kernel.te - LeafOS-Project/android_system_sepolicy - Gitiles

 # Life begins with the kernel.
 type kernel, domain;
 # The kernel is unconfined.
 unconfined_domain(kernel)
 relabelto_domain(kernel)

 allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
 allow kernel unlabeled:filesystem mount;

 # Initial setenforce by init prior to switching to init domain.
 allow kernel self:security setenforce;
	# Life begins with the kernel.
	type kernel, domain;
	# The kernel is unconfined.
	unconfined_domain(kernel)
	relabelto_domain(kernel)

	allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
	allow kernel unlabeled:filesystem mount;

	# Initial setenforce by init prior to switching to init domain.
	allow kernel self:security setenforce;