diff --git a/README.md b/README.md
index 4b0a9305..d33be7b9 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,7 @@ and zip binaries can be downloaded from [here](http://gnuwin32.sourceforge.net/p
 
 ## Install
 
-1. Install Magisk v19.0+ (for latest EdXposed or Huawei devices, use our custom Magisk: Change Magisk update channel to [this](http://edxp.meowcat.org/repo/version.json)).
+1. Install Magisk v19.0+ (for latest EdXposed or Huawei devices, use at least official Magisk v20.2+ or use our custom Magisk: Change Magisk update channel to [this](http://edxp.meowcat.org/repo/version.json)).
 2. Install [Riru-Core](https://github.com/RikkaApps/Riru/releases) v19+ from Magisk repo.
 3. [Download](#download) and install EdXposed in Magisk Manager or recovery mode.
 4. Install [companion application](#companion-applications).
diff --git a/edxp-core/template_override/post-fs-data.sh b/edxp-core/template_override/post-fs-data.sh
index ba9a0020..66c2bd1c 100644
--- a/edxp-core/template_override/post-fs-data.sh
+++ b/edxp-core/template_override/post-fs-data.sh
@@ -6,20 +6,6 @@ MODDIR=${0%/*}
 # This script will be executed in post-fs-data mode
 # More info in the main Magisk thread
 
-# necessary for using mmap in system_server process
-#supolicy --live "allow system_server system_server process {execmem}"
-# supolicy --live "allow system_server system_server memprotect {mmap_zero}"
-
-# for built-in apps // TODO maybe narrow down the target classes
-#supolicy --live "allow coredomain coredomain process {execmem}"
-
-# read configs set in our app
-#supolicy --live "allow coredomain app_data_file * *"
-#supolicy --live "attradd {system_app platform_app} mlstrustedsubject"
-
-# read module apk file in zygote
-#supolicy --live "allow zygote apk_data_file * *"
-
 . ${MODDIR}/util_functions.sh
 
 start_log_catchers
diff --git a/edxp-core/template_override/sepolicy.rule b/edxp-core/template_override/sepolicy.rule
new file mode 100644
index 00000000..6a14063f
--- /dev/null
+++ b/edxp-core/template_override/sepolicy.rule
@@ -0,0 +1,12 @@
+# necessary for using mmap in system_server process
+allow system_server system_server process {execmem}
+
+# for built-in apps // TODO maybe narrow down the target classes
+allow coredomain coredomain process {execmem}
+
+# read configs set in our app
+allow coredomain app_data_file * *
+attradd {system_app platform_app} mlstrustedsubject
+
+# read module apk file in zygote
+allow zygote apk_data_file * *