diff --git a/file.te b/file.te
index 833e41a4f2dbd905019348b8dbca3382edbe0360..b789e36e53fa436aff0506c750754a70681aaa28 100644
--- a/file.te
+++ b/file.te
@@ -117,7 +117,7 @@ type storage_stub_file, file_type;
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.
-type postinstall_file, file_type;
+type postinstall_file, file_type, exec_type;
 
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type;
diff --git a/update_engine.te b/update_engine.te
index 06ae5212df83f3de68478c5b47684ce64abcb007..cf614e6a0883399a1c60b8155a6351d6267b9067 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -36,13 +36,19 @@ allow update_engine postinstall_mnt_dir:dir mounton;
 allow update_engine postinstall_file:filesystem { mount unmount relabelfrom relabelto };
 allow update_engine labeledfs:filesystem relabelfrom;
 
-# Allow update_engine to read and execute postinstall_file, which is what the
-# postinstall program is relabeled to regardless of its attributes in the new
-# system. The postinstall program will run in the "postinstall" domain.
+# Allow update_engine to read and execute postinstall_file.
 allow update_engine postinstall_file:file rx_file_perms;
 allow update_engine postinstall_file:lnk_file r_file_perms;
 allow update_engine postinstall_file:dir r_dir_perms;
 
+# The postinstall program is run by update_engine and will always be tagged as a
+# postinstall_file regardless of its attributes in the new system.
+domain_auto_trans(update_engine, postinstall_file, postinstall)
+
+# A postinstall program is typically a shell script (with a #!), so we allow
+# to execute those.
+allow update_engine shell_exec:file rx_file_perms;
+
 # Register the service to perform Binder IPC.
 binder_use(update_engine)
 allow update_engine update_engine_service:service_manager { add };
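Review bot: Adding `exec_type` to `postinstall_file` marks every file under the /postinstall mount as executable content, not just the postinstall program, and the comment above the type does not say why the attribute is there. I would extend it: `# Files inside the /postinstall mountpoint are all labeled as postinstall_file;` / `# it is exec_type so update_engine can execute the postinstall program (see update_engine.te).` Since the same series gives update_engine `relabelfrom relabelto` on `postinstall_file:filesystem`, it is worth confirming that the exec_type-related neverallow rules elsewhere in the policy (not in this diff) still compile, and that nothing else on that mount is expected to be writable or non-executable.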
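Review bot: `allow update_engine shell_exec:file rx_file_perms;` is wider than the `#!` case the comment describes: `rx_file_perms` includes `execute_no_trans`, which lets update_engine run the shell directly in its own domain with no transition. As far as I can tell, when a `#!` script is exec'd the interpreter is opened with the caller's credentials and only needs read/open/execute, while the transition and entrypoint checks are done against the script (`postinstall_file`), so `allow update_engine shell_exec:file { r_file_perms execute };` should be sufficient and would keep update_engine from executing an untransitioned shell; this is worth verifying against a real postinstall script in enforcing mode. Either way, the comment should state that the rule exists only for the interpreter, e.g. `# Needed so the #! interpreter of a postinstall script can be loaded; the script itself still transitions to the postinstall domain.`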