diff --git a/private/storaged.te b/private/storaged.te
index c6276a31c934496d80c2e2038c7c90d1980a3aa9..1d87251fd128a6dab19893f4ef062d5da74dd9e7 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -24,7 +24,7 @@ userdebug_or_eng(`
 ')
 
 # Binder permissions
-allow storaged storaged_service:service_manager add;
+add_service(storaged, storaged_service)
 
 binder_use(storaged)
 binder_call(storaged, system_server)
diff --git a/public/audioserver.te b/public/audioserver.te
index 676b04e321329dd841c730be128c1649503cec79..bc0b989ff0c23411b8c1e871a1b3467be8bf2f87 100644
--- a/public/audioserver.te
+++ b/public/audioserver.te
@@ -30,7 +30,7 @@ userdebug_or_eng(`
 allow audioserver audio_device:dir r_dir_perms;
 allow audioserver audio_device:chr_file rw_file_perms;
 
-allow audioserver audioserver_service:service_manager { add find };
+add_service(audioserver, audioserver_service)
 allow audioserver appops_service:service_manager find;
 allow audioserver batterystats_service:service_manager find;
 allow audioserver permission_service:service_manager find;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 41359261ef3aaed2bbd4892b70c369f7abd2a67d..13c289021d9b158ebc7d649c47da49d3f3b6c0fd 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -21,11 +21,11 @@ allow cameraserver camera_device:chr_file rw_file_perms;
 allow cameraserver ion_device:chr_file rw_file_perms;
 allow cameraserver hal_graphics_allocator:fd use;
 
+add_service(cameraserver, cameraserver_service)
 allow cameraserver appops_service:service_manager find;
 allow cameraserver audioserver_service:service_manager find;
 allow cameraserver batterystats_service:service_manager find;
 allow cameraserver cameraproxy_service:service_manager find;
-allow cameraserver cameraserver_service:service_manager add;
 allow cameraserver mediaserver_service:service_manager find;
 allow cameraserver processinfo_service:service_manager find;
 allow cameraserver scheduling_policy_service:service_manager find;
diff --git a/public/drmserver.te b/public/drmserver.te
index ab42696d2dbc1b6ec79c6373c621f0eb0c2d7c00..453ce12135d2a56bbc2b34fe657ed9d832f827a2 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -50,7 +50,7 @@ allow drmserver radio_data_file:file { read getattr };
 allow drmserver oemfs:dir search;
 allow drmserver oemfs:file r_file_perms;
 
-allow drmserver drmserver_service:service_manager { add find };
+add_service(drmserver, drmserver_service)
 allow drmserver permission_service:service_manager find;
 
 selinux_check_access(drmserver)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index a495211361c0edbeee2073e203d6a38127398b2e..c120736e850f1b046216010d5486ea6718c83115 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -188,17 +188,14 @@ allow dumpstate proc_interrupts:file r_file_perms;
 allow dumpstate proc_zoneinfo:file r_file_perms;
 
 # Create a service for talking back to system_server
-allow dumpstate dumpstate_service:service_manager add;
+add_service(dumpstate, dumpstate_service)
 
 ###
 ### neverallow rules
 ###
 
-# only dumpstate can add the dumpstate service
-neverallow { domain -dumpstate } dumpstate_service:service_manager add;
-
-# only system_server and shell can find the dumpstate service
-neverallow { domain -system_server -shell } dumpstate_service:service_manager find;
+# only system_server, dumpstate and shell can find the dumpstate service
+neverallow { domain -system_server -shell -dumpstate } dumpstate_service:service_manager find;
 
 # Dumpstate should not be writing to any generically labeled sysfs files.
 # Create a specific label for the file type
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index b27f014cf3dfc233e8e44ca9a83c9ece2a6f5719..57cde1db053fc2b4271aadf4c22fed6afa8310d0 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -7,7 +7,7 @@ binder_use(fingerprintd)
 allow fingerprintd system_file:dir r_dir_perms;
 
 # need to find KeyStore and add self
-allow fingerprintd fingerprintd_service:service_manager { add find };
+add_service(fingerprintd, fingerprintd_service)
 
 # allow HAL module to read dir contents
 allow fingerprintd fingerprintd_data_file:file { create_file_perms };
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 88a2e00fc118548325de7ab79bbcbcff10899e67..e842cd26cac4691fae27a7b8dca02a1ad170e736 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -8,7 +8,7 @@ binder_service(gatekeeperd)
 binder_use(gatekeeperd)
 
 # need to find KeyStore and add self
-allow gatekeeperd gatekeeper_service:service_manager { add find };
+add_service(gatekeeperd, gatekeeper_service)
 
 # Scan through /system/lib64/hw looking for installed HALs
 allow gatekeeperd system_file:dir r_dir_perms;
@@ -32,5 +32,3 @@ allow gatekeeperd gatekeeper_data_file:file create_file_perms;
 allow gatekeeperd hardware_properties_service:service_manager find;
 
 r_dir_file(gatekeeperd, cgroup)
-
-neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
diff --git a/public/healthd.te b/public/healthd.te
index fcc5afc4073727e0a7b9b986d93c01ec0b911900..2f26b9e28e58af01406e5246cc482c9c527465eb 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -57,7 +57,7 @@ allow healthd ashmem_device:chr_file execute;
 allow healthd self:process execmem;
 allow healthd proc_sysrq:file rw_file_perms;
 
-allow healthd batteryproperties_service:service_manager { add find };
+add_service(healthd, batteryproperties_service)
 
 # Healthd needs to tell init to continue the boot
 # process when running in charger mode.
diff --git a/public/inputflinger.te b/public/inputflinger.te
index 14cfdc73f60cc7f3f5d8f7ab7769b3bb27428e24..e5f12a0c154fdc398a898dfdc1dde1f9d11c5ec5 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@@ -9,7 +9,7 @@ binder_call(inputflinger, system_server)
 
 wakelock_use(inputflinger)
 
-allow inputflinger inputflinger_service:service_manager { add find };
+add_service(inputflinger, inputflinger_service)
 allow inputflinger input_device:dir r_dir_perms;
 allow inputflinger input_device:chr_file rw_file_perms;
 
diff --git a/public/installd.te b/public/installd.te
index bf83b9d824a30ebc001e5052a83eddacef02821c..08255a4c07c33ab3e0d07f37b4c17529a0fdc630 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -121,7 +121,7 @@ allow installd toolbox_exec:file rx_file_perms;
 
 # Allow installd to publish a binder service and make binder calls.
 binder_use(installd)
-allow installd installd_service:service_manager add;
+add_service(installd, installd_service)
 allow installd dumpstate:fifo_file  { getattr write };
 
 # Allow installd to call into the system server so it can check permissions.
@@ -136,7 +136,7 @@ allow installd labeledfs:filesystem { quotaget quotamod };
 ### Neverallow rules
 ###
 
-# only system_server and dumpstate may interact with installd over binder
-neverallow { domain -system_server -dumpstate } installd_service:service_manager find;
+# only system_server, installd and dumpstate may interact with installd over binder
+neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
 neverallow { domain -system_server -dumpstate } installd:binder call;
 neverallow installd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
diff --git a/public/keystore.te b/public/keystore.te
index 42150176ae459d93aa961909639fee95ffbc7228..457ff376b4d4bf9956190324620918ced542b435 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -12,7 +12,7 @@ allow keystore keystore_exec:file { getattr };
 allow keystore tee_device:chr_file rw_file_perms;
 allow keystore tee:unix_stream_socket connectto;
 
-allow keystore keystore_service:service_manager { add find };
+add_service(keystore, keystore_service)
 allow keystore sec_key_att_app_id_provider_service:service_manager find;
 
 # Check SELinux permissions.
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 27b27e0d1fe9c6757e905b990f46370dc003bebf..9f07d8564ac4df721d855ff17954f710ca83f263 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -9,7 +9,7 @@ binder_call(mediacodec, binderservicedomain)
 binder_call(mediacodec, appdomain)
 binder_service(mediacodec)
 
-allow mediacodec mediacodec_service:service_manager add;
+add_service(mediacodec, mediacodec_service)
 allow mediacodec mediametrics_service:service_manager find;
 allow mediacodec surfaceflinger_service:service_manager find;
 allow mediacodec gpu_device:chr_file rw_file_perms;
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index 781229b7242d3590f4b1f768e139b71c1956e490..f93cf4545e728e0d93e324f022c5b73c3ec86980 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -10,8 +10,8 @@ binder_call(mediadrmserver, binderservicedomain)
 binder_call(mediadrmserver, appdomain)
 binder_service(mediadrmserver)
 
-allow mediadrmserver mediadrmserver_service:service_manager { add find };
-allow mediadrmserver mediaserver_service:service_manager { add find };
+add_service(mediadrmserver, mediadrmserver_service)
+allow mediadrmserver mediaserver_service:service_manager find;
 allow mediadrmserver mediametrics_service:service_manager find;
 allow mediadrmserver processinfo_service:service_manager find;
 allow mediadrmserver surfaceflinger_service:service_manager find;
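Review bot: The second rewritten line drops `add` on mediaserver_service for mediadrmserver, narrowing `{ add find }` to `find`; unlike the rest of this commit that is a real permission change, not a mechanical macro substitution. It is the right direction if mediadrmserver never registers mediaserver_service itself, and the new `add_service(mediaserver, mediaserver_service)` neverallow in mediaserver.te would reject such an add anyway, but the tightening should be called out in the commit message so it is not mistaken for a refactor.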
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 7187c220ab3cfa91950913090b355b8e25a64ef3..deecc00ba393b3cabceac23d2b20d34fb0f085b1 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -9,7 +9,7 @@ binder_call(mediaextractor, binderservicedomain)
 binder_call(mediaextractor, appdomain)
 binder_service(mediaextractor)
 
-allow mediaextractor mediaextractor_service:service_manager add;
+add_service(mediaextractor, mediaextractor_service)
 allow mediaextractor mediametrics_service:service_manager find;
 
 allow mediaextractor system_server:fd use;
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 9b4409be2c2c9e2a832325b69d018741a565ff42..84d184bd9ceffc511b47c2821981bfdf0451b07a 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -7,7 +7,7 @@ binder_use(mediametrics)
 binder_call(mediametrics, binderservicedomain)
 binder_service(mediametrics)
 
-allow mediametrics mediametrics_service:service_manager add;
+add_service(mediametrics, mediametrics_service)
 
 allow mediametrics system_server:fd use;
 
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 56654e509586625682e55b787563ca8ae3d81b4e..16b8013288aa19530e33547c616156ca260677cf 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -78,6 +78,7 @@ unix_socket_connect(mediaserver, bluetooth, bluetooth)
 # Connect to tee service.
 allow mediaserver tee:unix_stream_socket connectto;
 
+add_service(mediaserver, mediaserver_service)
 allow mediaserver activity_service:service_manager find;
 allow mediaserver appops_service:service_manager find;
 allow mediaserver audioserver_service:service_manager find;
@@ -86,7 +87,6 @@ allow mediaserver batterystats_service:service_manager find;
 allow mediaserver drmserver_service:service_manager find;
 allow mediaserver mediaextractor_service:service_manager find;
 allow mediaserver mediacodec_service:service_manager find;
-allow mediaserver mediaserver_service:service_manager { add find };
 allow mediaserver mediametrics_service:service_manager find;
 allow mediaserver media_session_service:service_manager find;
 allow mediaserver permission_service:service_manager find;
diff --git a/public/netd.te b/public/netd.te
index 45a19525cc4e95c1b727b614cd637c7683683474..df1820361b0675fda0f09c7c2d0b53cbf54df4ca 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -61,7 +61,7 @@ set_prop(netd, ctl_mdnsd_prop)
 
 # Allow netd to publish a binder service and make binder calls.
 binder_use(netd)
-allow netd netd_service:service_manager add;
+add_service(netd, netd_service)
 allow netd dumpstate:fifo_file  { getattr write };
 
 # Allow netd to call into the system server so it can check permissions.
@@ -92,7 +92,7 @@ neverallow netd system_file:dir_file_class_set write;
 # Write to files in /data/data or system files on /data
 neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
 
-# only system_server and dumpstate may interact with netd over binder
-neverallow { domain -system_server -dumpstate } netd_service:service_manager find;
+# only system_server, dumpstate and netd  may interact with netd over binder
+neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
 neverallow { domain -system_server -dumpstate } netd:binder call;
 neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
diff --git a/public/nfc.te b/public/nfc.te
index 9a8b47183cc89c9f7aade47adc1528012d3e5fdb..866180bdbb5675da8e45aa0846f104357e56cedb 100644
--- a/public/nfc.te
+++ b/public/nfc.te
@@ -25,7 +25,7 @@ allow nfc mediametrics_service:service_manager find;
 allow nfc mediaextractor_service:service_manager find;
 allow nfc mediaserver_service:service_manager find;
 
-allow nfc nfc_service:service_manager { add find };
+add_service(nfc, nfc_service)
 allow nfc radio_service:service_manager find;
 allow nfc surfaceflinger_service:service_manager find;
 allow nfc app_api_service:service_manager find;
diff --git a/public/radio.te b/public/radio.te
index eb52f099f4ef7dacaf6b4deb55b1a81405196340..953b59ca246a519276fe7f7d09b12f42dadbc0e6 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -24,12 +24,12 @@ set_prop(radio, net_radio_prop)
 # ctl interface
 set_prop(radio, ctl_rildaemon_prop)
 
+add_service(radio, radio_service)
 allow radio audioserver_service:service_manager find;
 allow radio cameraserver_service:service_manager find;
 allow radio drmserver_service:service_manager find;
 allow radio mediaserver_service:service_manager find;
 allow radio nfc_service:service_manager find;
-allow radio radio_service:service_manager { add find };
 allow radio surfaceflinger_service:service_manager find;
 allow radio app_api_service:service_manager find;
 allow radio system_api_service:service_manager find;
diff --git a/public/surfaceflinger.te b/public/surfaceflinger.te
index 2b1faec10f6db1390cd7c90aeed36b9b29ef0365..68e86b1070a98992a349be84c3e03ba3eacd8ec3 100644
--- a/public/surfaceflinger.te
+++ b/public/surfaceflinger.te
@@ -57,11 +57,12 @@ allow surfaceflinger tee_device:chr_file rw_file_perms;
 
 
 # media.player service
+add_service(surfaceflinger, gpu_service)
+add_service(surfaceflinger, surfaceflinger_service)
+
 allow surfaceflinger mediaserver_service:service_manager find;
 allow surfaceflinger permission_service:service_manager find;
 allow surfaceflinger power_service:service_manager find;
-allow surfaceflinger gpu_service:service_manager { add find };
-allow surfaceflinger surfaceflinger_service:service_manager { add find };
 allow surfaceflinger window_service:service_manager find;
 
 # allow self to set SCHED_FIFO
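Review bot: The existing `# media.player service` comment now heads the two `add_service` lines for gpu_service and surfaceflinger_service rather than the `mediaserver_service` find it described, so it reads as if those registrations were the media.player service. Either move the comment below the added blank line so it sits directly above `allow surfaceflinger mediaserver_service:service_manager find;`, or put `# Register surfaceflinger's own services` above the add_service lines and leave the old comment with the mediaserver find.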
diff --git a/public/system_server.te b/public/system_server.te
index 84854807ee0df1e717f10d5d5ac65e7ae93cfd60..1dfdafaf7da300ef76fd9c48331ce6e47521e5c6 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -482,6 +482,7 @@ allow system_server pstorefs:file r_file_perms;
 allow system_server sysfs_zram:dir search;
 allow system_server sysfs_zram:file r_file_perms;
 
+add_service(system_server, system_server_service);
 allow system_server audioserver_service:service_manager find;
 allow system_server batteryproperties_service:service_manager find;
 allow system_server cameraserver_service:service_manager find;
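Review bot: The added `add_service(system_server, system_server_service);` carries a trailing semicolon that none of the other invocations in this commit have; after m4 expansion it is left behind as a bare `;` on its own line in policy.conf. Whether checkpolicy tolerates a stray semicolon I cannot confirm from here, so drop it for consistency: `add_service(system_server, system_server_service)`.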
@@ -500,7 +501,6 @@ allow system_server mediadrmserver_service:service_manager find;
 allow system_server netd_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
-allow system_server system_server_service:service_manager { add find };
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server wificond_service:service_manager find;
 
diff --git a/public/te_macros b/public/te_macros
index d4e1324309598858cf1c1888108b64eb50aa1489..0eba3ff3fd5fe8fd4dccc743a54dfe281729e0d4 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -371,6 +371,16 @@ define(`use_drmservice', `
   allow drmserver $1:process getattr;
 ')
 
+###########################################
+# add_service(domain, service)
+# Ability for domain to add a service to service_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_service', `
+  allow $1 $2:service_manager { add find };
+  neverallow { domain -$1 } $2:service_manager add;
+')
+
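Review bot: The macro's neverallow assumes exactly one owning domain per service, and the header does not say so; a second `add_service` for the same service type from another domain would emit two neverallows that each forbid the other domain's add, and the neverallow check would then fail the build. Add `# Assumes a single owning domain per service: invoking this twice for the same service produces mutually exclusive neverallows.` to the header block. The macro also grants `find` unconditionally, so this commit widens storaged, cameraserver, dumpstate, installd, mediacodec, mediaextractor, mediametrics, netd and update_engine from `add` to `{ add find }`; stating that in the header (`# Also grants find, so the owner can look up its own service.`) keeps the broadening visible to reviewers of future callers.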
 ##########################################
 # print a message with a trailing newline
 # print(`args')
diff --git a/public/update_engine.te b/public/update_engine.te
index 2c6e585b6c7e50706739207893af2efeb65576ec..3a33407197ad786c48751db30d0738472ccd4d0e 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -25,7 +25,7 @@ dontaudit update_engine kernel:system module_request;
 
 # Register the service to perform Binder IPC.
 binder_use(update_engine)
-allow update_engine update_engine_service:service_manager { add };
+add_service(update_engine, update_engine_service)
 
 # Allow update_engine to call the callback function provided by priv_app.
 binder_call(update_engine, priv_app)
diff --git a/public/wificond.te b/public/wificond.te
index 0fcc3ae9b1605e67e7e6a75e8d6c958be3cab0e3..dd22d26b12a9792c9e4342819b6b89fe472c44f2 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -5,7 +5,7 @@ type wificond_exec, exec_type, file_type;
 binder_use(wificond)
 binder_call(wificond, system_server)
 
-allow wificond wificond_service:service_manager { add find };
+add_service(wificond, wificond_service)
 
 # wificond writes firmware paths to this file.
 # wificond also changes the owership of this file on startup.