diff --git a/domain.te b/domain.te
index 5e29272de10495c9f7ad4d381adc6f5efb8861d0..7f0347a108b63102e6cd1fdf5d8fd1857b090687 100644
--- a/domain.te
+++ b/domain.te
@@ -169,7 +169,8 @@ neverallow { domain -init } kernel:security load_policy;
 # init starts in kernel domain and switches to init domain via setcon in
 # the init.rc, so the setenforce occurs while still in kernel. After
 # switching domains, there is never any need to setenforce again by init.
-neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot };
+neverallow domain kernel:security setenforce;
+neverallow { domain -kernel } kernel:security setcheckreqprot;
 
 # No booleans in AOSP policy, so no need to ever set them.
 neverallow domain kernel:security setbool;
diff --git a/kernel.te b/kernel.te
index 1ff8f682e0a69351ff065bb684fd7106bdc738fb..c40d08b5a77f5b7115a4ecaa4ff4e79ec52ef06e 100644
--- a/kernel.te
+++ b/kernel.te
@@ -11,7 +11,9 @@ allow kernel unlabeled:filesystem mount;
 allow kernel fs_type:filesystem *;
 
 # Initial setenforce by init prior to switching to init domain.
-allow kernel self:security setenforce;
+# We use dontaudit instead of allow to prevent a kernel spawned userspace
+# process from turning off SELinux once enabled.
+dontaudit kernel self:security setenforce;
 
 # Set checkreqprot by init.rc prior to switching to init domain.
 allow kernel self:security setcheckreqprot;