diff --git a/sepolicy/init_radio.te b/sepolicy/init_radio.te
index a464f6bd..77c8b5ea 100644
--- a/sepolicy/init_radio.te
+++ b/sepolicy/init_radio.te
@@ -7,6 +7,10 @@ init_daemon_domain(init_radio)
 allow init_radio shell_exec:file r_file_perms;
 allow init_radio toolbox_exec:file rx_file_perms;
+# TODO(b/36663092): Remove once init_radio no longer accesses data
+# outside /data/vendor. Also, the label cannot be radio_data_file since
+# that belongs to the radio app.
+typeattribute init_radio coredata_in_vendor_violators;
 allow init_radio radio_data_file:dir create_dir_perms;
 allow init_radio radio_data_file:file create_file_perms;
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index e6c16a6f..7cfbceb8 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -30,6 +30,10 @@ r_dir_file(netmgrd, sysfs_msm_subsys)
 wakelock_use(netmgrd)
 allow netmgrd proc_net:file rw_file_perms;
+# TODO(b/36663482): Remove coredata_in_vendor_violators once
+# netmgrd no longer directly accesses /data outside
+# /data/vendor.
+typeattribute netmgrd coredata_in_vendor_violators;
 allow netmgrd net_data_file:dir r_dir_perms;
 allow netmgrd net_data_file:file r_file_perms;
 allow netmgrd netmgr_data_file:dir rw_dir_perms;
diff --git a/sepolicy/nfc_hal_pn54x.te b/sepolicy/nfc_hal_pn54x.te
index 2830a71a..d27e5e67 100644
--- a/sepolicy/nfc_hal_pn54x.te
+++ b/sepolicy/nfc_hal_pn54x.te
@@ -19,7 +19,10 @@ set_prop(nfc_hal_pn54x, nfc_prop)
 # NFC device access.
 allow nfc_hal_pn54x nfc_device:chr_file rw_file_perms;
-# Data file accesses.
+# TODO(b/36686703): Remove once nfc_hal_pn54x is no longer accesses data
+# outside /data/vendor. Also, the label cannot be nfc_data_file since
+# that belongs to the nfc app.
+typeattribute nfc_hal_pn54x coredata_in_vendor_violators;
 allow nfc_hal_pn54x nfc_data_file:dir create_dir_perms;
 allow nfc_hal_pn54x nfc_data_file:notdevfile_class_set create_file_perms;
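Review bot: `typeattribute init_radio coredata_in_vendor_violators;` is a domain-wide exemption, not one scoped to the two radio_data_file rules under it, so a later rule on any other core data type in init_radio would no longer be caught by the neverallow this attribute opts out of. The TODO should name the rules that need the exemption so the attribute and those rules can be retired together, for example `# Exemption needed only for the radio_data_file:dir and radio_data_file:file rules below.` The same applies to the netmgrd, nfc_hal_pn54x and wcnss_service hunks. The sentence "the label cannot be radio_data_file" reads more clearly as `# The replacement label must be a new vendor type; radio_data_file belongs to the radio app.`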
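Review bot: The TODO above `typeattribute netmgrd coredata_in_vendor_violators;` does not say which rule causes the violation, and the attribute sits above both the net_data_file and the netmgr_data_file rules. Judging by the names, net_data_file is presumably the core type and netmgr_data_file the daemon's own, so a line such as `# Violation: read access to net_data_file (dir and file) below.` would tell a later cleanup exactly what has to go. The netmgrd rule list continues past the end of the hunk, so other core-data rules may exist outside the visible lines and should be listed too if they do.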
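Review bot: The new comment has a grammar slip, `is no longer accesses data`, and it replaces the `# Data file accesses.` heading, so the two nfc_data_file rules lose their section label. Suggest keeping `# Data file accesses.` as the first line and following it with `# TODO(b/36686703): Remove once nfc_hal_pn54x no longer accesses data`. While the exemption is in place, the context rule granting `notdevfile_class_set create_file_perms` on nfc_data_file covers more object classes than plain files; it is worth confirming during the relabel whether the HAL needs anything beyond `file`.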
diff --git a/sepolicy/wcnss_service.te b/sepolicy/wcnss_service.te
index 75c4e1a3..1c29347b 100644
--- a/sepolicy/wcnss_service.te
+++ b/sepolicy/wcnss_service.te
@@ -19,6 +19,10 @@ allowxperm wcnss_service self:socket ioctl msm_sock_ipc_ioctls;
 allow wcnss_service self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow wcnss_service self:netlink_socket create_socket_perms_no_ioctl;
+# TODO(b/36683225): Remove this once wcnss_service stops accessing data
+# outside /data/vendor.
+typeattribute wcnss_service coredata_in_vendor_violators;
+
 allow wcnss_service wifi_data_file:dir rw_dir_perms;
 allow wcnss_service wifi_data_file:file create_file_perms;
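Review bot: `Remove this once ...` does not say what `this` refers to, and the added blank `+` line after `typeattribute wcnss_service coredata_in_vendor_violators;` separates the attribute from the wifi_data_file rules it appears to excuse. The other three files in this commit keep the attribute directly above the affected rules. Suggest `# TODO(b/36683225): Remove coredata_in_vendor_violators once wcnss_service stops accessing data` to match the netmgrd wording, and dropping the blank line so the exemption stays visually tied to the rules that need it.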