This is briefly explained in Implementing SELinux as a Linux Security Module:
This results in a populated selinuxfs filesystem and sets up the special null device node used by SELinux when it closes unauthorized files upon a context-changing execve.
Apparently, programs cannot use /dev/null
directly in the SELinux context and they needed their own version. This was previously known as open_devnull and its
This patch against 2.6.6-rc3 changes the SELinux module to try to reset any descriptors it closes on exec (due to a lack of permission by the new domain to the inherited open file) to refer to the null device. This counters the problem of SELinux inducing program misbehavior, particularly due to having descriptors 0-2 closed when the new domain is not allowed access to the caller's tty. This is primarily to address the case where the caller is trusted with respect to the new domain, as the untrusted caller case is already handled via AT_SECURE and glibc secure mode.
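An added user-space illustration (not code from the patch or from the SELinux module) of the misbehavior the patch message describes: when descriptors 0-2 arrive closed, the next open() is handed one of those numbers, and pointing them at the null device first prevents that. The function names are hypothetical, and /dev/null stands in for the null device node that SELinux sets up for itself.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Point each closed descriptor in 0-2 at the null device.
 * Returns how many were repaired, or -1 on error. */
int ensure_std_fds(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                    /* still open: leave it alone */
        int nfd = open("/dev/null", O_RDWR);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {                 /* force the exact slot */
            if (dup2(nfd, fd) == -1)
                return -1;
            close(nfd);
        }
        repaired++;
    }
    return repaired;
}

/* In a child, close 0-2 (the state after an exec where the new domain may
 * not use the caller's tty), optionally repair them, then open a "data file".
 * Returns 1 if that file landed on descriptor 0, 1 or 2; 0 if not; -1 on error. */
int data_file_lands_on_std_fd(int repair)
{
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        close(0); close(1); close(2);
        if (repair && ensure_std_fds() != 3)
            _exit(2);
        int fd = open("/dev/null", O_WRONLY);  /* stand-in for a data file */
        _exit(fd == -1 ? 2 : (fd <= 2));
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) > 1)
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("unrepaired: %d\n", data_file_lands_on_std_fd(0));
    printf("repaired:   %d\n", data_file_lands_on_std_fd(1));
    return 0;
}
```

In the unrepaired case the data file occupies a standard descriptor, so anything the program later writes to stdout or stderr can end up in a file it opened for another purpose.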