diff --git a/target/board/generic/sepolicy/createns.te b/target/board/generic/sepolicy/createns.te
new file mode 100644
index 000000000..1eaf9ef58
--- /dev/null
+++ b/target/board/generic/sepolicy/createns.te
@@ -0,0 +1,14 @@
+# Network namespace creation
+type createns, domain;
+type createns_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(createns)
+
+allow createns self:capability { sys_admin net_raw setuid setgid };
+allow createns varrun_file:dir { add_name search write };
+allow createns varrun_file:file { create mounton open read write };
+
+#Allow createns itself to be run by init in its own domain
+domain_auto_trans(goldfish_setup, createns_exec, createns);
+allow createns goldfish_setup:fd use;
+
diff --git a/target/board/generic/sepolicy/execns.te b/target/board/generic/sepolicy/execns.te
index d1e373e89..9675a99c7 100644
--- a/target/board/generic/sepolicy/execns.te
+++ b/target/board/generic/sepolicy/execns.te
@@ -5,8 +5,9 @@ type execns_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(execns)
 allow execns varrun_file:dir search;
+allow execns varrun_file:file r_file_perms;
 allow execns self:capability sys_admin;
-allow execns proc:file { open read };
+allow execns nsfs:file { open read };
 #Allow execns itself to be run by init in its own domain
 domain_auto_trans(init, execns_exec, execns);
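Review bot: The comment `#Allow createns itself to be run by init in its own domain` does not match the rule beneath it, which transitions from goldfish_setup rather than init; `init_daemon_domain(createns)` is what separately gives init that transition. Suggest `# Allow goldfish_setup to run createns in its own domain`, and note that the same domain_auto_trans(goldfish_setup, createns_exec, createns) is added again to goldfish_setup.te in this commit, so one copy is redundant. The capability set `{ sys_admin net_raw setuid setgid }` is broad for a helper whose visible job is creating a namespace and bind-mounting a handle under varrun_file; if setuid/setgid are there so the binary can drop privileges after setup, a one-line comment saying so would keep the next reader from widening or narrowing the set blindly, and if they are unused they should be dropped.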
@@ -17,6 +18,17 @@ domain_auto_trans(execns, dhcpclient_exec, dhcpclient);
 # Allow dhcpserver to be run by execns in its own domain
 domain_auto_trans(execns, dhcpserver_exec, dhcpserver);
-# Allow hostapd to be run by execns in its own domain
-domain_auto_trans(execns, hostapd_exec, hostapd);
-allow hostapd execns:fd use;
+# Rules to allow execution of hostapd and allow it to run
+allow execns hal_wifi_hostapd_default_exec:file { execute_no_trans };
+allow execns self:capability { net_admin net_raw };
+allow execns self:netlink_generic_socket { bind create getattr read setopt write };
+allow execns self:netlink_route_socket { bind create read write nlmsg_write };
+allow execns execns:udp_socket { create ioctl };
+allow execns self:packet_socket { create setopt };
+allow execns sysfs_net:dir { search };
+allowxperm execns self:udp_socket ioctl priv_sock_ioctls;
+
+# Allow execns to read createns proc file to get the namespace file
+allow execns createns:file read;
+allow execns createns:dir search;
+allow execns createns:lnk_file read;
diff --git a/target/board/generic/sepolicy/file.te b/target/board/generic/sepolicy/file.te
index 4762e0d7a..b0aa217ae 100644
--- a/target/board/generic/sepolicy/file.te
+++ b/target/board/generic/sepolicy/file.te
@@ -1,3 +1,4 @@
 type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
 type varrun_file, file_type, data_file_type, mlstrustedobject;
 type mediadrm_vendor_data_file, file_type, data_file_type;
+type nsfs, fs_type;
diff --git a/target/board/generic/sepolicy/file_contexts b/target/board/generic/sepolicy/file_contexts
index 41a319e76..73fe75245 100644
--- a/target/board/generic/sepolicy/file_contexts
+++ b/target/board/generic/sepolicy/file_contexts
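Review bot: `allow execns hal_wifi_hostapd_default_exec:file { execute_no_trans };` runs hostapd inside the execns domain in place of the removed domain_auto_trans into the hostapd domain, so hostapd now inherits execns's `self:capability sys_admin` (granted in the earlier hunk of this file) on top of the net_admin/net_raw, netlink, packet-socket and privileged-ioctl rules added here. hostapd parses untrusted over-the-air frames, so losing its own confined domain is a containment regression rather than a neutral simplification; if the hal_wifi_hostapd_default domain exists in this policy, `domain_auto_trans(execns, hal_wifi_hostapd_default_exec, hal_wifi_hostapd_default);` plus the matching `fd use` rule would keep it confined, and if a transition is not possible from inside the namespace the comment should say why. Minor style: `allow execns execns:udp_socket { create ioctl };` should use `self` like the neighbouring rules.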
@@ -19,6 +19,7 @@
 /vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0
 /vendor/bin/init\.wifi\.sh u:object_r:goldfish_setup_exec:s0
 /vendor/bin/qemu-props u:object_r:qemu_props_exec:s0
+/vendor/bin/createns u:object_r:createns_exec:s0
 /vendor/bin/execns u:object_r:execns_exec:s0
 /vendor/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0
 /vendor/bin/dhcpclient u:object_r:dhcpclient_exec:s0
@@ -41,5 +42,5 @@
 # data
 /data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
-/data/var/run(/.*)? u:object_r:varrun_file:s0
+/data/vendor/var/run(/.*)? u:object_r:varrun_file:s0
diff --git a/target/board/generic/sepolicy/genfs_contexts b/target/board/generic/sepolicy/genfs_contexts
index 91cedf13d..1b816263b 100644
--- a/target/board/generic/sepolicy/genfs_contexts
+++ b/target/board/generic/sepolicy/genfs_contexts
@@ -15,3 +15,6 @@ genfscon sysfs /devices/platform/GFSH0007:00/rtc u:object_r:sysfs_rtc:s0
 genfscon sysfs /devices/pci0000:00/0000:00:08.0/virtio5/net u:object_r:sysfs_net:s0
 genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim0/net u:object_r:sysfs_net:s0
 genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim1/net u:object_r:sysfs_net:s0
+
+# /proc//ns
+genfscon nsfs / u:object_r:nsfs:s0
diff --git a/target/board/generic/sepolicy/goldfish_setup.te b/target/board/generic/sepolicy/goldfish_setup.te
index 31d35e68a..1492cbd42 100644
--- a/target/board/generic/sepolicy/goldfish_setup.te
+++ b/target/board/generic/sepolicy/goldfish_setup.te
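Review bot: Moving the varrun_file label from `/data/var/run(/.*)?` to `/data/vendor/var/run(/.*)?` only takes effect if whatever creates that directory (presumably an init.rc mkdir) and the createns/execns/goldfish_setup code that opens the namespace handles use the new path; neither is in this diff, so it is worth confirming, because a mismatch leaves the directory under a different label and the mounton/create rules in createns.te and goldfish_setup.te silently denied. A short comment beside the entry, e.g. `# namespace handles bind-mounted here by createns`, would record why this directory is special-cased.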
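Review bot: The comment `# /proc//ns` above the new genfscon line in genfs_contexts reads as if a placeholder lost its brackets while editing; suggest `# nsfs backs the /proc/<pid>/ns/* namespace handles (and their bind mounts)` so the `genfscon nsfs / u:object_r:nsfs:s0` line below it documents what the nsfs type is for.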
@@ -17,7 +17,7 @@ set_prop(goldfish_setup, ctl_default_prop);
 # Set up WiFi
 allow goldfish_setup self:netlink_route_socket { create nlmsg_write setopt bind getattr read write nlmsg_read };
-allow goldfish_setup self:netlink_socket create_socket_perms_no_ioctl;
+allow goldfish_setup self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow goldfish_setup self:capability { sys_module sys_admin };
 allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name };
 allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink };
@@ -25,14 +25,21 @@ allow goldfish_setup execns_exec:file rx_file_perms;
 allow goldfish_setup proc_net:file rw_file_perms;
 allow goldfish_setup proc:file r_file_perms;
 set_prop(goldfish_setup, ctl_default_prop);
+allow goldfish_setup nsfs:file r_file_perms;
 allow goldfish_setup system_data_file:dir getattr;
 allow goldfish_setup kernel:system module_request;
 # Allow goldfish_setup to run /system/bin/ip and /system/bin/iw
 allow goldfish_setup system_file:file execute_no_trans;
 # Allow goldfish_setup to run init.wifi.sh
 allow goldfish_setup goldfish_setup_exec:file execute_no_trans;
+#Allow goldfish_setup to run createns in its own domain
+domain_auto_trans(goldfish_setup, createns_exec, createns);
 # iw
 allow goldfish_setup sysfs:file { read open };
 # iptables
 allow goldfish_setup system_file:file lock;
 allow goldfish_setup self:rawip_socket { create getopt setopt };
+# Allow goldfish_setup to read createns proc file to get the namespace file
+allow goldfish_setup createns:file { read };
+allow goldfish_setup createns:dir { search };
+allow goldfish_setup createns:lnk_file { read };
diff --git a/target/product/emulator.mk b/target/product/emulator.mk
index 7a6aa09c8..11466b890 100644
--- a/target/product/emulator.mk
+++ b/target/product/emulator.mk
@@ -119,6 +119,7 @@ PRODUCT_PACKAGES += \
 # WiFi
 PRODUCT_PACKAGES += \
+ createns \
 dhcpclient \
 dhcpserver \
 execns \
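Review bot: `domain_auto_trans(goldfish_setup, createns_exec, createns);` in the second goldfish_setup.te hunk is also declared in the new createns.te of this same commit; identical duplicates compile, but the rule should live in one file (createns.te already pairs it with the `goldfish_setup:fd use` rule) so the two copies cannot drift apart. The comment `#Allow goldfish_setup to run createns in its own domain` also lacks the space after `#` that the surrounding comments in this file use.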