diff --git a/native/jni/core/bootstages.c b/native/jni/core/bootstages.c index 81593426e..890698921 100644 --- a/native/jni/core/bootstages.c +++ b/native/jni/core/bootstages.c @@ -311,11 +311,11 @@ static void clone_skeleton(struct node_entry *node) { if (IS_LNK(child)) { // Copy symlinks directly cp_afc(buf2, buf); - #ifdef MAGISK_DEBUG - LOGI("creat_link: %s <- %s\n",buf, buf2); - #else - LOGI("creat_link: %s\n", buf); - #endif +#ifdef MAGISK_DEBUG + LOGI("creat_link: %s <- %s\n",buf, buf2); +#else + LOGI("creat_link: %s\n", buf); +#endif } else { snprintf(buf, PATH_MAX, "%s/%s", full_path, child->name); bind_mount(buf2, buf); @@ -449,18 +449,9 @@ static int prepare_img() { // Remount them back :) magiskloop = mount_image(MAINIMG, MOUNTPOINT); free(magiskloop); - - // Fix file selinux contexts - fix_filecon(); return 0; } -void fix_filecon() { - int dirfd = xopen(MOUNTPOINT, O_RDONLY | O_CLOEXEC); - restorecon(dirfd); - close(dirfd); -} - /**************** * Entry points * ****************/ @@ -675,6 +666,8 @@ void post_fs_data(int client) { if (prepare_img()) goto core_only; // Mounting fails, we can only do core only stuffs + restorecon(); + // Run common scripts LOGI("* Running post-fs-data.d scripts\n"); exec_common_script("post-fs-data"); diff --git a/native/jni/core/magisk.c b/native/jni/core/magisk.c index a72a44850..e5fe80642 100644 --- a/native/jni/core/magisk.c +++ b/native/jni/core/magisk.c @@ -136,7 +136,7 @@ int magisk_main(int argc, char *argv[]) { unlock_blocks(); return 0; } else if (strcmp(argv[1], "--restorecon") == 0) { - fix_filecon(); + restorecon(); return 0; } else if (strcmp(argv[1], "--clone-attr") == 0) { if (argc < 4) usage(); diff --git a/native/jni/include/daemon.h b/native/jni/include/daemon.h index 9bab5b153..164a66faf 100644 --- a/native/jni/include/daemon.h +++ b/native/jni/include/daemon.h 
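Review bot: `restorecon();` is inserted after the `goto core_only` branch in post_fs_data, so when `prepare_img()` fails the relabeling of SECURE_DIR and DATABIN that the new restorecon() in file.c performs (alongside the MOUNTPOINT pass the old `fix_filecon()` did) is skipped as well. The MOUNTPOINT pass needs the image mounted, so the call cannot simply move above the check; but if the core-only path still executes anything from DATABIN, those files keep whatever context and owner they had, which is presumably not intended. Either apply the SECURE_DIR/DATABIN relabel on the core-only path too, or make the choice explicit with a comment above the call such as `// Relabel MOUNTPOINT, SECURE_DIR and DATABIN; core-only mode is deliberately left untouched`. post_fs_data continues outside the hunk.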
@@ -62,7 +62,6 @@ void write_string(int fd, const char* val); void startup(); void post_fs_data(int client); void late_start(int client); -void fix_filecon(); /************** * MagiskHide * diff --git a/native/jni/include/magisk.h b/native/jni/include/magisk.h index b2f5ee212..098d49729 100644 --- a/native/jni/include/magisk.h +++ b/native/jni/include/magisk.h @@ -24,21 +24,22 @@ #define COREDIR MOUNTPOINT "/.core" #define HOSTSFILE COREDIR "/hosts" #define HIDELIST COREDIR "/hidelist" -#define SECURE_DIR "/data/adb/" -#define MAINIMG SECURE_DIR "magisk.img" -#define DATABIN SECURE_DIR "magisk" -#define MAGISKDB SECURE_DIR "magisk.db" -#define SIMPLEMOUNT SECURE_DIR "magisk_simple" -#define DEBUG_LOG SECURE_DIR "magisk_debug.log" +#define SECURE_DIR "/data/adb" +#define MAINIMG SECURE_DIR "/magisk.img" +#define DATABIN SECURE_DIR "/magisk" +#define MAGISKDB SECURE_DIR "/magisk.db" +#define SIMPLEMOUNT SECURE_DIR "/magisk_simple" +#define DEBUG_LOG SECURE_DIR "/magisk_debug.log" #define MANAGERAPK DATABIN "/magisk.apk" #define MAGISKRC "/init.magisk.rc" // selinuxfs paths -#define SELINUX_PATH "/sys/fs/selinux/" -#define SELINUX_ENFORCE SELINUX_PATH "enforce" -#define SELINUX_POLICY SELINUX_PATH "policy" -#define SELINUX_LOAD SELINUX_PATH "load" +#define SELINUX_PATH "/sys/fs/selinux" +#define SELINUX_ENFORCE SELINUX_PATH "/enforce" +#define SELINUX_POLICY SELINUX_PATH "/policy" +#define SELINUX_LOAD SELINUX_PATH "/load" +#define SELINUX_CONTEXT SELINUX_PATH "/context" // split policy paths #define PLAT_POLICY_DIR "/system/etc/selinux/" diff --git a/native/jni/include/utils.h b/native/jni/include/utils.h index 6e08c9deb..8a2c86285 100644 --- a/native/jni/include/utils.h +++ b/native/jni/include/utils.h 
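Review bot: Moving the trailing slash out of `SECURE_DIR` and `SELINUX_PATH` into each derived macro changes what any other `SECURE_DIR "name"` or `SELINUX_PATH "name"` concatenation produces, and this diff only updates the uses inside magisk.h; a use elsewhere in the tree would now silently build a path like `/data/adbname` (constructed example), so a grep for those two prefixes is worth doing before merging. The new `SELINUX_CONTEXT` macro deserves a comment, since the only caller in this commit appears to use it as a validity probe rather than as something to read: `// selinuxfs "context" node: writing a context string asks the kernel whether the loaded policy accepts it`.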
@@ -122,7 +122,7 @@ int setattrat(int dirfd, const char *pathname, struct file_attr *a); int fsetattr(int fd, struct file_attr *a); void fclone_attr(const int sourcefd, const int targetfd); void clone_attr(const char *source, const char *target); -void restorecon(int dirfd); +void restorecon(); int mmap_ro(const char *filename, void **buf, size_t *size); int mmap_rw(const char *filename, void **buf, size_t *size); void fd_full_read(int fd, void **buf, size_t *size); diff --git a/native/jni/utils/file.c b/native/jni/utils/file.c index ee690d331..1e4c8e539 100644 --- a/native/jni/utils/file.c +++ b/native/jni/utils/file.c @@ -15,6 +15,7 @@ #include #endif +#include "magisk.h" #include "utils.h" char **excl_list = NULL; @@ -341,17 +342,22 @@ void fclone_attr(const int sourcefd, const int targetfd) { #ifdef SELINUX +#include "magiskpolicy.h" + #define UNLABEL_CON "u:object_r:unlabeled:s0" #define SYSTEM_CON "u:object_r:system_file:s0" +#define ADB_CON "u:object_r:adb_data_file:s0" +#define MAGISK_CON "u:object_r:"SEPOL_FILE_DOMAIN":s0" -void restorecon(int dirfd) { +static void restore_syscon(int dirfd) { struct dirent *entry; DIR *dir; - int fd; + char path[PATH_MAX], *con; fd_getpath(dirfd, path, sizeof(path)); - lgetfilecon(path, &con); + size_t len = strlen(path); + getfilecon(path, &con); if (strlen(con) == 0 || strcmp(con, UNLABEL_CON) == 0) lsetfilecon(path, SYSTEM_CON); freecon(con); 
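Review bot: The new `getfilecon(path, &con);` in restore_syscon is unchecked, and `con` is declared without an initializer on the line `char path[PATH_MAX], *con;` just above it, so a failed lookup leaves the following `strlen(con)` reading an indeterminate pointer; the per-entry `lgetfilecon` call in the next hunk has the same shape. Initialize it as `char path[PATH_MAX], *con = NULL;`, test the result with `if (getfilecon(path, &con) < 0 || strlen(con) == 0 || strcmp(con, UNLABEL_CON) == 0)`, and release only a set pointer with `if (con) freecon(con);`. Separately, `#include "magiskpolicy.h"` lands in the middle of the translation unit inside `#ifdef SELINUX`; the guarded include block at the top of the file that the first hunk touches looks like its natural home, with a one-line comment on `MAGISK_CON` noting that it depends on `SEPOL_FILE_DOMAIN` from that header. The reason for switching the directory lookup from `lgetfilecon` to `getfilecon` while the per-entry lookup keeps the l-variant is not stated and would benefit from a comment. restore_syscon's body continues past the end of this hunk.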
@@ -361,20 +367,65 @@ void restorecon(int dirfd) { if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) continue; if (entry->d_type == DT_DIR) { - fd = xopenat(dirfd, entry->d_name, O_RDONLY | O_CLOEXEC); - restorecon(fd); + int fd = xopenat(dirfd, entry->d_name, O_RDONLY | O_CLOEXEC); + restore_syscon(fd); + close(fd); } else { - fd = xopenat(dirfd, entry->d_name, O_PATH | O_NOFOLLOW | O_CLOEXEC); - fd_getpath(fd, path, sizeof(path)); + path[len] = '/'; + strcpy(path + len + 1, entry->d_name); lgetfilecon(path, &con); if (strlen(con) == 0 || strcmp(con, UNLABEL_CON) == 0) lsetfilecon(path, SYSTEM_CON); freecon(con); + path[len] = '\0'; } - close(fd); } } +static void restore_magiskcon(int dirfd) { + struct dirent *entry; + DIR *dir; + + char path[PATH_MAX]; + + fd_getpath(dirfd, path, sizeof(path)); + size_t len = strlen(path); + lsetfilecon(path, MAGISK_CON); + lchown(path, 0, 0); + + dir = xfdopendir(dirfd); + while ((entry = xreaddir(dir))) { + if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) + continue; + if (entry->d_type == DT_DIR) { + int fd = xopenat(dirfd, entry->d_name, O_RDONLY | O_CLOEXEC); + restore_magiskcon(fd); + close(fd); + } else { + path[len] = '/'; + strcpy(path + len + 1, entry->d_name); + lsetfilecon(path, MAGISK_CON); + lchown(path, 0, 0); + path[len] = '\0'; + } + } +} + +void restorecon() { + int fd; + fd = xopen(SELINUX_CONTEXT, O_WRONLY | O_CLOEXEC); + if (write(fd, ADB_CON, sizeof(ADB_CON)) >= 0) { + lsetfilecon(SECURE_DIR, ADB_CON); + } + close(fd); + fd = xopen(MOUNTPOINT, O_RDONLY | O_CLOEXEC); + restore_syscon(fd); + close(fd); + fd = xopen(DATABIN, O_RDONLY | O_CLOEXEC); + restore_magiskcon(fd); + close(fd); +} + #endif // SELINUX static int _mmap(int rw, const char *filename, void **buf, size_t *size) {
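Review bot: The per-entry path build `path[len] = '/'; strcpy(path + len + 1, entry->d_name);` in restore_syscon has no bound against `sizeof(path)`, and restore_magiskcon repeats it; the `fd_getpath(fd, path, sizeof(path))` it replaces took a buffer size, so a deep tree or long entry name under MOUNTPOINT or DATABIN can now write past the PATH_MAX stack buffer. Replace the two lines with `int n = snprintf(path + len, sizeof(path) - len, "/%s", entry->d_name);` followed by `if (n < 0 || (size_t)n >= sizeof(path) - len) continue;` so an oversized entry is skipped rather than truncated or overflowed, leaving the existing `path[len] = '\0';` reset as written. Both walkers also decide recursion on `entry->d_type == DT_DIR` alone; on a filesystem that reports DT_UNKNOWN a subdirectory would be treated as a file and never descended, which is probably acceptable for the Android data partition but worth a comment. Finally, `void restorecon()` is an unprototyped definition; `void restorecon(void)` (with the matching declaration in utils.h) is the prototype form.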