diff --git a/public/domain.te b/public/domain.te
index 8f63624e811984bec2ae9dcfece5c4036584d1df..34cbadcfcd395cf659977ceeb822c76747acc91a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -489,6 +489,7 @@ neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file
 neverallow {
   domain
   userdebug_or_eng(`-domain') # exclude debuggable builds
+  -hal_bootctl
   -init
   -uncrypt
   -update_engine
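Review bot: The added `-hal_bootctl` exemption carries no comment, and if `hal_bootctl` is a HAL attribute rather than a single type (as the name suggests), it lifts this neverallow for every domain that carries the attribute, including vendor-supplied implementations. A trailing comment in the style of the line above would record that scope, e.g. `-hal_bootctl # attribute: all boot control HAL implementations are exempt`. The neverallow's closing brace, target type and permission set lie outside the hunk, so the access being opened up cannot be checked from here. It is worth confirming that the matching allow rules grant only the permissions the HAL needs on that type.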