MicroOS has a read only system. So to work around this the labeling happens pre-pivot in the initrd. To be able to label files it loads the policy. Which wasn't a problem, since kernel_t was unconfined. Since this is now different this doesn't work anymore. On regular systems labeling is done post-pivot in a normal environment and transitions away from kernel_t. I try to recreate this behavior in the initrd environment now