diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index c67cef80ebacc1ee3387aac5aa23d5d6395a49d8..c9e5c808e1ab180b678d47efe1592ca611941598 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -201,6 +201,7 @@ neverallow all_untrusted_apps {
   hal_nfc_hwservice
   hal_oemlock_hwservice
   hal_power_hwservice
+  hal_secure_element_hwservice
   hal_sensors_hwservice
   hal_telephony_hwservice
   hal_thermal_hwservice
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index f46d94929d9463b6ca8a1840e4676b92502c565a..fc0ce839e02039f0d23d4d19d682db328274447a 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -42,6 +42,7 @@
     hal_confirmationui_hwservice
     hal_lowpan_hwservice
     hal_neuralnetworks_hwservice
+    hal_secure_element_hwservice
     hal_tetheroffload_hwservice
     hal_wifi_hostapd_hwservice
     hal_usb_gadget_hwservice
@@ -65,6 +66,9 @@
     perfetto_traces_data_file
     perfprofd_service
     property_info
+    secure_element
+    secure_element_tmpfs
+    secure_element_service
     slice_service
     stats
     stats_data_file
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 35fac9c580af26bd33027e40d1c9959ce21b7a47..24c70593e497bfd67fed9f8110a3adb15020ede1 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -39,6 +39,7 @@ android.hardware.radio.deprecated::IOemHook                     u:object_r:hal_t
 android.hardware.radio::IRadio                                  u:object_r:hal_telephony_hwservice:s0
 android.hardware.radio::ISap                                    u:object_r:hal_telephony_hwservice:s0
 android.hardware.renderscript::IDevice                          u:object_r:hal_renderscript_hwservice:s0
+android.hardware.secure_element::ISecureElement                 u:object_r:hal_secure_element_hwservice:s0
 android.hardware.sensors::ISensors                              u:object_r:hal_sensors_hwservice:s0
 android.hardware.soundtrigger::ISoundTriggerHw                  u:object_r:hal_audio_hwservice:s0
 android.hardware.thermal::IThermal                              u:object_r:hal_thermal_hwservice:s0
diff --git a/private/nfc.te b/private/nfc.te
index 56446f4f7e729ef2c37a1ebd5ceb17c2c49e03fa..5e856729185b8757d832188a7df38aa548bf2405 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -24,6 +24,7 @@ allow nfc radio_service:service_manager find;
 allow nfc app_api_service:service_manager find;
 allow nfc system_api_service:service_manager find;
 allow nfc vr_manager_service:service_manager find;
+allow nfc secure_element_service:service_manager find;
 
 set_prop(nfc, nfc_prop);
 
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 0807f58742ccd4d9284b88ec86057960fc70b44e..1b929625c895b52d1b2c82494fb51ca74b444a78 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -99,6 +99,7 @@ user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_d
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
+user=secure_element seinfo=platform domain=secure_element levelFrom=all
 user=radio seinfo=platform domain=radio type=radio_data_file
 user=shared_relro domain=shared_relro
 user=shell seinfo=platform domain=shell type=shell_data_file
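Review bot: The added `user=secure_element` entry sets no `type=`, unlike the neighbouring `user=nfc`, `user=bluetooth` and `user=radio` entries, so this line assigns no label to an app data directory for that user. If the secure element app is meant to have no private storage, record that in a comment above the entry, for example `# secure_element keeps no app data, so no type= is set`. If it does need storage, declare a dedicated data file type and name it here. `levelFrom=all` also differs from the adjacent platform entries, which set no `levelFrom`, so the reason for choosing it belongs in the same comment.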
diff --git a/private/secure_element.te b/private/secure_element.te
new file mode 100644
index 0000000000000000000000000000000000000000..57f512bbd250f37ba0b93d080ebb4028ef77dfb5
--- /dev/null
+++ b/private/secure_element.te
@@ -0,0 +1,14 @@
+# secure element subsystem
+typeattribute secure_element coredomain;
+app_domain(secure_element)
+
+binder_service(secure_element)
+add_service(secure_element, secure_element_service)
+
+allow secure_element app_api_service:service_manager find;
+hal_client_domain(secure_element, hal_secure_element)
+
+# already open bugreport file descriptors may be shared with
+# the secure element process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow secure_element shell_data_file:file read;
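Review bot: The final rule, `allow secure_element shell_data_file:file read;`, lets the secure element domain read from already-open bugreport file descriptors, yet nothing in this change shows that domain being handed such descriptors. The comment is worded generically and may have been carried over from another domain's policy (inferred, the origin is not visible here). For a domain that is the client of the secure element HAL, I would drop the rule and its comment until an audited denial shows it is needed, or have the comment name the sender and the use case. The `allow secure_element app_api_service:service_manager find;` rule above it is similarly broad and could list only the services the app actually looks up.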
diff --git a/private/service_contexts b/private/service_contexts
index 03d58c960b3d8af2e7458f3419854bc6c4cdd9de..bf087ea8e5ca568ae8622803565431aeed210f39 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -134,6 +134,7 @@ rttmanager                                u:object_r:rttmanager_service:s0
 samplingprofiler                          u:object_r:samplingprofiler_service:s0
 scheduling_policy                         u:object_r:scheduling_policy_service:s0
 search                                    u:object_r:search_service:s0
+secure_element                            u:object_r:secure_element_service:s0
 sec_key_att_app_id_provider               u:object_r:sec_key_att_app_id_provider_service:s0
 sensorservice                             u:object_r:sensorservice_service:s0
 serial                                    u:object_r:serial_service:s0
diff --git a/public/attributes b/public/attributes
index d71de95d2b7834b2a5909b4b7116d753ca0e1771..14c124284dc0e64984857362ec05eff8d4cdf971 100644
--- a/public/attributes
+++ b/public/attributes
@@ -232,6 +232,7 @@ hal_attribute(neuralnetworks);
 hal_attribute(nfc);
 hal_attribute(oemlock);
 hal_attribute(power);
+hal_attribute(secure_element);
 hal_attribute(sensors);
 hal_attribute(telephony);
 hal_attribute(tetheroffload);
diff --git a/public/hal_secure_element.te b/public/hal_secure_element.te
new file mode 100644
index 0000000000000000000000000000000000000000..e3046d12ecdec6f3063de3730237d7ff936d55db
--- /dev/null
+++ b/public/hal_secure_element.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_secure_element_client, hal_secure_element_server)
+binder_call(hal_secure_element_server, hal_secure_element_client)
+
+add_hwservice(hal_secure_element_server, hal_secure_element_hwservice)
+allow hal_secure_element_client hal_secure_element_hwservice:hwservice_manager find;
diff --git a/public/hwservice.te b/public/hwservice.te
index 6bcf165dc69aed6973ae5f6f1fd0a01a5a511d1c..2b745c0b3fba6c10a5dada2e0427e0e0834afc94 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -32,6 +32,7 @@ type hal_oemlock_hwservice, hwservice_manager_type;
 type hal_omx_hwservice, hwservice_manager_type;
 type hal_power_hwservice, hwservice_manager_type;
 type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_secure_element_hwservice, hwservice_manager_type;
 type hal_sensors_hwservice, hwservice_manager_type;
 type hal_telephony_hwservice, hwservice_manager_type;
 type hal_tetheroffload_hwservice, hwservice_manager_type;
diff --git a/public/secure_element.te b/public/secure_element.te
new file mode 100644
index 0000000000000000000000000000000000000000..4ce6714f6eb264fb927a76641369ce910677ac50
--- /dev/null
+++ b/public/secure_element.te
@@ -0,0 +1,2 @@
+# secure_element subsystem
+type secure_element, domain;
diff --git a/public/service.te b/public/service.te
index 6f9d47c2b6188319fe6f61ce06773af7f9fecd47..e13b6d5e78f36b854a4cca4efbded730aa02be6c 100644
--- a/public/service.te
+++ b/public/service.te
@@ -23,6 +23,7 @@ type netd_service,              service_manager_type;
 type nfc_service,               service_manager_type;
 type perfprofd_service,         service_manager_type;
 type radio_service,             service_manager_type;
+type secure_element_service,    service_manager_type;
 type storaged_service,          service_manager_type;
 type surfaceflinger_service,    app_api_service, ephemeral_app_api_service, service_manager_type;
 type system_app_service,        service_manager_type;
diff --git a/public/su.te b/public/su.te
index 4a0004585f0c6a6e0977e0b6882b0064dfe6c188..0312945484620db72f6aa59873eb934ae6a5d121 100644
--- a/public/su.te
+++ b/public/su.te
@@ -82,6 +82,7 @@ userdebug_or_eng(`
   typeattribute su hal_nfc_client;
   typeattribute su hal_oemlock_client;
   typeattribute su hal_power_client;
+  typeattribute su hal_secure_element_client;
   typeattribute su hal_sensors_client;
   typeattribute su hal_telephony_client;
   typeattribute su hal_tetheroffload_client;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index e1cfd2f765a626b403a4b9633531fa93404fa229..4ca4169e020a876b30f78c829ea7395a4e463c14 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -32,6 +32,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service          u:object_r:hal_power_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service  u:object_r:hal_radio_config_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service        u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
 /(vendor|system/vendor)/bin/hw/rild                                           u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service        u:object_r:hal_thermal_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service        u:object_r:hal_tv_cec_default_exec:s0
diff --git a/vendor/hal_secure_element_default.te b/vendor/hal_secure_element_default.te
new file mode 100644
index 0000000000000000000000000000000000000000..86fe0b9939e12d6f4574b931feb26cecc21d871f
--- /dev/null
+++ b/vendor/hal_secure_element_default.te
@@ -0,0 +1,5 @@
+type hal_secure_element_default, domain;
+hal_server_domain(hal_secure_element_default, hal_secure_element)
+type hal_secure_element_default_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_secure_element_default)