diff --git a/access_vectors b/access_vectors
index 4de34631cf3a901c6e38bcc05a56ce4fbde66bc4..b039b0b6776fe73bf6abdc230109b958c384a494 100644
--- a/access_vectors
+++ b/access_vectors
@@ -871,7 +871,6 @@ class binder
 call
 set_context_mgr
 transfer
- receive
 }
 
 class zygote
diff --git a/app.te b/app.te
index 65d710a07887e7614663805dee48664e42d96647..de7b7d05daadadbb408a60cb8815f137e6eb5d15 100644
--- a/app.te
+++ b/app.te
@@ -188,10 +188,8 @@ allow appdomain qtaguid_device:chr_file r_file_perms;
 binder_use(appdomain)
 # Perform binder IPC to binder services.
 binder_call(appdomain, binderservicedomain)
-binder_transfer(appdomain, binderservicedomain)
 # Perform binder IPC to other apps.
 binder_call(appdomain, appdomain)
-binder_transfer(appdomain, appdomain)
 
 # Appdomain interaction with isolated apps
 r_dir_file(appdomain, isolated_app)
diff --git a/mediaserver.te b/mediaserver.te
index f5274d95c3ee7a45a80dcf34ce6cffe5cab4e8c6..f941c6a63ebd279e261736e4028eb0529a3b3a16 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -13,7 +13,6 @@ r_dir_file(mediaserver, sdcard)
 binder_use(mediaserver)
 binder_call(mediaserver, binderservicedomain)
 binder_call(mediaserver, appdomain)
-binder_transfer(mediaserver, surfaceflinger)
 binder_service(mediaserver)
 
 allow mediaserver kernel:system module_request;
diff --git a/servicemanager.te b/servicemanager.te
index fefbe080d88699e13f3402640f9898a47caa2dd2..a78a485bb4273f2a099ddca232fcab1912bec428 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -11,4 +11,4 @@ init_daemon_domain(servicemanager)
 # created by other domains. It never passes its own references
 # or initiates a Binder IPC.
 allow servicemanager self:binder set_context_mgr;
-allow servicemanager domain:binder { receive transfer };
+allow servicemanager domain:binder transfer;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 10a57ee9311fcce6920539683ce2fb4a670ec38f..30b18168894d2af809c83b37ee5dd7b94247a59c 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -12,6 +12,7 @@ unix_socket_connect(surfaceflinger, property, init)
 binder_use(surfaceflinger)
 binder_call(surfaceflinger, system)
 binder_service(surfaceflinger)
+allow surfaceflinger init:binder transfer;
 
 # Access /dev/graphics/fb0.
 allow surfaceflinger graphics_device:dir search;
diff --git a/system.te b/system.te
index 192b14fbe8606597dbfc6aef30ecd546fabb31e4..7e207c3ae85d18dfc5afcbde3bb0c800e9c9379f 100644
--- a/system.te
+++ b/system.te
@@ -8,7 +8,6 @@ app_domain(system_app)
 
 # Perform binder IPC to any app domain.
 binder_call(system_app, appdomain)
-binder_transfer(system_app, appdomain)
 
 # Read and write system data files.
 # May want to split into separate types.
@@ -121,9 +120,6 @@ binder_use(system)
 binder_call(system, binderservicedomain)
 binder_call(system, appdomain)
 binder_service(system)
-# Transfer other Binder references.
-binder_transfer(system, binderservicedomain)
-binder_transfer(system, appdomain)
 
 # Read /proc/pid files for Binder clients.
 r_dir_file(system, appdomain)
diff --git a/te_macros b/te_macros
index 6354496ad7abf546efde2a96e850fcaae1717502..7883c40ec7177b5a1705a704db80af154c65ed4b 100644
--- a/te_macros
+++ b/te_macros
@@ -152,10 +152,8 @@ allow $1 $3:unix_dgram_socket sendto;
 # binder_use(domain)
 # Allow domain to use Binder IPC.
 define(`binder_use', `
-# Get Binder references from the servicemanager.
-allow $1 servicemanager:binder call;
-# Transfer and receive own Binder references.
-allow $1 self:binder { transfer receive };
+# Call the servicemanager and transfer references to it.
+allow $1 servicemanager:binder { call transfer };
 # Map /dev/ashmem with PROT_EXEC.
 allow $1 ashmem_device:chr_file execute;
 # rw access to /dev/binder and /dev/ashmem is presently granted to
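Review bot: The added `allow surfaceflinger init:binder transfer;` is the only rule in this block without an explanation: the neighbouring lines are either macros whose names state the intent or carry a comment like `# Access /dev/graphics/fb0.`. A hand-written `transfer` grant towards init is not self-explanatory, and the rest of this commit moves transfer grants into the binder_call macro, so a reader will wonder why this one is spelled out directly. I would precede it with a one-line comment naming the interaction that needs it, e.g. `# Transfer binder references to init (TODO(review): name the init interaction that requires this).` until the concrete reason is filled in.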
@@ -166,19 +164,14 @@ allow $1 ashmem_device:chr_file execute;
 # binder_call(clientdomain, serverdomain)
 # Allow clientdomain to perform binder IPC to serverdomain.
 define(`binder_call', `
-# First we receive a Binder ref to the server, then we call it.
-allow $1 $2:binder { receive call };
+# Call the server domain and optionally transfer references to it.
+allow $1 $2:binder { call transfer };
+# Allow the serverdomain to transfer references to the client on the reply.
+allow $2 $1:binder transfer;
 # Receive and use open files from the server.
 allow $1 $2:fd use;
 ')
 
-#####################################
-# binder_transfer(clientdomain, serverdomain)
-# Allow clientdomain to transfer Binder references created by serverdomain.
-define(`binder_transfer', `
-allow $1 $2:binder transfer;
-')
-
 #####################################
 # binder_service(domain)
 # Mark a domain as being a Binder service domain.
diff --git a/unconfined.te b/unconfined.te
index ff5359577d058199d067cffc1e3af1bf05f67005..e016584a3bc29ec6ff58dfcbeaf72b216e7e2319 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -20,5 +20,5 @@ allow unconfineddomain netif_type:netif *;
 allow unconfineddomain port_type:socket_class_set name_bind;
 allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
 allow unconfineddomain domain:peer recv;
-allow unconfineddomain domain:binder { call transfer receive };
+allow unconfineddomain domain:binder { call transfer };
 allow unconfineddomain property_type:property_service set;
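Review bot: The macro index comment `# Allow clientdomain to perform binder IPC to serverdomain.` (unchanged context above the define) now understates what binder_call grants, because the new `allow $2 $1:binder transfer;` line adds a permission to serverdomain rather than clientdomain, so `binder_call(A, B)` now changes B's policy as well as A's. With binder_transfer deleted in the same hunk, this reverse rule is the only remaining way the server side obtains transfer towards its clients, which makes it worth stating in the index comment that policy authors scan, e.g. `# Also allow serverdomain to transfer references back to clientdomain in replies.`. The inline comment on the rule itself is fine; it is the summary line that no longer matches the rules.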