diff --git a/public/domain.te b/public/domain.te
index 9458d796a199b312e33ab430e69d0a82f4ceb8cd..3a914d7b5fa5d9776a5f49d8d0e216cc10a47cca 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -841,13 +841,25 @@ full_treble_only(`
 -appdomain # TODO(b/34980020) remove exemption for appdomain
 -coredomain
 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -vendor_init
 } {
 core_data_file_type
 # libc includes functions like mktime and localtime which attempt to access
 # files in /data/misc/zoneinfo/tzdata file. These functions are considered
 # vndk-stable and thus must be allowed for all processes.
 -zoneinfo_data_file
- }:file_class_set ~{ append getattr ioctl read write };
+ }:file_class_set ~{ append getattr ioctl read write };
+ neverallow {
+ vendor_init
+ -data_between_core_and_vendor_violators
+ } {
+ core_data_file_type
+ -unencrypted_data_file
+ -zoneinfo_data_file
+ }:file_class_set ~{ append getattr ioctl read write };
+ # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+ # The vendor init binary lives on the system partition so there is not a concern with stability.
+ neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
 ')
 full_treble_only(`
 # vendor domains may only access dirs in /data/vendor, never core_data_file_types
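Review bot: The closing `neverallow vendor_init unencrypted_data_file:file ~r_file_perms;` bounds only the `file` class, while the vendor_init-specific neverallow just above it removes `unencrypted_data_file` from the entire `file_class_set`, so vendor_init ends up with no neverallow at all on lnk_file, sock_file, fifo_file, chr_file or blk_file objects carrying that label. Since the comment says vendor_init only needs to read, I would pin the remaining classes explicitly, e.g. `neverallow vendor_init unencrypted_data_file:{ lnk_file sock_file fifo_file chr_file blk_file } *;` (adjust to whatever `file_class_set` minus `file` expands to in this tree). That keeps the stated read-only intent enforced against later policy additions rather than relying on nobody ever adding such a rule. The enclosing `neverallow {` and `full_treble_only(` open above the hunk.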
@@ -856,12 +868,26 @@ full_treble_only(`
 -appdomain # TODO(b/34980020) remove exemption for appdomain
 -coredomain
 -data_between_core_and_vendor_violators
- } {
- core_data_file_type
- -system_data_file # default label for files on /data. Covered below...
- -vendor_data_file
- -zoneinfo_data_file
- }:dir *;
+ -vendor_init
+ } {
+ core_data_file_type
+ -system_data_file # default label for files on /data. Covered below...
+ -vendor_data_file
+ -zoneinfo_data_file
+ }:dir *;
+ neverallow {
+ vendor_init
+ -data_between_core_and_vendor_violators
+ } {
+ core_data_file_type
+ -unencrypted_data_file
+ -system_data_file
+ -vendor_data_file
+ -zoneinfo_data_file
+ }:dir *;
+ # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+ # The vendor init binary lives on the system partition so there is not a concern with stability.
+ neverallow vendor_init unencrypted_data_file:dir ~search;
 ')
 full_treble_only(`
 # vendor domains may only access dirs in /data/vendor, never core_data_file_types
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 362244ee756c349aa1f18ae94fea497f53585a5a..135dfa859580cd29c16d8e0edb949d622c331d11 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -34,6 +34,10 @@ allow vendor_init self:global_capability_class_set dac_override;
 # we just allow all file types except /system files here.
 allow vendor_init self:global_capability_class_set { chown fowner fsetid };
 
+# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
+allow vendor_init unencrypted_data_file:dir search;
+allow vendor_init unencrypted_data_file:file r_file_perms;
+
 allow vendor_init {
 file_type
 -core_data_file_type
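Review bot: The new vendor_init-specific dir neverallow subtracts `-data_between_core_and_vendor_violators` from a source set that contains only the single type `vendor_init`, so any device policy that attaches that attribute to vendor_init empties the set and silently disables the rule (the `:file_class_set` counterpart earlier in this file has the same shape). The comment itself argues vendor_init is a system-owned binary, so unless some device is known to tag it as a violator I would drop the escape hatch and write `neverallow vendor_init { core_data_file_type -unencrypted_data_file -system_data_file -vendor_data_file -zoneinfo_data_file }:dir *;`, or add a comment saying why it is kept. The carried-over `-system_data_file # ... Covered below...` exclusion now also applies to the vendor_init rule, but the rule it refers to is outside this hunk; worth confirming vendor_init is not subtracted there as well, otherwise system_data_file dirs would have no vendor_init neverallow at all. The enclosing `neverallow {` opens above the hunk.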
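Review bot: `allow vendor_init unencrypted_data_file:file r_file_perms;` grants more than the comment justifies: reading `/data/unencrypted/{ref,mode}` needs only `{ getattr open read }`, whereas `r_file_perms` normally also carries `ioctl` and `lock` (and `map` in trees that define it; confirm against global_macros here), and the rule covers every file labeled `unencrypted_data_file`, not just those two. If vendor_init executes vendor-supplied init scripts, as its name suggests, the paths it opens under that label are chosen by vendor code at runtime, so I would narrow the grant to `allow vendor_init unencrypted_data_file:file { getattr open read };` (still within the `~r_file_perms` neverallow in domain.te) or, if the label covers anything more sensitive than ref and mode, give those two files their own type. Either way the comment should record that the access is intentionally read-only and bounded by domain.te, e.g. `# Read-only by design; domain.te neverallows anything beyond r_file_perms / dir search.`. The `allow vendor_init {` statement at the end of the hunk continues past it.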