diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 2f8066ab0ad6243af7f4541189e2f6a9a59a7406..15ab764c48b94b297ac957aa21f1e18b809e3991 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -97,3 +97,6 @@ neverallow all_untrusted_apps anr_data_file:dir ~search;
 # Avoid reads from generically labeled /proc files
 # Create a more specific label if needed
 neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
+
+# Do not allow untrusted apps access to preloads data files
+neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
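Review bot: The added `neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;` asserts less than its comment says: it leaves execute-type permissions and every directory permission unasserted, whereas the `proc:file` rule just above it also lists `no_x_file_perms`. Consider `neverallow all_untrusted_apps preloads_data_file:file { no_rw_file_perms no_x_file_perms };`. Since the only directory access this commit grants untrusted apps on this type is `search`, a second rule `neverallow all_untrusted_apps preloads_data_file:dir ~search;` in the style of the `anr_data_file` rule would pin that down as well. That directory rule fails the build if policy outside this diff grants more to any untrusted app domain, so check that first.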
diff --git a/private/file_contexts b/private/file_contexts
index 54192128bc5e804de2fd1b23d97824423574fe59..0b3584b1d04637b9bbadef3b143494fdd545aa29 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -291,6 +291,8 @@
 /data/nativetest64(/.*)?	u:object_r:nativetest_data_file:s0
 /data/property(/.*)?	u:object_r:property_data_file:s0
 /data/preloads(/.*)?	u:object_r:preloads_data_file:s0
+/data/preloads/media(/.*)?	u:object_r:preloads_media_file:s0
+/data/preloads/demo(/.*)?	u:object_r:preloads_media_file:s0
 
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
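Review bot: The second added line labels `/data/preloads/demo` as `preloads_media_file`, which makes everything under it readable by every untrusted app through the `untrusted_app_all` rules in this commit, while the type's comment in `public/file.te` names only `/data/preloads/media`. If demo content is meant to be readable by all apps, extend that comment to `# /data/preloads/media and /data/preloads/demo`; if not, it needs a type of its own. Files already present on a device keep `preloads_data_file` until they are relabelled, and no relabel step is visible in this diff. Without one, untrusted apps and mediaserver would lose access to existing preloaded media after the update.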
diff --git a/private/platform_app.te b/private/platform_app.te
index 2817e5a4721068a263d903fdbeaf3b8e0e618449..6b18d8feec929897da5b96a17c261f04335d6831 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -56,5 +56,7 @@ allow platform_app vr_manager_service:service_manager find;
 # Access to /data/preloads
 allow platform_app preloads_data_file:file r_file_perms;
 allow platform_app preloads_data_file:dir r_dir_perms;
+allow platform_app preloads_media_file:file r_file_perms;
+allow platform_app preloads_media_file:dir r_dir_perms;
 
 read_runtime_log_tags(platform_app)
diff --git a/private/priv_app.te b/private/priv_app.te
index 76dbb98b1489087685681c6d0e59069bc793e118..83a4b3f769ffc99b67ce181a93ad783c87ccd147 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -96,6 +96,8 @@ allow priv_app ringtone_file:file { getattr read write };
 # Access to /data/preloads
 allow priv_app preloads_data_file:file r_file_perms;
 allow priv_app preloads_data_file:dir r_dir_perms;
+allow priv_app preloads_media_file:file r_file_perms;
+allow priv_app preloads_media_file:dir r_dir_perms;
 
 # TODO: revert this as part of fixing 33574909
 # android.process.media uses /dev/mtp_usb
diff --git a/private/system_server.te b/private/system_server.te
index 7f601e091439b43ddd686e66c3280f5e08e514de..eb151b68d829f1b6e25e5db233c3d85d44bbf162 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -596,6 +596,8 @@ allow system_server update_engine:fifo_file write;
 # Access to /data/preloads
 allow system_server preloads_data_file:file { r_file_perms unlink };
 allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+allow system_server preloads_media_file:file { r_file_perms unlink };
+allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
 
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 6534412719923951ff924997828aec8f5fb8a8d5..993b3d0e3b3479bdb4317c8ca96da52bacb54354 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -88,6 +88,7 @@ allow untrusted_app_all self:process ptrace;
 allow untrusted_app_all sysfs_hwrandom:dir search;
 allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
 
-# Allow apps to view preloaded content
-allow untrusted_app_all preloads_data_file:dir r_dir_perms;
-allow untrusted_app_all preloads_data_file:file r_file_perms;
+# Allow apps to view preloaded media content
+allow untrusted_app_all preloads_media_file:dir r_dir_perms;
+allow untrusted_app_all preloads_media_file:file r_file_perms;
+allow untrusted_app_all preloads_data_file:dir search;
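Review bot: The last added rule, `allow untrusted_app_all preloads_data_file:dir search;`, sits under a comment that speaks only of media content, yet it is the one grant untrusted apps keep on the restricted type, so it should carry its own explanation. Suggested comment directly above it: `# Traverse /data/preloads to reach media/ and demo/; no listing, no file access`. Stating the intent next to the rule makes it harder for a later change to widen it back to `r_dir_perms` unnoticed.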
diff --git a/public/file.te b/public/file.te
index 71ea3244c0fca05f8aab41b43b5ec029491ec3cc..5cf30d090d52b693d878a1c40784c4ac8afcb39e 100644
--- a/public/file.te
+++ b/public/file.te
@@ -132,6 +132,8 @@ type nativetest_data_file, file_type, data_file_type;
 type ringtone_file, file_type, data_file_type, mlstrustedobject;
 # /data/preloads
 type preloads_data_file, file_type, data_file_type;
+# /data/preloads/media
+type preloads_media_file, file_type, data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
diff --git a/public/installd.te b/public/installd.te
index 5e0ccc437d60d2221990188b0ae3d78f8a16ffe1..0a5b8a380e9a4ab1e9e79012f1d7bbf59f106b95 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -132,6 +132,8 @@ allow installd labeledfs:filesystem { quotaget quotamod };
 # TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
 allow installd preloads_data_file:file { r_file_perms unlink };
 allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+allow installd preloads_media_file:file { r_file_perms unlink };
+allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
 
 ###
 ### Neverallow rules
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 6b3f0511e72a85bca54dd2c27f1e646e1c8c6293..a641bf7432f208f9676fb5c8443947ef9664c511 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -124,8 +124,8 @@ allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
 allow mediaserver media_rw_data_file:dir create_dir_perms;
 allow mediaserver media_rw_data_file:file create_file_perms;
 
-# Access to /data/preloads
-allow mediaserver preloads_data_file:file { getattr read ioctl };
+# Access to media in /data/preloads
+allow mediaserver preloads_media_file:file { getattr read ioctl };
 
 allow mediaserver ion_device:chr_file r_file_perms;
 allow mediaserver hal_graphics_allocator:fd use;
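Review bot: The rewritten rule `allow mediaserver preloads_media_file:file { getattr read ioctl };` grants neither `open` nor any directory permission, and the comment above it does not say why. Presumably mediaserver is only expected to use descriptors handed to it by an app; that reading is inferred from the permission set, not shown in this diff. If it is correct, a comment such as `# Preloaded media arrives as an already-open fd; mediaserver must not open these files by path` would keep `open` from being added later as a convenience fix.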