diff --git a/Android.mk b/Android.mk
index e1adea4ca4c7308e7afaed7d17dcf04fb45166dc..729f3b419493b88b052008afbadf4fc377d74b56 100644
--- a/Android.mk
+++ b/Android.mk
@@ -769,6 +769,7 @@ $(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
 $(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
+$(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true
 $(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 	$(transform-policy-to-conf)
diff --git a/definitions.mk b/definitions.mk
index 4b9e0989b8a69db791387d3346586626309f59c9..36b75ac042502b8d05da4699196ba8851423cfc6 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -10,6 +10,7 @@ $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
 	-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
 	-D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
 	-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
+	-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
 	$(PRIVATE_TGT_RECOVERY) \
 	-s $^ > $@
 endef
diff --git a/public/te_macros b/public/te_macros
index 949cad96a188805beaa76ce54cfa5a9133333056..cdfdc89ee3f24461db0a19b234321f7e2979a103 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -213,10 +213,15 @@ expandattribute hal_$1_client true;
 attribute hal_$1_server;
 expandattribute hal_$1_server false;
 
-neverallow { hal_$1_server -hal_$1 } domain:process fork;
 neverallow { hal_$1_server -halserverdomain } domain:process fork;
+# hal_*_client and halclientdomain attributes are always expanded for
+# performance reasons. Neverallow rules targeting expanded attributes can not be
+# verified by CTS since these attributes are already expanded by that time.
+build_test_only(`
+neverallow { hal_$1_server -hal_$1 } domain:process fork;
 neverallow { hal_$1_client -halclientdomain } domain:process fork;
 ')
+')
 
 #####################################
 # hal_server_domain(domain, hal_type)
@@ -498,6 +503,12 @@ define(`userbuild', ifelse(target_build_variant, `user', $1, ))
 #
 define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
 
+#####################################
+# Build-time-only test
+# SELinux rules which are verified during build, but not as part of *TS testing.
+#
+define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))
+
 ####################################
 # Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
 #
@@ -613,7 +624,9 @@ define(`add_hwservice', `
 # Used to pair hal_foo_client with hal_foo_hwservice
 define(`hal_attribute_hwservice', `
   allow $1_client $2:hwservice_manager find;
-  neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
-
   add_hwservice($1_server, $2)
+
+  build_test_only(`
+    neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
+  ')
 ')