diff --git a/Android.mk b/Android.mk
index ef1ff1b..ad7d9bd 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1402,13 +1402,15 @@
 # The file_contexts.bin is built in the following way:
 # 1. Collect all file_contexts files in THIS repository and process them with
 #    m4 into a tmp file called file_contexts.local.tmp.
-# 2. Collect all device specific file_contexts files and process them with m4
+# 2. Collect all file_contexts files from LOCAL_FILE_CONTEXTS of installed
+#    modules with m4 with a tmp file called file_contexts.modules.tmp.
+# 3. Collect all device specific file_contexts files and process them with m4
 #    into a tmp file called file_contexts.device.tmp.
-# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
+# 4. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
 #    file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
-# 4. Concatenate file_contexts.local.tmp and file_contexts.device.tmp into
-#    file_contexts.concat.tmp.
-# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
+# 5. Concatenate file_contexts.local.tmp, file_contexts.modules.tmp and
+#    file_contexts.device.tmp into file_contexts.concat.tmp.
+# 6. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
 #    file_contexts.bin.
 #
 #  Note: That a newline file is placed between each file_context file found to
@@ -1431,21 +1433,12 @@
   local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
 endif
 
-# Even if TARGET_FLATTEN_APEX is not turned on, "flattened" APEXes are installed
-$(foreach _tuple,$(APEX_FILE_CONTEXTS_INFOS),\
-  $(eval _apex_name := $(call word-colon,1,$(_tuple)))\
-  $(eval _apex_path := $(call word-colon,2,$(_tuple)))\
-  $(eval _fc_path := $(call word-colon,3,$(_tuple)))\
-  $(eval _input := $(_fc_path))\
-  $(eval _output := $(intermediates)/$(_apex_name)-flattened)\
-  $(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_path),$(_output),local_fc_files))\
-  )
-
 file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
-$(file_contexts.local.tmp): PRIVATE_FC_FILES := $(local_fc_files)
-$(file_contexts.local.tmp): $(local_fc_files) $(M4)
-	@mkdir -p $(dir $@)
-	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_FC_FILES) > $@
+$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))
+
+# The rule for file_contexts.modules.tmp is defined in build/make/core/Makefile.
+# it gathers LOCAL_FILE_CONTEXTS from product_MODULES
+file_contexts.modules.tmp := $(intermediates)/file_contexts.modules.tmp
 
 device_fc_files := $(call build_vendor_policy, file_contexts)
 
@@ -1469,10 +1462,9 @@
 	$(hide) $(HOST_OUT_EXECUTABLES)/fc_sort -i $< -o $@
 
 file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
-$(file_contexts.concat.tmp): PRIVATE_CONTEXTS := $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp)
-$(file_contexts.concat.tmp): $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp) $(M4)
-	@mkdir -p $(dir $@)
-	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_CONTEXTS) > $@
+$(call merge-fc-files,\
+  $(file_contexts.local.tmp) $(file_contexts.modules.tmp) $(file_contexts.device.sorted.tmp),\
+  $(file_contexts.concat.tmp))
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
@@ -1489,6 +1481,7 @@
 file_contexts.device.sorted.tmp :=
 file_contexts.device.tmp :=
 file_contexts.local.tmp :=
+file_contexts.modules.tmp :=
 
 ##################################
 include $(CLEAR_VARS)
diff --git a/definitions.mk b/definitions.mk
index 2ecdbdc..f6b80d0 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -18,3 +18,20 @@
 	-s $(PRIVATE_POLICY_FILES) > $@
 endef
 .KATI_READONLY := transform-policy-to-conf
+
+###########################################################
+## Collect file_contexts files into a single tmp file with m4
+##
+## $(1): list of file_contexts files
+## $(2): filename into which file_contexts files are merged
+###########################################################
+
+define _merge-fc-files
+$(2): $(1) $(M4)
+	$(hide) mkdir -p $$(dir $$@)
+	$(hide) $(M4) --fatal-warnings -s $(1) > $$@
+endef
+
+define merge-fc-files
+$(eval $(call _merge-fc-files,$(1),$(2)))
+endef
diff --git a/private/genfs_contexts b/private/genfs_contexts
index accd02e..136da2b 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -256,6 +256,8 @@
 genfscon tracefs /events/thermal/cdev_update/                            u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/cpuhp/cpuhp_enter/                              u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/cpuhp/cpuhp_exit/                               u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ipi/                                            u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/irq/                                            u:object_r:debugfs_tracing:s0
 
 genfscon debugfs /tracing/trace_clock                                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/buffer_size_kb                                         u:object_r:debugfs_tracing:s0
@@ -306,6 +308,8 @@
 genfscon debugfs /tracing/events/thermal/cdev_update/                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/cpuhp/cpuhp_enter/                              u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/cpuhp/cpuhp_exit/                               u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ipi/                                            u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/irq/                                            u:object_r:debugfs_tracing:s0
 
 genfscon debugfs /kcov								 u:object_r:debugfs_kcov:s0
 
diff --git a/private/property_contexts b/private/property_contexts
index 1fe3e0c..4f7a1dc 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -115,6 +115,9 @@
 vold.                   u:object_r:vold_prop:s0
 ro.crypto.              u:object_r:vold_prop:s0
 
+# TODO(b/141677108): Remove once true everywhere
+ro.vold.level_from_user          u:object_r:vold_config_prop:s0
+
 # ro.build.fingerprint is either set in /system/build.prop, or is
 # set at runtime by system_server.
 ro.build.fingerprint    u:object_r:fingerprint_prop:s0 exact string
diff --git a/private/service_contexts b/private/service_contexts
index f5cd873..a2c8455 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -20,8 +20,8 @@
 android.os.UpdateEngineStableService      u:object_r:update_engine_stable_service:s0
 android.security.identity                 u:object_r:credstore_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
-android.security.keystore2                u:object_r:keystore_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
+android.system.keystore2                  u:object_r:keystore_service:s0
 app_binding                               u:object_r:app_binding_service:s0
 app_integrity                             u:object_r:app_integrity_service:s0
 app_prediction                            u:object_r:app_prediction_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index dcdf501..cadc6cd 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -566,6 +566,9 @@
 # Relabel apk files.
 allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
 allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
+# Allow PackageManager to rename file from /data/app-staging folder to /data/app during
+# staged apk install.
+allow system_server { staging_data_file }:{ dir file } { relabelfrom };
 
 # Relabel wallpaper.
 allow system_server system_data_file:file relabelfrom;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index f3ec058..4197ddd 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -1,5 +1,7 @@
 domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
 
+typeattribute vold_prepare_subdirs mlstrustedsubject;
+
 allow vold_prepare_subdirs system_file:file execute_no_trans;
 allow vold_prepare_subdirs shell_exec:file rx_file_perms;
 allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
@@ -24,6 +26,7 @@
     iris_vendor_data_file
     rollback_data_file
     storaged_data_file
+    system_data_file
     vold_data_file
 }:dir { create_dir_perms relabelto };
 allow vold_prepare_subdirs {
@@ -41,5 +44,9 @@
     vold_data_file
 }:file { getattr unlink };
 allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
+allow vold_prepare_subdirs mnt_expand_file:dir search;
+allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom relabelto };
+# /data/misc is unlabeled during early boot.
+allow vold_prepare_subdirs unlabeled:dir search;
 
 dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
diff --git a/public/service.te b/public/service.te
index 7d40854..b7a287b 100644
--- a/public/service.te
+++ b/public/service.te
@@ -183,7 +183,7 @@
 type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type timedetector_service, system_server_service, service_manager_type;
 type timezone_service, system_server_service, service_manager_type;
-type timezonedetector_service, system_server_service, service_manager_type;
+type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
 type trust_service, app_api_service, system_server_service, service_manager_type;
 type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;