diff --git a/private/app.te b/private/app.te
index e0fb6f14d86696aaad672c31e565f1f218a1f156..b009d986944a0e3ea1f127921174937a6cd86eaa 100644
--- a/private/app.te
+++ b/private/app.te
@@ -158,6 +158,11 @@ binder_call(appdomain, appdomain)
# Perform binder IPC to ephemeral apps.
binder_call(appdomain, ephemeral_app)
+# hidl access for mediacodec
+# TODO(b/34454312): only allow getting and talking to mediacodec service
+hwbinder_use(appdomain)
+hwallocator_use(appdomain)
+
# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
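Review bot: `hwbinder_use(appdomain)` and `hwallocator_use(appdomain)` apply to every domain carrying the appdomain attribute, which is wider than the mediacodec-only access the TODO describes. What the two macros expand to is not visible in this hunk, but nothing here limits which hwservices an app can look up or call. Until b/34454312 is resolved, the comment should state the over-grant explicitly, for example `# Temporarily granted to all app domains; only the mediacodec service is meant to be reachable.` If some app domains do not need codec access, leaving them out of the macro argument or adding a neverallow in the same change would bound the exposure. The comment block after the added lines continues past the end of the hunk.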
diff --git a/private/system_server.te b/private/system_server.te
index 30fe3e2ba039be200a3c3e0037ed5fe407336cf9..cba1ab3d9fdbd6500c377605c841658e10c4e08e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -179,6 +179,7 @@ binder_service(system_server)
# Perform HwBinder IPC.
hwbinder_use(system_server)
+hwallocator_use(system_server)
binder_call(system_server, hal_bluetooth)
binder_call(system_server, hal_boot)
binder_call(system_server, hal_contexthub)
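Review bot: The added `hwallocator_use(system_server)` sits under the existing `# Perform HwBinder IPC.` comment with no statement of why system_server needs the allocator. The `# hidl access` comments added in public/mediacodec.te and public/mediaserver.te are equally terse. A one-line reason on each grant would let a later audit decide whether it can be removed, e.g. `# Needed for <consumer> to obtain buffers from the HIDL allocator.` with the actual consumer filled in.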
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 9f07d8564ac4df721d855ff17954f710ca83f263..6b4d677181d06f033860e1e990822302d9cfad1e 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -18,6 +18,11 @@ allow mediacodec video_device:dir search;
allow mediacodec ion_device:chr_file rw_file_perms;
allow mediacodec hal_graphics_allocator:fd use;
+# hidl access
+hwbinder_use(mediacodec)
+hwallocator_use(mediacodec)
+allow mediacodec system_file:dir { open read };
+
###
### neverallow rules
###
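Review bot: `allow mediacodec system_file:dir { open read };` lets mediacodec list directories labelled system_file, and the `# hidl access` comment above it does not say which directory is enumerated or why. Since this lands in public/ policy, the rule deserves its own comment, such as `# List <directory> to locate HAL implementations (confirm).` If directory listing turns out not to be required for the HIDL path, the rule should be dropped rather than kept alongside the macros.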
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 16b8013288aa19530e33547c616156ca260677cf..fa472886a77b0decf418e2ee04529e36fc2a20b3 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -132,6 +132,10 @@ allow mediaserver hal_graphics_allocator:fd use;
allow mediaserver system_server:fd use;
+# hidl access
+hwbinder_use(mediaserver)
+hwallocator_use(mediaserver)
+
###
### neverallow rules
###