diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index feadcdadb95e19cf838efc4b60da1974712fb84d..036e1d2dca7cb2dbca35b58a897c4465bb3fd8e1 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -8,10 +8,11 @@ neverallow {
   -rild
 } self:capability { net_admin net_raw };
 
-# Unless a HAL's job is to manage network hardware, it should not be
-# using network sockets.
+# Unless a HAL's job is to communicate over the network, or control network
+# hardware, it should not be using network sockets.
 neverallow {
   halserverdomain
+  -hal_tetheroffload_server
   -hal_wifi_server
   -hal_wifi_supplicant_server
   -rild