diff --git a/Android.bp b/Android.bp
index 0ca82a6db..8e2a96604 100644
--- a/Android.bp
+++ b/Android.bp
@@ -189,6 +189,11 @@ se_build_files {
 srcs: ["seapp_contexts"],
 }
+se_build_files {
+ name: "vndservice_contexts_files",
+ srcs: ["vndservice_contexts"],
+}
+
 // For vts_treble_sys_prop_test
 filegroup {
 name: "private_property_contexts",
@@ -1103,3 +1108,29 @@ se_neverallow_test {
 se_freeze_test {
 name: "sepolicy_freeze_test",
 }
+
+//////////////////////////////////
+// sepolicy_test checks various types of violations, which can't be easily done
+// by CIL itself. Refer tests/sepolicy_tests.py for more detail.
+//////////////////////////////////
+genrule {
+ name: "sepolicy_test",
+ srcs: [
+ ":plat_file_contexts",
+ ":vendor_file_contexts",
+ ":system_ext_file_contexts",
+ ":product_file_contexts",
+ ":odm_file_contexts",
+ ":precompiled_sepolicy",
+ ],
+ tools: ["sepolicy_tests"],
+ out: ["sepolicy_test"],
+ cmd: "$(location sepolicy_tests) " +
+ "-f $(location :plat_file_contexts) " +
+ "-f $(location :vendor_file_contexts) " +
+ "-f $(location :system_ext_file_contexts) " +
+ "-f $(location :product_file_contexts) " +
+ "-f $(location :odm_file_contexts) " +
+ "-p $(location :precompiled_sepolicy) && " +
+ "touch $(out)",
+}
diff --git a/Android.mk b/Android.mk
index 27123d7a3..c98de456b 100644
--- a/Android.mk
+++ b/Android.mk
@@ -347,9 +347,13 @@ endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
 ifneq ($(with_asan),true)
 ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
 LOCAL_REQUIRED_MODULES += \
- sepolicy_tests \
 sepolicy_compat_test \
+# HACK: sepolicy_test is implemented as genrule
+# genrule modules aren't installable, so LOCAL_REQUIRED_MODULES doesn't work.
+# Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output
+LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test
+
 ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_REQUIRED_MODULES += \
 $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
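Review bot: The genrule passes all five file_contexts to sepolicy_tests unconditionally, while the Android.mk rule it replaces (hunks `-663` and `-721` there) only added system_ext, product and odm when the matching `ifdef` guards held; if the always-defined Soong modules make the two equivalent, the header comment should say so, otherwise the command needs the same conditionality. Nothing on the Soong side depends on `sepolicy_test`; it is built only because Android.mk (hunk `-347`) names its intermediate output, so the test would silently stop running if that reference were lost. Worth a line in the same comment block: `// Built only via LOCAL_ADDITIONAL_DEPENDENCIES in Android.mk; there is no Soong consumer.`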
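Review bot: `$(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test` hard-codes the module class and output name Soong uses when exporting the genrule to Make; if either changes, Make would presumably look for a file that is never produced and fail with a missing-dependency error that does not look like a test problem. The HACK comment should name that assumption, e.g. `# Path must match the class (ETC) and out name Soong exports for the sepolicy_test genrule.` The `ifneq` guards above this block begin in the hunk, but their matching `endif`s are outside it.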
@@ -505,6 +509,7 @@ LOCAL_REQUIRED_MODULES += \
 vendor_hwservice_contexts_test \
 vendor_bug_map \
 vndservice_contexts \
+ vndservice_contexts_test \
 ifdef BOARD_ODM_SEPOLICY_DIRS
 LOCAL_REQUIRED_MODULES += \
@@ -663,51 +668,9 @@ file_contexts.device.tmp :=
 file_contexts.local.tmp :=
 file_contexts.modules.tmp :=
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := vndservice_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-vnd_svcfiles := $(call build_policy, vndservice_contexts, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
-
-vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
-$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
-$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vndservice_contexts.tmp): $(vnd_svcfiles) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
- @mkdir -p $(dir $@)
- sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
- $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -v $(PRIVATE_SEPOLICY) $@
-
-vnd_svcfiles :=
-vndservice_contexts.tmp :=
-
 ##################################
 include $(LOCAL_PATH)/mac_permissions.mk
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := sepolicy_tests
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
 all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
 all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
 ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
@@ -721,13 +684,6 @@ all_fc_files += $(TARGET_OUT_ODM)/etc/selinux/odm_file_contexts
 endif
 all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
-$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy)
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY)
- $(hide) touch $@
-
 ##################################
 # Tests for Treble compatibility of current platform policy and vendor policy of
 # given release version.
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 889493158..463a978ed 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -93,11 +93,13 @@ func init() {
 android.RegisterModuleType("service_contexts", serviceFactory)
 android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
 android.RegisterModuleType("seapp_contexts", seappFactory)
+ android.RegisterModuleType("vndservice_contexts", vndServiceFactory)
 android.RegisterModuleType("file_contexts_test", fileContextsTestFactory)
 android.RegisterModuleType("property_contexts_test", propertyContextsTestFactory)
 android.RegisterModuleType("hwservice_contexts_test", hwserviceContextsTestFactory)
 android.RegisterModuleType("service_contexts_test", serviceContextsTestFactory)
+ android.RegisterModuleType("vndservice_contexts_test", vndServiceContextsTestFactory)
 }
 func (m *selinuxContextsModule) InstallInRoot() bool {
@@ -495,6 +497,18 @@ func seappFactory() android.Module {
 return m
 }
+func vndServiceFactory() android.Module {
+ m := newModule()
+ m.build = m.buildGeneralContexts
+ android.AddLoadHook(m, func(ctx android.LoadHookContext) {
+ if !ctx.SocSpecific() {
+ ctx.ModuleErrorf(m.Name(), "must set vendor: true")
+ return
+ }
+ })
+ return m
+}
+
 var _ android.OutputFileProducer = (*selinuxContextsModule)(nil)
 // Implements android.OutputFileProducer
@@ -565,6 +579,14 @@ func serviceContextsTestFactory() android.Module {
 return m
 }
+// vndservice_contexts_test tests given vndservice_contexts files with checkfc.
+func vndServiceContextsTestFactory() android.Module {
+ m := &contextsTestModule{tool: "checkfc", flags: []string{"-e" /* allow empty */, "-v" /* vnd service */}}
+ m.AddProperties(&m.properties)
+ android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+ return m
+}
+
 func (m *contextsTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
 tool := m.tool
 if tool != "checkfc" && tool != "property_info_checker" {
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 3062a6160..2a5a0584b 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
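Review bot: `ctx.ModuleErrorf(m.Name(), "must set vendor: true")` passes the module name as the format string, so the message becomes a stray argument and the reported error reads as the module name followed by a `%!(EXTRA string=...)` marker, which go vet's printf check also flags. Soong already prefixes module errors with the module name, so `ctx.ModuleErrorf("must set vendor: true")` is enough; the `return` after it is then the closure's last statement and can go. Since contexts/Android.bp declares the module with `soc_specific: true`, the message could name that spelling as well. If the sibling factories outside this hunk use the same argument order, they should be corrected in the same change.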
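Review bot: The `-e` flag lets checkfc pass on an empty vndservice_contexts, and the inline `/* allow empty */` is the only record of why; a vendor with no vndservices is legitimate, but a file that is empty by accident (a wrong `srcs` selector, say) would presumably pass the same way, so the doc comment should say this is intended. Suggest: `// vndservice_contexts_test tests given vndservice_contexts files with checkfc; -e accepts an empty file (a vendor need not define any vndservice), -v selects vndservice validation.` The removed Android.mk rule ran checkfc with the same `-e -v` flags, so this keeps the previous behaviour. GenerateAndroidBuildActions starts in this hunk but continues past it.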
@@ -67,28 +67,55 @@ file_contexts {
 ":file_contexts_files{.vendor}",
 ],
 soc_specific: true,
- recovery_available: true,
+}
+
+file_contexts {
+ name: "vendor_file_contexts.recovery",
+ srcs: [
+ ":file_contexts_files{.plat_vendor_for_vendor}",
+ ":file_contexts_files{.vendor}",
+ ],
+ stem: "vendor_file_contexts",
+ recovery: true,
 }
 file_contexts {
 name: "system_ext_file_contexts",
 srcs: [":file_contexts_files{.system_ext_private}"],
 system_ext_specific: true,
- recovery_available: true,
+}
+
+file_contexts {
+ name: "system_ext_file_contexts.recovery",
+ srcs: [":file_contexts_files{.system_ext_private}"],
+ stem: "system_ext_file_contexts",
+ recovery: true,
 }
 file_contexts {
 name: "product_file_contexts",
 srcs: [":file_contexts_files{.product_private}"],
 product_specific: true,
- recovery_available: true,
+}
+
+file_contexts {
+ name: "product_file_contexts.recovery",
+ srcs: [":file_contexts_files{.product_private}"],
+ stem: "product_file_contexts",
+ recovery: true,
 }
 file_contexts {
 name: "odm_file_contexts",
 srcs: [":file_contexts_files{.odm}"],
 device_specific: true,
- recovery_available: true,
+}
+
+file_contexts {
+ name: "odm_file_contexts.recovery",
+ srcs: [":file_contexts_files{.odm}"],
+ stem: "odm_file_contexts",
+ recovery: true,
 }
 hwservice_contexts {
@@ -287,6 +314,16 @@ seapp_contexts {
 sepolicy: ":precompiled_sepolicy",
 }
+vndservice_contexts {
+ name: "vndservice_contexts",
+ srcs: [
+ ":vndservice_contexts_files{.plat_vendor_for_vendor}",
+ ":vndservice_contexts_files{.vendor}",
+ ":vndservice_contexts_files{.reqd_mask_for_vendor}",
+ ],
+ soc_specific: true,
+}
+
 // for CTS
 genrule {
 name: "plat_seapp_neverallows",
@@ -432,3 +469,9 @@ service_contexts_test {
 srcs: [":vendor_service_contexts"],
 sepolicy: ":precompiled_sepolicy",
 }
+
+vndservice_contexts_test {
+ name: "vndservice_contexts_test",
+ srcs: [":vndservice_contexts"],
+ sepolicy: ":precompiled_sepolicy",
+}
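Review bot: Each `.recovery` module repeats the `srcs` list of its non-recovery twin (`vendor_file_contexts` and `vendor_file_contexts.recovery` first, then the system_ext, product and odm pairs), so the two lists can drift and recovery could then label files differently from the partition it is recovering. A top-level variable keeps them in lockstep: `vendor_file_contexts_srcs = [":file_contexts_files{.plat_vendor_for_vendor}", ":file_contexts_files{.vendor}"]` and `srcs: vendor_file_contexts_srcs,` in both modules, and likewise for the other three pairs. The hunk also does not say why `recovery_available: true` was replaced by separate `stem`-sharing modules; a one-line comment on the first `.recovery` module would spare the next reader the archaeology.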
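Review bot: This `vndservice_contexts` module appears to be checked against sepolicy only by the separate `vndservice_contexts_test` added at the end of this file, whereas the removed Android.mk rule ran `checkfc -e -v` while building the file itself. That test only runs if something requires it (the `LOCAL_REQUIRED_MODULES` entry in Android.mk), so dropping that entry would ship an unvalidated vendor contexts file; a comment here makes the coupling visible: `// Validated by vndservice_contexts_test below; keep that module in LOCAL_REQUIRED_MODULES.` Whether `buildGeneralContexts` strips comments and blank lines the way the old `sed` step did cannot be confirmed from this diff, since that function is outside the Go hunk.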