diff --git a/src/port1.0/port_autoconf.tcl.in b/src/port1.0/port_autoconf.tcl.in
index 328c820da6..3cbc735463 100644
--- a/src/port1.0/port_autoconf.tcl.in
+++ b/src/port1.0/port_autoconf.tcl.in
@@ -79,4 +79,5 @@ namespace eval portutil::autoconf {
 	variable prefix "@prefix_expanded@"
 	variable tcl_package_path "@TCL_PACKAGE_PATH@"
 	variable trace_sipworkaround_path "@DARWINTRACE_SIP_WORKAROUND_PATH@"
+	variable clonebin_path "@CLONEBIN_PATH@"
 }
diff --git a/src/port1.0/porttrace.tcl b/src/port1.0/porttrace.tcl
index 1bd0fc767a..daf4866d43 100644
--- a/src/port1.0/porttrace.tcl
+++ b/src/port1.0/porttrace.tcl
@@ -266,6 +266,8 @@ namespace eval porttrace {
 
         # Grant access to the directory we use to mirror binaries under SIP
         allow trace_sandbox ${portutil::autoconf::trace_sipworkaround_path}
+        # Grant access to MacPorts' clonebin utilities
+        allow trace_sandbox ${portutil::autoconf::clonebin_path}
         # Defer back to MacPorts for dependency checks inside $prefix. This must be at the end,
         # or it'll be used instead of more specific rules.
         ask trace_sandbox $prefix