--- a/CMakeLists.txt 2017-11-27 20:08:14.961623274 +0800
+++ b/CMakeLists.txt 2017-11-27 15:13:34.564869828 +0800
@@ -45,6 +45,10 @@
 add_subdirectory(upgraded)
 ENDIF()
+IF(SELINUX_ENABLED)
+ ADD_DEFINITIONS(-DSELINUX_ENABLED)
+ENDIF()
+
 ADD_EXECUTABLE(procd ${SOURCES})
 TARGET_LINK_LIBRARIES(procd ${LIBS})
 INSTALL(TARGETS procd
--- a/initd/init.c 2017-11-27 20:08:14.961623274 +0800
+++ b/initd/init.c 2017-11-27 20:09:08.089625538 +0800
@@ -29,6 +29,12 @@
 #include
 #include
+#if SELINUX_ENABLED
+#include
+#include
+#include
+#endif
+
 #include "../utils/utils.h"
 #include "init.h"
 #include "../watchdog.h"
@@ -67,6 +73,53 @@
 }
 }
+#if SELINUX_ENABLED
+static const struct selinux_opt se_opts[] = {
+ { SELABEL_OPT_PATH, "/etc/selinux/targeted/contexts/files/file_contexts" },
+ { 0, NULL } };
+
+struct selabel_handle *h = NULL;
+
+static int procd_selinux_init()
+{
+ int enforce = 0;
+
+ if (getenv("SELINUX_INIT") == NULL) {
+ putenv((char*)"SELINUX_INIT=YES");
+
+ // load policy
+ if (selinux_init_load_policy(&enforce) == 0)
+ fprintf(stdout, "SELinux policy load success!\n");
+ else if (enforce > 0) {
+ /* SELinux in enforcing mode but load_policy failed */
+ fprintf(stderr, "can't load SELinux Policy. "
+ "Machine is in enforcing mode. Halting now.\n");
+ return EXIT_FAILURE;
+ }
+
+ // load file_contexts
+ h = selabel_open(SELABEL_CTX_FILE, se_opts, 1);
+ if (!h)
+ fprintf(stderr, "Error getting file context handle\n");
+ else
+ fprintf(stdout, "%s load success!\n", se_opts[0].value);
+
+ // set init process security context to u:r:init:s0
+ setcon("u:r:init:s0");
+
+ // restore contexts
+ selinux_restorecon("/", SELINUX_RESTORECON_RECURSE |
+ SELINUX_RESTORECON_PROGRESS |
+ SELINUX_RESTORECON_MASS_RELABEL |
+ SELINUX_RESTORECON_IGNORE_NOENTRY |
+ SELINUX_RESTORECON_ADD_ASSOC |
+ SELINUX_RESTORECON_SET_SPECFILE_CTX);
+ }
+
+ return 0;
+}
+#endif
+
 int main(int argc, char **argv)
 {
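Review bot: Nothing in the new `IF(SELINUX_ENABLED)` block adds libselinux to `LIBS`, so the `TARGET_LINK_LIBRARIES(procd ${LIBS})` line just below it will still link procd without `-lselinux` unless LIBS is extended somewhere outside this hunk; if it is not, add `SET(LIBS ${LIBS} selinux)` next to the `ADD_DEFINITIONS` line. `ADD_DEFINITIONS` also applies the macro to every target in the directory, which is fine here but worth a one-line comment if other targets are added later.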
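Review bot: The return value of `setcon("u:r:init:s0")` on the `// set init process security context` line is discarded, so when the policy loaded in enforcing mode but the transition fails, init keeps running in the kernel's initial context and every later domain transition derives from the wrong source; `selinux_restorecon` is likewise unchecked, and the `selabel_open` failure only logs. Mirror the policy-load branch: `if (setcon("u:r:init:s0") < 0 && enforce > 0) { fprintf(stderr, "setcon failed in enforcing mode. Halting now.\n"); return EXIT_FAILURE; }`. The handle `h` is a non-static, one-letter file-scope global that nothing in the hunk uses after the NULL check; if it is meant to drive the relabel, hand it over with `selinux_restorecon_set_sehandle(h)`, otherwise make it a named local and close it. The file_contexts path is hard-wired to the `targeted` policy tree where `selinux_file_context_path()` would follow the configured policy type, and `static int procd_selinux_init()` should be declared `(void)` in C.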
@@ -80,6 +133,11 @@
 cmdline();
 watchdog_init(1);
+#if SELINUX_ENABLED
+ if (procd_selinux_init() != 0)
+ return EXIT_FAILURE;
+#endif
+
 uloop_init();
 preinit();
 uloop_run();
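Review bot: The new `return EXIT_FAILURE` makes main exit, and since this is initd/init.c the process is presumably PID 1, where the kernel panics when init exits; that may be the intended "Halting now" from the error message, but nothing in the code records the decision, so add a comment such as `/* PID 1 exiting here panics the kernel: deliberate, an enforcing system must not boot without policy */` above the `#if`. The SELinux setup also runs after `watchdog_init(1)` but before `uloop_run()`; if that call arms a hardware watchdog, a full relabel of "/" inside `procd_selinux_init()` could outlast the timeout before uloop services it, which is worth confirming. main's body starts and ends outside this hunk.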