diff --git a/private/atrace.te b/private/atrace.te
index 585c25484..d4aed40a4 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -1,7 +1,6 @@
 # Domain for atrace process.
 # It is spawned either by traced_probes or by init for the boottrace service.
-type atrace, domain, coredomain;
 type atrace_exec, exec_type, file_type, system_file_type;
 # boottrace services uses /data/misc/boottrace/categories
diff --git a/public/atrace.te b/public/atrace.te
new file mode 100644
index 000000000..7327f84ec
--- /dev/null
+++ b/public/atrace.te
@@ -0,0 +1 @@
+type atrace, domain, coredomain;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 929f12075..99b60654f 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -3,12 +3,10 @@ binder_call(hal_fingerprint_client, hal_fingerprint_server)
 binder_call(hal_fingerprint_server, hal_fingerprint_client)
 hal_attribute_hwservice(hal_fingerprint, hal_fingerprint_hwservice)
+hal_attribute_service(hal_fingerprint, hal_fingerprint_service)
-add_service(hal_fingerprint_server, hal_fingerprint_service)
 binder_call(hal_fingerprint_server, servicemanager)
-allow hal_fingerprint_client hal_fingerprint_service:service_manager find;
-
 # For memory allocation
 allow hal_fingerprint ion_device:chr_file r_file_perms;
diff --git a/public/hal_identity.te b/public/hal_identity.te
index 3a95743c2..8d558ade1 100644
--- a/public/hal_identity.te
+++ b/public/hal_identity.te
@@ -1,7 +1,6 @@
 # HwBinder IPC from client to server
 binder_call(hal_identity_client, hal_identity_server)
-add_service(hal_identity_server, hal_identity_service)
-binder_call(hal_identity_server, servicemanager)
+hal_attribute_service(hal_identity, hal_identity_service)
-allow hal_identity_client hal_identity_service:service_manager find;
+binder_call(hal_identity_server, servicemanager)
diff --git a/public/hal_light.te b/public/hal_light.te
index 4aa824a6d..40829b6bb 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
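Review bot: public/atrace.te gives no reason for declaring `type atrace, domain, coredomain;` in public rather than private, and the only reason visible in this commit is that the new `hal_attribute_service` neverallow in te_macros lists `-atrace`. Under the usual public/private split a public type is also exported to vendor policy, so the wider visibility is a deliberate cost that the next maintainer should see. A one-line comment in the new file, `# Declared in public (not private) so the hal_attribute_service neverallow in te_macros can exempt atrace.`, would keep someone from moving the type back and breaking the macro. The rest of the atrace rules stay in private/atrace.te as far as that hunk shows.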
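Review bot: `binder_call(hal_identity_server, servicemanager)` is removed and re-added unchanged purely to move it below the new macro call, so the hunk and `git blame` record a change where there is none; the hal_rebootescrow hunk does the same with `binder_use(hal_rebootescrow_server)`. Placing `hal_attribute_service(hal_identity, hal_identity_service)` on the line where `add_service(...)` stood, as the hal_fingerprint, hal_light, hal_power and hal_vibrator hunks do, keeps each hunk to the one real change. The retained servicemanager line is still needed at every call site because the macro body visible in te_macros grants only `find`/`add_service`, so a short comment such as `# servicemanager binder access is not part of hal_attribute_service` would explain why it stays outside the macro; confirm that add_service itself does not already cover it, since its definition is not in this diff.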
@@ -3,13 +3,9 @@ binder_call(hal_light_client, hal_light_server)
 binder_call(hal_light_server, hal_light_client)
 hal_attribute_hwservice(hal_light, hal_light_hwservice)
+hal_attribute_service(hal_light, hal_light_service)
-# server adds itself via service_manager
-add_service(hal_light_server, hal_light_service)
 binder_call(hal_light_server, servicemanager)
-
-# client finds and uses server via service_manager
-allow hal_light_client hal_light_service:service_manager find;
 binder_use(hal_light_client)
 allow hal_light_server dumpstate:fifo_file write;
diff --git a/public/hal_power.te b/public/hal_power.te
index c94771b57..aae32a016 100644
--- a/public/hal_power.te
+++ b/public/hal_power.te
@@ -3,8 +3,7 @@ binder_call(hal_power_client, hal_power_server)
 binder_call(hal_power_server, hal_power_client)
 hal_attribute_hwservice(hal_power, hal_power_hwservice)
+hal_attribute_service(hal_power, hal_power_service)
-add_service(hal_power_server, hal_power_service)
 binder_call(hal_power_server, servicemanager)
 binder_call(hal_power_client, servicemanager)
-allow hal_power_client hal_power_service:service_manager find;
diff --git a/public/hal_rebootescrow.te b/public/hal_rebootescrow.te
index 4352630ba..d16333bae 100644
--- a/public/hal_rebootescrow.te
+++ b/public/hal_rebootescrow.te
@@ -1,7 +1,6 @@
 # HwBinder IPC from client to server
 binder_call(hal_rebootescrow_client, hal_rebootescrow_server)
-add_service(hal_rebootescrow_server, hal_rebootescrow_service)
-binder_use(hal_rebootescrow_server)
+hal_attribute_service(hal_rebootescrow, hal_rebootescrow_service)
-allow hal_rebootescrow_client hal_rebootescrow_service:service_manager find;
+binder_use(hal_rebootescrow_server)
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index a34621d37..c90249571 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -3,12 +3,10 @@ binder_call(hal_vibrator_client, hal_vibrator_server)
 binder_call(hal_vibrator_server, hal_vibrator_client);
 hal_attribute_hwservice(hal_vibrator, hal_vibrator_hwservice)
+hal_attribute_service(hal_vibrator, hal_vibrator_service)
-add_service(hal_vibrator_server, hal_vibrator_service)
 binder_call(hal_vibrator_server, servicemanager)
-allow hal_vibrator_client hal_vibrator_service:service_manager find;
-
 allow hal_vibrator_server dumpstate:fifo_file write;
 # vibrator sysfs rw access
diff --git a/public/te_macros b/public/te_macros
index 56f977522..fdf0675d9 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -654,10 +654,42 @@ define(`hal_attribute_hwservice', `
 add_hwservice($1_server, $2)
 build_test_only(`
+ # if you are hitting this neverallow, try using:
+ # hal_client_domain(, hal_)
+ # instead
 neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
 ')
 ')
+###########################################
+# hal_attribute_service(attribute, service)
+# Ability for domain to get a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+#
+# Used to pair hal_foo_client with hal_foo_hwservice
+define(`hal_attribute_service', `
+ allow $1_client $2:service_manager find;
+ add_service($1_server, $2)
+ build_test_only(`
+ # if you are hitting this neverallow, try using:
+ # hal_client_domain(, hal_)
+ # instead
+ neverallow {
+ domain
+ -$1_client
+ -$1_server
+ # some services are allowed to find all services
+ -atrace
+ -dumpstate
+ -shell
+ -system_app
+ -traceur_app
+ } $2:service_manager find;
+ ')
+')
+
 ###################################
 # can_profile_heap(domain)
 # Allow processes within the domain to have their heap profiled by heapprofd.
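Review bot: The header comment on the new `hal_attribute_service` macro was copied from `hal_attribute_hwservice` and describes the wrong objects: it says hwservice_manager and `hal_foo_hwservice` while the body acts on `$2:service_manager` and pairs `hal_foo_client` with `hal_foo_service`, and the neverallow it emits restricts `find`, whereas the comment says it prevents others from "adding" the service (add_service may carry its own add neverallow, but its definition is not in this diff). Suggest `# Ability for $1_server to add a service to service_manager and for $1_client to find it. It also creates a neverallow preventing unrelated domains from finding it.` and `# Used to pair hal_foo_client with hal_foo_service`. The exemption list `-atrace -dumpstate -shell -system_app -traceur_app` is hard-coded inside the macro, so every future domain that may find any service has to edit this macro and the hunk gives no reason per domain; if the policy already defines an attribute for such "find all services" domains, excluding that attribute instead would keep the list in one place, and otherwise a comment naming where each exemption's blanket `find` rule lives would let a reviewer re-check them. Both `hal_client_domain(, hal_)` hints render with empty placeholders, which may be a rendering artifact of angle-bracketed text, but is worth checking in the committed file since the hint is what a developer hitting the neverallow will read.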