diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 2e72866..fd25d0a 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -339,6 +339,7 @@
 /system/bin/bootstat                                              bootstat_exec
 /system/bin/app_process32                                         zygote_exec
 /system/bin/app_process64                                         zygote_exec
+/system/bin/pbtombstone                                           pbtombstone_exec
 /system/bin/servicemanager                                        servicemanager_exec
 /system/bin/surfaceflinger                                        surfaceflinger_exec
 /system/bin/gpuservice                                            gpuservice_exec
@@ -1344,3 +1345,5 @@
 /tmp                                                              shell_data_file
 
 /mnt/pre_reboot_dexopt                                            pre_reboot_dexopt_file
+
+/second_stage_resources/overlay_remounter                         overlay_remounter_exec
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 4fe3843..7d8a706 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -54,7 +54,7 @@
 neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
 neverallow { domain -bpfloader } fs_bpf_loader:file *;
 
-neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
+neverallow { domain -bpfloader -init userdebug_or_eng(`-overlay_remounter') } bpfloader_exec:file { execute execute_no_trans };
 
 neverallow { coredomain -bpfloader -netd -netutils_wrapper } fs_bpf_vendor:file *;
 
diff --git a/private/compat/202504/202504.ignore.cil b/private/compat/202504/202504.ignore.cil
index 100ba40..04d9387 100644
--- a/private/compat/202504/202504.ignore.cil
+++ b/private/compat/202504/202504.ignore.cil
@@ -5,5 +5,5 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
-    
+    pbtombstone_exec
   ))
diff --git a/private/coredomain.te b/private/coredomain.te
index 23ad43a..7f0ca9d 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -63,6 +63,7 @@
         -rs # spawned by appdomain, so carryover the exception above
         -system_server
         -traced_perf
+        userdebug_or_eng(`-overlay_remounter')
     } vendor_app_file:dir { open read getattr search };
 ')
 
@@ -84,6 +85,7 @@
         -system_server
         -traced_perf
         -mediaserver
+        userdebug_or_eng(`-overlay_remounter')
     } vendor_app_file:file r_file_perms;
 ')
 
@@ -105,6 +107,7 @@
         -webview_zygote
         -zygote
         -heapprofd
+        userdebug_or_eng(`-overlay_remounter')
     } vendor_overlay_file:dir { getattr open read search };
 ')
 
@@ -127,6 +130,7 @@
         -heapprofd
         userdebug_or_eng(`-profcollectd')
         userdebug_or_eng(`-simpleperf_boot')
+        userdebug_or_eng(`-overlay_remounter')
     } vendor_overlay_file:file open;
 ')
 
diff --git a/private/crash_dump.te b/private/crash_dump.te
index a9a802c..4bd1d38 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -118,7 +118,10 @@
 
 # A domain transition must occur for crash_dump to get the privileges needed to trace the process.
 # Do not allow the execution of crash_dump without a domain transition.
-neverallow domain crash_dump_exec:file execute_no_trans;
+neverallow {
+  domain
+  userdebug_or_eng(`-overlay_remounter')
+} crash_dump_exec:file execute_no_trans;
 
 # sigchld not explicitly forbidden since it's part of the
 # domain-transition-on-exec macros, and is by itself not sensitive
diff --git a/private/crosvm.te b/private/crosvm.te
index a377e7a..6051992 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -223,6 +223,7 @@
   -crosvm
   -virtualizationmanager
   -vmlauncher_app
+  userdebug_or_eng(`-overlay_remounter')
 
   is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr')
 } crosvm_exec:file no_x_file_perms;
diff --git a/private/domain.te b/private/domain.te
index 618258c..7b448c3 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -595,6 +595,11 @@
 # permission on /metadata dir
 allow domain metadata_file:dir search;
 
+# overlayfs performs all file operations as the mounter, being overlay_remounter.
+# It thus opens files as overlay_remounter, and then uses those files in the context of
+# the caller, which is anyone accessing a file on a overlaid read-only partition
+userdebug_or_eng(`allow domain overlay_remounter:fd use');
+
 ###
 ### neverallow rules
 ###
@@ -705,7 +710,7 @@
 # Do not allow renaming of block files or character files
 # Ability to do so can lead to possible use in an exploit chain
 # e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
-neverallow * *:{ blk_file chr_file } rename;
+neverallow { domain userdebug_or_eng(`-overlay_remounter') } *:{ blk_file chr_file } rename;
 
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
@@ -740,16 +745,21 @@
     domain
     with_asan(`-asan_extract')
     recovery_only(`userdebug_or_eng(`-fastbootd')')
+    userdebug_or_eng(`-kernel')
+    userdebug_or_eng(`-overlay_remounter')
 } {
     system_file_type
     vendor_file_type
     exec_type
 }:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
 
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -kernel with_asan(`-asan_extract') userdebug_or_eng(`-overlay_remounter') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
 
 # Don't allow mounting on top of /system files or directories
-neverallow * exec_type:dir_file_class_set mounton;
+neverallow {
+  domain
+  userdebug_or_eng(`-overlay_remounter')
+} exec_type:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
 neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
@@ -761,9 +771,9 @@
 # Ensure that context mount types are not writable, to ensure that
 # the write to /system restriction above is not bypassed via context=
 # mount to another type.
-neverallow * contextmount_type:dir_file_class_set
+neverallow { domain userdebug_or_eng(`-overlay_remounter') } contextmount_type:dir_file_class_set
     { create setattr relabelfrom relabelto append link rename };
-neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink };
+neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') userdebug_or_eng(`-overlay_remounter') } contextmount_type:dir_file_class_set { write unlink };
 
 # Do not allow service_manager add for default service labels.
 # Instead domains should use a more specific type such as
@@ -1150,6 +1160,7 @@
         -init
         -shell
         -ueventd
+        userdebug_or_eng(`-overlay_remounter')
     } vendor_shell_exec:file { execute execute_no_trans };
 ')
 
@@ -1204,6 +1215,7 @@
       -shell
       -system_executes_vendor_violators
       -ueventd
+      userdebug_or_eng(`-overlay_remounter')
     } {
       vendor_file_type
       -same_process_hal_file
@@ -1219,6 +1231,7 @@
       coredomain
       -shell
       -system_executes_vendor_violators
+      userdebug_or_eng(`-overlay_remounter')
     } {
       vendor_file_type
       -same_process_hal_file
@@ -1302,19 +1315,25 @@
 
 # Do not mount on top of symlinks, fifos, or sockets.
 # Feature parity with Chromium LSM.
-neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
+neverallow {
+  domain
+  userdebug_or_eng(`-overlay_remounter')
+} { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
 
 # Nobody should be able to execute su on user builds.
 # On userdebug/eng builds, only dumpstate, shell, and
 # su itself execute su.
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
+neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -overlay_remounter') } su_exec:file no_x_file_perms;
 
 # Do not allow the introduction of new execmod rules. Text relocations
 # and modification of executable pages are unsafe.
 # The only exceptions are for NDK text relocations associated with
 # https://code.google.com/p/android/issues/detail?id=23203
 # which, long term, need to go away.
-neverallow * {
+neverallow {
+  domain
+  userdebug_or_eng(`-overlay_remounter')
+} {
   file_type
   -apk_data_file
   -app_data_file
@@ -1328,7 +1347,12 @@
 
 # Do not allow the introduction of new execmod rules. Text relocations
 # and modification of executable pages are unsafe.
-neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
+neverallow {
+  domain
+  -untrusted_app_25
+  -untrusted_app_27
+  userdebug_or_eng(`-overlay_remounter')
+} file_type:file execmod;
 
 # Ensure that all types assigned to processes are included
 # in the domain attribute, so that all allow and neverallow rules
@@ -1453,6 +1477,7 @@
   -installd
   -profman
   -artd
+  userdebug_or_eng(`-overlay_remounter')
 } profman_exec:file no_x_file_perms;
 
 # Enforce restrictions on kernel module origin.
@@ -1520,6 +1545,7 @@
   neverallow {
     coredomain
     -appdomain
+    userdebug_or_eng(`-overlay_remounter')
   } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
 ')
 
@@ -1834,6 +1860,7 @@
     -zygote
     userdebug_or_eng(`-mediaextractor')
     userdebug_or_eng(`-mediaswcodec')
+    userdebug_or_eng(`-overlay_remounter')
 } {
     file_type
     -system_file_type
@@ -1909,6 +1936,7 @@
 neverallow {
   domain
   -appdomain
+  userdebug_or_eng(`-overlay_remounter')
 } {
   data_file_type
   -apex_art_data_file
@@ -1942,6 +1970,7 @@
   vold
   vold_prepare_subdirs
   zygote
+  userdebug_or_eng(`overlay_remounter')
 }')
 neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
 # Since the kernel checks dac_read_search before dac_override, domains that
@@ -1970,6 +1999,7 @@
     -update_engine
     -vold
     -zygote
+    userdebug_or_eng(`-overlay_remounter')
 } { fs_type
     -sdcard_type
     -fusefs_type
@@ -2038,6 +2068,7 @@
     userdebug_or_eng(`-simpleperf_boot')
     -traced_perf
     -ueventd
+    userdebug_or_eng(`-overlay_remounter')
   } vendor_file:file { no_w_file_perms no_x_file_perms open };
 ')
 
@@ -2081,6 +2112,7 @@
     -traced_perf # library/binary access for symbolization
     -ueventd # reads /vendor/ueventd.rc
     -vold # loads incremental fs driver
+    userdebug_or_eng(`-overlay_remounter')
   } {
     vendor_file_type
     -same_process_hal_file
@@ -2114,7 +2146,16 @@
 
 # Only init and otapreopt_chroot should be mounting filesystems on locations
 # labeled system or vendor (/product and /vendor respectively).
-neverallow { domain -dexopt_chroot_setup -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
+neverallow {
+  domain
+  -dexopt_chroot_setup
+  -init
+  -otapreopt_chroot
+  userdebug_or_eng(`-overlay_remounter')
+} {
+  system_file_type
+  vendor_file_type
+}:dir_file_class_set mounton;
 
 # Only allow init and vendor_init to read/write mm_events properties
 # NOTE: dumpstate is allowed to read any system property
diff --git a/private/file.te b/private/file.te
index 3a66143..6bdcc39 100644
--- a/private/file.te
+++ b/private/file.te
@@ -192,6 +192,9 @@
 # /sys/firmware/acpi/tables
 type sysfs_firmware_acpi_tables, fs_type, sysfs_type;
 
+# Type for /system/bin/pbtombstone.
+type pbtombstone_exec, system_file_type, exec_type, file_type;
+
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
diff --git a/private/file_contexts b/private/file_contexts
index 7ef3226..0b3e7f4 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -353,6 +353,7 @@
 /system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
 /system/bin/sgdisk      u:object_r:sgdisk_exec:s0
 /system/bin/blkid       u:object_r:blkid_exec:s0
+/system/bin/pbtombstone       u:object_r:pbtombstone_exec:s0
 /system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
 /system/bin/idmap2(d)?              u:object_r:idmap_exec:s0
 /system/bin/update_engine           u:object_r:update_engine_exec:s0
@@ -952,3 +953,7 @@
 #############################
 # For early boot VM
 /mnt/vm u:object_r:vm_data_file:s0
+
+#############################
+# For overlays
+/second_stage_resources/overlay_remounter u:object_r:overlay_remounter_exec:s0
diff --git a/private/incident.te b/private/incident.te
index db9ae86..19db7d7 100644
--- a/private/incident.te
+++ b/private/incident.te
@@ -34,4 +34,14 @@
 allow incident incidentd:fifo_file write;
 
 # only allow incident being called by shell or dumpstate
-neverallow { domain -su -shell -incident -dumpstate} incident_exec:file { execute execute_no_trans };
+neverallow {
+    domain
+    -su
+    -shell
+    -incident
+    -dumpstate
+    userdebug_or_eng(`-overlay_remounter')
+} incident_exec:file {
+    execute
+    execute_no_trans
+};
diff --git a/private/incident_helper.te b/private/incident_helper.te
index b453855..cdaf144 100644
--- a/private/incident_helper.te
+++ b/private/incident_helper.te
@@ -11,4 +11,13 @@
 allow incident_helper incidentd:unix_stream_socket { read write };
 
 # only allow incidentd and shell to call incident_helper
-neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans };
+neverallow {
+    domain
+    -incidentd
+    -incident_helper
+    -shell
+    userdebug_or_eng(`-overlay_remounter')
+} incident_helper_exec:file {
+    execute
+    execute_no_trans
+};
diff --git a/private/init.te b/private/init.te
index 35d7647..6f0ee80 100644
--- a/private/init.te
+++ b/private/init.te
@@ -814,7 +814,7 @@
 # The init domain is only entered via an exec based transition from the
 # kernel domain, never via setcon().
 neverallow domain init:process dyntransition;
-neverallow { domain -kernel } init:process transition;
+neverallow { domain -kernel userdebug_or_eng(`-overlay_remounter') } init:process transition;
 neverallow init { file_type fs_type -init_exec }:file entrypoint;
 
 # Never read/follow symlinks created by shell or untrusted apps.
diff --git a/private/kernel.te b/private/kernel.te
index 1b82c66..0d3aa77 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -2,6 +2,9 @@
 
 domain_auto_trans(kernel, init_exec, init)
 domain_auto_trans(kernel, snapuserd_exec, snapuserd)
+userdebug_or_eng(`
+  domain_auto_trans(kernel, overlay_remounter_exec, overlay_remounter)
+')
 
 # Allow the kernel to read otapreopt_chroot's file descriptors and files under
 # /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
@@ -150,6 +153,15 @@
 # required by VTS lidbm unit test
 allow kernel appdomain_tmpfs:file { read write };
 
+# Allow first stage init to copy and then launch overlay_remounter
+userdebug_or_eng(`
+  allow kernel tmpfs:dir rw_dir_perms;
+  allow kernel tmpfs:file { create_file_perms relabelfrom };
+  allow kernel overlay_remounter_exec:file { relabelto unlink };
+  allow kernel overlay_remounter:process2 nosuid_transition;
+  allow kernel overlay_remounter:process share;
+')
+
 dontaudit kernel metadata_file:dir search;
 dontaudit kernel ota_metadata_file:dir rw_dir_perms;
 dontaudit kernel sysfs:dir r_dir_perms;
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index ce26fd2..5459c1d 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -36,4 +36,5 @@
   -init
   -linkerconfig
   -otapreopt_chroot
+  userdebug_or_eng(`-overlay_remounter')
 } linkerconfig_exec:file no_x_file_perms;
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 37a2c47..28766dd 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -50,4 +50,4 @@
 # netutils wrapper may only use the following capabilities.
 neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };
 
-neverallow domain netutils_wrapper_exec:file execute_no_trans;
+neverallow { domain userdebug_or_eng(`-overlay_remounter') } netutils_wrapper_exec:file execute_no_trans;
diff --git a/private/overlay_remounter.te b/private/overlay_remounter.te
new file mode 100644
index 0000000..766ed68
--- /dev/null
+++ b/private/overlay_remounter.te
@@ -0,0 +1,40 @@
+# Domain used for overlay_remounter process
+
+# All types must be defined regardless of build variant to ensure
+# policy compilation succeeds with userdebug/user combination at boot
+type overlay_remounter, domain, coredomain;
+
+# File types must be defined for file_contexts.
+type overlay_remounter_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+  domain_auto_trans(overlay_remounter, init_exec, init)
+
+  allow overlay_remounter init:process share;
+  allow overlay_remounter init:process2 nosuid_transition;
+  allow overlay_remounter kernel:fd use;
+  allow overlay_remounter tmpfs:chr_file { open read write };
+  allow overlay_remounter labeledfs:filesystem { mount unmount };
+  allow overlay_remounter overlayfs_file:chr_file { unlink create link rename };
+  allow overlay_remounter overlayfs_file:dir create_dir_perms;
+  allow overlay_remounter overlayfs_file:file { create open rename unlink write };
+  allow overlay_remounter self:capability { chown fowner sys_admin dac_override dac_read_search };
+  allow overlay_remounter unlabeled:dir { rmdir search };
+  use_bootstrap_libs(overlay_remounter)
+
+  # overlay_remounter must be able to perform all possible operations
+  # on the overlaid partitions
+  allow overlay_remounter {
+    system_dlkm_file_type
+    vendor_file_type
+    system_file_type
+    adb_keys_file
+  }:{ file } ~{ entrypoint };
+
+  allow overlay_remounter {
+    system_dlkm_file_type
+    vendor_file_type
+    system_file_type
+    adb_keys_file
+  }:{ dir lnk_file } *;
+')
diff --git a/private/system_server.te b/private/system_server.te
index 57536de..be486ac 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1168,6 +1168,9 @@
 # Allow invoking tools like "timeout"
 allow system_server toolbox_exec:file rx_file_perms;
 
+# Allow invoking pbtombstone
+allow system_server pbtombstone_exec:file rx_file_perms;
+
 # Allow system process to setup fs-verity
 allowxperm system_server { apk_data_file apk_tmp_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY;
 
@@ -1360,6 +1363,7 @@
   file_type
   -toolbox_exec
   -logcat_exec
+  -pbtombstone_exec
   with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
 }:file execute_no_trans;
 
diff --git a/private/vendor_toolbox.te b/private/vendor_toolbox.te
index 178fa8f..5421dd5 100644
--- a/private/vendor_toolbox.te
+++ b/private/vendor_toolbox.te
@@ -7,5 +7,6 @@
         coredomain
         -init
         -modprobe
+        userdebug_or_eng(`-overlay_remounter')
     } vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
 ')
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 259c402..95bdd1c 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -115,8 +115,16 @@
 r_dir_file(virtualizationmanager, vendor_microdroid_file)
 
 # Do not allow writing vendor_microdroid_file from any process.
-neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } vendor_microdroid_file:dir no_w_dir_perms;
-neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } vendor_microdroid_file:file no_w_file_perms;
+neverallow {
+  domain
+  recovery_only(`userdebug_or_eng(`-fastbootd')')
+  userdebug_or_eng(`-overlay_remounter')
+} vendor_microdroid_file:dir no_w_dir_perms;
+neverallow {
+  domain
+  recovery_only(`userdebug_or_eng(`-fastbootd')')
+  userdebug_or_eng(`-overlay_remounter')
+} vendor_microdroid_file:file no_w_file_perms;
 
 # Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
 r_dir_file(virtualizationmanager, crosvm);
diff --git a/tests/policy.py b/tests/policy.py
index 98133b7..cf93ed7 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -589,7 +589,7 @@
                 vendor = any(MatchPathPrefix(path, prefix) for prefix in
                              ["/vendor", "/odm"])
                 system = any(MatchPathPrefix(path, prefix) for prefix in
-                             ["/init", "/system_ext", "/product" ])
+                             ["/init", "/system_ext", "/product", "/second_stage_resources" ])
 
                 # only mark entrypoint as system if it is not in legacy /system/vendor
                 if MatchPathPrefix(path, "/system/vendor"):