diff --git a/te_macros b/te_macros
index 404222ad7609b2e72639b6bfc45c47519b13dd80..3d170f4fb5d9a45d582bb9a7b01a39547b6ac144 100644
--- a/te_macros
+++ b/te_macros
@@ -11,7 +11,7 @@ define(`domain_trans', `
 allow $1 $2:file { getattr open read execute };
 allow $1 $3:process transition;
 # New domain is entered by executing the file.
-allow $3 $2:file { entrypoint read execute };
+allow $3 $2:file { entrypoint open read execute getattr };
 # New domain can send SIGCHLD to its caller.
 allow $3 $1:process sigchld;
 # Enable AT_SECURE, i.e. libc secure mode.