diff --git a/domain.te b/domain.te
index 549a0b96370c1bb2778d008ffd7bce732405ed46..46e0ad2e4a8e0e18848d043c8095bd2037217540 100644
--- a/domain.te
+++ b/domain.te
@@ -419,6 +419,14 @@ neverallow {
 # to installd
 neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
 
+# respect system_app sandboxes
+neverallow {
+  domain
+  -system_app # its own sandbox
+  -system_server #populate com.android.providers.settings/databases/settings.db.
+  -installd # creation of app sandbox
+} system_app_data_file:dir_file_class_set { create unlink };
+
 #
 # Only these domains should transition to shell domain. This domain is
 # permissible for the "shell user". If you need a process to exec a shell
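Review bot: The new neverallow does not cover directory removal inside a system_app sandbox: for the `dir` class the kernel checks `rmdir`, not `unlink`, so a domain outside the exemption list could still delete directories under `system_app_data_file` without tripping this assertion. Since `rmdir` is not defined for the file classes in `dir_file_class_set`, it needs its own statement, e.g. `neverallow { domain -system_app -system_server -installd } system_app_data_file:dir rmdir;`. The header comment `# respect system_app sandboxes` also reads broader than the rule, which only constrains create/unlink and leaves write, setattr, rename and relabel of existing sandbox objects to other rules; something like `# Only system_app, and the domains that set up or seed its sandbox, may create or remove objects in it.` would match what is enforced. Minor style: the `#populate` comment on the system_server exemption lacks the space after `#` that the neighbouring comments use.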