diff --git a/private/app.te b/private/app.te
index 25dbdb70b6c98dc93dc8b15bacd78437792aca4f..bbd4b9269c8240fe166f0ece144c002355a3ac78 100644
--- a/private/app.te
+++ b/private/app.te
@@ -69,9 +69,6 @@ allow appdomain appdomain:fifo_file rw_file_perms;
 # Communicate with surfaceflinger.
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 
-# Query whether a Surface supports wide color
-allow { appdomain -isolated_app } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
-
 # App sandbox file accesses.
 allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
 allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 3595ee426c67b0923bff62f5ba8a4024aa77fbae..b33035e8ea9d51ec1422b6105c9acba6e1330e7c 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -14,7 +14,6 @@ read_runtime_log_tags(surfaceflinger)
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
 hal_client_domain(surfaceflinger, hal_configstore)
-allow surfaceflinger hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
 allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
 
 # Perform Binder IPC.
diff --git a/private/system_server.te b/private/system_server.te
index 99dc66314f2310ef033cbc31fc4948f122e972d3..3c3f82d9707b8cb1e06229982b6c34b15b342186 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -177,6 +177,7 @@ binder_service(system_server)
 
 # Use HALs
 hal_client_domain(system_server, hal_allocator)
+hal_client_domain(system_server, hal_configstore)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_fingerprint)
 hal_client_domain(system_server, hal_gnss)
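Review bot: The added `hal_client_domain(system_server, hal_configstore)` in private/system_server.te carries no stated reason, and the rationale this commit deletes from private/app.te (`# Query whether a Surface supports wide color`) is not carried over anywhere. Through the client attribute system_server gains more than the single `find` that apps held: public/hal_configstore.te also gives every client `binder_call` to hal_configstore_server. If system_server now makes the wide-color query on behalf of apps, which is only inferred from the removal, record that next to the new line, for example `# configstore: query ISurfaceFlingerConfigs (wide color) so apps need no direct access`.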
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 4bf6cfd522748f0d4db61f771e737059dec4e18a..66a168e407fd99bc9b46095b69224010334367e7 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -1,6 +1,8 @@
 # HwBinder IPC from client to server
 binder_call(hal_configstore_client, hal_configstore_server)
 
+allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+
 add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
 # As opposed to the rules of most other HALs, the different services exposed by
 # this HAL should be restricted to different clients. Thus, the allow rules for
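Review bot: The added `allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;` grants `find` to every domain carrying the client attribute, while the comment that starts two lines below says the services of this HAL should be restricted to different clients. That comment continues outside the hunk, so its exact rule cannot be checked from here, but the attribute-wide grant appears to work against it. Any domain later added with `hal_client_domain(..., hal_configstore)` would pick up ISurfaceFlingerConfigs without a per-client decision. Consider keeping the grant per client, with `allow surfaceflinger hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;` left in private/surfaceflinger.te and the same rule written for system_server. Otherwise add a comment above this rule stating why this one service is meant to be visible to all configstore clients.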