diff --git a/non_plat/file_contexts b/non_plat/file_contexts
index edcc179..a195ed4 100644
--- a/non_plat/file_contexts
+++ b/non_plat/file_contexts
@@ -708,6 +708,7 @@
 
 # Keymaster
 /dev/ut_keymaster u:object_r:ut_keymaster_device:s0
+/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.keyinstall@1\.0-service u:object_r:mtk_hal_keyinstall_exec:s0
 
 # Ipsec
 /(system\/vendor|vendor)/bin/ipsec u:object_r:ipsec_exec:s0
diff --git a/non_plat/hwservice.te b/non_plat/hwservice.te
index 9a34d78..51f2d74 100644
--- a/non_plat/hwservice.te
+++ b/non_plat/hwservice.te
@@ -64,3 +64,6 @@ type mtk_hal_bgs_hwservice, hwservice_manager_type;
 
 # vtservice
 type mtk_hal_videotelephony_hwservice, hwservice_manager_type;
+
+# Keyinstall
+type mtk_hal_keyinstall_hwservice, hwservice_manager_type;
diff --git a/non_plat/hwservice_contexts b/non_plat/hwservice_contexts
index 6d8015c..d0f304f 100644
--- a/non_plat/hwservice_contexts
+++ b/non_plat/hwservice_contexts
@@ -78,3 +78,6 @@ vendor.mediatek.hardware.camera.atms::IATMs u:object_r:hal_camera_hwservice:s0
 
 # vtservice
 vendor.mediatek.hardware.videotelephony::IVideoTelephony u:object_r:mtk_hal_videotelephony_hwservice:s0
+
+# Keyinstall
+vendor.mediatek.hardware.keyinstall::IKeyinstall u:object_r:mtk_hal_keyinstall_hwservice:s0
diff --git a/non_plat/mtk_hal_keyinstall.te b/non_plat/mtk_hal_keyinstall.te
new file mode 100644
index 0000000..258f457
--- /dev/null
+++ b/non_plat/mtk_hal_keyinstall.te
@@ -0,0 +1,17 @@
+type mtk_hal_keyinstall_exec, exec_type, file_type, vendor_file_type;
+type mtk_hal_keyinstall, domain;
+
+hal_server_domain(mtk_hal_keyinstall, hal_keymaster)
+init_daemon_domain(mtk_hal_keyinstall)
+
+add_hwservice(hal_keymaster_server, mtk_hal_keyinstall_hwservice)
+
+allow hal_keymaster_client mtk_hal_keyinstall_hwservice:hwservice_manager find;
+
+allow mtk_hal_keyinstall persist_data_file:dir { search write add_name };
+allow mtk_hal_keyinstall persist_data_file:file { read write create open setattr getattr };
+
+allow mtk_hal_keyinstall key_install_data_file:dir { write add_name remove_name search };
+allow mtk_hal_keyinstall key_install_data_file:file { write create setattr read getattr unlink open append };
+
+allow mtk_hal_keyinstall debugfs_tracing:file { write };
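Review bot: The `add_hwservice(hal_keymaster_server, mtk_hal_keyinstall_hwservice)` line and the `find` rule below it are scoped to the shared keymaster attributes, so every domain carrying `hal_keymaster_server` may register the key-install service and every `hal_keymaster_client` may look it up, not only the new daemon and its intended callers. Scoping registration to the new domain, `add_hwservice(mtk_hal_keyinstall, mtk_hal_keyinstall_hwservice)`, and granting `find` only to the domains that actually call IKeyinstall would keep a key-provisioning interface away from the general keymaster client set. Which domains hold those attributes is defined outside this diff, so the real exposure should be checked against the compiled policy. The `persist_data_file` create/write rules use a label that is presumably shared with other persist users, so a dedicated type for these files would stop unrelated domains holding that label from reading or replacing them. The `debugfs_tracing:file { write }` grant needs a comment explaining why a key-handling daemon requires it, or removal if it only silences a denial.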