diff --git a/private/app.te b/private/app.te
index 81de403aa049522f126fb7138e67583d1e163d70..73d77299591ec35fab15f6b449ca631f25b2ff6c 100644
--- a/private/app.te
+++ b/private/app.te
@@ -94,6 +94,13 @@ allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_p
 allow appdomain system_file:dir r_dir_perms;
 allow appdomain system_file:lnk_file { getattr open read };
+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
+
+# Allow apps access to /vendor/overlay
+r_dir_file(appdomain, vendor_overlay_file)
+
 # Execute dex2oat when apps call dexclassloader
 allow appdomain dex2oat_exec:file rx_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index 430234313c684d99e635f72cf2c7fb576a083196..90e8b10ed0b059de59bfcde227c8f2a8d8c8e9bb 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -297,6 +297,9 @@ allow system_server apk_tmp_file:file create_file_perms;
 # Access /vendor/app
 r_dir_file(system_server, vendor_app_file)
+# Access /vendor/app
+r_dir_file(system_server, vendor_overlay_file)
+
 # Manage /data/app-private.
 allow system_server apk_private_data_file:dir create_dir_perms;
 allow system_server apk_private_data_file:file create_file_perms;
diff --git a/private/zygote.te b/private/zygote.te
index 15fd951952756e30159a4c76f0f329339ba39751..52250f8f85587aa572c8bb6127859b405111ac92 100644
--- a/private/zygote.te
+++ b/private/zygote.te
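Review bot: The comment above `r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)` says privileged apps are excluded, but the set actually subtracts ephemeral_app and untrusted_v2_app, and nothing in this diff removes priv_app from appdomain, so privileged apps do get the access. Either the exclusion list or the comment is wrong; if the rule is what was intended, reword it to `# Allow apps access to /vendor/app, except ephemeral and untrusted_v2 apps.` and state the reason those two are excluded. Note that r_dir_file also grants lnk_file read, which is what replaces the symlink rule removed from public/domain.te in this commit, so the comment could mention that the com.android.phone symlink case is now covered here.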
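Review bot: The comment added above `r_dir_file(system_server, vendor_overlay_file)` reads `# Access /vendor/app`, duplicating the line directly above it, so the two rules are indistinguishable when grepping the policy. It should read `# Access /vendor/overlay`.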
@@ -51,6 +51,10 @@ allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
 allow zygote idmap_exec:file rx_file_perms;
 allow zygote dex2oat_exec:file rx_file_perms;
+# /vendor/overlay existence is checked before
+# passing it on as an argument to idmap in AssetManager
+allow zygote vendor_overlay_file:dir { getattr open read search };
+
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
 allow zygote cgroup:{ file lnk_file } r_file_perms;
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 1d794e2212eb843bb7a34f048557dfe19a8ab166..2fb233649ac0168539cb15b6cd4a8a315c8ba725 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -3,6 +3,11 @@ type dex2oat, domain, domain_deprecated;
 type dex2oat_exec, exec_type, file_type;
 r_dir_file(dex2oat, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dex2oat, vendor_app_file)
+# Access /vendor/framework
+allow dex2oat vendor_framework_file:dir { getattr search };
+allow dex2oat vendor_framework_file:file { getattr open read };
 allow dex2oat tmpfs:file { read getattr };
diff --git a/public/domain.te b/public/domain.te
index 4fc3bc03c73aaa7c0e83e5e64f25c21b1455f951..f16d2771e0498c50202d0bc48edc38f271898e31 100644
--- a/public/domain.te
+++ b/public/domain.te
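Review bot: The /vendor/framework rules grant `vendor_framework_file:dir { getattr search }`, i.e. path lookup with no `read` on the directory, while the `r_dir_file(dex2oat, vendor_app_file)` line just above grants full directory read on /vendor/app; the asymmetry looks deliberate (dex2oat presumably opens framework jars by a path its caller passes) but nothing says so. Suggest `# Access /vendor/framework (lookup and read by path only; no directory listing needed)` in place of the bare `# Access /vendor/framework`. The two new comments also differ in form (`# Access to /vendor/app` vs `# Access /vendor/framework`); `# Access /vendor/app` matches the wording used in private/system_server.te.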
@@ -123,34 +123,11 @@ allow domain same_process_hal_file:file { execute read open getattr };
 allow domain vendor_configs_file:dir r_dir_perms;
 allow domain vendor_configs_file:file { read open getattr };
-# TODO: (b/36681074) - Remove after this is resolved
-# TODO: (b/36680116, b/36656392, b/36681210) All need directory
-# lookup to find / open their libraries
 full_treble_only(`
- # Everyone needs to lookup libraries in /vendor/lib(64)
- # through linker/loader.
+ # This is required "most likely" for LD_LIBRARY_PATH
+ # (b/36681074)
 allow domain vendor_file:dir { getattr search };
- # TODO: b/36681210, find out who needs access and only allow
- # specific domains for Treble
- allow domain vendor_app_file:dir r_dir_perms;
- allow domain vendor_app_file:file { read open getattr };
-
- # Some apps (com.android.phone) need to be able to open
- # symlinked libraries
- # TODO: b/36806861
- allow domain vendor_app_file:lnk_file { open read };
-
- # TODO: b/36656392, find out who needs access and only allow
- # specific domains.
- allow domain vendor_overlay_file:dir r_dir_perms;
- allow domain vendor_overlay_file:file { read open getattr };
-
- # TODO: b/36680116, find out who neeeds access and only allow
- # specific domains
- allow domain vendor_framework_file:dir r_dir_perms;
- allow domain vendor_framework_file:file { read open getattr };
-
 # Allow reading and executing out of /vendor to all vendor domains
 allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
 allow { domain -coredomain } vendor_file_type:file { read open getattr execute };
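Review bot: The replacement comment for `allow domain vendor_file:dir { getattr search };`, `# This is required "most likely" for LD_LIBRARY_PATH (b/36681074)`, is vaguer than the two comments it replaces and drops the `Remove after this is resolved` TODO while keeping the bug number, so nothing now flags this blanket, all-domain rule for revisiting. Suggest `# TODO(b/36681074): every domain needs dir lookup in /vendor so the linker/loader can resolve libraries under /vendor/lib(64); narrow to specific domains once resolved.` The per-type TODOs for b/36680116, b/36656392 and b/36681210 are deleted here as well; the vendor_app_file and vendor_overlay_file ones are answered by the neverallows added later in this file, but b/36680116 (vendor_framework_file) appears to be resolved only by the dex2oat allow, so keeping that reference next to the remaining rule would help the next reader.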
@@ -689,6 +666,50 @@ full_treble_only(`
 }:sock_file ~{ append getattr ioctl read write };
 ')
+# On TREBLE devices, a limited set of files in /vendor are accessible to
+# only a few whitelisted coredomains to keep system/vendor separation.
+full_treble_only(`
+ # Limit access to /vendor/app
+ neverallow {
+ coredomain
+ -appdomain
+ -dex2oat
+ -idmap
+ -init
+ -installd
+ -system_server
+ } vendor_app_file:dir { open read getattr search };
+
+ neverallow {
+ coredomain
+ -appdomain
+ -dex2oat
+ -idmap
+ -init
+ -installd
+ -system_server
+ } vendor_app_file:{ file lnk_file } r_file_perms;
+
+ # Limit access to /vendor/overlay
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -system_server
+ -zygote
+ } vendor_overlay_file:dir { getattr open read search };
+
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -system_server
+ -zygote
+ } vendor_overlay_file:{ file lnk_file } r_file_perms;
+')
+
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {
 domain
@@ -908,6 +929,7 @@ neverallow {
 userdebug_or_eng(`-uncrypt')
 } shell_data_file:file open;
+
 # servicemanager is the only process which handles list request
 neverallow * ~servicemanager:service_manager list;
diff --git a/public/idmap.te b/public/idmap.te
index 61f1e1cc172bc2c5a77a8e54956a7025f5d752b4..1c32f8fd54ce8721c21dc09f539865368aa47275 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -9,3 +9,9 @@ allow idmap resourcecache_data_file:file { getattr read write };
 # Open and read from target and overlay apk files passed by argument.
 allow idmap apk_data_file:file r_file_perms;
 allow idmap apk_data_file:dir search;
+
+# Allow apps access to /vendor/app
+r_dir_file(idmap, vendor_app_file)
+
+# Allow apps access to /vendor/overlay
+r_dir_file(idmap, vendor_overlay_file)
diff --git a/public/installd.te b/public/installd.te
index a85edff9f0fb08099db00bd35b78b83480aca3b3..774ba49e1c0e881de42802a8d7cfe1eb1651d89b 100644
--- a/public/installd.te
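Review bot: The vendor_app_file neverallows exempt all of `-appdomain`, but the matching allow in private/app.te is granted to `{ appdomain -ephemeral_app -untrusted_v2_app }`, so ephemeral_app or untrusted_v2_app could later be given /vendor/app access without tripping this check; either the exemption should mirror the allow's set, or a comment should record that those two domains are excluded only by convention. The same applies to zygote on vendor_overlay_file, which is exempted for `{ file lnk_file } r_file_perms` although private/zygote.te only grants it the dir rule. The earlier hunk removes the blanket `allow domain vendor_framework_file` rules and only dex2oat is re-granted access, yet no neverallow pins that whitelist the way vendor_app_file and vendor_overlay_file are pinned here (unless one already exists outside this diff); a mirrored pair inside the same full_treble_only block, with `-dex2oat` as the initial exemption, would make the build report any further coredomain that gains /vendor/framework access instead of letting it slip in silently.
```selinux
  # … unchanged: /vendor/app and /vendor/overlay neverallows above …

  # Limit access to /vendor/framework
  # TODO: extend the exemption list only with coredomains the build shows need it
  neverallow {
    coredomain
    -dex2oat
  } vendor_framework_file:dir { getattr open read search };

  neverallow {
    coredomain
    -dex2oat
  } vendor_framework_file:{ file lnk_file } r_file_perms;
```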
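Review bot: The two comments added to idmap.te, `# Allow apps access to /vendor/app` and `# Allow apps access to /vendor/overlay`, were copied from private/app.te and describe apps, not idmap. Per the context line above them (`Open and read from target and overlay apk files passed by argument.`) and the zygote.te hunk, idmap is apparently handed paths under these directories as arguments; suggest `# Read target and overlay apks under /vendor/app` and `# Read overlay apks under /vendor/overlay (path passed as argument by AssetManager)`.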
+++ b/public/installd.te
@@ -27,6 +27,8 @@ selinux_check_context(installd)
 r_dir_file(installd, rootfs)
 # Scan through APKs in /system/app and /system/priv-app
 r_dir_file(installd, system_file)
+# Scan through APKs in /vendor/app
+r_dir_file(installd, vendor_app_file)
 # Get file context
 allow installd file_contexts_file:file r_file_perms;
 # Get seapp_context