platform_system_sepolicy/kernel.te

# Life begins with the kernel.
type kernel, domain;

# setcon to init domain.
allow kernel self:process setcurrent;
allow kernel init:process dyntransition;

# The kernel is unconfined.
unconfined_domain(kernel)

# cgroup filesystem initialization prior to setting the cgroup root directory label.
allow kernel unlabeled:dir search;

# init direct restorecon calls prior to switching to init domain
# /dev and /dev/socket
allow kernel { device socket_device }:dir relabelto;
# /dev/__properties__
allow kernel properties_device:file relabelto;
# /sys
allow kernel sysfs:{ dir file lnk_file } relabelfrom;
allow kernel sysfs_type:{ dir file lnk_file } relabelto;

# Initial setenforce by init prior to switching to init domain.
# We use dontaudit instead of allow to prevent a kernel spawned userspace
# process from turning off SELinux once enabled.
dontaudit kernel self:security setenforce;

# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel self:security setcheckreqprot;