diff --git a/sepolicy/vendor/hal_drm_default.te b/sepolicy/vendor/hal_drm_default.te
index 3781f126..d7346144 100644
--- a/sepolicy/vendor/hal_drm_default.te
+++ b/sepolicy/vendor/hal_drm_default.te
@@ -1 +1,7 @@
 allow hal_drm_default vndbinder_device:chr_file rw_file_perms;
+
+# TODO(b/36601695): Remove data_between_core_and_vendor violators once
+# hal_drm_default no longer directly accesses media_data_file.
+typeattribute hal_drm_default data_between_core_and_vendor_violators;
+allow hal_drm_default media_data_file:dir create_dir_perms;
+allow hal_drm_default media_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/hal_drm_widevine.te b/sepolicy/vendor/hal_drm_widevine.te
index 629ba5e9..46abf783 100644
--- a/sepolicy/vendor/hal_drm_widevine.te
+++ b/sepolicy/vendor/hal_drm_widevine.te
@@ -8,8 +8,8 @@ hal_server_domain(hal_drm_widevine, hal_drm) vndbinder_use(hal_drm_widevine);
-allow hal_drm mediacodec:fd use;
-allow hal_drm { appdomain -isolated_app }:fd use;
+allow hal_drm_widevine mediacodec:fd use;
+allow hal_drm_widevine { appdomain -isolated_app }:fd use;
 # The Qualcomm DRM-HAL implementation uses a vendor-binder service provided # by the HWC HAL.
@@ -17,5 +17,7 @@ allow hal_drm_widevine qdisplay_service:service_manager { find }; binder_call(hal_drm_widevine, hal_graphics_composer) # TODO(b/36601695): Remove data_between_core_and_vendor violators once
-# hal_drm no longer directly accesses media_data_file.
+# hal_drm_widevine no longer directly accesses media_data_file.
 typeattribute hal_drm_widevine data_between_core_and_vendor_violators;
+allow hal_drm_widevine media_data_file:dir create_dir_perms;
+allow hal_drm_widevine media_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/hal_fingerprint.te b/sepolicy/vendor/hal_fingerprint.te
deleted file mode 100644
index 3f2e772d..00000000
--- a/sepolicy/vendor/hal_fingerprint.te
+++ /dev/null
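Review bot: The two added `media_data_file` rules in hal_drm_default.te give a vendor HAL `create_dir_perms` and `create_file_perms` on a core-owned data type, and nothing in the hunk says which operations need create or unlink rather than read and write. The same pair is added for `hal_drm_widevine` in the second hunk of hal_drm_widevine.te. I would add a comment naming what the HAL stores there, and narrow to `rw_dir_perms` / `rw_file_perms` if creation turns out not to be required. The TODO also writes the attribute as `data_between_core_and_vendor violators`; spelling it `data_between_core_and_vendor_violators` lets a grep for the attribute find the comment.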
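Review bot: Moving the two `fd use` rules in the first hal_drm_widevine.te hunk from the `hal_drm` attribute to `hal_drm_widevine` removes them for every other domain carrying that attribute, and the hal_drm_default.te hunk in this commit adds no equivalent. If `hal_drm_default` also receives file descriptors from `mediacodec` or apps, it now depends on some other policy file granting this, which is not visible here and is worth confirming against denial logs. A one-line comment such as `# fd use is granted per implementation, not on the hal_drm attribute` would record the intent.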
@@ -1,7 +0,0 @@
-allow hal_fingerprint sysfs_fingerprint:dir r_dir_perms;
-allow hal_fingerprint sysfs_fingerprint:file rw_file_perms;
-allow hal_fingerprint sysfs_msm_subsys:dir search;
-allow hal_fingerprint sysfs_msm_subsys:file r_file_perms;
-allow hal_fingerprint tee_device:file rw_file_perms;
-allow hal_fingerprint tee_device:chr_file rw_file_perms;
-allow hal_fingerprint uhid_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
new file mode 100644
index 00000000..ed638458
--- /dev/null
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -0,0 +1,14 @@
+allow hal_fingerprint_default sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint_default sysfs_fingerprint:file rw_file_perms;
+allow hal_fingerprint_default sysfs_msm_subsys:dir search;
+allow hal_fingerprint_default sysfs_msm_subsys:file r_file_perms;
+allow hal_fingerprint_default tee_device:file rw_file_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
+
+# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
+# hal_fingerprint no longer directly accesses fingerprintd_data_file.
+typeattribute hal_fingerprint_default data_between_core_and_vendor_violators;
+# access to /data/system/users/[0-9]+/fpdata
+allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
+allow hal_fingerprint_default fingerprintd_data_file:dir rw_dir_perms;
diff --git a/sepolicy/vendor/hal_nfc_default.te b/sepolicy/vendor/hal_nfc_default.te
index 3044f1d5..8aa7c444 100644
--- a/sepolicy/vendor/hal_nfc_default.te
+++ b/sepolicy/vendor/hal_nfc_default.te
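Review bot: `allow hal_fingerprint_default tee_device:file rw_file_perms;` in the new hal_fingerprint_default.te is carried over unchanged from the deleted file, right next to the `chr_file` rule for the same type. If `tee_device` only ever labels character device nodes, the `:file` rule grants nothing useful and could be dropped during this move, keeping just `allow hal_fingerprint_default tee_device:chr_file rw_file_perms;`. The TODO also still names `hal_fingerprint` although the rules now sit on `hal_fingerprint_default`.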
@@ -1,3 +1,10 @@
 # Data file accesses.
 allow hal_nfc_default nfc_vendor_data_file:dir create_dir_perms;
 allow hal_nfc_default nfc_vendor_data_file:file create_file_perms;
+
+# TODO(b/36657258): Remove data_between_core_and_vendor_violators once
+# hal_nfc no longer directly accesses /data owned by the nfc app.
+typeattribute hal_nfc_default data_between_core_and_vendor_violators;
+# Data file accesses.
+allow hal_nfc_default nfc_data_file:dir create_dir_perms;
+allow hal_nfc_default nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
diff --git a/sepolicy/vendor/hal_wifi_supplicant_default.te b/sepolicy/vendor/hal_wifi_supplicant_default.te
new file mode 100644
index 00000000..4f13574e
--- /dev/null
+++ b/sepolicy/vendor/hal_wifi_supplicant_default.te
@@ -0,0 +1,10 @@
+# TODO(b/36657258): Remove data_between_core_and_vendor_violators once
+# hal_wifi_supplicant no longer directly accesses wifi_data_file .
+typeattribute hal_wifi_supplicant_default data_between_core_and_vendor_violators;
+
+allow hal_wifi_supplicant_default wifi_data_file:dir create_dir_perms;
+allow hal_wifi_supplicant_default wifi_data_file:file create_file_perms;
+
+# Create a socket for receiving info from wpa
+allow hal_wifi_supplicant_default wpa_socket:dir create_dir_perms;
+allow hal_wifi_supplicant_default wpa_socket:sock_file create_file_perms;
diff --git a/sepolicy/vendor/hostapd.te b/sepolicy/vendor/hostapd.te
new file mode 100644
index 00000000..b7069692
--- /dev/null
+++ b/sepolicy/vendor/hostapd.te
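Review bot: The added rule `allow hal_nfc_default nfc_data_file:{ file lnk_file fifo_file } create_file_perms;` lets the vendor HAL create symlinks and FIFOs in data owned by the NFC app, which is wider than the `file`-only rule used for `nfc_vendor_data_file` at the top of the same file. Unless the HAL is known to need those classes, I would start with `allow hal_nfc_default nfc_data_file:file create_file_perms;` and add `lnk_file` / `fifo_file` back only when a denial shows they are required. The second `# Data file accesses.` comment repeats the first; something like `# Access to the NFC app's data directory (core-owned)` would distinguish the two blocks.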
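Review bot: In hal_wifi_supplicant_default.te the `wifi_data_file` rules grant `create_dir_perms` and `create_file_perms` with no explanatory comment, while hostapd.te in the same commit documents its access to the same type and limits itself to `rw_file_perms` plus `r_dir_file`. A short comment stating which files and directories the supplicant creates there would let a later reviewer check whether directory creation is still needed once the TODO is resolved. The TODO line also has a stray space before the period in `wifi_data_file .`.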
@@ -0,0 +1,12 @@
+# TODO(b/36657258): Remove data_between_core_and_vendor_violators once
+# hostapd no longer directly accesses /data outside /data/vendor.
+typeattribute hostapd data_between_core_and_vendor_violators;
+# hostapd can read and write WiFi related data and configuration.
+# For example, the entropy file is periodically updated.
+allow hostapd wifi_data_file:file rw_file_perms;
+r_dir_file(hostapd, wifi_data_file)
+
+# hostapd wants to create the directory holding its control socket.
+allow hostapd hostapd_socket:dir create_dir_perms;
+# hostapd needs to create, bind to, read, and write its control socket.
+allow hostapd hostapd_socket:sock_file create_file_perms;