diff --git a/magisk/service.sh b/magisk/service.sh
index 3bdbf786..13675169 100755
--- a/magisk/service.sh
+++ b/magisk/service.sh
@@ -1,6 +1,8 @@
 #!/system/bin/sh
 # Conditional MagiskHide properties
 
+MODDIR=${0%/*}
+
 maybe_set_prop() {
 local prop="$1"
 local contains="$2"
@@ -20,12 +22,20 @@ maybe_set_prop vendor.boot.mode recovery unknown
 maybe_set_prop ro.boot.hwc CN GLOBAL
 maybe_set_prop ro.boot.hwcountry China GLOBAL
 
-resetprop --delete ro.build.selinux
+# Kernel cmdline
+chmod 0640 /proc/cmdline
 
 # SELinux permissive
+resetprop --delete ro.build.selinux
+
 if [[ "$(cat /sys/fs/selinux/enforce)" == "0" ]]; then
- chmod 640 /sys/fs/selinux/enforce
- chmod 440 /sys/fs/selinux/policy
+ echo "1" > "${MODDIR}/enforce"
+
+ chmod 0640 "${MODDIR}/enforce"
+ chmod 0640 /sys/fs/selinux/enforce
+ chmod 0440 /sys/fs/selinux/policy
+
+ mount -o bind "${MODDIR}/enforce /sys/fs/selinux/enforce"
 fi
 
 # Late props which must be set after boot_completed
diff --git a/magisk/system.prop b/magisk/system.prop
index 42af17bb..321d3aa7 100644
--- a/magisk/system.prop
+++ b/magisk/system.prop
@@ -21,3 +21,6 @@ vendor.boot.vbmeta.device_state=locked
 ro.build.type=user
 ro.debuggable=0
 ro.secure=1
+
+# SELinux
+ro.boot.selinux=enforcing
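Review bot: In the second hunk of magisk/service.sh, the added `mount -o bind "${MODDIR}/enforce /sys/fs/selinux/enforce"` puts source and target inside one pair of quotes, so mount receives a single argument and cannot bind the file over the target as written; it should read `mount -o bind "${MODDIR}/enforce" /sys/fs/selinux/enforce`. Neither the `echo "1" > "${MODDIR}/enforce"` write nor the mount has its exit status checked, so a failure leaves the chmod changes applied with nothing logged; a `|| exit 1` (or a log line) on both would make that visible. The `# SELinux permissive` comment would also be clearer if it stated what the block now does, e.g. `# Kernel is permissive: bind a static "1" over selinuxfs enforce, so reads of this path no longer reflect the real mode`.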