diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index d99c58f5553922ae7c7e8f28b9c4d18059ccf614..ae36f1c706be5f48d6ba680a36c63f39c06746d7 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -82,6 +82,7 @@
     mediaextractor_update_service
     mediaprovider_tmpfs
     metadata_file
+    mnt_product_file
     mnt_vendor_file
     netd_stable_secret_prop
     network_watchlist_data_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 9b82f35f3927527b12f4939ec37451f212ca36f5..4530df498088c36def3031cb839a2ed44411fb07 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -68,6 +68,7 @@
     lowpan_service
     mediaextractor_update_service
     metadata_file
+    mnt_product_file
     mnt_vendor_file
     network_watchlist_data_file
     network_watchlist_service
diff --git a/private/file_contexts b/private/file_contexts
index bec6b14056cfc21aab5e08826550f5bf18125246..9f3d8174bb85d98ebdba13e438a1ecf1d24d6dbb 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -541,4 +541,8 @@
 
 #############################
 # mount point for read-write vendor partitions
-/mnt/vendor(/.*)?          u:object_r:mnt_vendor_file:s0
+/mnt/vendor(/.*)?           u:object_r:mnt_vendor_file:s0
+
+#############################
+# mount point for read-write product partitions
+/mnt/product(/.*)?          u:object_r:mnt_product_file:s0
diff --git a/public/domain.te b/public/domain.te
index 3d35fabf0f760d35acc98293956a42cc9dd6ff4e..6b00e126470432510afc660d8e1db2f64d11e03f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1400,3 +1400,9 @@ full_treble_only(`
     -appdomain
   } vendor_public_lib_file:file { execute execute_no_trans };
 ')
+
+# Vendor domian must not have access to /mnt/product.
+neverallow {
+  domain
+  -coredomain
+} mnt_product_file:dir *;
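Review bot: The new neverallow names only class `dir`, but the file_contexts entry added in this commit labels everything matching `/mnt/product(/.*)?` as `mnt_product_file`, so a later allow rule that gives a non-core domain `file` or `lnk_file` access to that type would still pass the build-time check. If the intent is the one in the comment, the last line could read `} mnt_product_file:dir_file_class_set *;`. If the dir-only scope is deliberate (for example because mounted content is expected to carry its own labels), say so in the comment. The comment also has a typo, `domian` for `domain`. The rule sits after the `')` that closes `full_treble_only`, so it appears to apply on non-Treble builds as well, which is worth stating if intended.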
diff --git a/public/file.te b/public/file.te
index 68ce321707aeeff74eef8dbc2488928d8cfa600a..2f14b5b128aa5d4330f368dbb6ae34fddcdb5c08 100644
--- a/public/file.te
+++ b/public/file.te
@@ -237,6 +237,9 @@ type storage_stub_file, file_type;
 # Mount location for read-write vendor partitions.
 type mnt_vendor_file, file_type;
 
+# Mount location for read-write product partitions.
+type mnt_product_file, file_type;
+
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 81124743e1bb39ccc05abcc1c43ae391db34d303..9b537c10f977e0a0702d6b8f4edf6fb7716c4868 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -42,6 +42,7 @@ allow vendor_init {
   -core_data_file_type
   -exec_type
   -system_file
+  -mnt_product_file
   -unlabeled
   -vendor_file_type
   -vold_metadata_file
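Review bot: Only two of vendor_init's `file_type`-based allow sets gain `-mnt_product_file` (this hunk and the one at -82), and neither hunk shows which object classes those rules cover. The hunk headers put the two blocks about 40 lines apart, so there may be sibling allow blocks between them, possibly for other classes such as `file` or `lnk_file`, that still include the new type. Please confirm every `file_type` set in this file excludes it, since the neverallow added in domain.te covers class `dir` only and would not flag a miss. As a style point, the exclusion is placed after `-system_file` here but before it in the second hunk; keeping both alphabetical (`-exec_type`, `-mnt_product_file`, `-system_file`) makes the lists easier to audit.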
@@ -82,6 +83,7 @@ allow vendor_init {
   file_type
   -core_data_file_type
   -exec_type
+  -mnt_product_file
   -system_file
   -vendor_file_type
   -vold_metadata_file