diff --git a/domain.te b/domain.te
index 1a3feb4351db37f7d1154d6354187812864f3568..9f5ea9b6fe59462a1f171f157b7c3aef6c18cdf6 100644
--- a/domain.te
+++ b/domain.te
@@ -289,3 +289,10 @@ neverallow domain {fs_type -contextmount_type}:filesystem relabelto;
 # mount to another type.
 neverallow { domain -recovery } contextmount_type:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Do not allow service_manager add for default_android_service.
+# Instead domains should use a more specific type such as
+# system_app_service rather than the generic type.
+# New service_types are defined in service.te and new mappings
+# from service name to service_type are defined in service_contexts.
+neverallow domain default_android_service:service_manager add;
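Review bot: The comment above the new rule reads as though the rule blocks registration at runtime, but `neverallow` is a build-time assertion: it fails policy compilation if any `allow` rule grants `default_android_service:service_manager add`, and does not itself generate a denial. A one-line addition would make the enforcement point clear to the next reader, e.g. `# neverallow is a compile-time check: any domain granted this permission fails the policy build.`. Only `add` is asserted; `find` on `default_android_service` is left to the existing allow rules, which looks intentional (lookups of services that have no service_contexts entry still resolve), but saying so explicitly would stop a reader from assuming the generic type is fully blocked, e.g. `# Lookups ('find') of default_android_service are unaffected; only registration is constrained.`.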
diff --git a/untrusted_app.te b/untrusted_app.te
index 50a02da689fc988e98b6197f00aafe693c6764c3..35b32487e11a285684edff81459bd8bf6ea494e8 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -71,3 +71,8 @@ allow untrusted_app cache_file:file create_file_perms;
 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
 neverallow untrusted_app debugfs:file read;
+
+# Do not allow untrusted apps to register services.
+# Only trusted components of Android should be registering
+# services.
+neverallow untrusted_app service_manager_type:service_manager add;
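Review bot: The new assertion is scoped to the `untrusted_app` domain alone, so any other low-trust app domain in this policy (isolated_app, if present in this tree) is not covered by it; if the intent stated in the comment — only trusted components register services — is meant to hold for every app-level domain, an attribute shared by those domains would be the more robust subject than a single domain. As with the domain.te hunk, this is a compile-time check rather than a runtime denial, and it asserts `add` only, leaving `find` on `service_manager_type` to the per-service allow rules. A short comment would make both points visible, e.g. `# Build-time assertion on registration ('add') only; 'find' is governed by per-service allow rules.`.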