diff --git a/public/attributes b/public/attributes
index 9f42c9ab7caf03402474fe15b2fe0da66bbf28ad..b1d83d04223aec3fce70ee97ff4421e7ecbe868c 100644
--- a/public/attributes
+++ b/public/attributes
@@ -45,6 +45,10 @@ attribute core_data_file_type;
 # data outside /data/vendor.
 # TODO(b/34980020): Remove this once there are no violations
 attribute coredata_in_vendor_violators;
+# All core domains which violate the requirement of not accessing vendor
+# owned data.
+# TODO(b/34980020): Remove this once there are no violations
+attribute vendordata_in_core_violators;
 # All types use for sysfs files.
 attribute sysfs_type;
diff --git a/public/dhcp.te b/public/dhcp.te
index 6b9fb4ad11fd47d19b304d4c85613e9609bba558..c18b08d68ff0332c0568a90ddd947a11681f7e86 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -1,6 +1,5 @@
 type dhcp, domain, domain_deprecated;
 type dhcp_exec, exec_type, file_type;
-type dhcp_data_file, file_type, data_file_type;
 net_domain(dhcp)
diff --git a/public/domain.te b/public/domain.te
index bd5deb7cfd13c50e209ca27bcb2a7ea9a946f803..30b3a98e0b998f4405a399c1a14dac9b8c172cc7 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -516,6 +516,25 @@ full_treble_only(`
 -appdomain
 -coredata_in_vendor_violators
 } system_data_file:dir ~search;
+ # do not allow coredomains to directly access vendor data. Exempt init
+ # because it is responsible for dir/file creation in init.rc scripts.
+ # Also exempt halclientdomain to exclude rules for passthrough mode.
+ neverallow {
+ coredomain
+ -halclientdomain
+ -init
+ -vendordata_in_core_violators
+ } {
+ data_file_type
+ -core_data_file_type
+ }:file_class_set ~{ append getattr ioctl read write };
+ # do not allow coredomain to access vendor data directories.
+ neverallow {
+ coredomain
+ -halclientdomain
+ -init
+ -vendordata_in_core_violators
+ } { data_file_type -core_data_file_type }:dir *;
 ')
 # On full TREBLE devices, socket communications between core components and vendor components are 
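Review bot: The new comment on vendordata_in_core_violators does not say what the attribute exempts a domain from, so someone adding a domain to it cannot tell which guarantee they are weakening; the sibling coredata_in_vendor_violators comment has the same gap. I would extend the added comment with `# Domains carrying this attribute are exempted from the coredomain -> vendor data neverallow rules in domain.te; every addition weakens the core/vendor data boundary and belongs on the bug above.` Sharing bug id b/34980020 with the vendor-side attribute is fine as long as both lists are actually tracked there.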
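Review bot: The comment on the first added neverallow says coredomains must not "directly access" vendor data, but the rule's `~{ append getattr ioctl read write }` deliberately leaves read, write, append, ioctl and getattr on files unconstrained, so what is actually guaranteed is that core domains cannot open, create, unlink, rename or setattr vendor-owned files themselves while use of an already-open descriptor handed to them stays allowed; the comment should state that, e.g. `# Core domains may still use vendor file descriptors passed to them (read/write/ioctl/getattr) but must not open, create or modify vendor-owned files.` The `-halclientdomain` exemption removes every HAL client from both rules for all non-core data types, not only for the data a passthrough HAL touches; if halclientdomain is as broad as its name suggests, that is a sizeable carve-out and presumably deserves the same TODO/bug reference as vendordata_in_core_violators. The `:dir *` rule also denies search and getattr, which is stricter than the vendor-side rule just above it (`system_data_file:dir ~search`); a one-line comment saying the asymmetry is intended would help the next reader. The enclosing `full_treble_only(` block starts before this hunk.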
diff --git a/public/file.te b/public/file.te
index 1634e33616cfb061af18a3324613797dfd59f326..f7f91df35a28c3d1033ad9cc54fce9dd14955409 100644
--- a/public/file.te
+++ b/public/file.te
@@ -135,6 +135,8 @@ type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedob
 type preloads_data_file, file_type, data_file_type, core_data_file_type;
 # /data/preloads/media
 type preloads_media_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/dhcp and /data/misc/dhcp-6.8.2
+type dhcp_data_file, file_type, data_file_type, core_data_file_type;
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
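Review bot: The relocated declaration of dhcp_data_file gains `core_data_file_type`, which places /data/misc/dhcp on the core side of the boundary the domain.te hunk in this diff introduces; that is only right if the dhcp domain itself is a coredomain, and the dhcp.te hunk here shows only `domain, domain_deprecated`, so confirm that coredomain is assigned to dhcp elsewhere (a non-core dhcp writing core data would instead be caught by the vendor-side rule). The added comment hard-codes the version-specific path `/data/misc/dhcp-6.8.2`, and the label for both paths is assigned in file_contexts rather than here; I would write it as `# /data/misc/dhcp and /data/misc/dhcp-<version> (labeled via file_contexts)` so the comment does not go stale on a dhcpcd upgrade. The matching removal of the old declaration is the dhcp.te hunk in this same diff.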