diff --git a/public/domain.te b/public/domain.te
index beb091cc4b3e61f11e1ed5acd005c8d3ac215fff..dc967f3dfcc9a5bcfaabf3f4d9f35915118e4b31 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -619,12 +619,16 @@ full_treble_only(`
     -appdomain
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
   } binder_device:chr_file rw_file_perms;
+')
+full_treble_only(`
   neverallow {
     domain
     -coredomain
     -appdomain # restrictions for vendor apps are declared lower down
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
   } service_manager_type:service_manager find;
+')
+full_treble_only(`
   # Vendor apps are permited to use only stable public services. If they were to use arbitrary
   # services which can change any time framework/core is updated, breakage is likely.
   neverallow {
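Review bot: Nothing in the file records why each neverallow now sits in its own full_treble_only() block, so a later edit can easily add a second rule to one of these blocks or merge them back. This applies to every split in the patch, including the hunks at new lines 652, 670, 803 and 899 onward. A short comment above the first block would guard against that, for example `# Keep one neverallow per full_treble_only() block (reason: <from commit message>); add new rules in their own block.` The first block opens above this hunk and the vendor-app rule at its end continues below it, so the comment's placement should be checked against the full file. The context comment that now heads the third block also spells `permited` for `permitted`.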
@@ -648,6 +652,8 @@ full_treble_only(`
     -vr_hwc_service
     -vr_manager_service
   }:service_manager find;
+')
+full_treble_only(`
   neverallow {
     domain
     -coredomain
@@ -664,12 +670,18 @@ full_treble_only(`
     userdebug_or_eng(`-su')
     -ueventd # uevent is granted create for this device, but we still neverallow I/O below
   } vndbinder_device:chr_file rw_file_perms;
+')
+full_treble_only(`
   neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+')
+full_treble_only(`
   neverallow {
     coredomain
     -shell
     userdebug_or_eng(`-su')
   } vndservice_manager_type:service_manager *;
+')
+full_treble_only(`
   neverallow {
     coredomain
     -shell
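Review bot: The three close/reopen pairs added in this hunk depend on hand-balanced m4 quotes, and nothing visible in the patch shows that the expanded rule set is unchanged. In the lines shown, every added `')` is followed directly by a new full_treble_only( opener, so each neverallow stays conditional. A single misplaced quote in the parts of the file outside these hunks could, however, leave a rule outside the conditional or quote away the text that follows it. Comparing the m4-expanded policy before and after the change, once for a full-Treble build and once for a non-Treble build, would confirm the split is purely structural. The last block opened here continues past the end of the hunk.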
@@ -791,6 +803,8 @@ full_treble_only(`
     data_file_type
     -core_data_file_type
   }:file_class_set ~{ append getattr ioctl read write };
+')
+full_treble_only(`
   neverallow {
     coredomain
     -appdomain # TODO(b/34980020) remove exemption for appdomain
@@ -885,7 +899,9 @@ full_treble_only(`
         -postinstall_dexopt
         -system_server
     } vendor_app_file:dir { open read getattr search };
+')
 
+full_treble_only(`
     neverallow {
         coredomain
         -appdomain
@@ -897,7 +913,9 @@ full_treble_only(`
         -postinstall_dexopt
         -system_server
     } vendor_app_file:{ file lnk_file } r_file_perms;
+')
 
+full_treble_only(`
     # Limit access to /vendor/overlay
     neverallow {
         coredomain
@@ -909,7 +927,9 @@ full_treble_only(`
         -webview_zygote
         -zygote
     } vendor_overlay_file:dir { getattr open read search };
+')
 
+full_treble_only(`
     neverallow {
         coredomain
         -appdomain
@@ -920,7 +940,9 @@ full_treble_only(`
         -webview_zygote
         -zygote
     } vendor_overlay_file:{ file lnk_file } r_file_perms;
+')
 
+full_treble_only(`
     # Non-vendor domains are not allowed to file execute shell
     # from vendor
     neverallow {
@@ -928,7 +950,9 @@ full_treble_only(`
         -init
         -shell
     } vendor_shell_exec:file { execute execute_no_trans };
+')
 
+full_treble_only(`
     # Do not allow vendor components to execute files from system
     # except for the ones whitelist here.
     neverallow {
@@ -944,7 +968,9 @@ full_treble_only(`
         -crash_dump_exec
         -netutils_wrapper_exec
     }:file { entrypoint execute execute_no_trans };
+')
 
+full_treble_only(`
     # Do not allow system components to execute files from vendor
     # except for the ones whitelisted here.
     neverallow {
@@ -958,7 +984,9 @@ full_treble_only(`
       -vndk_sp_file
       -vendor_app_file
     }:file execute;
+')
 
+full_treble_only(`
     neverallow {
       coredomain
       -shell