## Note that policy parsing stops at the first match,
## so adding anything below "$anyvm $anyvm action" line will have no effect

## Please use a single # to start your custom comments

# WARNING: The admin.vm.Console service is dangerous and allows any
# qube to access any other qube console. It should be restricted
# only to management/admin qubes. This is why the default policy is 'deny'

# Example of policy: mgmtvm $tag:created-by-mgmtvm allow,target=dom0