diff --git a/domain.te b/domain.te
index eb22ec7b96dcab5bc110c1c3cbfca3473d22ac90..23dabf58e8f4839911aab9272899ac0ca40b0ef0 100644
--- a/domain.te
+++ b/domain.te
@@ -494,3 +494,9 @@ neverallow {
   -installd
   -surfaceflinger # TODO: see if we can remove from mako sepolicy
 } shell_data_file:lnk_file read;
+
+# servicemanager is the only process which handles list request
+neverallow domain ~servicemanager:service_manager list;
+
+# only service_manager_types can be added to service_manager
+neverallow domain ~service_manager_type:service_manager { add find };
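Review bot: The two comments added above the new domain.te rules describe less than the rules enforce. The `list` rule constrains only the target type: any domain may still be allowed `list` on `servicemanager`, so the first comment would read more accurately as `# list may only be granted against the servicemanager type itself, never against any other type`. The second rule covers `find` as well as `add`, but its comment mentions only adding; something like `# add and find may only target types that carry the service_manager_type attribute` would match it. It is also worth stating in that comment that the guarantee depends on every service type being declared with the attribute, since that is the invariant the neverallow checks at build time.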
diff --git a/init.te b/init.te
index 34b010cf3ce1dd9cad4a50f3cae6c1c2ce1fac52..9fdfd222a3cd27a569828a37989a3180e44deb35 100644
--- a/init.te
+++ b/init.te
@@ -282,3 +282,7 @@ neverallow init app_data_file:lnk_file read;
 
 # init should never execute a program without changing to another domain.
 neverallow init { file_type fs_type }:file execute_no_trans;
+
+# Init never adds or uses services via service_manager.
+neverallow init service_manager_type:service_manager { add find };
+neverallow init servicemanager:service_manager list;
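Review bot: The init.te rules only amount to a complete prohibition when read together with the complement rules this commit adds to domain.te, and the comment does not say so. On their own, these two lines forbid `add`/`find` on `service_manager_type` and `list` on `servicemanager`; the remaining target types are covered by the `~service_manager_type` and `~servicemanager` rules on `domain`, which appears to include init. A comment such as `# With the domain-wide rules in domain.te, init is denied add, find and list on every service_manager target` would keep a later edit to domain.te from silently narrowing what init is denied. The existing comment also omits `list`, which the second rule covers.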