diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index c695432b1789d24698b556555e91deb44839e5de..781229b7242d3590f4b1f768e139b71c1956e490 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -16,6 +16,63 @@ allow mediadrmserver mediametrics_service:service_manager find;
 allow mediadrmserver processinfo_service:service_manager find;
 allow mediadrmserver surfaceflinger_service:service_manager find;
 
-# Inherit hal_drm access rules until DRM HAL implementation is
-# moved out of mediadrmserver
-hal_impl_domain(mediadrmserver, hal_drm)
+### Rules needed when DRM HAL runs inside mediadrmserver process.
+### These rules should eventually be granted only when needed.
+# Required by Widevine DRM (b/22990512)
+allow mediadrmserver self:process execmem;
+
+# System file accesses.
+allow mediadrmserver system_file:dir r_dir_perms;
+allow mediadrmserver system_file:file r_file_perms;
+allow mediadrmserver system_file:lnk_file r_file_perms;
+
+# Read files already opened under /data.
+allow mediadrmserver system_data_file:dir { search getattr };
+allow mediadrmserver system_data_file:file { getattr read };
+allow mediadrmserver system_data_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(mediadrmserver, cgroup)
+allow mediadrmserver cgroup:dir { search write };
+allow mediadrmserver cgroup:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow mediadrmserver ion_device:chr_file rw_file_perms;
+allow mediadrmserver hal_graphics_allocator:fd use;
+
+# Allow access to app_data and media_data_files
+allow mediadrmserver media_data_file:dir create_dir_perms;
+allow mediadrmserver media_data_file:file create_file_perms;
+allow mediadrmserver media_data_file:file { getattr read };
+
+allow mediadrmserver tee_device:chr_file rw_file_perms;
+
+# XXX Label with a specific type?
+allow mediadrmserver sysfs:file r_file_perms;
+
+# Connect to tee service.
+allow mediadrmserver tee:unix_stream_socket connectto;
+
+# only allow unprivileged socket ioctl commands
+allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+# Permit reading device's serial number from system properties
+get_prop(mediadrmserver, serialno_prop)
+###
+
+### Rules needed when DRM HAL runs outside of mediadrmserver process.
+### These rules should eventually be granted only when needed.
+hwbinder_use(mediadrmserver)
+###
+
+###
+### neverallow rules
+###
+
+# mediadrmserver should never execute any executable without a
+# domain transition
+neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
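Review bot: The `allow mediadrmserver self:process execmem;` rule at the top of the new block is the broadest grant in this hunk — it lets the whole domain map anonymous writable-and-executable memory, defeating W^X for everything running in mediadrmserver rather than only the Widevine plugin the comment cites, and the section header's "granted only when needed" gives no concrete condition for when it can be dropped. I would make the condition explicit in the comment: `# Required by Widevine DRM (b/22990512). Grants anonymous W+X mappings to the whole domain; revisit when the DRM HAL moves out of process.` Separately, `allow mediadrmserver media_data_file:file { getattr read };` is redundant with the `create_file_perms` grant on the same class on the line directly above it (create_file_perms already includes r_file_perms) and can be dropped. The `sysfs:file r_file_perms` grant with its `XXX` comment is likewise wider than a single labelled type would be, though these rules appear to be inlined from the previous hal_drm macro rather than newly introduced.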