diff --git a/Android.mk b/Android.mk
index 776be6c0a7d8aed7dea6770a3e0f6596a837513a..10848b3a8fbef7429e67d739f800849c65f851c4 100644
--- a/Android.mk
+++ b/Android.mk
@@ -24,38 +24,6 @@ PLATFORM_SEPOLICY_VERSION := $(join $(addsuffix .,$(sepolicy_major_vers)), $(sep
 sepolicy_major_vers :=
 sepolicy_minor_vers :=
 
-include $(CLEAR_VARS)
-LOCAL_MODULE := selinux_policy
-LOCAL_MODULE_TAGS := optional
-# Include SELinux policy. We do this here because different modules
-# need to be included based on the value of PRODUCT_FULL_TREBLE. This
-# type of conditional inclusion cannot be done in top-level files such
-# as build/target/product/embedded.mk.
-# This conditional inclusion closely mimics the conditional logic
-# inside init/init.cpp for loading SELinux policy from files.
-ifeq ($(PRODUCT_FULL_TREBLE),true)
-# Use split SELinux policy
-LOCAL_REQUIRED_MODULES += \
-    mapping_sepolicy.cil \
-    nonplat_sepolicy.cil \
-    plat_sepolicy.cil \
-    plat_and_mapping_sepolicy.cil.sha256 \
-    secilc \
-    nonplat_file_contexts \
-    plat_file_contexts
-
-# Include precompiled policy, unless told otherwise
-ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
-LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat_and_mapping.sha256
-endif
-
-else
-# Use monolithic SELinux policy
-LOCAL_REQUIRED_MODULES += sepolicy \
-    file_contexts.bin
-endif
-include $(BUILD_PHONY_PACKAGE)
-
 include $(CLEAR_VARS)
 # SELinux policy version.
 # Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
@@ -197,6 +165,42 @@ ifneq (,$(filter address,$(SANITIZE_TARGET)))
   with_asan := true
 endif
 
+include $(CLEAR_VARS)
+LOCAL_MODULE := selinux_policy
+LOCAL_MODULE_TAGS := optional
+# Include SELinux policy. We do this here because different modules
+# need to be included based on the value of PRODUCT_FULL_TREBLE. This
+# type of conditional inclusion cannot be done in top-level files such
+# as build/target/product/embedded.mk.
+# This conditional inclusion closely mimics the conditional logic
+# inside init/init.cpp for loading SELinux policy from files.
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+
+platform_mapping_file := $(BOARD_SEPOLICY_VERS).cil
+
+# Use split SELinux policy
+LOCAL_REQUIRED_MODULES += \
+    $(platform_mapping_file) \
+    nonplat_sepolicy.cil \
+    plat_sepolicy.cil \
+    plat_and_mapping_sepolicy.cil.sha256 \
+    secilc \
+    nonplat_file_contexts \
+    plat_file_contexts \
+    plat_sepolicy_vers.txt
+
+# Include precompiled policy, unless told otherwise
+ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat_and_mapping.sha256
+endif
+
+else
+# Use monolithic SELinux policy
+LOCAL_REQUIRED_MODULES += sepolicy \
+    file_contexts.bin
+endif
+include $(BUILD_PHONY_PACKAGE)
+
 ##################################
 # reqd_policy_mask - a policy.conf file which contains only the bare minimum
 # policy necessary to use checkpolicy.  This bare-minimum policy needs to be
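Review bot: `platform_mapping_file` is assigned only inside the `ifeq ($(PRODUCT_FULL_TREBLE),true)` branch, but a later hunk in this file uses it as `LOCAL_MODULE := $(platform_mapping_file)` with no conditional visible around that module definition. When the branch is not taken the name expands to nothing, and when `BOARD_SEPOLICY_VERS` is unset it becomes `.cil`, so the mapping module would be registered under an empty or meaningless name. Consider moving the assignment above the `ifeq` and adding a check inside the Treble branch such as `$(if $(strip $(BOARD_SEPOLICY_VERS)),,$(error BOARD_SEPOLICY_VERS must be set for split sepolicy))`. If the later module is guarded by a conditional outside the hunks shown, only the empty-version check applies.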
@@ -335,10 +339,26 @@ plat_policy.conf :=
 #################################
 include $(CLEAR_VARS)
 
-LOCAL_MODULE := mapping_sepolicy.cil
+LOCAL_MODULE := plat_sepolicy_vers.txt
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_SEPOL_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE) :
+	mkdir -p $(dir $@)
+	echo $(PRIVATE_PLAT_SEPOL_VERS) > $@
+
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := $(platform_mapping_file)
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
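Review bot: The rule that writes `plat_sepolicy_vers.txt` lists no prerequisites, so once the file exists an incremental build will not rewrite it when `BOARD_SEPOLICY_VERS` changes. The vendor image could then carry a version string that no longer matches the `$(BOARD_SEPOLICY_VERS).cil` mapping file installed under `/system/etc/selinux/mapping`. The rule should depend on something that changes with the value, and the recipe should quote it: `echo '$(PRIVATE_PLAT_SEPOL_VERS)' > $@`. The new section also has no header comment, unlike the `reqd_policy_mask` section; something like `# plat_sepolicy_vers.txt - records BOARD_SEPOLICY_VERS on the vendor partition` would help. The mapping-file module that follows continues past the end of this hunk.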
diff --git a/CleanSpec.mk b/CleanSpec.mk
index 9e2c464c165934d93624ed8f97a10e31c940962c..09331156f4246bed7754dc0b126b512286d29a29 100644
--- a/CleanSpec.mk
+++ b/CleanSpec.mk
@@ -70,3 +70,4 @@ $(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/nonplat_property
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/mapping_sepolicy.cil)
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/plat_sepolicy.cil.sha256)
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/precompiled_sepolicy.plat.sha256)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/mapping_sepolicy.cil)
diff --git a/private/file_contexts b/private/file_contexts
index d547a9f52d1b72228824838a79b431dfbde2c673..aa89601bac694c80f7e26baa36dab1f9cecae7b9 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -248,14 +248,14 @@
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/vr_wm                u:object_r:vr_wm_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
-/system/etc/selinux/mapping_sepolicy.cil       u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_mac_permissions.xml u:object_r:mac_perms_file:s0
+/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil       u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
 /system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
 /system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
 /system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
 /system/etc/selinux/plat_sepolicy.cil       u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
 /system/bin/vr_hwc               u:object_r:vr_hwc_exec:s0
 
 #############################
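Review bot: The new pattern `/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil` labels only files named digits-dot-digits, while the installed name comes from `$(BOARD_SEPOLICY_VERS).cil` in Android.mk, and no format check is visible in this diff. A version string in any other shape would leave the mapping file without `sepolicy_file`, so it would take whatever broader /system rule matches. Either validate the version format at build time or state the contract here, e.g. `# mapping file name must be <major>.<minor>.cil (from BOARD_SEPOLICY_VERS)`. Separately, the unchanged `plat_sepolicy.cil` line still has an unescaped dot while its neighbours were escaped in this hunk.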
@@ -284,7 +284,7 @@
 /vendor/etc/selinux/nonplat_seapp_contexts    u:object_r:seapp_contexts_file:s0
 /vendor/etc/selinux/nonplat_sepolicy.cil       u:object_r:sepolicy_file:s0
 /vendor/etc/selinux/precompiled_sepolicy        u:object_r:sepolicy_file:s0
-/vendor/etc/selinux/precompiled_sepolicy.plat_and_mapping.sha256 u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
 /vendor/etc/selinux/vndservice_contexts         u:object_r:vndservice_contexts_file:s0
 
 #############################
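Review bot: This hunk adds no entry for `/vendor/etc/selinux/plat_sepolicy_vers.txt`, which the commit starts installing from Android.mk under `$(TARGET_OUT_VENDOR)/etc/selinux`. Unless an entry exists outside the hunks shown, the file will take the label of whatever broader /vendor rule matches, not the one its neighbours in this directory get. If it is meant to be treated like the other policy artefacts here, add a line such as `/vendor/etc/selinux/plat_sepolicy_vers\.txt u:object_r:sepolicy_file:s0`. The type is presumed from the adjacent entries and should be confirmed against the policy for whatever reads the file.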