diff --git a/private/file_contexts b/private/file_contexts
index 3fc8129175c97342897350e73e33613220395a9a..0b81d4cc6c30bb4af88b09f74a227048e9e994c1 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -235,6 +235,7 @@
 /system/fake-lib(64)?/libart.*   u:object_r:libart_file:s0
 /system/lib(64)?/libart.*        u:object_r:libart_file:s0
 /system/bin/hw/android\.hardware\.audio@2\.0-service          u:object_r:hal_audio_default_exec:s0
+/system/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0
 /system/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_boot_exec:s0
 /system/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
 /system/bin/hw/android\.hardware\.dumpstate@1\.0-service      u:object_r:hal_dumpstate_default_exec:s0
diff --git a/private/hal_bluetooth_default.te b/private/hal_bluetooth_default.te
new file mode 100644
index 0000000000000000000000000000000000000000..f77410cf3439b0df9f2ed7d87cea3c2f4eace5ad
--- /dev/null
+++ b/private/hal_bluetooth_default.te
@@ -0,0 +1,9 @@
+type hal_bluetooth_default, hal_bluetooth, domain;
+type hal_bluetooth_default_exec, exec_type, file_type;
+
+init_daemon_domain(hal_bluetooth_default)
+
+# VTS tests need to be able to toggle rfkill
+userdebug_or_eng(`
+  allow hal_bluetooth_default self:capability net_admin;
+')
diff --git a/public/attributes b/public/attributes
index 9bed18da238df653cae43b05a90739a6c924c628..6c2904249bbf6bba7da8bfc8969e90386e633723 100644
--- a/public/attributes
+++ b/public/attributes
@@ -116,6 +116,7 @@ attribute update_engine_common;
 
 # HALs
 attribute hal_audio;
+attribute hal_bluetooth;
 attribute hal_dumpstate;
 attribute hal_gatekeeper;
 attribute hal_graphics_allocator;
diff --git a/public/bluetooth.te b/public/bluetooth.te
index 9f21676a76e2a7e0fe0c5572b600625e22faf917..209a68b69e3dab56954758d50a354ad7165f1009 100644
--- a/public/bluetooth.te
+++ b/public/bluetooth.te
@@ -60,6 +60,7 @@ allow bluetooth shell_data_file:file read;
 
 # Perform HwBinder IPC.
 hwbinder_use(bluetooth)
+binder_call(bluetooth, hal_bluetooth)
 binder_call(bluetooth, hal_telephony)
 
 ###
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
new file mode 100644
index 0000000000000000000000000000000000000000..d06147137fd1a4ab22e206eafb764517136b00a4
--- /dev/null
+++ b/public/hal_bluetooth.te
@@ -0,0 +1,25 @@
+# hwbinder access
+hwbinder_use(hal_bluetooth)
+
+r_dir_file(hal_bluetooth, system_file)
+
+# call into the Bluetooth process (callbacks)
+binder_call(hal_bluetooth, bluetooth)
+
+wakelock_use(hal_bluetooth);
+
+# bluetooth factory file accesses.
+r_dir_file(hal_bluetooth, bluetooth_efs_file)
+
+allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
+
+# Access to config files to look for a Bluetooth address
+r_dir_file(hal_bluetooth, bluetooth_data_file)
+
+# sysfs access.
+r_dir_file(hal_bluetooth, sysfs_type)
+allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
+allow hal_bluetooth self:capability2 wake_alarm;
+
+# Allow write access to bluetooth-specific properties
+set_prop(hal_bluetooth, bluetooth_prop)
diff --git a/public/system_server.te b/public/system_server.te
index b77cf15adb8448c70a26f7fe23122f3c19de08df..aa096797a783b186c19c3352162c9f2074df773c 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -159,6 +159,7 @@ binder_service(system_server)
 
 # Perform HwBinder IPC.
 hwbinder_use(system_server)
+binder_call(system_server, hal_bluetooth)
 binder_call(system_server, hal_boot)
 binder_call(system_server, hal_contexthub)
 binder_call(system_server, hal_ir)