diff --git a/adbd.te b/adbd.te
index a74d10bd477db9324390b738e900edd5f9447dfc..cac234359afa51ff6fe107ace4a4bbe1d2473704 100644
--- a/adbd.te
+++ b/adbd.te
@@ -49,6 +49,10 @@ set_prop(adbd, ffs_prop)
 # Run /system/bin/bu
 allow adbd system_file:file rx_file_perms;
 
+# XXX Run toolbox.  Might not be needed.
+allow adbd toolbox_exec:file rx_file_perms;
+auditallow adbd toolbox_exec:file rx_file_perms;
+
 # Perform binder IPC to surfaceflinger (screencap)
 # XXX Run screencap in a separate domain?
 binder_use(adbd)
diff --git a/app.te b/app.te
index a78fad16a690a34b811696e2a5cfd523bb00fcb1..583495eaba086ba482a2b874aef8000831d49d44 100644
--- a/app.te
+++ b/app.te
@@ -74,6 +74,7 @@ allow appdomain oemfs:file rx_file_perms;
 # Execute the shell or other system executables.
 allow appdomain shell_exec:file rx_file_perms;
 allow appdomain system_file:file rx_file_perms;
+allow appdomain toolbox_exec:file rx_file_perms;
 
 # Execute dex2oat when apps call dexclassloader
 allow appdomain dex2oat_exec:file rx_file_perms;
diff --git a/dhcp.te b/dhcp.te
index cbf105c65629329aeefd8f62ece8648a862a70e2..078e5125dce854503ba2d5046215b99ee0ba8819 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -11,6 +11,9 @@ allow dhcp self:packet_socket create_socket_perms;
 allow dhcp self:netlink_route_socket nlmsg_write;
 allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow dhcp toolbox_exec:file rx_file_perms;
+auditallow dhcp toolbox_exec:file rx_file_perms;
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
 allow dhcp proc_net:file write;
 
diff --git a/domain.te b/domain.te
index e7e0d7d6792545ee34c01ee1529ff8c2362a614e..bfbceabc6fec62a26477996e1ee662c2f07b5c41 100644
--- a/domain.te
+++ b/domain.te
@@ -109,10 +109,6 @@ allow domain system_file:file r_file_perms;
 allow domain system_file:file execute;
 allow domain system_file:lnk_file r_file_perms;
 
-# Run toolbox.
-# Kernel, init, and mediaserver never run anything without changing domains.
-allow { domain -kernel -init -mediaserver } toolbox_exec:file rx_file_perms;
-
 # Read files already opened under /data.
 allow domain system_data_file:dir { search getattr };
 allow domain system_data_file:file { getattr read };
diff --git a/dumpstate.te b/dumpstate.te
index f2aab81b46640756ab3f34c9b744c3d278a08159..963f8cde3d7f50314f5aeec8833e901c7f01aa22 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -21,6 +21,7 @@ allow dumpstate self:capability kill;
 #   /system/bin/logcat
 #   /system/bin/dumpsys
 allow dumpstate system_file:file execute_no_trans;
+allow dumpstate toolbox_exec:file rx_file_perms;
 
 # Create and write into /data/anr/
 allow dumpstate self:capability { dac_override chown fowner fsetid };
diff --git a/gpsd.te b/gpsd.te
index 2e050920d9363123bbf698814b0dd1e1610aee4a..4b22223142825d9ee7345752422737f719b1a9ec 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -18,6 +18,7 @@ allow gpsd gps_device:chr_file rw_file_perms;
 # Execute the shell or system commands.
 allow gpsd shell_exec:file rx_file_perms;
 allow gpsd system_file:file rx_file_perms;
+allow gpsd toolbox_exec:file rx_file_perms;
 
 ###
 ### neverallow
diff --git a/install_recovery.te b/install_recovery.te
index 138522036e9c164ca19dc4d0c62f5485748ef576..cbc86342555ad51cc3c25f15275e33f142085553 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -13,6 +13,10 @@ allow install_recovery shell_exec:file rx_file_perms;
 # Execute /system/bin/applypatch
 allow install_recovery system_file:file rx_file_perms;
 
+# XXX Execute toolbox.  Might not be needed.
+allow install_recovery toolbox_exec:file rx_file_perms;
+auditallow install_recovery toolbox_exec:file rx_file_perms;
+
 # Update the recovery block device based off a diff of the boot block device
 allow install_recovery block_device:dir search;
 allow install_recovery boot_block_device:blk_file r_file_perms;
diff --git a/netd.te b/netd.te
index d4c51531732bda959472115bd652eb2a7b36588c..81d76c37ed2a1a16e9932eca2103607f14c2678b 100644
--- a/netd.te
+++ b/netd.te
@@ -20,6 +20,9 @@ allow netd self:netlink_nflog_socket create_socket_perms;
 allow netd self:netlink_socket create_socket_perms;
 allow netd shell_exec:file rx_file_perms;
 allow netd system_file:file x_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow netd toolbox_exec:file rx_file_perms;
+auditallow netd toolbox_exec:file rx_file_perms;
 allow netd devpts:chr_file rw_file_perms;
 
 # For /proc/sys/net/ipv[46]/route/flush.
diff --git a/perfprofd.te b/perfprofd.te
index 58cb3e2de103e60df81aa635e5de4ccf4fff548b..433b2b8ed8c9a8b08019abf791c43a35c8180bbd 100644
--- a/perfprofd.te
+++ b/perfprofd.te
@@ -48,7 +48,7 @@ userdebug_or_eng(`
   allow perfprofd exec_type:file r_file_perms;
 
   # simpleperf is going to execute "sleep"
-  allow perfprofd toolbox_exec:file x_file_perms;
+  allow perfprofd toolbox_exec:file rx_file_perms;
 
   # needed for simpleperf on some kernels
   allow perfprofd self:capability ipc_lock;
diff --git a/ppp.te b/ppp.te
index af7062b0e572f8e3777a8b9e2c906699e209be5e..c9b27af55360c1459815709180c675dc5bb37d1d 100644
--- a/ppp.te
+++ b/ppp.te
@@ -11,6 +11,9 @@ allow ppp mtp:unix_dgram_socket rw_socket_perms;
 allow ppp ppp_device:chr_file rw_file_perms;
 allow ppp self:capability net_admin;
 allow ppp system_file:file rx_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow ppp toolbox_exec:file rx_file_perms;
+auditallow ppp toolbox_exec:file rx_file_perms;
 allow ppp vpn_data_file:dir w_dir_perms;
 allow ppp vpn_data_file:file create_file_perms;
 allow ppp mtp:fd use;
diff --git a/racoon.te b/racoon.te
index 8b09cdfe4739bb3e917f85ea89aae656f8120ea0..6447a3dbc84e027deb5af3747943b2edfb5694e8 100644
--- a/racoon.te
+++ b/racoon.te
@@ -19,6 +19,9 @@ allow racoon self:capability { net_admin net_bind_service net_raw setuid };
 
 # XXX: should we give ip-up-vpn its own label (currently racoon domain)
 allow racoon system_file:file rx_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow racoon toolbox_exec:file rx_file_perms;
+auditallow racoon toolbox_exec:file rx_file_perms;
 allow racoon vpn_data_file:file create_file_perms;
 allow racoon vpn_data_file:dir w_dir_perms;
 
diff --git a/recovery.te b/recovery.te
index 1441db1fd3667f75e19beacae9437f8928e4e322..b11213ffe9a2cb7690a0f1a8948beddaf20dd787 100644
--- a/recovery.te
+++ b/recovery.te
@@ -15,6 +15,7 @@ recovery_only(`
   # Run helpers from / or /system without changing domain.
   allow recovery rootfs:file execute_no_trans;
   allow recovery system_file:file execute_no_trans;
+  allow recovery toolbox_exec:file rx_file_perms;
 
   # Mount filesystems.
   allow recovery rootfs:dir mounton;
diff --git a/rild.te b/rild.te
index 549a4aa1745f8a287333259b2a15ff35e3e886fc..ea0e4eddd9cc4ea5c0aa1b82b7dbcce19e551946 100644
--- a/rild.te
+++ b/rild.te
@@ -23,6 +23,9 @@ allow rild sdcard_type:dir r_dir_perms;
 allow rild system_data_file:dir r_dir_perms;
 allow rild system_data_file:file r_file_perms;
 allow rild system_file:file x_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow rild toolbox_exec:file rx_file_perms;
+auditallow rild toolbox_exec:file rx_file_perms;
 
 # property service
 set_prop(rild, radio_prop)
diff --git a/shell.te b/shell.te
index 28f79d6b9e356b46c34a5f63f136dc0777c14c3c..84e1802742f3c629a5e2acf6b2a6d3e06b0b234a 100644
--- a/shell.te
+++ b/shell.te
@@ -38,6 +38,7 @@ allow shell console_device:chr_file rw_file_perms;
 allow shell input_device:dir r_dir_perms;
 allow shell input_device:chr_file rw_file_perms;
 allow shell system_file:file x_file_perms;
+allow shell toolbox_exec:file rx_file_perms;
 allow shell shell_exec:file rx_file_perms;
 allow shell zygote_exec:file rx_file_perms;
 
diff --git a/system_server.te b/system_server.te
index 5f07f65135d212c13523c4f4fe7a7a4df0b540db..6737783dacfcc1a2ff32d78ee94bc8994d232b40 100644
--- a/system_server.te
+++ b/system_server.te
@@ -311,6 +311,10 @@ allow system_server cache_file:fifo_file create_file_perms;
 # Run system programs, e.g. dexopt.
 allow system_server system_file:file x_file_perms;
 
+# XXX Run toolbox.  Might not be needed.
+allow system_server toolbox_exec:file rx_file_perms;
+auditallow system_server toolbox_exec:file rx_file_perms;
+
 # LocationManager(e.g, GPS) needs to read and write
 # to uart driver and ctrl proc entry
 allow system_server gps_device:chr_file rw_file_perms;
diff --git a/vold.te b/vold.te
index a1aef72fd742917b8c2c8849b6143caafb180d6e..b50e39916e2c06cc6c7a129da86e052ff0910c97 100644
--- a/vold.te
+++ b/vold.te
@@ -24,6 +24,9 @@ allow vold shell_exec:file rx_file_perms;
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
 allow vold system_file:file x_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow vold toolbox_exec:file rx_file_perms;
+auditallow vold toolbox_exec:file rx_file_perms;
 allow vold block_device:dir create_dir_perms;
 allow vold block_device:blk_file create_file_perms;
 auditallow vold block_device:blk_file create_file_perms;