diff --git a/Android.mk b/Android.mk
index e2883560fc544b0785b49deae0c5d4d5e9396056..976d61b5a6cbab7b55b72b4b80eb3a79e6799f75 100644
--- a/Android.mk
+++ b/Android.mk
@@ -158,6 +158,7 @@ $(reqd_policy_mask.conf): $(call build_policy, $(sepolicy_build_files), $(REQD_M
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
 		-s $^ > $@
 
 reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
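Review bot: The new `-D target_full_treble=$(PRODUCT_FULL_TREBLE)` line is pasted verbatim into four recipes (this hunk and the ones at `@@ -188`, `@@ -243` and `@@ -342`), on top of the already-duplicated dexpreopt/arch/asan definitions, so five `-D` flags now have to be kept in sync by hand. Hoisting them into one recursively-expanded variable, e.g. `sepolicy_m4_defs = -D target_with_dexpreopt=$(WITH_DEXPREOPT) -D target_arch=$(PRIVATE_TGT_ARCH) -D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) -D target_full_treble=$(PRODUCT_FULL_TREBLE)` (recursive, so the `PRIVATE_*` target-specific values still resolve per rule) and writing `$(sepolicy_m4_defs)` in each recipe would make the next flag a one-line change. Note that when `PRODUCT_FULL_TREBLE` is unset m4 receives `-D target_full_treble=` with an empty value; presumably the policy macros compare it against `true`, in which case that is harmless, but a short comment saying so next to the definition would spare the next reader the check. The rule headers these recipes belong to start before each hunk.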
@@ -188,6 +189,7 @@ $(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY))
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
 		-s $^ > $@
 
 plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
@@ -243,6 +245,7 @@ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
@@ -342,6 +345,7 @@ $(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEP
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
diff --git a/private/adbd.te b/private/adbd.te
index 1865b2a101d163a0713d9fcf088f66e773da7076..9b84603d056b7902b3bc9b9d07f008c8c7fefe93 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -1,5 +1,6 @@
 ### ADB daemon
 
+typeattribute adbd coredomain;
 typeattribute adbd mlstrustedsubject;
 
 domain_auto_trans(adbd, shell_exec, shell)
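Review bot: `typeattribute adbd coredomain;` here, and the same attribute applied in every following private/*.te hunk of this change, depends on `coredomain` being declared, yet no hunk in view contains the `attribute coredomain;` declaration or any neverallow rule keyed on it. If the declaration lives in a file outside this excerpt that is fine, but an attribute with no accompanying neverallow rules is only a label; confirm the rules that make membership meaningful land with this change or are tracked in a follow-up. A one-line comment on the declaring attribute stating what membership means (and that it must be assigned in private policy only) would also help readers of the many one-line files this commit creates.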
diff --git a/private/atrace.te b/private/atrace.te
index 9c4f342007dc16cff4358c4a58833bcec1adaa0e..94d84834d116ddf9020232f883f2fec997a1f2b8 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -3,7 +3,7 @@
 type atrace_exec, exec_type, file_type;
 
 userdebug_or_eng(`
-  type atrace, domain, domain_deprecated;
+  type atrace, domain, coredomain, domain_deprecated;
 
   init_daemon_domain(atrace)
 
diff --git a/private/audioserver.te b/private/audioserver.te
index 95a752169c29b52077ff61e8acfb6481d0473237..a6253f244510d053db811d78f96854c4f5c61974 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -1,5 +1,7 @@
 # audioserver - audio services daemon
 
+typeattribute audioserver coredomain;
+
 type audioserver_exec, exec_type, file_type;
 init_daemon_domain(audioserver)
 
diff --git a/private/binder_in_vendor_violators.te b/private/binder_in_vendor_violators.te
new file mode 100644
index 0000000000000000000000000000000000000000..4a1218e1da65f72cc871664a2fb1db2c63b42a8a
--- /dev/null
+++ b/private/binder_in_vendor_violators.te
@@ -0,0 +1 @@
+allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
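Review bot: The new file grants `binder_in_vendor_violators` read/write on `binder_device` with no comment saying what the attribute denotes, where it is declared, or why the allowance sits in private policy. Since the name reads as a temporary exemption, add a header such as `# Transitional: domains outside the core that still open binder_device; expected to shrink to empty, tracked in <tracking-bug placeholder>` so the next maintainer knows the rule is meant to be removed rather than extended. It is also worth confirming that a neverallow elsewhere limits which domains may carry this attribute; otherwise the attribute itself becomes the easy way to keep the old access.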
diff --git a/private/blkid.te b/private/blkid.te
index 9c4cfccc80b624ef925828488b8ddd97f5850caa..090912b82140c6a108afacc0a80b4f822413f28f 100644
--- a/private/blkid.te
+++ b/private/blkid.te
@@ -1,5 +1,7 @@
 # blkid called from vold
 
+typeattribute blkid coredomain;
+
 type blkid_exec, exec_type, file_type;
 
 # Allowed read-only access to encrypted devices to extract UUID/label
diff --git a/private/blkid_untrusted.te b/private/blkid_untrusted.te
index ae18e6860c30f063f51a01711d6b443c6b09465d..125677157ebaadf6fce40e245c85904008103b13 100644
--- a/private/blkid_untrusted.te
+++ b/private/blkid_untrusted.te
@@ -1,5 +1,7 @@
 # blkid for untrusted block devices
 
+typeattribute blkid_untrusted coredomain;
+
 # Allowed read-only access to vold block devices to extract UUID/label
 allow blkid_untrusted block_device:dir search;
 allow blkid_untrusted vold_device:blk_file r_file_perms;
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 9c7182e6c7aa8beb042d1e4212512d799d19cc95..628f9714c171c4de96a1fb64c0b81702f70c36d3 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -1,5 +1,6 @@
 # bluetooth subsystem
 
+typeattribute bluetooth coredomain;
 typeattribute bluetooth domain_deprecated;
 
 app_domain(bluetooth)
diff --git a/private/bootanim.te b/private/bootanim.te
index 94fbc1f4f67100c71b8ca2c5feb418d30b78c434..8c9f6c76ef8a0db457c724a447d57a879b3fc4ca 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute bootanim coredomain;
+
 init_daemon_domain(bootanim)
diff --git a/private/bootstat.te b/private/bootstat.te
index caa82fd62c17a7ca9346bec6871c15f3d1335f52..806144cf6d34d1d0e4fa82f23863d2d20f217a2b 100644
--- a/private/bootstat.te
+++ b/private/bootstat.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute bootstat coredomain;
+
 init_daemon_domain(bootstat)
diff --git a/private/bufferhubd.te b/private/bufferhubd.te
index 4fa77a59b3aff645540d07bb426bc427f7074570..012eb20270cb536f73ae5c02e199a76706106312 100644
--- a/private/bufferhubd.te
+++ b/private/bufferhubd.te
@@ -1 +1,3 @@
+typeattribute bufferhubd coredomain;
+
 init_daemon_domain(bufferhubd)
diff --git a/private/cameraserver.te b/private/cameraserver.te
index b34d74608c49c3141e33f087e464308a122b9197..c16c13260d187562822104ec370bdefa1cb8778b 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute cameraserver coredomain;
+
 init_daemon_domain(cameraserver)
diff --git a/private/charger.te b/private/charger.te
new file mode 100644
index 0000000000000000000000000000000000000000..65109deff1cd8bc78d679e2faa0a2c440ebc8ef0
--- /dev/null
+++ b/private/charger.te
@@ -0,0 +1 @@
+typeattribute charger coredomain;
diff --git a/private/clatd.te b/private/clatd.te
new file mode 100644
index 0000000000000000000000000000000000000000..5ba0fc5cdcb99da7e531a630fc50aa621714dbf4
--- /dev/null
+++ b/private/clatd.te
@@ -0,0 +1 @@
+typeattribute clatd coredomain;
diff --git a/private/cppreopts.te b/private/cppreopts.te
index 02c13b3a08b60fa0d8293162b162b0026e45ab23..34f0d669b3d6bc5897f848a5904edf952ccb117e 100644
--- a/private/cppreopts.te
+++ b/private/cppreopts.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute cppreopts coredomain;
+
 # Technically not a daemon but we do want the transition from init domain to
 # cppreopts to occur.
 init_daemon_domain(cppreopts)
diff --git a/private/crash_dump.te b/private/crash_dump.te
new file mode 100644
index 0000000000000000000000000000000000000000..fb73f08a994a8912746b87a257e323ae762c5931
--- /dev/null
+++ b/private/crash_dump.te
@@ -0,0 +1 @@
+typeattribute crash_dump coredomain;
diff --git a/private/dex2oat.te b/private/dex2oat.te
new file mode 100644
index 0000000000000000000000000000000000000000..fd45484f4db5bce7e3945b95dff8a76633e9d160
--- /dev/null
+++ b/private/dex2oat.te
@@ -0,0 +1 @@
+typeattribute dex2oat coredomain;
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 2239d2ae8a5b7433f8a0e57f14d5e3cacc315c02..db81d0dad0f826de8a8a8294440ac38284e3ca76 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -1,5 +1,5 @@
 # dexoptanalyzer
-type dexoptanalyzer, domain, mlstrustedsubject;
+type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
 type dexoptanalyzer_exec, exec_type, file_type;
 
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
diff --git a/private/dhcp.te b/private/dhcp.te
index 67451896eb89c1510cfb6f503f1195d6ed62519a..b2f8ac7c747cf6bba0fe8080fa1afb8348b9ae95 100644
--- a/private/dhcp.te
+++ b/private/dhcp.te
@@ -1,4 +1,4 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute dhcp coredomain;
+
 init_daemon_domain(dhcp)
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
diff --git a/private/dnsmasq.te b/private/dnsmasq.te
new file mode 100644
index 0000000000000000000000000000000000000000..96084b490a08b671853cafdbf5762b7ae1c5118c
--- /dev/null
+++ b/private/dnsmasq.te
@@ -0,0 +1 @@
+typeattribute dnsmasq coredomain;
diff --git a/private/drmserver.te b/private/drmserver.te
index cc96afdce91012b208bb2511ea5d2a14bac56cf7..45663bbe1f8dff7116edca57d613c148007d501a 100644
--- a/private/drmserver.te
+++ b/private/drmserver.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute drmserver coredomain;
+
 init_daemon_domain(drmserver)
 
 type_transition drmserver apk_data_file:sock_file drmserver_socket;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 62628dd2575710e22f82bf7992fefeed9f5e3578..cbdfbc6d55ed0d2829648884dec023ae5644f741 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute dumpstate coredomain;
+
 init_daemon_domain(dumpstate)
 
 # Execute and transition to the vdc domain
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 2b0515ad904d1b78edaf23632cc58d69ab0341b4..92890273ade1711973c99d68a96939c9fd45d12d 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -11,6 +11,8 @@
 ###
 ### PackageManager flags an app as ephemeral at install time.
 
+typeattribute ephemeral_app coredomain;
+
 net_domain(ephemeral_app)
 app_domain(ephemeral_app)
 
diff --git a/private/fingerprintd.te b/private/fingerprintd.te
index a733cabd9d066dd2a28bb5f3bb5c0f3d7b0bc15d..eb73ef8ccf9a3129f5a635c3f390d1177277e6f5 100644
--- a/private/fingerprintd.te
+++ b/private/fingerprintd.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute fingerprintd coredomain;
+
 init_daemon_domain(fingerprintd)
diff --git a/private/fsck.te b/private/fsck.te
index f3f4c52d2b6a1e05b74d6428ac322d65fa3d2df2..3a36329f7cca371944b2835dee1854966a754269 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute fsck coredomain;
+
 init_daemon_domain(fsck)
diff --git a/private/fsck_untrusted.te b/private/fsck_untrusted.te
new file mode 100644
index 0000000000000000000000000000000000000000..9a57bf02771bb2a06bf59d5b0a922e96dcb81aa6
--- /dev/null
+++ b/private/fsck_untrusted.te
@@ -0,0 +1 @@
+typeattribute fsck_untrusted coredomain;
diff --git a/private/gatekeeperd.te b/private/gatekeeperd.te
index d050c2edfd71a9ba87ff915073317cd1dff1d498..5e4d0a2e9de7c4649a6b699d46ef8a8d3d2def99 100644
--- a/private/gatekeeperd.te
+++ b/private/gatekeeperd.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute gatekeeperd coredomain;
+
 init_daemon_domain(gatekeeperd)
diff --git a/private/hal_allocator_default.te b/private/hal_allocator_default.te
index ff407d5a6f153cad002b1d323abd2a94209216e6..49ef1781bb0e5f0296e44d3784958c607d2f1382 100644
--- a/private/hal_allocator_default.te
+++ b/private/hal_allocator_default.te
@@ -1,4 +1,4 @@
-type hal_allocator_default, domain;
+type hal_allocator_default, domain, coredomain;
 hal_server_domain(hal_allocator_default, hal_allocator)
 
 type hal_allocator_default_exec, exec_type, file_type;
diff --git a/private/healthd.te b/private/healthd.te
index fc13e28fd28a637a568afe6eb567537c591e3413..0693a3a683d078e39b086c36fedf3c579908a229 100644
--- a/private/healthd.te
+++ b/private/healthd.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute healthd coredomain;
+
 init_daemon_domain(healthd)
 
 # Allow callback to storaged batteryproperties listener
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index e15d13db0bc0740c057b87af6fbbd4715a3af161..627b93f5f532bfd262a48686513873503127d9f5 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute hwservicemanager coredomain;
+
 init_daemon_domain(hwservicemanager)
diff --git a/private/idmap.te b/private/idmap.te
new file mode 100644
index 0000000000000000000000000000000000000000..73abf355291f7ad485f2e8013794a23a63c287df
--- /dev/null
+++ b/private/idmap.te
@@ -0,0 +1 @@
+typeattribute idmap coredomain;
diff --git a/private/incident.te b/private/incident.te
index 084bd5dfdc03f8f973a9b8ef85f45614c59f6620..b910ddef3687d0f778050413153b6b5fd4d9a1d3 100644
--- a/private/incident.te
+++ b/private/incident.te
@@ -1,3 +1,5 @@
+typeattribute incident coredomain;
+
 type incident_exec, exec_type, file_type;
 
 # switch to incident domain for incident command
diff --git a/private/incidentd.te b/private/incidentd.te
index 49830f43e7b843e8043062383218b63fbc51cce1..efd23bdae8896c29a4bce0757e9a8c4b61e6e60f 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -1,3 +1,5 @@
+typeattribute incidentd coredomain;
+
 init_daemon_domain(incidentd)
 type incidentd_exec, exec_type, file_type;
 binder_use(incidentd)
diff --git a/private/init.te b/private/init.te
index f491d00f3f18f6cb15d1ea2ac4e210bed9b750c1..fb4335a0908e3698f22e213821f5a0f2c56a3275 100644
--- a/private/init.te
+++ b/private/init.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute init coredomain;
+
 tmpfs_domain(init)
 
 # Transitions to seclabel processes in init.rc
diff --git a/private/inputflinger.te b/private/inputflinger.te
index dae01f86705dea1dd8aa87fd8a06edcbba8c06a3..9696b491b75897d98346b9494cce5f92ad10733c 100644
--- a/private/inputflinger.te
+++ b/private/inputflinger.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute inputflinger coredomain;
+
 init_daemon_domain(inputflinger)
diff --git a/private/install_recovery.te b/private/install_recovery.te
index b9b402b568f25428b518e3c51ba1ade2bf28bc26..b79d683a6d7bf756695d22b0b889dd032eb6de75 100644
--- a/private/install_recovery.te
+++ b/private/install_recovery.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute install_recovery coredomain;
+
 init_daemon_domain(install_recovery)
diff --git a/private/installd.te b/private/installd.te
index e18d8410a322e05f0d57e2041161598344ed281b..f74843dd135d4f6550d2dc6ff8c58e1ac343c550 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute installd coredomain;
+
 init_daemon_domain(installd)
 
 # Run dex2oat in its own sandbox.
diff --git a/private/isolated_app.te b/private/isolated_app.te
index f98b1d1cd034cd43e2069cb35211c0bc9234d0de..418a3224e5695c8ad1323267b0fc0b8efe602e62 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -6,6 +6,8 @@
 ### and AID_ISOLATED_END (99999).
 ###
 
+typeattribute isolated_app coredomain;
+
 app_domain(isolated_app)
 
 # Access already open app data files received over Binder or local socket IPC.
diff --git a/private/kernel.te b/private/kernel.te
index 1c2223e57171d496c70ae61f40df9f4be713be13..a4e6ebe360f9ebfaf2aacd1befef51b87bd02d0f 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute kernel coredomain;
+
 domain_auto_trans(kernel, init_exec, init)
diff --git a/private/keystore.te b/private/keystore.te
index 70ad3b24dfef1e0d686f35d046a2b8c6c6fe31bb..6aa888429255afbd4cc7edc8bf27c536b55afd33 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute keystore coredomain;
+
 init_daemon_domain(keystore)
diff --git a/private/lmkd.te b/private/lmkd.te
index a5d0d77568cde7061dde12f36dede567f3aeee79..a07ce879cc6eedbaddfe024633416b053e43bf35 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute lmkd coredomain;
+
 init_daemon_domain(lmkd)
diff --git a/private/logd.te b/private/logd.te
index aea6654c87998c49776c3b5b65b6a481005d6cdd..4338e40054183a611300801ebb53b594c83c791b 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute logd coredomain;
+
 init_daemon_domain(logd)
 
 # logd is not allowed to write anywhere other than /data/misc/logd, and then
diff --git a/private/logpersist.te b/private/logpersist.te
index dbace693ce41e7d026e789f259279a0677be25b4..70e3198b54fb04f230575ac384da5291a4363543 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -1,3 +1,5 @@
+typeattribute logpersist coredomain;
+
 # android debug log storage in logpersist domains (eng and userdebug only)
 userdebug_or_eng(`
 
diff --git a/private/mdnsd.te b/private/mdnsd.te
index 2fefc32dd1eb6c02d72d0a8b56bb95c1b9c4c73f..96259e2986258cd4381fbc117d06e6e91aa99c5f 100644
--- a/private/mdnsd.te
+++ b/private/mdnsd.te
@@ -1,5 +1,6 @@
 # mdns daemon
 
+typeattribute mdnsd coredomain;
 typeattribute mdnsd mlstrustedsubject;
 
 type mdnsd_exec, exec_type, file_type;
diff --git a/private/mediacodec.te b/private/mediacodec.te
index 7f88433a101fd3d653fb04e98dfec647eb6dce96..ff290bc41f2dc5a789f293236a21d4e5e2101a1b 100644
--- a/private/mediacodec.te
+++ b/private/mediacodec.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediacodec coredomain;
+
 init_daemon_domain(mediacodec)
diff --git a/private/mediadrmserver.te b/private/mediadrmserver.te
index 5a8e7446cdc5142fbbc773cb33b4c6b06833d8d7..def87599ffdf931e4068d669fcc1518d1ff598ed 100644
--- a/private/mediadrmserver.te
+++ b/private/mediadrmserver.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediadrmserver coredomain;
+
 init_daemon_domain(mediadrmserver)
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
index 8596c1440a10415fa76c02c00e4d9a0047a7f498..c1a85219c34447bffb208b0ec4853b9f05936826 100644
--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediaextractor coredomain;
+
 init_daemon_domain(mediaextractor)
diff --git a/private/mediametrics.te b/private/mediametrics.te
index 11f17d23d1d3d1891a443d6b84b219f87d3e6cb3..f8b2fa5cdcf1995c62fd767be217af4bd80d9905 100644
--- a/private/mediametrics.te
+++ b/private/mediametrics.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediametrics coredomain;
+
 init_daemon_domain(mediametrics)
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 74b11b07b7021c5e84d27494cd5caa0959078074..4b510a54a4e1271be7dc3ebbabda6ccecb0e6ba2 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediaserver coredomain;
+
 init_daemon_domain(mediaserver)
diff --git a/private/modprobe.te b/private/modprobe.te
new file mode 100644
index 0000000000000000000000000000000000000000..98586756f91da77583959db541ca421a565ebcf3
--- /dev/null
+++ b/private/modprobe.te
@@ -0,0 +1 @@
+typeattribute modprobe coredomain;
diff --git a/private/mtp.te b/private/mtp.te
index 69e1353b0f7085730ec94b5fb37b9cf1e5c936a7..732e111ed0b42407b3076a9ce971946b9a01e818 100644
--- a/private/mtp.te
+++ b/private/mtp.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mtp coredomain;
+
 init_daemon_domain(mtp)
diff --git a/private/netd.te b/private/netd.te
index cc87dcbb45ce4218c6cc743a7d7223bdaf14d5fc..f501f25e9f56361cb38813acec88f440a1ad7ee1 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute netd coredomain;
+
 init_daemon_domain(netd)
 
 # Allow netd to spawn dnsmasq in it's own domain
diff --git a/private/nfc.te b/private/nfc.te
index 4d1f2ce2913875b44e972c19b8d3e255bddfb785..25ad702b536fc927416963f4cb7d8c532aaab439 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -1,4 +1,5 @@
 # nfc subsystem
+typeattribute nfc coredomain;
 app_domain(nfc)
 net_domain(nfc)
 
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 8e54a790fc1dca67306535f6f766404b340673c3..1f69931c8b0589858f24724ae9daebf3fb9b551a 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -1,4 +1,4 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute otapreopt_chroot coredomain;
+
 # Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
 domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
diff --git a/private/otapreopt_slot.te b/private/otapreopt_slot.te
index 519c34274128ef5c68b18ccf3b5f233f9b8fd106..98b93d4065a767898729a6977f78031ae873981a 100644
--- a/private/otapreopt_slot.te
+++ b/private/otapreopt_slot.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute otapreopt_slot coredomain;
+
 # Technically not a daemon but we do want the transition from init domain to
 # cppreopts to occur.
 init_daemon_domain(otapreopt_slot)
diff --git a/private/performanced.te b/private/performanced.te
index 9544f662c1f5466dc5bac166320152e37cb9d8a5..792826e02297ffdeb248014a2af721339c6593ed 100644
--- a/private/performanced.te
+++ b/private/performanced.te
@@ -1 +1,3 @@
+typeattribute performanced coredomain;
+
 init_daemon_domain(performanced)
diff --git a/private/platform_app.te b/private/platform_app.te
index 6b18d8feec929897da5b96a17c261f04335d6831..984bb7b4fc54e159cad5d6a3c6f60532a54b50ae 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -2,6 +2,7 @@
 ### Apps signed with the platform key.
 ###
 
+typeattribute platform_app coredomain;
 typeattribute platform_app domain_deprecated;
 
 app_domain(platform_app)
diff --git a/private/postinstall.te b/private/postinstall.te
index 47bf320f3b7d9437a53da6a63b2581779e03d776..363e362dda7be27d3127e4006428a31e427a8e60 100644
--- a/private/postinstall.te
+++ b/private/postinstall.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute postinstall coredomain;
+
 domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index 7596465aa8a1d747e278e723df518de60acaed2f..ff5fe8735d9d097c6b02191e029897cf77399919 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute postinstall_dexopt coredomain;
+
 # Run dex2oat/patchoat in its own sandbox.
 # We have to manually transition, as we don't have an entrypoint.
 domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
diff --git a/private/ppp.te b/private/ppp.te
index befc20e5e012605601cc10b041727bcdd42ad384..968b221b688ffe92f04a98d4211648a26d1e7ffc 100644
--- a/private/ppp.te
+++ b/private/ppp.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute ppp coredomain;
+
 domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/private/preopt2cachename.te b/private/preopt2cachename.te
new file mode 100644
index 0000000000000000000000000000000000000000..d10f76766c0aad8d6a72474ed767a1a3dfe66a7d
--- /dev/null
+++ b/private/preopt2cachename.te
@@ -0,0 +1 @@
+typeattribute preopt2cachename coredomain;
diff --git a/private/priv_app.te b/private/priv_app.te
index 83a4b3f769ffc99b67ce181a93ad783c87ccd147..38ce673a1efa7ee8410fbcf2852dc1a460dc2435 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -2,6 +2,7 @@
 ### A domain for further sandboxing privileged apps.
 ###
 
+typeattribute priv_app coredomain;
 app_domain(priv_app)
 
 # Access the network.
diff --git a/private/profman.te b/private/profman.te
new file mode 100644
index 0000000000000000000000000000000000000000..f61d05efe7b8908ba5dbd7464cfb84b2c4118e94
--- /dev/null
+++ b/private/profman.te
@@ -0,0 +1 @@
+typeattribute profman coredomain;
diff --git a/private/racoon.te b/private/racoon.te
index 3eeb8151a3c87d7ccc48290efa038d817eccad0d..42ea7c9e48416235ba3f28b878ff7fac20d87196 100644
--- a/private/racoon.te
+++ b/private/racoon.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute racoon coredomain;
+
 init_daemon_domain(racoon)
diff --git a/private/radio.te b/private/radio.te
index 95e7f0a47fac0ae379921dfb66e428b2774f16b9..b4f539048f3b56816ff9f011a6d1cf0349d6ef6b 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -1,3 +1,5 @@
+typeattribute radio coredomain;
+
 app_domain(radio)
 
 read_runtime_log_tags(radio)
diff --git a/private/recovery.te b/private/recovery.te
new file mode 100644
index 0000000000000000000000000000000000000000..2a7fdc7e1d3ad16a0b8f211def5313f91376c7dd
--- /dev/null
+++ b/private/recovery.te
@@ -0,0 +1 @@
+typeattribute recovery coredomain;
diff --git a/private/recovery_persist.te b/private/recovery_persist.te
index 3c37d2bc984c765ac425f916ec19dd85b6d09cbb..1fdd7583d735021ca0bbcce783af2ea906c14a92 100644
--- a/private/recovery_persist.te
+++ b/private/recovery_persist.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute recovery_persist coredomain;
+
 init_daemon_domain(recovery_persist)
 
 # recovery_persist is not allowed to write anywhere other than recovery_data_file
diff --git a/private/recovery_refresh.te b/private/recovery_refresh.te
index d1cfbfea0e96fea0f1ebcf1b9a2ed8a17826c275..327098dadb87835c3c1367409282ea73a70cac5e 100644
--- a/private/recovery_refresh.te
+++ b/private/recovery_refresh.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute recovery_refresh coredomain;
+
 init_daemon_domain(recovery_refresh)
 
 # recovery_refresh is not allowed to write anywhere
diff --git a/private/runas.te b/private/runas.te
index d791501b346372cf3d8941939011dd221b1949b8..ef31aac3471736662b840960b05e242ccb80856d 100644
--- a/private/runas.te
+++ b/private/runas.te
@@ -1,4 +1,4 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute runas coredomain;
+
 # ndk-gdb invokes adb shell run-as.
 domain_auto_trans(shell, runas_exec, runas)
diff --git a/private/sdcardd.te b/private/sdcardd.te
index 55915fed71432a6282c837b5c55e583ce9daaf3b..126d643490d7081ad0db7db021320aa74af171b8 100644
--- a/private/sdcardd.te
+++ b/private/sdcardd.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute sdcardd coredomain;
+
 type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/private/sensord.te b/private/sensord.te
index ef03b095cb4d4b7cb6b22856cfceb4b5df1df6bf..bdeded638f1f8442570ceb2e3ee2cb6f2bbeebe0 100644
--- a/private/sensord.te
+++ b/private/sensord.te
@@ -1 +1,3 @@
+typeattribute sensord coredomain;
+
 init_daemon_domain(sensord)
diff --git a/private/servicemanager.te b/private/servicemanager.te
index 6f382a7c326e0800dbfedcdc8370277ab97b970a..9f675a2bed692007a3fba82c7be774daeaf749a7 100644
--- a/private/servicemanager.te
+++ b/private/servicemanager.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute servicemanager coredomain;
+
 init_daemon_domain(servicemanager)
 
 read_runtime_log_tags(servicemanager)
diff --git a/private/sgdisk.te b/private/sgdisk.te
new file mode 100644
index 0000000000000000000000000000000000000000..a17342e01023583ada9fc6526fea79fb2c685145
--- /dev/null
+++ b/private/sgdisk.te
@@ -0,0 +1 @@
+typeattribute sgdisk coredomain;
diff --git a/private/shared_relro.te b/private/shared_relro.te
index b1ba0ff4a323127bbab48dfb8475792886f845e5..02f7206829d2901285479f95ed49fa656327e0d1 100644
--- a/private/shared_relro.te
+++ b/private/shared_relro.te
@@ -1,3 +1,5 @@
+typeattribute shared_relro coredomain;
+
 # The shared relro process is a Java program forked from the zygote, so it
 # inherits from app to get basic permissions it needs to run.
 app_domain(shared_relro)
diff --git a/private/shell.te b/private/shell.te
index 1e779645abd426728a26d1a10f07416f3d45ba85..aab0a15c327c347d1596b46a7cd4fd01d44d96a0 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -1,3 +1,5 @@
+typeattribute shell coredomain;
+
 # systrace support - allow atrace to run
 allow shell debugfs_tracing:dir r_dir_perms;
 allow shell debugfs_tracing:file r_file_perms;
diff --git a/private/slideshow.te b/private/slideshow.te
new file mode 100644
index 0000000000000000000000000000000000000000..7dfa994ea7add2eddb4c6e3f2598a79c6d9b5de0
--- /dev/null
+++ b/private/slideshow.te
@@ -0,0 +1 @@
+typeattribute slideshow coredomain;
diff --git a/private/storaged.te b/private/storaged.te
index 4796675acf1c586fc1251b0c7ad177b26e715291..3dbabf6f2aa6a322635e029c2d77226fd5edef39 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -1,5 +1,5 @@
 # storaged daemon
-type storaged, domain, mlstrustedsubject;
+type storaged, domain, coredomain, mlstrustedsubject;
 type storaged_exec, exec_type, file_type;
 
 init_daemon_domain(storaged)
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 3808c838f3169d5a149363e657d1867cc1bc0d63..f143580ddaa89e2b54ed4c4dfd971ae1b8d6ae01 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -1,5 +1,7 @@
 # surfaceflinger - display compositor service
 
+typeattribute surfaceflinger coredomain;
+
 type surfaceflinger_exec, exec_type, file_type;
 init_daemon_domain(surfaceflinger)
 
diff --git a/private/system_app.te b/private/system_app.te
index 7539da226e47cb605534d1610c206821b27975e8..12ba6094f5dada9e9c3011cc69a3fe81bdaf3e28 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -4,6 +4,7 @@
 ### server.
 ###
 
+typeattribute system_app coredomain;
 typeattribute system_app domain_deprecated;
 
 app_domain(system_app)
diff --git a/private/system_server.te b/private/system_server.te
index d1f9bc322bc884a4b65fdd12e83e0b474b03a925..da1c625503493b3df894bf1a9c9072bd9b8f51ad 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -3,6 +3,7 @@
 # Most of the framework services run in this process.
 #
 
+typeattribute system_server coredomain;
 typeattribute system_server domain_deprecated;
 typeattribute system_server mlstrustedsubject;
 
diff --git a/private/tee.te b/private/tee.te
index 17b276fdd28eb30ae8457fcab26251cb521533b1..99f501e9f6e7c036e7f164b95591a0c4a97782e0 100644
--- a/private/tee.te
+++ b/private/tee.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute tee coredomain;
+
 init_daemon_domain(tee)
diff --git a/private/tombstoned.te b/private/tombstoned.te
index 73fdb1bdfc559ab527a534da500dd6b8585764a8..305f9d00679e573f56837a9ff9c215ae217e777c 100644
--- a/private/tombstoned.te
+++ b/private/tombstoned.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute tombstoned coredomain;
+
 init_daemon_domain(tombstoned)
diff --git a/private/toolbox.te b/private/toolbox.te
index fd43d5ee6cbf414864e8c2e65a66fdb04ad35b29..a2b958dba339a87ece3bc9fa66112cc49abc23ae 100644
--- a/private/toolbox.te
+++ b/private/toolbox.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute toolbox coredomain;
+
 init_daemon_domain(toolbox)
diff --git a/private/tzdatacheck.te b/private/tzdatacheck.te
index ee67bb2e59ff8efb67bf9fe213a8e52edb5e36c9..502735cad0c34d31e410302fbb3dc6b3de090109 100644
--- a/private/tzdatacheck.te
+++ b/private/tzdatacheck.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute tzdatacheck coredomain;
+
 init_daemon_domain(tzdatacheck)
diff --git a/private/ueventd.te b/private/ueventd.te
index 5034db7f9b49361c01611b9dce93ff9260c8c557..1bd67735e99dc6ea00b17af8db5e4f03550311df 100644
--- a/private/ueventd.te
+++ b/private/ueventd.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute ueventd coredomain;
+
 tmpfs_domain(ueventd)
diff --git a/private/uncrypt.te b/private/uncrypt.te
index e2b919c74bc7c202662cedfdc7f6770032d2273e..e4e9224d9d54910d303676d82c2a2b2ae3473f58 100644
--- a/private/uncrypt.te
+++ b/private/uncrypt.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute uncrypt coredomain;
+
 init_daemon_domain(uncrypt)
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 2f4a1a4dec2d42a55ce8a2cb3c3ff930815d1024..68c1a41bd19c50f3e2e9d8bc3c0d7d6f9e52b155 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -17,6 +17,8 @@
 ### seapp_contexts.
 ###
 
+typeattribute untrusted_app coredomain;
+
 app_domain(untrusted_app)
 untrusted_app_domain(untrusted_app)
 net_domain(untrusted_app)
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index e576d27dc9f01efe5047c08dd4cad47adaaf762f..3fa79efcef8b66af46f34f7763551cacbdf874e3 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -19,6 +19,8 @@
 ### seapp_contexts.
 ###
 
+typeattribute untrusted_app_25 coredomain;
+
 app_domain(untrusted_app_25)
 untrusted_app_domain(untrusted_app_25)
 net_domain(untrusted_app_25)
diff --git a/private/untrusted_v2_app.te b/private/untrusted_v2_app.te
index e51170915df112ea72a31c443389f0e988e9b2b4..ef628414d746f2b5a2997fb76c40c2f9e8e5d7fb 100644
--- a/private/untrusted_v2_app.te
+++ b/private/untrusted_v2_app.te
@@ -1,6 +1,9 @@
 ###
 ### Untrusted v2 sandbox apps.
 ###
+
+typeattribute untrusted_v2_app coredomain;
+
 app_domain(untrusted_v2_app)
 net_domain(untrusted_v2_app)
 bluetooth_domain(untrusted_v2_app)
diff --git a/private/update_engine.te b/private/update_engine.te
index 01199ebb2b70f22bd1dc78e67a04789b8b790e84..5af7db6817de8df41bab90c9bf82eacde78dcf74 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute update_engine coredomain;
+
 init_daemon_domain(update_engine);
diff --git a/private/update_verifier.te b/private/update_verifier.te
index c5f110b6cf5ea82158a957aa95880fbfc136cce3..1b934d9805eff901c50e2f5c7277034b5941722a 100644
--- a/private/update_verifier.te
+++ b/private/update_verifier.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute update_verifier coredomain;
+
 init_daemon_domain(update_verifier)
diff --git a/private/vdc.te b/private/vdc.te
index 877e9133123bac2fe5d66bc393a4095e16f3c8af..bc7409eee5f72ec9c706f7d9e303c3ae9f84f7c4 100644
--- a/private/vdc.te
+++ b/private/vdc.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute vdc coredomain;
+
 init_daemon_domain(vdc)
diff --git a/private/virtual_touchpad.te b/private/virtual_touchpad.te
index ced556e263eb1d1850f4e3c8b12efb8b27f9bb14..e735172fed4128d3f841f0c4cef2c8e10a5c3bab 100644
--- a/private/virtual_touchpad.te
+++ b/private/virtual_touchpad.te
@@ -1 +1,3 @@
+typeattribute virtual_touchpad coredomain;
+
 init_daemon_domain(virtual_touchpad)
diff --git a/private/vold.te b/private/vold.te
index b2495f688342e3aec67aca2418d012635e75bf1d..a6d1001d1d48325e4fff25e4c15d888023ae297a 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute vold coredomain;
+
 init_daemon_domain(vold)
 
 # Switch to more restrictive domains when executing common tools
diff --git a/private/watchdogd.te b/private/watchdogd.te
new file mode 100644
index 0000000000000000000000000000000000000000..36dd30fd77bbb1d38c7ab650449a24ce042e9ab5
--- /dev/null
+++ b/private/watchdogd.te
@@ -0,0 +1 @@
+typeattribute watchdogd coredomain;
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index aad66bf983947998ebbbdb83f2c5f1c0a3c4bfbb..b2a19519fc7ee44edb68e6b7322405c25a22739a 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -1,6 +1,8 @@
 # webview_zygote is an auxiliary zygote process that is used to spawn
 # isolated_app processes for rendering untrusted web content.
 
+typeattribute webview_zygote coredomain;
+
 # The webview_zygote needs to be able to transition domains.
 typeattribute webview_zygote mlstrustedsubject;
 
diff --git a/private/wificond.te b/private/wificond.te
index 2e89975d0724277ae8927ebc8b82613135905538..5476e33858dc85e21afeeec385417fb51d03bde1 100644
--- a/private/wificond.te
+++ b/private/wificond.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute wificond coredomain;
+
 init_daemon_domain(wificond)
diff --git a/private/zygote.te b/private/zygote.te
index f0ac0b2abe8fb284898d59b5c68ef74af06203e4..e9ec6724ff53a5210f54865ed6d83a5d8655003b 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -1,4 +1,5 @@
 # zygote
+typeattribute zygote coredomain;
 typeattribute zygote domain_deprecated;
 typeattribute zygote mlstrustedsubject;
 
diff --git a/public/attributes b/public/attributes
index b9360a6c683686e035885df34ae3dd807160a998..00035abbae5a32094cb3a144481bf5fee4f8a196 100644
--- a/public/attributes
+++ b/public/attributes
@@ -115,6 +115,13 @@ attribute binderservicedomain;
 # recovery for A/B devices.
 attribute update_engine_common;
 
+# All core domains (as opposed to vendor/device-specific domains)
+attribute coredomain;
+
+# All vendor domains which violate the requirement of not using Binder
+# TODO(b/35870313): Remove this once there are no violations
+attribute binder_in_vendor_violators;
+
 # All HAL servers
 attribute halserverdomain;
 # All HAL clients
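Review bot: The comment on the new coredomain attribute says what the attribute is but not what it grants, and since public/domain.te in this same commit keys /dev/binder and servicemanager access on it, someone auditing a later `typeattribute X coredomain;` should learn the consequence here. Suggest `# All core domains (as opposed to vendor/device-specific domains). On full TREBLE devices only coredomain and appdomain may use /dev/binder and servicemanager (see public/domain.te).` Likewise the binder_in_vendor_violators comment could state that membership only exempts a domain from the full-TREBLE neverallow in domain.te and does not by itself grant any access.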
diff --git a/public/domain.te b/public/domain.te
index 5f7da0bf369972fe348163859c537e3145b431ea..8a42336fb515da602f92da3f77c736b079b047e8 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -66,7 +66,10 @@ allow domain owntty_device:chr_file rw_file_perms;
 allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file rw_file_perms;
 allow domain ashmem_device:chr_file rw_file_perms;
-allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+# /dev/binder can be accessed by non-vendor domains and by apps
+allow { coredomain appdomain -hwservicemanager } binder_device:chr_file rw_file_perms;
+# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
+not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
 allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
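Review bot: The new allow on the /dev/binder line grants rw access only to coredomain and appdomain (minus hwservicemanager), so on a full-TREBLE device a vendor domain tagged binder_in_vendor_violators — hal_wifi_supplicant_default in this commit — is exempted from the neverallow added in the second domain.te hunk but receives no allow from this one; unless an `allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;` exists elsewhere, that HAL loses /dev/binder on such devices, which looks unintended given the TODO. The old rule's explicit `-vndservicemanager` exclusion is now implicit and depends on vndservicemanager never being given coredomain; the existing `neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;` still enforces that at policy-compile time, and the comment should say so: `# vndservicemanager is kept out by the neverallow below, not by this rule`. The not_full_treble fallback re-grants the broad rule on non-TREBLE devices, so both allows coexist there; harmless for SELinux, but worth one clause in the comment so a reader does not assume the narrow rule is the only one in effect.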
@@ -420,6 +423,24 @@ neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
 
+# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
+# domain apps need this because Android framework offers many of its services to apps as Binder
+# services.
+full_treble_only(`
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  } binder_device:chr_file rw_file_perms;
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  } servicemanager:binder { call transfer };
+')
+
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {
   domain
diff --git a/public/te_macros b/public/te_macros
index aeb291613b98910a04a204cc2b2aa52b61844f51..52f2e1b611336bee8d1a448ebdcb6728fcc7da74 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -394,6 +394,18 @@ define(`non_system_app_set', `{ appdomain -system_app }')
 #
 define(`recovery_only', ifelse(target_recovery, `true', $1, ))
 
+#####################################
+# Full TREBLE only
+# SELinux rules which apply only to full TREBLE devices
+#
+define(`full_treble_only', ifelse(target_full_treble, `true', $1, ))
+
+#####################################
+# Not full TREBLE
+# SELinux rules which apply only to devices which are not full TREBLE devices
+#
+define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
+
 #####################################
 # Userdebug or eng builds
 # SELinux rules which apply only to userdebug or eng builds
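Review bot: Both new macros decide via `ifelse(target_full_treble, `true', …)`, so when the policy is compiled without `-D target_full_treble` (or with PRODUCT_FULL_TREBLE empty) the undefined name is compared as a literal string and both macros select the non-TREBLE branch — the broad /dev/binder allow and no neverallow. This mirrors how recovery_only is written, but because here the default is the weaker policy it deserves a line in each header, e.g. `# Devices that do not define target_full_treble as true are treated as not full TREBLE.` It would also help to name where the flag comes from, since only Android.mk passes it.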
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 3bde9ecdc543f708a4150855ea4b693a1817cfef..5e49605ff8c35cd6bc478cced5935e512a214d59 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -7,3 +7,6 @@ init_daemon_domain(hal_wifi_supplicant_default)
 net_domain(hal_wifi_supplicant_default)
 # Create a socket for receiving info from wpa
 type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
+
+# TODO(b/34603782): Remove this once Wi-Fi Supplicant HAL stops using Binder
+typeattribute hal_wifi_supplicant_default binder_in_vendor_violators;
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
index 9357042f5d987fe91d21c67dcc2163c96840b927..dff18ce5625efa6b976077d8e0487785d86c3be7 100644
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -6,7 +6,7 @@ init_daemon_domain(vndservicemanager);
 allow vndservicemanager self:binder set_context_mgr;
 
 # transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
-allow vndservicemanager { domain -init }:binder transfer;
+allow vndservicemanager { domain -coredomain -init }:binder transfer;
 
 allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
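Review bot: The changed allow now excludes coredomain from the binder transfer targets, which is much of what the TODO on the comment line above asks for, yet that comment still reads as if nothing had been limited; narrow it to the remaining gap, e.g. `# transfer binder objects to non-core processes (TODO b/35870313: limit to vendor-only)`. If init is given coredomain elsewhere in this commit, the explicit `-init` becomes redundant; init.te is not in this chunk, so confirm before dropping it.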