diff --git a/Android.mk b/Android.mk index 1d7cecb81304e111f92b7ab2f965eebadd550bc1..f03f7c4e0165d6ceab8386cca4354e2bf4ac257c 100644 --- a/Android.mk +++ b/Android.mk @@ -290,6 +290,7 @@ LOCAL_REQUIRED_MODULES += \ product_property_contexts \ product_seapp_contexts \ product_service_contexts \ + product_mac_permissions.xml \ endif include $(BUILD_PHONY_PACKAGE) @@ -1743,8 +1744,7 @@ $(plat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLIC @mkdir -p $(dir $@) $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@ -# TODO(b/119305624): Move product-specific sepolicy out of plat_mac_permissions. -all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY)) +all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY)) # Should be synced with keys.conf. all_plat_keys := platform media shared testkey 
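Review bot: Dropping `$(PRODUCT_PRIVATE_POLICY)` from `all_plat_mac_perms_files` means product signer-to-seinfo stanzas no longer reach `plat_mac_permissions.xml`, and nothing in this diff shows the on-device consumer being taught to read `product_mac_permissions.xml`. If that loader change is missing, product apps would presumably fall back to the default seinfo and run in a different domain than before, which surfaces as runtime denials rather than a build failure. Reference the companion framework change in the commit message, and replace the removed TODO with a comment such as `# Product stanzas are built separately into product_mac_permissions.xml.`. The unchanged keys rule above takes its directory list from a line truncated in the hunk header, so whether product keys still feed the platform keys file cannot be confirmed from here.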
@@ -1764,6 +1764,34 @@ plat_mac_perms_keys.tmp := ################################## include $(CLEAR_VARS) +LOCAL_MODULE := product_mac_permissions.xml +LOCAL_MODULE_CLASS := ETC +LOCAL_MODULE_TAGS := optional +LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux + +include $(BUILD_SYSTEM)/base_rules.mk + +# Build keys.conf +product_mac_perms_keys.tmp := $(intermediates)/product_keys.tmp +$(product_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) +$(product_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY)) + @mkdir -p $(dir $@) + $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@ + +all_product_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY)) + +$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_product_mac_perms_files) +$(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \ +$(all_product_mac_perms_files) + @mkdir -p $(dir $@) + $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES) + +product_mac_perms_keys.tmp := +all_product_mac_perms_files := + +################################## +include $(CLEAR_VARS) + LOCAL_MODULE := vendor_mac_permissions.xml LOCAL_MODULE_CLASS := ETC LOCAL_MODULE_TAGS := optional diff --git a/private/file_contexts b/private/file_contexts index 6b15fc05b4aace0ce827b91e1b8d45df802d971f..853d0a709421ec5d45dcf455859de7c69232a79b 100644 --- a/private/file_contexts +++ b/private/file_contexts 
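Review bot: Both `build_policy` calls in the new `product_mac_permissions.xml` module add `$(REQD_MASK_POLICY)` without saying why, and the keys rule runs `m4 ... $^ > $@`, which has no input file if no `keys.conf` is found. Presumably the mask directory is there to guarantee at least one `keys.conf` and one `mac_permissions.xml` for products that ship none; a comment such as `# REQD_MASK_POLICY supplies baseline keys.conf/mac_permissions.xml so the inputs are never empty.` would make that explicit. The `insertkeys.py` recipe also depends on prerequisite order, because `$<` must be the generated keys file, so adding `# $< is the keys file; keep it first in the prerequisite list.` above the `$(LOCAL_BUILT_MODULE)` rule would guard against a later reorder.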
@@ -379,6 +379,7 @@ /(product|system/product)/etc/selinux/product_property_contexts u:object_r:property_contexts_file:s0 /(product|system/product)/etc/selinux/product_seapp_contexts u:object_r:seapp_contexts_file:s0 /(product|system/product)/etc/selinux/product_service_contexts u:object_r:service_contexts_file:s0 +/(product|system/product)/etc/selinux/product_mac_permissions\.xml u:object_r:mac_perms_file:s0 ############################# # Product-Services files