diff --git a/tracking_denials/hal_drm_default.te b/tracking_denials/hal_drm_default.te
deleted file mode 100644
index 872f5a0f..00000000
--- a/tracking_denials/hal_drm_default.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/223502652
-dontaudit hal_drm_default vndbinder_device:chr_file { read };
-# b/232714489
-dontaudit hal_drm_default default_prop:file { read };
diff --git a/tracking_denials/hal_drm_widevine.te b/tracking_denials/hal_drm_widevine.te
new file mode 100644
index 00000000..01581ca2
--- /dev/null
+++ b/tracking_denials/hal_drm_widevine.te
@@ -0,0 +1,4 @@
+# b/223502652
+dontaudit hal_drm_widevine vndbinder_device:chr_file { read };
+# b/232714489
+dontaudit hal_drm_widevine default_prop:file { read };
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 78b5983f..8f010c5a 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -1,7 +1,7 @@
 #
 # Exynos HAL
 #
-/(vendor|system/vendor)/bin/hw/android\.hardware\.drm(@[0-9]+\.[0-9]+)?-service\.widevine u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm(@[0-9]+\.[0-9]+)?-service\.widevine u:object_r:hal_drm_widevine_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service32 u:object_r:hal_usb_default_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.ExynosHWCServiceTW@1\.0-service u:object_r:hal_vendor_hwcservice_default_exec:s0
diff --git a/whitechapel/vendor/google/hal_drm_widevine.te b/whitechapel/vendor/google/hal_drm_widevine.te
new file mode 100644
index 00000000..753f5e66
--- /dev/null
+++ b/whitechapel/vendor/google/hal_drm_widevine.te
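Review bot: The two `dontaudit` rules in tracking_denials/hal_drm_widevine.te are copied from the deleted hal_drm_default.te with only the domain renamed, so the new domain starts with its `vndbinder_device` and `default_prop` read denials already silenced. `default_prop` is the label for properties that have no specific context, and suppressing the audit record hides which property the service is actually trying to read. Consider confirming that both denials still occur under `hal_drm_widevine` before carrying them over, and annotate them so the suppression is not mistaken for a reviewed decision, e.g. `# b/232714489 (carried over from hal_drm_default; re-verify under hal_drm_widevine)`.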
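Review bot: In whitechapel/vendor/google/file_contexts, relabeling the Widevine service binary to `hal_drm_widevine_exec` moves the process out of `hal_drm_default`, so any rule written against `hal_drm_default` elsewhere in platform or device policy stops applying to it; no such rules are visible in this diff, so this cannot be checked from here. It is worth searching the tree for remaining `hal_drm_default` references and boot-testing in enforcing mode for new denials from the Widevine service. A short comment above the entry would also help the next reader, e.g. `# Widevine runs in its own domain (hal_drm_widevine), not hal_drm_default`.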
@@ -0,0 +1,12 @@
+type hal_drm_widevine, domain;
+type hal_drm_widevine_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_drm_widevine)
+
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+# L3
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+
+# L1
+allow hal_drm_widevine dmabuf_system_heap_device:chr_file r_file_perms;
\ No newline at end of file
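Review bot: The section comments `# L3` and `# L1` in whitechapel/vendor/google/hal_drm_widevine.te name a Widevine security level but not why each grant is needed, which makes a later least-privilege audit of this new domain harder. Something like `# Widevine L3: license and provisioning state under the mediadrm vendor data dir` and `# Widevine L1: read-only use of the system dma-buf heap` would help, if that matches the intent. The file also ends without a trailing newline (`\ No newline at end of file`); adding one avoids the last `allow` being joined to whatever source follows if the policy files are concatenated at build time.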