diff --git a/public/attributes b/public/attributes
index 2d5db7f15898a80f61a715b4874715ce727e7073..adad87ff63177e2d556933c347970eba9b44ad28 100644
--- a/public/attributes
+++ b/public/attributes
@@ -141,6 +141,11 @@ attribute binder_in_vendor_violators;
 # TODO(b/36577153): Remove this once there are no violations
 attribute socket_between_core_and_vendor_violators;
 
+# All vendor domains which violate the requirement of not executing
+# system processes
+# TODO(b/36463595)
+attribute vendor_executes_system_violators;
+
 # All HAL servers
 attribute halserverdomain;
 # All HAL clients
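Review bot: The TODO on the new `vendor_executes_system_violators` attribute names a bug but no action, unlike the TODO on the neighbouring `socket_between_core_and_vendor_violators` attribute, so the declaration does not say that the exemption is meant to be temporary. I would write it as `# TODO(b/36463595): Remove this once there are no violations`. Nothing in this hunk limits which domains may carry the attribute, so every assignment of it acts as a waiver of the neverallow in domain.te and deserves its own justification in review.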
diff --git a/public/domain.te b/public/domain.te
index dfccfdd9cbb99a88254496ec15715afbe23cefed..e75ce1a4bf8635f0b15db00f062c32519ac722e9 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -680,20 +680,18 @@ full_treble_only(`
 
     # Do not allow vendor components to execute files from system
     # except for the ones whitelist here.
-    # TODO:(b/36463595) Make this a neverallow
-    userdebug_or_eng(`
-        auditallow {
-            domain
-            -coredomain
-            -appdomain
-            -rild
-        } {
-            exec_type
-            -vendor_file_type
-            -crash_dump_exec
-            -netutils_wrapper_exec
-        }:file { entrypoint execute execute_no_trans };
-    ')
+    neverallow {
+        domain
+        -coredomain
+        -appdomain
+        -rild
+        -vendor_executes_system_violators
+    } {
+        exec_type
+        -vendor_file_type
+        -crash_dump_exec
+        -netutils_wrapper_exec
+    }:file { entrypoint execute execute_no_trans };
 ')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
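Review bot: Domains tagged `vendor_executes_system_violators` are subtracted from the new neverallow, and the userdebug/eng auditallow is removed in the same change, so their execution of system files is now neither checked at build time nor audited at run time. If tracking the remaining violators is still wanted, a narrowed rule kept inside userdebug_or_eng would preserve that visibility: `auditallow vendor_executes_system_violators { exec_type -vendor_file_type -crash_dump_exec -netutils_wrapper_exec }:file { entrypoint execute execute_no_trans };`. The comment above the rule also loses its bug reference; `# TODO(b/36463595): drop -vendor_executes_system_violators once no domain needs it` would mark the exemption as temporary at the point of use. The enclosing full_treble_only block starts outside the hunk.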