diff --git a/domain.te b/domain.te
index ff641bd3a5e93a31c28c5ad48c1562bf92f7aa00..4aa9c10e6af118035676c1e43e12f2f1963ed94a 100644
--- a/domain.te
+++ b/domain.te
@@ -166,3 +166,7 @@ neverallow { domain -init } proc_security:file { append write };
 # No domain should be allowed to ptrace init.
 neverallow domain init:process ptrace;
+
+# Init can't receive binder calls. If this neverallow rule is being
+# triggered, it's probably due to a service with no SELinux domain.
+neverallow domain init:binder call;
diff --git a/unconfined.te b/unconfined.te
index 45c82920109644d384db5b855c11aaa54ba2fc41..bdebf3a2cbc75dc68e4e53a74f735b6de2fa8d88 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -38,5 +38,5 @@ allow unconfineddomain netif_type:netif *;
 allow unconfineddomain port_type:socket_class_set name_bind;
 allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
 allow unconfineddomain domain:peer recv;
-allow unconfineddomain domain:binder { call transfer set_context_mgr };
+allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
 allow unconfineddomain property_type:property_service set;
diff --git a/zygote.te b/zygote.te
index 5d1f489ede2630012bb94342b1f41454fcb80859..9092457e42a7bac9937f60daa7f878dba0762014 100644
--- a/zygote.te
+++ b/zygote.te
@@ -47,7 +47,6 @@ allow zygote zygote_exec:file { execute_no_trans open };
 # handle bugreports b/10498304
 allow zygote ashmem_device:chr_file execute;
-allow zygote init:binder call;
 allow zygote shell_data_file:file { write getattr };
 allow zygote system_server:binder { transfer call };
 allow zygote servicemanager:binder { call };
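Review bot: The new neverallow on the last added line of the domain.te hunk asserts only `call`, while the companion unconfined.te change withdraws `transfer` toward init as well, so a future `allow foo init:binder transfer;` would pass policy checks without tripping this rule. If init is not meant to be a binder target at all, the assertion should match the unconfined change, `neverallow domain init:binder { call transfer };` — whether any domain currently relies on transferring binder references to init is not visible from this hunk. The comment could also tell the reader what the remedy is instead of leaving them to relax the rule, for example `# Fix it by giving that service its own domain with a transition from init, not by allowing the call.`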
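Review bot: The `-init` exclusion on the rewritten allow line in unconfined.te carries no explanation, and the constraint it satisfies lives in domain.te, so the next person widening unconfineddomain's binder access is likely to put `domain` back and only discover the neverallow at policy build time. A one-line comment above it would prevent that: `# init is excluded: domain.te neverallows init:binder call, since init must not receive binder calls.` The exclusion also removes `transfer` and `set_context_mgr` toward init, which goes further than the neverallow requires; if that is intentional the comment should say so, and if not, the two rules should be brought into agreement.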