From Debian package 0.2.20100524-8
0094-xen-policy-adjustments-Allow-xenconsoled_t-capabilit.patch (part of)

  * Allow xm_t to read kernel image files, needed for DomU startup on boot

Index: policy/modules/contrib/xen.te
===================================================================
--- policy/modules/contrib/xen.te.orig
+++ policy/modules/contrib/xen.te
@@ -492,6 +492,7 @@
 manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
 manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
 files_search_var_lib(xm_t)
+files_read_kernel_img(xm_t)
 
 allow xm_t xen_image_t:dir rw_dir_perms;
 allow xm_t xen_image_t:file read_file_perms;