diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 1e824046b4f2670daafa993ddbdfb0644d8e98d4..c1f9a2b01aa639b7a9e9fde858d49b8c34e1ce0a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -232,6 +232,7 @@ neverallow all_untrusted_apps {
   hal_wifi_supplicant_hwservice
   hidl_base_hwservice
   system_net_netd_hwservice
+  thermalcallback_hwservice
 }:hwservice_manager find;
 # HwBinder services offered by core components (as opposed to vendor components)
 # are considered somewhat safer due to point #2 above.
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 7e9e04c71c8dab3302d85fa8f36cf5e5cd7f2aa6..2a4f854d27ecaa7a2c8c80104868dce6fde7e391 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -4,11 +4,10 @@
 (type mediacodec_exec)
 (type qtaguid_proc)
 (type reboot_data_file)
+(type vold_socket)
 (type rild)
 (type untrusted_v2_app)
 (type webview_zygote_socket)
-(type vold_socket)
-(type thermalcallback_hwservice)
 
 (expandtypeattribute (accessibility_service_27_0) true)
 (expandtypeattribute (account_service_27_0) true)
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index e7354a74c510e9a547b02b5359ae43685651f173..6c00f35a37e274f07a0f3971e97ff080eaf4ca30 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -52,6 +52,7 @@ android.hardware.soundtrigger::ISoundTriggerHw                  u:object_r:hal_a
 android.hardware.tetheroffload.config::IOffloadConfig           u:object_r:hal_tetheroffload_hwservice:s0
 android.hardware.tetheroffload.control::IOffloadControl         u:object_r:hal_tetheroffload_hwservice:s0
 android.hardware.thermal::IThermal                              u:object_r:hal_thermal_hwservice:s0
+android.hardware.thermal::IThermalCallback                      u:object_r:thermalcallback_hwservice:s0
 android.hardware.tv.cec::IHdmiCec                               u:object_r:hal_tv_cec_hwservice:s0
 android.hardware.tv.input::ITvInput                             u:object_r:hal_tv_input_hwservice:s0
 android.hardware.usb::IUsb                                      u:object_r:hal_usb_hwservice:s0
diff --git a/public/hwservice.te b/public/hwservice.te
index 0064d9de382ecfe1d0f49938092ce4505b55c423..e5c254ec00c01da58fb34672bd588261285fd76e 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -63,3 +63,4 @@ type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
 type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice;
 type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice;
 type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
+type thermalcallback_hwservice, hwservice_manager_type;
diff --git a/public/thermalserviced.te b/public/thermalserviced.te
index 1353e4300084ded321d67242b52bb42cc8e2e913..4716826226f8d0acc2a5448be70b76a68e72f093 100644
--- a/public/thermalserviced.te
+++ b/public/thermalserviced.te
@@ -8,6 +8,7 @@ add_service(thermalserviced, thermal_service)
 
 hwbinder_use(thermalserviced)
 hal_client_domain(thermalserviced, hal_thermal)
+add_hwservice(thermalserviced, thermalcallback_hwservice)
 
 binder_call(thermalserviced, platform_app)
 binder_call(thermalserviced, system_server)