new file mode 100644
@@ -0,0 +1,83 @@
+From 0e76a2a30d459e9c8416225dc51280927d0f27b1 Mon Sep 17 00:00:00 2001
+From: Daniel Burgener <Daniel.Burgener@microsoft.com>
+Date: Wed, 8 Apr 2026 20:43:43 +0000
+Subject: [PATCH] Add op-tee based tee supplicant policy
+
+Some of the op-tee required policies are missing.
+
+Added required policies for op-tee.
+
+Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1103]
+
+Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
+Signed-off-by: Sasi Kumar Maddineni <sasikuma@qti.qualcomm.com>
+---
+ policy/modules/kernel/devices.if | 18 ++++++++++++++++++
+ policy/modules/services/tee_supplicant.fc | 1 +
+ policy/modules/services/tee_supplicant.te | 12 +++++++++++-
+ 3 files changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
+index a7ebcc922..1e4ec76e5 100644
+--- a/policy/modules/kernel/devices.if
++++ b/policy/modules/kernel/devices.if
+@@ -5050,6 +5050,24 @@ interface(`dev_rw_tee',`
+ rw_chr_files_pattern($1, device_t, tee_device_t)
+ ')
+
++########################################
++## <summary>
++## Read and write the privileged trusted execution environment devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_rw_tee_priv',`
++ gen_require(`
++ type device_t, tee_priv_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, tee_priv_device_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Read and write the TPM device.
+diff --git a/policy/modules/services/tee_supplicant.fc b/policy/modules/services/tee_supplicant.fc
+index 9c6e77836..41b654268 100644
+--- a/policy/modules/services/tee_supplicant.fc
++++ b/policy/modules/services/tee_supplicant.fc
+@@ -1 +1,2 @@
+ /usr/bin/qtee_supplicant -- gen_context(system_u:object_r:tee_supplicant_exec_t,s0)
++/usr/sbin/tee-supplicant -- gen_context(system_u:object_r:tee_supplicant_exec_t,s0)
+diff --git a/policy/modules/services/tee_supplicant.te b/policy/modules/services/tee_supplicant.te
+index 2d5905318..0e0b67bc2 100644
+--- a/policy/modules/services/tee_supplicant.te
++++ b/policy/modules/services/tee_supplicant.te
+@@ -9,9 +9,19 @@ type tee_supplicant_t;
+ type tee_supplicant_exec_t;
+ init_daemon_domain(tee_supplicant_t, tee_supplicant_exec_t)
+
+-########################################
++type tee_supplicant_var_lib_t;
++files_type(tee_supplicant_var_lib_t)
++
++#########################################
+ #
+ # Local policy
+ #
+
++manage_files_pattern(tee_supplicant_t, tee_supplicant_var_lib_t, tee_supplicant_var_lib_t)
++manage_dirs_pattern(tee_supplicant_t, tee_supplicant_var_lib_t, tee_supplicant_var_lib_t)
++files_var_lib_filetrans(tee_supplicant_t, tee_supplicant_var_lib_t, { file dir })
++
+ dev_rw_tee(tee_supplicant_t)
++dev_rw_tee_priv(tee_supplicant_t)
++
++kernel_read_vm_overcommit_sysctl(tee_supplicant_t)
+--
+2.43.0
+
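Review bot: The new `tee_supplicant_var_lib_t` type in tee_supplicant.te has no matching file-context entry in tee_supplicant.fc, so a directory created by the package or restored by `restorecon` under /var/lib keeps `var_lib_t`, which the manage_*_pattern rules on L75-L76 do not cover; the transition on L77 only applies to objects tee_supplicant_t itself creates, and because it is unnamed it relabels anything the daemon creates directly in /var/lib. A named transition plus an fc line would pin this down, e.g. `files_var_lib_filetrans(tee_supplicant_t, tee_supplicant_var_lib_t, dir, "<TEE_STORAGE_DIR>")` and `/var/lib/<TEE_STORAGE_DIR>(/.*)? gen_context(system_u:object_r:tee_supplicant_var_lib_t,s0)` (placeholder: the storage directory name is not given on this page). The `dev_rw_tee_priv` interface in devices.if requires `tee_priv_device_t`, which this patch neither declares nor labels; if devices.te/devices.fc in this refpolicy version do not already provide it (not visible here), the build will fail on the gen_require. The comment rule on L70 also gained an extra `#` compared with the removed line on L66, which looks unintentional.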
@@ -76,6 +76,7 @@ SRC_URI += " \
file://0058-policy-modules-system-logging-make-syslogd_runtime_t.patch \
file://0062-selinux-allow-seatd-to-use-unallocated-TTYs.patch \
file://0063-dmesg-allow-dmesg_t-access-to-init-script-stream-soc.patch \
+ file://0064-Add-op-tee-based-tee-supplicant-policy.patch \
"
S = "${UNPACKDIR}/refpolicy"
Some of the policies required by op-tee are missing.

Added the required policies for op-tee.

Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1103]

Signed-off-by: Sasi Kumar Maddineni <sasikuma@qti.qualcomm.com>
---
 ...d-op-tee-based-tee-supplicant-policy.patch | 83 +++++++++++++++++++
 .../refpolicy/refpolicy_common.inc | 1 +
 2 files changed, 84 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy/0064-Add-op-tee-based-tee-supplicant-policy.patch