diff --git a/private/bluetooth.te b/private/bluetooth.te index b2369c1c9487f67ed8b293fb90749dd637bcc827..9c7182e6c7aa8beb042d1e4212512d799d19cc95 100644 --- a/private/bluetooth.te +++ b/private/bluetooth.te @@ -58,6 +58,7 @@ allow bluetooth shell_data_file:file read; hal_client_domain(bluetooth, hal_bluetooth) binder_call(bluetooth, hal_telephony) +hal_client_domain(bluetooth, hal_telephony) read_runtime_log_tags(bluetooth) diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te index 5f7549d1634633a7aac4eaf604582411dc9421eb..0aff9f5052489e55554b85df73847cf1124048f1 100644 --- a/private/surfaceflinger.te +++ b/private/surfaceflinger.te @@ -10,8 +10,11 @@ read_runtime_log_tags(surfaceflinger) # Perform HwBinder IPC. hwbinder_use(surfaceflinger) binder_call(surfaceflinger, hal_graphics_allocator) +hal_client_domain(surfaceflinger, hal_graphics_allocator) binder_call(surfaceflinger, hal_graphics_composer) +hal_client_domain(surfaceflinger, hal_graphics_composer) binder_call(surfaceflinger, hal_configstore) +hal_client_domain(surfaceflinger, hal_configstore) # Perform Binder IPC. binder_use(surfaceflinger) diff --git a/private/system_server.te b/private/system_server.te index 516ace48b1fa8aaeca923f2fac4efd3c07097f28..58a25e29cfd8a9ad653e056665ccd8cfb03f0bf4 100644 --- a/private/system_server.te +++ b/private/system_server.te 
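Review bot: In private/bluetooth.te the existing `binder_call(bluetooth, hal_telephony)` stays next to the new `hal_client_domain(bluetooth, hal_telephony)`, so the same relationship is now expressed twice, and the old rule still targets the broad `hal_telephony` attribute rather than `hal_telephony_server`. The same pairing recurs in surfaceflinger.te, system_server.te, dumpstate.te, healthd.te, nfc.te and radio.te, and no rule in the visible diff grants anything to the new `_client` attributes yet. If this is a deliberate transition step, mark it with a comment such as `# TODO(b/<bug-id>): drop once hal_telephony.te allows binder_call(hal_telephony_client, hal_telephony_server)` so the legacy rules do not outlive the migration. The macro definition is not part of this diff; if `hal_client_domain` also adds the client to the HAL attribute itself on builds that allow passthrough HALs, each of these lines widens the client to everything granted to that HAL, which is worth confirming for system_server in particular.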
@@ -176,18 +176,28 @@ hwbinder_use(system_server) hwallocator_use(system_server) binder_call(system_server, hal_boot) binder_call(system_server, hal_contexthub) +hal_client_domain(system_server, hal_contexthub) hal_client_domain(system_server, hal_fingerprint) binder_call(system_server, hal_gnss) +hal_client_domain(system_server, hal_gnss) binder_call(system_server, hal_graphics_allocator) binder_call(system_server, hal_ir) +hal_client_domain(system_server, hal_ir) binder_call(system_server, hal_light) +hal_client_domain(system_server, hal_light) binder_call(system_server, hal_memtrack) +hal_client_domain(system_server, hal_memtrack) binder_call(system_server, hal_power) +hal_client_domain(system_server, hal_power) hal_client_domain(system_server, hal_sensors) binder_call(system_server, hal_thermal) +hal_client_domain(system_server, hal_thermal) binder_call(system_server, hal_usb) +hal_client_domain(system_server, hal_usb) binder_call(system_server, hal_vibrator) +hal_client_domain(system_server, hal_vibrator) binder_call(system_server, hal_vr) +hal_client_domain(system_server, hal_vr) hal_client_domain(system_server, hal_wifi) hal_client_domain(system_server, hal_wifi_supplicant) diff --git a/public/attributes b/public/attributes index d26f7eee8a9ee5a4cb2de0552451060a11167684..a0c1f9397bc3f3d294983de22cb4fa0f081a97d6 100644 --- a/public/attributes +++ b/public/attributes @@ -136,7 +136,11 @@ attribute hal_camera; attribute hal_camera_client; attribute hal_camera_server; attribute hal_configstore; +attribute hal_configstore_client; +attribute hal_configstore_server; attribute hal_contexthub; +attribute hal_contexthub_client; +attribute hal_contexthub_server; attribute hal_drm; attribute hal_drm_client; attribute hal_drm_server; 
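Review bot: In private/system_server.te, `binder_call(system_server, hal_graphics_allocator)` is left without a matching client line, although this commit declares `hal_graphics_allocator_client` in public/attributes and marks surfaceflinger as a client of the same HAL. If system_server is meant to be a client, add `hal_client_domain(system_server, hal_graphics_allocator)` directly after that rule. If it is excluded on purpose (as `hal_boot` also appears to be), a one-line comment saying why would stop the next reader from treating it as an omission. The rule list continues outside the hunk, so other entries may be handled elsewhere.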
@@ -147,26 +151,56 @@ attribute hal_fingerprint; attribute hal_fingerprint_client; attribute hal_fingerprint_server; attribute hal_gatekeeper; +attribute hal_gatekeeper_client; +attribute hal_gatekeeper_server; attribute hal_gnss; +attribute hal_gnss_client; +attribute hal_gnss_server; attribute hal_graphics_allocator; +attribute hal_graphics_allocator_client; +attribute hal_graphics_allocator_server; attribute hal_graphics_composer; +attribute hal_graphics_composer_client; +attribute hal_graphics_composer_server; attribute hal_health; +attribute hal_health_client; +attribute hal_health_server; attribute hal_ir; +attribute hal_ir_client; +attribute hal_ir_server; attribute hal_keymaster; attribute hal_keymaster_client; attribute hal_keymaster_server; attribute hal_light; +attribute hal_light_client; +attribute hal_light_server; attribute hal_memtrack; +attribute hal_memtrack_client; +attribute hal_memtrack_server; attribute hal_nfc; +attribute hal_nfc_client; +attribute hal_nfc_server; attribute hal_power; +attribute hal_power_client; +attribute hal_power_server; attribute hal_sensors; attribute hal_sensors_client; attribute hal_sensors_server; attribute hal_telephony; +attribute hal_telephony_client; +attribute hal_telephony_server; attribute hal_thermal; +attribute hal_thermal_client; +attribute hal_thermal_server; attribute hal_usb; +attribute hal_usb_client; +attribute hal_usb_server; attribute hal_vibrator; +attribute hal_vibrator_client; +attribute hal_vibrator_server; attribute hal_vr; +attribute hal_vr_client; +attribute hal_vr_server; attribute hal_wifi; attribute hal_wifi_client; attribute hal_wifi_server; diff --git a/public/dumpstate.te b/public/dumpstate.te index 80161deb04814917c42ed6bc4c2f73b130b0977b..8e645b9db9d271169d117e68cf3be3830df392a1 100644 --- a/public/dumpstate.te +++ b/public/dumpstate.te 
@@ -91,6 +91,7 @@ binder_call(dumpstate, { appdomain netd wificond }) # For binderized mode: hal_client_domain(dumpstate, hal_dumpstate) binder_call(dumpstate, hal_vibrator) +hal_client_domain(dumpstate, hal_vibrator) # For passthrough mode: allow dumpstate sysfs_vibrator:file { rw_file_perms getattr }; diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te index 94fb2b93702401c70d0ce1e08e35bfa878b08a86..abecbda24051b9123a2d2f763eb1cf29bd638884 100644 --- a/public/gatekeeperd.te +++ b/public/gatekeeperd.te @@ -16,6 +16,7 @@ allow gatekeeperd system_file:dir r_dir_perms; ### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process. ### These rules should eventually be granted only when needed. hwbinder_use(gatekeeperd) +hal_client_domain(gatekeeperd, hal_gatekeeper) ### # need to find KeyStore and add self diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te index a17dbcd568daceab25020a52a899770773dd42de..c428ebaf0fdb165726f73f139fe384ba21d6ad4d 100644 --- a/public/hal_gatekeeper.te +++ b/public/hal_gatekeeper.te @@ -1,4 +1,6 @@ # call into gatekeeperd process (callbacks) +# TODO: This rules is unlikely to be needed because Gatekeeper HIDL +# says there are no callbacks binder_call(hal_gatekeeper, gatekeeperd) # TEE access. diff --git a/public/healthd.te b/public/healthd.te index 2f26b9e28e58af01406e5246cc482c9c527465eb..8737dbe5f5b2b9064775cd6a10929aaac8262835 100644 --- a/public/healthd.te +++ b/public/healthd.te @@ -26,6 +26,7 @@ binder_service(healthd) binder_call(healthd, system_server) binder_call(healthd, hwservicemanager) binder_call(healthd, hal_health) +hal_client_domain(healthd, hal_health) # Write to state file. # TODO: Split into a separate type? diff --git a/public/nfc.te b/public/nfc.te index 866180bdbb5675da8e45aa0846f104357e56cedb..cb6a7819846f2677b6002d80912fe37280191110 100644 --- a/public/nfc.te +++ b/public/nfc.te 
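Review bot: The TODO added in public/hal_gatekeeper.te has a typo and no tracking reference; it should read `# TODO(b/<bug-id>): This rule is unlikely to be needed because Gatekeeper HIDL`. More importantly, `binder_call(hal_gatekeeper, gatekeeperd)` lets the HAL domain initiate calls into the daemon that fronts credential verification, and the comment itself says the interface has no callbacks. A rule described as probably unnecessary on such a sensitive path is better removed in this change, or tied to a bug, than left open-ended. With the `hal_client_domain(gatekeeperd, hal_gatekeeper)` line added in public/gatekeeperd.te, it is also worth checking whether gatekeeperd can end up carrying the `hal_gatekeeper` attribute, in which case this rule would apply to gatekeeperd calling itself.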
@@ -38,3 +38,4 @@ allow nfc shell_data_file:file read; # allow NFC process to call into the NFC HAL binder_call(nfc, hal_nfc) +hal_client_domain(nfc, hal_nfc) diff --git a/public/radio.te b/public/radio.te index 953b59ca246a519276fe7f7d09b12f42dadbc0e6..a8966599b99e1c31f2359c1c147f112180997f37 100644 --- a/public/radio.te +++ b/public/radio.te @@ -37,4 +37,4 @@ allow radio system_api_service:service_manager find; # Perform HwBinder IPC. hwbinder_use(radio) binder_call(radio, hal_telephony) - +hal_client_domain(radio, hal_telephony) diff --git a/public/rild.te b/public/rild.te index fd1eccaa4595653c23fceb0f05323b4913bce3ca..e4b01869064be3858275b2f1c5237c9ceb34e1d1 100644 --- a/public/rild.te +++ b/public/rild.te @@ -1,6 +1,6 @@ # rild - radio interface layer daemon type rild, domain, domain_deprecated; -hal_impl_domain(rild, hal_telephony) +hal_server_domain(rild, hal_telephony) net_domain(rild) allowxperm rild self:udp_socket ioctl priv_sock_ioctls; diff --git a/vendor/hal_configstore_default.te b/vendor/hal_configstore_default.te index b3ca6c2ffc0dc306307d8345c1b0b44ff9dfbe98..e8930ca8da3a3c27875fd9e03ada0f3163b41760 100644 --- a/vendor/hal_configstore_default.te +++ b/vendor/hal_configstore_default.te @@ -1,5 +1,5 @@ type hal_configstore_default, domain; -hal_impl_domain(hal_configstore_default, hal_configstore) +hal_server_domain(hal_configstore_default, hal_configstore) type hal_configstore_default_exec, exec_type, file_type; init_daemon_domain(hal_configstore_default) diff --git a/vendor/hal_contexthub_default.te b/vendor/hal_contexthub_default.te index abf5b0e3be3c93b327662d6eed1a4b325f3eacfc..67dd5302032b2af6c88907b6072011b11e358951 100644 --- a/vendor/hal_contexthub_default.te +++ b/vendor/hal_contexthub_default.te 
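Review bot: The swap to `hal_server_domain(rild, hal_telephony)` in public/rild.te is not a pure rename: the two macros may assign different attributes, and their definitions are not in this diff. The retained `binder_call(radio, hal_telephony)` and `binder_call(bluetooth, hal_telephony)` rules keep working only if `hal_server_domain` still associates the server with the base `hal_telephony` attribute, and any allow or neverallow rule keyed on an attribute that only `hal_impl_domain` assigned would silently stop covering rild. The same applies to every vendor/hal_*_default.te file changed here. A short comment in the macro file, or a sentence in the commit description, stating which attributes each macro sets would make that checkable.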
@@ -1,5 +1,5 @@ type hal_contexthub_default, domain; -hal_impl_domain(hal_contexthub_default, hal_contexthub) +hal_server_domain(hal_contexthub_default, hal_contexthub) type hal_contexthub_default_exec, exec_type, file_type; init_daemon_domain(hal_contexthub_default) diff --git a/vendor/hal_gatekeeper_default.te b/vendor/hal_gatekeeper_default.te index 3c84b1378c2e98773b2a888d842aaa3dae6d3431..d48af1650dc7f869f1c811f8e08461d299caee74 100644 --- a/vendor/hal_gatekeeper_default.te +++ b/vendor/hal_gatekeeper_default.te @@ -1,5 +1,5 @@ type hal_gatekeeper_default, domain; -hal_impl_domain(hal_gatekeeper_default, hal_gatekeeper) +hal_server_domain(hal_gatekeeper_default, hal_gatekeeper) type hal_gatekeeper_default_exec, exec_type, file_type; init_daemon_domain(hal_gatekeeper_default); diff --git a/vendor/hal_gnss_default.te b/vendor/hal_gnss_default.te index 78f85bcf1fce7baa74c3b72c118534f84a1c6e06..18da090804852b11cb8b556755025cdb877ed875 100644 --- a/vendor/hal_gnss_default.te +++ b/vendor/hal_gnss_default.te @@ -1,5 +1,5 @@ type hal_gnss_default, domain; -hal_impl_domain(hal_gnss_default, hal_gnss) +hal_server_domain(hal_gnss_default, hal_gnss) type hal_gnss_default_exec, exec_type, file_type; init_daemon_domain(hal_gnss_default) diff --git a/vendor/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te index 6b3672cf953ff8b650b62bea6e0695a563f401b1..f47a60477abe285c2c1eaf2860645566644e66f0 100644 --- a/vendor/hal_graphics_allocator_default.te +++ b/vendor/hal_graphics_allocator_default.te @@ -1,5 +1,5 @@ type hal_graphics_allocator_default, domain; -hal_impl_domain(hal_graphics_allocator_default, hal_graphics_allocator) +hal_server_domain(hal_graphics_allocator_default, hal_graphics_allocator) type hal_graphics_allocator_default_exec, exec_type, file_type; init_daemon_domain(hal_graphics_allocator_default) 
diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te index 99bf690fccef63167ed993c177606a292d0aa4dc..b65b8fe14851864dbc53207d333d9a5b1f3a8b3f 100644 --- a/vendor/hal_graphics_composer_default.te +++ b/vendor/hal_graphics_composer_default.te @@ -1,5 +1,5 @@ type hal_graphics_composer_default, domain; -hal_impl_domain(hal_graphics_composer_default, hal_graphics_composer) +hal_server_domain(hal_graphics_composer_default, hal_graphics_composer) type hal_graphics_composer_default_exec, exec_type, file_type; init_daemon_domain(hal_graphics_composer_default) diff --git a/vendor/hal_health_default.te b/vendor/hal_health_default.te index 0496cdf0157c7ef7a98b8ebd7b948c8e877b9b2e..3add20bcaec9ac43dd4ec26aa1e0e61a94da54d3 100644 --- a/vendor/hal_health_default.te +++ b/vendor/hal_health_default.te @@ -1,6 +1,6 @@ # health info abstraction type hal_health_default, domain; -hal_impl_domain(hal_health_default, hal_health) +hal_server_domain(hal_health_default, hal_health) type hal_health_default_exec, exec_type, file_type; init_daemon_domain(hal_health_default) diff --git a/vendor/hal_ir_default.te b/vendor/hal_ir_default.te index 2de1b9285269fa5ed01b7fbf8ba372c23299a79d..e43bf076a16695ccb64d79666aa30924bdc165f3 100644 --- a/vendor/hal_ir_default.te +++ b/vendor/hal_ir_default.te @@ -1,5 +1,5 @@ type hal_ir_default, domain; -hal_impl_domain(hal_ir_default, hal_ir) +hal_server_domain(hal_ir_default, hal_ir) type hal_ir_default_exec, exec_type, file_type; init_daemon_domain(hal_ir_default) diff --git a/vendor/hal_light_default.te b/vendor/hal_light_default.te index bee7c8a533d1386097df92c2647a96d8348377b4..8c1bfb6908e2b8e228d94328a421546f4a0b6315 100644 --- a/vendor/hal_light_default.te +++ b/vendor/hal_light_default.te 
@@ -1,5 +1,5 @@ type hal_light_default, domain; -hal_impl_domain(hal_light_default, hal_light) +hal_server_domain(hal_light_default, hal_light) type hal_light_default_exec, exec_type, file_type; init_daemon_domain(hal_light_default) diff --git a/vendor/hal_memtrack_default.te b/vendor/hal_memtrack_default.te index 1c5ca99de64fe0467f6f606d0b6f1e3c9fbcf26b..0e3ba21a0e4c3fc10ef794c470aab3d434c10aae 100644 --- a/vendor/hal_memtrack_default.te +++ b/vendor/hal_memtrack_default.te @@ -1,5 +1,5 @@ type hal_memtrack_default, domain; -hal_impl_domain(hal_memtrack_default, hal_memtrack) +hal_server_domain(hal_memtrack_default, hal_memtrack) type hal_memtrack_default_exec, exec_type, file_type; init_daemon_domain(hal_memtrack_default) diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te index b6abb1958303937d27c80e8f36952e7e1f10a481..b155f27d3030da1a70f3c4648e1619007b79dabd 100644 --- a/vendor/hal_nfc_default.te +++ b/vendor/hal_nfc_default.te @@ -1,5 +1,5 @@ type hal_nfc_default, domain; -hal_impl_domain(hal_nfc_default, hal_nfc) +hal_server_domain(hal_nfc_default, hal_nfc) type hal_nfc_default_exec, exec_type, file_type; init_daemon_domain(hal_nfc_default) diff --git a/vendor/hal_power_default.te b/vendor/hal_power_default.te index c8977eedb183b626c76643d54e50bf7e005f705f..47065ea45cc38f978d90bee0472997cf0af69930 100644 --- a/vendor/hal_power_default.te +++ b/vendor/hal_power_default.te @@ -1,5 +1,5 @@ type hal_power_default, domain; -hal_impl_domain(hal_power_default, hal_power) +hal_server_domain(hal_power_default, hal_power) type hal_power_default_exec, exec_type, file_type; init_daemon_domain(hal_power_default) diff --git a/vendor/hal_thermal_default.te b/vendor/hal_thermal_default.te index baa3b97ab39ed0fabb0806f5c84ab49191361ec8..9a777e062785c4d02acfc0e2546c85ea53785739 100644 --- a/vendor/hal_thermal_default.te +++ b/vendor/hal_thermal_default.te 
@@ -1,5 +1,5 @@ type hal_thermal_default, domain; -hal_impl_domain(hal_thermal_default, hal_thermal) +hal_server_domain(hal_thermal_default, hal_thermal) type hal_thermal_default_exec, exec_type, file_type; init_daemon_domain(hal_thermal_default) diff --git a/vendor/hal_usb_default.te b/vendor/hal_usb_default.te index 24017f9e05a03718aa35b17772ef2b78287ba02b..cc28a65f3d2f3cc658a7ec6bb2cd592d9186e1ca 100644 --- a/vendor/hal_usb_default.te +++ b/vendor/hal_usb_default.te @@ -1,4 +1,5 @@ type hal_usb_default, domain; -hal_impl_domain(hal_usb_default, hal_usb) +hal_server_domain(hal_usb_default, hal_usb) + type hal_usb_default_exec, exec_type, file_type; init_daemon_domain(hal_usb_default) diff --git a/vendor/hal_vibrator_default.te b/vendor/hal_vibrator_default.te index c185e0862e56821a104bf87b582b2e6f13bdd111..8bc8a724c6d4cf24ed2c01b30dea60210de791ce 100644 --- a/vendor/hal_vibrator_default.te +++ b/vendor/hal_vibrator_default.te @@ -1,5 +1,5 @@ type hal_vibrator_default, domain; -hal_impl_domain(hal_vibrator_default, hal_vibrator) +hal_server_domain(hal_vibrator_default, hal_vibrator) type hal_vibrator_default_exec, exec_type, file_type; init_daemon_domain(hal_vibrator_default) diff --git a/vendor/hal_vr_default.te b/vendor/hal_vr_default.te index f32c737c18132508a1b45b48f195263094481b0c..7475524a18b0c608ae6331771fec949840bcee8f 100644 --- a/vendor/hal_vr_default.te +++ b/vendor/hal_vr_default.te @@ -1,5 +1,5 @@ type hal_vr_default, domain; -hal_impl_domain(hal_vr_default, hal_vr) +hal_server_domain(hal_vr_default, hal_vr) type hal_vr_default_exec, exec_type, file_type; init_daemon_domain(hal_vr_default)