diff --git a/adbd.te b/adbd.te
index 58fdead680ac7800f55b288e5011c58c53021070..3b654a152d9aae89605d94befb23970064a1303c 100644
--- a/adbd.te
+++ b/adbd.te
@@ -68,3 +68,9 @@ allow adbd appdomain:unix_stream_socket connectto;
 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
 allow adbd zygote_exec:file r_file_perms;
 allow adbd system_file:file r_file_perms;
+
+service_manager_local_audit_domain(adbd)
+auditallow adbd {
+    service_manager_type
+    -surfaceflinger_service
+}:service_manager find;
diff --git a/attributes b/attributes
index 613ed8f35e2bd7c35318a66a22d40da4bd6e7a39..d40217aed9e08c404e188958aa69b9dffe71ceb4 100644
--- a/attributes
+++ b/attributes
@@ -67,3 +67,6 @@ attribute bluetoothdomain;
 
 # All domains used for binder service domains.
 attribute binderservicedomain;
+
+# All domains that are excluded from the domain.te auditallow.
+attribute service_manager_local_audit;
diff --git a/bluetooth.te b/bluetooth.te
index 2b108a9e8ae99e87f9c738e9d03c2aa9637bfc17..56fe17058c4cc95a6c417016eda2a68bc669cc60 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -49,6 +49,15 @@ allow bluetooth bluetooth_prop:property_service set;
 allow bluetooth pan_result_prop:property_service set;
 allow bluetooth ctl_dhcp_pan_prop:property_service set;
 
+# Audited locally.
+service_manager_local_audit_domain(bluetooth)
+auditallow bluetooth {
+    service_manager_type
+    -bluetooth_service
+    -radio_service
+    -system_server_service
+}:service_manager find;
+
 ###
 ### Neverallow rules
 ###
diff --git a/bootanim.te b/bootanim.te
index 3a0a76f0f737666b251a185def0c40cbd0f7e15e..759229553aa2e9ca335f63be94b81a2a406595a7 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -11,3 +11,7 @@ allow bootanim gpu_device:chr_file rw_file_perms;
 
 # /oem access
 allow bootanim oemfs:dir search;
+
+# Audited locally.
+service_manager_local_audit_domain(bootanim)
+auditallow bootanim { service_manager_type -surfaceflinger_service }:service_manager find;
diff --git a/domain.te b/domain.te
index ba4c65ac007da55a511d7446207f055a5c4262f0..015274bf0bdc83d073fc299980554ea8f9880581 100644
--- a/domain.te
+++ b/domain.te
@@ -159,7 +159,9 @@ allow domain asec_public_file:file r_file_perms;
 allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 
 allow domain servicemanager:service_manager list;
+auditallow domain servicemanager:service_manager list;
 allow domain service_manager_type:service_manager find;
+auditallow { domain -service_manager_local_audit } service_manager_type:service_manager find;
 
 ###
 ### neverallow rules
diff --git a/drmserver.te b/drmserver.te
index 1d6b07552ae142cf1fe456c647d076aff31d31b6..2a146b6bb78ebc3b6498217c1f95abbc779d1156 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -47,4 +47,12 @@ allow drmserver radio_data_file:file { read getattr };
 
 allow drmserver drmserver_service:service_manager add;
 
+# Audited locally.
+service_manager_local_audit_domain(drmserver)
+auditallow drmserver {
+    service_manager_type
+    -drmserver_service
+    -system_server_service
+}:service_manager find;
+
 selinux_check_access(drmserver)
diff --git a/dumpstate.te b/dumpstate.te
index b2870bcc05079d0cf0f9f8a786fb7f2ce9e9c71c..481febad2b2101cfe4225ed359093cd8c73b0283 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -100,3 +100,18 @@ allow dumpstate net_data_file:file r_file_perms;
 # Access /data/tombstones.
 allow dumpstate tombstone_data_file:dir r_dir_perms;
 allow dumpstate tombstone_data_file:file r_file_perms;
+
+service_manager_local_audit_domain(dumpstate)
+auditallow dumpstate {
+    service_manager_type
+    -drmserver_service
+    -healthd_service
+    -inputflinger_service
+    -keystore_service
+    -mediaserver_service
+    -nfc_service
+    -radio_service
+    -surfaceflinger_service
+    -system_app_service
+    -system_server_service
+}:service_manager find;
diff --git a/healthd.te b/healthd.te
index e7e165a84a504e3474134b4606a1f8c27b062ac3..3cb69bf8eda643d1eadab3989e9fe653c313b86b 100644
--- a/healthd.te
+++ b/healthd.te
@@ -40,6 +40,10 @@ allow healthd self:capability sys_boot;
 
 allow healthd healthd_service:service_manager add;
 
+# Audited locally.
+service_manager_local_audit_domain(healthd)
+auditallow healthd { service_manager_type -healthd_service }:service_manager find;
+
 # Healthd needs to tell init to continue the boot
 # process when running in charger mode.
 unix_socket_connect(healthd, property, init)
diff --git a/inputflinger.te b/inputflinger.te
index 283bbbaf37e0140d8dbb9525380985259d187ec0..4377a104f833fff9bddcae4ffdbf26f5b0496bde 100644
--- a/inputflinger.te
+++ b/inputflinger.te
@@ -9,3 +9,7 @@ binder_service(inputflinger)
 binder_call(inputflinger, system_server)
 
 allow inputflinger inputflinger_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(inputflinger)
+auditallow inputflinger { service_manager_type -inputflinger_service }:service_manager find;
diff --git a/isolated_app.te b/isolated_app.te
index a156838bbdb0c91392c252016409e1732851faaf..5929b259324bd2d6b6dfe67f0e439eb5b6a9e596 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -18,3 +18,12 @@ net_domain(isolated_app)
 # Needed to allow dlopen() from Chrome renderer processes.
 # See b/15902433 for details.
 allow isolated_app app_data_file:file execute;
+
+# Audited locally.
+service_manager_local_audit_domain(isolated_app)
+auditallow isolated_app {
+    service_manager_type
+    -radio_service
+    -surfaceflinger_service
+    -system_server_service
+}:service_manager find;
diff --git a/keystore.te b/keystore.te
index afa701c7ee46b8eb3255c49ccc945dcbee7d9040..f2c5039b00ba5a1742399b93e924a4bc6201a799 100644
--- a/keystore.te
+++ b/keystore.te
@@ -28,5 +28,9 @@ neverallow domain keystore:process ptrace;
 
 allow keystore keystore_service:service_manager add;
 
+# Audited locally.
+service_manager_local_audit_domain(keystore)
+auditallow keystore { service_manager_type -keystore_service }:service_manager find;
+
 # Check SELinux permissions.
 selinux_check_access(keystore)
diff --git a/mediaserver.te b/mediaserver.te
index ce3dc0d55094f6c9422a2c532dbab848ecb027ac..3eb078d4b0dbc9620f4e666c8d552d28fce229d8 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -80,6 +80,16 @@ allow mediaserver tee:unix_stream_socket connectto;
 
 allow mediaserver mediaserver_service:service_manager add;
 
+# Audited locally.
+service_manager_local_audit_domain(mediaserver)
+auditallow mediaserver {
+    service_manager_type
+    -drmserver_service
+    -mediaserver_service
+    -system_server_service
+    -surfaceflinger_service
+}:service_manager find;
+
 use_drmservice(mediaserver)
 allow mediaserver drmserver:drmservice {
     consumeRights
diff --git a/nfc.te b/nfc.te
index 65aaef76cbca14b6225259991ca27f9dfc1e88d7..2b851a276fd1e2865bea86aa9093eead3620d3f8 100644
--- a/nfc.te
+++ b/nfc.te
@@ -15,3 +15,12 @@ allow nfc sysfs_nfc_power_writable:file rw_file_perms;
 allow nfc sysfs:file write;
 
 allow nfc nfc_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(nfc)
+auditallow nfc {
+    service_manager_type
+    -mediaserver_service
+    -surfaceflinger_service
+    -system_server_service
+}:service_manager find;
diff --git a/platform_app.te b/platform_app.te
index 7ff8d62e23b20e8c61e0893837113958c152a3a9..a44e35d8acb8c87403f05b7ddcdede7d97100d42 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -27,3 +27,13 @@ allow platform_app media_rw_data_file:file create_file_perms;
 # Write to /cache.
 allow platform_app cache_file:dir create_dir_perms;
 allow platform_app cache_file:file create_file_perms;
+
+# Audited locally.
+service_manager_local_audit_domain(platform_app)
+auditallow platform_app {
+    service_manager_type
+    -mediaserver_service
+    -radio_service
+    -surfaceflinger_service
+    -system_server_service
+}:service_manager find;
diff --git a/radio.te b/radio.te
index d0018eac209daf5dab3fe238460d8fe447931417..5f45df33c6741c23c2becc1988206661a13d092a 100644
--- a/radio.te
+++ b/radio.te
@@ -28,3 +28,13 @@ auditallow radio system_radio_prop:property_service set;
 allow radio ctl_rildaemon_prop:property_service set;
 
 allow radio radio_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(radio)
+auditallow radio {
+    service_manager_type
+    -mediaserver_service
+    -radio_service
+    -surfaceflinger_service
+    -system_server_service
+}:service_manager find;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index c5086120996b0ab444c463c4e5f8ab115f907600..ff91993ec4d3c14be974ae63850a8a483e094a1c 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -59,6 +59,14 @@ allow surfaceflinger tee_device:chr_file rw_file_perms;
 
 allow surfaceflinger surfaceflinger_service:service_manager add;
 
+# Audited locally.
+service_manager_local_audit_domain(surfaceflinger)
+auditallow surfaceflinger {
+    service_manager_type
+    -surfaceflinger_service
+    -system_server_service
+}:service_manager find;
+
 ###
 ### Neverallow rules
 ###
diff --git a/system_app.te b/system_app.te
index 2a7421b39f76a6b08d75f8334b30b28affe987b1..5a5888f2ff1522b441421064bed4f6fd1efec73e 100644
--- a/system_app.te
+++ b/system_app.te
@@ -64,3 +64,14 @@ allow system_app keystore:keystore_key {
 };
 
 control_logd(system_app)
+
+# Audited locally.
+service_manager_local_audit_domain(system_app)
+auditallow system_app {
+    service_manager_type
+    -keystore_service
+    -nfc_service
+    -radio_service
+    -surfaceflinger_service
+    -system_server_service
+}:service_manager find;
diff --git a/system_server.te b/system_server.te
index c5e7b58f3feba3c80911328524c2c67de363586f..8ecfe52778f2f8fb1f6ff453d2426678aae1b70b 100644
--- a/system_server.te
+++ b/system_server.te
@@ -364,6 +364,9 @@ allow system_server pstorefs:file r_file_perms;
 
 allow system_server system_server_service:service_manager add;
 
+# Audited locally.
+service_manager_local_audit_domain(system_server)
+
 allow system_server keystore:keystore_key {
 	test
 	get
diff --git a/te_macros b/te_macros
index fdcfe87dbeaa7de50848df304768c0b855929ce5..f18cd36d5c280241f2ff3436beec72b250e8c2ab 100644
--- a/te_macros
+++ b/te_macros
@@ -109,6 +109,7 @@ typeattribute $1 appdomain;
 tmpfs_domain($1)
 # Map with PROT_EXEC.
 allow $1 $1_tmpfs:file execute;
+service_manager_local_audit_domain($1)
 ')
 
 #####################################
@@ -360,6 +361,13 @@ define(`use_keystore', `
 ')
 
 ###########################################
+# service_manager_local_audit_domain(domain)
+# Has its own auditallow rule on service_manager
+# and should be excluded from the domain.te auditallow.
+define(`service_manager_local_audit_domain', `
+  typeattribute $1 service_manager_local_audit;
+')
+
 # use_drmservice(domain)
 # Ability to use DrmService which requires
 # DrmService to call getpidcon.
diff --git a/untrusted_app.te b/untrusted_app.te
index f29149e3d2f8d39fc69cd3abcbbac1042599ecc1..c97b4513b8212c429aa286f23ce88d106fb3489d 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -64,6 +64,19 @@ allow untrusted_app media_rw_data_file:file create_file_perms;
 allow untrusted_app cache_file:dir create_dir_perms;
 allow untrusted_app cache_file:file create_file_perms;
 
+# Audited locally.
+service_manager_local_audit_domain(untrusted_app)
+auditallow untrusted_app {
+    service_manager_type
+    -drmserver_service
+    -keystore_service
+    -mediaserver_service
+    -nfc_service
+    -radio_service
+    -surfaceflinger_service
+    -system_server_service
+}:service_manager find;
+
 ###
 ### neverallow rules
 ###