diff --git a/private/coredomain.te b/private/coredomain.te
new file mode 100644
index 0000000000000000000000000000000000000000..0ca4913653444f7384e5c8fdee85c1302e555258
--- /dev/null
+++ b/private/coredomain.te
@@ -0,0 +1 @@
+get_prop(coredomain, pm_prop)
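Review bot: The single rule in this new file grants read access on pm_prop to every type carrying the coredomain attribute, and nothing in the file says why that breadth is needed. In AOSP policy coredomain usually covers app domains as well as platform daemons. Membership is not visible in this diff, so confirm that package-manager properties are meant to be readable by all of them rather than by a named set of readers. If the breadth is intended, record it above the rule, e.g. `# pm_prop is readable by all core domains; writers are restricted by neverallow in public/domain.te`.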
diff --git a/public/domain.te b/public/domain.te
index d283006e320ba6201fbabf961345e5325ad31936..6852d9d113abfe426d5af95f7067553de4cf8afd 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -450,6 +450,10 @@ neverallow * hidl_base_hwservice:hwservice_manager find;
 neverallow { domain -init } default_prop:property_service set;
 neverallow { domain -init } mmc_prop:property_service set;
 
+# Only core domains are allowed to access package_manager properties
+neverallow { domain -init -system_server } pm_prop:property_service set;
+neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
+
 # Do not allow reading device's serial number from system properties except form
 # a few whitelisted domains.
 neverallow {
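Review bot: The comment added above the two neverallow rules says only core domains may access the properties, but the rules enforce two different sets. The first limits setting to init and system_server, and only the second limits reading to coredomain. The comment should say both, e.g. `# pm_prop: only init and system_server may set; only coredomain may read.` These rules only bound what allow rules may grant, and no rule letting system_server set pm_prop appears in this diff, so confirm that one exists elsewhere or that init is the only intended writer. The neverallow statement that begins on the last context line continues outside the hunk.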