diff --git a/public/domain.te b/public/domain.te
index 4b41c7e640e2f37f5149fcb2c39b29c86fcd206f..ea63d1c65f0ce7895650c2fc537680ec9a5ac492 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -491,6 +491,7 @@ neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file
 neverallow {
   domain
   userdebug_or_eng(`-domain') # exclude debuggable builds
+  -hal_bootctl
   -init
   -uncrypt
   -update_engine
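Review bot: The new `-hal_bootctl` exception names what appears to be a HAL attribute rather than a single domain, so every domain carrying that attribute is exempted from this neverallow, not only the boot control service. If this policy version defines a server-only attribute, `-hal_bootctl_server` would confine the exemption to the HAL implementation; in passthrough configurations the broader attribute may also be attached to client domains. The line also deserves a why-comment in the style of the `userdebug_or_eng` line above it, for example `-hal_bootctl # boot control HAL implementation needs this access`. The neverallow's target type and permission set lie beyond the end of the hunk, so the exact access being opened cannot be confirmed from here; the matching allow rule for the HAL should be no wider than this rule's permission list.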