diff --git a/private/mediadrmserver.te b/private/mediadrmserver.te
index def87599ffdf931e4068d669fcc1518d1ff598ed..4e511a81908db79a52dea340725f7c771efa9c7e 100644
--- a/private/mediadrmserver.te
+++ b/private/mediadrmserver.te
@@ -1,3 +1,8 @@
 typeattribute mediadrmserver coredomain;
 
 init_daemon_domain(mediadrmserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediadrmserver, hal_graphics_allocator)
+auditallow mediadrmserver hal_graphics_allocator_server:binder call;
+
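Review bot: The `auditallow mediadrmserver hal_graphics_allocator_server:binder call;` rule has no comment explaining why it is there or when it should go away; the only comment above it describes the `hal_client_domain` grant. An auditallow logs each granted access, so this reads like a temporary probe to see whether mediadrmserver really calls the allocator. If so, say it next to the rule, e.g. `# TODO(b/<bug-id>): remove the grant above if this auditallow never fires`. The parallel grants added to private/mediaserver.te and public/mediacodec.te in this change carry no audit rule, so either match them or note why only this domain is audited. The hunk also adds a trailing blank line at end of file.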
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 4b510a54a4e1271be7dc3ebbabda6ccecb0e6ba2..08c3f9b2c7b1013da64e8c861be8f4b4b2529585 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -1,3 +1,6 @@
 typeattribute mediaserver coredomain;
 
 init_daemon_domain(mediaserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediaserver, hal_graphics_allocator)
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 2d9ec8bcadb13a964d3e3e1b3ace6e55e9d4ec30..abc21a7581b272255138271c24672ffe1332c5e5 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -11,3 +11,8 @@
 ;     typeattribute hal_allocator_client halclientdomain;
 (typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
 (typeattributeset halclientdomain (hal_allocator_client))
+
+; Domains hosting Camera HAL implementations are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute hal_camera hal_allocator_client;
+(typeattributeset hal_allocator_client (hal_camera))
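Review bot: The added `(typeattributeset hal_allocator_client (hal_camera))` applies to every domain carrying the `hal_camera` attribute, and the new comment does not mention the knock-on effect. Through the existing `(typeattributeset halclientdomain (hal_allocator_client))` line above, those domains also become members of `halclientdomain`. That is an attribute-wide widening covering all Camera HAL implementations, and any neverallow rules keyed on `halclientdomain` are outside this hunk, so they should be checked against the new membership. I would extend the comment with something like `; Side effect: hal_camera domains also join halclientdomain via the rule above.` and say which buffers the camera HAL needs from the allocator.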
diff --git a/public/mediacodec.te b/public/mediacodec.te
index ecbe2802cf02c418020fa4ef5605c7ff5dc9f145..721f624b50f1cfcf422ec122432b038c68be7a7f 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -22,13 +22,15 @@ allow mediacodec gpu_device:chr_file rw_file_perms;
 allow mediacodec video_device:chr_file rw_file_perms;
 allow mediacodec video_device:dir search;
 allow mediacodec ion_device:chr_file rw_file_perms;
-allow mediacodec hal_graphics_allocator:fd use;
 allow mediacodec hal_camera:fd use;
 
 crash_dump_fallback(mediacodec)
 
 hal_client_domain(mediacodec, hal_allocator)
 
+# allocate and use graphic buffers
+hal_client_domain(mediacodec, hal_graphics_allocator)
+
 # Recieve gralloc buffer FDs from bufferhubd. Note that mediacodec never
 # directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
 # between those two: it talks to mediacodec via Binder and talks to bufferhubd
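Review bot: `hal_client_domain(mediacodec, hal_graphics_allocator)` replaces a single `fd use` rule with the full client macro, but the comment `# allocate and use graphic buffers` does not say why mediacodec now needs to call the allocator rather than only receive buffers from it. mediacodec parses untrusted media, so a step up from fd use to whatever the macro grants deserves a line of justification in this public policy file. The macro definition is outside this diff; it presumably adds binder call and service lookup. It is also worth confirming that the macro still grants `fd use` on descriptors owned by the allocator server, since the explicit rule is removed here. If mediacodec does allocate directly, the comment could read `# mediacodec allocates gralloc buffers itself; the client macro replaces the former fd-use-only rule`. The bufferhubd comment that follows continues past the end of the hunk.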