diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index e558a93b2..0159a0c9e 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -66,6 +66,7 @@
     ota_metadata_file
     ota_prop
     art_apex_dir
+    rebootescrow_hal_prop
     service_manager_service
     simpleperf
     soundtrigger_middleware_service
diff --git a/public/property.te b/public/property.te
index 0fa8143ef..3ca038aca 100644
--- a/public/property.te
+++ b/public/property.te
@@ -155,6 +155,9 @@ system_public_prop(wifi_prop)
 system_public_prop(binder_cache_bluetooth_server_prop)
 system_public_prop(binder_cache_system_server_prop)
 
+# Properties used in default HAL implementations
+vendor_internal_prop(rebootescrow_hal_prop)
+
 # Properties which are public for devices launching with Android O or earlier
 # This should not be used for any new properties.
 not_compatible_property(`
diff --git a/public/property_contexts b/public/property_contexts
index f3dc51fd9..a25f686c5 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -150,6 +150,7 @@ ro.minui.pixel_format u:object_r:exported3_default_prop:s0 exact string
 ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
 ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
 ro.radio.noril u:object_r:exported3_default_prop:s0 exact string
+ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string
 ro.retaildemo.video_path u:object_r:exported3_default_prop:s0 exact string
 ro.statsd.enable u:object_r:exported3_default_prop:s0 exact bool
 ro.sf.disable_triple_buffer u:object_r:exported3_default_prop:s0 exact bool
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 514f67ea5..d4dc7d3fb 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -259,6 +259,7 @@ set_prop(vendor_init, exported3_radio_prop)
 set_prop(vendor_init, logd_prop)
 set_prop(vendor_init, log_tag_prop)
 set_prop(vendor_init, log_prop)
+set_prop(vendor_init, rebootescrow_hal_prop)
 set_prop(vendor_init, serialno_prop)
 set_prop(vendor_init, userspace_reboot_config_prop)
 set_prop(vendor_init, vehicle_hal_prop)
diff --git a/vendor/hal_rebootescrow_default.te b/vendor/hal_rebootescrow_default.te
index 99faddeb2..26256939d 100644
--- a/vendor/hal_rebootescrow_default.te
+++ b/vendor/hal_rebootescrow_default.te
@@ -1,8 +1,10 @@
 type hal_rebootescrow_default, domain;
 hal_server_domain(hal_rebootescrow_default, hal_rebootescrow)
+get_prop(hal_rebootescrow_default, rebootescrow_hal_prop);
 
 type hal_rebootescrow_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_rebootescrow_default)
 
 type rebootescrow_device, dev_type;
-allow hal_rebootescrow_default rebootescrow_device:chr_file rw_file_perms;
+allow hal_rebootescrow_default rebootescrow_device:{ chr_file blk_file } rw_file_perms;
+allow hal_rebootescrow_default block_device:dir search;