diff --git a/core/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java b/core/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java
index 06e51b3a7ea..9db66ca9c14 100644
--- a/core/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java
+++ b/core/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java
@@ -37,19 +37,19 @@ final class ESPolicy extends Policy {
 /** template policy file, the one used in tests */
 static final String POLICY_RESOURCE = "security.policy";
+ /** limited policy for groovy scripts */
+ static final String GROOVY_RESOURCE = "groovy.policy";
 final Policy template;
+ final Policy groovy;
 final PermissionCollection dynamic;
- final PermissionCollection groovy;
 public ESPolicy(PermissionCollection dynamic) throws Exception {
- URI uri = getClass().getResource(POLICY_RESOURCE).toURI();
- this.template = Policy.getInstance("JavaPolicy", new URIParameter(uri));
+ URI policyUri = getClass().getResource(POLICY_RESOURCE).toURI();
+ URI groovyUri = getClass().getResource(GROOVY_RESOURCE).toURI();
+ this.template = Policy.getInstance("JavaPolicy", new URIParameter(policyUri));
+ this.groovy = Policy.getInstance("JavaPolicy", new URIParameter(groovyUri));
 this.dynamic = dynamic;
- this.groovy = new Permissions();
- // groovy IndyInterface bootstrap requires this property
- groovy.add(new PropertyPermission("groovy.indy.logging", "read"));
- groovy.setReadOnly();
 }
 @Override
 @SuppressForbidden(reason = "fast equals check is desired")
@@ -63,7 +63,7 @@ final class ESPolicy extends Policy {
 if (location != null) {
 // run groovy scripts with no permissions (except logging property)
 if ("/groovy/script".equals(location.getFile())) {
- return groovy.implies(permission);
+ return groovy.implies(domain, permission);
 }
 }
 }
diff --git a/core/src/main/resources/org/elasticsearch/bootstrap/groovy.policy b/core/src/main/resources/org/elasticsearch/bootstrap/groovy.policy
new file mode 100644
index 00000000000..4e1275827d9
--- /dev/null
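Review bot: A missing or misplaced policy resource now surfaces as a bare NullPointerException from the constructor, because both new `getClass().getResource(...)` calls chain straight into `.toURI()` with no check, and with a second resource (`GROOVY_RESOURCE`) being loaded the failure no longer tells you which file is absent. Since the groovy policy is what confines `/groovy/script` code, a clear, named failure at startup is preferable to an anonymous NPE; a small helper that validates the lookup also removes the duplicated `Policy.getInstance("JavaPolicy", ...)` call. The helper below needs `java.net.URL` in scope, which I cannot see in this hunk; the class continues outside the hunk.
```java
    public ESPolicy(PermissionCollection dynamic) throws Exception {
        this.template = readPolicy(POLICY_RESOURCE);
        this.groovy = readPolicy(GROOVY_RESOURCE);
        this.dynamic = dynamic;
    }

    /** Loads a policy file shipped next to this class; fails with the resource name if it is missing. */
    private static Policy readPolicy(String resource) throws Exception {
        URL url = ESPolicy.class.getResource(resource);
        if (url == null) {
            throw new IllegalStateException("policy resource not found: " + resource);
        }
        return Policy.getInstance("JavaPolicy", new URIParameter(url.toURI()));
    }
```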
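Review bot: The context comment directly above the changed line, `// run groovy scripts with no permissions (except logging property)`, is now inaccurate: the groovy branch delegates to the file-backed `groovy` policy, and the new groovy.policy in this commit also grants `RuntimePermission "getClassLoader"`, not just the logging property. I would rewrite it as `// run groovy scripts under the limited policy in GROOVY_RESOURCE (groovy.policy)` so the next reader checks the file rather than trusting a stale summary. The enclosing implies method starts and ends outside this hunk.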
+++ b/core/src/main/resources/org/elasticsearch/bootstrap/groovy.policy
@@ -0,0 +1,31 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/*
+ * Limited security policy for groovy scripts.
+ * This is what is needed for its invokeDynamic functionality to work.
+ */
+grant {
+
+ // groovy IndyInterface bootstrap requires this property for indy logging
+ permission java.util.PropertyPermission "groovy.indy.logging", "read";
+
+ // needed IndyInterface selectMethod (setCallSiteTarget)
+ permission java.lang.RuntimePermission "getClassLoader";
+};
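Review bot: The `grant` block carries no codeBase or principal clause, so as written the file grants its permissions to every protection domain it is evaluated against; the restriction to `/groovy/script` domains lives entirely in ESPolicy.implies (see the other hunk of this commit), not in the policy file itself. That coupling is worth stating in the file so it is not reused as a general-purpose policy, e.g. above `grant {`: `// no codeBase clause: ESPolicy consults this policy only for domains whose location is /groovy/script`. The `getClassLoader` grant also widens the sandbox beyond the previous property-only collection; the existing comment explains why it is needed, and adding a sentence noting that it is a deliberate widening (and the only one) would help future reviewers assess further additions.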