diff --git a/public/attributes b/public/attributes
index d418375ce0290454bc7cb44f746fe95af9d0acbd..55f87ca683f6f1e2cabe8f93783173f476da2029 100644
--- a/public/attributes
+++ b/public/attributes
@@ -150,6 +150,8 @@ attribute hal_graphics_composer;
 attribute hal_health;
 attribute hal_ir;
 attribute hal_keymaster;
+attribute hal_keymaster_client;
+attribute hal_keymaster_server;
 attribute hal_light;
 attribute hal_memtrack;
 attribute hal_nfc;
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index a3aef59ae7cf95414a0087d134ed20954b1b18e5..d50812c3972419fa19e0f3ca018feaf4e0aee596 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -1,5 +1,5 @@
-# hwbinder access
-hwbinder_use(hal_keymaster)
+# HwBinder IPC from client to server
+binder_call(hal_keymaster_client, hal_keymaster_server)
 
 allow hal_keymaster tee_device:chr_file rw_file_perms;
 allow hal_keymaster tee:unix_stream_socket connectto;
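Review bot: The two tee rules left at the bottom of this hunk are still keyed on the shared `hal_keymaster` attribute, so every domain that `hal_client_domain` attaches to that attribute (keystore and vold, per the keystore.te and vold.te hunks below) presumably inherits raw TEE device access together with the server, and the direct `allow keystore tee_device` / `allow vold tee_device` lines this commit removes would survive in a less visible place. If only the binderized implementation is meant to touch the TEE, these should target the new server attribute instead: `allow hal_keymaster_server tee_device:chr_file rw_file_perms;` and `allow hal_keymaster_server tee:unix_stream_socket connectto;`. If clients deliberately keep it (e.g. for a same-process/passthrough implementation), a comment above them saying so would stop the next reader from narrowing them. I cannot see the macro bodies, so whether `hal_server_domain` restores the `hwbinder_use` this hunk drops is also worth confirming.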
diff --git a/public/keystore.te b/public/keystore.te
index ec6d1926f449f2619da6c27140c86b0bfe1299fe..55cafc541e70e6d3af4a8709381948a9d308900a 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -8,14 +8,11 @@ binder_service(keystore)
 binder_call(keystore, system_server)
 
 # talk to keymaster
-binder_call(keystore, hwservicemanager)
-binder_call(keystore, hal_keymaster)
+hal_client_domain(keystore, hal_keymaster)
 
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };
-allow keystore tee_device:chr_file rw_file_perms;
-allow keystore tee:unix_stream_socket connectto;
 
 add_service(keystore, keystore_service)
 allow keystore sec_key_att_app_id_provider_service:service_manager find;
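Review bot: The added `hal_client_domain(keystore, hal_keymaster)` is the only thing standing in for both removed `binder_call` lines, including the one to `hwservicemanager`, and the macro body is not in this diff; if it does not itself grant hwservicemanager lookup and hwbinder use, keystore can no longer resolve the HAL at runtime. The same substitution is made in the last vold.te hunk. Worth confirming what the macro grants, and the `# talk to keymaster` comment could then say so, e.g. `# talk to keymaster (hal_client_domain covers hwservicemanager lookup and calls to the server)` — only if that is what the macro actually does.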
@@ -23,9 +20,7 @@ allow keystore sec_key_att_app_id_provider_service:service_manager find;
 # Check SELinux permissions.
 selinux_check_access(keystore)
 
-allow keystore ion_device:chr_file r_file_perms;
 r_dir_file(keystore, cgroup)
-allow keystore system_file:dir r_dir_perms;
 
 ###
 ### Neverallow rules
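Review bot: The removals of `allow keystore ion_device:chr_file r_file_perms;` and `allow keystore system_file:dir r_dir_perms;` are not explained by the keymaster client/server split and nothing added in this diff replaces them; the first two vold.te hunks drop the same two rules. If these are now covered by a broader rule elsewhere (a domain-wide system_file rule, or ion_device granted through the hal_keymaster attribute) that is fine, but if not, keystore and vold lose them silently and the only symptom is a runtime denial. A short comment naming where the replacement lives, or a mention in the commit description, would make the removal reviewable.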
diff --git a/public/vold.te b/public/vold.te
index 0e4eddc7065ab7726f5f21bcf5a67e35d630cf94..cda6424bc75c5b2d3c0d2b40574eec9ce932283b 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -27,7 +27,6 @@ allow vold shell_exec:file rx_file_perms;
 
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
-allow vold system_file:dir r_dir_perms;
 allow vold system_file:file x_file_perms;
 allow vold block_device:dir create_dir_perms;
 allow vold device:dir write;
@@ -87,8 +86,6 @@ allow vold fsck_exec:file { r_file_perms execute };
 allow vold fscklogs:dir rw_dir_perms;
 allow vold fscklogs:file create_file_perms;
 
-allow vold ion_device:chr_file r_file_perms;
-
 #
 # Rules to support encrypted fs support.
 #
@@ -131,9 +128,7 @@ binder_use(vold)
 binder_call(vold, healthd)
 
 # talk to keymaster
-binder_call(vold, hwservicemanager)
-binder_call(vold, hal_keymaster)
-allow vold tee_device:chr_file rw_file_perms;
+hal_client_domain(vold, hal_keymaster)
 
 # Access userdata block device.
 allow vold userdata_block_device:blk_file rw_file_perms;
diff --git a/vendor/hal_keymaster_default.te b/vendor/hal_keymaster_default.te
index 4c6d0d2922d605446ec08c8c7549a892a19118d6..32df262abee79e3dfe35b22f328beb174a1886be 100644
--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
@@ -1,5 +1,5 @@
 type hal_keymaster_default, domain;
-hal_impl_domain(hal_keymaster_default, hal_keymaster)
+hal_server_domain(hal_keymaster_default, hal_keymaster)
 
 type hal_keymaster_default_exec, exec_type, file_type;
 init_daemon_domain(hal_keymaster_default)