From Debian policy 0.0.20080702-14 Allow noatsecure for Xen domains so that LD_PRELOAD will work across a domain transition. Also dontaudit searching of the sysadm home dir and allow xend_t to manage xenstored_var_run_t. Allow losetup (fsadm_t) and udev access to Xen image files Updated for UBAC fsadm_t change and xen_rw_image_files merged upstream in 77c71b54 (2009-11-25) Index: policy/modules/system/xen.te =================================================================== --- policy/modules/system/xen.te.orig +++ policy/modules/system/xen.te @@ -345,6 +345,13 @@ netutils_domtrans(xend_t) +unconfined_dontaudit_search_home_dirs({ xend_t xenconsoled_t xenstored_t }) +ifdef(`distro_debian', ` +# xend uses LD_PRELOAD or similar for libxenctrl.so +allow xend_t { xenconsoled_t xenstored_t }:process noatsecure; +') +allow xend_t xenstored_var_run_t:file manage_file_perms; + optional_policy(` brctl_domtrans(xend_t) ') Index: policy/modules/system/udev.fc =================================================================== --- policy/modules/system/udev.fc.orig +++ policy/modules/system/udev.fc @@ -13,6 +13,7 @@ ifdef(`distro_debian', ` /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0) +/var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0) ', ` /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) ') Index: policy/modules/system/udev.te =================================================================== --- policy/modules/system/udev.te.orig +++ policy/modules/system/udev.te @@ -175,6 +175,8 @@ userdom_dontaudit_search_user_home_content(udev_t) +fstools_getattr_swap_files(udev_t) + ifdef(`distro_gentoo',` # during boot, init scripts use /dev/.rcsysinit # existance to determine if we are in early booting
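Review bot: In the xen.te hunk, `allow xend_t { xenconsoled_t xenstored_t }:process noatsecure;` turns off AT_SECURE on the transition into xenconsoled_t and xenstored_t, so the dynamic loader in those domains will honour whatever LD_PRELOAD/LD_LIBRARY_PATH xend_t passes in its environment; that is a deliberate weakening of the domain transition and the comment "xend uses LD_PRELOAD or similar for libxenctrl.so" is too vague to justify it. Name the exact variable and binary that need it (and why an ld.so.conf entry or rpath for libxenctrl.so would not do), so a later reviewer can tell when the rule can be dropped. Two smaller points in the same hunk: `unconfined_dontaudit_search_home_dirs(...)` is called outside an `optional_policy(` ')` block even though the `brctl_domtrans(xend_t)` call a few lines below is wrapped in one, so the module will fail to build on a policy without the unconfined module; and the header says it dontaudits "the sysadm home dir" while the interface used is an unconfined_* one, so either the interface or the description should change to match.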
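Review bot: In the udev.fc hunk, `/var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)` is placed inside the `ifdef(`distro_debian', ...)` block that otherwise holds only the Debian-specific `udev_exec_t` path, yet neither the hunk nor the patch header says why a Xen hotplug directory should be labelled udev_var_run_t or why it is Debian-only. Document which script creates and writes that directory, and if it is not Debian-specific move the entry out of the ifdef next to the other var_run entries; as written it will also silently stop matching if the directory moves under /run.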
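Review bot: In the udev.te hunk, the only change is `fstools_getattr_swap_files(udev_t)`, which does not match the header's "Allow losetup (fsadm_t) and udev access to Xen image files": there is no fsadm_t change anywhere in the patch, and the note that xen_rw_image_files was merged upstream in 77c71b54 suggests the remaining hunk is a leftover. Update the header to describe what the patch still does (udev getattr on swap files) or explain why udev needs to stat swap files for Xen, and drop the stale losetup/fsadm_t sentence so the description matches the diff.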