diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 4040420..ca8fa77 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -8,4 +8,3 @@ TARGET_SYSTEM_PROP := $(DEVICE_PATH)/system.prop
 # Sepolicy
 SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/private
-SELINUX_IGNORE_NEVERALLOWS := true
diff --git a/init/init_gsi.rc b/init/init_gsi.rc
index f7ae309..9dcbb56 100644
--- a/init/init_gsi.rc
+++ b/init/init_gsi.rc
@@ -1,2 +1,2 @@
 on post-fs
- exec u:r:init:s0 -- /system_ext/bin/init_gsi
+ exec -- /system_ext/bin/init_gsi
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts
new file mode 100644
index 0000000..44409c4
--- /dev/null
+++ b/sepolicy/private/file_contexts
@@ -0,0 +1 @@
+/system/system_ext/bin/init_gsi u:object_r:init_gsi_exec:s0
diff --git a/sepolicy/private/init.te b/sepolicy/private/init.te
deleted file mode 100644
index 492567e..0000000
--- a/sepolicy/private/init.te
+++ /dev/null
@@ -1 +0,0 @@
-allow init system_file:file execute_no_trans;
diff --git a/sepolicy/private/init_gsi.te b/sepolicy/private/init_gsi.te
new file mode 100644
index 0000000..90229c1
--- /dev/null
+++ b/sepolicy/private/init_gsi.te
@@ -0,0 +1,7 @@
+type init_gsi, domain, coredomain;
+type init_gsi_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(init_gsi);
+
+# TODO: Address denials and remove this
+permissive init_gsi;
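Review bot: The new file_contexts entry labels only `/system/system_ext/bin/init_gsi`, while init_gsi.rc in this same commit launches `/system_ext/bin/init_gsi` and, with the explicit `u:r:init:s0` dropped, depends entirely on that label for its domain transition. The entry matches only images where system_ext lives inside system; on a build with a separate system_ext partition the binary would presumably keep a generic label and the exec would not enter init_gsi. The usual AOSP form covers both layouts: `/(system_ext|system/system_ext)/bin/init_gsi u:object_r:init_gsi_exec:s0`. It is also worth confirming on a booted image with `ls -Z` that the binary actually carries init_gsi_exec.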
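Review bot: `permissive init_gsi;` in init_gsi.te means nothing in the new domain is enforced: denials for init_gsi are logged rather than blocked, so the process init starts at post-fs stays effectively unconfined even though the broad `allow init system_file:file execute_no_trans;` rule is gone. Until the TODO is resolved, wrap the statement in the `userdebug_or_eng` macro so that user builds enforce the domain; AOSP's policy build is expected to reject permissive domains on user builds anyway, which is worth confirming for this tree. The TODO would be easier to close if it said how: collect the `avc: denied` lines with `scontext=u:r:init_gsi:s0` from a boot log and turn them into explicit allow rules.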