diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil index a78b6572fc95e8bc4ca7592e3333a9bc9e5e6086..ef5017cdc256a9b913de4dd5d0d725a76b3596e1 100644 --- a/private/compat/26.0/26.0.cil +++ b/private/compat/26.0/26.0.cil @@ -499,6 +499,7 @@ (typeattributeset proc_modules_26_0 (proc_modules)) (typeattributeset proc_net_26_0 ( proc_net + proc_net_vpn proc_qtaguid_stat)) (typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory)) (typeattributeset proc_perf_26_0 (proc_perf)) diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil index 2ccf70918dff1c0e45a32e757d5fbab34a540b27..e1b30a5a28255cbaf391af3c7fae125d0480f051 100644 --- a/private/compat/27.0/27.0.cil +++ b/private/compat/27.0/27.0.cil @@ -1213,6 +1213,7 @@ (typeattributeset proc_modules_27_0 (proc_modules)) (typeattributeset proc_net_27_0 ( proc_net + proc_net_vpn proc_qtaguid_stat)) (typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory)) (typeattributeset proc_perf_27_0 (proc_perf)) diff --git a/private/genfs_contexts b/private/genfs_contexts index f2b96990224f50a5b39a8d2b10023b6fa13c8266..6590d191ee2c45da52a28d69b5e91f6acc54610c 100644 --- a/private/genfs_contexts +++ b/private/genfs_contexts @@ -17,6 +17,8 @@ genfscon proc /misc u:object_r:proc_misc:s0 genfscon proc /modules u:object_r:proc_modules:s0 genfscon proc /mounts u:object_r:proc_mounts:s0 genfscon proc /net u:object_r:proc_net:s0 +genfscon proc /net/tcp u:object_r:proc_net_vpn:s0 +genfscon proc /net/udp u:object_r:proc_net_vpn:s0 genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0 genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0 diff --git a/private/mdnsd.te b/private/mdnsd.te index 96259e2986258cd4381fbc117d06e6e91aa99c5f..943f9794cf451c3e7317c5c3c15e3ff54b20c985 100644 --- a/private/mdnsd.te +++ b/private/mdnsd.te 
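Review bot: In private/genfs_contexts the two new entries for `/net/tcp` and `/net/udp` carry no comment saying how far they reach. As far as I know the kernel matches genfscon paths by string prefix, so these labels would also land on `/proc/net/tcp6`, `/proc/net/udp6` and `/proc/net/udplite*`, which a reader will not guess from the two lines. I would add `# Prefix match: also labels tcp6, udp6 and udplite{,6}. Read by VPN apps.` above them, after confirming the resulting labels on a device with `ls -Z /proc/net`.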
@@ -9,4 +9,4 @@ init_daemon_domain(mdnsd) net_domain(mdnsd) # Read from /proc/net -r_dir_file(mdnsd, proc_net) +r_dir_file(mdnsd, proc_net_type) diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te index ea58814e1a353444ca8311c01feae94260f1abc5..fc01999c95cd9c668477785946d2d8dd43c86679 100644 --- a/private/netutils_wrapper.te +++ b/private/netutils_wrapper.te @@ -6,7 +6,7 @@ r_dir_file(netutils_wrapper, system_file); allow netutils_wrapper self:global_capability_class_set net_raw; allow netutils_wrapper system_file:file { execute execute_no_trans }; -allow netutils_wrapper proc_net:file { open read getattr }; +allow netutils_wrapper proc_net_type:file { open read getattr }; allow netutils_wrapper self:rawip_socket create_socket_perms; allow netutils_wrapper self:udp_socket create_socket_perms; allow netutils_wrapper self:global_capability_class_set net_admin; diff --git a/private/platform_app.te b/private/platform_app.te index 80b20e1454e0cb8cd5efba77de2c2ad9e3c2796c..97d3035cf12cc6559e6bd5571e5679a429124625 100644 --- a/private/platform_app.te +++ b/private/platform_app.te @@ -45,6 +45,13 @@ allow platform_app { proc_vmstat }:file r_file_perms; +# /proc/net access. +# TODO(b/9496886) Audit access for removal. +r_dir_file(platform_app, proc_net_type) +userdebug_or_eng(` + auditallow platform_app proc_net_type:{ dir file lnk_file } { getattr open read }; +') + allow platform_app audioserver_service:service_manager find; allow platform_app cameraserver_service:service_manager find; allow platform_app drmserver_service:service_manager find; diff --git a/private/priv_app.te b/private/priv_app.te index 99397a5bc418448733678c4b1c56f813d9af4468..6c28ae8ff55e1376854d1578d945fe1174d015b1 100644 --- a/private/priv_app.te +++ b/private/priv_app.te 
@@ -85,6 +85,28 @@ allow priv_app { proc_vmstat }:file r_file_perms; +# /proc/net access. +# TODO(b/9496886) Audit access for removal. +r_dir_file(priv_app, proc_net_type) +userdebug_or_eng(` + auditallow priv_app proc_net_type:{ dir file lnk_file } { getattr open read }; +') +# TODO(b/68774956) qtaguid access has been moved to netd. Access is deprecated. Audit for +# removal. +allow priv_app proc_qtaguid_ctrl:file rw_file_perms; +userdebug_or_eng(` + auditallow priv_app proc_qtaguid_ctrl:file rw_file_perms; +') +r_dir_file(priv_app, proc_qtaguid_stat) +userdebug_or_eng(` + auditallow priv_app proc_qtaguid_stat:dir r_dir_perms; + auditallow priv_app proc_qtaguid_stat:file r_file_perms; +') +allow priv_app qtaguid_device:chr_file r_file_perms; +userdebug_or_eng(` + auditallow priv_app qtaguid_device:chr_file r_file_perms; +') + allow priv_app sysfs_type:dir search; # Read access to /sys/class/net/wlan*/address r_dir_file(priv_app, sysfs_net) diff --git a/private/storaged.te b/private/storaged.te index 8ad872f61035767556ac7fe198103163aeac730d..663de004f76fa11653497d89e767d35481db75f3 100644 --- a/private/storaged.te +++ b/private/storaged.te @@ -5,7 +5,10 @@ type storaged_exec, exec_type, file_type; init_daemon_domain(storaged) # Read access to pseudo filesystems -r_dir_file(storaged, proc_net) +r_dir_file(storaged, proc_net_type) +userdebug_or_eng(` + auditallow storaged proc_net_type:{ dir file lnk_file } { getattr open read }; +') r_dir_file(storaged, domain) # Read /proc/uid_io/stats diff --git a/private/system_app.te b/private/system_app.te index eb7e050522a8c9695fdd3f2ae14f3674dd3140be..4ed19824e1b0790917d46b38cccb54ab788f0180 100644 --- a/private/system_app.te +++ b/private/system_app.te 
@@ -107,6 +107,13 @@ allow system_app keystore:keystore_key { user_changed }; +# /proc/net access. +# TODO(b/9496886) Audit access for removal. +r_dir_file(system_app, proc_net_type) +userdebug_or_eng(` + auditallow system_app proc_net_type:{ dir file lnk_file } { getattr open read }; +') + # settings app reads /proc/version allow system_app { proc_version diff --git a/private/system_server.te b/private/system_server.te index 79260b24d4583b222148609a6bf0f4211d7a900b..f5aafe3645658746c1c7a838baa3424a90cfe57b 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -726,7 +726,7 @@ r_dir_file(system_server, cgroup) allow system_server ion_device:chr_file r_file_perms; r_dir_file(system_server, proc_asound) -r_dir_file(system_server, proc_net) +r_dir_file(system_server, proc_net_type) r_dir_file(system_server, proc_qtaguid_stat) allow system_server { proc_loadavg diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te index ba2c1e1c7df3ef46087b52580cd0e5ea6b8277cd..09207e2545b9c97ea65fa7d0a28cced77627b3fc 100644 --- a/private/untrusted_app_25.te +++ b/private/untrusted_app_25.te @@ -40,3 +40,9 @@ allow untrusted_app_25 proc_misc:file r_file_perms; # https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java # This will go away in a future Android release allow untrusted_app_25 proc_tty_drivers:file r_file_perms; + +# qtaguid access. This is not a public API. Access will be removed in a +# future version of Android. +allow untrusted_app_25 proc_qtaguid_ctrl:file rw_file_perms; +r_dir_file(untrusted_app_25, proc_qtaguid_stat) +allow untrusted_app_25 qtaguid_device:chr_file r_file_perms; diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te index 79c776287f5f1766d4543d140cf242871a17bbf0..22a9343f2dc45c4e2acce9e624c687ab67ca1d88 100644 --- a/private/untrusted_app_27.te +++ b/private/untrusted_app_27.te 
@@ -26,3 +26,9 @@ app_domain(untrusted_app_27) untrusted_app_domain(untrusted_app_27) net_domain(untrusted_app_27) bluetooth_domain(untrusted_app_27) + +# qtaguid access. This is not a public API. Access will be removed in a +# future version of Android. +allow untrusted_app_27 proc_qtaguid_ctrl:file rw_file_perms; +r_dir_file(untrusted_app_27, proc_qtaguid_stat) +allow untrusted_app_27 qtaguid_device:chr_file r_file_perms; diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te index 6cf1668275d38b14e4cbc0c2fca5999b0c9fe89a..926a49b8b3db13a7333b1977ee369f1f40f41550 100644 --- a/private/untrusted_app_all.te +++ b/private/untrusted_app_all.te @@ -138,3 +138,15 @@ dontaudit untrusted_app_all net_dns_prop:file read; dontaudit untrusted_app_all proc_stat:file read; dontaudit untrusted_app_all proc_vmstat:file read; dontaudit untrusted_app_all proc_uptime:file read; + +# /proc/net access. +# TODO(b/9496886) Audit access for removal. +# VPN apps require access to /proc/net/{tcp,udp} so access will need to be +# limited through a mechanism other than SELinux. +r_dir_file(untrusted_app_all, proc_net_type) +userdebug_or_eng(` + auditallow untrusted_app_all { + proc_net_type + -proc_net_vpn + }:{ dir file lnk_file } { getattr open read }; +') diff --git a/private/zygote.te b/private/zygote.te index 4f26bd0157e10be20e4a06ca01cccb3a6008f115..281097643607ef22e04ada66cb0c96617fec7bff 100644 --- a/private/zygote.te +++ b/private/zygote.te @@ -93,7 +93,10 @@ allow zygote storage_file:dir { search mounton }; allow zygote zygote_exec:file rx_file_perms; # Read access to pseudo filesystems. -r_dir_file(zygote, proc_net) +r_dir_file(zygote, proc_net_type) +userdebug_or_eng(` + auditallow zygote proc_net_type:{ dir file lnk_file } { getattr open read }; +') # Root fs. r_dir_file(zygote, rootfs) diff --git a/public/app.te b/public/app.te index 580311ae793b5582ae56a87ebb279a820a676108..ffc2d11b8bde010bd3a90e311f6a9ce1265aa6c9 100644 --- a/public/app.te 
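Review bot: In private/untrusted_app_all.te the `auditallow` subtracts `proc_net_vpn`, so reads of `/proc/net/tcp` and `/proc/net/udp` by untrusted apps are the one /proc/net access this change leaves unaudited. Meanwhile `r_dir_file(untrusted_app_all, proc_net_type)` still grants those files to every untrusted app, not only to VPN apps. The comment says the limit must come from a mechanism other than SELinux but names no bug for it, so nothing ties this grant to follow-up work. I would extend the comment with the reason for the exclusion and a tracker, e.g. `# proc_net_vpn is not audited: all untrusted apps keep read access for now. TODO(b/<bug id>) restrict outside SELinux.`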
+++ b/public/app.te @@ -174,30 +174,33 @@ userdebug_or_eng(` allow appdomain heapdump_data_file:file append; ') -r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net) -# Write to /proc/net/xt_qtaguid/ctrl file. -allow { - untrusted_app_25 - untrusted_app_27 - ephemeral_app - priv_app -} proc_qtaguid_ctrl:file rw_file_perms; -# read /proc/net/xt_qtguid/*stat* to per-app network data usage. -# Exclude isolated app which may not use network sockets. +# /proc/net access. +# TODO(b/9496886) Audit access for removal. +# proc_net access for the negated domains below is granted (or not) in their +# individual .te files. r_dir_file({ - untrusted_app_25 - untrusted_app_27 - ephemeral_app - priv_app -}, proc_qtaguid_stat) -# Everybody can read the xt_qtaguid resource tracking misc dev. -# So allow all apps to read from /dev/xt_qtaguid. -allow { - untrusted_app_25 - untrusted_app_27 - ephemeral_app - priv_app -} qtaguid_device:chr_file r_file_perms; + appdomain + -ephemeral_app + -isolated_app + -platform_app + -priv_app + -shell + -system_app + -untrusted_app_all +}, proc_net_type) +# audit access for all these non-core app domains. +userdebug_or_eng(` + auditallow { + appdomain + -ephemeral_app + -isolated_app + -platform_app + -priv_app + -shell + -system_app + -untrusted_app_all + } proc_net_type:{ dir file lnk_file } { getattr open read }; +') # Grant GPU access to all processes started by Zygote. # They need that to render the standard UI. diff --git a/public/attributes b/public/attributes index 159d28e4e700c87694604a33a665b17eae5e1307..f530752302250b53bd9cb6d980709d5fb733e11d 100644 --- a/public/attributes +++ b/public/attributes 
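Review bot: The rules removed from public/app.te granted `ephemeral_app` access to `proc_qtaguid_ctrl`, `proc_qtaguid_stat` and `qtaguid_device`, and the hunks on this page re-add that access only for `priv_app`, `untrusted_app_25` and `untrusted_app_27`. If no other file restores it, ephemeral apps lose qtaguid access as a side effect of a change that is otherwise about /proc/net; that tightening may be intended, but it should be stated in the commit message or a comment. Separately, the negated domain set is written out twice, once in `r_dir_file` and once in `auditallow`, and the two lists must be kept in step by hand. A comment such as `# Keep this set identical to the r_dir_file() set above.` on the `auditallow` would help.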
@@ -39,6 +39,13 @@ attribute vendor_file_type; # All types used for procfs files. attribute proc_type; +# Types in /proc/net, excluding qtaguid types. +# TODO(b/9496886) Lock down access to /proc/net. +# This attribute is used to audit access to proc_net. it is temporary and will +# be removed. +attribute proc_net_type; +expandattribute proc_net_type true; + # All types used for sysfs files. attribute sysfs_type; diff --git a/public/clatd.te b/public/clatd.te index ee44abf7c6d02a949d729dfc1b9c77f991278f30..53d6582c1525d577676237c40504c765b456bbd1 100644 --- a/public/clatd.te +++ b/public/clatd.te @@ -4,7 +4,10 @@ type clatd_exec, exec_type, file_type; net_domain(clatd) -r_dir_file(clatd, proc_net) +r_dir_file(clatd, proc_net_type) +userdebug_or_eng(` + auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read }; +') # Access objects inherited from netd. allow clatd netd:fd use; diff --git a/public/dhcp.te b/public/dhcp.te index 1f1ef2b48ccc7155392047812f5139ac6a12a83a..6ed983260c9f877f2494d2c15a080bdab338f04b 100644 --- a/public/dhcp.te +++ b/public/dhcp.te @@ -15,7 +15,7 @@ not_full_treble(`allow dhcp vendor_file:file rx_file_perms;') allow dhcp toolbox_exec:file rx_file_perms; # For /proc/sys/net/ipv4/conf/*/promote_secondaries -allow dhcp proc_net:file write; +allow dhcp proc_net_type:file write; set_prop(dhcp, dhcp_prop) set_prop(dhcp, pan_result_prop) diff --git a/public/domain.te b/public/domain.te index f0867a4c4b803496a4d87090620d7041b362a1df..4e04a088255cfa47638d7b0dbc6e450b0df89513 100644 --- a/public/domain.te +++ b/public/domain.te @@ -23,7 +23,7 @@ allow domain self:process { }; allow domain self:fd use; allow domain proc:dir r_dir_perms; -allow domain proc_net:dir search; +allow domain proc_net_type:dir search; r_dir_file(domain, self) allow domain self:{ fifo_file file } rw_file_perms; allow domain self:unix_dgram_socket { create_socket_perms sendto }; 
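Review bot: In public/dhcp.te the write rule now targets the whole attribute, `allow dhcp proc_net_type:file write;`, which adds write permission on `proc_net_vpn` (`/proc/net/tcp`, `/proc/net/udp`) although the comment above it names only `/proc/sys/net/ipv4/conf/*/promote_secondaries`. Assuming the /proc/sys/net files keep the `proc_net` label (their genfscon entry is not in this diff), the rule can stay `allow dhcp proc_net:file write;` and only read access needs the attribute. The same widening appears in `allow netd proc_net_type:file rw_file_perms;` in public/netd.te, `allow vendor_init proc_net_type:file w_file_perms;` in public/vendor_init.te, and in the second public/init.te hunk, where `proc_net_type` replaces `proc_net` inside an `allow init { … }` set whose permission list lies outside the hunk. Keeping write grants on the concrete type also means that types added to `proc_net_type` later do not become writable by these domains automatically.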
diff --git a/public/dumpstate.te b/public/dumpstate.te index 6cece1d76c234a3bbc37457e2a43a157afcd3629..049155c37fe7abe5dd7a520b4d27451762efcc09 100644 --- a/public/dumpstate.te +++ b/public/dumpstate.te @@ -161,7 +161,7 @@ allow dumpstate { proc_cmdline proc_meminfo proc_modules - proc_net + proc_net_type proc_pipe_conf proc_pagetypeinfo proc_qtaguid_ctrl diff --git a/public/file.te b/public/file.te index 6e755e49dd8d3ae8ab7254720fb91bc3dcb8c7b3..dd7fdeb636ba838c273973d9272f25a83b2b1fd9 100644 --- a/public/file.te +++ b/public/file.te @@ -35,7 +35,8 @@ type proc_meminfo, fs_type, proc_type; type proc_misc, fs_type, proc_type; type proc_modules, fs_type, proc_type; type proc_mounts, fs_type, proc_type; -type proc_net, fs_type, proc_type; +type proc_net, fs_type, proc_type, proc_net_type; +type proc_net_vpn, fs_type, proc_type, proc_net_type; type proc_page_cluster, fs_type, proc_type; type proc_pagetypeinfo, fs_type, proc_type; type proc_panic, fs_type, proc_type; diff --git a/public/hal_telephony.te b/public/hal_telephony.te index 31859aa5179608b03c9d7687faf3b675a09e2a3f..8456c1537a5d82ecaf1fea100d98e45e98cdc752 100644 --- a/public/hal_telephony.te +++ b/public/hal_telephony.te @@ -39,7 +39,7 @@ allow hal_telephony_server self:netlink_kobject_uevent_socket create_socket_perm # Access to wake locks wakelock_use(hal_telephony_server) -r_dir_file(hal_telephony_server, proc_net) +r_dir_file(hal_telephony_server, proc_net_type) r_dir_file(hal_telephony_server, sysfs_type) r_dir_file(hal_telephony_server, system_file) diff --git a/public/hal_wifi.te b/public/hal_wifi.te index 7cea7c7401125ad367e85de8545267ead0002021..8f5b77b86b2c6af601643703929102ada8119300 100644 --- a/public/hal_wifi.te +++ b/public/hal_wifi.te 
@@ -5,7 +5,7 @@ binder_call(hal_wifi_server, hal_wifi_client) add_hwservice(hal_wifi_server, hal_wifi_hwservice) allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find; -r_dir_file(hal_wifi, proc_net) +r_dir_file(hal_wifi, proc_net_type) r_dir_file(hal_wifi, sysfs_type) set_prop(hal_wifi, exported_wifi_prop) diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te index 03a554674d4c9277a54ba5f554c3969e70dcaa85..73bf037b11732329e8eda024fdffaae1e6245169 100644 --- a/public/hal_wifi_hostapd.te +++ b/public/hal_wifi_hostapd.te @@ -10,7 +10,7 @@ allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_r allow hal_wifi_hostapd_server sysfs_net:dir search; # Allow hal_wifi_hostapd to access /proc/net/psched -allow hal_wifi_hostapd_server proc_net:file { getattr open read }; +allow hal_wifi_hostapd_server proc_net_type:file { getattr open read }; # Various socket permissions. allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls; diff --git a/public/hal_wifi_offload.te b/public/hal_wifi_offload.te index dc0cf5a7316beb41d563c1627b923a8d48eb048d..f74ed05ffe37be5d4e9f8aa247b4b37b18ad7751 100644 --- a/public/hal_wifi_offload.te +++ b/public/hal_wifi_offload.te @@ -5,5 +5,5 @@ binder_call(hal_wifi_offload_server, hal_wifi_offload_client) add_hwservice(hal_wifi_offload_server, hal_wifi_offload_hwservice) allow hal_wifi_offload_client hal_wifi_offload_hwservice:hwservice_manager find; -r_dir_file(hal_wifi_offload, proc_net) +r_dir_file(hal_wifi_offload, proc_net_type) r_dir_file(hal_wifi_offload, sysfs_type) diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te index 6bf0d32659c7a666d8c36a5e194d97f48a88e95a..3d617661f7678beff644cace59f4899da2eb4af8 100644 --- a/public/hal_wifi_supplicant.te +++ b/public/hal_wifi_supplicant.te 
@@ -9,7 +9,7 @@ allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls; r_dir_file(hal_wifi_supplicant, sysfs_type) -r_dir_file(hal_wifi_supplicant, proc_net) +r_dir_file(hal_wifi_supplicant, proc_net_type) allow hal_wifi_supplicant kernel:system module_request; allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw }; diff --git a/public/init.te b/public/init.te index c34e02842d367d7d4b1b94772c35b73bfe4f7a59..84b58119028c00acf320d77149e6b4ad3e0905b7 100644 --- a/public/init.te +++ b/public/init.te @@ -275,7 +275,7 @@ allow init kernel:system syslog_mod; allow init self:global_capability2_class_set syslog; # init access to /proc. -r_dir_file(init, proc_net) +r_dir_file(init, proc_net_type) allow init { proc_cmdline @@ -293,7 +293,7 @@ allow init { proc_hostname proc_hung_task proc_extra_free_kbytes - proc_net + proc_net_type proc_max_map_count proc_min_free_order_shift proc_overcommit_memory diff --git a/public/logd.te b/public/logd.te index 817a7059fc716e7ec61f87ff7878c61310a77b07..23318b0f932cdd6676b7565d1e569e8d327730f1 100644 --- a/public/logd.te +++ b/public/logd.te @@ -6,7 +6,10 @@ type logd_exec, exec_type, file_type; r_dir_file(logd, cgroup) r_dir_file(logd, proc_kmsg) r_dir_file(logd, proc_meminfo) -r_dir_file(logd, proc_net) +r_dir_file(logd, proc_net_type) +userdebug_or_eng(` + auditallow logd proc_net_type:{ dir file lnk_file } { getattr open read }; +') allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control }; allow logd self:global_capability2_class_set syslog; diff --git a/public/netd.te b/public/netd.te index 545ad7c1a9befbb586233538832dd7f856bbcab2..433761c70e1cf685c1c9ec588311e63f833ad834 100644 --- a/public/netd.te +++ b/public/netd.te 
@@ -41,9 +41,9 @@ allow netd proc_qtaguid_ctrl:file rw_file_perms; # Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have. allow netd qtaguid_device:chr_file r_file_perms; -r_dir_file(netd, proc_net) +r_dir_file(netd, proc_net_type) # For /proc/sys/net/ipv[46]/route/flush. -allow netd proc_net:file rw_file_perms; +allow netd proc_net_type:file rw_file_perms; # Enables PppController and interface enumeration (among others) allow netd sysfs:dir r_dir_perms; diff --git a/public/ppp.te b/public/ppp.te index 9340dee87db4d5610858c169ae8d8fdb58f44544..8d79477c229d49466a1c2575926212d7d2d10611 100644 --- a/public/ppp.te +++ b/public/ppp.te @@ -5,7 +5,7 @@ type ppp_exec, exec_type, file_type; net_domain(ppp) -r_dir_file(ppp, proc_net) +r_dir_file(ppp, proc_net_type) allow ppp mtp:socket rw_socket_perms; diff --git a/public/preopt2cachename.te b/public/preopt2cachename.te index 49df647250f0f26cfd7b26052b0effc88f67c0c2..514100fdcd267117d4ed868c3b0732849ce1a074 100644 --- a/public/preopt2cachename.te +++ b/public/preopt2cachename.te @@ -10,4 +10,7 @@ allow preopt2cachename cppreopts:fd use; allow preopt2cachename cppreopts:fifo_file { getattr read write }; # Allow write to logcat. -allow preopt2cachename proc_net:file r_file_perms; +allow preopt2cachename proc_net_type:file r_file_perms; +userdebug_or_eng(` + auditallow preopt2cachename proc_net_type:{ dir file lnk_file } { getattr open read }; +') diff --git a/public/shell.te b/public/shell.te index 66415978659ed214b227965319d2fa95c306d4e1..9bd437177e124eafae14cb157756c2d6642ca47f 100644 --- a/public/shell.te +++ b/public/shell.te @@ -115,7 +115,7 @@ hwbinder_use(shell) allow shell hwservicemanager:hwservice_manager list; # allow shell to look through /proc/ for lsmod, ps, top, netstat. -r_dir_file(shell, proc_net) +r_dir_file(shell, proc_net_type) allow shell { proc_asound 
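Review bot: In public/preopt2cachename.te the rule `allow preopt2cachename proc_net_type:file r_file_perms;` still sits under the comment `# Allow write to logcat.`, which does not describe a read of /proc/net. Since this change marks the access for auditing, the comment should say so, for example `# Read /proc/net. TODO(b/9496886) Audit access for removal.` The added `auditallow` also lists `dir` and `lnk_file`; as far as the rules on this page show, this domain gets only the `domain`-wide `dir search` on those classes, so only the `file` entries can fire here.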
diff --git a/public/vendor_init.te b/public/vendor_init.te index 362244ee756c349aa1f18ae94fea497f53585a5a..22b01df130552e2769eb6d055555250578e9dadd 100644 --- a/public/vendor_init.te +++ b/public/vendor_init.te @@ -123,8 +123,8 @@ allow vendor_init { allow vendor_init dev_type:blk_file getattr; # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files. -r_dir_file(vendor_init, proc_net) -allow vendor_init proc_net:file w_file_perms; +r_dir_file(vendor_init, proc_net_type) +allow vendor_init proc_net_type:file w_file_perms; allow vendor_init self:global_capability_class_set net_admin; # Write to /proc/sys/vm/page-cluster diff --git a/public/vold.te b/public/vold.te index 95847cf648c8ad64d7f3537884a71431f4f7eb13..b414846237dcb5efe798e6bedc1d793e959095eb 100644 --- a/public/vold.te +++ b/public/vold.te @@ -8,7 +8,11 @@ allow vold cache_file:file { getattr read }; allow vold cache_file:lnk_file r_file_perms; # Read access to pseudo filesystems. -r_dir_file(vold, proc_net) +r_dir_file(vold, proc_net_type) +userdebug_or_eng(` + auditallow vold proc_net_type:{ dir file lnk_file } { getattr open read }; +') + r_dir_file(vold, sysfs_type) # XXX Label sysfs files with a specific type? allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot. diff --git a/public/wificond.te b/public/wificond.te index 9e4dc7d32478f63a00631cf42d7f5c66260ea7c7..c62a8d72cc6b608a209dc82d7160cd06c8235a81 100644 --- a/public/wificond.te +++ b/public/wificond.te @@ -21,7 +21,7 @@ allow wificond self:netlink_socket create_socket_perms_no_ioctl; # newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl; -r_dir_file(wificond, proc_net) +r_dir_file(wificond, proc_net_type) # allow wificond to check permission for dumping logs allow wificond permission_service:service_manager find;