diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 640775520f89f765187360ca4b645ee6da284c96..5c4aa4093dc8a1810d61afd62866f4c5adca302e 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -231,6 +231,7 @@ neverallow all_untrusted_apps {
   hal_wifi_supplicant_hwservice
   hidl_base_hwservice
   system_net_netd_hwservice
+  thermalcallback_hwservice
 }:hwservice_manager find;
 # HwBinder services offered by core components (as opposed to vendor components)
 # are considered somewhat safer due to point #2 above.
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index e3ca2d045bece67cb0d22f4414dd0c2eae9de833..24bcc806d8b4848a38055d4f2dfd445fbeda5875 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -4,10 +4,9 @@
 (type mediacodec)
 (type mediacodec_exec)
 (type reboot_data_file)
+(type vold_socket)
 (type rild)
 (type webview_zygote_socket)
-(type vold_socket)
-(type thermalcallback_hwservice)
 
 (expandtypeattribute (accessibility_service_27_0) true)
 (expandtypeattribute (account_service_27_0) true)
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 7a90ad5e83bb49753707f7673f53815458e8f5ee..c75c0a57660e1f2f68dc6416809b94b7f9c39d39 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -49,6 +49,7 @@ android.hardware.soundtrigger::ISoundTriggerHw                  u:object_r:hal_a
 android.hardware.tetheroffload.config::IOffloadConfig           u:object_r:hal_tetheroffload_hwservice:s0
 android.hardware.tetheroffload.control::IOffloadControl         u:object_r:hal_tetheroffload_hwservice:s0
 android.hardware.thermal::IThermal                              u:object_r:hal_thermal_hwservice:s0
+android.hardware.thermal::IThermalCallback                      u:object_r:thermalcallback_hwservice:s0
 android.hardware.tv.cec::IHdmiCec                               u:object_r:hal_tv_cec_hwservice:s0
 android.hardware.tv.input::ITvInput                             u:object_r:hal_tv_input_hwservice:s0
 android.hardware.usb::IUsb                                      u:object_r:hal_usb_hwservice:s0
diff --git a/public/hwservice.te b/public/hwservice.te
index 6f09efcfeb49b8124bde12a4bccd36aa90faef75..5fba86ac302d9cac9cb4420751d788ce3df7e4e0 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -59,3 +59,4 @@ type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
 type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice;
 type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
+type thermalcallback_hwservice, hwservice_manager_type;
diff --git a/public/thermalserviced.te b/public/thermalserviced.te
index f47f544bbda019c6c63a2be53073d899639f25b9..00e00713208aa0af32113da145fec849f04c6d82 100644
--- a/public/thermalserviced.te
+++ b/public/thermalserviced.te
@@ -8,5 +8,6 @@ add_service(thermalserviced, thermal_service)
 
 hwbinder_use(thermalserviced)
 hal_client_domain(thermalserviced, hal_thermal)
+add_hwservice(thermalserviced, thermalcallback_hwservice)
 
 binder_call(thermalserviced, platform_app)