diff --git a/domain.te b/domain.te
index 0af215d1b49b1c6a1dd780ebc67fc6ede1826adf..de00ac1dfecf64e672af23dbc81dc24d656b04c2 100644
--- a/domain.te
+++ b/domain.te
@@ -427,6 +427,13 @@ neverallow {
   -installd # creation of app sandbox
 } system_app_data_file:dir_file_class_set { create unlink open };
 
+# Services should respect app sandboxes
+neverallow {
+  domain
+  -appdomain
+  -installd # creation of sandbox
+} app_data_file:dir_file_class_set { create unlink };
+
 #
 # Only these domains should transition to shell domain. This domain is
 # permissible for the "shell user". If you need a process to exec a shell
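Review bot: The added neverallow on `app_data_file` lists only `{ create unlink }`, while the `system_app_data_file` rule directly above it also denies `open`. As written, a later allow rule could still grant a non-app domain `open` on app-private files or directories without failing the policy build. If leaving out `open` is deliberate (for example because some domains have to open app data by path), say so in the comment, e.g. `# open is intentionally not listed here: <reason>`. Otherwise make the set match its neighbour: `} app_data_file:dir_file_class_set { create unlink open };`. The comment would also be clearer if it named the intent, e.g. `# Only app domains and installd may create or delete files in app sandboxes`. Note that the preceding neverallow starts outside this hunk, so its full exemption list is not visible here.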