diff --git a/sepolicy/device.te b/sepolicy/device.te
index 694bb58..216a165 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -12,3 +12,4 @@ type avtimer_device, dev_type;
 type ssr_device, dev_type;
 type ramdump_device, dev_type;
 type hbtp_device, dev_type;
+type sg_device, dev_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index bdfb797..1e6bbc7 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -25,6 +25,7 @@
 /dev/ramdump_.* u:object_r:ramdump_device:s0
 /dev/hbtp_input u:object_r:hbtp_device:s0
 /dev/hbtp_vm u:object_r:hbtp_device:s0
+/dev/sg[0-9]+ u:object_r:sg_device:s0
 # dev socket nodes
 /dev/socket/qmux_audio(/.*)? u:object_r:qmuxd_socket:s0
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
index de44b9d..521fa27 100644
--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
@@ -1,3 +1,6 @@
+allow tee self:capability { chown setgid setuid sys_admin sys_rawio };
+
 allow tee device:dir r_dir_perms;
-allow tee block_device:dir { getattr search};
+allow tee block_device:dir { getattr search };
+allow tee sg_device:chr_file { rw_file_perms setattr };
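Review bot: The added `/dev/sg[0-9]+` entry labels every SCSI generic node as `sg_device`, so any domain later granted `sg_device` access reaches all of them, not only the one the tee daemon needs. If the hardware exposes a single node for this purpose, a comment above the entry naming it, e.g. `# SCSI generic nodes used by tee for <purpose>`, would record the intent. If other sg nodes can appear on this device (presumably removable or secondary storage), consider whether they should share the label.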
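Review bot: The new `allow tee self:capability { chown setgid setuid sys_admin sys_rawio };` rule grants five capabilities, including the broad `sys_admin` and `sys_rawio`, and nothing in the hunk says which operation needs each one. A comment above it, such as `# sys_rawio/sys_admin: <reason>; chown/setgid/setuid: <reason>`, would let a later reviewer drop what turns out to be unnecessary. On the last added line, `rw_file_perms` carries `ioctl`, so tee can issue any ioctl on every `sg_device` node. If the policy version in this tree supports extended permissions, an `allowxperm tee sg_device:chr_file ioctl { ... }` rule listing only the commands the daemon actually issues would narrow that. The `setattr` on the same line also deserves a stated reason.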