diff --git a/public/domain.te b/public/domain.te
index 3ca05b6e7fbeed9362974cad010b93d59afb80ac..8acbd11a6a87528e3ba197e737a70a603cbbc681 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -462,8 +462,8 @@ neverallow {
   domain
   -adbd
   -dumpstate
-  -hal_drm
-  -hal_cas
+  -hal_drm_server
+  -hal_cas_server
   -init
   -mediadrmserver
   -recovery
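Review bot: Nothing next to this exemption list records why it names `hal_drm_server` and `hal_cas_server` rather than the base HAL attributes, so a later edit could add a bare `hal_foo` entry again. A one-line comment above the rule would help, for example `# Exempt HAL server attributes only (declared with expandattribute false in te_macros), not the base hal_foo attribute.` The same applies to `-hal_bootctl_server` in the second hunk of this file and to `-hal_keymaster_server` in public/vold.te. The target and permissions of this neverallow lie outside the hunk, so it cannot be confirmed from here that every domain relying on the old exemption also carries the server attribute.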
@@ -503,7 +503,7 @@ neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file
 neverallow {
   domain
   userdebug_or_eng(`-domain') # exclude debuggable builds
-  -hal_bootctl
+  -hal_bootctl_server
   -init
   -uncrypt
   -update_engine
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 0665e2618e9f2521c605fe72502e939bac0a77f5..dd7b140c84f64e35f298b07ac8e8fb87c3448e0d 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -23,11 +23,11 @@ allow hal_audio dumpstate:fifo_file write;
 ###
 
 # Should never execute any executable without a domain transition
-neverallow hal_audio { file_type fs_type }:file execute_no_trans;
+neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
 
 # Should never need network access.
 # Disallow network sockets.
-neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
 
 # Only audio HAL may directly access the audio hardware
 neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
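Review bot: The two assertions now check only `hal_audio_server`, while the allow rules in this file are still written against `hal_audio` (the hunk header shows `allow hal_audio dumpstate:fifo_file write;`). If a type can carry `hal_audio` without `hal_audio_server` (the macros that assign these attributes are not part of this diff), that type inherits the allows but is no longer covered by the no-network and no-exec-without-transition checks. If that is intended, a comment should say so, e.g. `# Asserted on hal_audio_server only; other types carrying hal_audio are deliberately not covered.` The same gap appears in hal_camera.te, hal_cas.te and hal_drm.te. In hal_drm.te it is most visible: `neverallowxperm ... priv_sock_ioctls` moves to the server attribute while the `allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }` in the hunk header stays on the base one.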
diff --git a/public/hal_camera.te b/public/hal_camera.te
index d0824c347375009b5e6bd450b2aeba0c4dffad5c..4265b8a7c19345b681f9d5af295eb9c96fef34b7 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -23,10 +23,10 @@ allow hal_camera hal_allocator_server:fd use;
 
 # hal_camera should never execute any executable without a
 # domain transition
-neverallow hal_camera { file_type fs_type }:file execute_no_trans;
+neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
 
 # hal_camera should never need network access. Disallow network sockets.
-neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
 
 # Only camera HAL may directly access the camera hardware
 neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
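Review bot: The comments above both changed rules still say "hal_camera should never ...", but the rules now constrain `hal_camera_server`, so comment and rule name different attributes. Suggest `# hal_camera_server should never execute any executable without a domain transition` and `# hal_camera_server should never need network access. Disallow network sockets.` The "hal_cas should never execute ..." and "hal_drm should never execute ..." comments in hal_cas.te and hal_drm.te need the same update.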
diff --git a/public/hal_cas.te b/public/hal_cas.te
index b4801c5c3a9ce1fbafb222d64b9982d8b35865b7..7f653585815bd79e4ea13b198747a37b8525d3e9 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -7,7 +7,7 @@ allow hal_cas_client hal_cas_hwservice:hwservice_manager find;
 allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
 
 # Permit reading device's serial number from system properties
-get_prop(hal_cas, serialno_prop)
+get_prop(hal_cas_server, serialno_prop)
 
 # Read files already opened under /data
 allow hal_cas system_data_file:file { getattr read };
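Review bot: `get_prop` for `serialno_prop` is narrowed to `hal_cas_server`, but two nearby grants still go to the base attribute. They are the next rule, `allow hal_cas system_data_file:file { getattr read };`, and `allow hal_cas tee_device:chr_file rw_file_perms;`, shown in the following hunk header. If the narrowing is meant to limit a persistent device identifier to the service implementation, the read-write TEE device grant looks at least as sensitive and may deserve the same treatment. If the base attribute is kept there on purpose, a comment such as `# Kept on hal_cas on purpose: <reason>` would make the split explicit. The rest of the file is outside this hunk, so other grants could not be checked.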
@@ -29,7 +29,7 @@ allow hal_cas tee_device:chr_file rw_file_perms;
 
 # hal_cas should never execute any executable without a
 # domain transition
-neverallow hal_cas { file_type fs_type }:file execute_no_trans;
+neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;
 
 # do not allow privileged socket ioctl commands
-neverallowxperm hal_cas domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 666b1ba82d0712f861db5ab75861c01133de78a9..30742d7c7d4d78d23ebc576bebf95483a8881bf1 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -52,7 +52,7 @@ allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
 
 # hal_drm should never execute any executable without a
 # domain transition
-neverallow hal_drm { file_type fs_type }:file execute_no_trans;
+neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;
 
 # do not allow privileged socket ioctl commands
-neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/public/te_macros b/public/te_macros
index aad29499bca085e34f5f0c7fd039995eafe733e9..18e5e61a4f27bc2e3deb8fb18cb67472c11ef5bb 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -213,7 +213,6 @@ expandattribute hal_$1_client true;
 attribute hal_$1_server;
 expandattribute hal_$1_server false;
 
-neverallow { hal_$1_client -halclientdomain } domain:process fork;
 neverallow { hal_$1_server -halserverdomain } domain:process fork;
 ')
 
diff --git a/public/vold.te b/public/vold.te
index b4469150f21d8325ec42c91cf64f568d81cc7313..9dbf8dd90c56321c16fbee4225934b72ee6dd483 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -210,7 +210,7 @@ neverallow { domain -vold -init } restorecon_prop:property_service set;
 neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
 neverallow vold {
   domain
-  -hal_keymaster
+  -hal_keymaster_server
   -healthd
   -hwservicemanager
   -servicemanager