diff --git a/adbd.te b/adbd.te
index 7ca63d69559e0fb4c644e0f47d9746459c8180b6..cf6928a3698660419e2e99d047c6ec6fe2323e0f 100644
--- a/adbd.te
+++ b/adbd.te
@@ -49,6 +49,10 @@ set_prop(adbd, ffs_prop)
 # Run /system/bin/bu
 allow adbd system_file:file rx_file_perms;
 
+# XXX Run toolbox.  Might not be needed.
+allow adbd toolbox_exec:file rx_file_perms;
+auditallow adbd toolbox_exec:file rx_file_perms;
+
 # Perform binder IPC to surfaceflinger (screencap)
 # XXX Run screencap in a separate domain?
 binder_use(adbd)
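Review bot: The `XXX ... Might not be needed` comment on the new adbd rule does not say how the question gets settled, so the allow/auditallow pair can stay in the policy indefinitely. I would state the exit condition in the comment, e.g. `# XXX Run toolbox. Audited to learn whether adbd uses it; remove both rules if no "granted" records appear.` The auditallow covers all of `rx_file_perms`, so a record may come from a getattr or read rather than an exec; check the permission set in each record before concluding that the domain runs toolbox. The same applies to the identical pairs in dhcp.te, install_recovery.te, netd.te, ppp.te, racoon.te, rild.te, system_server.te and vold.te.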
diff --git a/app.te b/app.te
index a78fad16a690a34b811696e2a5cfd523bb00fcb1..583495eaba086ba482a2b874aef8000831d49d44 100644
--- a/app.te
+++ b/app.te
@@ -74,6 +74,7 @@ allow appdomain oemfs:file rx_file_perms;
 # Execute the shell or other system executables.
 allow appdomain shell_exec:file rx_file_perms;
 allow appdomain system_file:file rx_file_perms;
+allow appdomain toolbox_exec:file rx_file_perms;
 
 # Execute dex2oat when apps call dexclassloader
 allow appdomain dex2oat_exec:file rx_file_perms;
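Review bot: The new `allow appdomain toolbox_exec:file rx_file_perms;` is the broadest grant left after this change. It applies to every domain carrying the appdomain attribute and, unlike the daemon rules elsewhere in this commit, has no auditallow to show which app domains use it. The attribute's membership is not visible in this hunk; if it includes the most restricted app sandboxes, a follow-up should exclude them or grant toolbox per app domain. At minimum a comment such as `# Apps may run toolbox commands via the shell; narrow per app domain once usage is known.` would record the intent.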
diff --git a/dhcp.te b/dhcp.te
index cbf105c65629329aeefd8f62ece8648a862a70e2..078e5125dce854503ba2d5046215b99ee0ba8819 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -11,6 +11,9 @@ allow dhcp self:packet_socket create_socket_perms;
 allow dhcp self:netlink_route_socket nlmsg_write;
 allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow dhcp toolbox_exec:file rx_file_perms;
+auditallow dhcp toolbox_exec:file rx_file_perms;
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
 allow dhcp proc_net:file write;
 
diff --git a/domain.te b/domain.te
index 085b319243fa32cda9ca763c4bc79d5b15c95c04..8a802229498ff0fa69c3686a41b08d923263f29e 100644
--- a/domain.te
+++ b/domain.te
@@ -109,10 +109,6 @@ allow domain system_file:file r_file_perms;
 allow domain system_file:file execute;
 allow domain system_file:lnk_file r_file_perms;
 
-# Run toolbox.
-# Kernel, init, and mediaserver never run anything without changing domains.
-allow { domain -kernel -init -mediaserver } toolbox_exec:file rx_file_perms;
-
 # Read files already opened under /data.
 allow domain system_data_file:dir { search getattr };
 allow domain system_data_file:file { getattr read };
diff --git a/dumpstate.te b/dumpstate.te
index f2aab81b46640756ab3f34c9b744c3d278a08159..963f8cde3d7f50314f5aeec8833e901c7f01aa22 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -21,6 +21,7 @@ allow dumpstate self:capability kill;
 #   /system/bin/logcat
 #   /system/bin/dumpsys
 allow dumpstate system_file:file execute_no_trans;
+allow dumpstate toolbox_exec:file rx_file_perms;
 
 # Create and write into /data/anr/
 allow dumpstate self:capability { dac_override chown fowner fsetid };
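Review bot: The added toolbox rule has no comment of its own and reads as part of the list of specific binaries above it (`/system/bin/logcat`, `/system/bin/dumpsys`), although it grants `rx_file_perms` on a different type than the `system_file` rule that list describes. A one-line comment saying what dumpstate runs from toolbox would keep the rule reviewable, e.g. `# Run toolbox commands while collecting the report.` The comment block above starts outside the hunk, so check the wording against its first lines.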
diff --git a/gpsd.te b/gpsd.te
index 2e050920d9363123bbf698814b0dd1e1610aee4a..4b22223142825d9ee7345752422737f719b1a9ec 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -18,6 +18,7 @@ allow gpsd gps_device:chr_file rw_file_perms;
 # Execute the shell or system commands.
 allow gpsd shell_exec:file rx_file_perms;
 allow gpsd system_file:file rx_file_perms;
+allow gpsd toolbox_exec:file rx_file_perms;
 
 ###
 ### neverallow
diff --git a/install_recovery.te b/install_recovery.te
index 2d80b0874f92d228b1d3ec34282867e914604b2f..cd9dd3b8dc9d5686cffe0feb797527a4f6e2b5d2 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -13,6 +13,10 @@ allow install_recovery shell_exec:file rx_file_perms;
 # Execute /system/bin/applypatch
 allow install_recovery system_file:file rx_file_perms;
 
+# XXX Execute toolbox.  Might not be needed.
+allow install_recovery toolbox_exec:file rx_file_perms;
+auditallow install_recovery toolbox_exec:file rx_file_perms;
+
 # Update the recovery block device based off a diff of the boot block device
 allow install_recovery block_device:dir search;
 allow install_recovery boot_block_device:blk_file r_file_perms;
diff --git a/netd.te b/netd.te
index d4c51531732bda959472115bd652eb2a7b36588c..81d76c37ed2a1a16e9932eca2103607f14c2678b 100644
--- a/netd.te
+++ b/netd.te
@@ -20,6 +20,9 @@ allow netd self:netlink_nflog_socket create_socket_perms;
 allow netd self:netlink_socket create_socket_perms;
 allow netd shell_exec:file rx_file_perms;
 allow netd system_file:file x_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow netd toolbox_exec:file rx_file_perms;
+auditallow netd toolbox_exec:file rx_file_perms;
 allow netd devpts:chr_file rw_file_perms;
 
 # For /proc/sys/net/ipv[46]/route/flush.
diff --git a/perfprofd.te b/perfprofd.te
index 58cb3e2de103e60df81aa635e5de4ccf4fff548b..433b2b8ed8c9a8b08019abf791c43a35c8180bbd 100644
--- a/perfprofd.te
+++ b/perfprofd.te
@@ -48,7 +48,7 @@ userdebug_or_eng(`
   allow perfprofd exec_type:file r_file_perms;
 
   # simpleperf is going to execute "sleep"
-  allow perfprofd toolbox_exec:file x_file_perms;
+  allow perfprofd toolbox_exec:file rx_file_perms;
 
   # needed for simpleperf on some kernels
   allow perfprofd self:capability ipc_lock;
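Review bot: The switch from `x_file_perms` to `rx_file_perms` on toolbox_exec adds read/open, but the comment still only describes executing "sleep", and the rule at the top of this hunk already grants `r_file_perms` on `exec_type:file`. If toolbox_exec carries the exec_type attribute (not visible here), the extra read permissions are redundant and `x_file_perms` could stay. If it does not, the comment should say why read access is needed, e.g. `# simpleperf is going to execute "sleep"; read/open is no longer inherited from the domain-wide toolbox rule`. The userdebug_or_eng block starts and ends outside the hunk.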
diff --git a/ppp.te b/ppp.te
index af7062b0e572f8e3777a8b9e2c906699e209be5e..c9b27af55360c1459815709180c675dc5bb37d1d 100644
--- a/ppp.te
+++ b/ppp.te
@@ -11,6 +11,9 @@ allow ppp mtp:unix_dgram_socket rw_socket_perms;
 allow ppp ppp_device:chr_file rw_file_perms;
 allow ppp self:capability net_admin;
 allow ppp system_file:file rx_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow ppp toolbox_exec:file rx_file_perms;
+auditallow ppp toolbox_exec:file rx_file_perms;
 allow ppp vpn_data_file:dir w_dir_perms;
 allow ppp vpn_data_file:file create_file_perms;
 allow ppp mtp:fd use;
diff --git a/racoon.te b/racoon.te
index 8b09cdfe4739bb3e917f85ea89aae656f8120ea0..6447a3dbc84e027deb5af3747943b2edfb5694e8 100644
--- a/racoon.te
+++ b/racoon.te
@@ -19,6 +19,9 @@ allow racoon self:capability { net_admin net_bind_service net_raw setuid };
 
 # XXX: should we give ip-up-vpn its own label (currently racoon domain)
 allow racoon system_file:file rx_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow racoon toolbox_exec:file rx_file_perms;
+auditallow racoon toolbox_exec:file rx_file_perms;
 allow racoon vpn_data_file:file create_file_perms;
 allow racoon vpn_data_file:dir w_dir_perms;
 
diff --git a/recovery.te b/recovery.te
index 8d6fd627533576cbcf71cec171ac8a140bc8265c..d5f6c6beec4f95840b39cc27c833914ce9a00ce5 100644
--- a/recovery.te
+++ b/recovery.te
@@ -15,6 +15,7 @@ recovery_only(`
   # Run helpers from / or /system without changing domain.
   allow recovery rootfs:file execute_no_trans;
   allow recovery system_file:file execute_no_trans;
+  allow recovery toolbox_exec:file rx_file_perms;
 
   # Mount filesystems.
   allow recovery rootfs:dir mounton;
diff --git a/rild.te b/rild.te
index 549a4aa1745f8a287333259b2a15ff35e3e886fc..ea0e4eddd9cc4ea5c0aa1b82b7dbcce19e551946 100644
--- a/rild.te
+++ b/rild.te
@@ -23,6 +23,9 @@ allow rild sdcard_type:dir r_dir_perms;
 allow rild system_data_file:dir r_dir_perms;
 allow rild system_data_file:file r_file_perms;
 allow rild system_file:file x_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow rild toolbox_exec:file rx_file_perms;
+auditallow rild toolbox_exec:file rx_file_perms;
 
 # property service
 set_prop(rild, radio_prop)
diff --git a/shell.te b/shell.te
index 28f79d6b9e356b46c34a5f63f136dc0777c14c3c..84e1802742f3c629a5e2acf6b2a6d3e06b0b234a 100644
--- a/shell.te
+++ b/shell.te
@@ -38,6 +38,7 @@ allow shell console_device:chr_file rw_file_perms;
 allow shell input_device:dir r_dir_perms;
 allow shell input_device:chr_file rw_file_perms;
 allow shell system_file:file x_file_perms;
+allow shell toolbox_exec:file rx_file_perms;
 allow shell shell_exec:file rx_file_perms;
 allow shell zygote_exec:file rx_file_perms;
 
diff --git a/system_server.te b/system_server.te
index af58248f0d0bc8531394c98ef8bce3f856bb38f3..ffb2750b316c3a16138bad95f8709ac454f2b592 100644
--- a/system_server.te
+++ b/system_server.te
@@ -320,6 +320,10 @@ allow system_server cache_file:fifo_file create_file_perms;
 # Run system programs, e.g. dexopt.
 allow system_server system_file:file x_file_perms;
 
+# XXX Run toolbox.  Might not be needed.
+allow system_server toolbox_exec:file rx_file_perms;
+auditallow system_server toolbox_exec:file rx_file_perms;
+
 # LocationManager(e.g, GPS) needs to read and write
 # to uart driver and ctrl proc entry
 allow system_server gps_device:chr_file rw_file_perms;
diff --git a/vold.te b/vold.te
index b22436f3f30b6e11986fcf09f0e785c1c5ea2560..5abb2f95eefd19b191d0198381d6b0e00687bb14 100644
--- a/vold.te
+++ b/vold.te
@@ -24,6 +24,9 @@ allow vold shell_exec:file rx_file_perms;
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
 allow vold system_file:file x_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow vold toolbox_exec:file rx_file_perms;
+auditallow vold toolbox_exec:file rx_file_perms;
 allow vold block_device:dir create_dir_perms;
 allow vold block_device:blk_file create_file_perms;
 auditallow vold block_device:blk_file create_file_perms;