diff --git a/private/android_hardware_audio_2_0_service.te b/private/android_hardware_audio_2_0_service.te
new file mode 100644
index 0000000000000000000000000000000000000000..8a29255f253cd9d9df6f17e6e0d61a256b1f02b4
--- /dev/null
+++ b/private/android_hardware_audio_2_0_service.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(android_hardware_audio_2_0_service)
diff --git a/private/file_contexts b/private/file_contexts
index c24d2f991b23b685712650e09895b2308fea806e..a53c5b166ffa895b81c76768443567810608493c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -169,6 +169,7 @@
 /system/bin/wificond	u:object_r:wificond_exec:s0
 /system/bin/rild	u:object_r:rild_exec:s0
 /system/bin/audioserver	u:object_r:audioserver_exec:s0
+/system/bin/hw/android\.hardware\.audio@2\.0-service	u:object_r:android_hardware_audio_2_0_service_exec:s0
 /system/bin/mediadrmserver	u:object_r:mediadrmserver_exec:s0
 /system/bin/mediaserver	u:object_r:mediaserver_exec:s0
 /system/bin/cameraserver	u:object_r:cameraserver_exec:s0
@@ -274,6 +275,7 @@
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
 /data/misc/audio(/.*)?          u:object_r:audio_data_file:s0
 /data/misc/audioserver(/.*)?    u:object_r:audioserver_data_file:s0
+/data/misc/audiohal(/.*)?       u:object_r:audiohal_data_file:s0
 /data/misc/bootstat(/.*)?       u:object_r:bootstat_data_file:s0
 /data/misc/boottrace(/.*)?      u:object_r:boottrace_data_file:s0
 /data/misc/bluetooth(/.*)?      u:object_r:bluetooth_data_file:s0
diff --git a/public/android_hardware_audio_2_0_service.te b/public/android_hardware_audio_2_0_service.te
new file mode 100644
index 0000000000000000000000000000000000000000..9da62c8b1468b9c4b61896cc6dffa61065c3635c
--- /dev/null
+++ b/public/android_hardware_audio_2_0_service.te
@@ -0,0 +1,36 @@
+# android_hardware_audio_2_0_service - audio services daemon
+type android_hardware_audio_2_0_service, domain;
+type android_hardware_audio_2_0_service_exec, exec_type, file_type;
+
+hwbinder_use(android_hardware_audio_2_0_service)
+binder_call(android_hardware_audio_2_0_service, audioserver)
+
+allow android_hardware_audio_2_0_service ion_device:chr_file r_file_perms;
+
+allow android_hardware_audio_2_0_service system_file:dir { open read };
+
+userdebug_or_eng(`
+  # used for pcm capture for debug.
+  allow android_hardware_audio_2_0_service audiohal_data_file:dir create_dir_perms;
+  allow android_hardware_audio_2_0_service audiohal_data_file:file create_file_perms;
+')
+
+r_dir_file(android_hardware_audio_2_0_service, proc)
+allow android_hardware_audio_2_0_service audio_device:dir r_dir_perms;
+allow android_hardware_audio_2_0_service audio_device:chr_file rw_file_perms;
+
+# Needed on some devices for playing audio on paired BT device,
+# but seems appropriate for all devices.
+unix_socket_connect(android_hardware_audio_2_0_service, bluetooth, bluetooth)
+
+###
+### neverallow rules
+###
+
+# android_hardware_audio_2_0_service should never execute any executable without
+# a domain transition
+neverallow android_hardware_audio_2_0_service { file_type fs_type }:file execute_no_trans;
+
+# android_hardware_audio_2_0_service should never need network access.
+# Disallow network sockets.
+neverallow android_hardware_audio_2_0_service domain:{ tcp_socket udp_socket rawip_socket } *;
\ No newline at end of file
diff --git a/public/audioserver.te b/public/audioserver.te
index b1a84a239a77daa1e2930ec347ab2e433db36cf8..5dea1b3ccdb8252319d581dca9e161a46a7fb5c9 100644
--- a/public/audioserver.te
+++ b/public/audioserver.te
@@ -9,6 +9,9 @@ binder_call(audioserver, binderservicedomain)
 binder_call(audioserver, { appdomain ephemeral_app })
 binder_service(audioserver)
 
+hwbinder_use(audioserver)
+binder_call(audioserver, android_hardware_audio_2_0_service)
+
 r_dir_file(audioserver, proc)
 allow audioserver ion_device:chr_file r_file_perms;
 allow audioserver system_file:dir r_dir_perms;
diff --git a/public/file.te b/public/file.te
index b622c875a750105f228a1d3c561c89e2e91bb738..4867b6710f9b2b1db6ccd6c76e190076bbc7dac6 100644
--- a/public/file.te
+++ b/public/file.te
@@ -142,6 +142,7 @@ type postinstall_file, file_type;
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type;
 type audio_data_file, file_type, data_file_type;
+type audiohal_data_file, file_type, data_file_type;
 type audioserver_data_file, file_type, data_file_type;
 type bluetooth_data_file, file_type, data_file_type;
 type bluetooth_logs_data_file, file_type, data_file_type;