Checking the obvious: you need to search files for “qubes.Filecopy” (with a capital F), since searches are case sensitive.
In any case, there are policy entries in 90-default.policy (the line there lets any VM copy to any other VM with “ask”, i.e., popping up the dialog that has you pick a qube to copy to).
I added more stuff in 30-user.policy that overrides the default; I gave three different VMs “allow” permission to copy to a fourth one (which accesses a “dropbox” on a NAS). Basically, after I do a backup I send the backup file to the dropbox. It looks like this:
qubes.Filecopy * SourceQube1 DropBoxQube allow
qubes.Filecopy * SourceQube2 DropBoxQube allow
qubes.Filecopy * SourceQube3 DropBoxQube allow
Note that this allows direct copy access without asking the user; I wanted this process to be unattended. I made sure to restrict it only to three different source qubes; any other qube will go right on to the default rule. (Below, I explain why this works this way.)
You can probably write something like this into 30-user.policy:
qubes.Filecopy * cat @anyvm deny
qubes.Filecopy * tat cat ask
qubes.Filecopy * @anyvm cat deny
The policies function by starting with the lowest numbered file (30 will come before 90). When a line that matches the current situation is reached, it stops (so put the more general rules AFTER the more specific ones).
The first line it should hit when looking at file copy is the line forbidding cat from copying to anything else. If the requestor happens to be cat, it’s done; cat can’t do it.
The next line says that tat is allowed to copy to cat. So if tat is the requestor, and it’s trying to copy to cat, it’s done: allowed to do it (it will pop up the dialog; if you don’t want that, use allow here). If tat is trying to copy to anywhere else, it will keep going until it reads the default rule in 90-default.policy.
Any other qube, if trying to copy to cat, will hit the third line and stop, denied.
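The first-match behaviour described in the post above, as an added example that is not part of the original post and is not Qubes' own code. It is a simplified model that handles only literal qube names, `@anyvm` and the `*` argument; the default rule is reconstructed from the post's description, and the qube name `work` used in the test is hypothetical.

```python
# Simplified model of qrexec policy evaluation (added example, not Qubes code).
# Assumption: only literal qube names, @anyvm and the "*" argument are handled.

# Constructed sample policy files, keyed by filename.
POLICY_FILES = {
    "90-default.policy": """\
qubes.Filecopy * @anyvm @anyvm ask
""",
    "30-user.policy": """\
qubes.Filecopy * cat @anyvm deny
qubes.Filecopy * tat cat ask
qubes.Filecopy * @anyvm cat deny
""",
}

def parse(files):
    """Return rules in evaluation order: files sorted by name, lines top to bottom."""
    rules = []
    for name in sorted(files):
        for lineno, line in enumerate(files[name].splitlines(), 1):
            line = line.split("#", 1)[0].strip()  # drop comments and blanks
            if not line:
                continue
            service, arg, source, target, action = line.split()[:5]
            rules.append((service, arg, source, target, action, f"{name}:{lineno}"))
    return rules

def qube_matches(pattern, qube):
    return pattern == "@anyvm" or pattern == qube

def evaluate(rules, service, source, target, arg=""):
    """First matching rule wins; if nothing matches, the call is denied."""
    for r_service, r_arg, r_source, r_target, action, origin in rules:
        if (r_service == service            # exact, case-sensitive comparison
                and r_arg in ("*", arg)
                and qube_matches(r_source, source)
                and qube_matches(r_target, target)):
            return action, origin
    return "deny", "no matching rule"

if __name__ == "__main__":
    rules = parse(POLICY_FILES)
    for src, dst in [("cat", "tat"), ("tat", "cat"), ("work", "cat"), ("tat", "work")]:
        print(src, "->", dst, evaluate(rules, "qubes.Filecopy", src, dst))
```

Because the service name is compared exactly, a rule spelled `qubes.FileCopy` never matches a `qubes.Filecopy` call in this model, and the request falls through to the `ask` rule in 90-default.policy.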