diff --git a/public/domain.te b/public/domain.te
index 88cc6afa9ec2307b7b5556c603b2412ead000dae..8eb8936c6b1bd75f801692ab731c32103c24a175 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -489,6 +489,7 @@ neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file
 neverallow {
   domain
   userdebug_or_eng(`-domain') # exclude debuggable builds
+  -hal_bootctl
   -init
   -uncrypt
   -update_engine
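Review bot: The added `-hal_bootctl` line, assuming `hal_bootctl` is the HAL attribute and not a single type, exempts every domain carrying that attribute from this neverallow. The neighbouring entries `-init`, `-uncrypt` and `-update_engine` each name one domain, whereas any type later tagged with the attribute would inherit this exemption on user builds. If only the HAL implementation needs the access and the tree defines the server-side attribute, `-hal_bootctl_server` would keep client domains covered by the rule. Otherwise a trailing comment such as `-hal_bootctl # boot control HAL; attribute-wide exemption is intentional` would record the decision, in the manner of the comment on the `userdebug_or_eng` line. The neverallow's target type and permission set lie outside the hunk, so the access being opened should be checked against the full statement and the matching allow rule.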