If you want to run the Android Compatibility Test Suite (CTS) with SE for Android, you should follow the standard instructions as per http://source.android.com/compatibility/.
You may wish to collect any permission denials and log messages that occur during the CTS execution for later use in diagnosing failures and amending the policy to better support the CTS. However, note that many denials occur normally during the CTS and should not necessarily be allowed. In particular, various security-related tests may intentionally trigger denials and other tests will often trigger harmless denials from filesystem or /proc/pid traversals that are not required for correct operation. Do not amend the policy unless a denial causes a test failure, and even then, it is best to bring the issue to the seandroid-list mailing list for discussion on the best solution. You can collect denial messages from the kernel ring buffer and from logcat as follows:
    adb shell su 0 cat /proc/kmsg > dmesg.txt &
    adb logcat > logcat.txt &
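The following Python script is an added example, not part of the original page or of the SE for Android project. It groups the "avc: denied" lines found in dmesg.txt and logcat.txt by source type, target type, class, permission and command name, so that repeated denials can be compared against the tests that actually failed. The sample lines are constructed, and the function names are assumptions of this example.

```python
import re
import sys
from collections import Counter

# Kernel audit format: avc: denied { perms } for key=value ... tclass=...
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines (not captured from a real device).
SAMPLE = [
    '<5>[ 101.1] type=1400 audit(1380000000.100:10): avc:  denied  { read } for  pid=2001 comm="ndroid.cts.stub" name="kmsg" dev=proc scontext=u:r:untrusted_app:s0 tcontext=u:object_r:proc:s0 tclass=file',
    '<5>[ 101.2] type=1400 audit(1380000000.200:11): avc:  denied  { read } for  pid=2001 comm="ndroid.cts.stub" name="kmsg" dev=proc scontext=u:r:untrusted_app:s0 tcontext=u:object_r:proc:s0 tclass=file',
    'W/audit ( 2050): avc:  denied  { read open } for  pid=2050 comm="Binder Thread" scontext=u:r:shell:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir',
    'I/ActivityManager(  500): Start proc com.android.cts.stub',
    '<5>[ 102.0] type=1400 audit(1380000002.000:13): avc:  denied  { getattr } for  pid=20',
]

def parse_denial(line):
    """Return a dict for one 'avc: denied' line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: the contexts are missing
    fields["perms"] = sorted(m.group("perms").split())
    return fields

def context_type(ctx):
    """Extract the type from user:role:type:level; return ctx if malformed."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx

def summarize(lines):
    """Count denials per (source type, target type, class, permission, comm)."""
    counts = Counter()
    for d in filter(None, map(parse_denial, lines)):
        src, tgt = context_type(d["scontext"]), context_type(d["tcontext"])
        for perm in d["perms"]:
            counts[(src, tgt, d["tclass"], perm, d.get("comm", "?"))] += 1
    return counts

if __name__ == "__main__":
    # With arguments, read the capture files named on this page, e.g.
    # dmesg.txt logcat.txt; without arguments, use the constructed sample.
    lines = SAMPLE
    if sys.argv[1:]:
        lines = [l for p in sys.argv[1:] for l in open(p, errors="replace")]
    for key, n in summarize(lines).most_common():
        print(n, *key)
```
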
Individual CTS tests that test SELinux settings can be run as follows:
    cts-tradefed
    run cts -c android.security.cts.KernelSettingsTest
    run cts -c android.security.cts.SELinuxTest
    run cts -c android.security.cts.SELinuxDomainTest
    run cts -c android.cts.security.SELinuxHostTest
    run cts -c android.cts.security.SELinuxNeverallowRulesTest
In AOSP master, SELinuxDomainTest has been migrated into SELinuxHostTest.