diff --git a/public/domain.te b/public/domain.te
index e8baabcbb..d3fac7096 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -355,6 +355,7 @@ neverallow {
 -healthd
 -uncrypt
 -tee
+ -hal_bootctl
 } self:global_capability_class_set sys_rawio;
 # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index 2491734f7..be9975f89 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -3,5 +3,3 @@ binder_call(hal_bootctl_client, hal_bootctl_server)
 binder_call(hal_bootctl_server, hal_bootctl_client)
 hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
-
-dontaudit hal_bootctl self:global_capability_class_set sys_rawio;
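Review bot: The new `-hal_bootctl` entry in the sys_rawio neverallow of public/domain.te exempts the whole HAL attribute, which may be wider than the one process that needs raw I/O. Writing it as `-hal_bootctl_server`, the attribute already used in public/hal_bootctl.te, would keep client domains under the neverallow. Which domains actually carry `hal_bootctl` depends on how the attribute is assigned in a given build, and that is not visible here, so this is a tightening to confirm rather than a demonstrated gap. Since sys_rawio is a high-impact capability and every exemption weakens a global invariant, the entry should also carry a `#` comment stating which device requirement justifies it. The neverallow block opens before the hunk, so the rest of the exemption list cannot be checked from this view.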