diff --git a/private/init.te b/private/init.te
index 4cf69224973580a9336e1ef456111e37398dfd2a..02686a3f46332f51d865aeb7263a69b3068ae3f0 100644
--- a/private/init.te
+++ b/private/init.te
@@ -15,7 +15,12 @@ domain_trans(init, shell_exec, shell)
 domain_trans(init, init_exec, ueventd)
 domain_trans(init, init_exec, vendor_init)
 domain_trans(init, { rootfs toolbox_exec }, modprobe)
-# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
 userdebug_or_eng(`
+  # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
   domain_auto_trans(init, logcat_exec, logpersist)
+
+  # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
+  allow init su:process transition;
+  dontaudit init su:process noatsecure;
+  allow init su:process { siginh rlimitinh };
 ')