diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index 1f117d22d02a4775ab308edb7de37c83a0eee39d..7c5600b5dd55f0ef4556dde0b743529f3d126abe 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -5,8 +5,8 @@ type hal_wifi_exec, exec_type, file_type;
 ## hwbinder access
 hwbinder_use(hal_wifi)
 
-## call into wificond process (callbacks)
-binder_call(hal_wifi, wificond)
+## call into system_server process (for invoking callbacks)
+binder_call(hal_wifi, system_server)
 
 r_dir_file(hal_wifi, proc_net)
 r_dir_file(hal_wifi, sysfs_type)
@@ -20,3 +20,5 @@ allow hal_wifi self:capability { net_admin net_raw };
 allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
 # newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
 allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
+# hal_wifi writes firmware paths to this file.
+allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
diff --git a/public/system_server.te b/public/system_server.te
index 36e95ab8b456737cff5f44ab2298ebf8360b3ce5..146e55735e0e57cf7f4a4e7d1d5c82dfccf7ab69 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -146,13 +146,6 @@ allow system_server surfaceflinger:unix_stream_socket { read write setopt };
 
 # Perform Binder IPC.
 binder_use(system_server)
-binder_call(system_server, hal_boot)
-binder_call(system_server, hal_light)
-binder_call(system_server, hal_memtrack)
-binder_call(system_server, hal_power)
-binder_call(system_server, hal_thermal)
-binder_call(system_server, hal_vibrator)
-binder_call(system_server, hal_vr)
 binder_call(system_server, { appdomain ephemeral_app })
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, dumpstate)
@@ -163,6 +156,18 @@ binder_call(system_server, netd)
 binder_call(system_server, wificond)
 binder_service(system_server)
 
+# Perform HwBinder IPC.
+hwbinder_use(system_server)
+binder_call(system_server, hal_boot)
+binder_call(system_server, hal_light)
+binder_call(system_server, hal_memtrack)
+binder_call(system_server, hal_power)
+binder_call(system_server, hal_thermal)
+binder_call(system_server, hal_vibrator)
+binder_call(system_server, hal_vr)
+binder_call(system_server, hal_wifi)
+binder_call(system_server, wpa)
+
 # Ask debuggerd to dump backtraces for native stacks of interest.
 #
 # This is derived from the list that system server defines as interesting native processes
diff --git a/public/wificond.te b/public/wificond.te
index c6b85fccfe9baac0b3367ca1dfdd3cdb550830f3..0fcc3ae9b1605e67e7e6a75e8d6c958be3cab0e3 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -5,10 +5,6 @@ type wificond_exec, exec_type, file_type;
 binder_use(wificond)
 binder_call(wificond, system_server)
 
-hwbinder_use(wificond)
-binder_call(wificond, hal_wifi)
-binder_call(wificond, wpa)
-
 allow wificond wificond_service:service_manager { add find };
 
 # wificond writes firmware paths to this file.
diff --git a/public/wpa.te b/public/wpa.te
index 83276c80cc77541d9954afaaa42e91e52b2a3d0e..20fcd536853859d3b318b09e32bd61d36f0a47bf 100644
--- a/public/wpa.te
+++ b/public/wpa.te
@@ -26,7 +26,7 @@ binder_use(wpa)
 
 # HIDL interface exposed by WPA.
 hwbinder_use(wpa)
-binder_call(wpa, wificond)
+binder_call(wpa, system_server)
 
 # Create a socket for receiving info from wpa
 allow wpa wpa_socket:dir create_dir_perms;