diff --git a/public/wpantund.te b/public/wpantund.te
index 2993e6d6e8b832c344d2600de8a8b8f5c2a11d6b..a97481eb2ce010e94fd5b3a5b35f2ee6093738b8 100644
--- a/public/wpantund.te
+++ b/public/wpantund.te
@@ -10,6 +10,13 @@ binder_call(wpantund, system_server)
 # wpantund needs to be able to check in with the lowpan_service
 allow wpantund lowpan_service:service_manager find;
+# Allow wpantund to call any callbacks that have been registered with it.
+# Generally, only privileged apps are able to register callbacks with
+# wpantund, so we are limiting the scope for callbacks to only privileged
+# apps. We also add shell to allow the command-line utility `lowpanctl`
+# to work properly from `adb shell`.
+allow wpantund {priv_app shell}:binder call;
+
 # create sockets to set interfaces up and down, add multicast groups, etc.
 allow wpantund self:udp_socket create_socket_perms;
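Review bot: The `shell` half of `allow wpantund {priv_app shell}:binder call;` applies on every build type, so the daemon may issue binder calls into the adb shell domain on production builds as well as development ones. If `lowpanctl` is meant only as a development tool, which the comment hints at but does not state, split the rule into `allow wpantund priv_app:binder call;` and a separate `allow wpantund shell:binder call;` wrapped in the `userdebug_or_eng` macro. The rule also grants only `call`, whereas the `binder_call(wpantund, system_server)` macro used earlier in the file also covers `transfer` and fd use; a one-line comment saying the narrower grant is intentional would keep a later cleanup from widening it.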