diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 9dd2ee7..fb4a9e6 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -634,7 +634,9 @@
 (typeattributeset system_app_data_file_26_0 (system_app_data_file))
 (typeattributeset system_app_service_26_0 (system_app_service))
 (typeattributeset system_block_device_26_0 (system_block_device))
-(typeattributeset system_data_file_26_0 (system_data_file))
+(typeattributeset system_data_file_26_0
+  ( system_data_file
+    vendor_data_file))
 (typeattributeset system_file_26_0 (system_file))
 (typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
 (typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 06f4c91..2272903 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1351,7 +1351,9 @@
 (typeattributeset system_app_data_file_27_0 (system_app_data_file))
 (typeattributeset system_app_service_27_0 (system_app_service))
 (typeattributeset system_block_device_27_0 (system_block_device))
-(typeattributeset system_data_file_27_0 (system_data_file))
+(typeattributeset system_data_file_27_0
+  ( system_data_file
+    vendor_data_file))
 (typeattributeset system_file_27_0 (system_file))
 (typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
 (typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
diff --git a/private/file_contexts b/private/file_contexts
index 25d0d9d..321cfbe 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -425,6 +425,9 @@
 /data/misc/profiles/cur(/.*)?       u:object_r:user_profile_data_file:s0
 /data/misc/profiles/ref(/.*)?       u:object_r:user_profile_data_file:s0
 /data/misc/profman(/.*)?        u:object_r:profman_dump_data_file:s0
+/data/vendor(/.*)?              u:object_r:vendor_data_file:s0
+/data/vendor_ce(/.*)?           u:object_r:vendor_data_file:s0
+/data/vendor_de(/.*)?           u:object_r:vendor_data_file:s0
 
 # storaged proto files
 /data/misc_de/[0-9]+/storaged(/.*)?       u:object_r:storaged_data_file:s0
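Review bot: The three new file_contexts entries only determine the label of paths created (or explicitly restorecon'd) after this policy lands; any /data/vendor, /data/vendor_ce or /data/vendor_de tree that already exists on an upgrading device keeps its on-disk system_data_file label, and nothing in this change adds a relabel. Presumably init's restorecon of /data covers these paths at boot — worth confirming, since a stale label would silently bypass the new coredomain neverallows. A short comment above the entries would also help the next reader: `# /data/vendor{,_ce,_de}: vendor-owned data, labeled apart from system_data_file for system/vendor separation`.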
diff --git a/private/perfetto.te b/private/perfetto.te
index 389fdf4..9ac5d87 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -53,7 +53,15 @@
 neverallow perfetto domain:process ptrace;
 
 # Disallows access to other /data files.
-neverallow perfetto { data_file_type -system_data_file -zoneinfo_data_file -perfetto_traces_data_file }:dir *;
+neverallow perfetto {
+  data_file_type
+  -system_data_file
+  # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
+  # neverallow. Currently only getattr and search are allowed.
+  -vendor_data_file
+  -zoneinfo_data_file
+  -perfetto_traces_data_file
+}:dir *;
 neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
 neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
 neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
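Review bot: The new comment at the `-vendor_data_file` exemption says vendor_data_file is "further restricted in a subsequent neverallow", but the following rule still lists only `{ system_data_file -perfetto_traces_data_file }`, so nothing in this file limits perfetto on vendor_data_file directories to getattr/search. The only such limit visible in this diff is the `full_treble_only` coredomain neverallow in domain.te, which has its own exemption list and does not apply on non-Treble builds. To make the comment true locally, extend the next rule: `neverallow perfetto { system_data_file vendor_data_file -perfetto_traces_data_file }:dir ~{ getattr search };`.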
diff --git a/private/traced.te b/private/traced.te
index bb7a091..531ecc2 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -27,8 +27,15 @@
 
 # Disallows access to /data files, still allowing to write to file descriptors
 # passed through the socket.
-neverallow traced { data_file_type -system_data_file -zoneinfo_data_file }:dir *;
-neverallow traced system_data_file:dir ~{ getattr search };
+neverallow traced {
+  data_file_type
+  -system_data_file
+  # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+  # subsequent neverallow. Currently only getattr and search are allowed.
+  -vendor_data_file
+  -zoneinfo_data_file
+}:dir *;
+neverallow traced { system_data_file }:dir ~{ getattr search };
 neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
 neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
 neverallow traced { data_file_type -zoneinfo_data_file }:file ~write;
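Review bot: The rewritten `neverallow traced { system_data_file }:dir ~{ getattr search };` gained braces but still contains only system_data_file, so the "further restricted in a subsequent neverallow" promise made two lines above for vendor_data_file is not kept in this file. As written, traced's vendor_data_file directory access is bounded only by the coredomain neverallow in domain.te. The braces suggest the intended line was `neverallow traced { system_data_file vendor_data_file }:dir ~{ getattr search };`.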
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 15c51d4..26e0051 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -44,7 +44,14 @@
 neverallow traced_probes domain:process ptrace;
 
 # Disallows access to /data files.
-neverallow traced { data_file_type -system_data_file -zoneinfo_data_file }:dir *;
+neverallow traced {
+  data_file_type
+  -system_data_file
+  # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+  # subsequent neverallow. Currently only getattr and search are allowed.
+  -vendor_data_file
+  -zoneinfo_data_file
+}:dir *;
 neverallow traced system_data_file:dir ~{ getattr search };
 neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
 neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
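Review bot: The rewritten rule in traced_probes.te names `traced` as the subject, not `traced_probes`, and so do the three context rules after it, while the ptrace rule just above correctly uses `traced_probes`. The effect is that traced_probes has no /data directory, lnk_file or file neverallows from this file at all, and the rules here merely duplicate traced.te. Since this line is being rewritten anyway, change the subject to `neverallow traced_probes { ... }:dir *;` and apply the same fix to the rules that follow; the vendor_data_file exemption then also needs a local `neverallow traced_probes { system_data_file vendor_data_file }:dir ~{ getattr search };` to back the comment's claim.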
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 58e510e..af1f442 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -9,7 +9,10 @@
 allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
 allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override };
 allow vold_prepare_subdirs self:process setfscreate;
-allow vold_prepare_subdirs system_data_file:dir { open read write add_name remove_name };
+allow vold_prepare_subdirs {
+  system_data_file
+  vendor_data_file
+}:dir { open read write add_name remove_name };
 allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
 allow vold_prepare_subdirs vold_data_file:file { getattr unlink };
 allow vold_prepare_subdirs storaged_data_file:dir create_dir_perms;
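Review bot: The new vendor_data_file grant has no comment explaining why a core daemon touches vendor data, although the matching exemption in domain.te's coredomain neverallow depends on exactly this rationale. Note also that this rule grants no `search` or `getattr` on vendor_data_file, so traversal into /data/vendor_{ce,de} appears to rely on the domain-wide allow added in domain.te; if that allow is later narrowed to non-coredomain as its TODO says, this rule will need those permissions added. Suggested comment above the rule: `# vold_prepare_subdirs adds and removes per-user subdirectories under /data/vendor_{ce,de}; this is the reason for its exemption in domain.te's vendor_data_file neverallow`.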
diff --git a/public/domain.te b/public/domain.te
index 67eafc2..6f50552 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -208,11 +208,15 @@
 r_dir_file(domain, sysfs_usb);
 
 # files under /data.
-not_full_treble(`allow domain system_data_file:dir getattr;')
+not_full_treble(`
+  allow domain system_data_file:dir getattr;
+')
 allow { coredomain appdomain } system_data_file:dir getattr;
 # /data has the label system_data_file. Vendor components need the search
 # permission on system_data_file for path traversal to /data/vendor.
 allow domain system_data_file:dir search;
+# TODO restrict this to non-coredomain
+allow domain vendor_data_file:dir { getattr search };
 
 # required by the dynamic linker
 allow domain proc:lnk_file { getattr read };
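Review bot: `allow domain vendor_data_file:dir { getattr search };` hands every domain, including appdomain, traversal into /data/vendor{,_ce,_de}, which lets any process probe the existence of vendor paths by distinguishing ENOENT from EACCES; the TODO acknowledges this should be non-coredomain only but, unlike the other TODOs in this change, carries no bug reference to track it. Unless a coredomain actually needs the traversal now, write the intended rule directly, `allow { domain -coredomain } vendor_data_file:dir { getattr search };`, and give the few coredomains that do need it (vold already has create_dir_perms; vold_prepare_subdirs has no search/getattr in this diff) their own explicit allows. If the broad form must stay for now, at least tag it `# TODO(b/72998741) restrict this to non-coredomain` so it is cleaned up with the rest.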
@@ -791,6 +795,9 @@
     } {
       data_file_type
       -core_data_file_type
+      # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
+      # neverallow. Currently only getattr and search are allowed.
+      -vendor_data_file
     }:dir *;
 
 ')
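Review bot: The neverallow this hunk edits begins above the hunk, so its subject set is not visible here; the object set `data_file_type -core_data_file_type` suggests it is the rule that keeps some set of domains out of vendor-owned /data types. The copied comment promises that vendor_data_file is "further restricted in a subsequent neverallow", but the two neverallows added later in this file apply only to coredomain subjects, so if the subject set here is not coredomain the comment is misleading and nothing further limits those domains on /data/vendor. Consider a comment that states what is actually true for this rule, e.g. `# vendor_data_file (/data/vendor{,_ce,_de}) is exempt so these domains can use their own /data area; see b/72998741`.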
@@ -819,6 +826,7 @@
     } {
       core_data_file_type
       -system_data_file # default label for files on /data. Covered below...
+      -vendor_data_file
       -zoneinfo_data_file
     }:dir *;
 ')
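Review bot: The added `-vendor_data_file` in this object set is a no-op: file.te in this same change declares `type vendor_data_file, file_type, data_file_type;` without core_data_file_type, so vendor_data_file is never a member of `core_data_file_type` to begin with. The subtraction is harmless but implies a membership that does not exist and will confuse anyone auditing which types this rule covers; drop the line, or if it is meant as a guard, comment it as such: `-vendor_data_file # not core_data_file_type today; kept in case that changes`.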
@@ -834,6 +842,30 @@
     }:dir ~{ getattr search };
 ')
 
+full_treble_only(`
+  #  coredomains may not access dirs in /data/vendor.
+  neverallow {
+    coredomain
+    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+    -init
+    -vold # vold creates per-user storage for both system and vendor
+    -vold_prepare_subdirs
+    } {
+      vendor_data_file # default label for files on /data. Covered below
+    }:dir ~{ getattr search };
+')
+
+full_treble_only(`
+  #  coredomains may not access dirs in /data/vendor.
+  neverallow {
+    coredomain
+    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+    -init
+    } {
+      vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
+    }:file_class_set ~{ append getattr ioctl read write };
+')
+
 # On TREBLE devices, a limited set of files in /vendor are accessible to
 # only a few whitelisted coredomains to keep system/vendor separation.
 full_treble_only(`
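Review bot: Both comments inside the two new neverallows are wrong for the rule they annotate: in the first, `vendor_data_file # default label for files on /data. Covered below` is copied from the system_data_file rule (vendor_data_file labels /data/vendor{,_ce,_de}, and nothing is "covered below"), and the second rule's heading says "may not access dirs in /data/vendor" while the rule is on `file_class_set`. Change the first to `vendor_data_file # default label for files on /data/vendor{,_ce,_de}` and the second heading to `# coredomains may not access files in /data/vendor.`. The permissions the second rule leaves allowed (append, getattr, ioctl, read, write) look like the set needed to operate on an fd handed over by a vendor process rather than to open the file — if that is the intent, say so in the comment, since it is the reason a coredomain read/write of vendor files is not a neverallow violation.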
diff --git a/public/file.te b/public/file.te
index d1feb3a..0aa7ece 100644
--- a/public/file.te
+++ b/public/file.te
@@ -160,6 +160,8 @@
 type coredump_file, file_type;
 # Default type for anything under /data.
 type system_data_file, file_type, data_file_type, core_data_file_type;
+# Default type for anything under /data/vendor{_ce,_de}.
+type vendor_data_file, file_type, data_file_type;
 # Unencrypted data
 type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
 # /data/.layout_version or other installd-created files that
diff --git a/public/vold.te b/public/vold.te
index 0107ebd..95847cf 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -113,6 +113,9 @@
 allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
 allow vold system_data_file:lnk_file getattr;
 
+# Vold create users in /data/vendor_{ce,de}/[0-9]+
+allow vold vendor_data_file:dir create_dir_perms;
+
 # for secdiscard
 allow vold system_data_file:file read;
 
