diff --git a/private/system_server.te b/private/system_server.te
index a4fa493adfc9782ec2364f3e104dde4b48ab84c0..2711a8c1aeebbb06efc6183a54adb993380718cf 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -197,11 +197,6 @@ binder_call(system_server, hal_vr)
 hal_client_domain(system_server, hal_vr)
 hal_client_domain(system_server, hal_wifi)
 
-# TODO(b/34274385): Remove this once Wi-Fi Supplicant HAL is guaranteed to be binderized on full
-# Treble devices. Passthrough Wi-Fi Supplicant HAL makes system_server touch wpa_socket which is a
-# vendor type. system_server, being a non-vendor component, is not permitted to touch that socket.
-typeattribute system_server socket_between_core_and_vendor_violators;
-
 hal_client_domain(system_server, hal_wifi_supplicant)
 
 # Talk to tombstoned to get ANR traces.
diff --git a/public/te_macros b/public/te_macros
index 020bdc505176a3d8256416ca912dfba1e9019896..3ac0e5dc53d07b83302a04680317e62604fe4acd 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -175,15 +175,17 @@ define(`hal_client_domain', `
 typeattribute $1 halclientdomain;
 typeattribute $1 $2_client;
 
-# TODO(b/34170079): Make the inclusion of the rules below conditional,
-# once we know at build time whether a HAL is going to run in
-# passthrough or binderized mode.
+# TODO(b/34170079): Make the inclusion of the rules below conditional also on
+# non-Treble devices. For now, on non-Treble device, always grant clients of a
+# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
+not_full_treble(`
 typeattribute $1 $2;
 # Find passthrough HAL implementations
 allow $2 system_file:dir r_dir_perms;
 allow $2 vendor_file:dir r_dir_perms;
 allow $2 vendor_file:file { read open getattr execute };
 ')
+')
 
 #####################################
 # passthrough_hal_client_domain(domain, hal_type)