diff --git a/private/network_stack.te b/private/network_stack.te
index 4fd31bda1..6db7d8fbb 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -67,3 +67,6 @@ allow network_stack debugfs_wifi_tracing:file rw_file_perms;
 # dumpstate support
 allow network_stack dumpstate:fd use;
 allow network_stack dumpstate:fifo_file write;
+
+# Create/use netlink_tcpdiag_socket to get tcp info
+allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
diff --git a/public/app.te b/public/app.te
index ea3cf159d..030aba582 100644
--- a/public/app.te
+++ b/public/app.te
@@ -390,7 +390,7 @@ neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
 neverallow appdomain tee_device:chr_file { read write };
 
 # Privileged netlink socket interfaces.
-neverallow appdomain
+neverallow { appdomain -network_stack }
 domain:{
 netlink_tcpdiag_socket
 netlink_nflog_socket
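Review bot: The new allow rule in private/network_stack.te grants `nlmsg_write` on the tcpdiag socket, but the comment above it only justifies reading TCP info; in the kernel's netlink permission mapping the write permission is what covers SOCK_DESTROY (on kernels that support it), which tears down sockets rather than querying them. If the consumer only issues diag queries, `nlmsg_read` is sufficient and the line should be `allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };`. If socket destruction is intended, extend the comment so the broader grant is not trimmed later by mistake, e.g. `# nlmsg_write is needed for SOCK_DESTROY (closing sockets), not just for reading tcp info`.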
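Review bot: The `-network_stack` carve-out in public/app.te removes network_stack from the whole neverallow, which covers every netlink class inside the braces (netlink_nflog_socket is already visible and the list continues past the hunk) and every target domain, while the rule being enabled is only self:netlink_tcpdiag_socket. A narrower exemption keeps the assertion intact for everything else: leave `neverallow appdomain domain:{ ... } *;` in place for the remaining classes and add a separate `neverallow { appdomain -network_stack } domain:netlink_tcpdiag_socket *;`. The neverallow statement closes outside the hunk, so the full class list could not be checked here. A one-line comment on the carve-out naming the network_stack.te rule it exists for would also help the next reader see why an app domain is exempted from a privileged-netlink assertion.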