diff --git a/private/crosvm.te b/private/crosvm.te
index f3fc9a8d3..034107f46 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -38,6 +38,12 @@ allow crosvm {
 # Allow searching the directory where the composite disk images are.
 allow crosvm virtualizationservice_data_file:dir search;

+# Let crosvm access its control socket as created by VS.
+# read, write, getattr: listener socket polling
+# accept: listener socket accepting new connection
+# Note that the open permission is not given as the socket is passed by FD.
+allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr };
+
 # Don't allow crosvm to open files that it doesn't own.
 # This is important because a malicious application could try to start a VM with a composite disk
 # image referring by name to files which it doesn't have permission to open, trying to get crosvm to
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 9ae5308e1..6e6b45961 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -29,6 +29,9 @@ allow virtualizationservice crosvm:process sigkill;
 allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
 allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;

+# Let virtualizationservice manage crosvm control sockets.
+allow virtualizationservice virtualizationservice_data_file:sock_file create_file_perms;
+
 # Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
 # crosvm to the console
 allow virtualizationservice adbd:fd use;
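Review bot: The new allow rule in crosvm.te is keyed on the type pair `virtualizationservice:unix_stream_socket`, so it covers every unix stream socket that virtualizationservice creates and hands to crosvm, not only the control socket, and the comment should say so. As far as I know, a connection returned by accept() keeps the listener's label, so `read write` here also authorise traffic on accepted control connections, which the comment attributes only to polling. I would add `# read, write: also apply to accepted connections, which keep the listener's label`. Receiving the socket by FD also depends on an `fd use` rule for virtualizationservice that is not visible in this hunk.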
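Review bot: The control socket file in virtualizationservice.te is created under the shared `virtualizationservice_data_file` label, so nothing in this hunk pins down which domains may reach the socket by path. Since crosvm receives the listener by FD, it looks as if only virtualizationservice should ever connect. If that holds across the rest of the policy, an assertion such as `neverallow { domain -virtualizationservice } virtualizationservice:unix_stream_socket connectto;` would stop a later rule from opening the VM control channel to another domain. `create_file_perms` also appears broader than bind and cleanup need, and a narrower set such as `{ create unlink }` may be enough; confirm against how VS manages the socket.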