diff --git a/private/apexd.te b/private/apexd.te
index b3aabea9a..d0ec9f4c0 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -50,6 +50,10 @@ allow apexd staging_data_file:file unlink;
 allow apexd staging_data_file:dir r_dir_perms;
 allow apexd staging_data_file:file { r_file_perms link };
 
+# allow apexd to read files from /vendor/apex
+allow apexd vendor_apex_file:dir r_dir_perms;
+allow apexd vendor_apex_file:file r_file_perms;
+
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
 
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 45e1dd9e8..3c6ba08b2 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -195,6 +195,7 @@
 usbd
 usbd_exec
 usbd_tmpfs
+ vendor_apex_file
 vendor_init
 vendor_shell
 vold_metadata_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 0e830f82c..3b9bd52e0 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -171,6 +171,7 @@
 usbd
 usbd_exec
 usbd_tmpfs
+ vendor_apex_file
 vendor_default_prop
 vendor_init
 vendor_security_patch_level_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 2ea4d2c04..f07103d95 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -137,6 +137,7 @@
 traced_lazy_prop
 uri_grants_service
 use_memfd_prop
+ vendor_apex_file
 vendor_cgroup_desc_file
 vendor_idc_file
 vendor_keychars_file
diff --git a/private/file_contexts b/private/file_contexts
index 4f0690b0b..9e7bba7bd 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -352,6 +352,8 @@
 /(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
 /(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
 
+/vendor/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
+
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
 
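Review bot: The new `/vendor/apex` entry in file_contexts is anchored differently from the adjacent entries, which all match `/(vendor|system/vendor)/...`; on a build where the vendor tree lives under /system/vendor the directory would fall through to the default vendor label, and the apexd and kernel allow rules added in this commit would not apply to those files. The `(/[^/]+){0,2}` bound also stops labelling two levels below the directory, so an APEX placed any deeper would not carry vendor_apex_file; if that depth limit is deliberate, a comment on the line should say so. Suggested entry: `/(vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0`.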
diff --git a/public/domain.te b/public/domain.te
index 634a5c558..a4156467a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1003,6 +1003,7 @@ full_treble_only(`
 vendor_file_type
 -same_process_hal_file
 -vendor_app_file
+ -vendor_apex_file
 -vendor_configs_file
 -vendor_framework_file
 -vendor_idc_file
diff --git a/public/file.te b/public/file.te
index c8953dec4..d906b7f6c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -286,6 +286,8 @@ type dhcp_data_file, file_type, data_file_type, core_data_file_type;
 type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
 # /data/app-staging
 type staging_data_file, file_type, data_file_type, core_data_file_type;
+# /vendor/apex
+type vendor_apex_file, vendor_file_type, file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
diff --git a/public/kernel.te b/public/kernel.te
index 50e72c2b1..99ad01404 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -85,8 +85,11 @@ allow kernel vold_data_file:file { read write };
 # Needed because APEX uses the loopback driver, which issues requests from
 # a kernel thread in earlier kernel version.
 allow kernel apexd:fd use;
-allow kernel apex_data_file:file read;
-allow kernel staging_data_file:file read;
+allow kernel {
+ apex_data_file
+ staging_data_file
+ vendor_apex_file
+}:file read;
 
 # Allow the first-stage init (which is running in the kernel domain) to execute the
 # dynamic linker when it re-executes /init to switch into the second stage.
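Review bot: Adding `-vendor_apex_file` to this exclusion set in domain.te exempts the new type from the full_treble_only neverallow that begins and ends outside the hunk, which is broader than the access this commit actually needs (apexd and the kernel reading it). Nothing then stops a later change from granting some other core domain access to /vendor/apex, so a narrower guard placed next to the exemption would preserve the original intent, for example `neverallow { coredomain -apexd -kernel } vendor_apex_file:{ dir file } *;`, subject to the usual neverallow compatibility checks. At minimum the reason for the exemption should be recorded in a comment by the neverallow, since the list itself gives no hint why this vendor type is treated differently from its neighbours.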
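Review bot: The comment on the new type in file.te only names the path, and nothing on that line records that vendor_apex_file is read by a core daemon and by the kernel (the allow rules in apexd.te and kernel.te in this same change), which is exactly what a later reviewer of the domain.te exemption needs to know. Suggest expanding it to `# /vendor/apex: APEX images apexd reads from the vendor partition; also read by the kernel via the loop driver`. The attribute list (vendor_file_type, file_type, no data_file_type) looks right for a path on the vendor partition, assuming /vendor is mounted read-only on the targets this is meant for.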