diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index bc847ee9139b4b8d26bc3d7f81d756f38fc3fedf..ae0a94d62f74d1faed9c4a7d67291f523f5150d3 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -65,6 +65,7 @@
     lowpan_service
     mediaextractor_update_service
     mediaprovider_tmpfs
+    mnt_vendor_file
     netd_stable_secret_prop
     network_watchlist_data_file
     network_watchlist_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 0e8c16422587f3efa9f7a64487e872ac80519e3d..79640463dcffb42edb72949f0cdb5a41d851edad 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -54,6 +54,7 @@
     lowpan_prop
     lowpan_service
     mediaextractor_update_service
+    mnt_vendor_file
     network_watchlist_data_file
     network_watchlist_service
     perfetto
diff --git a/private/file_contexts b/private/file_contexts
index c5169ff60060848755275c267bbd59770e3c1027..c2a8c74e102c4fdacc6701216e91a04142d1aa99 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -526,3 +526,7 @@
 /mnt/user(/.*)?             u:object_r:mnt_user_file:s0
 /mnt/runtime(/.*)?          u:object_r:storage_file:s0
 /storage(/.*)?              u:object_r:storage_file:s0
+
+#############################
+# mount point for read-write vendor partitions
+/mnt/vendor(/.*)?          u:object_r:mnt_vendor_file:s0
diff --git a/public/domain.te b/public/domain.te
index 598991bc90b6b3f35b3fa3d2236a9ad4c62f3188..b773124180261875f3f9e1421bd2f3605e37a32a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1357,3 +1357,9 @@ userdebug_or_eng(`
   dontaudit domain proc_type:file create;
   dontaudit domain sysfs_type:file create;
 ')
+
+# Platform must not have access to /mnt/vendor.
+neverallow {
+  coredomain
+  -init
+} mnt_vendor_file:dir *;
diff --git a/public/file.te b/public/file.te
index c5844b60e720ae4fe8546291e09f90b0383a8202..1451dc4501bfb8f4d6f2a9ef26f8cef9bb3f6529 100644
--- a/public/file.te
+++ b/public/file.te
@@ -225,6 +225,9 @@ type storage_file, file_type;
 type mnt_media_rw_stub_file, file_type;
 type storage_stub_file, file_type;
 
+# Mount location for read-write vendor partitions.
+type mnt_vendor_file, file_type;
+
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.