diff --git a/public/domain.te b/public/domain.te
index 6b00e126470432510afc660d8e1db2f64d11e03f..c6fc9f831682c656d51b2fdc0c5c259e804bcbdf 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1406,3 +1406,22 @@ neverallow {
   domain
   -coredomain
 } mnt_product_file:dir *;
+
+# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL and healthd
+full_treble_only(`
+  neverallow {
+    coredomain
+    -healthd
+    -shell
+    # Generate uevents for health info
+    -ueventd
+    # Recovery uses health HAL passthrough implementation.
+    -recovery
+    # Charger uses health HAL passthrough implementation.
+    -charger
+    # TODO(b/110891300): remove this exception
+    -incidentd
+    # TODO(b/110890430): remove this exception
+    -perfprofd
+  } sysfs_batteryinfo:file { open read };
+')
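Review bot: The new neverallow constrains only `sysfs_batteryinfo:file { open read }`, while the comment above it says the platform "must not have access". Write-type permissions, `getattr`, and the `dir` and `lnk_file` classes on that type stay unconstrained for coredomain. If only direct reads are meant to be blocked, say so in the comment, e.g. `# Platform must not read sysfs_batteryinfo directly; it should go through the health HAL and healthd`; otherwise consider widening the class and permission set. Separately, `-shell` is exempted without any justification, unlike the `ueventd`, `recovery`, `charger`, `incidentd` and `perfprofd` entries; a one-line comment above it stating why shell needs direct access would make the exception auditable later.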
diff --git a/public/vold.te b/public/vold.te
index 06deefce37d9592f889311b03f87292b06072120..481f48c92ab049e633725e0712466e0f7e045564 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -13,7 +13,7 @@ userdebug_or_eng(`
   auditallow vold proc_net_type:{ dir file lnk_file } { getattr open read };
 ')
 
-r_dir_file(vold, sysfs_type)
+r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
 allow vold sysfs_dm:file w_file_perms;
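Review bot: The `-sysfs_batteryinfo` subtraction on the `r_dir_file(vold, ...)` line has no comment tying it to the coredomain neverallow added in public/domain.te, so a later cleanup could drop it without knowing why it exists. I would add a line above it such as `# Exclude sysfs_batteryinfo: coredomain must use the health HAL (see neverallow in domain.te)`. Because this narrows an existing allow, any battery node that vold still reads directly would presumably surface only as a runtime avc denial rather than a build error. It is worth checking the audit log on a device for `sysfs_batteryinfo` denials from vold before relying on this.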