diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 3bdbfb181e524687395f009f2f693747d9f3ff31..ca18c0396cc606235005e48f19ede76712673ba5 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -258,3 +258,8 @@ full_treble_only(`
 
 # Untrusted apps are not allowed to find mediaextractor update service.
 neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
+
+# Untrusted apps are not allowed to use the signature|privileged|development
+# android.permission.READ_LOGS permission, so they may not read dropbox files.
+# Access to the the dropbox directory is covered by a neverallow for domain.
+neverallow all_untrusted_apps dropbox_data_file:file *;
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 4ff2d4c61f809f5144ff033b472b4a31421eba57..30f0d74cf10993b69fcaed9a23037cb38683b4d9 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -641,6 +641,7 @@
 (typeattributeset system_block_device_26_0 (system_block_device))
 (typeattributeset system_data_file_26_0
   ( system_data_file
+    dropbox_data_file
     vendor_data_file))
 (typeattributeset system_file_26_0 (system_file))
 (typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index c1f5e941049110dda74444e610f40b8380489302..f8c86b08db73447dbf75caa1b1b1f1accd8966d2 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1359,6 +1359,7 @@
 (typeattributeset system_block_device_27_0 (system_block_device))
 (typeattributeset system_data_file_27_0
   ( system_data_file
+    dropbox_data_file
     vendor_data_file))
 (typeattributeset system_file_27_0 (system_file))
 (typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
diff --git a/private/domain.te b/private/domain.te
index fb6ba4f78fadf6787de52fd745038420a3ba3a3f..3a7ef424261dd60fd0187e36c7d9ce91d6ce3634 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -116,3 +116,8 @@ full_treble_only(`
     -init
   }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
 ')
+
+# System_server owns dropbox data, and init creates/restorecons the directory
+# Disallow direct access by other processes.
+neverallow { domain -init -system_server } dropbox_data_file:dir *;
+neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
diff --git a/private/file_contexts b/private/file_contexts
index 4e2a7654b8678a61bfe7161d7208d33a1ccfabbd..31cc59d54e2fda4805b3aec30bbb1c5c4561d6e4 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -432,6 +432,7 @@
 /data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
 /data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0
 /data/misc/update_engine_log(/.*)?  u:object_r:update_engine_log_data_file:s0
+/data/system/dropbox(/.*)?      u:object_r:dropbox_data_file:s0
 /data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
 /data/misc/trace(/.*)?          u:object_r:method_trace_data_file:s0
 /data/misc/wmtrace(/.*)?        u:object_r:wm_trace_data_file:s0
diff --git a/private/platform_app.te b/private/platform_app.te
index f60597a7ef59918bbe2d4405781b6777b8e0bd82..b147bd9c2ed561217f35129f307911e0166f8f1a 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -27,6 +27,9 @@ allow platform_app asec_apk_file:file create_file_perms;
 allow platform_app media_rw_data_file:dir create_dir_perms;
 allow platform_app media_rw_data_file:file create_file_perms;
 
+# Read access to FDs from the DropboxManagerService.
+allow platform_app dropbox_data_file:file { getattr read };
+
 # Write to /cache.
 allow platform_app cache_file:dir create_dir_perms;
 allow platform_app cache_file:file create_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index 99397a5bc418448733678c4b1c56f813d9af4468..3c2e6417dee5df33867f5c9df946db6f2f5639e7 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -53,6 +53,9 @@ allow priv_app ota_package_file:file create_file_perms;
 allow priv_app media_rw_data_file:dir create_dir_perms;
 allow priv_app media_rw_data_file:file create_file_perms;
 
+# Read access to FDs from the DropboxManagerService.
+allow priv_app dropbox_data_file:file { getattr read };
+
 # Used by Finsky / Android "Verify Apps" functionality when
 # running "adb install foo.apk".
 allow priv_app shell_data_file:file r_file_perms;
diff --git a/private/system_app.te b/private/system_app.te
index eb7e050522a8c9695fdd3f2ae14f3674dd3140be..efb768b9811919e3ed4cf696d1b6013ec02fdece 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -24,6 +24,9 @@ allow system_app misc_user_data_file:file create_file_perms;
 # Access to vold-mounted storage for measuring free space
 allow system_app mnt_media_rw_file:dir search;
 
+# Read access to FDs from the DropboxManagerService.
+allow system_app dropbox_data_file:file { getattr read };
+
 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;
 
diff --git a/private/system_server.te b/private/system_server.te
index e9cf30301f2ecafe489c82e4e73c764460ef77e9..da06de032f244cdc1fd10b730d6e09983f8f0274 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -391,6 +391,10 @@ userdebug_or_eng(`
 allow system_server backup_data_file:dir create_dir_perms;
 allow system_server backup_data_file:file create_file_perms;
 
+# Write to /data/system/dropbox
+allow system_server dropbox_data_file:dir create_dir_perms;
+allow system_server dropbox_data_file:file create_file_perms;
+
 # Write to /data/system/heapdump
 allow system_server heapdump_data_file:dir rw_dir_perms;
 allow system_server heapdump_data_file:file create_file_perms;
diff --git a/public/file.te b/public/file.te
index 01b489d71aea04479364c46de52e820819fa3c1b..aeb15dc9132ce3a111fa2ca8a928a38a20bd4a3c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -202,6 +202,8 @@ type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrusted
 type property_data_file, file_type, data_file_type, core_data_file_type;
 # /data/bootchart
 type bootchart_data_file, file_type, data_file_type, core_data_file_type;
+# /data/system/dropbox
+type dropbox_data_file, file_type, data_file_type, core_data_file_type;
 # /data/system/heapdump
 type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/nativetest
diff --git a/public/init.te b/public/init.te
index 88357e524f1f71feda472aa24eafe2c92ecbea3b..3047037668070289703a56a45501ae68dcdb06ae 100644
--- a/public/init.te
+++ b/public/init.te
@@ -164,11 +164,11 @@ allow init {
 allow init {
   file_type
   -app_data_file
-  -runtime_event_log_tags_file
   -exec_type
   -keystore_data_file
   -misc_logd_file
   -nativetest_data_file
+  -runtime_event_log_tags_file
   -shell_data_file
   -system_app_data_file
   -system_file