connect() fails with -EACCES

[RenaKunisaki]

On LG G4 with Android 6.0, the exploit works (code is running under init process), but fails to connect the shell due to selinux (connect() returns -EACCES). I've been toying with other methods (exec a shell script, open /dev/pts/n) but so far nothing. (I might be doing the /dev/pts part wrong?)

timwr's method (replacing run-as) does spawn a shell, but in a more limited context. Ideally I want a shell in init context, or some other that has more access.

Any other ideas to get around selinux blocking sockets?