diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 5d4a73c29..e4315a200 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -57,6 +57,9 @@ unix_socket_connect(microdroid_payload, vm_payload_service, microdroid_manager)
 allow microdroid_payload encryptedstore_file:dir create_dir_perms;
 allow microdroid_payload encryptedstore_file:file create_file_perms;
+# Payload can access devices labeled as payload accessible.
+allow microdroid_payload payload_accessible_device:chr_file rw_file_perms;
+
 # Never allow microdroid_payload to connect to vsock
 neverallow microdroid_payload self:vsock_socket connect;
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index 1a64b629c..dfae6f9df 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -12,6 +12,7 @@ type loop_device, dev_type;
 type null_device, dev_type;
 type open_dice_device, dev_type;
 type owntty_device, dev_type;
+type payload_accessible_device, dev_type;
 type properties_device, dev_type;
 type properties_serial, dev_type;
 type property_info, dev_type;
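Review bot: The new `allow microdroid_payload payload_accessible_device:chr_file rw_file_perms;` grants the untrusted payload an unrestricted ioctl surface on whatever char device carries this label — if `rw_file_perms` is the AOSP global macro, it expands to include `ioctl` and `map`, and no `allowxperm` narrows the ioctl set. Since nothing in this diff assigns the label (no file_contexts or genfscon change is visible), the rule is only as safe as the driver behind each device someone later labels, and the driver's ioctl handler becomes reachable from payload code. If the intended devices need a known set of ioctls, add an allowlist such as `allowxperm microdroid_payload payload_accessible_device:chr_file ioctl { <needed ioctls> };`; otherwise the comment should state the exposure so whoever labels a device understands it, e.g. `# Payload gets full read/write/mmap/ioctl on devices labeled payload_accessible_device; only label devices whose driver is hardened against untrusted ioctl input.`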
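Review bot: `type payload_accessible_device, dev_type;` is added without a comment, and it sits in the public device.te where the other types are equally bare, so a reader cannot tell from this file what distinguishes it from the neighbouring device types or who is expected to apply it. A one-line comment would make the intent and the responsibility explicit, e.g. `# Char devices deliberately exposed to the (untrusted) microdroid_payload domain; assigned per-device by explicit labeling, never by default.` The policy consumer of this type (the allow rule in microdroid_payload.te) is in the other file of this change, so it is worth naming it here.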