diff --git a/private/domain.te b/private/domain.te
index 2f107dde0..3454fd108 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -179,6 +179,35 @@ get_prop(domain, log_file_logger_prop)
 # Allow all processes to connect to PRNG seeder daemon.
 unix_socket_connect(domain, prng_seeder, prng_seeder)
 
+# Allow calls to system(3), popen(3), ...
+allow {
+  domain
+  # Except domains that explicitly neverallow it.
+  -kernel
+  -init
+  -vendor_init
+  -app_zygote
+  -webview_zygote
+  -system_server
+  -artd
+  -audioserver
+  -cameraserver
+  -mediadrmserver
+  -mediaextractor
+  -mediametrics
+  -mediaserver
+  -mediatuner
+  -mediatranscoding
+  -ueventd
+  -hal_audio_server
+  -hal_camera_server
+  -hal_cas_server
+  -hal_codec2_server
+  -hal_configstore_server
+  -hal_drm_server
+  -hal_omx_server
+} {shell_exec toolbox_exec}:file rx_file_perms;
+
 # No domains other than a select few can access the misc_block_device. This
 # block device is reserved for OTA use.
 # Do not assert this rule on userdebug/eng builds, due to some devices using