diff --git a/system_server.te b/system_server.te
index 020f2ab0c706c323cadd2e92a384a9d3b66d52d7..e1528f9009b650527f394c289b6e4488f26b40f0 100644
--- a/system_server.te
+++ b/system_server.te
@@ -405,3 +405,10 @@ allow system_server oemfs:dir search;
 # Do not allow accessing SDcard files as unsafe ejection could
 # cause the kernel to kill the system_server.
 neverallow system_server sdcard_type:file rw_file_perms;
+
+# system server should never be opening zygote spawned app data
+# files directly. Rather, they should always be passed via a
+# file descriptor.
+# Types extracted from seapp_contexts type= fields, excluding
+# those types that system_server needs to open directly.
+neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file open;
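Review bot: The new neverallow at the end of the hunk enumerates four types by hand, so any `type=` value added to seapp_contexts later falls outside the rule unless someone remembers to extend this list; grouping the app-data file types under a shared attribute and writing the neverallow against that attribute would keep the rule in step with seapp_contexts automatically. The comment says some seapp_contexts types were deliberately excluded but names neither the types nor the reason, which is exactly what a future reviewer needs to judge whether the exception still holds; a line such as `# Excluded on purpose: <TYPE> — system_server opens it directly for <REASON>` (placeholder values) after the existing comment would close that gap. Note also that the rule only covers the `file` class, so `open` on directories or symlinks under app data stays governed by the existing allow rules; if that is intended, saying so in the comment avoids the rule being read as broader than it is.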