diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk
index 8a302845..b9b3b8c5 100644
--- a/gs101-sepolicy.mk
+++ b/gs101-sepolicy.mk
@@ -34,3 +34,8 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_logger
 
 # Public
 PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/public
+
+# pKVM
+ifeq ($(TARGET_PKVM_ENABLED),true)
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/pkvm
+endif
diff --git a/pkvm/file_contexts b/pkvm/file_contexts
new file mode 100644
index 00000000..310aad4d
--- /dev/null
+++ b/pkvm/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/pkvm_enabler u:object_r:vendor_misc_writer_exec:s0
diff --git a/pkvm/vendor_misc_writer.te b/pkvm/vendor_misc_writer.te
new file mode 100644
index 00000000..b9b4ceb1
--- /dev/null
+++ b/pkvm/vendor_misc_writer.te
@@ -0,0 +1,2 @@
+# Allow pkvm_enabler to execute misc_writer.
+allow vendor_misc_writer vendor_misc_writer_exec:file execute_no_trans;
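Review bot: The single entry in the new pkvm/file_contexts gives `/vendor/bin/pkvm_enabler` the existing `vendor_misc_writer_exec` type rather than a type of its own, so the helper and misc_writer become indistinguishable to policy. Any rule written against that type or its domain then applies to both binaries, and audit denials cannot tell them apart. If pkvm_enabler only needs to invoke misc_writer, a dedicated exec type and domain with a transition into `vendor_misc_writer` would keep its privileges separately reviewable (names such as `pkvm_enabler_exec` are constructed here, not taken from the tree). If sharing the label is deliberate, record the reason next to the entry, e.g. `# Shares misc_writer's exec type on purpose: <reason>`.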
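Review bot: The comment in pkvm/vendor_misc_writer.te names pkvm_enabler, but the rule's source is `vendor_misc_writer`, so it grants `execute_no_trans` on every `vendor_misc_writer_exec` file to every process in that domain. The link to pkvm_enabler exists only because pkvm/file_contexts labels that binary `vendor_misc_writer_exec`; the domain transition that would put it in `vendor_misc_writer` is presumably defined outside this diff. I would reword the comment so the scope is explicit: `# pkvm_enabler is labelled vendor_misc_writer_exec (see file_contexts) and is expected to run as vendor_misc_writer;` followed by `# allow that domain to exec misc_writer in place, without a domain transition.`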