diff --git a/public/domain.te b/public/domain.te
index 3ed451a155e438b951b00c59ec8a016e25c8eea6..847de67ac4cf3580be0de486c99894194b760196 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -656,10 +656,17 @@ neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
 # respect system_app sandboxes
 neverallow {
   domain
-  -system_app # its own sandbox
+  -appdomain # finer-grained rules for appdomain are listed below
   -system_server #populate com.android.providers.settings/databases/settings.db.
   -installd # creation of app sandbox
 } system_app_data_file:dir_file_class_set { create unlink open };
+neverallow {
+  isolated_app
+  untrusted_app_all # finer-grained rules for appdomain are listed below
+  ephemeral_app
+  priv_app
+} system_app_data_file:dir_file_class_set { create unlink open };
+
 
 # Services should respect app sandboxes
 neverallow {
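Review bot: Swapping `-system_app` for `-appdomain` in the first neverallow excludes every appdomain member from the check, but the second neverallow restores it only for isolated_app, untrusted_app_all, ephemeral_app and priv_app, so any other domain carrying the appdomain attribute (platform_app, if it does in this tree, plus any vendor-defined app domain) is now no longer neverallowed `{ create unlink open }` on system_app_data_file. If that relaxation is intended, the comment should say so rather than pointing at "finer-grained rules" that only cover four domains; if it is not, the missing members belong in the second list. I would at least replace the comment on the added line with `# all appdomains except system_app and platform_app are restricted below` (adjusting the names to whatever the policy actually grants) so the gap is documented where a future reader will look. Note that neverallow is a build-time assertion only; it does not revoke any allow rule already present elsewhere, so the second rule should be checked against the current allow rules for the listed domains before merging.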