diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
index cccc651597a2359e6225bce171c7f38eec710bb8..e9337b654c5cbf8e7de550a90c0fa404af9e2614 100644
--- a/prebuilts/api/28.0/public/domain.te
+++ b/prebuilts/api/28.0/public/domain.te
@@ -466,7 +466,7 @@ neverallow {
 }:file no_x_file_perms;
 # The test files and executables MUST not be accessible to any domain
-neverallow domain nativetest_data_file:file_class_set no_w_file_perms;
+neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
 neverallow domain nativetest_data_file:dir no_w_dir_perms;
 neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
diff --git a/prebuilts/api/28.0/public/kernel.te b/prebuilts/api/28.0/public/kernel.te
index c8521e329dc9cae2c3164b941059fd4da9b67ef5..b7a351cc87dfab004b486692116b7a062b88961f 100644
--- a/prebuilts/api/28.0/public/kernel.te
+++ b/prebuilts/api/28.0/public/kernel.te
@@ -69,7 +69,7 @@ allow kernel asec_image_file:file read;
 # and for LTP kernel tests (b/73220071)
 userdebug_or_eng(`
 allow kernel update_engine_data_file:file read;
- allow kernel nativetest_data_file:file read;
+ allow kernel nativetest_data_file:file { read write };
 ')
 # Access to /data/media.
diff --git a/public/domain.te b/public/domain.te
index cccc651597a2359e6225bce171c7f38eec710bb8..e9337b654c5cbf8e7de550a90c0fa404af9e2614 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -466,7 +466,7 @@ neverallow {
 }:file no_x_file_perms;
 # The test files and executables MUST not be accessible to any domain
-neverallow domain nativetest_data_file:file_class_set no_w_file_perms;
+neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
 neverallow domain nativetest_data_file:dir no_w_dir_perms;
 neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
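Review bot: The kernel exemption added to the `nativetest_data_file:file_class_set no_w_file_perms` neverallow in prebuilts/api/28.0/public/domain.te is wider than the access this commit grants: it takes kernel out of the rule for every file class and every permission in `no_w_file_perms`, while kernel.te only adds `write` on class `file`. On userdebug and eng builds a later allow rule giving kernel other write-type permissions on test files, or write on a non-regular file class, would no longer be rejected at build time. Consider keeping the unconditional `neverallow domain` for the classes other than `file` and carving kernel out only for class `file`. The comment above still says the files must not be accessible to any domain and should name the exception, e.g. `# Exception: on userdebug/eng builds the kernel may write test files (see kernel.te).` The identical hunk in public/domain.te needs the same change.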
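Review bot: The new `write` permission on `nativetest_data_file` in the `userdebug_or_eng` block of prebuilts/api/28.0/public/kernel.te has no stated reason; the only visible comment line is `# and for LTP kernel tests (b/73220071)`, and the block's leading comment starts outside the hunk. Add a line naming what needs the kernel domain to write these files, for example `# LTP also needs the kernel to write test files (presumably loop-device backing files; confirm and cite the bug)`, so the grant can be dropped once the test no longer needs it. The grant is limited to class `file` and to userdebug/eng builds, which keeps it narrow. The identical hunk in public/kernel.te needs the same comment.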
diff --git a/public/kernel.te b/public/kernel.te
index c8521e329dc9cae2c3164b941059fd4da9b67ef5..b7a351cc87dfab004b486692116b7a062b88961f 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -69,7 +69,7 @@ allow kernel asec_image_file:file read;
 # and for LTP kernel tests (b/73220071)
 userdebug_or_eng(`
 allow kernel update_engine_data_file:file read;
- allow kernel nativetest_data_file:file read;
+ allow kernel nativetest_data_file:file { read write };
 ')
 # Access to /data/media.