Merge "Revisit kernel setenforce"
diff --git a/domain.te b/domain.te
index 5e29272..7f0347a 100644
--- a/domain.te
+++ b/domain.te
@@ -169,7 +169,8 @@
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
-neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot };
+neverallow domain kernel:security setenforce;
+neverallow { domain -kernel } kernel:security setcheckreqprot;
# No booleans in AOSP policy, so no need to ever set them.
neverallow domain kernel:security setbool;
diff --git a/kernel.te b/kernel.te
index 1ff8f68..c40d08b 100644
--- a/kernel.te
+++ b/kernel.te
@@ -11,7 +11,9 @@
allow kernel fs_type:filesystem *;
# Initial setenforce by init prior to switching to init domain.
-allow kernel self:security setenforce;
+# We use dontaudit instead of allow to prevent a kernel spawned userspace
+# process from turning off SELinux once enabled.
+dontaudit kernel self:security setenforce;
# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel self:security setcheckreqprot;