diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index bb9142d0b56342649515889ea6371c4f0fc423a0..df140198cdbad5033070317a5144e93cecace2ba 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -199,6 +199,7 @@ neverallow all_untrusted_apps {
 hal_nfc_hwservice
 hal_oemlock_hwservice
 hal_power_hwservice
+ hal_secure_element_hwservice
 hal_sensors_hwservice
 hal_telephony_hwservice
 hal_thermal_hwservice
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 2b0a3fb9ea548a330bb76f28b33bf15f3df5fad9..7769b65b6bb76e3947f234e425486cca6062df06 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -40,6 +40,7 @@
 hal_confirmationui_hwservice
 hal_lowpan_hwservice
 hal_neuralnetworks_hwservice
+ hal_secure_element_hwservice
 hal_tetheroffload_hwservice
 hal_usb_gadget_hwservice
 hal_wifi_offload_hwservice
@@ -65,6 +66,9 @@
 perfetto_traces_data_file
 perfprofd_service
 property_info
+ secure_element
+ secure_element_tmpfs
+ secure_element_service
 slice_service
 stats
 stats_data_file
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 5a65580761254d7e5cf578a1e6bf0c223e35b587..96233fcda2e9c763f1c7801dfe7ae82196c160d2 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -38,6 +38,7 @@ android.hardware.radio.deprecated::IOemHook u:object_r:hal_t
 android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
 android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
 android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
+android.hardware.secure_element::ISecureElement u:object_r:hal_secure_element_hwservice:s0
 android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
 android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
 android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
diff --git a/private/nfc.te b/private/nfc.te
index 56446f4f7e729ef2c37a1ebd5ceb17c2c49e03fa..5e856729185b8757d832188a7df38aa548bf2405 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -24,6 +24,7 @@ allow nfc radio_service:service_manager find;
 allow nfc app_api_service:service_manager find;
 allow nfc system_api_service:service_manager find;
 allow nfc vr_manager_service:service_manager find;
+allow nfc secure_element_service:service_manager find;
 set_prop(nfc, nfc_prop);
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 76f299866425dc70f0e769fcdf1fc13fcea36ea0..6efd59f769ec6cb16b84a901b2705e9cb38e7479 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -99,6 +99,7 @@ user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_d
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
+user=secure_element seinfo=platform domain=secure_element levelFrom=all
 user=radio seinfo=platform domain=radio type=radio_data_file
 user=shared_relro domain=shared_relro
 user=shell seinfo=platform domain=shell type=shell_data_file
diff --git a/private/secure_element.te b/private/secure_element.te
new file mode 100644
index 0000000000000000000000000000000000000000..57f512bbd250f37ba0b93d080ebb4028ef77dfb5
--- /dev/null
+++ b/private/secure_element.te
@@ -0,0 +1,14 @@
+# secure element subsystem
+typeattribute secure_element coredomain;
+app_domain(secure_element)
+
+binder_service(secure_element)
+add_service(secure_element, secure_element_service)
+
+allow secure_element app_api_service:service_manager find;
+hal_client_domain(secure_element, hal_secure_element)
+
+# already open bugreport file descriptors may be shared with
+# the secure element process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow secure_element shell_data_file:file read;
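Review bot: The `user=secure_element` entry added to private/seapp_contexts sets `levelFrom=all` and omits `type=`, unlike the system, bluetooth, nfc and radio entries around it, and neither choice is explained. With no `type=` this line presumably does not select a label for the app's data directory, and `levelFrom=all` gives the process MLS categories that the sibling platform services do not carry; both affect what the secure element app can share with other domains. A one-line comment above the entry would record the intent, for example `# secure_element: per-app/per-user MLS level; no type= (confirm no private data directory is needed)`.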
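Review bot: The last rule of the new private/secure_element.te, `allow secure_element shell_data_file:file read;`, lets the secure element app read bugreport files, and its comment does not say which component would hand it such a descriptor. Only `read` is granted (no `open`), so exposure is limited to descriptors passed in by another process. For a domain that is a client of the secure element HAL it is still an unexplained widening on top of `app_domain(secure_element)` and the `app_api_service` find rule. If no concrete flow needs it, drop the rule and its comment; otherwise name the sender in the comment, for example `# <component> passes an already-open bugreport fd to secure_element`.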
diff --git a/private/service_contexts b/private/service_contexts
index 373c7cca0a8422dd414331ac64fedc535b00e0c1..71d484514a5c37eb42185826a31366b0c8a3a668 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -134,6 +134,7 @@ rttmanager u:object_r:rttmanager_service:s0
 samplingprofiler u:object_r:samplingprofiler_service:s0
 scheduling_policy u:object_r:scheduling_policy_service:s0
 search u:object_r:search_service:s0
+secure_element u:object_r:secure_element_service:s0
 sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
 sensorservice u:object_r:sensorservice_service:s0
 serial u:object_r:serial_service:s0
diff --git a/public/attributes b/public/attributes
index 66ce7d09c10f6986431f9227bbb678addd108504..8138a3fa2205d839aa723ea59b3c725df8ad9482 100644
--- a/public/attributes
+++ b/public/attributes
@@ -229,6 +229,7 @@ hal_attribute(neuralnetworks);
 hal_attribute(nfc);
 hal_attribute(oemlock);
 hal_attribute(power);
+hal_attribute(secure_element);
 hal_attribute(sensors);
 hal_attribute(telephony);
 hal_attribute(tetheroffload);
diff --git a/public/hal_secure_element.te b/public/hal_secure_element.te
new file mode 100644
index 0000000000000000000000000000000000000000..e3046d12ecdec6f3063de3730237d7ff936d55db
--- /dev/null
+++ b/public/hal_secure_element.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_secure_element_client, hal_secure_element_server)
+binder_call(hal_secure_element_server, hal_secure_element_client)
+
+add_hwservice(hal_secure_element_server, hal_secure_element_hwservice)
+allow hal_secure_element_client hal_secure_element_hwservice:hwservice_manager find;
diff --git a/public/hwservice.te b/public/hwservice.te
index f6ab621fce982748e8dd9c42846010d5cfc28e54..436ec68ac9e93ad17ee779e8537276699059a7ce 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -31,6 +31,7 @@ type hal_oemlock_hwservice, hwservice_manager_type;
 type hal_omx_hwservice, hwservice_manager_type;
 type hal_power_hwservice, hwservice_manager_type;
 type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_secure_element_hwservice, hwservice_manager_type;
 type hal_sensors_hwservice, hwservice_manager_type;
 type hal_telephony_hwservice, hwservice_manager_type;
 type hal_tetheroffload_hwservice, hwservice_manager_type;
diff --git a/public/secure_element.te b/public/secure_element.te
new file mode 100644
index 0000000000000000000000000000000000000000..4ce6714f6eb264fb927a76641369ce910677ac50
--- /dev/null
+++ b/public/secure_element.te
@@ -0,0 +1,2 @@
+# secure_element subsystem
+type secure_element, domain;
diff --git a/public/service.te b/public/service.te
index 6f9d47c2b6188319fe6f61ce06773af7f9fecd47..e13b6d5e78f36b854a4cca4efbded730aa02be6c 100644
--- a/public/service.te
+++ b/public/service.te
@@ -23,6 +23,7 @@ type netd_service, service_manager_type;
 type nfc_service, service_manager_type;
 type perfprofd_service, service_manager_type;
 type radio_service, service_manager_type;
+type secure_element_service, service_manager_type;
 type storaged_service, service_manager_type;
 type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
 type system_app_service, service_manager_type;
diff --git a/public/su.te b/public/su.te
index edc62c3c1996425ac3dce7eebec68815f5695982..fd90ebe0e7dfc7cc965fcdb8bb188a16c53f5332 100644
--- a/public/su.te
+++ b/public/su.te
@@ -81,6 +81,7 @@ userdebug_or_eng(`
 typeattribute su hal_nfc_client;
 typeattribute su hal_oemlock_client;
 typeattribute su hal_power_client;
+ typeattribute su hal_secure_element_client;
 typeattribute su hal_sensors_client;
 typeattribute su hal_telephony_client;
 typeattribute su hal_tetheroffload_client;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 5be64247d5a7246b8b276f644e04a3e0158cc5f1..320a9b18c5f555bed70045c69ff115ca1385104d 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -31,6 +31,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
 /(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service u:object_r:hal_tv_cec_default_exec:s0
diff --git a/vendor/hal_secure_element_default.te b/vendor/hal_secure_element_default.te
new file mode 100644
index 0000000000000000000000000000000000000000..86fe0b9939e12d6f4574b931feb26cecc21d871f
--- /dev/null
+++ b/vendor/hal_secure_element_default.te
@@ -0,0 +1,5 @@
+type hal_secure_element_default, domain;
+hal_server_domain(hal_secure_element_default, hal_secure_element)
+type hal_secure_element_default_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_secure_element_default)