diff --git a/file_contexts b/file_contexts
index 36fde98c77dee6c6d8e966e6af37e30aee9a545b..eeda6c73e52d6ceb7c6bb5e10edb6ffa08cc1523 100644
--- a/file_contexts
+++ b/file_contexts
@@ -215,6 +215,8 @@
 /system/bin/idmap u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/bspatch              u:object_r:update_engine_exec:s0
+/system/bin/hw/wifi_hal_legacy   u:object_r:wifi_hal_legacy_exec:s0
+
 
 #############################
 # Vendor files
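Review bot: The added empty line after the `wifi_hal_legacy` entry leaves two consecutive blank lines before the "Vendor files" banner, because the existing blank context line follows it. Dropping the added empty line keeps the section spacing as it was. The label only takes effect if the binary is installed at exactly `/system/bin/hw/wifi_hal_legacy`, so it is worth confirming the install path in the build rules matches.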
diff --git a/wifi_hal_legacy.te b/wifi_hal_legacy.te
new file mode 100644
index 0000000000000000000000000000000000000000..a7fce572955646d3f5f0c65fef5a82a92c930a00
--- /dev/null
+++ b/wifi_hal_legacy.te
@@ -0,0 +1,22 @@
+# wifi legacy hal
+type wifi_hal_legacy, domain;
+type wifi_hal_legacy_exec, exec_type, file_type;
+
+# may be started by init
+init_daemon_domain(wifi_hal_legacy)
+
+## hwbinder access
+hwbinder_use(wifi_hal_legacy)
+
+## call into wificond process (callbacks)
+binder_call(wifi_hal_legacy, wificond)
+
+r_dir_file(wifi_hal_legacy, proc_net)
+r_dir_file(wifi_hal_legacy, sysfs_type)
+
+allow wifi_hal_legacy self:udp_socket create_socket_perms;
+allow wifi_hal_legacy self:capability { net_admin net_raw };
+# allow wifi_hal_legacy to speak to nl80211 in the kernel
+allow wifi_hal_legacy self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
+allow wifi_hal_legacy self:netlink_generic_socket create_socket_perms_no_ioctl;
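Review bot: `r_dir_file(wifi_hal_legacy, sysfs_type)` grants read access through the attribute to every sysfs label, which is much wider than a Wi-Fi HAL is likely to need. It should name only the labels the HAL actually reads, e.g. `r_dir_file(wifi_hal_legacy, <SYSFS_LABEL_USED_BY_HAL>)`, taken from the denials seen in testing. The `self:capability { net_admin net_raw }` line has no comment; if `net_raw` is not demonstrably required it should be dropped, and otherwise a comment of the form `# net_admin: <reason>; net_raw: <reason>` would record why each is granted. The `udp_socket` rule uses `create_socket_perms` while both netlink rules use the `_no_ioctl` variant, so a comment stating which socket ioctls the HAL issues would justify that difference.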
diff --git a/wificond.te b/wificond.te
index d7979ec9af97ba1d3fefbc1b2652d3b620bb08b5..673394a2c0c27c77930cf496d482423adaea8b8a 100644
--- a/wificond.te
+++ b/wificond.te
@@ -8,6 +8,9 @@ binder_use(wificond)
 binder_call(wificond, system_server)
 binder_call(wificond, wpa)
 
+hwbinder_use(wificond)
+binder_call(wificond, wifi_hal_legacy)
+
 allow wificond wificond_service:service_manager { add find };
 
 # wificond writes firmware paths to this file.
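Review bot: The two added rules carry no comment, while the matching rule in wifi_hal_legacy.te is annotated `## call into wificond process (callbacks)`. A line such as `# call into the wifi legacy HAL over hwbinder` above `hwbinder_use(wificond)` would keep the two sides readable together. With the reverse `binder_call(wifi_hal_legacy, wificond)` the call path is bidirectional, so wificond presumably receives callback data from a domain that holds `net_admin`/`net_raw`; it is worth confirming that the callback interface treats that data as untrusted.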