diff --git a/init.te b/init.te
index f0e11f6390400e05e18ca96a78740765d951ae11..5cb947199734767423663f128f17bef9421486f7 100644
--- a/init.te
+++ b/init.te
@@ -3,17 +3,30 @@ type init, domain;
 # init is unconfined.
 unconfined_domain(init)
 tmpfs_domain(init)
-# add a rule to handle unlabelled mounts
-allow init unlabeled:filesystem mount;
 allow init self:capability { sys_rawio mknod };
+# Running e2fsck or mkswap via fs_mgr.
 allow init dev_type:blk_file rw_file_perms;
+
+# Mounting filesystems.
 allow init fs_type:filesystem *;
-allow init {fs_type dev_type}:dir_file_class_set relabelto;
+allow init unlabeled:filesystem *;
+
+# restorecon and restorecon_recursive calls from init.rc files.
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
+
+# Reload policy upon setprop selinux.reload_policy 1.
 allow init kernel:security load_policy;
+
+# Any operation that can modify the kernel ring buffer, e.g. clear
+# or a read that consumes the messages that were read.
 allow init kernel:system syslog_mod;
+
+# Set usermodehelpers and /proc security settings.
 allow init usermodehelper:file rw_file_perms;
 allow init proc_security:file rw_file_perms;
diff --git a/kernel.te b/kernel.te
index b09c106483f7fc4f487beb17c2a432f5a7f3ff16..96b57407eceb1bc1248e0fdf44d1848d8c362732 100644
--- a/kernel.te
+++ b/kernel.te
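Review bot: `allow init unlabeled:filesystem *;` grants every filesystem-class permission (including relabelfrom, relabelto, associate and quotamod), which is wider than the "Mounting filesystems." comment above it and than the `mount` that the removed line granted; if remount/unmount/getattr are what was missing, `allow init unlabeled:filesystem { mount remount unmount getattr };` keeps the rule matched to its comment, and if `unlabeled` already carries the fs_type attribute the line is redundant with the `allow init fs_type:filesystem *;` directly above it. The same hunk drops `relabelto` on fs_type and dev_type for the init domain, so a device init.<board>.rc that runs `restorecon` on a path under /dev or /sys would now be denied, yet the new block comment says only /system files are excluded; if that narrowing is intended it should be stated there, otherwise those paths need covering by the kernel-domain rules. `unconfined_domain(init)` is applied at the top of the hunk but its definition is not in this diff, so I cannot tell whether it already supplies any of these permissions.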
@@ -8,10 +8,14 @@ allow kernel init:process dyntransition;
 # The kernel is unconfined.
 unconfined_domain(kernel)
-allow kernel {fs_type dev_type}:dir_file_class_set relabelto;
-allow kernel {file_type -system_file -exec_type}:dir_file_class_set relabelto;
-allow kernel unlabeled:filesystem mount;
-allow kernel fs_type:filesystem *;
+# init direct restorecon calls prior to switching to init domain
+# /dev and /dev/socket
+allow kernel { device socket_device }:dir relabelto;
+# /dev/__properties__
+allow kernel properties_device:file relabelto;
+# /sys
+allow kernel sysfs:{ dir file lnk_file } relabelfrom;
+allow kernel sysfs_type:{ dir file lnk_file } relabelto;
 # Initial setenforce by init prior to switching to init domain.
 # We use dontaudit instead of allow to prevent a kernel spawned userspace
diff --git a/recovery.te b/recovery.te
index 811623e62d724fc07a94c42e57819734bde099be..669c1da372a30d8714f50f395efd5d286924a2b3 100644
--- a/recovery.te
+++ b/recovery.te
@@ -5,11 +5,12 @@ unconfined_domain(recovery)
 allow recovery self:capability2 mac_admin;
-allow recovery {dev_type -kmem_device}:dir_file_class_set relabelto;
-allow recovery {fs_type file_type}:dir_file_class_set relabelto;
-allow recovery unlabeled:filesystem mount;
+# Mount filesystems.
 allow recovery fs_type:filesystem *;
+allow recovery unlabeled:filesystem *;
+
+# Create and relabel files under /system.
 allow recovery exec_type:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };
 allow recovery system_file:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };
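Review bot: For /dev the new block grants only `relabelto` on `device`, `socket_device` and `properties_device`, whereas for /sys it explicitly pairs `relabelfrom` on `sysfs` with `relabelto` on `sysfs_type`; the permission to relabel away from whatever /dev and /dev/socket are labeled before that early restorecon is not granted here, so presumably it comes from `unconfined_domain(kernel)` on the line above, whose definition is not in this diff. If so, that dependency deserves a comment at the head of the block, e.g. `# relabelfrom on the initial /dev labels comes from unconfined_domain(kernel); only relabelto must be granted explicitly here.`, so a later tightening of unconfineddomain does not silently break labeling of /dev before the init domain transition; if not, a `relabelfrom` rule is needed here as it was added for sysfs. The asymmetry with the sysfs pair suggests unconfineddomain does not supply relabelfrom for fs_type objects, which is worth confirming before merging.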