diff --git a/update_engine.te b/update_engine.te
index 5542b489863735e55c3b0332a1136f0ceae01391..9f942430bcb7d807a1fd3a7d2cfff3d07ae1d7cf 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -55,6 +55,9 @@ domain_auto_trans(update_engine, postinstall_file, postinstall)
 # to execute those.
 allow update_engine shell_exec:file rx_file_perms;
 
+# Allow update_engine to suspend, resume and kill the postinstall program.
+allow update_engine postinstall:process { signal sigstop };
+
 # Register the service to perform Binder IPC.
 binder_use(update_engine)
 allow update_engine update_engine_service:service_manager { add };