platform_system_sepolicy/private/hal_keymint.te

binder_call(hal_keymint_client, hal_keymint_server)

hal_attribute_service(hal_keymint, hal_keymint_service)
hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
binder_call(hal_keymint_server, servicemanager)

allow hal_keymint_server tee_device:chr_file rw_file_perms;
allow hal_keymint_server ion_device:chr_file r_file_perms;