diff --git a/public/domain.te b/public/domain.te
index 91e1671b97820e7ab639ca641c94ae6c261b9741..9c591db59f1958081ce5a6de8bebc9f02d363545 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -214,7 +214,12 @@ allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
 
 # TODO(b/34454312) remove this when the correct policy is in place
 allow domain default_android_hwservice:hwservice_manager { add find };
-allow domain hwservice_manager_type:hwservice_manager { add find };
+# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
+# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } vndservice_manager_type:vndservice_manager { add find };
 
 ###
 ### neverallow rules
diff --git a/public/te_macros b/public/te_macros
index b931f1e0e98654ca1d6e992cafe2bf007be73166..beec54640aaaef079c848cd8e996ccd8e8a2e579 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -509,8 +509,7 @@ define(`add_service', `
 # others from adding it.
 define(`add_hwservice', `
   allow $1 $2:hwservice_manager { add find };
-# TODO(b/34454312): Uncomment the neverallow once issues on user builds are resolved
-#  neverallow { domain -$1 } $2:hwservice_manager add;
+  neverallow { domain -$1 } $2:hwservice_manager add;
 ')
 
 ##########################################