diff --git a/attributes b/attributes
index 485b3e9a91ba9b2a14436ed534526e0ddd5473e3..42eb547212278becf0f2f0e716d46f6eb0f73d11 100644
--- a/attributes
+++ b/attributes
@@ -100,3 +100,8 @@ attribute bluetoothdomain;
 
 # All domains used for binder service domains.
 attribute binderservicedomain;
+
+# All domains that access the boot_control HAL. The permissions the HAL
+# requires are specific to the implementation provided in each device, but
+# common daemons need to be aware of those when calling into the HAL.
+attribute boot_control_hal;
diff --git a/boot_control_hal.te b/boot_control_hal.te
new file mode 100644
index 0000000000000000000000000000000000000000..2a670b39bf1c6e34cef08c56d594d5e44e2769ed
--- /dev/null
+++ b/boot_control_hal.te
@@ -0,0 +1,2 @@
+# Allow read/write bootctrl block device, if one is defined.
+allow boot_control_hal bootctrl_block_device:blk_file rw_file_perms;
diff --git a/update_engine.te b/update_engine.te
index cf614e6a0883399a1c60b8155a6351d6267b9067..33e81342a54ec6ea5ddbdcdc86b61fd7c8003329 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -1,5 +1,6 @@
 # Domain for update_engine daemon.
-type update_engine, domain, domain_deprecated;
+# update_engine uses the boot_control_hal.
+type update_engine, domain, domain_deprecated, boot_control_hal;
 type update_engine_exec, exec_type, file_type;
 type update_engine_data_file, file_type, data_file_type;
 
@@ -55,6 +56,3 @@ allow update_engine update_engine_service:service_manager { add };
 
 # Allow update_engine to call the callback function provided by priv_app.
 binder_call(update_engine, priv_app)
-
-# Allow read/write bootctrl block device.
-allow update_engine bootctrl_block_device:blk_file rw_file_perms;
diff --git a/update_verifier.te b/update_verifier.te
index 42567fec91ffc3d55b01e0bf8d67c0ff793db503..65438d34219e1d13e612fa163a6c6fc8d969d5f6 100644
--- a/update_verifier.te
+++ b/update_verifier.te
@@ -1,10 +1,8 @@
 # update_verifier
-type update_verifier, domain;
+# update_verifier uses the boot_control_hal.
+type update_verifier, domain, boot_control_hal;
 type update_verifier_exec, exec_type, file_type;
 
 init_daemon_domain(update_verifier)
 
-# Raw writes to bootctrl block device
-allow update_verifier bootctrl_block_device:blk_file rw_file_perms;
-
 # TODO: Add rules to allow update_verifier to read system_block_device.