diff --git a/public/domain.te b/public/domain.te
index 108278b51610edec5d88a708a18f410425df1f61..f544cd1d80bfe473fd02b9c746343c957445fe3a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -678,6 +678,79 @@ full_treble_only(`
   }:sock_file ~{ append getattr ioctl read write };
 ')
 
+# On TREBLE devices, vendor and system components are only allowed to share
+# files by passing open FDs over hwbinder. Ban all directory access and all file
+# accesses other than what can be applied to an open FD such as
+# ioctl/stat/read/write/append. This is enforced by segregating /data.
+# Vendor domains may directly access file in /data/vendor by path, but may only
+# access files outside of /data/vendor via an open FD passed over hwbinder.
+# Likewise, core domains may only directly access files outside /data/vendor by
+# path and files in /data/vendor by open FD.
+full_treble_only(`
+  # only coredomains may only access core_data_file_type, particularly not
+  # /data/vendor
+  neverallow {
+    coredomain
+    -appdomain # TODO(b/34980020) remove exemption for appdomain
+    -data_between_core_and_vendor_violators
+    -init
+    -vendor_init
+  } {
+    data_file_type
+    -core_data_file_type
+  }:file_class_set ~{ append getattr ioctl read write };
+  neverallow {
+    coredomain
+    -appdomain # TODO(b/34980020) remove exemption for appdomain
+    -data_between_core_and_vendor_violators
+    -init
+    -vendor_init
+    } {
+      data_file_type
+      -core_data_file_type
+    }:dir *;
+
+')
+full_treble_only(`
+  # vendor domains may only access files in /data/vendor, never core_data_file_types
+  neverallow {
+    domain
+    -appdomain # TODO(b/34980020) remove exemption for appdomain
+    -coredomain
+    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+  } {
+    core_data_file_type
+    # libc includes functions like mktime and localtime which attempt to access
+    # files in /data/misc/zoneinfo/tzdata file. These functions are considered
+    # vndk-stable and thus must be allowed for all processes.
+    -zoneinfo_data_file
+    }:file_class_set ~{ append getattr ioctl read write };
+')
+full_treble_only(`
+  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
+  neverallow {
+    domain
+    -appdomain # TODO(b/34980020) remove exemption for appdomain
+    -coredomain
+    -data_between_core_and_vendor_violators
+    } {
+      core_data_file_type
+      -system_data_file # default label for files on /data. Covered below...
+      -zoneinfo_data_file
+    }:dir *;
+')
+full_treble_only(`
+  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
+  neverallow {
+    domain
+    -appdomain # TODO(b/34980020) remove exemption for appdomain
+    -coredomain
+    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+    } {
+      system_data_file # default label for files on /data. Covered below
+    }:dir ~{ getattr search };
+')
+
 # On TREBLE devices, a limited set of files in /vendor are accessible to
 # only a few whitelisted coredomains to keep system/vendor separation.
 full_treble_only(`
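Review bot: The comment on the fourth full_treble_only block, `# vendor domains may only access dirs in /data/vendor, never core_data_file_types`, is a copy of the third block's comment, but the rule under it restricts system_data_file directories to `getattr search` rather than banning core_data_file_type dirs, so it misdescribes the rule; suggest `# vendor domains may only getattr/search system_data_file dirs (the default label on /data)`. The first block's comment reads `# only coredomains may only access core_data_file_type, particularly not /data/vendor` and should drop the leading `only`. The `-data_between_core_and_vendor_violators` exemption carries a `# TODO(b/34980020) Remove once all violators have been cleaned up` marker in only two of the five neverallow rules; adding it to the other three would make clear that every such exemption is temporary. The closing-brace indentation also differs between the first rule (`  } {`) and the later ones (`    } {`), and the `# default label for files on /data. Covered below...` comment appears once with and once without the trailing ellipsis.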
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 666b1ba82d0712f861db5ab75861c01133de78a9..fbd90eb2df5e95d2d2e15f1cd240cd2b43925392 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -33,11 +33,6 @@ allow hal_drm hal_graphics_allocator:fd use;
 # Allow access to fds allocated by mediaserver
 allow hal_drm mediaserver:fd use;
 
-# Allow access to app_data and media_data_files
-allow hal_drm media_data_file:dir create_dir_perms;
-allow hal_drm media_data_file:file create_file_perms;
-allow hal_drm media_data_file:file { getattr read };
-
 allow hal_drm sysfs:file r_file_perms;
 
 allow hal_drm tee_device:chr_file rw_file_perms;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index bef9f556ee8a94519e5ff1bb540d52234b577233..36de76191c0a38118a576784af64e9aaf5cb4424 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -5,12 +5,6 @@ binder_call(hal_fingerprint_server, hal_fingerprint_client)
 add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
 allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
 
-# allow HAL module to read dir contents
-allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
-
-# allow HAL module to read/write/unlink contents of this dir
-allow hal_fingerprint fingerprintd_data_file:dir rw_dir_perms;
-
 # For memory allocation
 allow hal_fingerprint ion_device:chr_file r_file_perms;
 
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index a027c48bebd80f1830d357c807b5cbc88e5b1da9..3bcdf5ee10ea54ff5a66847b1333a54b318f38a1 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -10,7 +10,3 @@ set_prop(hal_nfc, nfc_prop)
 
 # NFC device access.
 allow hal_nfc nfc_device:chr_file rw_file_perms;
-
-# Data file accesses.
-allow hal_nfc nfc_data_file:dir create_dir_perms;
-allow hal_nfc nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index a4f041f58a0cb5eaa16cc3fbe207745fe9058e00..6bf0d32659c7a666d8c36a5e194d97f48a88e95a 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -19,12 +19,6 @@ allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
 allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow hal_wifi_supplicant self:packet_socket create_socket_perms;
 allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
-allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
-allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
-
-# Create a socket for receiving info from wpa
-allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
-allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
 
 ###
 ### neverallow rules
diff --git a/vendor/hostapd.te b/vendor/hostapd.te
index ab0545df50e9947440664e1848cfcd1d2096eb25..9f99378219d04ac712193a86f8a616f6aa54fb62 100644
--- a/vendor/hostapd.te
+++ b/vendor/hostapd.te
@@ -21,13 +21,3 @@ allow hostapd self:netlink_socket create_socket_perms_no_ioctl;
 allow hostapd self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow hostapd self:packet_socket create_socket_perms_no_ioctl;
 allow hostapd self:netlink_route_socket nlmsg_write;
-
-# hostapd can read and write WiFi related data and configuration.
-# For example, the entropy file is periodically updated.
-allow hostapd wifi_data_file:file rw_file_perms;
-r_dir_file(hostapd, wifi_data_file)
-
-# hostapd wants to create the directory holding its control socket.
-allow hostapd hostapd_socket:dir create_dir_perms;
-# hostapd needs to create, bind to, read, and write its control socket.
-allow hostapd hostapd_socket:sock_file create_file_perms;