diff --git a/public/domain.te b/public/domain.te
index 0d50c38f961cf9019cb538e35192419b98c38479..92ea561d909056fd8af5ed056182af05fae758d2 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -678,79 +678,6 @@ full_treble_only(`
   }:sock_file ~{ append getattr ioctl read write };
 ')
 
-# On TREBLE devices, vendor and system components are only allowed to share
-# files by passing open FDs over hwbinder. Ban all directory access and all file
-# accesses other than what can be applied to an open FD such as
-# ioctl/stat/read/write/append. This is enforced by segregating /data.
-# Vendor domains may directly access file in /data/vendor by path, but may only
-# access files outside of /data/vendor via an open FD passed over hwbinder.
-# Likewise, core domains may only directly access files outside /data/vendor by
-# path and files in /data/vendor by open FD.
-full_treble_only(`
-  # only coredomains may only access core_data_file_type, particularly not
-  # /data/vendor
-  neverallow {
-    coredomain
-    -appdomain # TODO(b/34980020) remove exemption for appdomain
-    -data_between_core_and_vendor_violators
-    -init
-    -vendor_init
-  } {
-    data_file_type
-    -core_data_file_type
-  }:file_class_set ~{ append getattr ioctl read write };
-  neverallow {
-    coredomain
-    -appdomain # TODO(b/34980020) remove exemption for appdomain
-    -data_between_core_and_vendor_violators
-    -init
-    -vendor_init
-    } {
-      data_file_type
-      -core_data_file_type
-    }:dir *;
-
-')
-full_treble_only(`
-  # vendor domains may only access files in /data/vendor, never core_data_file_types
-  neverallow {
-    domain
-    -appdomain # TODO(b/34980020) remove exemption for appdomain
-    -coredomain
-    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
-  } {
-    core_data_file_type
-    # libc includes functions like mktime and localtime which attempt to access
-    # files in /data/misc/zoneinfo/tzdata file. These functions are considered
-    # vndk-stable and thus must be allowed for all processes.
-    -zoneinfo_data_file
-    }:file_class_set ~{ append getattr ioctl read write };
-')
-full_treble_only(`
-  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
-  neverallow {
-    domain
-    -appdomain # TODO(b/34980020) remove exemption for appdomain
-    -coredomain
-    -data_between_core_and_vendor_violators
-    } {
-      core_data_file_type
-      -system_data_file # default label for files on /data. Covered below...
-      -zoneinfo_data_file
-    }:dir *;
-')
-full_treble_only(`
-  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
-  neverallow {
-    domain
-    -appdomain # TODO(b/34980020) remove exemption for appdomain
-    -coredomain
-    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
-    } {
-      system_data_file # default label for files on /data. Covered below
-    }:dir ~{ getattr search };
-')
-
 # On TREBLE devices, a limited set of files in /vendor are accessible to
 # only a few whitelisted coredomains to keep system/vendor separation.
 full_treble_only(`
diff --git a/public/hal_drm.te b/public/hal_drm.te
index a46dd9116e87fcd9be191c5698ca5fbed49c8d7a..30742d7c7d4d78d23ebc576bebf95483a8881bf1 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -33,6 +33,11 @@ allow hal_drm hal_graphics_allocator:fd use;
 # Allow access to fds allocated by mediaserver
 allow hal_drm mediaserver:fd use;
 
+# Allow access to app_data and media_data_files
+allow hal_drm media_data_file:dir create_dir_perms;
+allow hal_drm media_data_file:file create_file_perms;
+allow hal_drm media_data_file:file { getattr read };
+
 allow hal_drm sysfs:file r_file_perms;
 
 allow hal_drm tee_device:chr_file rw_file_perms;
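Review bot: The third added rule, `allow hal_drm media_data_file:file { getattr read };`, is redundant, since `create_file_perms` on the line above already expands to a superset that includes getattr and read, and can be dropped. The comment `# Allow access to app_data and media_data_files` names app_data but no app_data_file rule follows it; `# Allow hal_drm to create and manage files labelled media_data_file` would match what is granted. More importantly, hal_drm is a vendor HAL being given direct by-path access to what appears to be a core data type (the domain.te hunk in this same commit has to drop the core/vendor data-segregation neverallow for this to compile), so the hunk should carry a comment recording why FD passing over hwbinder is not used and a tracking reference for relocating the data, e.g. `# TODO(<bug id>): by-path access to core data violates Treble data segregation; move to FD passing or /data/vendor`. The same concern applies to the fingerprintd_data_file, nfc_data_file, wifi_data_file/wpa_socket and hostapd_socket grants in the later hunks.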
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 36de76191c0a38118a576784af64e9aaf5cb4424..bef9f556ee8a94519e5ff1bb540d52234b577233 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -5,6 +5,12 @@ binder_call(hal_fingerprint_server, hal_fingerprint_client)
 add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
 allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
 
+# allow HAL module to read dir contents
+allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
+
+# allow HAL module to read/write/unlink contents of this dir
+allow hal_fingerprint fingerprintd_data_file:dir rw_dir_perms;
+
 # For memory allocation
 allow hal_fingerprint ion_device:chr_file r_file_perms;
 
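Review bot: The comment `# allow HAL module to read dir contents` does not describe the rule beneath it, which is a `:file create_file_perms` grant — create, rename, setattr, unlink and read/write on files, not directory reading. If the HAL only reads these files, `r_file_perms` is the least-privilege grant and the comment is right; if it really creates and deletes them, the comment should say so, e.g. `# allow HAL module to create, read, write and unlink files in this dir`. The second comment (`read/write/unlink contents of this dir`) matches `rw_dir_perms` well enough, though "add and remove entries" is closer to what that macro grants.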
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index 3bcdf5ee10ea54ff5a66847b1333a54b318f38a1..a027c48bebd80f1830d357c807b5cbc88e5b1da9 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -10,3 +10,7 @@ set_prop(hal_nfc, nfc_prop)
 
 # NFC device access.
 allow hal_nfc nfc_device:chr_file rw_file_perms;
+
+# Data file accesses.
+allow hal_nfc nfc_data_file:dir create_dir_perms;
+allow hal_nfc nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
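Review bot: The one-line comment `# Data file accesses.` does not explain why hal_nfc needs to create symlinks and FIFOs (`lnk_file fifo_file`) in its data directory in addition to regular files; each extra object class widens what a compromised HAL can place there, so the reason should be recorded. Suggested wording: `# Data file accesses. lnk_file/fifo_file are needed because <reason>` with the actual reason filled in, or the class set trimmed to `file` if the other two are not exercised.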
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 6bf0d32659c7a666d8c36a5e194d97f48a88e95a..a4f041f58a0cb5eaa16cc3fbe207745fe9058e00 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -19,6 +19,12 @@ allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
 allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow hal_wifi_supplicant self:packet_socket create_socket_perms;
 allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
+allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
+
+# Create a socket for receiving info from wpa
+allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
+allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
 
 ###
 ### neverallow rules
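Review bot: The two `wifi_data_file` rules appended after the allowxperm line have no comment and are visually folded into the netlink/packet-socket block above them; a blank line and a comment stating what the supplicant creates and writes there (`# Read and write supplicant configuration and state files`) would separate the two concerns, matching the comment given to the wpa_socket rules below. Also, the wpa_socket comment says "a socket for receiving info from wpa" while the rule also grants `create_dir_perms` on the socket directory, so `# Create the control socket directory and socket files used by wpa` would describe both lines.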
diff --git a/vendor/hostapd.te b/vendor/hostapd.te
index 9f99378219d04ac712193a86f8a616f6aa54fb62..ab0545df50e9947440664e1848cfcd1d2096eb25 100644
--- a/vendor/hostapd.te
+++ b/vendor/hostapd.te
@@ -21,3 +21,13 @@ allow hostapd self:netlink_socket create_socket_perms_no_ioctl;
 allow hostapd self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow hostapd self:packet_socket create_socket_perms_no_ioctl;
 allow hostapd self:netlink_route_socket nlmsg_write;
+
+# hostapd can read and write WiFi related data and configuration.
+# For example, the entropy file is periodically updated.
+allow hostapd wifi_data_file:file rw_file_perms;
+r_dir_file(hostapd, wifi_data_file)
+
+# hostapd wants to create the directory holding its control socket.
+allow hostapd hostapd_socket:dir create_dir_perms;
+# hostapd needs to create, bind to, read, and write its control socket.
+allow hostapd hostapd_socket:sock_file create_file_perms;