diff --git a/public/domain.te b/public/domain.te index 3f8eb66322aaa306c1977814f8105827bbe22947..0a3709690844dcb5476f3f446399ac8d842e8b5b 100644 --- a/public/domain.te +++ b/public/domain.te @@ -656,10 +656,17 @@ neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink }; # respect system_app sandboxes neverallow { domain - -system_app # its own sandbox + -appdomain # finer-grained rules for appdomain are listed below -system_server #populate com.android.providers.settings/databases/settings.db. -installd # creation of app sandbox } system_app_data_file:dir_file_class_set { create unlink open }; +neverallow { + isolated_app + untrusted_app_all # finer-grained rules for appdomain are listed below + ephemeral_app + priv_app +} system_app_data_file:dir_file_class_set { create unlink open }; + # Services should respect app sandboxes neverallow {
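Review bot: The added second `neverallow` covers only `isolated_app`, `untrusted_app_all`, `ephemeral_app` and `priv_app`, while the first rule now exempts all of `appdomain`, so any other app domain, and any added later, loses the compile-time assertion on `system_app_data_file` create/unlink/open that the old rule gave it. If the remaining app domains have no legitimate need for that access, an exclusion-based set keeps the guarantee closed by default: `neverallow { appdomain -system_app } system_app_data_file:dir_file_class_set { create unlink open };`. If some of them do need it, name each as an explicit `-domain` exception with a reason, as the first rule does for `system_server` and `installd`. The trailing comment on `untrusted_app_all` repeats the one on `-appdomain` and says "listed below" from inside the rule it points to; it would read better as a line above the second rule, for example `# appdomain members that must never touch system_app sandboxes`. The `neverallow {` that closes the hunk is context whose body is not visible here.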