diff --git a/init.te b/init.te
index abd069099961c1618a08f54c15aa3fe39ec83feb..361fb87668d30ddde3b80f8aa5c973225b67de23 100644
--- a/init.te
+++ b/init.te
@@ -71,9 +71,9 @@ domain_trans(init, rootfs, watchdogd)
 
 # Certain domains need LD_PRELOAD passed from init.
 # https://android-review.googlesource.com/94851
-# For now, allow it to all domains.
+# For now, allow it to most domains.
 # TODO: scope this down.
-allow init domain:process noatsecure;
+allow init { domain -lmkd }:process noatsecure;
 
 # Support "adb shell stop"
 allow init domain:process sigkill;
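Review bot: The comment above the changed `allow` line says "most domains" but does not say which domain is excluded or why, so someone scoping this rule down later has to read lmkd.te to find out. Name the exception next to the rule, e.g. `# For now, allow it to all domains except lmkd, which must always be exec'd with AT_SECURE set.` It would also help to note that the `-lmkd` exclusion is paired with a neverallow in lmkd.te, since dropping the exclusion here would make the policy build fail on that assertion. The existing TODO still applies: every other domain started by init keeps `noatsecure`.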
diff --git a/lmkd.te b/lmkd.te
index 771c7805e735436b985daea429e58ed219490b9a..df8208f71b8c45423c9ee1911aec42fd47f6bc06 100644
--- a/lmkd.te
+++ b/lmkd.te
@@ -30,3 +30,8 @@ allow lmkd cgroup:dir { remove_name rmdir };
 
 # Set self to SCHED_FIFO
 allow lmkd self:capability sys_nice;
+
+### neverallow rules
+
+# never honor LD_PRELOAD
+neverallow domain lmkd:process noatsecure;
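Review bot: The comment `# never honor LD_PRELOAD` on the new neverallow names only one effect of the rule and does not explain the mechanism. Without `noatsecure`, the kernel sets AT_SECURE when a process transitions into lmkd, and the dynamic linker then runs in secure mode, which covers LD_PRELOAD and the other linker environment variables it treats as unsafe. Consider rewording it to `# lmkd must always start with AT_SECURE set so the linker ignores LD_PRELOAD and similar environment variables inherited from the parent.` A neverallow is a build-time assertion over the compiled policy, so it documents and enforces the intent for future rules rather than adding a runtime check.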