diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 640775520f89f765187360ca4b645ee6da284c96..31551acc4250a9bed7a4696afe8bb033371c9059 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -100,6 +100,7 @@ neverallow { all_untrusted_apps -mediaprovider } {
   -sdcard_type
   file_type
   -app_data_file            # The apps sandbox itself
+  -privapp_data_file
   -media_rw_data_file       # Internal storage. Known that apps can
                             # leave artfacts here after uninstall.
   -user_profile_data_file   # Access to profile files
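Review bot: The added `-privapp_data_file` exclusion is the only entry in this list without a comment, and it takes priv-app sandbox files out of what this neverallow guards for `all_untrusted_apps` (the rule's class and permission set lie outside the hunk). It is needed because the same commit grants the new type to non-privileged app domains: `allow { appdomain -isolated_app } { app_data_file privapp_data_file }` in public/app.te, and the execute grants in private/untrusted_app_all.te and private/ephemeral_app.te. At the type-enforcement level the new label therefore does not yet separate priv-app data from untrusted apps, and that separation still rests on DAC and the MLS constraints. I would record this on the line, e.g. `-privapp_data_file        # Priv-app sandboxes; still granted to all appdomain in app.te`. If no untrusted or ephemeral app is ever labelled with the new type (not determinable from this diff), consider dropping it from the untrusted_app_all and ephemeral_app grants and scoping the app.te grant to `priv_app`.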
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index f53a194ddddabbf15489d3fb250a3adae4a04838..c8b7a1f5a1929fc91544144548d1771b66e59ff2 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -31,7 +31,7 @@
 (typeattributeset apk_private_data_file_26_0 (apk_private_data_file))
 (typeattributeset apk_private_tmp_file_26_0 (apk_private_tmp_file))
 (typeattributeset apk_tmp_file_26_0 (apk_tmp_file))
-(typeattributeset app_data_file_26_0 (app_data_file))
+(typeattributeset app_data_file_26_0 (app_data_file privapp_data_file))
 (typeattributeset app_fuse_file_26_0 (app_fuse_file))
 (typeattributeset app_fusefs_26_0 (app_fusefs))
 (typeattributeset appops_service_26_0 (appops_service))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index e3ca2d045bece67cb0d22f4414dd0c2eae9de833..d0cb9b7bbdce574c2e380b3353b403246b09b4ac 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -737,7 +737,7 @@
 (typeattributeset apk_private_data_file_27_0 (apk_private_data_file))
 (typeattributeset apk_private_tmp_file_27_0 (apk_private_tmp_file))
 (typeattributeset apk_tmp_file_27_0 (apk_tmp_file))
-(typeattributeset app_data_file_27_0 (app_data_file))
+(typeattributeset app_data_file_27_0 (app_data_file privapp_data_file))
 (typeattributeset app_fuse_file_27_0 (app_fuse_file))
 (typeattributeset app_fusefs_27_0 (app_fusefs))
 (typeattributeset appops_service_27_0 (appops_service))
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index d733132ec71a5281887fb535b7254f0a7cad55a1..a784b444d08a6e873a71da43a49ace1cac455eb7 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -872,7 +872,7 @@
 (typeattributeset apk_private_data_file_28_0 (apk_private_data_file))
 (typeattributeset apk_private_tmp_file_28_0 (apk_private_tmp_file))
 (typeattributeset apk_tmp_file_28_0 (apk_tmp_file))
-(typeattributeset app_data_file_28_0 (app_data_file))
+(typeattributeset app_data_file_28_0 (app_data_file privapp_data_file))
 (typeattributeset app_fuse_file_28_0 (app_fuse_file))
 (typeattributeset app_fusefs_28_0 (app_fusefs))
 (typeattributeset appops_service_28_0 (appops_service))
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index dfc81b85095c9d6f23eff657306a9660ca80f551..7d01ef5b822661b5f35fb09a225fe3f46ecd18d4 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -19,12 +19,12 @@ allow dexoptanalyzer installd:fd use;
 
 # Allow reading secondary dex files that were reported by the app to the
 # package manager.
-allow dexoptanalyzer app_data_file:dir { getattr search };
-allow dexoptanalyzer app_data_file:file { getattr read };
+allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
+allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read };
 # dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
 # "dontaudit...audit_access" policy line to suppress the audit access without
 # suppressing denial on actual access.
-dontaudit dexoptanalyzer app_data_file:dir audit_access;
+dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir audit_access;
 
 # Allow testing /data/user/0 which symlinks to /data/data
 allow dexoptanalyzer system_data_file:lnk_file { getattr };
diff --git a/private/domain.te b/private/domain.te
index f7f5d66dac483823dd60823a1baa4b14ff42c8ca..1ae31aea1d6686351b1fefff2d21c7823cbd1d3e 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -128,7 +128,7 @@ neverallow {
   domain
   -appdomain
   -installd # creation of sandbox
-} app_data_file:dir_file_class_set { create unlink };
+} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
 
 # Only the following processes should be directly accessing private app
 # directories.
@@ -145,7 +145,7 @@ neverallow {
   -runas
   -system_server
   -vold
-} app_data_file:dir *;
+} { privapp_data_file app_data_file }:dir *;
 
 # Only apps should be modifying app data. init and installd are exempted for
 # restorecon and package install/uninstall.
@@ -154,7 +154,7 @@ neverallow {
   -appdomain
   -init
   -installd
-} app_data_file:dir ~r_dir_perms;
+} { privapp_data_file app_data_file }:dir ~r_dir_perms;
 
 neverallow {
   domain
@@ -163,16 +163,16 @@ neverallow {
   -mediaserver # b/80300620
   userdebug_or_eng(`-perfprofd')
   -vold # b/80418809
-} app_data_file:file_class_set open;
+} { privapp_data_file app_data_file }:file_class_set open;
 
 neverallow {
   domain
   -appdomain
   -installd # creation of sandbox
-} app_data_file:dir_file_class_set { create unlink };
+} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
 
 neverallow {
   domain
   -init
   -installd
-} app_data_file:dir_file_class_set { relabelfrom relabelto };
+} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
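Review bot: The `neverallow { domain -appdomain -installd } … { create unlink }` rule edited in the middle of this hunk looks identical to the one edited in the first hunk of this file (old line 131), so the new type had to be added in two places. Unless the two copies differ in lines outside the hunks, I would delete one of them so that a later type addition cannot update one copy and miss the other.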
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 75a6317651e2def3f83ad5f047bec1354d927e14..f28d28f04b4ea1bc939d29b48850c3a2d36eadab 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -21,7 +21,7 @@ allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr
 
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
-allow ephemeral_app app_data_file:file {r_file_perms execute};
+allow ephemeral_app { app_data_file privapp_data_file }:file {r_file_perms execute};
 
 # services
 allow ephemeral_app audioserver_service:service_manager find;
@@ -50,7 +50,7 @@ allow ephemeral_app system_server:udp_socket {
 ### neverallow rules
 ###
 
-neverallow ephemeral_app app_data_file:file execute_no_trans;
+neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans;
 
 # Receive or send uevent messages.
 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
diff --git a/private/isolated_app.te b/private/isolated_app.te
index a6276b38c68f906236b017cd61770017e3e0083f..26cb12277a19ac0b9b6a510bdd388d8e161f4584 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -11,7 +11,7 @@ typeattribute isolated_app coredomain;
 app_domain(isolated_app)
 
 # Access already open app data files received over Binder or local socket IPC.
-allow isolated_app app_data_file:file { append read write getattr lock };
+allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock };
 
 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;
@@ -61,7 +61,7 @@ unix_socket_connect(isolated_app, traced_producer, traced)
 neverallow isolated_app tun_device:chr_file open;
 
 # Isolated apps should not directly open app data files themselves.
-neverallow isolated_app app_data_file:file open;
+neverallow isolated_app { app_data_file privapp_data_file }:file open;
 
 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 # TODO: are there situations where isolated_apps write to this file?
diff --git a/private/mls b/private/mls
index 3b8ee3f47f090ff8aa2ef69ffb88c054ca064b59..2eb621ddf8e1c7be9909464ae5f129e4e7116ac5 100644
--- a/private/mls
+++ b/private/mls
@@ -55,9 +55,9 @@ mlsconstrain dir_file_class_set { create relabelfrom relabelto }
 # Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
 # Subject must dominate object unless the subject is trusted.
 mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
-	     (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);
+	     ( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
 mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
-	     (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);
+	     ( (t2 != app_data_file and t2 != privapp_data_file) or l1 dom l2 or t1 == mlstrustedsubject);
 
 #
 # Constraints for file types other than app data files.
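Review bot: The two rewritten constraints in this hunk are spaced differently from each other and from the rest of the file: `( (t2 != app_data_file and t2 != privapp_data_file ) or` on the `dir` constraint, and the same text without the space before `)` on the file constraint. I would write both as `((t2 != app_data_file and t2 != privapp_data_file) or l1 dom l2 or t1 == mlstrustedsubject);`. The expression is the correct negation of the `t2 == app_data_file or t2 == privapp_data_file` exemption used in the next hunk. Because the two lists have to stay in step for every app-data type, a comment above the first constraint would help, e.g. `# Keep this type list in sync with the exemptions in the constraints below.`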
@@ -66,18 +66,18 @@ mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
 # Read operations: Subject must dominate object unless the subject
 # or the object is trusted.
 mlsconstrain dir { read getattr search }
-	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+	     (t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
-	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+	     (t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 # Write operations: Subject must be equivalent to the object unless the
 # subject or the object is trusted.
 mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
-	     (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+	     (t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
-	     (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+	     (t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 # Special case for FIFOs.
 # These can be unnamed pipes, in which case they will be labeled with the
diff --git a/private/priv_app.te b/private/priv_app.te
index a952769825c8425822270bb117d21d98ed948237..0afd721adc8de6d6c89c2f855c9e23e3ead32d5d 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -19,7 +19,7 @@ allow priv_app self:process ptrace;
 
 # Some apps ship with shared libraries that they write out
 # to their sandbox directory and then dlopen().
-allow priv_app app_data_file:file execute;
+allow priv_app { app_data_file privapp_data_file }:file execute;
 
 allow priv_app app_api_service:service_manager find;
 allow priv_app audioserver_service:service_manager find;
diff --git a/private/storaged.te b/private/storaged.te
index 0916adf9530b91f3f0ec0e561d9b6fb20d7c03ca..f5f073513bc1962f0b4eb96abb516683f21abd20 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -29,7 +29,7 @@ allow storaged shell:fifo_file write;
 
 # Needed for GMScore to call dumpsys storaged
 allow storaged priv_app:fd use;
-allow storaged app_data_file:file write;
+allow storaged { privapp_data_file app_data_file }:file write;
 allow storaged permission_service:service_manager find;
 
 # Binder permissions
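Review bot: The `app_data_file` half of `allow storaged { privapp_data_file app_data_file }:file write;` may no longer be needed, because the comment above ties this grant to GMScore calling dumpsys and the preceding rule grants fd use for `priv_app`. If GMScore's files end up labelled `privapp_data_file` (the labelling rule is not in this diff, so this needs confirming), the rule could be narrowed to `allow storaged privapp_data_file:file write;`. The same question applies to `allow mediametrics { app_data_file privapp_data_file }:file write;` in public/mediametrics.te. It also applies to the two perfprofd rules in public/perfprofd.te, whose comment names a com.google.android.gms path.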
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index d9d7dea6edc765b888f006e3641736967ef7a2bf..a5ebfb0e0c50736c166ea293028769a7cd64960c 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -55,7 +55,7 @@ set_prop(surfaceflinger, ctl_bootanim_prop)
 
 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;
-allow surfaceflinger app_data_file:file { read write };
+allow surfaceflinger { app_data_file privapp_data_file }:file { read write };
 
 # Allow writing surface traces to /data/misc/wmtrace.
 userdebug_or_eng(`
diff --git a/private/system_server.te b/private/system_server.te
index 01da377400c140d72e5b7dac3855597746e0d6fe..895024040003f28088dd4dc391e54ac0e926be77 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -446,7 +446,16 @@ allow system_server zoneinfo_data_file:file create_file_perms;
 
 # Walk /data/data subdirectories.
 # Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
+allow system_server {
+  system_app_data_file
+  bluetooth_data_file
+  nfc_data_file
+  radio_data_file
+  shell_data_file
+  app_data_file
+  privapp_data_file
+}:dir { getattr read search };
+
 # Also permit for unlabeled /data/data subdirectories and
 # for unlabeled asec containers on upgrades from 4.2.
 allow system_server unlabeled:dir r_dir_perms;
@@ -459,7 +468,15 @@ allow system_server system_app_data_file:file create_file_perms;
 
 # Receive and use open app data files passed over binder IPC.
 # Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
+allow system_server {
+  system_app_data_file
+  bluetooth_data_file
+  nfc_data_file
+  radio_data_file
+  shell_data_file
+  app_data_file
+  privapp_data_file
+}:file { getattr read write append };
 
 # Access to /data/media for measuring disk usage.
 allow system_server media_rw_data_file:dir { search getattr open read };
@@ -821,7 +838,13 @@ neverallow system_server sdcard_type:file rw_file_perms;
 # file descriptor.
 # Types extracted from seapp_contexts type= fields, excluding
 # those types that system_server needs to open directly.
-neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
+neverallow system_server {
+  bluetooth_data_file
+  nfc_data_file
+  shell_data_file
+  app_data_file
+  privapp_data_file
+}:file { open create unlink link };
 
 # Forking and execing is inherently dangerous and racy. See, for
 # example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 07d9d4d19697415b26bc9a75cd0ca3de0d0d7d44..65be583a731469776a616eeb45092e14ae936181 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -23,7 +23,7 @@
 
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
-allow untrusted_app_all app_data_file:file { rx_file_perms };
+allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };
 
 # ASEC
 allow untrusted_app_all asec_apk_file:file r_file_perms;
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 55b268a30305d95a874d14e70cacfaa27107a5cb..ea0141266e17db0e1f6ad0f1e21bf37b3a21287b 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -95,6 +95,7 @@ neverallow webview_zygote property_type:property_service set;
 # Should not have any access to app data files.
 neverallow webview_zygote {
     app_data_file
+    privapp_data_file
     system_app_data_file
     bluetooth_data_file
     nfc_data_file
diff --git a/public/app.te b/public/app.te
index 169e61995c18ddf158a0204c803e8a92e63dce6a..64bb839c19c5cbc7f8f0714e351a7121fa2afa76 100644
--- a/public/app.te
+++ b/public/app.te
@@ -66,8 +66,8 @@ allow appdomain appdomain:fifo_file rw_file_perms;
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 
 # App sandbox file accesses.
-allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
+allow { appdomain -isolated_app } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app } { app_data_file privapp_data_file }:notdevfile_class_set create_file_perms;
 
 # Traverse into expanded storage
 allow appdomain mnt_expand_file:dir r_dir_perms;
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 608ba7987f79d9705690bd09e86ff6e19d55c6ec..75a3018bed34ead7dceaa8dafabb5f1487a30af7 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -33,7 +33,7 @@ allow dex2oat user_profile_data_file:file { getattr read lock };
 
 # Allow dex2oat to compile app's secondary dex files which were reported back to
 # the framework.
-allow dex2oat app_data_file:file { getattr read write lock };
+allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock };
 
 ##################
 # A/B OTA Dexopt #
@@ -63,4 +63,4 @@ allow dex2oat ota_data_file:file { create w_file_perms setattr };
 # Neverallow #
 ##############
 
-neverallow dex2oat app_data_file:notdevfile_class_set open;
+neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
diff --git a/public/domain.te b/public/domain.te
index 6c0a92a4a47304fb3d3bb5c7b44aa89d2d8558fe..f6ee4edf508ebf31e5a197cceb1635f48d57e63b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -777,6 +777,7 @@ full_treble_only(`
     unlabeled # used only by core domains
     core_data_file_type
     -app_data_file
+    -privapp_data_file
     -pdx_endpoint_socket_type # used by VR layer
     -pdx_channel_socket_type # used by VR layer
   }:sock_file ~{ append getattr ioctl read write };
@@ -1195,7 +1196,7 @@ neverallow {
   -appdomain
   -installd
   -uncrypt  # TODO: see if we can remove
-} app_data_file:lnk_file read;
+} { app_data_file privapp_data_file }:lnk_file read;
 
 neverallow {
   domain
diff --git a/public/drmserver.te b/public/drmserver.te
index f752c13ee8dcaf544154395dd86aea68b66e7185..1a675bebae852783ceb15d3d50b9882a41b461bd 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -21,7 +21,7 @@ allow drmserver sdcard_type:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
 allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver app_data_file:file { read write getattr };
+allow drmserver { app_data_file privapp_data_file }:file { read write getattr };
 allow drmserver sdcard_type:file { read write getattr };
 r_dir_file(drmserver, efs_file)
 
diff --git a/public/file.te b/public/file.te
index 2f14b5b128aa5d4330f368dbb6ae34fddcdb5c08..79e36d41898e48f19b3cc5b4c9c8341f9058b6b0 100644
--- a/public/file.te
+++ b/public/file.te
@@ -283,6 +283,8 @@ type method_trace_data_file, file_type, data_file_type, core_data_file_type, mls
 
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type, core_data_file_type;
+# /data/data subdirectories - priv-app sandboxes
+type privapp_data_file, file_type, data_file_type, core_data_file_type;
 # /data/data subdirectory for system UID apps.
 type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Compatibility with type name used in Android 4.3 and 4.4.
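Review bot: The new `privapp_data_file` declaration says what the type labels, but nothing in the visible diff assigns it. No seapp_contexts hunk appears here, while comments elsewhere in this change (system_server.te) say these types come from seapp_contexts `type=` fields. If the assignment is in a part of the commit outside this view or in a follow-up, note that on the declaration, e.g. `# /data/data subdirectories - priv-app sandboxes (assigned in seapp_contexts)`. Until something applies the label, the rules added for it are inert. Existing priv-app directories will also need relabelling from `app_data_file`, which the installd `relabelfrom relabelto` grant in this commit appears intended to permit.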
diff --git a/public/init.te b/public/init.te
index 1a5a651f8e85d1cbf156e38e266cafea71252be7..43e858c50ee0d668b2cdb7ee16d1166744369c9d 100644
--- a/public/init.te
+++ b/public/init.te
@@ -145,6 +145,7 @@ allow init {
   -exec_type
   -misc_logd_file
   -nativetest_data_file
+  -privapp_data_file
   -system_app_data_file
   -system_file
   -vendor_file_type
@@ -157,6 +158,7 @@ allow init {
   -keystore_data_file
   -misc_logd_file
   -nativetest_data_file
+  -privapp_data_file
   -shell_data_file
   -system_app_data_file
   -system_file
@@ -171,6 +173,7 @@ allow init {
   -keystore_data_file
   -misc_logd_file
   -nativetest_data_file
+  -privapp_data_file
   -runtime_event_log_tags_file
   -shell_data_file
   -system_app_data_file
@@ -186,6 +189,7 @@ allow init {
   -keystore_data_file
   -misc_logd_file
   -nativetest_data_file
+  -privapp_data_file
   -shell_data_file
   -system_app_data_file
   -system_file
@@ -200,6 +204,7 @@ allow init {
   -keystore_data_file
   -misc_logd_file
   -nativetest_data_file
+  -privapp_data_file
   -shell_data_file
   -system_app_data_file
   -system_file
@@ -211,7 +216,7 @@ allow init cache_file:lnk_file r_file_perms;
 
 allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
 # does init really need to relabel app data?
-userdebug_or_eng(`auditallow init app_data_file:dir_file_class_set relabelto;')
+userdebug_or_eng(`auditallow init { app_data_file privapp_data_file }:dir_file_class_set relabelto;')
 allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
 allow init dev_type:dir create_dir_perms;
@@ -508,7 +513,7 @@ neverallow init { file_type fs_type -init_exec }:file entrypoint;
 
 # Never read/follow symlinks created by shell or untrusted apps.
 neverallow init shell_data_file:lnk_file read;
-neverallow init app_data_file:lnk_file read;
+neverallow init { app_data_file privapp_data_file }:lnk_file read;
 
 # init should never execute a program without changing to another domain.
 neverallow init { file_type fs_type }:file execute_no_trans;
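Review bot: The comment `# Never read/follow symlinks created by shell or untrusted apps.` above the changed rule no longer describes it, since the rule now names priv-app sandbox files explicitly. I would reword it to `# Never read/follow symlinks created by shell or apps (including priv-apps).` here and on the identical comment above the matching rule in public/vendor_init.te.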
diff --git a/public/installd.te b/public/installd.te
index 6aba962ddbf81e4b3c1bc75058d5634e9d8bc5a2..8d7301bcd152a89aa0091862101ab431bad1c1ca 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -103,6 +103,7 @@ allow installd {
     radio_data_file
     shell_data_file
     app_data_file
+    privapp_data_file
 }:dir { create_dir_perms relabelfrom relabelto };
 
 allow installd {
@@ -112,6 +113,7 @@ allow installd {
     radio_data_file
     shell_data_file
     app_data_file
+    privapp_data_file
 }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
 
 # Similar for the files under /data/misc/profiles/
diff --git a/public/kernel.te b/public/kernel.te
index cf913ba6859ccdc48319b3f2b3e5f35b41d4a454..af02c7e494b8b6768e28c3efbe09ca7285f5f97a 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -62,7 +62,7 @@ allow kernel mediaprovider:fd use;
 #  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
 #  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
 allow kernel vold:fd use;
-allow kernel app_data_file:file read;
+allow kernel { app_data_file privapp_data_file }:file read;
 allow kernel asec_image_file:file read;
 
 # Allow reading loop device in update_engine_unittests. (b/28319454)
diff --git a/public/logd.te b/public/logd.te
index 2ef257f38468e518f0b7e8edbdb05ef29974b116..b5112b0b442a20ac2da6f5cb508d1fc2367d660c 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -58,7 +58,7 @@ neverallow { domain userdebug_or_eng(`-crash_dump') } logd:process ptrace;
 neverallow logd system_file:dir_file_class_set write;
 
 # Write to files in /data/data or system files on /data
-neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
+neverallow logd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
 
 # Only init is allowed to enter the logd domain via exec()
 neverallow { domain -init } logd:process transition;
diff --git a/public/logpersist.te b/public/logpersist.te
index 7536cb84d853fd5abe88d8b65faee0ba18b5d942..c7cab80c83d3dea940b1ef654c4e517a8bbce78f 100644
--- a/public/logpersist.te
+++ b/public/logpersist.te
@@ -13,7 +13,7 @@ neverallow logpersist dev_type:blk_file { read write };
 neverallow logpersist domain:process ptrace;
 
 # Write to files in /data/data or system files on /data except misc_logd_file
-neverallow logpersist { app_data_file system_data_file }:dir_file_class_set write;
+neverallow logpersist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
 
 # Only init should be allowed to enter the logpersist domain via exec()
 # Following is a list of debug domains we know that transition to logpersist
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index b0554626fa9b7d76333e961f4983465d5d808e65..ec9c6345a478a93e33693526ef12a2f28d8afb7e 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -25,7 +25,7 @@ crash_dump_fallback(mediaextractor)
 # allow mediaextractor read permissions for file sources
 allow mediaextractor sdcardfs:file { getattr read };
 allow mediaextractor media_rw_data_file:file { getattr read };
-allow mediaextractor app_data_file:file { getattr read };
+allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
 
 # Read resources from open apk files passed over Binder
 allow mediaextractor apk_data_file:file { read getattr };
diff --git a/public/mediametrics.te b/public/mediametrics.te
index ada90cca3a1651949033e3d2d658d81712a8fb81..1c8f5b80b1548e4d2051f3bf8211fe1414193598 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -15,7 +15,7 @@ r_dir_file(mediametrics, cgroup)
 allow mediametrics proc_meminfo:file r_file_perms;
 
 # allows interactions with dumpsys to GMScore
-allow mediametrics app_data_file:file write;
+allow mediametrics { app_data_file privapp_data_file }:file write;
 
 # allow access to package manager for uid->apk mapping
 allow mediametrics package_native_service:service_manager find;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 9e00fbbf85cc13291f5dc2b17b282db265344721..b9b08dd1794dccf6d6fef63e9d06c51565ca71d6 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -28,10 +28,10 @@ binder_service(mediaserver)
 allow mediaserver media_data_file:dir create_dir_perms;
 allow mediaserver media_data_file:file create_file_perms;
 # TODO(b/80190017, b/80300620): remove direct access to private app data
-userdebug_or_eng(`auditallow mediaserver app_data_file:dir search;')
-allow mediaserver app_data_file:dir search;
-userdebug_or_eng(`auditallow mediaserver app_data_file:file open;')
-allow mediaserver app_data_file:file rw_file_perms;
+userdebug_or_eng(`auditallow mediaserver { app_data_file privapp_data_file }:dir search;')
+allow mediaserver { app_data_file privapp_data_file }:dir search;
+userdebug_or_eng(`auditallow mediaserver { app_data_file privapp_data_file }:file open;')
+allow mediaserver { app_data_file privapp_data_file }:file rw_file_perms;
 allow mediaserver sdcard_type:file write;
 allow mediaserver gpu_device:chr_file rw_file_perms;
 allow mediaserver video_device:dir r_dir_perms;
diff --git a/public/netd.te b/public/netd.te
index 7657eaf9d42c5ac6a3e305e67b9adb3006610639..1315398c0bd1ac677999ba8dfb680a417ca7c621 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -128,7 +128,7 @@ neverallow netd { domain }:process ptrace;
 neverallow netd system_file:dir_file_class_set write;
 
 # Write to files in /data/data or system files on /data
-neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
+neverallow netd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
 
 # only system_server and dumpstate may find netd service
 neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
diff --git a/public/perfprofd.te b/public/perfprofd.te
index f067af5d4a9b5da0c847ef04eadb4324f9b477e8..70becb202c514cccc976b0201d4cb56d5a9f7c09 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -21,8 +21,8 @@ userdebug_or_eng(`
   allow perfprofd system_file:file rx_file_perms;
 
   # perfprofd reads a config file from /data/data/com.google.android.gms/files
-  allow perfprofd app_data_file:file r_file_perms;
-  allow perfprofd app_data_file:dir search;
+  allow perfprofd { privapp_data_file app_data_file }:file r_file_perms;
+  allow perfprofd { privapp_data_file app_data_file }:dir search;
   allow perfprofd self:global_capability_class_set { dac_override };
 
   # perfprofd opens a file for writing in /data/misc/perfprofd
diff --git a/public/profman.te b/public/profman.te
index 4296d1b1724c70279091e4a394a88fae7ae9fe06..3f0348658f525b2a52ae880691ba1931b82ea393 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -19,11 +19,11 @@ allow profman installd:fd use;
 # Allow profman to analyze profiles for the secondary dex files. These
 # are application dex files reported back to the framework when using
 # BaseDexClassLoader.
-allow profman app_data_file:file { getattr read write lock };
-allow profman app_data_file:dir { getattr read search };
+allow profman { privapp_data_file app_data_file }:file { getattr read write lock };
+allow profman { privapp_data_file app_data_file }:dir { getattr read search };
 
 ###
 ### neverallow rules
 ###
 
-neverallow profman app_data_file:notdevfile_class_set open;
+neverallow profman { privapp_data_file app_data_file }:notdevfile_class_set open;
diff --git a/public/recovery_persist.te b/public/recovery_persist.te
index 091d3001a04eda7a2e46336783455aeeb405c8ba..67f852a15a40be0f917053ba7ebb75cec5bc63db 100644
--- a/public/recovery_persist.te
+++ b/public/recovery_persist.te
@@ -23,5 +23,5 @@ neverallow recovery_persist domain:process ptrace;
 neverallow recovery_persist system_file:dir_file_class_set write;
 
 # Write to files in /data/data
-neverallow recovery_persist { app_data_file system_data_file }:dir_file_class_set write;
+neverallow recovery_persist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
 
diff --git a/public/recovery_refresh.te b/public/recovery_refresh.te
index 602ed51d7cb5e75e90af276c7b5041f11a950c10..0c76afdc0f485d9faef915911cb46ccd7767fb83 100644
--- a/public/recovery_refresh.te
+++ b/public/recovery_refresh.te
@@ -21,4 +21,4 @@ neverallow recovery_refresh domain:process ptrace;
 neverallow recovery_refresh system_file:dir_file_class_set write;
 
 # Write to files in /data/data or system files on /data
-neverallow recovery_refresh { app_data_file system_data_file }:dir_file_class_set write;
+neverallow recovery_refresh { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 941303c4a74c49b9fc8ccafea36c957fdf277a5e..f55b3e818263f91bd5f27dca1c548b788e902916 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -216,7 +216,7 @@ neverallow { domain -init } vendor_init:process transition;
 neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
 
 # Never read/follow symlinks created by shell or untrusted apps.
-neverallow vendor_init app_data_file:lnk_file read;
+neverallow vendor_init { app_data_file privapp_data_file }:lnk_file read;
 neverallow vendor_init shell_data_file:lnk_file read;
 # Init should not be creating subdirectories in /data/local/tmp
 neverallow vendor_init shell_data_file:dir { write add_name remove_name };
diff --git a/public/vold.te b/public/vold.te
index 1aa616b3aa5b448f38fe3c6d069f7b3378645df3..5cf489c73db82023eeca5658a21ea6a8950de123 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -82,10 +82,10 @@ allow vold tmpfs:dir mounton;
 allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
 allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 # TODO(b/80418809): remove direct access to private app data
-userdebug_or_eng(`auditallow vold app_data_file:dir search;')
-allow vold app_data_file:dir search;
-userdebug_or_eng(`auditallow vold app_data_file:file rw_file_perms;')
-allow vold app_data_file:file rw_file_perms;
+userdebug_or_eng(`auditallow vold { app_data_file privapp_data_file }:dir search;')
+allow vold { app_data_file privapp_data_file }:dir search;
+userdebug_or_eng(`auditallow vold { app_data_file privapp_data_file }:file rw_file_perms;')
+allow vold { app_data_file privapp_data_file }:file rw_file_perms;
 allow vold loop_control_device:chr_file rw_file_perms;
 allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
 allow vold vold_device:blk_file { create setattr unlink rw_file_perms };