From Debian package 0.2.20091117-2 Mostly merged upstream in 77c71b54 (2009-11-25) fs_search_xenfs merged upstream in 7af0e9bc (2010-03-12) Some permissions merged upstream in 0d86ea1d (2010-03-19) * Label xenfs_t and allow xend etc to use it. Also makes xenconsoled_t and xenstored_t daemon domains, and allows xenconsole some other access.
Index: policy/modules/system/xen.te
===================================================================
--- policy/modules/system/xen.te.orig
+++ policy/modules/system/xen.te
@@ -329,6 +329,9 @@
 miscfiles_read_localization(xend_t)
 miscfiles_read_hwdata(xend_t)
+fs_manage_xenfs_dirs(xend_t)
+fs_manage_xenfs_files(xend_t)
+
 mount_domtrans(xend_t)
 sysnet_domtrans_dhcpc(xend_t)
@@ -370,7 +373,10 @@
 allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
 allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
-allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
+# for /usr/lib/pt_chown
+libs_exec_lib_files(xenconsoled_t)
+
+allow xenconsoled_t xen_devpts_t:chr_file { setattr rw_term_perms };
 # pid file
 manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
@@ -443,6 +449,7 @@
 allow xend_t xenstored_var_lib_t:dir rw_dir_perms;
 allow xend_t xenstored_var_lib_t:file unlink;
 corecmd_search_bin(xenstored_t)
+fs_manage_xenfs_dirs(xenstored_t)
 stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t)
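Review bot: `fs_manage_xenfs_dirs(xend_t)` and `fs_manage_xenfs_files(xend_t)` hand xend create/unlink/rename/setattr on xenfs, but xenfs (/proc/xen) exposes a fixed set of kernel-provided nodes, so the permissions beyond read/write and directory search are unlikely to ever be exercised and only widen xend_t. A least-privilege starting point would be `fs_search_xenfs(xend_t)` plus `fs_rw_xenfs_files(xend_t)` (if the companion filesystem.if change provides that interface), widened only on AVC evidence; the header's remark that upstream merged `fs_search_xenfs` suggests the narrower form is what stuck. None of the `fs_*_xenfs_*` interfaces are defined in xen.te, so this hunk presumably depends on a separate change to filesystem.te/.if that declares xenfs_t — confirm it is applied first or the module will fail to build. The xend_t rule block continues outside the hunk.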
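Review bot: `libs_exec_lib_files(xenconsoled_t)` grants execute over every lib_t file, which is far wider than the single setuid helper `/usr/lib/pt_chown` the comment names; since no domain transition is defined, pt_chown runs inside xenconsoled_t, so the new `setattr` on xen_devpts_t is what lets it chmod the slave pty, and the chown it performs would presumably also need `allow xenconsoled_t self:capability { chown fowner };` unless that is already granted outside the hunk. It is worth checking whether the exec is needed at all: glibc's grantpt() only runs pt_chown when the pty's owner/mode are not already correct, which is normally the case when devpts is mounted with `gid=5,mode=620`, so on such hosts the rule may be dead weight. Either way the comment should state the actual scope, e.g. `# grantpt() execs the setuid /usr/lib/pt_chown to chown/chmod the slave pty; refpolicy has no finer type than lib_t for it`. The xenconsoled_t rule block starts and ends outside the hunk.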
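Review bot: `fs_manage_xenfs_dirs(xenstored_t)` lets xenstored create, remove and rename directories on xenfs, yet a daemon that only needs to reach its interface nodes under /proc/xen requires nothing more than traversal, so `fs_search_xenfs(xenstored_t)` is the least-privilege form — and, per the header, the one upstream merged in 7af0e9bc. Note also that this hunk grants xenstored_t no access to xenfs files at all, so if this xenstored actually opens nodes under /proc/xen (e.g. the xsd_* interfaces, if it uses them) the open will still be denied unless a rule outside the hunk covers it; check the AVC log after installing. The two preceding context lines are xend_t rules, so the new rule sits in a mixed stretch of the file; grouping it with the other xenstored_t filesystem rules would aid readability. The xenstored_t rule block continues outside the hunk.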