sepolicy/vendor/update_engine.te - device/fairphone/fp3 - Gitiles

 # Allow update_engine and update_engine_sideload (recovery) read/write on the
 # device-specific partitions it should update.
 allow update_engine {
     boot_block_device
     custom_ab_block_device
     mdtp_device
     modem_block_device
     xbl_block_device
 }:blk_file rw_file_perms;

 allow update_engine firmware_file:filesystem getattr;
 allow update_engine self:capability kill;
	# Allow update_engine and update_engine_sideload (recovery) read/write on the
	# device-specific partitions it should update.
	allow update_engine {
	boot_block_device
	custom_ab_block_device
	mdtp_device
	modem_block_device
	xbl_block_device
	}:blk_file rw_file_perms;

	allow update_engine firmware_file:filesystem getattr;
	allow update_engine self:capability kill;