diff --git a/vold.te b/vold.te
index e7996e162b5d814162a08d65f587fcab6524b655..8416531685293cf1c4feb7cc2b1200ab4e2b489f 100644
--- a/vold.te
+++ b/vold.te
@@ -168,6 +168,9 @@ allow vold fuse_device:chr_file rw_file_perms;
 allow vold sysfs_zram:dir r_dir_perms;
 allow vold sysfs_zram_uevent:file rw_file_perms;
 
+# MoveTask.cpp executes cp and rm
+allow vold toolbox_exec:file rx_file_perms;
+
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;