diff --git a/private/bpfloader.te b/private/bpfloader.te
index 7644cac84..d7b27b556 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -40,7 +40,17 @@ neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setat
 
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
 
-neverallow { domain -bpfloader -gpuservice -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
+neverallow {
+  domain
+  -bpfloader
+  -gpuservice
+  -hal_health_server
+  -mediaprovider_app
+  -netd
+  -netutils_wrapper
+  -network_stack
+  -system_server
+} *:bpf prog_run;
 neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
 
diff --git a/public/charger_vendor.te b/public/charger_vendor.te
index 2dd106fa2..d8f3bb2f9 100644
--- a/public/charger_vendor.te
+++ b/public/charger_vendor.te
@@ -2,3 +2,5 @@
 
 type charger_vendor, charger_type, domain;
 hal_server_domain(charger_vendor, hal_health)
+
+typeattribute charger_vendor bpfdomain;
diff --git a/public/hal_health.te b/public/hal_health.te
index e2a6a6001..a31da4d93 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -26,3 +26,9 @@ allow hal_health_server kmsg_device:chr_file { getattr w_file_perms };
 
 # Allow to use timerfd to wake itself up periodically to send health info.
 allow hal_health_server self:capability2 wake_alarm;
+
+# Use bpf programs
+allow hal_health_server fs_bpf:dir search;
+allow hal_health_server fs_bpf_vendor:dir search;
+allow hal_health_server fs_bpf_vendor:file read;
+allow hal_health_server bpfloader:bpf prog_run;
diff --git a/vendor/hal_health_default.te b/vendor/hal_health_default.te
index a48c7b8cc..8e118e9f5 100644
--- a/vendor/hal_health_default.te
+++ b/vendor/hal_health_default.te
@@ -1,5 +1,8 @@
 # health info abstraction
 type hal_health_default, domain;
+
+typeattribute hal_health_default bpfdomain;
+
 hal_server_domain(hal_health_default, hal_health)
 
 type hal_health_default_exec, exec_type, vendor_file_type, file_type;