diff --git a/private/adbd.te b/private/adbd.te
index 73302acd169918e36455a07e3703aab478830bc4..eb6ae3268c6988cafd2e713d8601f9a055b31513 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -100,6 +100,9 @@ allow adbd system_file:file r_file_perms;
 allow adbd selinuxfs:dir r_dir_perms;
 allow adbd selinuxfs:file r_file_perms;
 allow adbd kernel:security read_policy;
+allow adbd service_contexts_file:file r_file_perms;
+allow adbd file_contexts_file:file r_file_perms;
+allow adbd seapp_contexts_file:file r_file_perms;
 
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
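Review bot: The three new `allow adbd …_contexts_file:file r_file_perms;` lines have no comment, while every other domain touched by this commit gets one (`# Get file context`, `# Get seapp_contexts`). adbd is the debug bridge, so the reason it reads the service, file and seapp contexts files should be stated next to the grant, for example `# Read contexts files so <adb operation> can …` with the actual consumer filled in. Whether this group sits under a build-type guard or an explanatory comment above line 100 is not visible from the hunk.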
diff --git a/private/file_contexts b/private/file_contexts
index 1db5210d941c44a38112c6185218e03cefea3bf0..6687144910a186cc5d98e2e1c7a6d8ad04a5cf37 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -38,20 +38,20 @@
 /sdcard             u:object_r:rootfs:s0
 
 # SELinux policy files
-/file_contexts\.bin u:object_r:rootfs:s0
-/nonplat_file_contexts u:object_r:rootfs:s0
-/plat_file_contexts u:object_r:rootfs:s0
-/mapping_sepolicy\.cil   u:object_r:rootfs:s0
-/nonplat_sepolicy\.cil   u:object_r:rootfs:s0
-/plat_sepolicy\.cil      u:object_r:rootfs:s0
-/plat_property_contexts  u:object_r:property_contexts:s0
-/nonplat_property_contexts  u:object_r:property_contexts:s0
-/seapp_contexts     u:object_r:rootfs:s0
-/nonplat_seapp_contexts     u:object_r:rootfs:s0
-/plat_seapp_contexts     u:object_r:rootfs:s0
-/sepolicy           u:object_r:rootfs:s0
-/plat_service_contexts   u:object_r:rootfs:s0
-/nonplat_service_contexts   u:object_r:rootfs:s0
+/file_contexts\.bin     u:object_r:file_contexts_file:s0
+/nonplat_file_contexts  u:object_r:file_contexts_file:s0
+/plat_file_contexts     u:object_r:file_contexts_file:s0
+/mapping_sepolicy\.cil   u:object_r:sepolicy_file:s0
+/nonplat_sepolicy\.cil   u:object_r:sepolicy_file:s0
+/plat_sepolicy\.cil      u:object_r:sepolicy_file:s0
+/plat_property_contexts  u:object_r:property_contexts_file:s0
+/nonplat_property_contexts  u:object_r:property_contexts_file:s0
+/seapp_contexts     u:object_r:seapp_contexts_file:s0
+/nonplat_seapp_contexts     u:object_r:seapp_contexts_file:s0
+/plat_seapp_contexts     u:object_r:seapp_contexts_file:s0
+/sepolicy           u:object_r:sepolicy_file:s0
+/plat_service_contexts   u:object_r:service_contexts_file:s0
+/nonplat_service_contexts   u:object_r:service_contexts_file:s0
 
 ##########################
 # Devices
@@ -249,11 +249,27 @@
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/vr_wm                u:object_r:vr_wm_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
+/system/etc/selinux/plat_mac_permissions.xml u:object_r:mac_perms_file:s0
+/system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
+/system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
+/system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
+/system/etc/selinux/plat_sepolicy.cil       u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0
 
 #############################
 # Vendor files
 #
 /vendor(/.*)?		u:object_r:system_file:s0
+/vendor/etc/selinux/mapping_sepolicy.cil       u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
+/vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
+/vendor/etc/selinux/nonplat_service_contexts    u:object_r:service_contexts_file:s0
+/vendor/etc/selinux/nonplat_file_contexts   u:object_r:file_contexts_file:s0
+/vendor/etc/selinux/nonplat_seapp_contexts    u:object_r:seapp_contexts_file:s0
+/vendor/etc/selinux/nonplat_sepolicy.cil       u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy        u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy.plat.sha256 u:object_r:sepolicy_file:s0
 
 #############################
 # OEM and ODM files
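Review bot: The new `/system/etc/selinux/…` and `/vendor/etc/selinux/…` entries leave the dots in `.xml`, `.cil` and `.sha256` unescaped, while the root entries earlier in this same file use `\.` (`/file_contexts\.bin`, `/plat_sepolicy\.cil`). file_contexts paths are regular expressions, so each bare `.` matches any character and the entry labels more names than intended. Escaping them keeps the labelling of the policy files exact and consistent with the rest of the file; the seven affected lines are shown below.

```selinux
# … unchanged: plat_property_contexts, plat_service_contexts, plat_file_contexts, plat_seapp_contexts …
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_sepolicy\.cil       u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
# … unchanged: vendor section header and /vendor(/.*)? …
/vendor/etc/selinux/mapping_sepolicy\.cil       u:object_r:sepolicy_file:s0
/vendor/etc/selinux/nonplat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/vendor/etc/selinux/nonplat_sepolicy\.cil       u:object_r:sepolicy_file:s0
/vendor/etc/selinux/precompiled_sepolicy\.plat\.sha256 u:object_r:sepolicy_file:s0
```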
diff --git a/private/system_server.te b/private/system_server.te
index 5aae022bdf8e59ca0e91eb531305ec25caafb11d..ddeeb1b97bd1d72f214fc5ae1f7948709d707255 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -230,6 +230,10 @@ allow system_server mediaserver:udp_socket rw_socket_perms;
 allow system_server mediadrmserver:tcp_socket rw_socket_perms;
 allow system_server mediadrmserver:udp_socket rw_socket_perms;
 
+# Get file context
+allow system_server file_contexts_file:file r_file_perms;
+# access for mac_permissions
+allow system_server mac_perms_file: file r_file_perms;
 # Check SELinux permissions.
 selinux_check_access(system_server)
 
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index b2a19519fc7ee44edb68e6b7322405c25a22739a..501581abf3b3f091bc31b30b5641f844b2cd2517 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -10,9 +10,6 @@ typeattribute webview_zygote mlstrustedsubject;
 # resulting process into webview_zygote domain.
 init_daemon_domain(webview_zygote)
 
-# Access to system files for SELinux contexts.
-allow webview_zygote rootfs:file r_file_perms;
-
 # Allow reading/executing installed binaries to enable preloading the
 # installed WebView implementation.
 allow webview_zygote apk_data_file:dir r_dir_perms;
@@ -46,6 +43,8 @@ allow webview_zygote system_server:process getpgid;
 # Interaction between the webview_zygote and its children.
 allow webview_zygote isolated_app:process setpgid;
 
+# Get seapp_contexts
+allow webview_zygote seapp_contexts_file:file r_file_perms;
 # Check validity of SELinux context before use.
 selinux_check_context(webview_zygote)
 # Check SELinux permissions.
diff --git a/private/zygote.te b/private/zygote.te
index e9ec6724ff53a5210f54865ed6d83a5d8655003b..15fd951952756e30159a4c76f0f329339ba39751 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -62,6 +62,8 @@ allow zygote self:capability sys_admin;
 allow zygote pmsg_device:chr_file getattr;
 allow zygote debugfs_trace_marker:file getattr;
 
+# Get seapp_contexts
+allow zygote seapp_contexts_file:file r_file_perms;
 # Check validity of SELinux context before use.
 selinux_check_context(zygote)
 # Check SELinux permissions.
diff --git a/public/domain.te b/public/domain.te
index 0a3709690844dcb5476f3f446399ac8d842e8b5b..97d6a111fc655cc44f5e4cb278233aa2f9c69db4 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -89,7 +89,7 @@ get_prop(domain, core_property_type)
 # messages to logd.
 get_prop(domain, log_property_type)
 dontaudit domain property_type:file audit_access;
-allow domain property_contexts:file r_file_perms;
+allow domain property_contexts_file:file r_file_perms;
 
 allow domain init:key search;
 allow domain vold:key search;
diff --git a/public/file.te b/public/file.te
index 92fa4a35fe40f14298838ee2f4d41bdedbb8ccb4..d7a82bc6cdaddf6bbbe51b4c2bae8a21a93d9af7 100644
--- a/public/file.te
+++ b/public/file.te
@@ -256,8 +256,23 @@ type sap_uim_socket, file_type;
 # UART (for GPS) control proc file
 type gps_control, file_type;
 
+# file_contexts files
+type file_contexts_file, file_type;
+
+# mac_permissions file
+type mac_perms_file, file_type;
+
 # property_contexts file
-type property_contexts, file_type;
+type property_contexts_file, file_type;
+
+# seapp_contexts file
+type seapp_contexts_file, file_type;
+
+# sepolicy files binary and others
+type sepolicy_file, file_type;
+
+# service_contexts file
+type service_contexts_file, file_type;
 
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
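Review bot: Moving the policy and contexts files from `rootfs`/`system_file` onto six new types takes them out of any existing neverallow that names the old types, and nothing in this hunk adds a write restriction for the new ones. The domain-wide neverallow rules are not visible in this diff, so this needs confirming. A rule such as `neverallow domain { file_contexts_file mac_perms_file property_contexts_file seapp_contexts_file sepolicy_file service_contexts_file }:file { write append create unlink rename };` next to the declarations would keep them read-only by policy. Separately, `property_contexts` is renamed in public/ with no alias, so any device policy still using the old name would stop compiling; `typealias property_contexts_file alias property_contexts;` would cover that if such users exist.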
diff --git a/public/init.te b/public/init.te
index 4b080464b99e86e29b986f0ed1e50891cc0f9df9..4af41ec978db4f9e72160665050d46ce89365341 100644
--- a/public/init.te
+++ b/public/init.te
@@ -299,6 +299,12 @@ r_dir_file(init, domain)
 # setsockcreate is for labeling local/unix domain sockets.
 allow init self:process { setexec setfscreate setsockcreate };
 
+# Get file context
+allow init file_contexts_file:file r_file_perms;
+
+# sepolicy access
+allow init sepolicy_file:file r_file_perms;
+
 # Perform SELinux access checks on setting properties.
 selinux_check_access(init)
 
diff --git a/public/installd.te b/public/installd.te
index 0a5b8a380e9a4ab1e9e79012f1d7bbf59f106b95..a85edff9f0fb08099db00bd35b78b83480aca3b3 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -27,6 +27,10 @@ selinux_check_context(installd)
 r_dir_file(installd, rootfs)
 # Scan through APKs in /system/app and /system/priv-app
 r_dir_file(installd, system_file)
+# Get file context
+allow installd file_contexts_file:file r_file_perms;
+# Get seapp_context
+allow installd seapp_contexts_file:file r_file_perms;
 
 # Search /data/app-asec and stat files in it.
 allow installd asec_image_file:dir search;
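Review bot: `r_dir_file(installd, rootfs)` at the top of this hunk is kept alongside the new narrow grants, so installd still reads every `rootfs`-labelled file. servicemanager.te in this same commit drops its `r_dir_file(servicemanager, rootfs)` in favour of the dedicated type; if installd's rootfs access was only for the contexts files, the same removal applies here. The same applies to `r_dir_file(vold, rootfs)` in public/vold.te. The comment explaining the rootfs rule starts above the hunk, so the original reason should be checked first. Minor: the comment `# Get seapp_context` should read `# Get seapp_contexts` to match the type name.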
diff --git a/public/kernel.te b/public/kernel.te
index a93c8e908b32433e6869fa1d2a1f30bad1c06de4..9537c0dfaf4f8c4feec5ec47f24e62a28fba12a6 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -11,6 +11,9 @@ r_dir_file(kernel, proc)
 allow kernel selinuxfs:dir r_dir_perms;
 allow kernel selinuxfs:file r_file_perms;
 
+# Get file contexts during first stage
+allow kernel file_contexts_file:file r_file_perms;
+
 # Allow init relabel itself.
 allow kernel rootfs:file relabelfrom;
 allow kernel init_exec:file relabelto;
diff --git a/public/recovery.te b/public/recovery.te
index 1ec19c5ada5299a37cb4289f3746d3efd74b8795..d6aef1c58b0cadd48b7a208b7f644a0eb1f195ea 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -37,6 +37,8 @@ recovery_only(`
   # currently loaded policy. Allow it.
   allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
   allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
+  # Get file contexts
+  allow recovery file_contexts_file:file r_file_perms;
 
   # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
   # support to OTAs. However, that code has a bug. When an update occurs,
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 46b3b0e802702a3a6a2fcc7f8c5d0a5cb1ad6780..7ad32fc6dcf41e58d15a8fdae604712cbfdbd7ba 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -11,7 +11,8 @@ type servicemanager_exec, exec_type, file_type;
 allow servicemanager self:binder set_context_mgr;
 allow servicemanager { domain -init }:binder transfer;
 
-r_dir_file(servicemanager, rootfs)
+# Access to all (system and vendor) service_contexts
+allow servicemanager service_contexts_file:file r_file_perms;
 
 # Check SELinux permissions.
 selinux_check_access(servicemanager)
diff --git a/public/ueventd.te b/public/ueventd.te
index b0706c89508b09d1639adefda2f6e5a5995a0266..512b019d471a33241066b2d531ce003df393241c 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -29,6 +29,9 @@ allow ueventd efs_file:file r_file_perms;
 # Get SELinux enforcing status.
 r_dir_file(ueventd, selinuxfs)
 
+# Get file contexts for new device nodes
+allow ueventd file_contexts_file:file r_file_perms;
+
 # Use setfscreatecon() to label /dev directories and files.
 allow ueventd self:process setfscreate;
 
diff --git a/public/vold.te b/public/vold.te
index f4a391693f4e28aaa128d8f3500d241f9aeff26f..89e2c2471bc8da3ad1e0c69aa4d219877052c5df 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -19,6 +19,9 @@ allow vold sysfs_zram_uevent:file w_file_perms;
 r_dir_file(vold, rootfs)
 allow vold proc_meminfo:file r_file_perms;
 
+#Get file contexts
+allow vold file_contexts_file:file r_file_perms;
+
 # Allow us to jump into execution domains of above tools
 allow vold self:process setexec;