diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index 3aed94f..e13001f 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -25,3 +25,5 @@ type thermal_data_file, file_type, data_file_type;
 type ultrasound_device, dev_type;
 
 type vendor_sysfs_iio, fs_type, sysfs_type;
+
+type thermal_link_device, dev_type;
\ No newline at end of file
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 2b1155e..689b9f0 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -89,6 +89,9 @@
 # Thermal
 /vendor/bin/mi_thermald                                                 u:object_r:mi_thermald_exec:s0
 /data/vendor/thermal(/.*)?                                              u:object_r:thermal_data_file:s0
+/vendor/bin/hw/android\.hardware\.thermal@2\.0-service\.pixel                     u:object_r:hal_thermal_default_exec:s0
+/vendor/bin/thermal_symlinks                                                      u:object_r:init-thermal-symlinks-sh_exec:s0
+/dev/thermal(/.*)?                                                                u:object_r:thermal_link_device:s0
 
 # USB
 /vendor/bin/init\.mi\.usb\.sh                                           u:object_r:vendor_qti_init_shell_exec:s0
diff --git a/sepolicy/vendor/hal_thermal_default.te b/sepolicy/vendor/hal_thermal_default.te
new file mode 100644
index 0000000..888cf94
--- /dev/null
+++ b/sepolicy/vendor/hal_thermal_default.te
@@ -0,0 +1,9 @@
+allow hal_thermal_default sysfs_thermal:dir r_dir_perms;
+allow hal_thermal_default sysfs_thermal:file rw_file_perms;
+allow hal_thermal_default sysfs_thermal:lnk_file r_file_perms;
+allow hal_thermal_default thermal_link_device:dir r_dir_perms;
+allow hal_thermal_default proc_stat:file r_file_perms;
+allow hal_thermal_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+hal_client_domain(hal_thermal_default, hal_power);
+# read thermal_config
+get_prop(hal_thermal_default, vendor_thermal_normal_prop)
\ No newline at end of file
diff --git a/sepolicy/vendor/init-thermal-symlinks.sh.te b/sepolicy/vendor/init-thermal-symlinks.sh.te
new file mode 100644
index 0000000..ee9b861
--- /dev/null
+++ b/sepolicy/vendor/init-thermal-symlinks.sh.te
@@ -0,0 +1,10 @@
+type init-thermal-symlinks-sh, domain;
+type init-thermal-symlinks-sh_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(init-thermal-symlinks-sh)
+allow init-thermal-symlinks-sh vendor_toolbox_exec:file rx_file_perms;
+allow init-thermal-symlinks-sh thermal_link_device:dir rw_dir_perms;
+allow init-thermal-symlinks-sh thermal_link_device:lnk_file create_file_perms;
+allow init-thermal-symlinks-sh sysfs_thermal:dir r_dir_perms;
+allow init-thermal-symlinks-sh sysfs_thermal:file r_file_perms;
+allow init-thermal-symlinks-sh sysfs_thermal:lnk_file r_file_perms;
+set_prop(init-thermal-symlinks-sh, vendor_thermal_normal_prop)
\ No newline at end of file
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
index 67eae7e..871fd65 100644
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
@@ -40,3 +40,4 @@ ro.vendor.ril                                   u:object_r:vendor_public_vendor_
 sys.thermal.                                    u:object_r:vendor_thermal_normal_prop:s0
 vendor.sys.thermal.                             u:object_r:vendor_thermal_normal_prop:s0
 persist.sys.thermal.config                      u:object_r:vendor_thermal_normal_prop:s0
+vendor.thermal.                                 u:object_r:vendor_thermal_normal_prop:s0