diff --git a/private/file_contexts b/private/file_contexts
index 05b67311ee80e7158123f1e53ac758f596f5a585..95b27820bd1cc95cf38e1a3a95ef4f19383b6cda 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -245,6 +245,7 @@
 /system/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_boot_exec:s0
 /system/bin/hw/android\.hardware\.camera\.provider@2\.4-service          u:object_r:hal_camera_default_exec:s0
 /system/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
+/system/bin/hw/android\.hardware\.drm@1\.0-service            u:object_r:hal_drm_default_exec:s0
 /system/bin/hw/android\.hardware\.dumpstate@1\.0-service      u:object_r:hal_dumpstate_default_exec:s0
 /system/bin/hw/android\.hardware\.gatekeeper@1\.0-service     u:object_r:hal_gatekeeper_default_exec:s0
 /system/bin/hw/android\.hardware\.gnss@1\.0-service           u:object_r:hal_gnss_default_exec:s0
diff --git a/private/hal_drm_default.te b/private/hal_drm_default.te
new file mode 100644
index 0000000000000000000000000000000000000000..6e4df5b8ba2fb964c703f7695eff08e29fab691a
--- /dev/null
+++ b/private/hal_drm_default.te
@@ -0,0 +1,5 @@
+type hal_drm_default, domain;
+hal_impl_domain(hal_drm_default, hal_drm)
+
+type hal_drm_default_exec, exec_type, file_type;
+init_daemon_domain(hal_drm_default)
diff --git a/public/attributes b/public/attributes
index 299532b369c1415dee994f71faa994a9065701fb..1aacd9e33aeccb34c223b2f8c673086f9e752d65 100644
--- a/public/attributes
+++ b/public/attributes
@@ -122,6 +122,7 @@ attribute hal_audio;
 attribute hal_bluetooth;
 attribute hal_camera;
 attribute hal_contexthub;
+attribute hal_drm;
 attribute hal_dumpstate;
 attribute hal_fingerprint;
 attribute hal_gatekeeper;
diff --git a/public/domain.te b/public/domain.te
index 09958f0a5cdea7491e2902a0def6c3f29176616b..ca8683660950b295aadc813aa62457d5b9832109 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -378,6 +378,7 @@ neverallow {
   domain
   -adbd
   -dumpstate
+  -hal_drm
   -init
   -mediadrmserver
   -recovery
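Review bot: Adding `-hal_drm` to this exclusion list exempts every domain that carries the hal_drm attribute, not only the default HAL process; because mediadrmserver.te in the same change gives mediadrmserver that attribute via hal_impl_domain, the existing `-mediadrmserver` entry on the line above becomes redundant and could be dropped to keep the carve-out list minimal. The neverallow's object class and permission set are outside this hunk, so which guarantee is being relaxed is not visible here. A short trailing comment naming the reason for the exemption, e.g. `-hal_drm  # see hal_drm.te`, would let the next reader check whether the carve-out is still needed once the HAL leaves mediadrmserver.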
diff --git a/public/hal_drm.te b/public/hal_drm.te
new file mode 100644
index 0000000000000000000000000000000000000000..79b385f7af6b464103bde9ecbfaa3ca19b04dc74
--- /dev/null
+++ b/public/hal_drm.te
@@ -0,0 +1,53 @@
+## call into system_server process (for invoking callbacks)
+binder_call(hal_drm, mediadrmserver)
+
+# Required by Widevine DRM (b/22990512)
+allow hal_drm self:process execmem;
+
+# Permit reading device's serial number from system properties
+get_prop(hal_drm, serialno_prop)
+
+# System file accesses
+allow hal_drm system_file:dir r_dir_perms;
+allow hal_drm system_file:file r_file_perms;
+allow hal_drm system_file:lnk_file r_file_perms;
+
+# Read files already opened under /data
+allow hal_drm system_data_file:dir { search getattr };
+allow hal_drm system_data_file:file { getattr read };
+allow hal_drm system_data_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems
+r_dir_file(hal_drm, cgroup)
+allow hal_drm cgroup:dir { search write };
+allow hal_drm cgroup:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow hal_drm ion_device:chr_file rw_file_perms;
+allow hal_drm hal_graphics_allocator:fd use;
+
+# Allow access to app_data and media_data_files
+allow hal_drm media_data_file:dir create_dir_perms;
+allow hal_drm media_data_file:file create_file_perms;
+allow hal_drm media_data_file:file { getattr read };
+
+allow hal_drm sysfs:file r_file_perms;
+
+# Connect to tee service.
+allow hal_drm tee:unix_stream_socket connectto;
+allow hal_drm tee_device:chr_file rw_file_perms;
+
+# only allow unprivileged socket ioctl commands
+allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+###
+### neverallow rules
+###
+
+# hal_drm should never execute any executable without a
+# domain transition
+neverallow hal_drm { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
\ No newline at end of file
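Review bot: The header comment on the first line says the rule calls into system_server, but the rule beneath it is `binder_call(hal_drm, mediadrmserver)`; the system_server direction is the separate `binder_call(system_server, hal_drm)` added in system_server.te, so the comment should read `# call into mediadrmserver (for invoking callbacks)` (single `#`, matching the rest of the file). `allow hal_drm media_data_file:file { getattr read };` is subsumed by the `create_file_perms` rule directly above it and can be removed. The `# XXX Label with a specific type?` marker that accompanied the sysfs rule in mediadrmserver.te was dropped in the move; keeping it above `allow hal_drm sysfs:file r_file_perms;` preserves the open question rather than silently closing it. The file also lacks a trailing newline.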
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index 817365749c9ec2a700209c6c59208b38f148593e..c695432b1789d24698b556555e91deb44839e5de 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -10,61 +10,12 @@ binder_call(mediadrmserver, binderservicedomain)
 binder_call(mediadrmserver, appdomain)
 binder_service(mediadrmserver)
 
-# Required by Widevine DRM (b/22990512)
-allow mediadrmserver self:process execmem;
-
-# System file accesses.
-allow mediadrmserver system_file:dir r_dir_perms;
-allow mediadrmserver system_file:file r_file_perms;
-allow mediadrmserver system_file:lnk_file r_file_perms;
-
-# Read files already opened under /data.
-allow mediadrmserver system_data_file:dir { search getattr };
-allow mediadrmserver system_data_file:file { getattr read };
-allow mediadrmserver system_data_file:lnk_file r_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(mediadrmserver, cgroup)
-allow mediadrmserver cgroup:dir { search write };
-allow mediadrmserver cgroup:file w_file_perms;
-
-# Allow access to ion memory allocation device
-allow mediadrmserver ion_device:chr_file rw_file_perms;
-allow mediadrmserver hal_graphics_allocator:fd use;
-
-# Allow access to app_data and media_data_files
-allow mediadrmserver media_data_file:dir create_dir_perms;
-allow mediadrmserver media_data_file:file create_file_perms;
-allow mediadrmserver media_data_file:file { getattr read };
-
-allow mediadrmserver tee_device:chr_file rw_file_perms;
-
-# XXX Label with a specific type?
-allow mediadrmserver sysfs:file r_file_perms;
-
-# Connect to tee service.
-allow mediadrmserver tee:unix_stream_socket connectto;
-
 allow mediadrmserver mediadrmserver_service:service_manager { add find };
 allow mediadrmserver mediaserver_service:service_manager { add find };
 allow mediadrmserver mediametrics_service:service_manager find;
 allow mediadrmserver processinfo_service:service_manager find;
 allow mediadrmserver surfaceflinger_service:service_manager find;
 
-# only allow unprivileged socket ioctl commands
-allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
-  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-# Permit reading device's serial number from system properties
-get_prop(mediadrmserver, serialno_prop)
-
-###
-### neverallow rules
-###
-
-# mediadrmserver should never execute any executable without a
-# domain transition
-neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+# Inherit hal_drm access rules until DRM HAL implementation is
+# moved out of mediadrmserver
+hal_impl_domain(mediadrmserver, hal_drm)
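Review bot: `hal_impl_domain(mediadrmserver, hal_drm)` brings in whatever that macro grants to HAL implementation domains (its definition is outside this diff) on top of the attribute rules copied verbatim to hal_drm.te, so mediadrmserver's effective policy is likely a superset of the rules removed above rather than an exact equivalent; worth confirming against the macro expansion before landing. The replacement comment could state that explicitly, e.g. `# Inherit hal_drm access rules (plus hal_impl_domain grants) until the DRM HAL implementation is moved out of mediadrmserver`.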
diff --git a/public/system_server.te b/public/system_server.te
index 5dc99ab07b0cc9b8bf4c648e784d22bc959c9ec8..84854807ee0df1e717f10d5d5ac65e7ae93cfd60 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -181,6 +181,7 @@ binder_call(system_server, hal_thermal)
 binder_call(system_server, hal_vibrator)
 binder_call(system_server, hal_vr)
 binder_call(system_server, hal_wifi)
+binder_call(system_server, hal_drm)
 binder_call(system_server, wpa)
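Review bot: The new `binder_call(system_server, hal_drm)` breaks the alphabetical order of this binder_call block — it lands after hal_wifi and before wpa, while the surrounding hal_* entries are sorted by name; moving it up among the earlier hal_* lines (before hal_thermal, outside this hunk) keeps the list scannable and avoids merge conflicts. Because mediadrmserver also receives the hal_drm attribute in this change, this grant reaches mediadrmserver as well; if system_server did not already have a binder_call path to it, that widening deserves a mention in the commit description.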
 
 # Talk to tombstoned to get ANR traces.