diff --git a/device.te b/device.te
index 8882d9935257180909a8e63190d5106555cee9cf..508c0ebffa2a98c76aa1cd0bbfd3387f0c4f9844 100644
--- a/device.te
+++ b/device.te
@@ -17,6 +17,7 @@ type console_device, dev_type;
 type cpuctl_device, dev_type;
 type full_device, dev_type;
 type graphics_device, dev_type;
+type hw_random_device, dev_type;
 type input_device, dev_type;
 type kmem_device, dev_type;
 type log_device, dev_type, mlstrustedobject;
diff --git a/domain.te b/domain.te
index 12aa89888c9d30d9d5a1d8816431f17485d947c6..bfe8a9cc5b1eb8e9b2b4efa65ade718e7df6b53a 100644
--- a/domain.te
+++ b/domain.te
@@ -139,5 +139,8 @@ neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
 # Only init should be able to load SELinux policies
 neverallow { domain -init } kernel:security load_policy;
 
+# Only init and system_server should be able to access HW RNG
+neverallow { domain -init -system_server -unconfineddomain } hw_random_device:chr_file *;
+
 # Ensure that all entrypoint executables are in exec_type.
 neverallow domain { file_type -exec_type }:file entrypoint;
diff --git a/file_contexts b/file_contexts
index c4c4a094ec68d7f1d81eb0117f22e8798472ea46..dfdb43943723b9e28c1d2d7f09c63bce257e8ddc 100644
--- a/file_contexts
+++ b/file_contexts
@@ -48,6 +48,7 @@
 /dev/full u:object_r:full_device:s0
 /dev/fuse u:object_r:fuse_device:s0
 /dev/graphics(/.*)? u:object_r:graphics_device:s0
+/dev/hw_random u:object_r:hw_random_device:s0
 /dev/input(/.*) u:object_r:input_device:s0
 /dev/iio:device[0-9]+ u:object_r:iio_device:s0
 /dev/ion u:object_r:ion_device:s0
diff --git a/system_server.te b/system_server.te
index 35df21c6642adb780d8cb562660cc7217246d8c5..6e1acd3b1079ae65cfd5983b5dfde586a242bd43 100644
--- a/system_server.te
+++ b/system_server.te
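Review bot: The new comment in domain.te overstates the guarantee: the `-unconfineddomain` exemption means every unconfined domain, not only init and system_server, can still obtain any permission on `hw_random_device`, so the comment should say so, e.g. `# Only init, system_server and unconfined domains may access the HW RNG`. The system_server carve-out is also wider than what system_server.te actually grants (read-only); because system_server is subtracted from the `*` rule entirely, a later accidental `write` or `append` grant on the node would not be caught by this neverallow. A second rule closes that gap: `neverallow system_server hw_random_device:chr_file ~r_file_perms;` (valid as long as the `r_file_perms` macro expands to a brace-enclosed permission set, which is presumably how it is defined in this policy).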
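Review bot: Only the literal path `/dev/hw_random` receives the new label, so the neverallow in domain.te protects the RNG node only when the kernel creates it under exactly that name; if a kernel on supported hardware exposes it as `/dev/hwrng` instead (the node name I believe newer upstream hwrng cores use), it falls back to the generic `device` label and the restriction does not apply. If both names can occur, adding `/dev/hwrng u:object_r:hw_random_device:s0` next to the new entry keeps the labeling consistent; if only `/dev/hw_random` is ever created here, a short comment saying so would stop the next reader from asking.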
@@ -33,6 +33,9 @@ allow system_server system_ndebug_socket:sock_file create_file_perms;
 allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };
 
+# Read from HW RNG (needed by EntropyMixer).
+allow system_server hw_random_device:chr_file r_file_perms;
+
 allow system_server backup_data_file:dir relabelto;
 allow system_server cache_backup_file:dir relabelto;
 allow system_server anr_data_file:dir relabelto;
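Review bot: `r_file_perms` presumably expands (per the project's te_macros) to a set that includes `ioctl` and `lock`, which is more than the comment "Read from HW RNG" describes for a kernel-facing character device. If EntropyMixer only opens and reads the node, the narrower `allow system_server hw_random_device:chr_file { getattr open read };` states the intended least privilege and keeps `ioctl` off the device. It would also help to extend the comment with the operational caveat that the node may be absent on hardware without an RNG, so the consumer must treat open failures as best-effort — whether EntropyMixer does is outside this diff.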