diff --git a/private/app.te b/private/app.te
index c0fdff2aa676c5f8635fdd4ed190c694e62d2353..2ee3bee915f52215ec054c0dc351394624f69b11 100644
--- a/private/app.te
+++ b/private/app.te
@@ -87,8 +87,9 @@ allow appdomain oemfs:file rx_file_perms;
 
 # Execute the shell or other system executables.
 allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
 allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
 
 # Renderscript needs the ability to read directories on /system
 allow appdomain system_file:dir r_dir_perms;
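Review bot: The added `vendor_file` execute rule has no comment of its own, and the block's existing comment ("Execute the shell or other system executables") does not cover it. On non-Treble builds it lets every app domain except ephemeral_app and untrusted_v2_app execute anything carrying the generic `vendor_file` label, which is presumably most of /vendor. Record the reason and intended lifetime above the rule, for example `# Non-Treble devices only: apps may still need to run vendor_file-labelled executables; remove once those have dedicated exec types.` The same undocumented `not_full_treble` grant is added in dhcp.te, netd.te, ppp.te, racoon.te and vold.te, where one comment per file would do.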
diff --git a/public/dhcp.te b/public/dhcp.te
index c18b08d68ff0332c0568a90ddd947a11681f7e86..22351edccf36024f4ccf65731d00a1eb690878b7 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -9,6 +9,7 @@ allow dhcp self:packet_socket create_socket_perms_no_ioctl;
 allow dhcp self:netlink_route_socket nlmsg_write;
 allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
+not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
 
 # dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
 allow dhcp toolbox_exec:file rx_file_perms;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index bfbb43bcaf879b206eb9884fcd57cf983454a8cd..3322e14680372b06ec30c15d2973289ae422466a 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -26,6 +26,7 @@ allow dumpstate self:capability {
 #   /system/bin/logcat
 #   /system/bin/dumpsys
 allow dumpstate system_file:file execute_no_trans;
+not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
 allow dumpstate toolbox_exec:file rx_file_perms;
 
 # Create and write into /data/anr/
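Review bot: The comment above this rule still lists only /system/bin binaries, but the added line extends `execute_no_trans` to `vendor_file`. On non-Treble builds any file with that label can then run inside the dumpstate domain with dumpstate's own permissions, and the hunk header shows that this domain holds capabilities. If specific vendor tools are the reason, name them in the list, e.g. `#   /vendor/bin/<tool>  (non-Treble devices only)`, and consider a dedicated exec type for them so the grant does not cover the whole label. The comment block starts above the hunk.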
diff --git a/public/install_recovery.te b/public/install_recovery.te
index 06794ee1ec679e2c981f5930bed7ddabf542e14e..9a2a9ee0521729b87028394b82268d2ab1e139f8 100644
--- a/public/install_recovery.te
+++ b/public/install_recovery.te
@@ -10,6 +10,7 @@ allow install_recovery shell_exec:file rx_file_perms;
 
 # Execute /system/bin/applypatch
 allow install_recovery system_file:file rx_file_perms;
+not_full_treble(allow install_recovery vendor_file:file rx_file_perms;')
 
 allow install_recovery toolbox_exec:file rx_file_perms;
 
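Review bot: The added `not_full_treble(` line is missing the opening backquote before `allow`, so the m4 argument is unquoted and the closing `'` is left as a literal character. Every other file in this commit uses the quoted form. As written, this will most likely either fail policy compilation or expand differently from the sibling rules. It should read ``not_full_treble(`allow install_recovery vendor_file:file rx_file_perms;')``.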
diff --git a/public/netd.te b/public/netd.te
index 3a48cd389e26dec11f792f36fb4f7ce3964a2b27..1694aecdf8046b6b3349e421ff61e9ed142337e9 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -27,6 +27,7 @@ allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 allow netd shell_exec:file rx_file_perms;
 allow netd system_file:file x_file_perms;
+not_full_treble(`allow netd vendor_file:file x_file_perms;')
 allow netd devpts:chr_file rw_file_perms;
 
 # Acquire advisory lock on /system/etc/xtables.lock
diff --git a/public/ppp.te b/public/ppp.te
index 7a5eada59b382c2caab6a361fd78709cdc04c598..918ef5e7f914333441ee3ba630965f20e4207f9d 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -17,6 +17,7 @@ allow ppp mtp:unix_dgram_socket rw_socket_perms;
 allow ppp ppp_device:chr_file rw_file_perms;
 allow ppp self:capability net_admin;
 allow ppp system_file:file rx_file_perms;
+not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
 allow ppp vpn_data_file:dir w_dir_perms;
 allow ppp vpn_data_file:file create_file_perms;
 allow ppp mtp:fd use;
diff --git a/public/racoon.te b/public/racoon.te
index d5d5a4ef1521acfbbe9062cb418a0b398b9e4eac..00744d8f10a0de919c1ffe1838ec5c72d68a6b89 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -19,6 +19,7 @@ allow racoon self:capability { net_admin net_bind_service net_raw };
 
 # XXX: should we give ip-up-vpn its own label (currently racoon domain)
 allow racoon system_file:file rx_file_perms;
+not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
 allow racoon vpn_data_file:file create_file_perms;
 allow racoon vpn_data_file:dir w_dir_perms;
 
diff --git a/public/vold.te b/public/vold.te
index 89e2c2471bc8da3ad1e0c69aa4d219877052c5df..20181d113a87215ebde8ec1e4bb88c9e4b913078 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -31,6 +31,7 @@ allow vold shell_exec:file rx_file_perms;
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
 allow vold system_file:file x_file_perms;
+not_full_treble(`allow vold vendor_file:file x_file_perms;')
 allow vold block_device:dir create_dir_perms;
 allow vold device:dir write;
 allow vold devpts:chr_file rw_file_perms;