diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 7f9d315edf6b613e3fe6bbca2e8b590dd7dee04f..b04e5e076435f85f0c9277e4d4893546caf47db7 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -12,6 +12,10 @@
 (typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
 (typeattributeset halclientdomain (hal_allocator_client))
+; Apps, except isolated apps, are clients of OMX-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
+
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
 ; typeattribute { appdomain -isolated_app } hal_configstore_client;
diff --git a/public/app.te b/public/app.te
index 35c200859dd8fd1b8d3ec149265ee76b644c7974..1dca49cb538c25ef9ae55d4d9755cca029cdb70f 100644
--- a/public/app.te
+++ b/public/app.te
@@ -219,15 +219,6 @@ binder_call(appdomain, appdomain)
 # Perform binder IPC to ephemeral apps.
 binder_call(appdomain, ephemeral_app)
-# TODO(b/80317992): use hal_client_domain on individual domains or have tests
-# that the required individual permissions are all granted
-hwbinder_use({ appdomain -isolated_app })
-allow { appdomain -isolated_app } hal_codec2_hwservice:hwservice_manager find;
-allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
-allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
-get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
-binder_call({ appdomain -isolated_app }, hal_omx_server)
-
 # Talk with graphics composer fences
 allow appdomain hal_graphics_composer:fd use;
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 037066ea8bcb6c989cbb3b7c78298c8b0c7d9084..d97910389ac68fd8a47568e102e98abaaa2436d0 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
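Review bot: Dropping `hwbinder_use({ appdomain -isolated_app })` and `get_prop({ appdomain -isolated_app }, hwservicemanager_prop);` from app.te is only equivalent if non-isolated apps still get those permissions from somewhere else, and the replacement in this change (the hal_omx_client typeattributeset in technical_debt.cil plus the hal_omx.te hunk) only grants hwservice find and binder_call on that attribute. Presumably the `(typeattributeset halclientdomain (hal_allocator_client))` line just above already supplies hwbinder_use and the hwservicemanager_prop read for the same app set, but that is not visible in this diff and should be confirmed before the TODO(b/80317992) block is deleted. A short comment on the new typeattributeset line saying where apps' hwbinder_use and hwservicemanager_prop access now comes from, e.g. `; hwbinder_use and hwservicemanager_prop for these apps come from halclientdomain membership above`, would save the next reader the same search. The two `((and (appdomain) ((not (isolated_app)))))` sets must also stay identical so that hal_omx_client and halclientdomain cover exactly the same apps.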
@@ -3,7 +3,7 @@ binder_call(hal_audio_client, hal_audio_server)
 binder_call(hal_audio_server, hal_audio_client)
 add_hwservice(hal_audio_server, hal_audio_hwservice)
-allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_audio, hal_audio_hwservice)
 allow hal_audio ion_device:chr_file r_file_perms;
diff --git a/public/hal_audiocontrol.te b/public/hal_audiocontrol.te
index 438db531f17504ddba04cef78b8963a48f05a265..dc4aaa0cc66b8d3e78a8b1251e8d780a9c75b779 100644
--- a/public/hal_audiocontrol.te
+++ b/public/hal_audiocontrol.te
@@ -3,5 +3,4 @@ binder_call(hal_audiocontrol_client, hal_audiocontrol_server)
 binder_call(hal_audiocontrol_server, hal_audiocontrol_client)
 add_hwservice(hal_audiocontrol_server, hal_audiocontrol_hwservice)
-
-allow hal_audiocontrol_client hal_audiocontrol_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_audiocontrol, hal_audiocontrol_hwservice)
diff --git a/public/hal_authsecret.te b/public/hal_authsecret.te
index 81b0c04451b03c12ad1453f9635a8e04b589b9ca..f58b8aac94eed0ac1b9b36cb460215d2e7620634 100644
--- a/public/hal_authsecret.te
+++ b/public/hal_authsecret.te
@@ -2,4 +2,4 @@ binder_call(hal_authsecret_client, hal_authsecret_server)
 add_hwservice(hal_authsecret_server, hal_authsecret_hwservice)
-allow hal_authsecret_client hal_authsecret_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_authsecret, hal_authsecret_hwservice)
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 373dbec6bf6829f803db996b01467209c95d57fd..b0c68bf721254414dd05e4d5d5747bff3730c349 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
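Review bot: Replacing the plain allow with `hal_attribute_hwservice_client(hal_audio, hal_audio_hwservice)` is not a pure refactor: per the te_macros hunk at the end of this change the macro also emits `neverallow { domain -hal_audio_client -hal_audio_server } hal_audio_hwservice:hwservice_manager find;`, so any domain that was granted find on this hwservice directly rather than through hal_client_domain now fails the compile-time neverallow check. The same applies to every other hal_*.te hunk in this change, from hal_audiocontrol through hal_wifi_supplicant, and to both calls in hal_omx.te. Before landing, the set of domains outside each _client/_server pair that currently has find on each of these hwservices should be checked once across all of them, and device policy that carries its own `allow foo hal_audio_hwservice:hwservice_manager find;` will need to move to `hal_client_domain(foo, hal_audio)`. This tightening deserves an explicit sentence in the commit message rather than being implied by the macro name.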
@@ -3,7 +3,7 @@ binder_call(hal_bluetooth_client, hal_bluetooth_server)
 binder_call(hal_bluetooth_server, hal_bluetooth_client)
 add_hwservice(hal_bluetooth_server, hal_bluetooth_hwservice)
-allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_bluetooth, hal_bluetooth_hwservice)
 wakelock_use(hal_bluetooth);
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index 181de4a9cf5e4f261cf6fc8ba1f236a44424994c..a901cf292db735a27fde5bd99d3734d9212a13c2 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -3,6 +3,6 @@ binder_call(hal_bootctl_client, hal_bootctl_server)
 binder_call(hal_bootctl_server, hal_bootctl_client)
 add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
-allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_bootctl, hal_bootctl_hwservice)
 dontaudit hal_bootctl self:capability sys_rawio;
diff --git a/public/hal_broadcastradio.te b/public/hal_broadcastradio.te
index 24d4908e14e3b46aaf2c788d98f5c4d4917c7f16..45adb4a7af81afd1e66c018f087017179d5f9450 100644
--- a/public/hal_broadcastradio.te
+++ b/public/hal_broadcastradio.te
@@ -1,4 +1,4 @@
 binder_call(hal_broadcastradio_client, hal_broadcastradio_server)
 add_hwservice(hal_broadcastradio_server, hal_broadcastradio_hwservice)
-allow hal_broadcastradio_client hal_broadcastradio_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_broadcastradio, hal_broadcastradio_hwservice)
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 43f74b488e7b579757f997b2f50df2a667be1c36..4e807948417b54236de5ecd101bb1ccec695b14e 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -3,7 +3,7 @@ binder_call(hal_camera_client, hal_camera_server)
 binder_call(hal_camera_server, hal_camera_client)
 add_hwservice(hal_camera_server, hal_camera_hwservice)
-allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_camera, hal_camera_hwservice)
 allow hal_camera device:dir r_dir_perms;
 allow hal_camera video_device:dir r_dir_perms;
diff --git a/public/hal_cas.te b/public/hal_cas.te
index 7f653585815bd79e4ea13b198747a37b8525d3e9..0ba39edac62c153f6ac75112d4d8f9a5b97ff640 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -3,7 +3,7 @@ binder_call(hal_cas_client, hal_cas_server)
 binder_call(hal_cas_server, hal_cas_client)
 add_hwservice(hal_cas_server, hal_cas_hwservice)
-allow hal_cas_client hal_cas_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_cas, hal_cas_hwservice)
 allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
 # Permit reading device's serial number from system properties
diff --git a/public/hal_confirmationui.te b/public/hal_confirmationui.te
index 228e8649658e77fe92719d41ed5625a460195db7..9a7e697834c1fdb83e43a81a50548b003b2678c1 100644
--- a/public/hal_confirmationui.te
+++ b/public/hal_confirmationui.te
@@ -2,4 +2,4 @@ binder_call(hal_confirmationui_client, hal_confirmationui_server)
 add_hwservice(hal_confirmationui_server, hal_confirmationui_hwservice)
-allow hal_confirmationui_client hal_confirmationui_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_confirmationui, hal_confirmationui_hwservice)
diff --git a/public/hal_contexthub.te b/public/hal_contexthub.te
index f11bfc816e0e48820181b36b9b93c5b16cceb92f..0f23ae51b8c3a960ec60f779c5a73f06632c960d 100644
--- a/public/hal_contexthub.te
+++ b/public/hal_contexthub.te
@@ -3,4 +3,4 @@ binder_call(hal_contexthub_client, hal_contexthub_server)
 binder_call(hal_contexthub_server, hal_contexthub_client)
 add_hwservice(hal_contexthub_server, hal_contexthub_hwservice)
-allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_contexthub, hal_contexthub_hwservice)
diff --git a/public/hal_drm.te b/public/hal_drm.te
index a46dd9116e87fcd9be191c5698ca5fbed49c8d7a..0a03a95a30e5891ddea9ef40b1f57639ac598709 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -3,7 +3,7 @@ binder_call(hal_drm_client, hal_drm_server)
 binder_call(hal_drm_server, hal_drm_client)
 add_hwservice(hal_drm_server, hal_drm_hwservice)
-allow hal_drm_client hal_drm_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_drm, hal_drm_hwservice)
 allow hal_drm hidl_memory_hwservice:hwservice_manager find;
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index 2853567e0c2b2b4d5bb7bf968d1faf374a9e40ea..75e59f3b45fc8e369e828c99f777191dfc73b530 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -3,7 +3,7 @@ binder_call(hal_dumpstate_client, hal_dumpstate_server)
 binder_call(hal_dumpstate_server, hal_dumpstate_client)
 add_hwservice(hal_dumpstate_server, hal_dumpstate_hwservice)
-allow hal_dumpstate_client hal_dumpstate_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_dumpstate, hal_dumpstate_hwservice)
 # write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
 allow hal_dumpstate shell_data_file:file write;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index ebe0b0c82a77f1a5a0c0b131f76b9a4ec20ffc47..240f1ddade10044edc49d04eaab63e0dd426ef73 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -3,7 +3,7 @@ binder_call(hal_fingerprint_client, hal_fingerprint_server)
 binder_call(hal_fingerprint_server, hal_fingerprint_client)
 add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
-allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_fingerprint, hal_fingerprint_hwservice)
 # For memory allocation
 allow hal_fingerprint ion_device:chr_file r_file_perms;
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
index 123acf5674f26f776fbe82eadff8aa8bcd4c4c8a..0ff8f08442832d2b913539150f545fc4b08c68ff 100644
--- a/public/hal_gatekeeper.te
+++ b/public/hal_gatekeeper.te
@@ -1,7 +1,7 @@
 binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
 add_hwservice(hal_gatekeeper_server, hal_gatekeeper_hwservice)
-allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_gatekeeper, hal_gatekeeper_hwservice)
 # TEE access.
 allow hal_gatekeeper tee_device:chr_file rw_file_perms;
diff --git a/public/hal_gnss.te b/public/hal_gnss.te
index b59cd1d5a6aba07027b153b15273f9c5b86ee358..7e206a8ffa2a4988ec05fc7c1679a9251c216f8a 100644
--- a/public/hal_gnss.te
+++ b/public/hal_gnss.te
@@ -3,4 +3,4 @@ binder_call(hal_gnss_client, hal_gnss_server)
 binder_call(hal_gnss_server, hal_gnss_client)
 add_hwservice(hal_gnss_server, hal_gnss_hwservice)
-allow hal_gnss_client hal_gnss_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_gnss, hal_gnss_hwservice)
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index e2b04ae83ce0e500742f9646e45f5711a5f105aa..753b816d7e9a2595149aabe95041dc9ed0801e98 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -2,7 +2,7 @@ binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
 add_hwservice(hal_graphics_allocator_server, hal_graphics_allocator_hwservice)
-allow hal_graphics_allocator_client hal_graphics_allocator_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_graphics_allocator, hal_graphics_allocator_hwservice)
 allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
 # GPU device access
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 2df461249614627d8b7414c49438e80d32d5850a..e6854f6f3f2681c8063ee5289756b46d7072886c 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -3,7 +3,7 @@ binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
 binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
 add_hwservice(hal_graphics_composer_server, hal_graphics_composer_hwservice)
-allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_graphics_composer, hal_graphics_composer_hwservice)
 # Coordinate with hal_graphics_mapper
 allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
diff --git a/public/hal_health.te b/public/hal_health.te
index c0a0f804cb021105c17e303a98a95f93e4b150e9..f6d5d3b8e5e1bde1b44634bd7c4e4edb8fc84e09 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -3,7 +3,7 @@ binder_call(hal_health_client, hal_health_server)
 binder_call(hal_health_server, hal_health_client)
 add_hwservice(hal_health_server, hal_health_hwservice)
-allow hal_health_client hal_health_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_health, hal_health_hwservice)
 # Read access to system files for HALs in
 # /{system,vendor,odm}/lib[64]/hw/ in order
diff --git a/public/hal_ir.te b/public/hal_ir.te
index b1bfdd804b144b92c786e34f5a6b7ceebc3868b0..022d5eeb625ba4e6bac5d7e0bbf0a2640d49a4c0 100644
--- a/public/hal_ir.te
+++ b/public/hal_ir.te
@@ -3,4 +3,4 @@ binder_call(hal_ir_client, hal_ir_server)
 binder_call(hal_ir_server, hal_ir_client)
 add_hwservice(hal_ir_server, hal_ir_hwservice)
-allow hal_ir_client hal_ir_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_ir, hal_ir_hwservice)
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index dc5f6d01d15ea48f280c0be36162699246245bc1..664f2774bf9d793f39c46db2a61d4c4fcc43ffe4 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -2,7 +2,7 @@ binder_call(hal_keymaster_client, hal_keymaster_server)
 add_hwservice(hal_keymaster_server, hal_keymaster_hwservice)
-allow hal_keymaster_client hal_keymaster_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_keymaster, hal_keymaster_hwservice)
 allow hal_keymaster tee_device:chr_file rw_file_perms;
 allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/public/hal_light.te b/public/hal_light.te
index 5b93dd115fd478a1c9a396ca898ca1f688f16ac4..841b17ab0a193f651b21eb0f0b1366dbe69f8ace 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -3,7 +3,7 @@ binder_call(hal_light_client, hal_light_server)
 binder_call(hal_light_server, hal_light_client)
 add_hwservice(hal_light_server, hal_light_hwservice)
-allow hal_light_client hal_light_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_light, hal_light_hwservice)
 allow hal_light sysfs_leds:lnk_file read;
 allow hal_light sysfs_leds:file rw_file_perms;
diff --git a/public/hal_lowpan.te b/public/hal_lowpan.te
index af491b159d79ef9ad423c5d5a2389fe548f3c104..5bb36f96fd11f402a68bc09c0f01000132031453 100644
--- a/public/hal_lowpan.te
+++ b/public/hal_lowpan.te
@@ -5,7 +5,7 @@ binder_call(hal_lowpan_server, hal_lowpan_client)
 add_hwservice(hal_lowpan_server, hal_lowpan_hwservice)
 # Allow hal_lowpan_client to be able to find the hal_lowpan_server
-allow hal_lowpan_client hal_lowpan_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_lowpan, hal_lowpan_hwservice)
 # hal_lowpan domain can write/read to/from lowpan_prop
 set_prop(hal_lowpan_server, lowpan_prop)
diff --git a/public/hal_memtrack.te b/public/hal_memtrack.te
index b2cc9cd1ec730b2feb27ef098da2329b9319be9e..8185fd144d07c6525e681383eb5d5d2abbd873d0 100644
--- a/public/hal_memtrack.te
+++ b/public/hal_memtrack.te
@@ -2,4 +2,4 @@ binder_call(hal_memtrack_client, hal_memtrack_server)
 add_hwservice(hal_memtrack_server, hal_memtrack_hwservice)
-allow hal_memtrack_client hal_memtrack_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_memtrack, hal_memtrack_hwservice)
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index c697ac2f2674e42c655da3a5f0a440df6ed33a9a..149f76811fa89f11b2216f2005394cd92dd095de 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -3,6 +3,6 @@ binder_call(hal_neuralnetworks_client, hal_neuralnetworks_server)
 binder_call(hal_neuralnetworks_server, hal_neuralnetworks_client)
 add_hwservice(hal_neuralnetworks_server, hal_neuralnetworks_hwservice)
-allow hal_neuralnetworks_client hal_neuralnetworks_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_neuralnetworks, hal_neuralnetworks_hwservice)
 allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
 allow hal_neuralnetworks hal_allocator:fd use;
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index 3bcdf5ee10ea54ff5a66847b1333a54b318f38a1..caa4c823b3103f05ff190e6e655a4f2d9095db8b 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -3,7 +3,7 @@ binder_call(hal_nfc_client, hal_nfc_server)
 binder_call(hal_nfc_server, hal_nfc_client)
 add_hwservice(hal_nfc_server, hal_nfc_hwservice)
-allow hal_nfc_client hal_nfc_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_nfc, hal_nfc_hwservice)
 # Set NFC properties (used by bcm2079x HAL).
 set_prop(hal_nfc, nfc_prop)
diff --git a/public/hal_oemlock.te b/public/hal_oemlock.te
index 3fb5a18713647337e79ab91ca7a05645f113f241..d118f43cd7505162c248b857f50fa1d9de7211a9 100644
--- a/public/hal_oemlock.te
+++ b/public/hal_oemlock.te
@@ -2,4 +2,4 @@ binder_call(hal_oemlock_client, hal_oemlock_server)
 add_hwservice(hal_oemlock_server, hal_oemlock_hwservice)
-allow hal_oemlock_client hal_oemlock_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_oemlock, hal_oemlock_hwservice)
diff --git a/public/hal_omx.te b/public/hal_omx.te
index cf036900e0bc7f9aadb81bc6543a9c6675d4d573..375f386c3550a3ec945ebdd1d8362568ca7f96a0 100644
--- a/public/hal_omx.te
+++ b/public/hal_omx.te
@@ -27,11 +27,13 @@ crash_dump_fallback(hal_omx_server)
 # via PDX. Thus, there is no need to use pdx_client macro.
 allow hal_omx_server bufferhubd:fd use;
-allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
-allow hal_omx_client hal_omx_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_omx, hal_omx_hwservice)
+hal_attribute_hwservice_client(hal_omx, hal_codec2_hwservice)
+
 allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
 binder_call(hal_omx_client, hal_omx_server)
+binder_call(hal_omx_server, hal_omx_client)
 ###
 ### neverallow rules
diff --git a/public/hal_power.te b/public/hal_power.te
index fcba3d25dadd72ec7b502f2fbd16dce706f6b71b..26fbd4c3078200b129c652d2e03308b1eac5cab9 100644
--- a/public/hal_power.te
+++ b/public/hal_power.te
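Review bot: The new `binder_call(hal_omx_server, hal_omx_client)` in the hal_omx.te hunk lets the OMX server initiate binder transactions toward every hal_omx_client, and with the technical_debt.cil hunk that attribute now spans all non-isolated apps; the app.te rule being removed only covered the app-to-server direction, so this is a widening rather than a move. If the server-to-client direction is needed for callback interfaces, a one-line comment should say so, e.g. `# hal_omx_server calls back into its clients, which include all non-isolated apps (see technical_debt.cil)`; if it is not needed it should be dropped. The hunk is also inconsistent with itself: hal_omx_hwservice and hal_codec2_hwservice now go through hal_attribute_hwservice_client (and so gain its neverallow), while `allow hal_omx_client hidl_token_hwservice:hwservice_manager find;` stays a bare allow, which is fine if hidl_token_hwservice is shared with other clients but deserves a comment saying why it is excluded from the macro.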
@@ -3,4 +3,4 @@ binder_call(hal_power_client, hal_power_server)
 binder_call(hal_power_server, hal_power_client)
 add_hwservice(hal_power_server, hal_power_hwservice)
-allow hal_power_client hal_power_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_power, hal_power_hwservice)
diff --git a/public/hal_secure_element.te b/public/hal_secure_element.te
index e3046d12ecdec6f3063de3730237d7ff936d55db..8410c772d1d80d8987ef5370988ae281972cd134 100644
--- a/public/hal_secure_element.te
+++ b/public/hal_secure_element.te
@@ -3,4 +3,4 @@ binder_call(hal_secure_element_client, hal_secure_element_server)
 binder_call(hal_secure_element_server, hal_secure_element_client)
 add_hwservice(hal_secure_element_server, hal_secure_element_hwservice)
-allow hal_secure_element_client hal_secure_element_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_secure_element, hal_secure_element_hwservice)
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
index 9d7cbe91396652ea4943147203937c1071501d6a..603eead92ef872b35aa7865a872c1941cbe8530c 100644
--- a/public/hal_sensors.te
+++ b/public/hal_sensors.te
@@ -2,7 +2,7 @@ binder_call(hal_sensors_client, hal_sensors_server)
 add_hwservice(hal_sensors_server, hal_sensors_hwservice)
-allow hal_sensors_client hal_sensors_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_sensors, hal_sensors_hwservice)
 # Allow sensor hals to access ashmem memory allocated by apps
 allow hal_sensors { appdomain -isolated_app }:fd use;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 21b6e02081bd7f6a2a7d9ca85f1089bfcb9c6880..a20350b41265e6c2a425fdcfc7518138c70e02cb 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -3,7 +3,7 @@ binder_call(hal_telephony_client, hal_telephony_server)
 binder_call(hal_telephony_server, hal_telephony_client)
 add_hwservice(hal_telephony_server, hal_telephony_hwservice)
-allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_telephony, hal_telephony_hwservice)
 allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/hal_tetheroffload.te b/public/hal_tetheroffload.te
index 48d67a29b5c466597b54b63cb8842916d9ff6a1a..d44573a3e9c8e66d3dd6a2580456cc1dc26b10a8 100644
--- a/public/hal_tetheroffload.te
+++ b/public/hal_tetheroffload.te
@@ -2,7 +2,7 @@ binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
 binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
-allow hal_tetheroffload_client hal_tetheroffload_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_tetheroffload, hal_tetheroffload_hwservice)
 # allow the client to pass the server already open netlink sockets
 allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
diff --git a/public/hal_thermal.te b/public/hal_thermal.te
index b1764f114c9862ce0eb3abf118bfe0fb428c374a..105e882a4997eeb72cc71f48dbc0e743078b2af7 100644
--- a/public/hal_thermal.te
+++ b/public/hal_thermal.te
@@ -3,4 +3,4 @@ binder_call(hal_thermal_client, hal_thermal_server)
 binder_call(hal_thermal_server, hal_thermal_client)
 add_hwservice(hal_thermal_server, hal_thermal_hwservice)
-allow hal_thermal_client hal_thermal_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_thermal, hal_thermal_hwservice)
diff --git a/public/hal_tv_cec.te b/public/hal_tv_cec.te
index 7719cae92092228bb3c4d52551d7980654d0aae1..9ee2e3eedf27d9bfbc0f34b39a0fb342e0e2000a 100644
--- a/public/hal_tv_cec.te
+++ b/public/hal_tv_cec.te
@@ -3,4 +3,4 @@ binder_call(hal_tv_cec_client, hal_tv_cec_server)
 binder_call(hal_tv_cec_server, hal_tv_cec_client)
 add_hwservice(hal_tv_cec_server, hal_tv_cec_hwservice)
-allow hal_tv_cec_client hal_tv_cec_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_tv_cec, hal_tv_cec_hwservice)
diff --git a/public/hal_tv_input.te b/public/hal_tv_input.te
index 31a006740da1fd891ae90c2711ba3c18f0770f4e..cee55bde33436b46e18a9eb19c62d99e8d4f3583 100644
--- a/public/hal_tv_input.te
+++ b/public/hal_tv_input.te
@@ -3,4 +3,4 @@ binder_call(hal_tv_input_client, hal_tv_input_server)
 binder_call(hal_tv_input_server, hal_tv_input_client)
 add_hwservice(hal_tv_input_server, hal_tv_input_hwservice)
-allow hal_tv_input_client hal_tv_input_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_tv_input, hal_tv_input_hwservice)
diff --git a/public/hal_usb.te b/public/hal_usb.te
index 9cfd5165d282b0ea21acddda9574b68e7443e4bf..52fdce224d01c8a6b870b368ccbe23b5269b3f1c 100644
--- a/public/hal_usb.te
+++ b/public/hal_usb.te
@@ -3,7 +3,7 @@ binder_call(hal_usb_client, hal_usb_server)
 binder_call(hal_usb_server, hal_usb_client)
 add_hwservice(hal_usb_server, hal_usb_hwservice)
-allow hal_usb_client hal_usb_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_usb, hal_usb_hwservice)
 allow hal_usb self:netlink_kobject_uevent_socket create;
 allow hal_usb self:netlink_kobject_uevent_socket setopt;
diff --git a/public/hal_usb_gadget.te b/public/hal_usb_gadget.te
index e412758a0e3f5140b45aa3d7c2467e59123418c0..41683b0cd1c31988b97cfa88cecf8bdd91401318 100644
--- a/public/hal_usb_gadget.te
+++ b/public/hal_usb_gadget.te
@@ -3,7 +3,7 @@ binder_call(hal_usb_gadget_client, hal_usb_gadget_server)
 binder_call(hal_usb_gadget_server, hal_usb_gadget_client)
 add_hwservice(hal_usb_gadget_server, hal_usb_gadget_hwservice)
-allow hal_usb_gadget_client hal_usb_gadget_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_usb_gadget, hal_usb_gadget_hwservice)
 # Configuring usb gadget functions
 allow hal_usb_gadget_server configfs:lnk_file { read create unlink};
diff --git a/public/hal_vehicle.te b/public/hal_vehicle.te
index a59f8d2bd56a354f9fb7b6b73bfd14bc8542a357..d021da3440b3c5de7889f86583859e1ba6e76fc2 100644
--- a/public/hal_vehicle.te
+++ b/public/hal_vehicle.te
@@ -4,4 +4,4 @@ binder_call(hal_vehicle_server, hal_vehicle_client)
 add_hwservice(hal_vehicle_server, hal_vehicle_hwservice)
-allow hal_vehicle_client hal_vehicle_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_vehicle, hal_vehicle_hwservice)
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index 9ce34cac258e73906e8acb1cf49d14064dda7f49..ba6830d7002cc4d923c7310715efb5ba3c0aa007 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -2,7 +2,7 @@ binder_call(hal_vibrator_client, hal_vibrator_server)
 add_hwservice(hal_vibrator_server, hal_vibrator_hwservice)
-allow hal_vibrator_client hal_vibrator_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_vibrator, hal_vibrator_hwservice)
 # vibrator sysfs rw access
 allow hal_vibrator sysfs_vibrator:file rw_file_perms;
diff --git a/public/hal_vr.te b/public/hal_vr.te
index 3cb392d144f5985aba44c335c5d1a3d14866ff95..4afe3cdeb1a92deab927b9f1813bdad9dac554aa 100644
--- a/public/hal_vr.te
+++ b/public/hal_vr.te
@@ -3,4 +3,4 @@ binder_call(hal_vr_client, hal_vr_server)
 binder_call(hal_vr_server, hal_vr_client)
 add_hwservice(hal_vr_server, hal_vr_hwservice)
-allow hal_vr_client hal_vr_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_vr, hal_vr_hwservice)
diff --git a/public/hal_weaver.te b/public/hal_weaver.te
index b80ba292c6eb7e1fc710a9ca366db3674f3585ad..405321def16bfa9f5cbea3d6afa5704642a80599 100644
--- a/public/hal_weaver.te
+++ b/public/hal_weaver.te
@@ -2,4 +2,4 @@ binder_call(hal_weaver_client, hal_weaver_server)
 add_hwservice(hal_weaver_server, hal_weaver_hwservice)
-allow hal_weaver_client hal_weaver_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_weaver, hal_weaver_hwservice)
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index 8f5b77b86b2c6af601643703929102ada8119300..45738e20925cb32a583297de8075b521ee666062 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -3,7 +3,7 @@ binder_call(hal_wifi_client, hal_wifi_server)
 binder_call(hal_wifi_server, hal_wifi_client)
 add_hwservice(hal_wifi_server, hal_wifi_hwservice)
-allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_wifi, hal_wifi_hwservice)
 r_dir_file(hal_wifi, proc_net_type)
 r_dir_file(hal_wifi, sysfs_type)
diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
index 73bf037b11732329e8eda024fdffaae1e6245169..ea84a36e2a42102093032194724a5e4ea9bdb4d4 100644
--- a/public/hal_wifi_hostapd.te
+++ b/public/hal_wifi_hostapd.te
@@ -3,7 +3,7 @@ binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server)
 binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
 add_hwservice(hal_wifi_hostapd_server, hal_wifi_hostapd_hwservice)
-allow hal_wifi_hostapd_client hal_wifi_hostapd_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_wifi_hostapd, hal_wifi_hostapd_hwservice)
 allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
diff --git a/public/hal_wifi_offload.te b/public/hal_wifi_offload.te
index f74ed05ffe37be5d4e9f8aa247b4b37b18ad7751..1b75711d7308fa95baf70c54cf35640e7ec19b54 100644
--- a/public/hal_wifi_offload.te
+++ b/public/hal_wifi_offload.te
@@ -3,7 +3,7 @@ binder_call(hal_wifi_offload_client, hal_wifi_offload_server)
 binder_call(hal_wifi_offload_server, hal_wifi_offload_client)
 add_hwservice(hal_wifi_offload_server, hal_wifi_offload_hwservice)
-allow hal_wifi_offload_client hal_wifi_offload_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_wifi_offload, hal_wifi_offload_hwservice)
 r_dir_file(hal_wifi_offload, proc_net_type)
 r_dir_file(hal_wifi_offload, sysfs_type)
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 3d617661f7678beff644cace59f4899da2eb4af8..87a061f4db582459ee2a7f0e4ce8386b218bb7ae 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -3,7 +3,7 @@ binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
 binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
 add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
-allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
+hal_attribute_hwservice_client(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
 # in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
 allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/te_macros b/public/te_macros
index e5c476a356667ce2103c196e4da5d82284cc5ad9..ffb84281f915cd7f89257aad5d93fafab2ed7722 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -603,3 +603,15 @@ define(`add_hwservice', `
 allow $1 hidl_base_hwservice:hwservice_manager add;
 neverallow { domain -$1 } $2:hwservice_manager add;
 ')
+
+###########################################
+# hal_attribute_hwservice_client(attribute, service)
+# Ability for domain to get a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+#
+# Used to pair hal_foo_client with hal_foo_hwservice
+define(`hal_attribute_hwservice_client', ` allow $1_client $2:hwservice_manager find; neverallow { domain -$1_client -$1_server } $2:hwservice_manager find; ')
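Review bot: The header comment on the new macro describes the wrong operation: the body grants `find` and neverallows `find`, but the text says "get a service to hwservice_manager" and "preventing others from adding it", which is what add_hwservice just above does. Suggest replacing the three description lines with `# Ability for $1_client to find $2 via hwservice_manager. Also adds a neverallow so that no domain outside $1_client and $1_server may find $2; any other domain that needs the service must be declared with hal_client_domain.` The comment should also say why $1_server is carved out of the neverallow although the macro grants it nothing, so a later cleanup does not remove the exemption and break servers that look up their own hwservice. Since every hal_*.te in this change now calls this macro, the neverallow it introduces is effectively a global policy rule and that is worth stating here rather than only at the call sites.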