diff --git a/sepolicy/pawlet_device.te b/sepolicy/pawlet_device.te
index b43139f..9241fa1 100644
--- a/sepolicy/pawlet_device.te
+++ b/sepolicy/pawlet_device.te
@@ -5,13 +5,17 @@ type pawlet_device_exec, exec_type, file_type, system_file_type;
 # Inherit from core domain
 typeattribute pawlet_device coredomain;
 
-# Property access
+# Property access - use proper macros ONLY
 get_prop(pawlet_device, vendor_default_prop)
 set_prop(pawlet_device, vendor_default_prop)
 
-# Framework interactions - use standard types
-allow pawlet_device system_file:file { read getattr };
-allow pawlet_device system_server:service_manager find;
+# Framework interactions - use proper macros
+# REMOVE direct service_manager access
+# allow pawlet_device system_server:service_manager find;
 
-# File access for properties
-allow pawlet_device vendor_default_prop:file { getattr open read map };
\ No newline at end of file
+# REMOVE all direct file access to properties
+# allow pawlet_device vendor_default_prop:file { getattr open read map };
+
+# If you need to interact with system services, use proper domains:
+allow pawlet_device system_server:binder { call transfer };
+allow pawlet_device servicemanager:binder { call transfer };
\ No newline at end of file