diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index b19870368fa22a837c42214f5c5e596e08c11ce9..a8320b51d8c2dfac0c3ea3592b589a30ce3b48d1 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -27,6 +27,7 @@ allow domain_deprecated system_file:file r_file_perms;
 auditallow {
   domain_deprecated
   -appdomain
+  -fingerprintd
   -init
   -installd
   -rild
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index b541e34ef49da73ad05802c2589ab22377be58f4..b27f014cf3dfc233e8e44ca9a83c9ece2a6f5719 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -3,6 +3,9 @@ type fingerprintd_exec, exec_type, file_type;
 
 binder_use(fingerprintd)
 
+# Scan through /system/lib64/hw looking for installed HALs
+allow fingerprintd system_file:dir r_dir_perms;
+
 # need to find KeyStore and add self
 allow fingerprintd fingerprintd_service:service_manager { add find };
 
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 13d2db729312d85b29c5a2763b99f945245caaaa..f6ec1abbf1c9751d806dcae1f584147d405233a9 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -10,6 +10,9 @@ allow gatekeeperd ion_device:chr_file r_file_perms;
 # need to find KeyStore and add self
 allow gatekeeperd gatekeeper_service:service_manager { add find };
 
+# Scan through /system/lib64/hw looking for installed HALs
+allow gatekeeperd system_file:dir r_dir_perms;
+
 # Need to add auth tokens to KeyStore
 use_keystore(gatekeeperd)
 allow gatekeeperd keystore:keystore_key { add_auth };
diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te
index cbb47e525c8392366c687a24925688a8dc6a6d11..f179599b2970b09ce58b32ba6c78c158e354a7c4 100644
--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -13,6 +13,9 @@ allow hwservicemanager { domain -init }:binder transfer;
 
 set_prop(hwservicemanager, hwservicemanager_prop)
 
+# Scan through /system/lib64/hw looking for installed HALs
+allow hwservicemanager system_file:dir r_dir_perms;
+
 # TODO once hwservicemanager checks whether HALs are
 # allowed to register a certain service, add policy here
 # for allowing to check SELinux permissions.