diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 447ca76c5f..677bad4809 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1497,6 +1497,7 @@ template(`userdom_admin_user_template',`
 #
 interface(`userdom_security_admin_template',`
 allow $1 self:capability { dac_override dac_read_search };
+ allow $1 self:capability2 mac_admin;
 corecmd_exec_shell($1)
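Review bot: The added `allow $1 self:capability2 mac_admin;` widens every domain that calls `userdom_security_admin_template`, and nothing in the hunk records why the permission is needed. In SELinux, `mac_admin` is what lets a process set or read security contexts that the loaded policy does not define, so labels applied under it skip the usual context validation; it is usually confined to relabeling or package-installation domains rather than granted to the admin's own domain. If the need is narrower than the whole template (for example only a relabeling tool the admin transitions into), grant it in that domain instead; otherwise state the reason on the line above, e.g. `# mac_admin: set contexts not defined in the loaded policy (reason: <placeholder>)`, and mention the capability in the interface's header comment. The interface body and its header comment extend outside the hunk, so this is judged on the visible lines only.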