diff --git a/target/board/generic/sepolicy/execns.te b/target/board/generic/sepolicy/execns.te
index 9675a99c7..dc6c42411 100644
--- a/target/board/generic/sepolicy/execns.te
+++ b/target/board/generic/sepolicy/execns.te
@@ -6,7 +6,7 @@ init_daemon_domain(execns)
 
 allow execns varrun_file:dir search;
 allow execns varrun_file:file r_file_perms;
-allow execns self:capability sys_admin;
+allow execns self:capability { sys_admin setuid setgid };
 allow execns nsfs:file { open read };
 
 #Allow execns itself to be run by init in its own domain
@@ -18,15 +18,8 @@ domain_auto_trans(execns, dhcpclient_exec, dhcpclient);
 # Allow dhcpserver to be run by execns in its own domain
 domain_auto_trans(execns, dhcpserver_exec, dhcpserver);
 
-# Rules to allow execution of hostapd and allow it to run
-allow execns hal_wifi_hostapd_default_exec:file { execute_no_trans };
-allow execns self:capability { net_admin net_raw };
-allow execns self:netlink_generic_socket { bind create getattr read setopt write };
-allow execns self:netlink_route_socket { bind create read write nlmsg_write };
-allow execns execns:udp_socket { create ioctl };
-allow execns self:packet_socket { create setopt };
-allow execns sysfs_net:dir { search };
-allowxperm execns self:udp_socket ioctl priv_sock_ioctls;
+# Allow hostapd_nohidl to be run by execns in its own domain
+domain_auto_trans(execns, hostapd_nohidl_exec, hostapd_nohidl);
 
 # Allow execns to read createns proc file to get the namespace file
 allow execns createns:file read;
diff --git a/target/board/generic/sepolicy/file_contexts b/target/board/generic/sepolicy/file_contexts
index 73fe75245..7cd79fecd 100644
--- a/target/board/generic/sepolicy/file_contexts
+++ b/target/board/generic/sepolicy/file_contexts
@@ -24,6 +24,7 @@
 /vendor/bin/ipv6proxy        u:object_r:ipv6proxy_exec:s0
 /vendor/bin/dhcpclient       u:object_r:dhcpclient_exec:s0
 /vendor/bin/dhcpserver       u:object_r:dhcpserver_exec:s0
+/vendor/bin/hostapd_nohidl   u:object_r:hostapd_nohidl_exec:s0
 
 /vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine          u:object_r:hal_drm_widevine_exec:s0
 
diff --git a/target/board/generic/sepolicy/hostapd_nohidl.te b/target/board/generic/sepolicy/hostapd_nohidl.te
new file mode 100644
index 000000000..add648a01
--- /dev/null
+++ b/target/board/generic/sepolicy/hostapd_nohidl.te
@@ -0,0 +1,16 @@
+type hostapd_nohidl, domain;
+type hostapd_nohidl_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hostapd_nohidl)
+net_domain(hostapd_nohidl)
+
+allow hostapd_nohidl execns:fd use;
+
+allow hostapd_nohidl self:capability { net_admin net_raw };
+allow hostapd_nohidl self:netlink_generic_socket { bind create getattr read setopt write };
+allow hostapd_nohidl self:netlink_route_socket nlmsg_write;
+allow hostapd_nohidl self:packet_socket { create setopt };
+allowxperm hostapd_nohidl self:udp_socket ioctl priv_sock_ioctls;
+
+# hostapd will attempt to search sysfs but it's not needed and will spam the log
+dontaudit hostapd_nohidl sysfs_net:dir search;