diff --git a/public/system_server.te b/public/system_server.te
index 61f640dffb3923bfbc9e8886f6c6dd56c3c67c41..aef97b54eb154d29c3794660f597afd67e1ac53a 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -4,9 +4,6 @@
 #
 type system_server, domain, domain_deprecated, mlstrustedsubject;
 
-# Attributes for passthrough hals
-typeattribute system_server hal_light;
-
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
 allow system_server dalvikcache_data_file:file { r_file_perms execute };
@@ -610,6 +607,13 @@ r_dir_file(system_server, sysfs_type)
 # Allow system_server to make binder calls to hwservicemanager
 binder_call(system_server, hwservicemanager)
 
+### Rules needed when Light HAL runs inside system_server process.
+### These rules should eventually be granted only when needed.
+allow system_server sysfs_leds:lnk_file read;
+allow system_server sysfs_leds:file rw_file_perms;
+allow system_server sysfs_leds:dir r_dir_perms;
+###
+
 userdebug_or_eng(`
   # Allow WifiService to start, stop, and read wifi-specific trace events.
   allow system_server debugfs_tracing_instances:dir search;
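Review bot: The three `sysfs_leds` rules added after `binder_call(system_server, hwservicemanager)` are unconditional, so system_server keeps `rw_file_perms` on the LED sysfs files even on builds where the Light HAL does not run inside it. The added comment concedes this ("should eventually be granted only when needed") but gives no condition or tracking reference, so the broad grant is likely to outlive its purpose. I would replace the second comment line with something actionable, such as `# TODO(b/<bug-id>): grant only when the Light HAL runs in passthrough mode inside system_server.`, and check whether plain write access would suffice instead of the full `rw_file_perms` set. The `###` markers also differ from the single-`#` comment style used by the surrounding rules in this file.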