Can't mount /vendor/firmware_mnt when Magisk is installed and Selinux is enforcing

[SGCMarkus]

Device: Motorola Edge 20 Pro (pstar)
Android version: 12 (LineageOS 19.0)
Magisk version name: 23, 24, Canary
Magisk version code: 24102 (e7c82f2)

The error only occurs when running selinux enforcig (not 100% sure if its my device tree at fault, lineage or a magisk issue).
After flashing magisk in recovery (or using the app to patch the boot.img and flashing that in fastboot) the system is unable to mount /vendor/firmware_mnt (maybe also others, but this is the only one i see in the logs as not found). And this causes the kernel to panic as it cant find required firmware.
Without magisk installed this works fine, as well as when magisk is installed and its set to permissive.

To my understanding magisk should inject its needed sepolicies itself. Found this difference (when booting permissive), which is there with magisk installed, but not when its not installed:

[    4.293184] type=1400 audit(929526.980:8): avc: denied { create } for comm="init" name="TemporaryDir-DSsjdN" scontext=u:r:init:s0 tcontext=u:object_r:firmware_file:s0 tclass=dir permissive=1
[    4.293206] type=1400 audit(929526.980:9): avc: denied { create } for comm="init" name="TemporaryDir-c5PdVa" scontext=u:r:init:s0 tcontext=u:object_r:adsprpcd_file:s0 tclass=dir permissive=1
[    4.293233] type=1400 audit(929526.980:10): avc: denied { create } for comm="init" name="TemporaryDir-xh3vOe" scontext=u:r:init:s0 tcontext=u:object_r:bt_firmware_file:s0 tclass=dir permissive=1
[    4.293267] type=1400 audit(929526.980:11): avc: denied { create } for comm="init" name="TemporaryDir-VcnACW" scontext=u:r:init:s0 tcontext=u:object_r:fsg_file:s0 tclass=dir permissive=1
[    4.293513] init: [libfs_mgr]__mount(source=overlay,target=/vendor,type=overlay,upperdir=/mnt/scratch/overlay/vendor/upper)=0
[    4.293577] type=1400 audit(929526.983:12): avc: denied { rmdir } for comm="init" name="TemporaryDir-DSsjdN" dev="tmpfs" ino=34761 scontext=u:r:init:s0 tcontext=u:object_r:firmware_file:s0 tclass=dir permissive=1
[    4.293646] type=1400 audit(929526.983:13): avc: denied { rmdir } for comm="init" name="TemporaryDir-c5PdVa" dev="tmpfs" ino=34762 scontext=u:r:init:s0 tcontext=u:object_r:adsprpcd_file:s0 tclass=dir permissive=1
[    4.293697] type=1400 audit(929526.983:14): avc: denied { rmdir } for comm="init" name="TemporaryDir-xh3vOe" dev="tmpfs" ino=34763 scontext=u:r:init:s0 tcontext=u:object_r:bt_firmware_file:s0 tclass=dir permissive=1
[    4.293796] type=1400 audit(929526.983:15): avc: denied { rmdir } for comm="init" name="TemporaryDir-VcnACW" dev="tmpfs" ino=34764 scontext=u:r:init:s0 tcontext=u:object_r:fsg_file:s0 tclass=dir permissive=1

Magisk works on stock A11, compared the policies there with what i have, but didnt find a difference regarding the tcontexts above.
If you need further information let me know.

boot_dmesg_permissive.log
magisk_boot_dmesg_permissive.log
mounts.log
boot_dmesg_enforcing.log
pstore.zip

Links to device trees and kernel:
https://github.com/SGCMarkus/android_device_motorola_pstar
https://github.com/SGCMarkus/android_device_motorola_sm8250-common
https://github.com/SGCMarkus/android_kernel_motorola_sm8250

[KurtKrummbein]

Have the same issue with gauguin and LOS18.1 (official nightly from 20220314).
If i do "mount | grep firmware" is see with patched boot from magisk 24301:
/dev/block/sde48 on /vendor/firmware_mnt type vfat (ro,context=u:object_r:firmware_file:s0,relatime,uid=1000,gid=1000,fmask=0337,dmask=0227,codepage=437,iocharset=utf8,shortname=lower,errors=remount-ro)
/dev/block/sde33 on /vendor/bt_firmware type vfat (ro,context=u:object_r:bt_firmware_file:s0,relatime,uid=1002,gid=3002,fmask=0337,dmask=0227,codepage=437,iocharset=utf8,shortname=lower,errors=remount-ro)

and the same when i boot stock boot.img.
But "ls /vendor/firmware_mnt" is empty with magisk and shows image subdir on stock.
SE-Linux enforcing, rules missing or wrong?