diff --git a/domain.te b/domain.te
index a498980486a015a1c2fd39cfe604817b70656c16..653a5077690ed57e172752f7e02a77c8d0f8ba91 100644
--- a/domain.te
+++ b/domain.te
@@ -148,7 +148,7 @@ neverallow { domain -init } kernel:security load_policy;
 # init starts in kernel domain and switches to init domain via setcon in
 # the init.rc, so the setenforce occurs while still in kernel. After
 # switching domains, there is never any need to setenforce again by init.
-neverallow { domain -kernel } kernel:security setenforce;
+neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot };
 
 # Only init, ueventd and system_server should be able to access HW RNG
 neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
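Review bot: The comment above the changed neverallow in domain.te still explains only setenforce, although the rule now also denies setcheckreqprot to every domain except kernel. A reader auditing the policy cannot tell why checkreqprot is grouped with it. I would extend the comment with something like `# checkreqprot is likewise written once from init.rc while still in the kernel domain;` and `# changing it later would let mmap/mprotect be checked against the requested rather than the applied protection.` The new comment in kernel.te has the same gap: it says when the value is set, but not which value is expected or why no other domain may change it.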
diff --git a/kernel.te b/kernel.te
index 089786bff834cdd689e5f997c5fdbf451ef164bb..4ccce20f169022e1178e2898c0b46c654777fcc9 100644
--- a/kernel.te
+++ b/kernel.te
@@ -9,3 +9,6 @@ allow kernel unlabeled:filesystem mount;
 
 # Initial setenforce by init prior to switching to init domain.
 allow kernel self:security setenforce;
+
+# Set checkreqprot by init.rc prior to switching to init domain.
+allow kernel self:security setcheckreqprot;
diff --git a/unconfined.te b/unconfined.te
index bdebf3a2cbc75dc68e4e53a74f735b6de2fa8d88..ef134026dea0216306c72280a6d8433efb59a724 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -17,7 +17,7 @@
 ######################################################
 
 allow unconfineddomain self:capability_class_set *;
-allow unconfineddomain kernel:security ~{ load_policy setenforce };
+allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
 allow unconfineddomain kernel:system *;
 allow unconfineddomain domain:process ~ptrace;
 allow unconfineddomain domain:fd *;
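Review bot: The `kernel:security` rule in unconfined.te is still written as a complement set, so unconfineddomain keeps every security-class permission that nobody has remembered to exclude. This commit is itself an example: setcheckreqprot was granted implicitly until now. Other state-changing permissions such as setbool and setsecparam presumably remain granted by the same rule. I would replace `~{ ... }` with an explicit list of the permissions unconfined domains actually need, so a newly added permission is denied by default. Failing that, add a comment on this line naming the excluded permissions and stating that each is reserved for init or kernel.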