recovery_only(`
  allow recovery sysfs_ota:file rw_file_perms;
  allow recovery st54spi_device:chr_file rw_file_perms;
  allow recovery tee_device:chr_file rw_file_perms;
  allow recovery sysfs_scsi_devices_0000:file r_file_perms;
  allow recovery sysfs_scsi_devices_0000:dir r_dir_perms;
  set_prop(recovery, boottime_prop)
')