diff --git a/public/attributes b/public/attributes
index d9d123fd0843c98a57f6a7d32fede35c0aaf949a..8231551347648939ba39d5e3d3cfa57239b3e77d 100644
--- a/public/attributes
+++ b/public/attributes
@@ -45,6 +45,10 @@ attribute core_data_file_type;
 # data outside /data/vendor.
 # TODO(b/34980020): Remove this once there are no violations
 attribute coredata_in_vendor_violators;
+# All core domains which violate the requirement of not accessing vendor
+# owned data.
+# TODO(b/34980020): Remove this once there are no violations
+attribute vendordata_in_core_violators;
 
 # All types use for sysfs files.
 attribute sysfs_type;
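Review bot: The comment on `vendordata_in_core_violators` does not say that the attribute is an exemption list or which rules it relaxes. Every domain given it is carved out of the vendor-data neverallows this commit adds to domain.te. A line such as `# Domains with this attribute are exempt from the full_treble_only vendor-data neverallows in domain.te; do not add new users.` would make that explicit for anyone auditing the policy.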
diff --git a/public/dhcp.te b/public/dhcp.te
index 6b9fb4ad11fd47d19b304d4c85613e9609bba558..c18b08d68ff0332c0568a90ddd947a11681f7e86 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -1,6 +1,5 @@
 type dhcp, domain, domain_deprecated;
 type dhcp_exec, exec_type, file_type;
-type dhcp_data_file, file_type, data_file_type;
 
 net_domain(dhcp)
 
diff --git a/public/domain.te b/public/domain.te
index bd5cb895cdd8e83206fbd98dfaf71c4ff638061b..5c8280f042c5582d93c9f16703edd8aef079ec70 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -509,6 +509,25 @@ full_treble_only(`
     -appdomain
     -coredata_in_vendor_violators
   } system_data_file:dir ~search;
+  # do not allow coredomains to directly access vendor data. Exempt init
+  # because it is responsible for dir/file creation in init.rc scripts.
+  # Also exempt halclientdomain to exclude rules for passthrough mode.
+  neverallow {
+    coredomain
+    -halclientdomain
+    -init
+    -vendordata_in_core_violators
+  } {
+    data_file_type
+    -core_data_file_type
+  }:file_class_set ~{ append getattr ioctl read write };
+  # do not allow coredomain to access vendor data directories.
+  neverallow {
+    coredomain
+    -halclientdomain
+    -init
+    -vendordata_in_core_violators
+    } { data_file_type -core_data_file_type }:dir *;
 ')
 
 # On full TREBLE devices, socket communications between core components and vendor components are
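Review bot: The first added neverallow denies less than its comment says: the complement `~{ append getattr ioctl read write }` leaves those five permissions unconstrained, so a coredomain may still use a vendor data file it received as an already-open descriptor, and only path-based access such as open and create is ruled out. If that is the intent, the comment should say so, e.g. `# Core domains may not open or create vendor data files; use of an fd passed by the owner (append getattr ioctl read write) stays allowed.` The `-halclientdomain` exemption in both rules is wide, since it drops every core domain that is a client of any HAL, so it deserves a TODO with a tracking bug like the one on the violators attribute. The closing `}` of the second rule's source set is indented four spaces where the first rule uses two. The enclosing `full_treble_only(` block starts outside the hunk.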
diff --git a/public/file.te b/public/file.te
index d7a82bc6cdaddf6bbbe51b4c2bae8a21a93d9af7..32de73514671cfa897f89066e4724e2114b2c911 100644
--- a/public/file.te
+++ b/public/file.te
@@ -135,6 +135,8 @@ type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedob
 type preloads_data_file, file_type, data_file_type, core_data_file_type;
 # /data/preloads/media
 type preloads_media_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/dhcp and /data/misc/dhcp-6.8.2
+type dhcp_data_file, file_type, data_file_type, core_data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
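Review bot: Tagging `dhcp_data_file` as `core_data_file_type` is what takes /data/misc/dhcp out of the target set of the new vendor-data neverallows in domain.te, and the added comment gives only the paths, not the reason the data counts as core-owned. Something like `# /data/misc/dhcp and /data/misc/dhcp-6.8.2 (core data: written only by the platform dhcp domain)` would record that, if that is the case. The same tag presumably puts the type under the existing rules that keep vendor domains out of core data, so any vendor-side reader would need checking; the file_contexts entries are not part of this hunk.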