diff --git a/private/init.te b/private/init.te
index fb4335a0908e3698f22e213821f5a0f2c56a3275..f84d87ebb32d0682feb087d30d7afc070d245ed0 100644
--- a/private/init.te
+++ b/private/init.te
@@ -14,6 +14,7 @@ domain_trans(init, shell_exec, shell)
 domain_trans(init, init_exec, ueventd)
 domain_trans(init, init_exec, watchdogd)
 domain_trans(init, rootfs, modprobe)
+domain_trans(init, toolbox_exec, modprobe)
 # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
 userdebug_or_eng(`
   domain_auto_trans(init, logcat_exec, logpersist)
diff --git a/public/domain.te b/public/domain.te
index 2487419c6cdcf3082b08e3f36e0a28a4cc9f661d..66029f8120c20343df76efa550bc4175e19ecad7 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -998,7 +998,7 @@ neverallow {
 # Enforce restrictions on kernel module origin.
 # Do not allow kernel module loading except from system,
 # vendor, and boot partitions.
-neverallow * ~{ system_file vendor_file_type rootfs }:system module_load;
+neverallow * ~{ system_file vendor_file rootfs }:system module_load;
 
 # Only allow filesystem caps to be set at build time or
 # during upgrade by recovery.
diff --git a/public/modprobe.te b/public/modprobe.te
index 0fc173df65cc5237e5507c83970f8a39094cb9e0..24a6b3b6379c4d366d56432956c022fea95d4423 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -6,3 +6,5 @@ recovery_only(`
   allow modprobe rootfs:system module_load;
   allow modprobe rootfs:file r_file_perms;
 ')
+allow modprobe { system_file vendor_file }:system module_load;
+r_dir_file(modprobe, { system_file vendor_file })