diff --git a/public/hal_audio.te b/public/hal_audio.te
index f620562945a55a89eb1a3635eeb78f7380b175ae..a195c936318b0b0447a103baa9be06e009fa7907 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -38,3 +38,6 @@ neverallow hal_audio { file_type fs_type }:file execute_no_trans;
 # Should never need network access.
 # Disallow network sockets.
 neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Only audio HAL may directly access the audio hardware
+neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index df445fa9a5430a7e7ec472a972ab64b3771b3dec..6ed06b79aef4dfb49d1f177f716eebf02198107c 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -28,3 +28,7 @@ neverallow hal_camera { file_type fs_type }:file execute_no_trans;
 
 # hal_camera should never need network access. Disallow network sockets.
 neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Only camera HAL may directly access the camera and video hardware
+neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
+neverallow { halserverdomain -hal_camera_server } video_device:chr_file *;