diff --git a/native/src/sepolicy/rules.rs b/native/src/sepolicy/rules.rs
index 9fe918dba..f34c315cb 100644
--- a/native/src/sepolicy/rules.rs
+++ b/native/src/sepolicy/rules.rs
@@ -52,7 +52,8 @@ impl SepolicyMagisk for sepolicy {
 set_log_level_state(LogLevel::Warn, false);
 rules! {
 use self;
- allow(all, ["kernel"], ["security"], ["load_policy"]);
+ // Prevent anything to change sepolicy except ourselves
+ deny(all, ["kernel"], ["security"], ["load_policy"]);
 type_(proc, ["domain"]);
 typeattribute([proc], ["mlstrustedsubject", "netdomain", "appdomain"]);
 type_(file, ["file_type"]);
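Review bot: The new comment promises an exception for Magisk itself, but the added rule `deny(all, ["kernel"], ["security"], ["load_policy"])` covers every source type, and nothing visible in this hunk restores the permission for `proc`. If the exception comes from a later rule that grants `proc` broad access or marks it permissive (not visible here; the `rules!` block continues past the hunk), the guarantee depends on statement order and the comment should say so, e.g. `// Strip load_policy from every domain; the grant for our own domain further down must stay after this line`. Assuming `deny` only removes existing allow bits rather than adding a neverallow-style constraint, permissive domains and any rules applied after this block would not be bound by it, so the comment should not present this as a hard guarantee.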