diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 83c82180eefd75a756caf0a0ef2047ac39e722ea..0faca6802405ffe1dff838896dc241ecfde84cba 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -61,6 +61,7 @@
     lowpan_service
     mediaextractor_update_service
     mediaprovider_tmpfs
+    mnt_vendor_file
     netd_stable_secret_prop
     network_watchlist_data_file
     network_watchlist_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 33777e283a1a79779d52c1b8d05f906337906e81..a7e953bfffd4c476deb409e847441a3e90d54ec8 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -50,6 +50,7 @@
     lowpan_prop
     lowpan_service
     mediaextractor_update_service
+    mnt_vendor_file
     network_watchlist_data_file
     network_watchlist_service
     perfetto
diff --git a/private/file_contexts b/private/file_contexts
index c5169ff60060848755275c267bbd59770e3c1027..c2a8c74e102c4fdacc6701216e91a04142d1aa99 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -526,3 +526,7 @@
 /mnt/user(/.*)?             u:object_r:mnt_user_file:s0
 /mnt/runtime(/.*)?          u:object_r:storage_file:s0
 /storage(/.*)?              u:object_r:storage_file:s0
+
+#############################
+# mount point for read-write vendor partitions
+/mnt/vendor(/.*)?          u:object_r:mnt_vendor_file:s0
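Review bot: The comment on the new entry mentions only the mount point, but the pattern `/mnt/vendor(/.*)?` also gives `mnt_vendor_file` to every object below it that has no more specific entry. Presumably vendor policy is expected to supply its own labels for the contents of the mounted partitions, so the comment should say that, for example `# Mount point for read-write vendor partitions; contents should be labelled by vendor policy, mnt_vendor_file is only the fallback.` The label column is also one space short of the entries above it.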
diff --git a/public/domain.te b/public/domain.te
index 1b7bbd4abf30f44bd89fd48c49205344feabc822..d1fcbbce5f0cb8d7e4e674d15cc19d3d57a91fde 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1355,3 +1355,9 @@ userdebug_or_eng(`
   dontaudit domain proc_type:file create;
   dontaudit domain sysfs_type:file create;
 ')
+
+# Platform must not have access to /mnt/vendor.
+neverallow {
+  coredomain
+  -init
+} mnt_vendor_file:dir *;
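Review bot: The new neverallow covers only class `dir`, while the file_contexts entry in this commit applies `mnt_vendor_file` to everything under /mnt/vendor, not just directories. A later rule granting a coredomain `mnt_vendor_file:file` or `lnk_file` permissions would still compile, and access through an already-open descriptor does not depend on directory search. If the platform is meant to have no access at all, consider widening the target to `} mnt_vendor_file:dir_file_class_set *;`. If the other classes are left out on purpose, a comment next to the rule saying so would keep the stated contract ("must not have access to /mnt/vendor") in line with what is enforced.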
diff --git a/public/file.te b/public/file.te
index 156fce141519249a0ef180f6f7870de867ed0f4a..631e49ced32820876b00fb518201f6c4df4c7e43 100644
--- a/public/file.te
+++ b/public/file.te
@@ -224,6 +224,9 @@ type storage_file, file_type;
 type mnt_media_rw_stub_file, file_type;
 type storage_stub_file, file_type;
 
+# Mount location for read-write vendor partitions.
+type mnt_vendor_file, file_type;
+
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.