diff --git a/private/file_contexts b/private/file_contexts
index 540757d970c9f511d6204965d5c359e31b759604..85d50bf97a7f3bf3d15f4405adc89f4bdd5b78d8 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -363,6 +363,7 @@
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
+/data/local/tmp/ltp(/.*)?   u:object_r:nativetest_data_file:s0
 /data/local/traces(/.*)?	u:object_r:trace_data_file:s0
 /data/media(/.*)?	u:object_r:media_rw_data_file:s0
 /data/mediadrm(/.*)?	u:object_r:media_data_file:s0
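Review bot: The new `/data/local/tmp/ltp(/.*)?` entry carves a `nativetest_data_file` subtree out of a directory that is otherwise `shell_data_file`, and nothing in the file says why. A file_contexts entry only takes effect when the path is relabelled, so content pushed under /data/local/tmp presumably keeps the parent's label until restorecon is run on it. That step is worth documenting, because the neverallow rules added for this type depend on the label actually being applied. I would add a comment above the entry, e.g. `# LTP kernel tests staged under /data/local/tmp; relabel with restorecon after push (b/73220071)`.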
diff --git a/public/domain.te b/public/domain.te
index 0cc29fb179b0c10cbfe9c82bb90764d65ac401d2..872ec2e8a57fb08da84e04f16320d9af0408c382 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -452,6 +452,9 @@ neverallow {
   -apk_data_file
 }:file no_x_file_perms;
 
+# The test files and executables MUST not be accessible to any domain
+neverallow domain nativetest_data_file:file_class_set no_w_file_perms;
+neverallow domain nativetest_data_file:dir no_w_dir_perms;
 neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
 
 # Only the init property service should write to /data/property and /dev/__properties__
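Review bot: The added comment says the test files must not be accessible to any domain, but the two new rules deny only the write-class permissions in `no_w_file_perms` and `no_w_dir_perms`. Read access stays grantable, and execution is covered by the existing rule on the following line. Someone auditing this type would take the comment at face value, so it should state what is enforced, e.g. `# nativetest_data_file must not be writable by any domain; only shell may execute it, and only on userdebug/eng builds.` As I read the global macros, both sets also include create and relabelfrom, so a second line noting that the type is populated by relabelling, not by creating files under it, would help. The opening lines of this hunk belong to a neverallow that starts outside it.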
@@ -1182,7 +1185,6 @@ neverallow {
   userdebug_or_eng(`-uncrypt')
 } shell_data_file:file open;
 
-
 # servicemanager and vndservicemanager are the only processes which handle the
 # service_manager list request
 neverallow * ~{
diff --git a/public/init.te b/public/init.te
index b30b98b58c0a992a8d1f36c0352bdfed240794f5..3eec6ff3b209ca4c2667b0ffd165600fba521803 100644
--- a/public/init.te
+++ b/public/init.te
@@ -138,6 +138,7 @@ allow init {
   -app_data_file
   -exec_type
   -misc_logd_file
+  -nativetest_data_file
   -system_app_data_file
   -system_file
   -vendor_file_type
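Review bot: This first exclusion list differs from the four that follow at `@@ -149`, `@@ -163`, `@@ -176` and `@@ -189` (it has no `-keystore_data_file` or `-shell_data_file`), which suggests it grants a different permission set. The class and permission part of every one of these `allow init` statements is outside the hunks, so this cannot be checked from here. If the first set includes read-side directory permissions such as search or getattr, then `-nativetest_data_file` also removes those from init, which is more than the new write-only neverallow requires. Please confirm that init does not need to traverse directories of this type, for instance during a recursive relabel. A short trailing comment on each added line, e.g. `-nativetest_data_file # neverallow in domain.te: no domain may write this type`, would tie the five exclusions to the rule that needs them.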
@@ -149,6 +150,7 @@ allow init {
   -exec_type
   -keystore_data_file
   -misc_logd_file
+  -nativetest_data_file
   -shell_data_file
   -system_app_data_file
   -system_file
@@ -163,6 +165,7 @@ allow init {
   -exec_type
   -keystore_data_file
   -misc_logd_file
+  -nativetest_data_file
   -shell_data_file
   -system_app_data_file
   -system_file
@@ -176,6 +179,7 @@ allow init {
   -exec_type
   -keystore_data_file
   -misc_logd_file
+  -nativetest_data_file
   -shell_data_file
   -system_app_data_file
   -system_file
@@ -189,6 +193,7 @@ allow init {
   -exec_type
   -keystore_data_file
   -misc_logd_file
+  -nativetest_data_file
   -shell_data_file
   -system_app_data_file
   -system_file
diff --git a/public/kernel.te b/public/kernel.te
index ba1dec95cf6ac5adbb9780d0c84b436e1bb9c679..c8521e329dc9cae2c3164b941059fd4da9b67ef5 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -66,6 +66,7 @@ allow kernel app_data_file:file read;
 allow kernel asec_image_file:file read;
 
 # Allow reading loop device in update_engine_unittests. (b/28319454)
+# and for LTP kernel tests (b/73220071)
 userdebug_or_eng(`
   allow kernel update_engine_data_file:file read;
   allow kernel nativetest_data_file:file read;
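Review bot: The added comment line sits above the whole `userdebug_or_eng` block, so it does not say which of the two rules serves LTP. Judging by the file_contexts change, it is `allow kernel nativetest_data_file:file read;`, and the original loop-device comment now reads as if it covers both rules. I would move the reference next to the rule it justifies, e.g. `# LTP kernel tests read test images through a loop device (b/73220071)` directly above the `nativetest_data_file` line, leaving the update_engine comment on its own rule. The block continues past the end of this hunk.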