diff --git a/domain.te b/domain.te
index c75d0d87bd2cc067b744180124392b6500eb6209..d86ac0cc2a485cf335d313894353d1b7a76935da 100644
--- a/domain.te
+++ b/domain.te
@@ -493,3 +493,9 @@ neverallow {
 userdebug_or_eng(`-uncrypt')
 -installd
 } shell_data_file:lnk_file read;
+
+# servicemanager is the only process which handles list request
+neverallow domain ~servicemanager:service_manager list;
+
+# only service_manager_types can be added to service_manager
+neverallow domain ~service_manager_type:service_manager { add find };
diff --git a/init.te b/init.te
index 34b010cf3ce1dd9cad4a50f3cae6c1c2ce1fac52..9fdfd222a3cd27a569828a37989a3180e44deb35 100644
--- a/init.te
+++ b/init.te
@@ -282,3 +282,7 @@ neverallow init app_data_file:lnk_file read;
 # init should never execute a program without changing to another domain.
 neverallow init { file_type fs_type }:file execute_no_trans;
+
+# Init never adds or uses services via service_manager.
+neverallow init service_manager_type:service_manager { add find };
+neverallow init servicemanager:service_manager list;
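Review bot: The comment above the second added neverallow in domain.te mentions only that service_manager_type types "can be added", while the rule denies both `add` and `find` against any target outside that attribute; the comment should name both, e.g. `# Only service_manager_type types may be the target of add or find.` The first comment has a similar gap: the rule restricts the target of `list` to the servicemanager type and does not limit which source domains may request it, so `# list is only ever granted against the servicemanager type` would describe it more exactly. Since these are compile-time assertions, a service type declared without the attribute would presumably break the policy build as soon as an allow rule references it, which is worth stating next to the rule for authors of device-specific policy.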
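Review bot: The two added init.te rules cover only targets labelled `service_manager_type` and `servicemanager`, so init is fully barred from the service_manager class only in combination with the complement rules this commit adds to domain.te (assuming init carries the `domain` attribute, which this hunk does not show). A comment recording that dependency would keep the init.te assertion from being read as self-contained, e.g. `# Other target types are already denied to every domain in domain.te.` The existing comment also says "adds or uses" while the rules name `add`, `find` and `list`; listing the three permissions would be more exact.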