diff --git a/private/blank_screen.te b/private/blank_screen.te
index 69dd7e6a0..51310d180 100644
--- a/private/blank_screen.te
+++ b/private/blank_screen.te
@@ -4,5 +4,3 @@ type blank_screen_exec, exec_type, file_type, system_file_type;
 init_daemon_domain(blank_screen)
 
 hal_client_domain(blank_screen, hal_light)
-
-allow blank_screen hal_light_service:service_manager find;
diff --git a/public/hal_light.te b/public/hal_light.te
index 1e70b74d5..7054d7b32 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -4,11 +4,14 @@ binder_call(hal_light_server, hal_light_client)
 
 hal_attribute_hwservice(hal_light, hal_light_hwservice)
 
+# client finds and uses server via service_manager
+allow hal_light_client hal_light_service:service_manager find;
+binder_use(hal_light_client)
+
+# server adds itself via service_manager
 add_service(hal_light_server, hal_light_service)
 binder_call(hal_light_server, servicemanager)
 
-allow hal_light_client hal_light_service:service_manager find;
-
 allow hal_light_server dumpstate:fifo_file write;
 
 allow hal_light sysfs_leds:lnk_file read;