Never blindly copy audit2allow output into policy. It suggests rules to make the denial go away, not to make the system secure.
If a denial shows tcontext=u:object_r:device:s0 (or tmpfs, system_data_file), do not write an allow rule for device. The correct fix is to label the specific file or node in file_contexts.
If a dac_override denial occurs, do NOT grant the capability. The proper solution is to fix the underlying UNIX permissions (user/group/world) of the file or process.
Use permissive mode (androidboot.selinux=permissive) only during early device bring-up to gather a comprehensive list of denials.
If dmesg logs are insufficient to locate the root cause of an AVC denial, capture the kernel/userspace call chain using simpleperf (requires Linux >= 5.10):
adb shell -t "cd /data/local/tmp && su root simpleperf record -a -g -e avc:selinux_audited"
# Trigger the denial, stop the recording, then:
adb shell -t "cd /data/local/tmp && su root simpleperf report -g --full-callgraph"
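The triage rules above (generic target labels and dac_override) can be applied to denial lines before any audit2allow output is considered. This is an added example, not code from the original page or from AOSP; the function names, action strings and sample log lines (hal_example, exampled, example0) are hypothetical and constructed.

```python
import re

# Generic target types named in the guidance; allowing access to them is too broad.
GENERIC_TYPES = {"device", "tmpfs", "system_data_file"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    d["perms"] = m.group("perms").split()
    # A context is user:role:type:level, so the type is the third field.
    for key, out in (("scontext", "stype"), ("tcontext", "ttype")):
        parts = d.get(key, "").split(":")
        d[out] = parts[2] if len(parts) >= 3 else ""
    return d

def triage(line):
    """Return (action, reason) for a denial line, or None if it is not a denial."""
    d = parse_avc(line)
    if d is None:
        return None
    if "dac_override" in d["perms"]:
        return ("fix-unix-permissions",
                f"{d['stype']} hit a DAC check; fix owner/group/mode, do not grant dac_override")
    if d["ttype"] in GENERIC_TYPES:
        target = d.get("name") or d.get("path") or "(unnamed)"
        return ("label-in-file_contexts",
                f"{target} carries generic type {d['ttype']}; give it a specific label")
    return ("review-manually",
            f"{d['stype']} -> {d['ttype']}:{d.get('tclass', '?')} {d['perms']}")

# Constructed sample lines (not captured from a real device).
SAMPLES = [
    '[   12.3] type=1400 audit(0.0:45): avc: denied { read write } for pid=512 '
    'comm="hal_example" name="example0" dev="tmpfs" ino=901 '
    'scontext=u:r:hal_example:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0',
    'avc: denied { dac_override } for pid=640 comm="exampled" capability=1 '
    'scontext=u:r:exampled:s0 tcontext=u:r:exampled:s0 tclass=capability permissive=0',
    'avc: denied { open } for pid=700 comm="exampled" path="/vendor/etc/example.conf" '
    'scontext=u:r:exampled:s0 tcontext=u:object_r:vendor_configs_file:s0 tclass=file permissive=0',
    'init: starting service exampled',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s))
```

Denials that fall through to review-manually still need a human decision on whether the access belongs in the domain at all.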