diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 5d539e951..9c9db71bf 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -388,6 +388,11 @@ class process
 	getrlimit
 }
 
+class process2
+{
+	nnp_transition
+	nosuid_transition
+}
 
 #
 # Define the access vector interpretation for ipc-related objects
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index ce3268da0..3ff1b72d2 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -188,4 +188,6 @@ class kcm_socket
 class qipcrtr_socket
 class smc_socket
 
+class process2
+
 # FLASK
diff --git a/policy/policy_capabilities b/policy/policy_capabilities
index 78484a91e..4f2a97afb 100644
--- a/policy/policy_capabilities
+++ b/policy/policy_capabilities
@@ -83,3 +83,11 @@ policycap open_perms;
 # Requires libsepol 2.7+ to build policy with this enabled.
 #
 policycap extended_socket_class;
+
+# Enable NoNewPrivileges support.  Requires libsepol 2.7+
+# and kernel 4.14 (estimated).
+#
+# Checks enabled;
+# process2: nnp_transition, nosuid_transition
+#
+#policycap nnp_nosuid_transition;