diff --git a/domain.te b/domain.te
index 23c5997e2e99e3e128e88f710bfa2dbf0c49a86e..b10bee8bba876f3032bc71d810b60abee9bd7fac 100644
--- a/domain.te
+++ b/domain.te
@@ -110,8 +110,8 @@ allow domain system_file:file execute;
 allow domain system_file:lnk_file r_file_perms;
 
 # Run toolbox.
-# Kernel and init never run anything without changing domains.
-allow { domain -kernel -init } toolbox_exec:file rx_file_perms;
+# Kernel, init, and mediaserver never run anything without changing domains.
+allow { domain -kernel -init -mediaserver } toolbox_exec:file rx_file_perms;
 
 # Read files already opened under /data.
 allow domain system_data_file:dir { search getattr };
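Review bot: The updated comment on the toolbox_exec rule names mediaserver but not what enforces the carve-out, so a later edit that drops `-mediaserver` would be rejected by a neverallow the reader has to go looking for; point to it inline: `# Kernel, init, and mediaserver never run anything without changing domains (mediaserver: enforced by the neverallow in mediaserver.te).` Note also that excluding mediaserver from this rule removes the whole `rx_file_perms` set for toolbox_exec, which presumably covers read/getattr as well as execute, not just the execute_no_trans the neverallow forbids; if mediaserver still needs to read or stat toolbox that would need a separate, narrower allow. That looks intended here but is worth stating in the commit description.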
diff --git a/mediaserver.te b/mediaserver.te
index 6effd0a96f0505757217392301b19955ea7a114d..22fbe87f9789101253a5e5c621d36d841bb9de69 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -106,3 +106,11 @@ allow mediaserver drmserver:drmservice {
     finalizeDecryptUnit
     pread
 };
+
+###
+### neverallow rules
+###
+
+# mediaserver should never execute any executable without a
+# domain transition
+neverallow mediaserver { file_type fs_type }:file execute_no_trans;
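Review bot: The new comment describes the intent but not the mechanism, and a neverallow is a policy build-time assertion rather than a runtime denial, so it only catches rules that grant `execute_no_trans` and does not itself remove any permission; the actual removal is the `-mediaserver` carve-out in domain.te in this same change. Make that dependency explicit so the two stay in sync: `# Enforced at policy build time; the matching carve-out lives in domain.te.` The rule scopes only `execute_no_trans`, so execution through a domain transition stays permitted, which matches the stated intent.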