diff --git a/shelldomain.te b/shelldomain.te
index e894d9daf..0a8642656 100644
--- a/shelldomain.te
+++ b/shelldomain.te
@@ -25,3 +25,10 @@ allow shelldomain shell_prop:property_service set;
 allow shelldomain ctl_dumpstate_prop:property_service set;
 allow shelldomain debug_prop:property_service set;
 allow shelldomain powerctl_prop:property_service set;
+
+# systrace support - allow atrace to run
+# debugfs doesn't support labeling individual files, so we have
+# to grant read access to all of /sys/kernel/debug.
+# Directory read access and file write access is already granted
+# in domain.te.
+allow shelldomain debugfs:file r_file_perms;