diff --git a/private/file_contexts b/private/file_contexts
index 83792ed604d9b9b10e7dfe103c20204e28db2c14..f6e8e6bfe2d5575c308458a74ae5227a6a919614 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -266,6 +266,8 @@
 /(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/vndk-stable(/.*)? u:object_r:vndk_stable_file:s0
+
 # TODO: b/36790901 move this to /vendor/etc
 /(vendor|system/vendor)/manifest.xml u:object_r:vendor_configs_file:s0
 /(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
diff --git a/public/domain.te b/public/domain.te
index f16d2771e0498c50202d0bc48edc38f271898e31..1fb648bbe985a3e591678714a8cfb3a6b84c341f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -119,6 +119,11 @@ allow domain vendor_hal_file:dir r_dir_perms;
 allow domain same_process_hal_file:dir r_dir_perms;
 allow domain same_process_hal_file:file { execute read open getattr };
+# Any process can load vndk-stable libraries, which are system libraries
+# used by same process HALs
+allow domain vndk_stable_file:dir r_dir_perms;
+allow domain vndk_stable_file:file { execute read open getattr };
+
 # All domains get access to /vendor/etc
 allow domain vendor_configs_file:dir r_dir_perms;
 allow domain vendor_configs_file:file { read open getattr };
diff --git a/public/file.te b/public/file.te
index 6468d16af23b3514033e0829d5367b82e0c93bf2..2d02e8699f28776cc832eaa8ca7e62fbc4e67bf1 100644
--- a/public/file.te
+++ b/public/file.te
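Review bot: The two added `allow domain vndk_stable_file:...` rules in the public/domain.te hunk give every domain `execute` on anything carrying the new label, and the private/file_contexts hunk applies that label to the whole `lib(64)?/vndk-stable(/.*)?` tree, so the integrity of that directory now matters to every process on the device. Nothing visible in this change limits who may create, write or relabel files of this type. The type does carry `vendor_file_type`, so an existing neverallow on that attribute may already cover it, but that rule is outside these hunks and should be confirmed. If it does not, I would add a guard next to the allow rules, for example `neverallow { domain -init } vndk_stable_file:file { create write setattr relabelfrom append unlink link rename };`, with the exempt set matched to what the tree uses for other vendor file types. It would also help to extend the comment to say why all domains need this rather than only those that load same-process HALs.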
@@ -94,6 +94,8 @@ type vendor_configs_file, vendor_file_type, file_type;
 # Default type for all *same process* HALs.
 # e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
 type same_process_hal_file, vendor_file_type, file_type;
+# Default type for vndk-stable libs. /vendor/lib/vndk-stable
+type vndk_stable_file, vendor_file_type, file_type;
 # Default type for everything in /vendor/framework
 type vendor_framework_file, vendor_file_type, file_type;
 # Default type for everything in /vendor/overlay
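Review bot: The comment added above `type vndk_stable_file` names only `/vendor/lib/vndk-stable`, while the file_contexts entry in this same commit also labels `lib64` and the `system/vendor` path. I would write it as `# Default type for vndk-stable libs under /(vendor|system/vendor)/lib(64)?/vndk-stable`. The domain.te comment also calls these "system libraries", yet the type is declared with `vendor_file_type`. A second comment line saying why that attribute was chosen, and that every domain is allowed to execute files of this type, would tell the next reader that this label is security-sensitive.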