diff --git a/sepolicy/OWNERS b/sepolicy/OWNERS
new file mode 100644
index 0000000..e6ce5d0
--- /dev/null
+++ b/sepolicy/OWNERS
@@ -0,0 +1,2 @@
+# per-file for Pixel device makefiles, see go/pixel-device-mk-owner-checklist for details.
+per-file *.mk=file:device/google/gs-common:main:/MK_OWNERS
diff --git a/sepolicy/README.txt b/sepolicy/README.txt
new file mode 100644
index 0000000..67a320f
--- /dev/null
+++ b/sepolicy/README.txt
@@ -0,0 +1,2 @@
+This folder holds sepolicy exclusively for one device. For example, genfs_contexts
+paths that are affected by device tree.
diff --git a/sepolicy/tegu-sepolicy.mk b/sepolicy/tegu-sepolicy.mk
new file mode 100644
index 0000000..1d59a75
--- /dev/null
+++ b/sepolicy/tegu-sepolicy.mk
@@ -0,0 +1,4 @@
+# sepolicy that are shared among devices using ZumaPro
+BOARD_SEPOLICY_DIRS += device/google/tegu-sepolicy/vendor
+BOARD_SEPOLICY_DIRS += device/google/tegu-sepolicy/tracking_denials
+
diff --git a/sepolicy/tracking_denials/README.txt b/sepolicy/tracking_denials/README.txt
new file mode 100644
index 0000000..6cfc62d
--- /dev/null
+++ b/sepolicy/tracking_denials/README.txt
@@ -0,0 +1,2 @@
+This folder stores known errors detected by PTS. Be sure to remove relevant
+files to reproduce error log on latest ROMs.
diff --git a/sepolicy/tracking_denials/bug_map b/sepolicy/tracking_denials/bug_map
new file mode 100644
index 0000000..7e15f18
--- /dev/null
+++ b/sepolicy/tracking_denials/bug_map
@@ -0,0 +1 @@
+system_suspend sysfs dir b/371877715
diff --git a/sepolicy/tracking_denials/grilservice_app.te b/sepolicy/tracking_denials/grilservice_app.te
new file mode 100644
index 0000000..bd47db7
--- /dev/null
+++ b/sepolicy/tracking_denials/grilservice_app.te
@@ -0,0 +1,3 @@
+# b/371877868
+dontaudit grilservice_app default_android_hwservice:hwservice_manager find;
+
diff --git a/sepolicy/tracking_denials/hal_camera_default.te b/sepolicy/tracking_denials/hal_camera_default.te
new file mode 100644
index 0000000..1bdb5ce
--- /dev/null
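Review bot: The header comment in sepolicy/tegu-sepolicy.mk, `# sepolicy that are shared among devices using ZumaPro`, contradicts both the paths it adds (device/google/tegu-sepolicy/...) and the README.txt added in the same commit, which says the folder holds sepolicy exclusively for one device. The comment looks copied from a shared SoC makefile. Something like `# sepolicy specific to tegu; SoC-wide policy lives elsewhere` would match what the two BOARD_SEPOLICY_DIRS lines actually include.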
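Review bot: In sepolicy/tracking_denials/grilservice_app.te the rule `dontaudit grilservice_app default_android_hwservice:hwservice_manager find;` silences every lookup of an unlabeled hwservice by grilservice_app, not only the one behind b/371877868, so a later unlabeled-service regression from this domain would leave no avc log. The same applies to the hal_camera_default rule in sepolicy/tracking_denials/hal_camera_default.te (b/371878208). The comment carries only a bug number; it should name the interface that triggered the denial so the entry can be dropped once that interface is labeled in hwservice_contexts, e.g. `# b/371877868: unlabeled hwservice <interface name> looked up by grilservice_app; remove once labeled`.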
+++ b/sepolicy/tracking_denials/hal_camera_default.te
@@ -0,0 +1,3 @@
+# b/371878208
+dontaudit hal_camera_default default_android_hwservice:hwservice_manager find;
+
diff --git a/sepolicy/vendor/README.txt b/sepolicy/vendor/README.txt
new file mode 100644
index 0000000..67a320f
--- /dev/null
+++ b/sepolicy/vendor/README.txt
@@ -0,0 +1,2 @@
+This folder holds sepolicy exclusively for one device. For example, genfs_contexts
+paths that are affected by device tree.
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
new file mode 100644
index 0000000..0f19b2e
--- /dev/null
+++ b/sepolicy/vendor/file_contexts
@@ -0,0 +1,10 @@
+# Devices
+/dev/lwis-act-nessie u:object_r:lwis_device:s0
+/dev/lwis-eeprom-nessie u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-leshen u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-leshen-uw u:object_r:lwis_device:s0
+/dev/lwis-flash-lm3644 u:object_r:lwis_device:s0
+/dev/lwis-ois-nessie u:object_r:lwis_device:s0
+/dev/lwis-sensor-barghest u:object_r:lwis_device:s0
+/dev/lwis-sensor-leshen u:object_r:lwis_device:s0
+/dev/lwis-sensor-leshen-uw u:object_r:lwis_device:s0
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
new file mode 100644
index 0000000..4730cb2
--- /dev/null
+++ b/sepolicy/vendor/genfs_contexts
@@ -0,0 +1,10 @@
+genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061/power_supply u:object_r:sysfs_batteryinfo:s0
+
+# wake up nodes
+genfscon sysfs /devices/platform/google,ccd/power_supply/gccd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/111d0000.spi/spi_master/spi20/spi20.0/synaptics_tcm.0/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/111d0000.spi/spi_master/spi20/spi20.0/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/wakeup u:object_r:sysfs_wakeup:s0
+
+# WLC
+genfscon sysfs /devices/platform/10ca0000.hsi2c/i2c-10/10-0061 u:object_r:sysfs_wlc:s0
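Review bot: In sepolicy/vendor/genfs_contexts the WLC entry at the end labels the whole `10-0061` directory as sysfs_wlc while the first entry labels its `power_supply` subdirectory as sysfs_batteryinfo, and nothing in the file says the overlap is intended. genfscon resolves by longest matching path prefix, so the outcome does not depend on entry order, but a reader can easily take the two lines for a conflict or reorder them expecting a change. A comment above the first entry would settle it, e.g. `# power_supply under the WLC i2c node keeps sysfs_batteryinfo; the rest of 10-0061 is sysfs_wlc (see WLC below)`.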
diff --git a/sepolicy/vendor/grilservice_app.te b/sepolicy/vendor/grilservice_app.te
new file mode 100644
index 0000000..2ee3ef2
--- /dev/null
+++ b/sepolicy/vendor/grilservice_app.te
@@ -0,0 +1 @@
+binder_call(grilservice_app, twoshay)
diff --git a/sepolicy/vendor/hal_health_default.te b/sepolicy/vendor/hal_health_default.te
new file mode 100644
index 0000000..189034c
--- /dev/null
+++ b/sepolicy/vendor/hal_health_default.te
@@ -0,0 +1 @@
+allow hal_health_default sysfs:file r_file_perms;
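Review bot: `allow hal_health_default sysfs:file r_file_perms;` in sepolicy/vendor/hal_health_default.te grants the health HAL read access to every sysfs file that still carries the generic sysfs label, which is far wider than whatever node it presumably needs. The genfs_contexts added in this same commit already gives specific nodes their own types (sysfs_batteryinfo, sysfs_wlc). The narrower form is to label the node the HAL reads with a `genfscon sysfs <node path> ...` entry and grant on that type, `allow hal_health_default <node_specific_sysfs_type>:file r_file_perms;`. If the generic rule has to stay for bring-up, a comment naming the node and a tracking bug would keep it from becoming permanent.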