_server, proc_asound)
-r_dir_file(system_server, proc_net)
+r_dir_file(system_server, proc_net_type)
 r_dir_file(system_server, proc_qtaguid_stat)
 allow system_server {
   proc_loadavg
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index ba2c1e1c7df3ef46087b52580cd0e5ea6b8277cd..09207e2545b9c97ea65fa7d0a28cced77627b3fc 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -40,3 +40,9 @@ allow untrusted_app_25 proc_misc:file r_file_perms;
 # https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
 # This will go away in a future Android release
 allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
+
+# qtaguid access. This is not a public API. Access will be removed in a
+# future version of Android.
+allow untrusted_app_25 proc_qtaguid_ctrl:file rw_file_perms;
+r_dir_file(untrusted_app_25, proc_qtaguid_stat)
+allow untrusted_app_25 qtaguid_device:chr_file r_file_perms;
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 79c776287f5f1766d4543d140cf242871a17bbf0..22a9343f2dc45c4e2acce9e624c687ab67ca1d88 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -26,3 +26,9 @@ app_domain(untrusted_app_27)
 untrusted_app_domain(untrusted_app_27)
 net_domain(untrusted_app_27)
 bluetooth_domain(untrusted_app_27)
+
+# qtaguid access. This is not a public API. Access will be removed in a
+# future version of Android.
+allow untrusted_app_27 proc_qtaguid_ctrl:file rw_file_perms;
+r_dir_file(untrusted_app_27, proc_qtaguid_stat)
+allow untrusted_app_27 qtaguid_device:chr_file r_file_perms;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index fbf59893b406d3cbd77167014a0d1d6d9e9a6713..b2c4f407c5ab46204606f5eecd944d333567375c 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -138,3 +138,15 @@ dontaudit untrusted_app_all proc_uptime:file read;
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
 create_pty(untrusted_app_all)
+
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# VPN apps require access to /proc/net/{tcp,udp} so access will need to be
+# limited through a mechanism other than SELinux.
+r_dir_file(untrusted_app_all, proc_net_type)
+userdebug_or_eng(`
+  auditallow untrusted_app_all {
+    proc_net_type
+    -proc_net_vpn
+  }:{ dir file lnk_file } { getattr open read };
+')
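Review bot: The `-proc_net_vpn` subtraction in the auditallow has no comment of its own; the text above explains why the allow must stay, but not why these reads are left out of the audit. A line such as `# Do not audit proc_net_vpn: reads of /proc/net/{tcp,udp} are expected from VPN apps.` directly above the auditallow would make that explicit. It also means untrusted-app reads of the tcp/udp files produce no audit data on userdebug builds, so the non-SELinux restriction mentioned in the comment will have to be measured some other way.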
diff --git a/private/zygote.te b/private/zygote.te
index 4f26bd0157e10be20e4a06ca01cccb3a6008f115..281097643607ef22e04ada66cb0c96617fec7bff 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -93,7 +93,10 @@ allow zygote storage_file:dir { search mounton };
 allow zygote zygote_exec:file rx_file_perms;
 
 # Read access to pseudo filesystems.
-r_dir_file(zygote, proc_net)
+r_dir_file(zygote, proc_net_type)
+userdebug_or_eng(`
+  auditallow zygote proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 
 # Root fs.
 r_dir_file(zygote, rootfs)
diff --git a/public/app.te b/public/app.te
index 52b46803855166c8bec7d76ac3256c46ff00f6e2..0c5008ddb4dea5594aee29acc35f6f5ad669e535 100644
--- a/public/app.te
+++ b/public/app.te
@@ -178,30 +178,33 @@ userdebug_or_eng(`
   allow appdomain heapdump_data_file:file append;
 ')
 
-r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
-# Write to /proc/net/xt_qtaguid/ctrl file.
-allow {
-    untrusted_app_25
-    untrusted_app_27
-    ephemeral_app
-    priv_app
-} proc_qtaguid_ctrl:file rw_file_perms;
-# read /proc/net/xt_qtguid/*stat* to per-app network data usage.
-# Exclude isolated app which may not use network sockets.
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# proc_net access for the negated domains below is granted (or not) in their
+# individual .te files.
 r_dir_file({
-    untrusted_app_25
-    untrusted_app_27
-    ephemeral_app
-    priv_app
-}, proc_qtaguid_stat)
-# Everybody can read the xt_qtaguid resource tracking misc dev.
-# So allow all apps to read from /dev/xt_qtaguid.
-allow {
-    untrusted_app_25
-    untrusted_app_27
-    ephemeral_app
-    priv_app
-} qtaguid_device:chr_file r_file_perms;
+  appdomain
+  -ephemeral_app
+  -isolated_app
+  -platform_app
+  -priv_app
+  -shell
+  -system_app
+  -untrusted_app_all
+}, proc_net_type)
+# audit access for all these non-core app domains.
+userdebug_or_eng(`
+  auditallow {
+    appdomain
+    -ephemeral_app
+    -isolated_app
+    -platform_app
+    -priv_app
+    -shell
+    -system_app
+    -untrusted_app_all
+  } proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
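Review bot: ephemeral_app was one of the four domains holding the qtaguid grants removed here (`proc_qtaguid_ctrl`, `proc_qtaguid_stat`, `qtaguid_device`), but the hunks visible on this page re-add them only for untrusted_app_25, untrusted_app_27 and priv_app. If dropping the access for ephemeral_app is intended, the new comment block should say so, for example `# ephemeral_app no longer has qtaguid access.` If it is not intended, ephemeral_app.te needs its own copy of the three rules. That file may be changed in a part of the commit not shown on this page.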
diff --git a/public/attributes b/public/attributes
index 75679c73d7f05726acae3ccf31655f7181edbd3d..0d191201338abd929419c3751f2a3f924d8ba536 100644
--- a/public/attributes
+++ b/public/attributes
@@ -40,6 +40,13 @@ attribute vendor_file_type;
 attribute proc_type;
 expandattribute proc_type false;
 
+# Types in /proc/net, excluding qtaguid types.
+# TODO(b/9496886) Lock down access to /proc/net.
+# This attribute is used to audit access to proc_net. it is temporary and will
+# be removed.
+attribute proc_net_type;
+expandattribute proc_net_type true;
+
 # All types used for sysfs files.
 attribute sysfs_type;
 
diff --git a/public/clatd.te b/public/clatd.te
index ee44abf7c6d02a949d729dfc1b9c77f991278f30..53d6582c1525d577676237c40504c765b456bbd1 100644
--- a/public/clatd.te
+++ b/public/clatd.te
@@ -4,7 +4,10 @@ type clatd_exec, exec_type, file_type;
 
 net_domain(clatd)
 
-r_dir_file(clatd, proc_net)
+r_dir_file(clatd, proc_net_type)
+userdebug_or_eng(`
+  auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 
 # Access objects inherited from netd.
 allow clatd netd:fd use;
diff --git a/public/dhcp.te b/public/dhcp.te
index 1f1ef2b48ccc7155392047812f5139ac6a12a83a..6ed983260c9f877f2494d2c15a080bdab338f04b 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -15,7 +15,7 @@ not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
 allow dhcp toolbox_exec:file rx_file_perms;
 
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
-allow dhcp proc_net:file write;
+allow dhcp proc_net_type:file write;
 
 set_prop(dhcp, dhcp_prop)
 set_prop(dhcp, pan_result_prop)
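Review bot: The write grant now targets the whole `proc_net_type` attribute, although its comment names only /proc/sys/net/ipv4/conf/*/promote_secondaries; with proc_net_vpn in the attribute, dhcp gains write on the /proc/net/tcp and /proc/net/udp labels and on every type later split out of /proc/net. Read access has to follow the attribute to avoid regressions, but write could stay on the original type: `allow dhcp proc_net:file write;`. The same widening appears in netd.te (`allow netd proc_net_type:file rw_file_perms;`) and vendor_init.te (`allow vendor_init proc_net_type:file w_file_perms;`), both commented as /proc/sys/net writes. This assumes /proc/sys/net keeps the proc_net label, which the genfs_contexts hunk on this page does not show.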
diff --git a/public/domain.te b/public/domain.te
index 43890e4e897313229e47d177764ecfdc3284ca2f..7e41e964e5f5a6eaace272b6e490463f969e3d7a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -23,7 +23,7 @@ allow domain self:process {
 };
 allow domain self:fd use;
 allow domain proc:dir r_dir_perms;
-allow domain proc_net:dir search;
+allow domain proc_net_type:dir search;
 r_dir_file(domain, self)
 allow domain self:{ fifo_file file } rw_file_perms;
 allow domain self:unix_dgram_socket { create_socket_perms sendto };
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2857caef8de32c411c397d618dbe393c0d7f8343..62762d3e5ca8183269979b0fd6fe02383b7431d3 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -161,7 +161,7 @@ allow dumpstate {
   proc_cmdline
   proc_meminfo
   proc_modules
-  proc_net
+  proc_net_type
   proc_pipe_conf
   proc_pagetypeinfo
   proc_qtaguid_ctrl
diff --git a/public/file.te b/public/file.te
index 73ba5fe7e4f6d2104d8951788261e2059985987c..47beab632dbbb44c99ccff9c58398e12e6840106 100644
--- a/public/file.te
+++ b/public/file.te
@@ -35,7 +35,8 @@ type proc_meminfo, fs_type, proc_type;
 type proc_misc, fs_type, proc_type;
 type proc_modules, fs_type, proc_type;
 type proc_mounts, fs_type, proc_type;
-type proc_net, fs_type, proc_type;
+type proc_net, fs_type, proc_type, proc_net_type;
+type proc_net_vpn, fs_type, proc_type, proc_net_type;
 type proc_page_cluster, fs_type, proc_type;
 type proc_pagetypeinfo, fs_type, proc_type;
 type proc_panic, fs_type, proc_type;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 5f8cc41ca10a3b1cba2db638ffce849b014a0933..21b6e02081bd7f6a2a7d9ca85f1089bfcb9c6880 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -38,7 +38,7 @@ allow hal_telephony_server self:netlink_kobject_uevent_socket create_socket_perm
 # Access to wake locks
 wakelock_use(hal_telephony_server)
 
-r_dir_file(hal_telephony_server, proc_net)
+r_dir_file(hal_telephony_server, proc_net_type)
 r_dir_file(hal_telephony_server, sysfs_type)
 r_dir_file(hal_telephony_server, system_file)
 
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index 7cea7c7401125ad367e85de8545267ead0002021..8f5b77b86b2c6af601643703929102ada8119300 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -5,7 +5,7 @@ binder_call(hal_wifi_server, hal_wifi_client)
 add_hwservice(hal_wifi_server, hal_wifi_hwservice)
 allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
 
-r_dir_file(hal_wifi, proc_net)
+r_dir_file(hal_wifi, proc_net_type)
 r_dir_file(hal_wifi, sysfs_type)
 
 set_prop(hal_wifi, exported_wifi_prop)
diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
index 03a554674d4c9277a54ba5f554c3969e70dcaa85..73bf037b11732329e8eda024fdffaae1e6245169 100644
--- a/public/hal_wifi_hostapd.te
+++ b/public/hal_wifi_hostapd.te
@@ -10,7 +10,7 @@ allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_r
 allow hal_wifi_hostapd_server sysfs_net:dir search;
 
 # Allow hal_wifi_hostapd to access /proc/net/psched
-allow hal_wifi_hostapd_server proc_net:file { getattr open read };
+allow hal_wifi_hostapd_server proc_net_type:file { getattr open read };
 
 # Various socket permissions.
 allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/hal_wifi_offload.te b/public/hal_wifi_offload.te
index dc0cf5a7316beb41d563c1627b923a8d48eb048d..f74ed05ffe37be5d4e9f8aa247b4b37b18ad7751 100644
--- a/public/hal_wifi_offload.te
+++ b/public/hal_wifi_offload.te
@@ -5,5 +5,5 @@ binder_call(hal_wifi_offload_server, hal_wifi_offload_client)
 add_hwservice(hal_wifi_offload_server, hal_wifi_offload_hwservice)
 allow hal_wifi_offload_client hal_wifi_offload_hwservice:hwservice_manager find;
 
-r_dir_file(hal_wifi_offload, proc_net)
+r_dir_file(hal_wifi_offload, proc_net_type)
 r_dir_file(hal_wifi_offload, sysfs_type)
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 6bf0d32659c7a666d8c36a5e194d97f48a88e95a..3d617661f7678beff644cace59f4899da2eb4af8 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -9,7 +9,7 @@ allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager
 allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
 
 r_dir_file(hal_wifi_supplicant, sysfs_type)
-r_dir_file(hal_wifi_supplicant, proc_net)
+r_dir_file(hal_wifi_supplicant, proc_net_type)
 
 allow hal_wifi_supplicant kernel:system module_request;
 allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
diff --git a/public/init.te b/public/init.te
index bcff07fb51346fd8a912d1bae8ddb8be909bac89..51a991b68890e440c34d5c9b35c7fcb4a76cc734 100644
--- a/public/init.te
+++ b/public/init.te
@@ -278,7 +278,7 @@ allow init kernel:system syslog_mod;
 allow init self:global_capability2_class_set syslog;
 
 # init access to /proc.
-r_dir_file(init, proc_net)
+r_dir_file(init, proc_net_type)
 
 allow init {
   proc_cmdline
@@ -296,7 +296,7 @@ allow init {
   proc_hostname
   proc_hung_task
   proc_extra_free_kbytes
-  proc_net
+  proc_net_type
   proc_max_map_count
   proc_min_free_order_shift
   proc_overcommit_memory
diff --git a/public/logd.te b/public/logd.te
index 817a7059fc716e7ec61f87ff7878c61310a77b07..23318b0f932cdd6676b7565d1e569e8d327730f1 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -6,7 +6,10 @@ type logd_exec, exec_type, file_type;
 r_dir_file(logd, cgroup)
 r_dir_file(logd, proc_kmsg)
 r_dir_file(logd, proc_meminfo)
-r_dir_file(logd, proc_net)
+r_dir_file(logd, proc_net_type)
+userdebug_or_eng(`
+  auditallow logd proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 
 allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
 allow logd self:global_capability2_class_set syslog;
diff --git a/public/netd.te b/public/netd.te
index 7262072338a8363886bcb2a95faf61202f2389ab..faf7cacddf471a23ff346db411d8a566f32a63be 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -41,9 +41,9 @@ allow netd proc_qtaguid_ctrl:file rw_file_perms;
 # Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
 allow netd qtaguid_device:chr_file r_file_perms;
 
-r_dir_file(netd, proc_net)
+r_dir_file(netd, proc_net_type)
 # For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net:file rw_file_perms;
+allow netd proc_net_type:file rw_file_perms;
 
 # Enables PppController and interface enumeration (among others)
 allow netd sysfs:dir r_dir_perms;
diff --git a/public/ppp.te b/public/ppp.te
index 9340dee87db4d5610858c169ae8d8fdb58f44544..8d79477c229d49466a1c2575926212d7d2d10611 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -5,7 +5,7 @@ type ppp_exec, exec_type, file_type;
 
 net_domain(ppp)
 
-r_dir_file(ppp, proc_net)
+r_dir_file(ppp, proc_net_type)
 
 allow ppp mtp:socket rw_socket_perms;
 
diff --git a/public/preopt2cachename.te b/public/preopt2cachename.te
index 49df647250f0f26cfd7b26052b0effc88f67c0c2..514100fdcd267117d4ed868c3b0732849ce1a074 100644
--- a/public/preopt2cachename.te
+++ b/public/preopt2cachename.te
@@ -10,4 +10,7 @@ allow preopt2cachename cppreopts:fd use;
 allow preopt2cachename cppreopts:fifo_file { getattr read write };
 
 # Allow write to logcat.
-allow preopt2cachename proc_net:file r_file_perms;
+allow preopt2cachename proc_net_type:file r_file_perms;
+userdebug_or_eng(`
+  auditallow preopt2cachename proc_net_type:{ dir file lnk_file } { getattr open read };
+')
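Review bot: The added auditallow lists `dir` and `lnk_file`, but the allow rule above it grants only `file` access, so unless another rule grants those classes they can never produce an audit record here. `auditallow preopt2cachename proc_net_type:file { getattr open read };` would match what is actually granted. The retained comment `# Allow write to logcat.` does not describe a /proc/net read either; something like `# Read /proc/net files. TODO(b/9496886) Audit access for removal.` would be clearer.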
diff --git a/public/shell.te b/public/shell.te
index 887e50833d049e217d0c3052887b2e7540c85e74..2be6da6f99316d88b50fe780c71964119fcb29e7 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -118,7 +118,7 @@ hwbinder_use(shell)
 allow shell hwservicemanager:hwservice_manager list;
 
 # allow shell to look through /proc/ for lsmod, ps, top, netstat.
-r_dir_file(shell, proc_net)
+r_dir_file(shell, proc_net_type)
 
 allow shell {
   proc_asound
diff --git a/public/vendor_init.te b/public/vendor_init.te
index d079873252583e0c820de9920a8ef1a8106f3d0f..ad69437a6cf6bf756f3f3539bc1c61ca9784f993 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -129,8 +129,8 @@ allow vendor_init {
 allow vendor_init dev_type:blk_file getattr;
 
 # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
-r_dir_file(vendor_init, proc_net)
-allow vendor_init proc_net:file w_file_perms;
+r_dir_file(vendor_init, proc_net_type)
+allow vendor_init proc_net_type:file w_file_perms;
 allow vendor_init self:global_capability_class_set net_admin;
 
 # Write to /proc/sys/vm/page-cluster
diff --git a/public/vold.te b/public/vold.te
index 0b0c7663b641ed10a44c26226f22e3c5476c1dd4..6817482bb91bfa852748030aff8cbb5121a08688 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -8,7 +8,11 @@ allow vold cache_file:file { getattr read };
 allow vold cache_file:lnk_file r_file_perms;
 
 # Read access to pseudo filesystems.
-r_dir_file(vold, proc_net)
+r_dir_file(vold, proc_net_type)
+userdebug_or_eng(`
+  auditallow vold proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
 r_dir_file(vold, sysfs_type)
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
diff --git a/public/wificond.te b/public/wificond.te
index 96668f3a885ee6de732e2eb40088cfeef5198dcc..fd2ed4fdd728d91fde0f628b6b1e3ea13d77b9bc 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -21,7 +21,7 @@ allow wificond self:netlink_socket create_socket_perms_no_ioctl;
 # newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
 allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
 
-r_dir_file(wificond, proc_net)
+r_dir_file(wificond, proc_net_type)
 
 # wificond writes out configuration files for wpa_supplicant/hostapd.
 # wificond also reads pid files out of this directory