diff --git a/private/app.te b/private/app.te
index 7d9bc89ed10ea07053c23a253f38d49598eacfaf..b2c1be334bccfe713ef84eafabbb68c39e7e4134 100644
--- a/private/app.te
+++ b/private/app.te
@@ -13,3 +13,11 @@ allow appdomain priv_app_tmpfs:file read;
 neverallow appdomain system_server:udp_socket {
         accept append bind create ioctl listen lock name_bind
         relabelfrom relabelto setattr shutdown };
+
+# Transition to a non-app domain.
+# Exception for the shell and su domains, can transition to runas, etc.
+# Exception for crash_dump.
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
+    { transition };
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
+    { dyntransition };
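Review bot: The header comment says "Exception for crash_dump", but only the `transition` rule carves out `-crash_dump`; the `dyntransition` rule below it keeps `{ domain -appdomain }` with no exception, and the comment as written does not make that deliberate asymmetry visible. I would tighten the comment to `# Exception for crash_dump (exec transition only; dyntransition has no exception).` so a later edit does not "fix" the second rule to match. Since these neverallows now live in private policy rather than public, a one-line note on why they moved (presumably they are platform-internal invariants the vendor-facing public policy need not export, and neverallow is still checked against the fully compiled policy — confirm) would also help the next reader.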
diff --git a/private/coredomain.te b/private/coredomain.te
index 2fbbbfd1aab1af6659da4138e68937076d651fc8..78ffb27df123287c9211abd8bc8f9cc0ed9d6c0b 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -14,6 +14,69 @@ neverallow {
 } sysfs_leds:file *;
 ')
 
+# On TREBLE devices, a limited set of files in /vendor are accessible to
+# only a few whitelisted coredomains to keep system/vendor separation.
+full_treble_only(`
+    # Limit access to /vendor/app
+    neverallow {
+        coredomain
+        -appdomain
+        -dex2oat
+        -idmap
+        -init
+        -installd
+        userdebug_or_eng(`-perfprofd')
+        userdebug_or_eng(`-heapprofd')
+        -postinstall_dexopt
+        -system_server
+    } vendor_app_file:dir { open read getattr search };
+')
+
+full_treble_only(`
+    neverallow {
+        coredomain
+        -appdomain
+        -dex2oat
+        -idmap
+        -init
+        -installd
+        userdebug_or_eng(`-perfprofd')
+        userdebug_or_eng(`-heapprofd')
+        -postinstall_dexopt
+        -system_server
+        -mediaserver
+    } vendor_app_file:file r_file_perms;
+')
+
+full_treble_only(`
+    # Limit access to /vendor/overlay
+    neverallow {
+        coredomain
+        -appdomain
+        -idmap
+        -init
+        -installd
+        -system_server
+        -webview_zygote
+        -zygote
+        userdebug_or_eng(`-heapprofd')
+    } vendor_overlay_file:dir { getattr open read search };
+')
+
+full_treble_only(`
+    neverallow {
+        coredomain
+        -appdomain
+        -idmap
+        -init
+        -installd
+        -system_server
+        -webview_zygote
+        -zygote
+        userdebug_or_eng(`-heapprofd')
+    } vendor_overlay_file:file r_file_perms;
+')
+
 # Core domains are not permitted to use kernel interfaces which are not
 # explicitly labeled.
 # TODO(b/65643247): Apply these neverallow rules to all coredomain.
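Review bot: The `vendor_app_file:file r_file_perms` whitelist exempts `-mediaserver`, while the matching `vendor_app_file:dir` whitelist just above it does not, and nothing in the hunk records why the two lists differ; the overlay pair further down keeps its dir and file lists identical, so the /vendor/app asymmetry reads like an oversight even if it is intentional. Presumably mediaserver only needs to read vendor APK contents through file descriptors handed to it by apps and never resolves the path itself, so it needs no dir search — confirm against the mediaserver allow rules. I would add a comment above the `:file` block, e.g. `# mediaserver reads vendor APK assets via app-passed fds only; it does not need dir search`, so the exemption is not copied into the dir rule or dropped later. Moving these from public/domain.te into private/coredomain.te is otherwise a faithful move.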
diff --git a/private/domain.te b/private/domain.te
index 65688b20f17d88c8dc2ca89e60b8d728fa7351d2..7a41ab21300044bba6d753362c63e53a93d8433b 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -23,6 +23,42 @@ userdebug_or_eng(`can_profile_heap({
   -vold
 })')
 
+# Path resolution access in cgroups.
+allow domain cgroup:dir search;
+allow { domain -appdomain } cgroup:dir w_dir_perms;
+allow { domain -appdomain } cgroup:file w_file_perms;
+
+# For now, everyone can access core property files
+# Device specific properties are not granted by default
+not_compatible_property(`
+    get_prop(domain, core_property_type)
+    get_prop(domain, exported_dalvik_prop)
+    get_prop(domain, exported_ffs_prop)
+    get_prop(domain, exported_system_radio_prop)
+    get_prop(domain, exported2_config_prop)
+    get_prop(domain, exported2_radio_prop)
+    get_prop(domain, exported2_system_prop)
+    get_prop(domain, exported2_vold_prop)
+    get_prop(domain, exported3_default_prop)
+    get_prop(domain, exported3_radio_prop)
+    get_prop(domain, exported3_system_prop)
+    get_prop(domain, vendor_default_prop)
+')
+compatible_property_only(`
+    get_prop({coredomain appdomain shell}, core_property_type)
+    get_prop({coredomain appdomain shell}, exported_dalvik_prop)
+    get_prop({coredomain appdomain shell}, exported_ffs_prop)
+    get_prop({coredomain appdomain shell}, exported_system_radio_prop)
+    get_prop({coredomain appdomain shell}, exported2_config_prop)
+    get_prop({coredomain appdomain shell}, exported2_radio_prop)
+    get_prop({coredomain appdomain shell}, exported2_system_prop)
+    get_prop({coredomain appdomain shell}, exported2_vold_prop)
+    get_prop({coredomain appdomain shell}, exported3_default_prop)
+    get_prop({coredomain appdomain shell}, exported3_radio_prop)
+    get_prop({coredomain appdomain shell}, exported3_system_prop)
+    get_prop({domain -coredomain -appdomain}, vendor_default_prop)
+')
+
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow {
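Review bot: The comment `# Path resolution access in cgroups.` describes only `allow domain cgroup:dir search;`; the two lines after it grant every non-app domain `w_dir_perms` and `w_file_perms` on `cgroup`, which — assuming the usual global_macros expansions (add_name/remove_name on dirs, write/append on files) — covers creating and removing cgroup directories and writing control files such as task placement, well beyond path resolution. Now that this rule lives in private policy it is the right place to record why the grant is `{ domain -appdomain }` rather than the handful of domains that actually manage cgroups, so I would replace the comment with `# Path resolution for all domains; non-app domains may also create/modify cgroups and write control files (task placement). TODO: narrow to the domains that manage cgroups.` Separately, the `compatible_property_only` branch lists `shell` alongside `appdomain` in `{coredomain appdomain shell}`; if shell carries the appdomain attribute (the `-shell` carve-outs in app.te suggest it does) the extra term is redundant, though harmless.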
diff --git a/public/app.te b/public/app.te
index 40dee5dcdf510e1d8d839ddacf0e928e51dca995..aa735b4703d72a4dfedf8bca0901d033e82e9611 100644
--- a/public/app.te
+++ b/public/app.te
@@ -435,14 +435,6 @@ neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
 neverallow appdomain { domain -appdomain }:process
     { sigkill sigstop signal };
 
-# Transition to a non-app domain.
-# Exception for the shell and su domains, can transition to runas, etc.
-# Exception for crash_dump.
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
-    { transition };
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
-    { dyntransition };
-
 # Write to rootfs.
 neverallow appdomain rootfs:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
diff --git a/public/domain.te b/public/domain.te
index 67002c93fe8bf5b163957dc0b197cd98b096e4b4..c536c127dec10e6ca58bdd9e4c95c58ede9e2fa5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -83,37 +83,6 @@ allow domain properties_device:dir { search getattr };
 allow domain properties_serial:file r_file_perms;
 allow domain property_info:file r_file_perms;
 
-# For now, everyone can access core property files
-# Device specific properties are not granted by default
-not_compatible_property(`
-    get_prop(domain, core_property_type)
-    get_prop(domain, exported_dalvik_prop)
-    get_prop(domain, exported_ffs_prop)
-    get_prop(domain, exported_system_radio_prop)
-    get_prop(domain, exported2_config_prop)
-    get_prop(domain, exported2_radio_prop)
-    get_prop(domain, exported2_system_prop)
-    get_prop(domain, exported2_vold_prop)
-    get_prop(domain, exported3_default_prop)
-    get_prop(domain, exported3_radio_prop)
-    get_prop(domain, exported3_system_prop)
-    get_prop(domain, vendor_default_prop)
-')
-compatible_property_only(`
-    get_prop({coredomain appdomain shell}, core_property_type)
-    get_prop({coredomain appdomain shell}, exported_dalvik_prop)
-    get_prop({coredomain appdomain shell}, exported_ffs_prop)
-    get_prop({coredomain appdomain shell}, exported_system_radio_prop)
-    get_prop({coredomain appdomain shell}, exported2_config_prop)
-    get_prop({coredomain appdomain shell}, exported2_radio_prop)
-    get_prop({coredomain appdomain shell}, exported2_system_prop)
-    get_prop({coredomain appdomain shell}, exported2_vold_prop)
-    get_prop({coredomain appdomain shell}, exported3_default_prop)
-    get_prop({coredomain appdomain shell}, exported3_radio_prop)
-    get_prop({coredomain appdomain shell}, exported3_system_prop)
-    get_prop({domain -coredomain -appdomain}, vendor_default_prop)
-')
-
 # Public readable properties
 get_prop(domain, debug_prop)
 get_prop(domain, exported_config_prop)
@@ -251,11 +220,6 @@ allow domain selinuxfs:file getattr;
 allow domain sysfs:dir search;
 allow domain selinuxfs:filesystem getattr;
 
-# Path resolution access in cgroups.
-allow domain cgroup:dir search;
-allow { domain -appdomain } cgroup:dir w_dir_perms;
-allow { domain -appdomain } cgroup:file w_file_perms;
-
 # Almost all processes log tracing information to
 # /sys/kernel/debug/tracing/trace_marker
 # The reason behind this is documented in b/6513400
@@ -966,69 +930,6 @@ full_treble_only(`
     }:file_class_set ~{ append getattr ioctl read write map };
 ')
 
-# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
-full_treble_only(`
-    # Limit access to /vendor/app
-    neverallow {
-        coredomain
-        -appdomain
-        -dex2oat
-        -idmap
-        -init
-        -installd
-        userdebug_or_eng(`-perfprofd')
-        userdebug_or_eng(`-heapprofd')
-        -postinstall_dexopt
-        -system_server
-    } vendor_app_file:dir { open read getattr search };
-')
-
-full_treble_only(`
-    neverallow {
-        coredomain
-        -appdomain
-        -dex2oat
-        -idmap
-        -init
-        -installd
-        userdebug_or_eng(`-perfprofd')
-        userdebug_or_eng(`-heapprofd')
-        -postinstall_dexopt
-        -system_server
-        -mediaserver
-    } vendor_app_file:file r_file_perms;
-')
-
-full_treble_only(`
-    # Limit access to /vendor/overlay
-    neverallow {
-        coredomain
-        -appdomain
-        -idmap
-        -init
-        -installd
-        -system_server
-        -webview_zygote
-        -zygote
-        userdebug_or_eng(`-heapprofd')
-    } vendor_overlay_file:dir { getattr open read search };
-')
-
-full_treble_only(`
-    neverallow {
-        coredomain
-        -appdomain
-        -idmap
-        -init
-        -installd
-        -system_server
-        -webview_zygote
-        -zygote
-        userdebug_or_eng(`-heapprofd')
-    } vendor_overlay_file:file r_file_perms;
-')
-
 full_treble_only(`
     # Non-vendor domains are not allowed to file execute shell
     # from vendor