diff --git a/private/file_contexts b/private/file_contexts
index 87673126bfbdbadc7594feb97ef21b5820f770f7..450101614ef5ecae84dc26972a72ac815ce04d01 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -238,6 +238,7 @@
 /system/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0
 /system/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_boot_exec:s0
 /system/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
+/system/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
 /system/bin/hw/android\.hardware\.dumpstate@1\.0-service      u:object_r:hal_dumpstate_default_exec:s0
 /system/bin/hw/android\.hardware\.gatekeeper@1\.0-service     u:object_r:hal_gatekeeper_default_exec:s0
 /system/bin/hw/android\.hardware\.gnss@1\.0-service           u:object_r:hal_gnss_default_exec:s0
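Review bot: The new `android\.hardware\.biometrics\.fingerprint@2\.1-service` entry is inserted between the contexthub and dumpstate lines, although the visible neighbours are sorted by HAL name and `biometrics` would sort ahead of `bluetooth`. Its label is also separated from the path by a single space where the surrounding entries align the context column. Moving the line above the bluetooth entry and padding the label keeps the list easy to audit for a missing or duplicated label on a HAL binary.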
diff --git a/private/hal_fingerprint_default.te b/private/hal_fingerprint_default.te
new file mode 100644
index 0000000000000000000000000000000000000000..3903f85331e5195ccb9637464bd510453b35664f
--- /dev/null
+++ b/private/hal_fingerprint_default.te
@@ -0,0 +1,5 @@
+type hal_fingerprint_default, hal_fingerprint, domain;
+type hal_fingerprint_default_exec, exec_type, file_type;
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(hal_fingerprint_default)
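Review bot: The comment above `init_daemon_domain(hal_fingerprint_default)` is a run-on that is hard to parse and does not say which rule it refers to. I would reword it as `# init_daemon_domain() expands to a type_transition, which must live in private policy.` followed by `# The domain_trans allow rules could stay public, but conceptually belong with it.` That makes it clear to the next editor why this file sits under private/.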
diff --git a/public/attributes b/public/attributes
index b310c1da13ae05b67728415571139f261f90a2e6..30a6014ccf8643a7897941fc10844fd34a114469 100644
--- a/public/attributes
+++ b/public/attributes
@@ -118,6 +118,7 @@ attribute update_engine_common;
 attribute hal_audio;
 attribute hal_bluetooth;
 attribute hal_dumpstate;
+attribute hal_fingerprint;
 attribute hal_gatekeeper;
 attribute hal_gnss;
 attribute hal_graphics_allocator;
diff --git a/public/file.te b/public/file.te
index 0365dc9e684402a8cedb939fa533ad5c81d3166e..8b3b62c83ffe902360a93a6b53ba9dbd566baa06 100644
--- a/public/file.te
+++ b/public/file.te
@@ -208,7 +208,7 @@ type backup_data_file, file_type, data_file_type, mlstrustedobject;
 # vary per device, so this type is used in per
 # device policy
 type bluetooth_efs_file, file_type;
-# Type for fingerprint template file.
+# Type for fingerprint template file
 type fingerprintd_data_file, file_type, data_file_type;
 # Type for appfuse file.
 type app_fuse_file, file_type, data_file_type, mlstrustedobject;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
new file mode 100644
index 0000000000000000000000000000000000000000..426b73ad27e574d34b69c277ba47a00b5492e9da
--- /dev/null
+++ b/public/hal_fingerprint.te
@@ -0,0 +1,23 @@
+hwbinder_use(hal_fingerprint)
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow hal_fingerprint system_file:dir r_dir_perms;
+
+# allow HAL module to read dir contents
+allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
+
+# allow HAL module to read/write/unlink contents of this dir
+allow hal_fingerprint fingerprintd_data_file:dir rw_dir_perms;
+
+# Need to add auth tokens to KeyStore
+use_keystore(hal_fingerprint)
+allow hal_fingerprint keystore:keystore_key add_auth;
+
+# For permissions checking
+binder_call(hal_fingerprint, system_server);
+allow hal_fingerprint permission_service:service_manager find;
+
+# For memory allocation
+allow hal_fingerprint ion_device:chr_file r_file_perms;
+
+r_dir_file(hal_fingerprint, cgroup)
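Review bot: The two comments above the `fingerprintd_data_file` rules describe less than the rules grant: the line labelled "read dir contents" sits over a `:file create_file_perms` rule, and the one labelled "read/write/unlink contents of this dir" sits over the `:dir rw_dir_perms` rule. These rules apply to every domain carrying the `hal_fingerprint` attribute and cover fingerprint template storage, so the comments should state the real scope, e.g. `# allow HAL module to create, read, write and unlink template files` and `# allow HAL module to list the template dir and add/remove entries in it`. Separately, `binder_call(hal_fingerprint, system_server);` carries a trailing semicolon that the other macro invocations in this file do not. The file also looks up `permission_service` and uses keystore through servicemanager while only invoking `hwbinder_use`; if `binder_use` is not granted elsewhere, those lookups would likely be denied, which is worth confirming on a device.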
diff --git a/public/service.te b/public/service.te
index 8fcf5d077170f1477340e70f565cc020726382e1..1b65b5aafff2541e5079b55a3507b63f7f4d7f3b 100644
--- a/public/service.te
+++ b/public/service.te
@@ -6,6 +6,7 @@ type default_android_service,   service_manager_type;
 type drmserver_service,         service_manager_type;
 type dumpstate_service,         service_manager_type;
 type fingerprintd_service,      service_manager_type;
+type hal_fingerprint_service,   service_manager_type;
 type gatekeeper_service,        app_api_service, service_manager_type;
 type gpu_service,               service_manager_type;
 type inputflinger_service,      service_manager_type;
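Review bot: `hal_fingerprint_service` is declared as a `service_manager_type`, and system_server is given `find` on it in the second public/system_server.te hunk, but nothing in the visible diff lets any domain `add` it or maps a service name to it. The HAL domain only invokes `hwbinder_use`, so it may never register with servicemanager at all, in which case the type and the `find` rule are unused grants. If so, I would drop both; otherwise a comment such as `# servicemanager name registered by the fingerprint HAL` beside the type would record why it exists. The new line also breaks the alphabetical order of the list, since it sits between `fingerprintd_service` and `gatekeeper_service`.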
diff --git a/public/system_server.te b/public/system_server.te
index 5cb46d5d39ca25b17cb602d4a4f7e69b6b332dd6..ee552630b06fd911daec1ac5fd37a4666b1f82e0 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -162,6 +162,7 @@ hwbinder_use(system_server)
 binder_call(system_server, hal_bluetooth)
 binder_call(system_server, hal_boot)
 binder_call(system_server, hal_contexthub)
+binder_call(system_server, hal_fingerprint)
 binder_call(system_server, hal_gnss);
 binder_call(system_server, hal_ir)
 binder_call(system_server, hal_light)
@@ -477,6 +478,7 @@ allow system_server cameraserver_service:service_manager find;
 allow system_server drmserver_service:service_manager find;
 allow system_server dumpstate_service:service_manager find;
 allow system_server fingerprintd_service:service_manager find;
+allow system_server hal_fingerprint_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;
 allow system_server installd_service:service_manager find;
 allow system_server keystore_service:service_manager find;