diff --git a/public/runas.te b/public/runas.te
index 19e30e8005328088a5ca1f483ff5a9249248a9cb..046165d4bfb6f212950ae224f99ff5fa84674947 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -23,6 +23,10 @@ selinux_check_context(runas) # validate context
 allow runas self:process setcurrent;
 allow runas non_system_app_set:process dyntransition; # setcon
 
+# runas/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow runas seapp_contexts_file:file r_file_perms;
+
 ###
 ### neverallow rules
 ###