diff --git a/overlay/usr/libexec/init-storage b/overlay/usr/libexec/init-storage
index 043cd32..c4685dc 100755
--- a/overlay/usr/libexec/init-storage
+++ b/overlay/usr/libexec/init-storage
@@ -68,6 +68,26 @@ setup_etc() {
 cp -ca /etc/shadow "${tmpdir}"/shadow || exit
 fi
 mount -o bind "${tmpdir}"/shadow /etc/shadow || exit
+ if [ -f /etc/aimee-os/writable-etc ]; then
+ while read type path; do
+ if [ ! -e "${tmpdir}/${path}" ]; then
+ if [ -e /etc/"${path}" ]; then
+ cp -ca /etc/"${path}" "${tmpdir}/${path}"
+ elif [ "${type}" = d ]; then
+ mkdir -p "${tmpdir}/${path}"
+ elif [ "${type}" = f ]; then
+ : > "${tmpdir}/${path}"
+ else
+ printf 'Invalid path type %s for %s\n' \
+ "${type}" \
+ "${path}" \
+ >&2
+ continue
+ fi
+ fi
+ mount -o bind "${tmpdir}/${path}" /etc/"${path}"
+ done < /etc/aimee-os/writable-etc
+ fi
 umount "${tmpdir}"
 }
 
diff --git a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
index 9e132b1..2b7e1c0 100644
--- a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
+++ b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
@@ -86,8 +86,10 @@ auth_manage_shadow(aimee_storinit_t)
 auth_relabel_shadow(aimee_storinit_t)
 gen_require(`
 type shadow_t;
+ attribute configfile;
 ')
 allow aimee_storinit_t shadow_t:file mounton;
+allow aimee_storinit_t configfile:{file dir} mounton;
 
 ########################################
 #
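Review bot: The new loop bind-mounts whatever `path` it reads without validating it. A blank line, or a line holding only a type, leaves `path` empty, so `[ ! -e "${tmpdir}/${path}" ]` is false and `mount -o bind "${tmpdir}/" /etc/` covers all of /etc with the storage directory. A `..` component would likewise take the `cp`, `mkdir` and `mount` targets outside `${tmpdir}` and /etc. I would reject both at the top of the loop body with `case "${path}" in ''|..|../*|*/..|*/../*) continue ;; esac`, and use `read -r` so backslashes in the list are not interpreted. Unlike the shadow mount just above, `cp`, `mkdir` and `mount` carry no `|| exit`, so a failed bind mount is silent; if that is deliberate best-effort, a short comment should say so. setup_etc begins before this hunk.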
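Review bot: `allow aimee_storinit_t configfile:{file dir} mounton;` lets the domain mount over every file and directory whose type carries the `configfile` attribute, which is far wider than the single-type `shadow_t` rule next to it, and nothing records why. A comment such as `# writable-etc entries are image-defined, so mounton is needed on any config file type` would document the intent. If the set of writable paths is in fact fixed, naming the specific types would keep the grant narrower. The hunk adds only `mounton`; whether existing rules already let the domain read those files and preserve their labels for the `cp -ca` in init-storage is not visible here.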