diff --git a/sepolicy/esed.te b/sepolicy/esed.te
index 6646334e..a989d553 100644
--- a/sepolicy/esed.te
+++ b/sepolicy/esed.te
@@ -1,3 +1,5 @@
+# android.hardware.oemlock and weaver HAL implementation
+# Clean up naming after via b/38447431
 type esed, domain;
 type esed_exec, exec_type, vendor_file_type, file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 516bc026..6d05b93c 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -214,8 +214,11 @@
 /vendor/bin/ims_rtp_daemon u:object_r:ims_exec:s0
 /vendor/bin/qmuxd u:object_r:qmuxd_exec:s0
 /vendor/bin/cnd u:object_r:cnd_exec:s0
+# Remove after b/38447389
 /vendor/bin/esed u:object_r:esed_exec:s0
-/vendor/bin/ese_load u:object_r:esed_exec:s0
+# Rename to android.hardware.[XXX] after b/38447431
+/vendor/bin/hw/esed u:object_r:esed_exec:s0
+/vendor/bin/ese_load u:object_r:init_ese_exec:s0
 /vendor/bin/ese-replay u:object_r:esed_exec:s0
 /vendor/bin/ese-ls-provision u:object_r:esed_exec:s0
 /vendor/bin/hw/android\.hardware\.usb@1\.1-service.wahoo u:object_r:hal_usb_default_exec:s0
diff --git a/sepolicy/init_ese.te b/sepolicy/init_ese.te
new file mode 100644
index 00000000..200e2772
--- /dev/null
+++ b/sepolicy/init_ese.te
@@ -0,0 +1,18 @@
+# /vendor/bin/ese_load init called shell script.
+# TODO: Update system_violators for b/38447496
+type init_ese, domain, vendor_executes_system_violators;
+type init_ese_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_ese)
+
+# Shell script exec (toolbox)
+allow init_ese shell_exec:file r_file_perms;
+allow init_ese toolbox_exec:file rx_file_perms;
+
+# eSE tools
+allow init_ese esed_exec:file rx_file_perms;
+
+# eSE device and data dirs
+allow init_ese pn81a_device:chr_file rw_file_perms;
+allow init_ese ese_vendor_data_file:dir create_dir_perms;
+allow init_ese ese_vendor_data_file:file create_file_perms;
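Review bot: `/vendor/bin/ese-replay` and `/vendor/bin/ese-ls-provision` in the file_contexts hunk still carry `esed_exec`, the same label as the daemon at `/vendor/bin/esed` and `/vendor/bin/hw/esed`, so policy cannot tell the provisioning tools apart from the HAL service. The new init_ese.te in this commit grants `allow init_ese esed_exec:file rx_file_perms;`, and because `rx_file_perms` includes `execute_no_trans`, that single rule lets the loader script run the daemon binary in its own domain as well as the tools. Consider giving the two tools their own exec type, for example `/vendor/bin/ese-replay u:object_r:<ese_tool_exec_type>:s0` (placeholder name), and granting init_ese execute on that type only.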
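Review bot: The last two rules of init_ese.te give init_ese `create_dir_perms` and `create_file_perms` on `ese_vendor_data_file`, which cover creating, renaming and removing the directory itself, and the comment `# eSE device and data dirs` does not say why a loader script needs that much. If the directory is created elsewhere (not visible in this diff), `rw_dir_perms` on the dir is likely enough; otherwise extend the comment, for example `# ese_load creates and replaces files under the eSE data dir and talks to the eSE char device directly`. The `vendor_executes_system_violators` TODO has a similar gap: it names the bug but not which toolbox commands the script depends on, which is what whoever removes the attribute will need to know.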