diff --git a/private/file_contexts b/private/file_contexts
index 90124b73d7be6e38455bb44f4291caf4d4032393..f6e1be1b7e7444b549299eaca1ddb8e7aa11ae8b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -237,6 +237,7 @@
 /system/lib(64)?/libart.* u:object_r:libart_file:s0
 /system/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
 /system/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0
+/system/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
 /system/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0
 /system/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
 /system/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
diff --git a/private/hal_camera_default.te b/private/hal_camera_default.te
new file mode 100644
index 0000000000000000000000000000000000000000..a97989a543c4cc1bc2aa0e0bd39eb7c44fca773f
--- /dev/null
+++ b/private/hal_camera_default.te
@@ -0,0 +1,5 @@
+type hal_camera_default, domain;
+hal_impl_domain(hal_camera_default, hal_camera)
+
+type hal_camera_default_exec, exec_type, file_type;
+init_daemon_domain(hal_camera_default)
diff --git a/public/attributes b/public/attributes
index 66cc594032b593fd2bb0c58a399b830dd67449ce..aec85fb06ef97c332a6dbfeaa2f57b8664f193a7 100644
--- a/public/attributes
+++ b/public/attributes
@@ -120,6 +120,7 @@ attribute haldomain;
 # HALs
 attribute hal_audio;
 attribute hal_bluetooth;
+attribute hal_camera;
 attribute hal_dumpstate;
 attribute hal_fingerprint;
 attribute hal_gatekeeper;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 51f96d748420b0ec33d9c3192a3fe8bbcb866d7d..41359261ef3aaed2bbd4892b70c369f7abd2a67d 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -7,6 +7,10 @@ binder_call(cameraserver, binderservicedomain)
 binder_call(cameraserver, appdomain)
 binder_service(cameraserver)
 
+hwbinder_use(cameraserver)
+binder_call(cameraserver, hal_camera)
+binder_call(cameraserver, hwservicemanager)
+
 # access /data/misc/camera
 allow cameraserver camera_data_file:dir create_dir_perms;
 allow cameraserver camera_data_file:file create_file_perms;
diff --git a/public/hal_camera.te b/public/hal_camera.te
new file mode 100644
index 0000000000000000000000000000000000000000..e412a4d8bdf86f6322c235ebbca9579ec7099d8e
--- /dev/null
+++ b/public/hal_camera.te
@@ -0,0 +1,26 @@
+hwbinder_use(hal_camera)
+binder_call(hal_camera, cameraserver)
+
+allow hal_camera system_file:dir { open read };
+
+# access /data/misc/camera
+allow hal_camera camera_data_file:dir create_dir_perms;
+allow hal_camera camera_data_file:file create_file_perms;
+
+allow hal_camera video_device:dir r_dir_perms;
+allow hal_camera video_device:chr_file rw_file_perms;
+allow hal_camera camera_device:chr_file rw_file_perms;
+allow hal_camera ion_device:chr_file rw_file_perms;
+allow hal_camera hal_graphics_allocator:fd use;
+
+
+###
+### neverallow rules
+###
+
+# hal_camera should never execute any executable without a
+# domain transition
+neverallow hal_camera { file_type fs_type }:file execute_no_trans;
+
+# hal_camera should never need network access. Disallow network sockets.
+neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
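Review bot: The three rules added to public/cameraserver.te after `binder_service(cameraserver)` carry no comment, while the block directly below them is labelled `# access /data/misc/camera`. A line such as `# Talk to the camera HAL (hal_camera) over hwbinder` would record why cameraserver now needs hwbinder at all. The hunk also pairs `hwbinder_use(cameraserver)` with an explicit `binder_call(cameraserver, hwservicemanager)`, whereas public/hal_camera.te in this same commit uses `hwbinder_use(hal_camera)` alone; the macro definition is not part of this diff, but if it already covers calls to hwservicemanager the extra line should be either dropped or explained. The target of `binder_call(cameraserver, hal_camera)` is the attribute, so the grant reaches every domain later tagged `hal_camera`, not only `hal_camera_default`.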
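Review bot: The two `camera_data_file` rules in public/hal_camera.te give every domain carrying the `hal_camera` attribute the full create set on /data/misc/camera, the same grant cameraserver already holds in public/cameraserver.te, and nothing in the file says what the HAL itself has to create there. If the HAL only consumes files that cameraserver writes, `allow hal_camera camera_data_file:dir r_dir_perms;` and `allow hal_camera camera_data_file:file r_file_perms;` would be the narrower form; if it does write, a comment naming those files would let a later reviewer tighten the rule. The `allow hal_camera system_file:dir { open read };` rule is likewise uncommented, and its permission set is narrower than the `r_dir_perms` used for `video_device:dir` a few lines down, so a one-line reason stating which directory is being listed would help.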