diff --git a/private/access_vectors b/private/access_vectors
index 6b08d9efce4fd28b4032f324637532252bff465b..74cf530a6e92484209db5f6e723f9d11d98f8ad8 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -675,13 +675,6 @@ class hwservice_manager
 	list
 }
 
-class vndservice_manager
-{
-	add
-	find
-	list
-}
-
 class keystore_key
 {
 	get_state
diff --git a/private/security_classes b/private/security_classes
index 5685bd6f8f7bd9fcb2553059b3c80603fef7e0db..02e3ef2f6ee2d109a62e814f86e77b158ac2159c 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -137,9 +137,6 @@ class service_manager           # userspace
 # hardware service manager      # userspace
 class hwservice_manager
 
-# vendor service manager        # userspace
-class vndservice_manager
-
 # Keystore Key
 class keystore_key              # userspace
 
diff --git a/public/domain.te b/public/domain.te
index e75ce1a4bf8635f0b15db00f062c32519ac722e9..97f75c065f2939dde0c551df0da75585f9fc472c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -219,7 +219,7 @@ allow domain default_android_hwservice:hwservice_manager { add find };
 allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
 # Workaround for policy compiler being too aggressive and removing vndservice_manager_type
 # when it's not explicitly used in allow rules
-allow { domain -domain } vndservice_manager_type:vndservice_manager { add find };
+allow { domain -domain } vndservice_manager_type:service_manager { add find };
 
 ###
 ### neverallow rules
@@ -914,8 +914,17 @@ neverallow {
 } shell_data_file:file open;
 
 
-# servicemanager is the only process which handles list request
-neverallow * ~servicemanager:service_manager list;
+# servicemanager and vndservicemanager are the only processes which handle the
+# service_manager list request
+neverallow * ~{
+    servicemanager
+    vndservicemanager
+    }:service_manager list;
+
+# hwservicemanager is the only process which handles hw list requests
+neverallow * ~{
+    hwservicemanager
+    }:hwservice_manager list;
 
 # only service_manager_types can be added to service_manager
 # TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
diff --git a/public/su.te b/public/su.te
index 77fd07111359a625ff5b24d93a7d91b65b0bfd50..47349d88f52e0ddb4ec4a032d03e3678f2101697 100644
--- a/public/su.te
+++ b/public/su.te
@@ -38,10 +38,10 @@ userdebug_or_eng(`
   dontaudit su property_type:file *;
   dontaudit su service_manager_type:service_manager *;
   dontaudit su hwservice_manager_type:hwservice_manager *;
-  dontaudit su vndservice_manager_type:vndservice_manager *;
+  dontaudit su vndservice_manager_type:service_manager *;
   dontaudit su servicemanager:service_manager list;
   dontaudit su hwservicemanager:hwservice_manager list;
-  dontaudit su vndservicemanager:vndservice_manager list;
+  dontaudit su vndservicemanager:service_manager list;
   dontaudit su keystore:keystore_key *;
   dontaudit su domain:drmservice *;
   dontaudit su unlabeled:filesystem *;