mediaserver needs tee_device for widevine classic

avc: denied { read write } for name="tlk_device" dev="tmpfs" ino=9459 scontext=u:r:mediaserver:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file
avc: denied { open } for path="/dev/tlk_device" dev="tmpfs" ino=9459 scontext=u:r:mediaserver:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file
avc: denied { ioctl } for path="/dev/tlk_device" dev="tmpfs" ino=9459 ioctlcmd=7410 scontext=u:r:mediaserver:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file

Bug: 29153599

Change-Id: I45d1d6d898c03b5efb8612dd34438f6a96a99451
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index e099e40..42ecbf4 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -2,3 +2,7 @@
 allow mediaserver self:netlink_kobject_uevent_socket create_socket_perms;
 allow mediaserver sensorservice_service:service_manager find;
 allow mediaserver sysfs_gpu:file r_file_perms;
+
+# needed for widevine classic
+allow mediaserver tee_device:chr_file { ioctl open read write };
+