diff --git a/overlay/usr/libexec/init-storage b/overlay/usr/libexec/init-storage index 3cca98c..8141047 100755 --- a/overlay/usr/libexec/init-storage +++ b/overlay/usr/libexec/init-storage @@ -28,6 +28,8 @@ format_dev() { mount "${dev}" "${tmpdir}" || exit btrfs subvolume create "${tmpdir}"/var || exit chcon -t var_t "${tmpdir}"/var || exit + btrfs subvolume create "${tmpdir}"/etc || exit + chcon -t etc_t "${tmpdir}"/etc || exit umount "${dev}" || exit } @@ -37,6 +39,18 @@ has_fs() { [ -n "${fstype}" ] } +setup_etc() { + dev="$1" + + echo 'Initializing writable paths in /etc' + mount -o subvol=etc "${dev}" "${tmpdir}" || exit + if [ ! -f "${tmpdir}"/shadow ]; then + cp -ca /etc/shadow "${tmpdir}"/shadow || exit + fi + mount -o bind "${tmpdir}"/shadow /etc/shadow || exit + umount "${tmpdir}" +} + datapart=$(findfs PARTLABEL=dch-data) if [ -b "${datapart}" ]; then printf 'Found data partition: %s\n' "${datapart}" @@ -53,4 +67,5 @@ if ! has_fs "${datapart}"; then format_dev "${datapart}" fi +setup_etc "${datapart}" copy_var "${datapart}" diff --git a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te index bb4a57c..eeaa03d 100644 --- a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te +++ b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te @@ -61,6 +61,10 @@ seutil_read_file_contexts(aimee_storinit_t) kernel_rw_unlabeled_dirs(aimee_storinit_t) kernel_relabelfrom_unlabeled_dirs(aimee_storinit_t) + +auth_manage_shadow(aimee_storinit_t) +auth_relabel_shadow(aimee_storinit_t) + files_manage_var_dirs(aimee_storinit_t) files_relabel_var_dirs(aimee_storinit_t) files_manage_var_files(aimee_storinit_t) @@ -74,6 +78,8 @@ gen_require(` type init_var_lib_t; type auditd_log_t; type tmp_t; + type etc_t; + type shadow_t; attribute logfile; ') manage_dirs_pattern(aimee_storinit_t, var_lib_t, var_lib_t) 
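Review bot: Bind-mounting a single file over `/etc/shadow` (the `mount -o bind` line in setup_etc) will, as far as I can tell, break any tool that updates the shadow file by writing a temporary and renaming it into place, because rename(2) onto a mount point fails with EBUSY, and I believe shadow-utils' `passwd`/`chpasswd` work that way; please verify a password change succeeds with this in place, and if it does not, keeping the `etc` subvolume mounted at a persistent path and bind-mounting a directory rather than the file would avoid the per-file mount point. The seed copy is also not crash-safe: `cp` creates the destination before it finishes writing, and the `[ ! -f "${tmpdir}"/shadow ]` guard then accepts a truncated copy on every later boot, so copy to a temporary name and rename, `cp -ca /etc/shadow "${tmpdir}"/shadow.tmp || exit` followed by `mv "${tmpdir}"/shadow.tmp "${tmpdir}"/shadow || exit`, which keeps the guard honest. Finally the closing `umount "${tmpdir}"` is the only command in the function without `|| exit`; either add it or leave a comment stating that the failure is tolerated on purpose.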
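Review bot: `setup_etc "${datapart}"` now runs for every partition that passes `has_fs`, but only `format_dev` (first hunk of this file) creates the `etc` subvolume, so a data partition formatted by an earlier version of this script has no `etc` subvolume, `mount -o subvol=etc` fails, and the `|| exit` aborts storage init before `copy_var` ever runs. Unless every deployed device is reformatted as part of this change, setup_etc (previous hunk) should create and relabel the subvolume when it is missing, mirroring format_dev, before mounting it. One way to do that at the top of setup_etc:

```shell
setup_etc() {
	dev="$1"

	# Partitions formatted before the etc subvolume existed lack it; create it on first use.
	mount "${dev}" "${tmpdir}" || exit
	if [ ! -d "${tmpdir}"/etc ]; then
		btrfs subvolume create "${tmpdir}"/etc || exit
		chcon -t etc_t "${tmpdir}"/etc || exit
	fi
	umount "${tmpdir}" || exit

	# … unchanged: echo, mount -o subvol=etc, seed copy, bind mount, umount …
}
```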
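Review bot: `auth_manage_shadow(aimee_storinit_t)` and `auth_relabel_shadow(aimee_storinit_t)` make the storage-init domain a writer of shadow_t, and nothing in the policy records that this exists only to seed one copy of `/etc/shadow` onto the data subvolume (the `cp -ca` in init-storage), which is what the next reader needs in order to judge whether the grant is still justified; a comment above the pair, `# seed and bind-mount the persistent copy of /etc/shadow (see init-storage setup_etc)`, would do. `auth_manage_shadow` also permits unlinking or renaming the real `/etc/shadow`, which the script never does; if the refpolicy you build against offers a read-plus-create subset it would be the tighter choice, but I have not confirmed that one exists. The `mounton` rule for the same file sits in a later hunk of this file; keeping the three shadow-related rules together would make the grant easier to audit.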
@@ -124,6 +130,9 @@ manage_dirs_pattern(aimee_storinit_t, tmp_t, tmp_t) relabel_dirs_pattern(aimee_storinit_t, tmp_t, tmp_t) manage_files_pattern(aimee_storinit_t, tmp_t, tmp_t) relabel_files_pattern(aimee_storinit_t, tmp_t, tmp_t) +manage_dirs_pattern(aimee_storinit_t, etc_t, etc_t) +relabel_dirs_pattern(aimee_storinit_t, etc_t, etc_t) +allow aimee_storinit_t shadow_t:file mounton; ######################################## #
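Review bot: `allow aimee_storinit_t shadow_t:file mounton;` is the one raw allow rule among the pattern macros in this block and carries no hint of why the domain mounts on a shadow file; a comment, `# bind-mount the seeded copy from the data subvolume over /etc/shadow`, ties it to the script step it serves. `manage_dirs_pattern(aimee_storinit_t, etc_t, etc_t)` also grants create, rmdir, rename and reparent on every etc_t directory, while the script only needs to add one file inside the single subvolume it relabels (the subvolume itself is presumably created while the mount is still unlabeled, which the existing `kernel_rw_unlabeled_dirs` covers); if a narrower grant passes under audit, prefer it over the full manage pattern, though I have not verified which permission set `cp -ca` and the bind mount actually trigger here.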