diff --git a/sepolicy/public/attributes b/sepolicy/public/attributes
new file mode 100644
index 0000000000000000000000000000000000000000..c5a79e7e8e54a5cca4779794d32ee52efcc77c83
--- /dev/null
+++ b/sepolicy/public/attributes
@@ -0,0 +1,3 @@
+attribute hal_mlipay;
+attribute hal_mlipay_client;
+attribute hal_mlipay_server;
diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te
new file mode 100644
index 0000000000000000000000000000000000000000..303b5de5ced57ef6ebb7c6f885ff221635f4d65d
--- /dev/null
+++ b/sepolicy/vendor/app.te
@@ -0,0 +1 @@
+get_prop({ appdomain -isolated_app }, mlipay_prop)
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 63ca34fe63e63d8ce5d6d164b74b350fc20bf88a..61320e7c1cd6f1ff05828086baa22073371bde3d 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -14,6 +14,9 @@
 # IR
 /dev/ir_spi u:object_r:ir_spi_device:s0
+# Mlipay
+/(vendor|system/vendor)/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0
+
 # Power
 /sys/devices/virtual/touch/tp_dev/double_tap u:object_r:vendor_sysfs_double_tap:s0
diff --git a/sepolicy/vendor/hal_mlipay.te b/sepolicy/vendor/hal_mlipay.te
new file mode 100644
index 0000000000000000000000000000000000000000..fa6fbdaa0cc44f173c01e78f77d8e62e9b11d0ad
--- /dev/null
+++ b/sepolicy/vendor/hal_mlipay.te
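Review bot: The single rule added in sepolicy/vendor/app.te lets every app domain except `isolated_app` read `mlipay_prop`, which includes untrusted third-party apps. The property_contexts hunk of this commit puts the whole `persist.vendor.sys.pay.` prefix and `persist.vendor.sys.provision.status` under that type, so payment and provisioning state becomes readable device-wide. If only the Mlipay client needs these values, scope the grant to that domain, for example `get_prop(hal_mlipay_client, mlipay_prop)` once a client domain is attached to the attribute, and add a comment naming the consumer. Which app actually reads the properties is not visible here, so the narrower set needs confirming against the vendor blobs.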
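Review bot: In the sepolicy/vendor/file_contexts hunk the dot in `mlipayd@1.1` is an unescaped regex metacharacter, so the entry matches any character in that position rather than only the literal version separator. file_contexts paths are regular expressions, and an over-broad pattern can hand `hal_mlipay_default_exec` to a binary other than the intended one. Writing the entry as `/(vendor|system/vendor)/bin/mlipayd@1\.1` keeps the exec label on exactly one path.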
@@ -0,0 +1,25 @@
+type hal_mlipay_hwservice, hwservice_manager_type;
+
+type hal_mlipay_default, domain;
+hal_server_domain(hal_mlipay_default, hal_mlipay)
+
+type hal_mlipay_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_mlipay_default)
+
+type mlipay_prop, property_type;
+
+# Allow hwbinder call from hal client to server
+binder_call(hal_mlipay_client, hal_mlipay_server)
+
+# Add hwservice related rules
+add_hwservice(hal_mlipay_server, hal_mlipay_hwservice)
+allow hal_mlipay_client hal_mlipay_hwservice:hwservice_manager find;
+
+allow hal_mlipay_default tee_device:chr_file rw_file_perms;
+allow hal_mlipay_default ion_device:chr_file r_file_perms;
+
+r_dir_file(hal_mlipay_default, firmware_file)
+set_prop(hal_mlipay_default, mlipay_prop);
+
+get_prop(hal_mlipay_default, vendor_fp_prop)
+get_prop(hal_mlipay_default, vendor_fp_info_prop)
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
index 13e51938ab5853982325e2414367d5036527cffb..3e8a909520380953e825015eace8b26d678fb3a0 100644
--- a/sepolicy/vendor/hwservice_contexts
+++ b/sepolicy/vendor/hwservice_contexts
@@ -7,3 +7,6 @@ com.fingerprints.extension::IFingerprintNavigation
 com.fingerprints.extension::IFingerprintSensorTest u:object_r:vendor_hal_fingerprint_hwservice_xiaomi:s0
 com.fingerprints.extension::IFingerprintCalibration u:object_r:vendor_hal_fingerprint_hwservice_xiaomi:s0
 com.fingerprints.extension::IFingerprintOptical u:object_r:vendor_hal_fingerprint_hwservice_xiaomi:s0
+
+# Mlipay
+vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
index 641b5fdc52bf6f3dd2b5e0c3f02cdf7610828911..8dbd8a38f1629c573a6a7d92d7dd84d82d2875b2 100644
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
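Review bot: In sepolicy/vendor/hal_mlipay.te the attribute `hal_mlipay_client` receives `binder_call` and `find` on the service, but no domain is attached to that attribute anywhere in this commit, so as shown the two rules grant nothing and the intended caller is undocumented. Add `hal_client_domain(<client_domain>, hal_mlipay)` for the one domain that really talks to the HAL (placeholder; the domain is not visible here) so the set of callers is explicit and reviewable. The `tee_device` and `ion_device` rules should each carry a short comment stating why the daemon needs the access, since `rw_file_perms` on the TEE node is the most sensitive grant in the file. `set_prop(hal_mlipay_default, mlipay_prop);` also has a trailing semicolon that the other macro calls in this file do not; dropping it keeps the file consistent.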
@@ -9,3 +9,7 @@ persist.vendor.sys.fp.uid u:object_r:vendor_fp_info_prop:s0
 # SPU
 persist.vendor.security.spuari. u:object_r:vendor_security_spuari_prop:s0
+
+# Mlipay
+persist.vendor.sys.pay. u:object_r:mlipay_prop:s0
+persist.vendor.sys.provision.status u:object_r:mlipay_prop:s0
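Review bot: Both new entries are prefix matches, so `persist.vendor.sys.provision.status` also labels any longer property name that begins with that string, and `persist.vendor.sys.pay.` pulls every property under it into `mlipay_prop`. Because app.te in this commit makes `mlipay_prop` readable by nearly all app domains, a property later created under these names inherits that exposure without a policy change. If this tree's property_contexts format supports the match-type columns, pin the single-name entry, e.g. `persist.vendor.sys.provision.status u:object_r:mlipay_prop:s0 exact string` (value type to be confirmed), and consider listing the `pay.` properties individually.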