diff --git a/public/domain.te b/public/domain.te
index 56fcacec7..edf5a9d39 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -77,6 +77,11 @@ allow {
 # Allow using fds to /dev/ashmem.
 allow domain ashmem_server:fd use;
 
+# Allow vendor hals to access IAshmem
+# TODO(b/134783601): Change to a whitelist.
+allow { domain -coredomain -appdomain } system_ashmem_hwservice:hwservice_manager find;
+allow { domain -coredomain -appdomain } ashmem_server: binder call;
+
 # /dev/binder can be accessed by non-vendor domains and by apps
 allow { coredomain