From Debian package 0.0.20080702-13 Use the Lenny paths for xm, xend, xenstored, and xenconsoled. Paths merged upstream in r2885 Add some extra permissions that Xen needs. So far as I can see, parts of this are now redundant.
Index: policy/modules/system/xen.te
===================================================================
--- policy/modules/system/xen.te.orig
+++ policy/modules/system/xen.te
@@ -83,6 +83,9 @@
 files_type(xend_var_lib_t)
 # for mounting an NFS store
 files_mountpoint(xend_var_lib_t)
+fs_getattr_xattr_fs(xend_t)
+# for /var/lib/python-support/python2.5/.path
+files_read_var_lib_files(xend_t)
 # log files
 type xend_var_log_t;
@@ -298,7 +301,6 @@
 dev_rw_sysfs(xend_t)
 dev_rw_xen(xend_t)
-domain_dontaudit_read_all_domains_state(xend_t)
 domain_dontaudit_ptrace_all_domains(xend_t)
 files_read_etc_files(xend_t)
@@ -379,6 +381,7 @@
 domain_dontaudit_ptrace_all_domains(xenconsoled_t)
 files_read_etc_files(xenconsoled_t)
+corecmd_search_bin(xenconsoled_t)
 files_read_usr_files(xenconsoled_t)
 fs_list_tmpfs(xenconsoled_t)
@@ -430,6 +433,9 @@
 manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
 manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
 files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t, { file dir sock_file })
+allow xend_t xenstored_var_lib_t:dir rw_dir_perms;
+allow xend_t xenstored_var_lib_t:file unlink;
+corecmd_search_bin(xenstored_t)
 stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t)
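Review bot: `files_read_var_lib_files(xend_t)` in the first hunk gives xend_t read access to every file carrying the generic var_lib_t label, although the comment above it justifies only a single python-support `.path` file. Anything under /var/lib that another package leaves without a dedicated type becomes readable by xend, so a narrower grant is preferable: give the python-support directory its own type in the file contexts and allow xend_t to read only that. If the broad interface stays, the comment should say so, e.g. `# broad: reads all var_lib_t; only python-support's .path is needed`. `fs_getattr_xattr_fs(xend_t)` has no comment at all and should record the denial that motivated it. Both rules also sit in the type-declaration block rather than with the other xend_t rules further down the file (around `dev_rw_xen(xend_t)`).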
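Review bot: `corecmd_search_bin(xenconsoled_t)` in the third hunk is added without a comment saying which lookup needs it, and the same applies to `corecmd_search_bin(xenstored_t)` in the last hunk. The patch description already concedes that parts of the change are redundant, and without a per-rule rationale nobody can later tell which grants are safe to drop. If the reason is the relocated Lenny daemon paths the description mentions, a line such as `# search bin_t dirs to reach the Lenny install path of the daemon` above each call would be enough; otherwise quote the AVC denial that prompted it.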
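Review bot: The two raw `allow xend_t xenstored_var_lib_t:...` rules in the last hunk give xend_t more than the deletion they appear to be for, because `rw_dir_perms` also carries `add_name` and `read` on the directory while no file create permission accompanies it. If the intent is to let xend clear stale xenstored state (an inference; the patch does not say), `delete_files_pattern(xend_t, xenstored_var_lib_t, xenstored_var_lib_t)` expresses that with only the remove-entry permissions on the directory and getattr/unlink on files. The rules also belong with the xend_t policy rather than in the middle of the xenstored_t section, where a reader auditing xend_t will not look for them. They need a comment stating why one daemon may remove another daemon's state files, since that is a cross-domain grant a compromised xend could use to delete xenstored's state.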