diff --git a/plugin/src/main/plugin-metadata/plugin-security.policy b/plugin/src/main/plugin-metadata/plugin-security.policy
index 974c7b373a9..9157c2fab47 100644
--- a/plugin/src/main/plugin-metadata/plugin-security.policy
+++ b/plugin/src/main/plugin-metadata/plugin-security.policy
@@ -21,10 +21,6 @@ grant {
   permission java.security.SecurityPermission "getPolicy";
   permission java.security.SecurityPermission "setPolicy";
 
-  // Netty SelectorUtil wants to change this, because of https://bugs.openjdk.java.net/browse/JDK-6427854
-  // the bug says it only happened rarely, and that its fixed, but apparently it still happens rarely!
-  permission java.util.PropertyPermission "sun.nio.ch.bugLevel", "write";
-
   // needed for multiple server implementations used in tests
   permission java.net.SocketPermission "*", "accept,connect";
 
@@ -32,6 +28,17 @@ grant {
   permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write";
 };
 
+grant codeBase "${codebase.netty-common}" {
+   // for reading the system-wide configuration for the backlog of established sockets
+   permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read";
+};
+
+grant codeBase "${codebase.netty-transport}" {
+   // Netty NioEventLoop wants to change this, because of https://bugs.openjdk.java.net/browse/JDK-6427854
+   // the bug says it only happened rarely, and that its fixed, but apparently it still happens rarely!
+   permission java.util.PropertyPermission "sun.nio.ch.bugLevel", "write";
+};
+
 grant codeBase "${codebase.elasticsearch-rest-client}" {
   // rest client uses system properties which gets the default proxy
   permission java.net.NetPermission "getProxySelector";