diff --git a/public/domain.te b/public/domain.te
index 8eb8936c6b1bd75f801692ab731c32103c24a175..51385dd9981d23cc2bd029d6065407a55f1b999b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -497,6 +497,7 @@ neverallow {
   -recovery
   -ueventd
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+neverallow hal_bootctl unlabeled:service_manager list; #TODO: b/62658302
 
 # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
 neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
@@ -555,6 +556,7 @@ full_treble_only(`
     -appdomain
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
   } servicemanager:binder { call transfer };
+  neverallow binder_in_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
 ')
 
 # On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
@@ -613,6 +615,7 @@ full_treble_only(`
     -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
     -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
   });
+  neverallow socket_between_core_and_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
 
   # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
   neverallow_establish_socket_comms({
@@ -644,6 +647,10 @@ full_treble_only(`
     -pdx_endpoint_socket_type # used by VR layer
     -pdx_channel_socket_type # used by VR layer
   }:sock_file ~{ append getattr ioctl read write };
+  neverallow {
+    pdx_endpoint_socket_type
+    pdx_channel_socket_type
+  } unlabeled:service_manager list; #TODO: b/62658302
 
   # Core domains are not permitted to create/open sockets owned by vendor domains
   neverallow {
@@ -728,6 +735,7 @@ full_treble_only(`
         -crash_dump_exec
         -netutils_wrapper_exec
     }:file { entrypoint execute execute_no_trans };
+    neverallow vendor_executes_system_violators unlabeled:service_manager list; #TODO: b/62658302
 ')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
diff --git a/public/te_macros b/public/te_macros
index b1937d85d7395033f245e7757222c660d9ed3872..d65eb889ca28da46c9f285780e9df1c7facd049a 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -550,6 +550,7 @@ define(`use_drmservice', `
 define(`add_service', `
   allow $1 $2:service_manager { add find };
   neverallow { domain -$1 } $2:service_manager add;
+  neverallow $1 unlabeled:service_manager add; #TODO: b/62658302
 ')
 
 ###########################################
@@ -561,6 +562,7 @@ define(`add_hwservice', `
   allow $1 $2:hwservice_manager { add find };
   allow $1 hidl_base_hwservice:hwservice_manager add;
   neverallow { domain -$1 } $2:hwservice_manager add;
+  neverallow $1 unlabeled:hwservice_manager add; #TODO: b/62658302
 ')
 
 ##########################################