diff --git a/sepolicy/file.te b/sepolicy/file.te
index 7c8234c8..dac6db24 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -32,6 +32,7 @@ type perfd_socket, file_type;
 type ims_socket, file_type;
 type cnd_socket, file_type;
 type chre_socket, file_type;
+type hal_bootctl_socket, file_type;
 type firmware_file, fs_type, contextmount_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 549e56a8..ecca5545 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -39,6 +39,7 @@
 # dev socket nodes
 /dev/socket/chre u:object_r:chre_socket:s0
+/dev/socket/oemlock u:object_r:hal_bootctl_socket:s0
 /dev/socket/qmux_audio(/.*)? u:object_r:qmuxd_socket:s0
 /dev/socket/qmux_bluetooth(/.*)? u:object_r:qmuxd_socket:s0
 /dev/socket/qmux_gps(/.*)? u:object_r:qmuxd_socket:s0
@@ -215,6 +216,8 @@
 /vendor/bin/ese-replay u:object_r:esed_exec:s0
 /vendor/bin/ese-ls-provision u:object_r:esed_exec:s0
 /vendor/bin/hw/android\.hardware\.oemlock@1\.0-service u:object_r:hal_oemlock_default_exec:s0
+/vendor/bin/oemlock_provision u:object_r:hal_bootctl_default_exec:s0
+/vendor/bin/oemlock-bridge u:object_r:hal_bootctl_default_exec:s0
 /vendor/bin/hw/android\.hardware\.usb@1\.1-service.wahoo u:object_r:hal_usb_default_exec:s0
 /vendor/bin/chre u:object_r:chre_exec:s0
 /vendor/bin/folio_daemon u:object_r:folio_daemon_exec:s0
diff --git a/sepolicy/hal_bootctl.te b/sepolicy/hal_bootctl.te
index 8d7fc878..bdb9e124 100644
--- a/sepolicy/hal_bootctl.te
+++ b/sepolicy/hal_bootctl.te
@@ -11,6 +11,7 @@ allow hal_bootctl ab_block_device:blk_file getattr;
 allow hal_bootctl boot_block_device:blk_file rw_file_perms;
 allow hal_bootctl modem_block_device:blk_file getattr;
 allow hal_bootctl system_block_device:blk_file getattr;
+allow hal_bootctl misc_block_device:blk_file rw_file_perms;
 # Access /dev/sgN devices (generic SCSI) to write the
 # A/B slot selection for the XBL partition. Allow also to issue a
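Review bot: The new type `hal_bootctl_socket` in the file.te hunk is declared without a comment, and file_contexts in the same commit attaches it to `/dev/socket/oemlock`, so the type name and the socket path point at different components. A line such as `# /dev/socket/oemlock: boot message broker socket, served from the hal_bootctl domain for hal_oemlock_default.` above the declaration would stop a later change from reusing the type for an unrelated bootctl socket and thereby widening who can reach the broker.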
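Review bot: In the file_contexts hunk at -215, both `/vendor/bin/oemlock_provision` and `/vendor/bin/oemlock-bridge` are labelled `hal_bootctl_default_exec`. If the usual init domain transition exists for that type (it is not visible in this diff), they run with every permission of the boot control HAL. That includes the rw access to the boot, XBL and now misc block devices and the generic SCSI access described in hal_bootctl.te. A provisioning tool and a socket bridge probably need only the misc device and the socket, so a dedicated exec type and domain would keep the broker from inheriting the rest. If sharing the domain is deliberate, a comment above these two entries saying so would help the next policy audit.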
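Review bot: In the hal_bootctl.te hunk at -11, `allow hal_bootctl misc_block_device:blk_file rw_file_perms;` is granted to the `hal_bootctl` attribute rather than to one server domain, and it carries no comment, unlike the XBL and SCSI rules below it. The same commit removes the commented-out direct grant from hal_oemlock_default.te, so this appears to be the broker's storage access. Say so in place, for example `# misc holds the boot message that is brokered to hal_oemlock over hal_bootctl_socket.`, and consider scoping the rule to the default server domain only. The hunk ends inside a comment block that continues outside it.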
@@ -25,3 +26,6 @@ allow hal_bootctl sysfs:dir r_dir_perms;
 # Write to the XBL devices.
 allow hal_bootctl xbl_block_device:blk_file rw_file_perms;
+
+# Expose a socket for brokered boot message access for hal_oemlock.
+allow hal_bootctl hal_bootctl_socket:sock_file create_file_perms;
diff --git a/sepolicy/hal_oemlock_default.te b/sepolicy/hal_oemlock_default.te
index e4f410c4..bc8ee58a 100644
--- a/sepolicy/hal_oemlock_default.te
+++ b/sepolicy/hal_oemlock_default.te
@@ -1,9 +1,8 @@
 type hal_oemlock_default, domain;
 hal_server_domain(hal_oemlock_default, hal_oemlock)
-# TODO: work out new permissions
-#allow hal_oemlock_default misc_block_device:blk_file rw_file_perms;
-#allow hal_oemlock_default frp_block_device:blk_file rw_file_perms;
+allow hal_oemlock_default hal_bootctl_socket:sock_file write;
+allow hal_oemlock_default hal_bootctl:unix_stream_socket connectto;
 type hal_oemlock_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_oemlock_default)
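Review bot: `create_file_perms` on `hal_bootctl_socket:sock_file` in the hal_bootctl.te hunk at -25 looks wider than a listening daemon needs. file_contexts already labels `/dev/socket/oemlock`, which suggests init creates the node from an rc `socket` entry, and a service that inherits the bound socket typically needs no sock_file permission at all. If the daemon binds the path itself, this rule alone is not sufficient either, because the diff adds no write/add_name on the /dev/socket directory and no type_transition. State in the comment which model is intended and narrow the rule to match, for example `allow hal_bootctl hal_bootctl_socket:sock_file { create unlink setattr };` for a self-created socket, or drop it for an init-created one.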
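Review bot: In the hal_oemlock_default.te hunk, `connectto` targets the `hal_bootctl` attribute, so hal_oemlock_default may connect to a stream socket owned by any domain carrying that attribute. The two added allow rules are also the hand-written expansion of the `unix_socket_connect` macro. Writing `unix_socket_connect(hal_oemlock_default, hal_bootctl, hal_bootctl_default)` keeps the sock_file rule identical and pins the peer to one server domain; this assumes `hal_bootctl_default` is the domain behind `hal_bootctl_default_exec`, which this diff does not declare. A short comment in place of the removed TODO would record that misc access is now brokered over the socket and whether frp_block_device access is still needed.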