diff --git a/Android.bp b/Android.bp index b47d72f9d..79a8f4d84 100644 --- a/Android.bp +++ b/Android.bp @@ -106,7 +106,7 @@ product_private_policy = [":se_build_files{.product_private}"] // policy and subsequent removal of CIL policy that should not be exported. se_policy_conf { name: "reqd_policy_mask.conf", - defaults: ["se_policy_conf_flags_defaults"], + defaults: ["se_policy_conf_public_flags_defaults"], srcs: reqd_mask_policy, installable: false, } @@ -142,7 +142,7 @@ se_policy_cil { // se_policy_conf { name: "pub_policy.conf", - defaults: ["se_policy_conf_flags_defaults"], + defaults: ["se_policy_conf_public_flags_defaults"], srcs: plat_public_policy + system_ext_public_policy + product_public_policy + @@ -162,7 +162,7 @@ se_policy_cil { se_policy_conf { name: "system_ext_pub_policy.conf", - defaults: ["se_policy_conf_flags_defaults"], + defaults: ["se_policy_conf_public_flags_defaults"], srcs: plat_public_policy + system_ext_public_policy + reqd_mask_policy, @@ -181,7 +181,7 @@ se_policy_cil { se_policy_conf { name: "plat_pub_policy.conf", - defaults: ["se_policy_conf_flags_defaults"], + defaults: ["se_policy_conf_public_flags_defaults"], srcs: plat_public_policy + reqd_mask_policy, installable: false, @@ -403,7 +403,7 @@ se_versioned_policy { // policy and the platform public policy files in order to use checkpolicy. se_policy_conf { name: "vendor_sepolicy.conf", - defaults: ["se_policy_conf_flags_defaults"], + defaults: ["se_policy_conf_public_flags_defaults"], srcs: plat_public_policy + system_ext_public_policy + product_public_policy + @@ -445,7 +445,7 @@ se_versioned_policy { // policy and the platform public policy files in order to use checkpolicy. se_policy_conf { name: "odm_sepolicy.conf", - defaults: ["se_policy_conf_flags_defaults"], + defaults: ["se_policy_conf_public_flags_defaults"], srcs: plat_public_policy + system_ext_public_policy + product_public_policy + 
@@ -786,7 +786,7 @@ se_policy_binary { se_policy_conf { name: "base_plat_pub_policy.conf", - defaults: ["se_policy_conf_flags_defaults"], + defaults: ["se_policy_conf_public_flags_defaults"], srcs: plat_public_policy + reqd_mask_policy, build_variant: "user", @@ -806,7 +806,7 @@ se_policy_cil { se_policy_conf { name: "base_product_pub_policy.conf", - defaults: ["se_policy_conf_flags_defaults"], + defaults: ["se_policy_conf_public_flags_defaults"], srcs: plat_public_policy + system_ext_public_policy + product_public_policy + diff --git a/build/soong/policy.go b/build/soong/policy.go index cbcc57ae6..be9d34e03 100644 --- a/build/soong/policy.go +++ b/build/soong/policy.go @@ -90,6 +90,9 @@ type policyConfProperties struct { // Desired number of MLS categories. Defaults to 1024 Mls_cats *int64 + + // Whether to turn on board_api_level guard or not. Defaults to false + Board_api_level_guard *bool } type policyConf struct { @@ -220,6 +223,14 @@ func (c *policyConf) mlsCats() int { return proptools.IntDefault(c.properties.Mls_cats, MlsCats) } +func (c *policyConf) boardApiLevel(ctx android.ModuleContext) string { + if proptools.Bool(c.properties.Board_api_level_guard) { + return ctx.Config().VendorApiLevel() + } + // aribtrary value greater than any other vendor API levels + return "1000000" +} + func findPolicyConfOrder(name string) int { for idx, pattern := range policyConfOrder { // We could use regexp but it seems like an overkill @@ -261,6 +272,7 @@ func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.Ou FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())). FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)). FlagWithArg("-D target_recovery=", strconv.FormatBool(c.isTargetRecovery())). + FlagWithArg("-D target_board_api_level=", c.boardApiLevel(ctx)). Flags(flagsToM4Macros(flags)). Flag("-s"). Inputs(srcs). 
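Review bot: `boardApiLevel` passes `ctx.Config().VendorApiLevel()` straight into `-D target_board_api_level=` without checking that it is a non-empty integer. If a product can leave the vendor API level unset (not visible in this diff, so to be confirmed), the `eval(target_board_api_level >= $1)` in `starting_at_board_api` gets a malformed expression, and guarded public rules could be dropped or mis-evaluated instead of failing the build. A `strconv.Atoi` check on the value, reported with `ctx.PropertyErrorf("board_api_level_guard", "vendor API level %q is not an integer", level)`, would turn that into a build error. The fallback literal is also unexplained and its comment misspells "arbitrary"; a named constant with `// Unguarded modules get a level above any real vendor API level, so every starting_at_board_api block is kept.` would say why `"1000000"` is there. The `Board_api_level_guard` property comment could likewise state what `false` implies.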
diff --git a/flagging/Android.bp b/flagging/Android.bp index b40a80aa9..a965f1f67 100644 --- a/flagging/Android.bp +++ b/flagging/Android.bp @@ -36,6 +36,13 @@ se_policy_conf_defaults { build_flags: ["all_selinux_flags"], } +se_policy_conf_defaults { + name: "se_policy_conf_public_flags_defaults", + srcs: [":sepolicy_flagging_macros"], + build_flags: ["all_selinux_flags"], + board_api_level_guard: true, +} + contexts_defaults { name: "contexts_flags_defaults", srcs: [":sepolicy_flagging_macros"], diff --git a/flagging/te_macros b/flagging/te_macros index 34645023f..baf26c35d 100644 --- a/flagging/te_macros +++ b/flagging/te_macros @@ -7,3 +7,18 @@ define(`is_flag_enabled', `ifelse(target_flag_$1, `true', `$2')') # is_flag_disabled(flag, rules) # SELinux rules which apply only if given feature is turned off define(`is_flag_disabled', `ifelse(target_flag_$1, `true', , `$2')') + +#################################### +# starting_at_board_api(api_level, rules) +# +# This macro conditionally exposes SELinux rules within system/sepolicy/public, +# ensuring they are available to vendors only when the board API level is at or +# above the specified 'api_level'. +# +# * Platform sepolicy: Rules are always enabled, regardless of API level. +# * Vendor sepolicy: Rules are enabled only when the board API level meets or +# exceeds the value provided in 'api_level'. +# +# Apply this macro to public types and attributes (in system/sepolicy/public) to +# restrict vendor access based on board API level. +define(`starting_at_board_api', `ifelse(eval(target_board_api_level >= $1), 1, `$2')')
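Review bot: `se_policy_conf_public_flags_defaults` has no comment saying which modules must use it, and it repeats `srcs` and `build_flags` from `se_policy_conf_flags_defaults` instead of building on it. An unguarded module gets the `"1000000"` sentinel from `boardApiLevel` and keeps every `starting_at_board_api` block, so a public-policy `se_policy_conf` added later with the old defaults would expose those rules to vendor policy without any build error. A comment such as `// Use for every se_policy_conf that compiles public policy; enables the board_api_level guard.` above the module would make the requirement explicit. Whether the new module can instead list `defaults: ["se_policy_conf_flags_defaults"]` and add only `board_api_level_guard: true` depends on the module type and is not visible here.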
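Review bot: `starting_at_board_api` assumes `target_board_api_level` is always defined, but this diff only adds `-D target_board_api_level=` in `transformPolicyToConf`. `contexts_flags_defaults` in flagging/Android.bp also pulls in `:sepolicy_flagging_macros`, and whether that m4 path defines the symbol is not visible here. If it is undefined, `eval` receives the bare name and the `ifelse` would most likely drop `$2` with only a warning, so guarded rules would disappear silently. The header comment should state the requirement, e.g. `# Requires -D target_board_api_level=<int>; unguarded builds pass 1000000 so all rules are kept.`, or the macro could check `ifdef` and fail loudly. `$1` is not validated either, so a non-numeric `api_level` would hit the same path.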