diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index f9ec790fc973e93ee593376e6f9c9f65cddd1403..b7b6df609e89597c2251d0d9bfc86e7a9221f82c 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -79,6 +79,7 @@
 mediaextractor_update_service
 mediaprovider_tmpfs
 metadata_file
+ mnt_product_file
 mnt_vendor_file
 netd_stable_secret_prop
 network_watchlist_data_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 9b82f35f3927527b12f4939ec37451f212ca36f5..4530df498088c36def3031cb839a2ed44411fb07 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -68,6 +68,7 @@
 lowpan_service
 mediaextractor_update_service
 metadata_file
+ mnt_product_file
 mnt_vendor_file
 network_watchlist_data_file
 network_watchlist_service
diff --git a/private/file_contexts b/private/file_contexts
index 4bbf1baae68b32d0f3736fe267730b3d7d919748..804c06fe5bffc1c8a9299c3d2638180c42aa74ae 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -545,4 +545,8 @@
 
 #############################
 # mount point for read-write vendor partitions
-/mnt/vendor(/.*)? u:object_r:mnt_vendor_file:s0
+/mnt/vendor(/.*)? u:object_r:mnt_vendor_file:s0
+
+#############################
+# mount point for read-write product partitions
+/mnt/product(/.*)? u:object_r:mnt_product_file:s0
diff --git a/public/domain.te b/public/domain.te
index 3d35fabf0f760d35acc98293956a42cc9dd6ff4e..6b00e126470432510afc660d8e1db2f64d11e03f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1400,3 +1400,9 @@ full_treble_only(`
 -appdomain
 } vendor_public_lib_file:file { execute execute_no_trans };
 ')
+
+# Vendor domian must not have access to /mnt/product.
+neverallow {
+ domain
+ -coredomain
+} mnt_product_file:dir *;
diff --git a/public/file.te b/public/file.te
index 8092fe4ec7c38dfe1db604f644b9fa7fd2bf7918..6cbc64704141a6a0ae5ea60e55c07755d0a70aba 100644
--- a/public/file.te
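Review bot: The new neverallow in domain.te covers only the `dir` class on `mnt_product_file`, while the file_contexts change labels every path under `/mnt/product(/.*)?` with that type, so file objects carrying the label are not protected by this rule and a non-coredomain domain could still use one handed to it (for example a descriptor received from another process). If the comment's intent is "no access at all", the rule should name the other classes too, e.g. `} mnt_product_file:{ dir file lnk_file } *;`, which may in turn require the same `-mnt_product_file` exclusion in vendor allow rules on those classes elsewhere in the policy. The comment also has a typo; suggest `# Vendor domain must not have access to /mnt/product.`. Note that the rule is placed after the closing `')` of the `full_treble_only` block, so it applies on all devices rather than only Treble ones — worth saying in the comment if that is intended.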
+++ b/public/file.te
@@ -237,6 +237,9 @@ type storage_stub_file, file_type;
 # Mount location for read-write vendor partitions.
 type mnt_vendor_file, file_type;
 
+# Mount location for read-write product partitions.
+type mnt_product_file, file_type;
+
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 81124743e1bb39ccc05abcc1c43ae391db34d303..9b537c10f977e0a0702d6b8f4edf6fb7716c4868 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -42,6 +42,7 @@ allow vendor_init {
 -core_data_file_type
 -exec_type
 -system_file
+ -mnt_product_file
 -unlabeled
 -vendor_file_type
 -vold_metadata_file
@@ -82,6 +83,7 @@ allow vendor_init {
 file_type
 -core_data_file_type
 -exec_type
+ -mnt_product_file
 -system_file
 -vendor_file_type
 -vold_metadata_file
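Review bot: The comment on the new `type mnt_product_file, file_type;` describes only the mount location, and unlike `mnt_vendor_file` directly above it this type is reserved to coredomain by a neverallow added in domain.te in the same commit; a reader of file.te gets no hint of that difference. Suggest extending the comment to `# Mount location for read-write product partitions. Only coredomain may access it (neverallow in domain.te).` so the two adjacent declarations are not mistaken for equivalents.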
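Review bot: The placement of `-mnt_product_file` is inconsistent between the two vendor_init.te hunks: in the first (the block starting at line 42) it is inserted after `-system_file`, breaking the otherwise alphabetical order of the exclusion list, while in the second (line 82) it sits alphabetically before `-system_file`; moving the first to read `-exec_type` / `-mnt_product_file` / `-system_file` keeps both lists in the same order. Both `allow vendor_init {` statements begin and end outside the hunks, so the classes they grant are not visible here; if other `allow vendor_init { file_type ... }` rules in this file grant `dir` permissions they would need the same exclusion for the new `dir`-only neverallow to compile, while rules on other classes are unaffected by it. A one-line comment on the exclusion, e.g. `# /mnt/product is coredomain-only (see domain.te)`, would explain why vendor_init is carved out.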