
Adding SELinux rule for Magisk for specific process

2 votes
0 answers
144 views
I have decompiled the FM Radio app on my device AGM M7 (custom Lineage OS, API 27). This app doesn't have access to /dev/fm. To give this access, I wrote an SELinux rule according to one of the messages from `dmesg |grep avc`:

```
allow priv_app fm_device chr_file {read write open ioctl}
```

I implemented and installed this rule in a Magisk module. But I noticed according to the logs that the write permission for this rule was ignored. I asked ChatGPT about it, and it wrote that the priv_app context has limitations connected with this permission. Yes, I can install my FM Radio app in the /system/app folder instead of /system/priv-app, so the context will probably be platform_app. But in this case, all apps will be able to have access to /dev/fm, which increases the vulnerability of our firmware.

So the question is whether it is possible via Magisk to give access to **/dev/fm** to my FM Radio process. I am new to Magisk modules, so please help me write a Magisk module connected to this problem.

I forgot to mention, from what I noticed, that Magisk does not understand the ioctl permission, because when I wrote something like

```
magiskpolicy --apply-rule "path_to_sepolicy.rule"
```

I had a syntax error, but without ioctl, according to the logs, my app will not work. Another way is to reassign firmware on my device, because the original FM Radio with the original signature works without any rules, but I don't know how to change keystore signatures on firmware directly on my device. If you want to learn more details about my problem, you can see [this question on SO](https://stackoverflow.com/questions/79314583/selinux-module-to-open-fm-radio-application-access-to-dev-fm).
Asked by alexandr kozlovskiy (21 rep)
Jan 4, 2025, 04:39 PM
Last activity: Jan 5, 2025, 06:40 AM
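
Added example, not part of the original question: a Python sketch of deriving rules from `avc: denied` lines, grouping them into one reviewable rule per source type, target type and class so the grant stays as narrow as the denials. The sample log lines, the `fmradio` process name and the ioctl command value are constructed, and the output uses standard SELinux policy syntax (the form audit2allow prints), which is an assumption here and may differ from what magiskpolicy accepts.

```python
import re
from collections import defaultdict

# Constructed dmesg lines in the kernel's AVC denial format (not from the post).
_CTX = ("scontext=u:r:priv_app:s0:c512,c768 "
        "tcontext=u:object_r:fm_device:s0 tclass=chr_file permissive=0")
SAMPLE_DMESG = "\n".join([
    '[ 101.2] type=1400 audit(0.0:51): avc: denied { read write } for pid=4242 '
    'comm="fmradio" name="fm" dev="tmpfs" ino=900 ' + _CTX,
    '[ 101.3] type=1400 audit(0.0:52): avc: denied { open } for pid=4242 '
    'comm="fmradio" path="/dev/fm" dev="tmpfs" ino=900 ' + _CTX,
    '[ 101.4] type=1400 audit(0.0:53): avc: denied { ioctl } for pid=4242 '
    'comm="fmradio" path="/dev/fm" dev="tmpfs" ino=900 ioctlcmd=0x5601 ' + _CTX,
    '[ 101.9] init: unrelated kernel message',
])

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
                    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")
IOCTL_RE = re.compile(r"ioctlcmd=(?:0x)?([0-9a-fA-F]+)")

def ctx_type(context):
    """Return the type field of a user:role:type:level[:categories] context."""
    return context.split(":")[2]

def parse_denials(text):
    """Group denied permissions (and ioctl commands) by (source, target, class)."""
    rules, ioctls = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial
        key = (ctx_type(m["s"]), ctx_type(m["t"]), m["cls"])
        rules[key].update(m["perms"].split())
        cmd = IOCTL_RE.search(line)
        if cmd:
            ioctls[key].add(int(cmd.group(1), 16))
    return rules, ioctls

def render(rules, ioctls):
    """Emit one allow rule per key, plus an allowxperm line for seen ioctl commands."""
    out = []
    for key in sorted(rules):
        src, tgt, cls = key
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(rules[key]))} }};")
        if key in ioctls:
            cmds = " ".join(f"0x{c:04x}" for c in sorted(ioctls[key]))
            out.append(f"allowxperm {src} {tgt}:{cls} ioctl {{ {cmds} }};")
    return out

if __name__ == "__main__":
    print("\n".join(render(*parse_denials(SAMPLE_DMESG))))
```
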