diff --git a/private/crosvm.te b/private/crosvm.te
index 5971b91ee..9c4513127 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -10,9 +10,6 @@ neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
 neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
 neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
-# Let crosvm mlock VM memory and page tables.
-allow crosvm self:capability ipc_lock;
 # Let crosvm create temporary files.
 tmpfs_domain(crosvm)
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 3e057fe07..f41e7ccf7 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -22,6 +22,9 @@ add_service(virtualizationservice, virtualization_service)
 # When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
 domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
+# Let virtualizationservice (and specifically its children) mlock VM memory and page tables.
+allow virtualizationservice self:capability sys_resource;
 # Let virtualizationservice kill crosvm.
 allow virtualizationservice crosvm:process sigkill;
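Review bot: The comment above the added `allow virtualizationservice self:capability sys_resource;` line says the grant is for "(and specifically its children)", but a capability rule is checked against the domain of the process using it, and a child that has gone through the `domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)` line just above runs in the crosvm domain, which this rule does not touch and which the other hunk strips of ipc_lock. Presumably the intent is that virtualizationservice raises RLIMIT_MEMLOCK (which needs CAP_SYS_RESOURCE) before exec'ing crosvm so the inherited limit lets crosvm mlock without its own capability, but that is an inference; the comment should state the actual mechanism rather than describe an mlock permission this rule does not grant, e.g. `# Let virtualizationservice raise RLIMIT_MEMLOCK (CAP_SYS_RESOURCE) before exec'ing crosvm, so crosvm can mlock VM memory and page tables within that limit without ipc_lock.` It is also worth recording in the commit message that sys_resource is a broader capability than the ipc_lock it replaces, so the trade is visible to whoever audits this domain later.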