diff --git a/private/file_contexts b/private/file_contexts
index 2f009ac6b3a26c868710b86e890d292048f9eb6c..1e7345ae4b41f4aaf187d1b5007190fb94c17f08 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -18,6 +18,9 @@
 /init               u:object_r:init_exec:s0
 /sbin(/.*)?         u:object_r:rootfs:s0
 
+# For kernel modules
+/lib(/.*)?          u:object_r:rootfs:s0
+
 # Empty directories
 /lost\+found        u:object_r:rootfs:s0
 /acct               u:object_r:cgroup:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 7873367142314d65eab627a7dbebb56ba6d33737..c2cfa2cceff4a8a38cd571fdd00ed342a94241f4 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -7,6 +7,7 @@ genfscon proc /interrupts u:object_r:proc_interrupts:s0
 genfscon proc /iomem u:object_r:proc_iomem:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
 genfscon proc /misc u:object_r:proc_misc:s0
+genfscon proc /modules u:object_r:proc_modules:s0
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
diff --git a/private/init.te b/private/init.te
index 8a6dcea77a510447c8edb9a70b03a5fa444f8307..f491d00f3f18f6cb15d1ea2ac4e210bed9b750c1 100644
--- a/private/init.te
+++ b/private/init.te
@@ -13,6 +13,7 @@ recovery_only(`
 domain_trans(init, shell_exec, shell)
 domain_trans(init, init_exec, ueventd)
 domain_trans(init, init_exec, watchdogd)
+domain_trans(init, rootfs, modprobe)
 # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
 userdebug_or_eng(`
   domain_auto_trans(init, logcat_exec, logpersist)
diff --git a/public/file.te b/public/file.te
index 5b99344e0c6d59070f7489ee4a048f4c54300f23..a13f39634404319dfe3bcbac88d98ad8a086a40b 100644
--- a/public/file.te
+++ b/public/file.te
@@ -17,6 +17,7 @@ type proc_interrupts, fs_type;
 type proc_iomem, fs_type;
 type proc_meminfo, fs_type;
 type proc_misc, fs_type;
+type proc_modules, fs_type;
 type proc_net, fs_type;
 type proc_perf, fs_type;
 type proc_stat, fs_type;
diff --git a/public/modprobe.te b/public/modprobe.te
new file mode 100644
index 0000000000000000000000000000000000000000..0fc173df65cc5237e5507c83970f8a39094cb9e0
--- /dev/null
+++ b/public/modprobe.te
@@ -0,0 +1,8 @@
+type modprobe, domain;
+
+allow modprobe proc_modules:file r_file_perms;
+allow modprobe self:capability sys_module;
+recovery_only(`
+  allow modprobe rootfs:system module_load;
+  allow modprobe rootfs:file r_file_perms;
+')