diff --git a/public/domain.te b/public/domain.te
index e550485ee7fdcb11ade80a8a94fde20d86b570dc..0ea69d740932303ba23b8ae4db262402d45f7ea7 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -775,13 +775,6 @@ neverallow {
   -mediaextractor
 } tombstoned_crash_socket:unix_stream_socket connectto;
 
-neverallow {
-  domain
-  -crash_dump
-  -mediacodec
-  -mediaextractor
-} tombstoned_crash_socket:sock_file write;
-
 # Never allow anyone except dumpstate or the system server to connect or write to
 # the tombstoned intercept socket.
 neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 795592ff33c4de387f6464831611b91860ccd5d0..d5f2ef6fe440e7e8342ebd0703032b8efc4cc688 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -8,6 +8,10 @@ add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
 # this HAL should be restricted to different clients. Thus, the allow rules for
 # clients are defined in the .te files of the clients.
 
+# hal_configstore runs with a strict seccomp filter. Use crash_dump's
+# fallback path to collect crash data.
+crash_dump_fallback(hal_configstore_server)
+
 ###
 ### neverallow rules
 ###
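Review bot: Granting `crash_dump_fallback(hal_configstore_server)` here is presumably what forces the removal of the `tombstoned_crash_socket:sock_file write` neverallow in public/domain.te, and that removal drops the build-time guard for every domain, not only this HAL. Keeping that rule and adding `-hal_configstore_server` to its exemption list would preserve the guard for all other domains. The macro body is not part of this diff, so the comment above the call should also name what it grants. If it grants what the later exemptions suggest, something like `# grants write to the tombstoned crash socket and append to tombstone/ANR files` would do, so a reader can judge the added surface without opening the macro definition.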
@@ -33,11 +37,14 @@ neverallow hal_configstore_server {
   -hal_configstore_server
   -logd
   userdebug_or_eng(`-su')
+  -tombstoned
 }:{ unix_dgram_socket unix_stream_socket } *;
 
 # Should never need access to anything on /data
 neverallow hal_configstore_server {
   data_file_type
+  -anr_data_file # for crash dump collection
+  -tombstone_data_file # for crash dump collection
   -zoneinfo_data_file # granted to domain
 }:{ file fifo_file sock_file } *;
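Review bot: The new exemptions (`-tombstoned` on the socket rule, `-anr_data_file` and `-tombstone_data_file` on the /data rule) take those types out of neverallows that cover every permission (`*`), so the policy build no longer rejects any future allow rule on them for this HAL. If the fallback path only needs to connect to tombstoned and append to files it is handed (the macro body is not visible here, so confirm the exact set), add narrow companion rules. Examples are `neverallow hal_configstore_server { anr_data_file tombstone_data_file }:{ fifo_file sock_file } *;`, a `:file ~{ append getattr }` rule for the same two types, and `neverallow hal_configstore_server tombstoned:unix_dgram_socket *;`. The comment `# Should never need access to anything on /data` is no longer accurate as written and should mention the crash-dump exception. The first neverallow in this hunk begins outside the hunk.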