diff --git a/private/isolated_app.te b/private/isolated_app.te
index 85e80a5fa82d2412dcf370a2513c4387cf8102bf..95b008da1e56ab5132ed19b85a744207e6643747 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -47,6 +47,12 @@ allow isolated_app webview_zygote_tmpfs:file read;
 # suppress denials to /data/local/tmp
 dontaudit isolated_app shell_data_file:dir search;
+# TODO(b/37211678): give isolated_app explicit access to same_process_hal_file
+# if needed.
+userdebug_or_eng(`
+ auditallow isolated_app same_process_hal_file:file *;
+')
+
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
 allow isolated_app traced:fd use;
diff --git a/public/domain.te b/public/domain.te
index b47922752c6133184f5ec0201215c653bd0793dc..04774ed8162cafbf8dbeda5ca6899b8623a6a730 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -188,7 +188,22 @@ allow domain vendor_hal_file:dir r_dir_perms;
 # Everyone can read and execute all same process HALs
 allow domain same_process_hal_file:dir r_dir_perms;
+# TODO(b/37211678): whitelist domains that actually need same process HALs.
 allow domain same_process_hal_file:file { execute read open getattr map };
+# Touching same_process_hal_file indicates usage of SP-HALs or abuse of
+# same_process_hal_file label, which is what we are interested in.
+userdebug_or_eng(`
+ auditallow {
+ coredomain
+ -zygote
+ -hal_allocator_client
+ # Graphics mapper clients.
+ -hal_graphics_allocator_client
+ # Renderscript clients include { system_server appdomain -isolated_app }.
+ -appdomain
+ -system_server
+ } same_process_hal_file:file *;
+')
 # Any process can load vndk-sp libraries, which are system libraries
 # used by same process HALs
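Review bot: The wildcard in `auditallow isolated_app same_process_hal_file:file *;` audits every permission the domain already holds, which per the `allow domain same_process_hal_file:file { execute read open getattr map };` rule in this same diff includes `getattr` and `read`, so the audit log will also record stats and reads of SP-HAL libraries that never reach a dlopen. If the question behind b/37211678 is whether vendor code is actually being mapped into the isolated sandbox, narrowing to `auditallow isolated_app same_process_hal_file:file { execute map };` gives a cleaner signal with less noise to triage. Since the rule is wrapped in `userdebug_or_eng`, user builds contribute no data; the TODO comment would be more actionable if it stated the intended end state once data is collected, for example `# Expected outcome: either an explicit allow for isolated_app or a neverallow on execute/map.`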
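Review bot: The `-appdomain` exclusion in the `auditallow { coredomain ... -appdomain -system_server }` block also drops isolated_app from this audit, while the inline comment `# Renderscript clients include { system_server appdomain -isolated_app }.` says isolated_app is not a Renderscript client and so is still of interest; the matching rule lives in private/isolated_app.te in this same change, but nothing in domain.te says so, and a reader of this file alone will take `-appdomain` to mean apps are out of scope. Suggest adding `# isolated_app is audited separately in private/isolated_app.te.` next to the `-appdomain` line so the split is visibly deliberate. The `*` permission set means every granted permission is logged, including `getattr` and `read`, so on userdebug builds ordinary coredomain activity such as `shell` listing or reading files under a same_process_hal_file path will generate audit entries that are not SP-HAL usage; if the intent is to find domains that load SP-HALs, `{ execute map }` would be a tighter filter, though that depends on what b/37211678 is after, which is not visible here.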