diff --git a/file.te b/file.te
index 59a2cc5c08b369671d2db60d974526d7aaddf41b..bbd098e8bcd83dffaf3fce39cfe629eb41321be0 100644
--- a/file.te
+++ b/file.te
@@ -25,6 +25,7 @@ type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wake_lock, fs_type, sysfs_type;
+type sysfs_mac_address, fs_type, sysfs_type;
 # /sys/devices/system/cpu
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
 # /sys/module/lowmemorykiller
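Review bot: The added `sysfs_mac_address` type is declared without any labeling rule in this diff, so unless a file_contexts or genfs_contexts entry assigns it elsewhere (for example in device-specific policy), no sysfs node will carry the type. In that case the new rules in system_server.te and untrusted_app.te match nothing, and the address file stays under the generic `sysfs` label. The declaration also lacks the path comment its neighbours have; something like `# <sysfs path of the interface address file>` above it, with the real path filled in, would show which nodes are meant to be covered.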
diff --git a/system_server.te b/system_server.te
index 905f12744d70d4fa39d1ba30ecb61f56f62523f4..79a495ab5003309ee0b18139953c5974ec51ce07 100644
--- a/system_server.te
+++ b/system_server.te
@@ -153,6 +153,7 @@ selinux_check_access(system_server)
 allow system_server sysfs:file rw_file_perms;
 allow system_server sysfs_nfc_power_writable:file rw_file_perms;
 allow system_server sysfs_devices_system_cpu:file w_file_perms;
+allow system_server sysfs_mac_address:file r_file_perms;
 
 # Access devices.
 allow system_server device:dir r_dir_perms;
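Review bot: Only system_server is granted read access to `sysfs_mac_address` on the added line, so any other domain that reads the address file today through a generic `sysfs:file` rule will be denied once the file is relabeled. Which domains those are is not visible in this hunk. Before merging, it would be worth checking for denials on a device with the new label applied and adding an explicit `r_file_perms` rule for each legitimate reader. A short comment above the added rule, e.g. `# Read the network interface MAC address.`, would match the commented rules around it.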
diff --git a/untrusted_app.te b/untrusted_app.te
index 693a13cd697b254c11f0d53bd1608104a80e7fad..eb518e32c45ee670948f9cfea6530eb1c48e0ed7 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -154,3 +154,6 @@ neverallow untrusted_app mlstrustedsubject:process fork;
 # bugs, so we want to ensure untrusted_app never has this
 # capability.
 neverallow untrusted_app file_type:file link;
+
+# Do not allow untrusted_app to access network MAC address file
+neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
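Review bot: The added neverallow names only `untrusted_app`, so the policy build would still accept a later allow rule that gives another app domain read access to `sysfs_mac_address`. If the intent is to keep the address away from all third-party code, the source could be widened, e.g. `neverallow { untrusted_app isolated_app } sysfs_mac_address:file no_rw_file_perms;`. Whether other app domains should be included depends on policy outside this diff. The comment states what is blocked but not why; a line such as `# The MAC address is a persistent device identifier and must not be readable by untrusted apps.` would record the rationale.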