diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index a5d5f9832..a58129e18 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -22,6 +22,7 @@
     hal_wifi_service
     healthconnect_service
     keystore_config_prop
+    ntfs
     permissive_mte_prop
     prng_seeder
     servicemanager_prop
diff --git a/private/file_contexts b/private/file_contexts
index 4deecf714..72fae6227 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -230,6 +230,7 @@
 /system/bin/extra_free_kbytes\.sh u:object_r:extra_free_kbytes_exec:s0
 /system/bin/fsck\.exfat	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.f2fs	--	u:object_r:fsck_exec:s0
+/system/bin/ntfsfix	--	u:object_r:fsck_exec:s0
 /system/bin/init		u:object_r:init_exec:s0
 # TODO(/123600489): merge mini-keyctl into toybox
 /system/bin/mini-keyctl	--	u:object_r:toolbox_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 65784709c..29d856140 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -385,6 +385,7 @@ genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
 genfscon binder / u:object_r:binderfs:s0
 genfscon exfat / u:object_r:exfat:s0
+genfscon ntfs / u:object_r:ntfs:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon fuse / u:object_r:fuse:s0
 genfscon configfs / u:object_r:configfs:s0
diff --git a/public/file.te b/public/file.te
index eb5521085..8d33a9d3d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -157,6 +157,7 @@ type fuse, fusefs_type, fs_type, mlstrustedobject;
 type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
 type exfat, sdcard_type, fs_type, mlstrustedobject;
+type ntfs, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, debugfs_type;
 type debugfs_kprobes, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 886286e85..7d4d150c3 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -49,11 +49,11 @@ neverallow hal_configstore_server {
 # Should never need sdcard access
 neverallow hal_configstore_server {
     sdcard_type
-    fuse sdcardfs vfat exfat        # manual expansion for completeness
+    fuse sdcardfs vfat exfat ntfs     # manual expansion for completeness
 }:dir ~getattr;
 neverallow hal_configstore_server {
     sdcard_type
-    fuse sdcardfs vfat exfat        # manual expansion for completeness
+    fuse sdcardfs vfat exfat ntfs     # manual expansion for completeness
 }:file *;
 
 # Do not permit access to service_manager and vndservice_manager