platform_system_sepolicy/kernel.te

# Life begins with the kernel.
type kernel, domain;

allow kernel init:process dyntransition;

# The kernel is unconfined.
unconfined_domain(kernel)
relabelto_domain(kernel)

allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
allow kernel unlabeled:filesystem mount;

# Initial setenforce by init prior to switching to init domain.
allow kernel self:security setenforce;

# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel self:security setcheckreqprot;