diff --git a/private/system_server.te b/private/system_server.te
index e23a33c11fdf9551077f49a288a7ddf83eae15cb..738a84eebbe9c42c5ef696bb4e3bb095431d3989 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -195,7 +195,6 @@ binder_call(system_server, hal_usb)
 binder_call(system_server, hal_vibrator)
 binder_call(system_server, hal_vr)
 binder_call(system_server, hal_wifi)
-binder_call(system_server, hal_drm)
 binder_call(system_server, wpa)
 
 # Talk to tombstoned to get ANR traces.
diff --git a/public/attributes b/public/attributes
index 5c43d5e790e6c539069b941c342ef7e3e3b4d798..281724e14df14f6aa7dd1162bae45ccf137aaeef 100644
--- a/public/attributes
+++ b/public/attributes
@@ -135,6 +135,8 @@ attribute hal_camera_server;
 attribute hal_configstore;
 attribute hal_contexthub;
 attribute hal_drm;
+attribute hal_drm_client;
+attribute hal_drm_server;
 attribute hal_dumpstate;
 attribute hal_fingerprint;
 attribute hal_gatekeeper;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 79b385f7af6b464103bde9ecbfaa3ca19b04dc74..05fe347847b7b838ce7d353975d3203adbf6257c 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -1,5 +1,6 @@
-## call into system_server process (for invoking callbacks)
-binder_call(hal_drm, mediadrmserver)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_drm_client, hal_drm_server)
+binder_call(hal_drm_server, hal_drm_client)
 
 # Required by Widevine DRM (b/22990512)
 allow hal_drm self:process execmem;
@@ -50,4 +51,4 @@ allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
 neverallow hal_drm { file_type fs_type }:file execute_no_trans;
 
 # do not allow privileged socket ioctl commands
-neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
\ No newline at end of file
+neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
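Review bot: The new IPC rules in hal_drm.te are keyed on hal_drm_client and hal_drm_server, but the rule directly below them, `allow hal_drm self:process execmem;`, and the socket rules later in the same file remain keyed on the umbrella `hal_drm` attribute, so every domain that hal_server_domain or hal_client_domain places into hal_drm receives them, not only the HAL server. If hal_client_domain also attaches mediadrmserver to hal_drm for the in-process (passthrough) case — the macro definition is not visible here — execmem and the socket grants would follow the client even when the HAL is binderized. A one-line comment stating the intended split would stop the next reader from widening the wrong attribute, e.g. `# Rules on hal_drm cover both the server and any passthrough client; put server-only rules on hal_drm_server.` The neverallow rules in the second hunk of this file staying on hal_drm is correct, since a restriction should cover both sides.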
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index 8835585f6f92dc2077489a84a4d047ea4099fe9c..9eb597c07f50f6175276fd34e9fe9f66e2596c0f 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -9,7 +9,7 @@ binder_use(mediadrmserver)
 binder_call(mediadrmserver, binderservicedomain)
 binder_call(mediadrmserver, appdomain)
 binder_service(mediadrmserver)
-binder_call(mediadrmserver, hal_drm)
+hal_client_domain(mediadrmserver, hal_drm)
 
 add_service(mediadrmserver, mediadrmserver_service)
 allow mediadrmserver mediaserver_service:service_manager find;
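Review bot: `hal_client_domain(mediadrmserver, hal_drm)` now has to supply everything the explicit rules it replaces did, and the following hunk also deletes `hwbinder_use(mediadrmserver)`, so unless the macro grants HwBinder access on its own mediadrmserver can no longer reach a binderized DRM HAL at all; the macro definition is outside this diff, so that is worth confirming before merge. The removed `binder_call(mediadrmserver, hal_drm)` was a one-way grant, whereas the hal_drm_client/hal_drm_server pair added in hal_drm.te is bidirectional, which is the callback path the deleted comment in that file described. A short comment on the new line would record the dependency for the next reader: `# HwBinder access and IPC to hal_drm_server are expected to come from this macro.`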
@@ -17,56 +17,6 @@ allow mediadrmserver mediametrics_service:service_manager find;
 allow mediadrmserver processinfo_service:service_manager find;
 allow mediadrmserver surfaceflinger_service:service_manager find;
 
-### Rules needed when DRM HAL runs inside mediadrmserver process.
-### These rules should eventually be granted only when needed.
-# Required by Widevine DRM (b/22990512)
-allow mediadrmserver self:process execmem;
-
-# System file accesses.
-allow mediadrmserver system_file:dir r_dir_perms;
-allow mediadrmserver system_file:file r_file_perms;
-allow mediadrmserver system_file:lnk_file r_file_perms;
-
-# Read files already opened under /data.
-allow mediadrmserver system_data_file:dir { search getattr };
-allow mediadrmserver system_data_file:file { getattr read };
-allow mediadrmserver system_data_file:lnk_file r_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(mediadrmserver, cgroup)
-allow mediadrmserver cgroup:dir { search write };
-allow mediadrmserver cgroup:file w_file_perms;
-
-# Allow access to ion memory allocation device
-allow mediadrmserver ion_device:chr_file rw_file_perms;
-allow mediadrmserver hal_graphics_allocator:fd use;
-
-# Allow access to app_data and media_data_files
-allow mediadrmserver media_data_file:dir create_dir_perms;
-allow mediadrmserver media_data_file:file create_file_perms;
-allow mediadrmserver media_data_file:file { getattr read };
-
-allow mediadrmserver tee_device:chr_file rw_file_perms;
-
-# XXX Label with a specific type?
-allow mediadrmserver sysfs:file r_file_perms;
-
-# Connect to tee service.
-allow mediadrmserver tee:unix_stream_socket connectto;
-
-# only allow unprivileged socket ioctl commands
-allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-# Permit reading device's serial number from system properties
-get_prop(mediadrmserver, serialno_prop)
-###
-
-### Rules needed when DRM HAL runs outside of mediadrmserver process.
-### These rules should eventually be granted only when needed.
-hwbinder_use(mediadrmserver)
-###
-
 ###
 ### neverallow rules
 ###
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index 74875af44e7d06c092b614c4889967a3c5d45747..eba763aa864195f0e7433db13664efe64b42e4ab 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -1,5 +1,5 @@
 type hal_drm_default, domain;
-hal_impl_domain(hal_drm_default, hal_drm)
+hal_server_domain(hal_drm_default, hal_drm)
 
 type hal_drm_default_exec, exec_type, file_type;
 init_daemon_domain(hal_drm_default)