diff --git a/public/dex2oat.te b/public/dex2oat.te
index bbd3c72f963a1f40db08ea51e0a75f03da13b40a..2fb233649ac0168539cb15b6cd4a8a315c8ba725 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -5,6 +5,9 @@ type dex2oat_exec, exec_type, file_type;
 r_dir_file(dex2oat, apk_data_file)
 # Access to /vendor/app
 r_dir_file(dex2oat, vendor_app_file)
+# Access /vendor/framework
+allow dex2oat vendor_framework_file:dir { getattr search };
+allow dex2oat vendor_framework_file:file { getattr open read };
 
 allow dex2oat tmpfs:file { read getattr };
 
diff --git a/public/domain.te b/public/domain.te
index ffa8d44a84c1a5b29f03d0ca7d8b7c830652ee48..b744206dfd0edd32c674620f1f0f8c727bc27f1f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -136,11 +136,6 @@ full_treble_only(`
     # TODO: b/36806861
     allow domain vendor_app_file:lnk_file { open read };
 
-    # TODO: b/36680116, find out who neeeds access and only allow
-    # specific domains
-    allow domain vendor_framework_file:dir r_dir_perms;
-    allow domain vendor_framework_file:file { read open getattr };
-
     # Allow reading and executing out of /vendor to all vendor domains
     allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
     allow { domain -coredomain } vendor_file_type:file { read open getattr execute };