diff --git a/private/hal_audio_default.te b/private/hal_audio_default.te
index bbbd419..93ffd8e 100644
--- a/private/hal_audio_default.te
+++ b/private/hal_audio_default.te
@@ -1,4 +1,5 @@
-type hal_audio_default, hal_audio, domain;
-type hal_audio_default_exec, exec_type, file_type;
+type hal_audio_default, domain;
+hal_impl_domain(hal_audio_default, hal_audio)
 
+type hal_audio_default_exec, exec_type, file_type;
 init_daemon_domain(hal_audio_default)
diff --git a/private/hal_bluetooth_default.te b/private/hal_bluetooth_default.te
index f77410c..b8fce63 100644
--- a/private/hal_bluetooth_default.te
+++ b/private/hal_bluetooth_default.te
@@ -1,6 +1,7 @@
-type hal_bluetooth_default, hal_bluetooth, domain;
-type hal_bluetooth_default_exec, exec_type, file_type;
+type hal_bluetooth_default, domain;
+hal_impl_domain(hal_bluetooth_default, hal_bluetooth)
 
+type hal_bluetooth_default_exec, exec_type, file_type;
 init_daemon_domain(hal_bluetooth_default)
 
 # VTS tests need to be able to toggle rfkill
diff --git a/private/hal_contexthub_default.te b/private/hal_contexthub_default.te
index 99b6b93..abf5b0e 100644
--- a/private/hal_contexthub_default.te
+++ b/private/hal_contexthub_default.te
@@ -1,4 +1,5 @@
-type hal_contexthub_default, hal_contexthub, domain;
-type hal_contexthub_default_exec, exec_type, file_type;
+type hal_contexthub_default, domain;
+hal_impl_domain(hal_contexthub_default, hal_contexthub)
 
+type hal_contexthub_default_exec, exec_type, file_type;
 init_daemon_domain(hal_contexthub_default)
diff --git a/private/hal_dumpstate_default.te b/private/hal_dumpstate_default.te
index 4616039..2b371b9 100644
--- a/private/hal_dumpstate_default.te
+++ b/private/hal_dumpstate_default.te
@@ -1,4 +1,5 @@
-type hal_dumpstate_default, hal_dumpstate, domain;
-type hal_dumpstate_default_exec, exec_type, file_type;
+type hal_dumpstate_default, domain;
+hal_impl_domain(hal_dumpstate_default, hal_dumpstate)
 
+type hal_dumpstate_default_exec, exec_type, file_type;
 init_daemon_domain(hal_dumpstate_default)
diff --git a/private/hal_fingerprint_default.te b/private/hal_fingerprint_default.te
index 3903f85..c392a85 100644
--- a/private/hal_fingerprint_default.te
+++ b/private/hal_fingerprint_default.te
@@ -1,5 +1,5 @@
-type hal_fingerprint_default, hal_fingerprint, domain;
+type hal_fingerprint_default, domain;
+hal_impl_domain(hal_fingerprint_default, hal_fingerprint)
+
 type hal_fingerprint_default_exec, exec_type, file_type;
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
 init_daemon_domain(hal_fingerprint_default)
diff --git a/private/hal_gatekeeper_default.te b/private/hal_gatekeeper_default.te
index e0c5613..3c84b13 100644
--- a/private/hal_gatekeeper_default.te
+++ b/private/hal_gatekeeper_default.te
@@ -1,4 +1,5 @@
-type hal_gatekeeper_default, hal_gatekeeper, domain;
-type hal_gatekeeper_default_exec, exec_type, file_type;
+type hal_gatekeeper_default, domain;
+hal_impl_domain(hal_gatekeeper_default, hal_gatekeeper)
 
+type hal_gatekeeper_default_exec, exec_type, file_type;
 init_daemon_domain(hal_gatekeeper_default);
diff --git a/private/hal_gnss_default.te b/private/hal_gnss_default.te
index 29ff994..78f85bc 100644
--- a/private/hal_gnss_default.te
+++ b/private/hal_gnss_default.te
@@ -1,6 +1,7 @@
-type hal_gnss_default, hal_gnss, domain;
-type hal_gnss_default_exec, exec_type, file_type;
+type hal_gnss_default, domain;
+hal_impl_domain(hal_gnss_default, hal_gnss)
 
+type hal_gnss_default_exec, exec_type, file_type;
 init_daemon_domain(hal_gnss_default)
 
 # Read access to system files for HALs in
diff --git a/private/hal_graphics_allocator_default.te b/private/hal_graphics_allocator_default.te
index 36dcca3..6b3672c 100644
--- a/private/hal_graphics_allocator_default.te
+++ b/private/hal_graphics_allocator_default.te
@@ -1,4 +1,5 @@
-type hal_graphics_allocator_default, hal_graphics_allocator, domain;
-type hal_graphics_allocator_default_exec, exec_type, file_type;
+type hal_graphics_allocator_default, domain;
+hal_impl_domain(hal_graphics_allocator_default, hal_graphics_allocator)
 
+type hal_graphics_allocator_default_exec, exec_type, file_type;
 init_daemon_domain(hal_graphics_allocator_default)
diff --git a/private/hal_graphics_composer_default.te b/private/hal_graphics_composer_default.te
index 9ddf71f..99bf690 100644
--- a/private/hal_graphics_composer_default.te
+++ b/private/hal_graphics_composer_default.te
@@ -1,4 +1,5 @@
-type hal_graphics_composer_default, hal_graphics_composer, domain;
-type hal_graphics_composer_default_exec, exec_type, file_type;
+type hal_graphics_composer_default, domain;
+hal_impl_domain(hal_graphics_composer_default, hal_graphics_composer)
 
+type hal_graphics_composer_default_exec, exec_type, file_type;
 init_daemon_domain(hal_graphics_composer_default)
diff --git a/private/hal_health_default.te b/private/hal_health_default.te
index e853fb6..0496cdf 100644
--- a/private/hal_health_default.te
+++ b/private/hal_health_default.te
@@ -1,5 +1,6 @@
 # health info abstraction
-type hal_health_default, hal_health, domain;
-type hal_health_default_exec, exec_type, file_type;
+type hal_health_default, domain;
+hal_impl_domain(hal_health_default, hal_health)
 
+type hal_health_default_exec, exec_type, file_type;
 init_daemon_domain(hal_health_default)
diff --git a/private/hal_ir_default.te b/private/hal_ir_default.te
index 1f3d694..2de1b92 100644
--- a/private/hal_ir_default.te
+++ b/private/hal_ir_default.te
@@ -1,4 +1,5 @@
-type hal_ir_default, hal_ir, domain;
-type hal_ir_default_exec, exec_type, file_type;
+type hal_ir_default, domain;
+hal_impl_domain(hal_ir_default, hal_ir)
 
+type hal_ir_default_exec, exec_type, file_type;
 init_daemon_domain(hal_ir_default)
diff --git a/private/hal_light_default.te b/private/hal_light_default.te
index aee44d9..bee7c8a 100644
--- a/private/hal_light_default.te
+++ b/private/hal_light_default.te
@@ -1,4 +1,5 @@
-type hal_light_default, hal_light, domain;
-type hal_light_default_exec, exec_type, file_type;
+type hal_light_default, domain;
+hal_impl_domain(hal_light_default, hal_light)
 
+type hal_light_default_exec, exec_type, file_type;
 init_daemon_domain(hal_light_default)
diff --git a/private/hal_memtrack_default.te b/private/hal_memtrack_default.te
index 113ee18..1c5ca99 100644
--- a/private/hal_memtrack_default.te
+++ b/private/hal_memtrack_default.te
@@ -1,4 +1,5 @@
-type hal_memtrack_default, hal_memtrack, domain;
-type hal_memtrack_default_exec, exec_type, file_type;
+type hal_memtrack_default, domain;
+hal_impl_domain(hal_memtrack_default, hal_memtrack)
 
+type hal_memtrack_default_exec, exec_type, file_type;
 init_daemon_domain(hal_memtrack_default)
diff --git a/private/hal_nfc_default.te b/private/hal_nfc_default.te
index 1f7c4ed..b6abb19 100644
--- a/private/hal_nfc_default.te
+++ b/private/hal_nfc_default.te
@@ -1,4 +1,5 @@
-type hal_nfc_default, hal_nfc, domain;
-type hal_nfc_default_exec, exec_type, file_type;
+type hal_nfc_default, domain;
+hal_impl_domain(hal_nfc_default, hal_nfc)
 
+type hal_nfc_default_exec, exec_type, file_type;
 init_daemon_domain(hal_nfc_default)
diff --git a/private/hal_power_default.te b/private/hal_power_default.te
index e61375d..c8977ee 100644
--- a/private/hal_power_default.te
+++ b/private/hal_power_default.te
@@ -1,4 +1,5 @@
-type hal_power_default, hal_power, domain;
-type hal_power_default_exec, exec_type, file_type;
+type hal_power_default, domain;
+hal_impl_domain(hal_power_default, hal_power)
 
+type hal_power_default_exec, exec_type, file_type;
 init_daemon_domain(hal_power_default)
diff --git a/private/hal_sensors_default.te b/private/hal_sensors_default.te
index 5f29446..3c3a104 100644
--- a/private/hal_sensors_default.te
+++ b/private/hal_sensors_default.te
@@ -1,4 +1,5 @@
-type hal_sensors_default, hal_sensors, domain;
-type hal_sensors_default_exec, exec_type, file_type;
+type hal_sensors_default, domain;
+hal_impl_domain(hal_sensors_default, hal_sensors)
 
+type hal_sensors_default_exec, exec_type, file_type;
 init_daemon_domain(hal_sensors_default)
diff --git a/private/hal_thermal_default.te b/private/hal_thermal_default.te
index a2ff70e..baa3b97 100644
--- a/private/hal_thermal_default.te
+++ b/private/hal_thermal_default.te
@@ -1,4 +1,5 @@
-type hal_thermal_default, hal_thermal, domain;
-type hal_thermal_default_exec, exec_type, file_type;
+type hal_thermal_default, domain;
+hal_impl_domain(hal_thermal_default, hal_thermal)
 
+type hal_thermal_default_exec, exec_type, file_type;
 init_daemon_domain(hal_thermal_default)
diff --git a/private/hal_vibrator_default.te b/private/hal_vibrator_default.te
index e633953..c185e08 100644
--- a/private/hal_vibrator_default.te
+++ b/private/hal_vibrator_default.te
@@ -1,4 +1,5 @@
-type hal_vibrator_default, hal_vibrator, domain;
-type hal_vibrator_default_exec, exec_type, file_type;
+type hal_vibrator_default, domain;
+hal_impl_domain(hal_vibrator_default, hal_vibrator)
 
+type hal_vibrator_default_exec, exec_type, file_type;
 init_daemon_domain(hal_vibrator_default)
diff --git a/private/hal_vr_default.te b/private/hal_vr_default.te
index ba85157..f32c737 100644
--- a/private/hal_vr_default.te
+++ b/private/hal_vr_default.te
@@ -1,4 +1,5 @@
-type hal_vr_default, hal_vr, domain;
-type hal_vr_default_exec, exec_type, file_type;
+type hal_vr_default, domain;
+hal_impl_domain(hal_vr_default, hal_vr)
 
+type hal_vr_default_exec, exec_type, file_type;
 init_daemon_domain(hal_vr_default)
diff --git a/private/hal_wifi_default.te b/private/hal_wifi_default.te
index a32a907..5946ba4 100644
--- a/private/hal_wifi_default.te
+++ b/private/hal_wifi_default.te
@@ -1,4 +1,5 @@
-type hal_wifi_default, hal_wifi, domain;
-type hal_wifi_default_exec, exec_type, file_type;
+type hal_wifi_default, domain;
+hal_impl_domain(hal_wifi_default, hal_wifi)
 
+type hal_wifi_default_exec, exec_type, file_type;
 init_daemon_domain(hal_wifi_default)
diff --git a/private/haldomain.te b/private/haldomain.te
new file mode 100644
index 0000000..511f78d
--- /dev/null
+++ b/private/haldomain.te
@@ -0,0 +1,3 @@
+###
+### Rules for all HAL implementations
+###
diff --git a/public/attributes b/public/attributes
index 30a6014..66cc594 100644
--- a/public/attributes
+++ b/public/attributes
@@ -114,6 +114,9 @@
 # recovery for A/B devices.
 attribute update_engine_common;
 
+# All domains used for HAL implementations
+attribute haldomain;
+
 # HALs
 attribute hal_audio;
 attribute hal_bluetooth;
diff --git a/public/hal_allocator.te b/public/hal_allocator.te
index 784bacb..0f3983b 100644
--- a/public/hal_allocator.te
+++ b/public/hal_allocator.te
@@ -1,5 +1,5 @@
 # allocator subsystem
-type hal_allocator, domain;
+type hal_allocator, domain, haldomain;
 type hal_allocator_exec, exec_type, file_type;
 
 # hwbinder access
diff --git a/public/hal_boot.te b/public/hal_boot.te
index 3cbbb29..d04ced2 100644
--- a/public/hal_boot.te
+++ b/public/hal_boot.te
@@ -1,5 +1,5 @@
 # boot_control subsystem
-type hal_boot, domain, boot_control_hal;
+type hal_boot, domain, boot_control_hal, haldomain;
 type hal_boot_exec, exec_type, file_type;
 
 # hwbinder access
diff --git a/public/te_macros b/public/te_macros
index 70f0fdf..d1267ec 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -116,6 +116,20 @@
 ')
 
 #####################################
+# hal_impl_domain(domain, hal_type_attr)
+# Allow a base set of permissions required for a domain to host a
+# HAL implementation of the specified HAL type.
+#
+# For example, default implementation of Foo HAL:
+#   type hal_foo_default, domain;
+#   hal_impl_domain(hal_foo_default, hal_foo)
+#
+define(`hal_impl_domain', `
+typeattribute $1 haldomain;
+typeattribute $1 $2;
+')
+
+#####################################
 # unix_socket_connect(clientdomain, socket, serverdomain)
 # Allow a local socket connection from clientdomain via
 # socket to serverdomain.