diff --git a/qubes-rpc-policy/qubes.repos.Disable b/qubes-rpc-policy/qubes.repos.Disable
new file mode 100644
index 0000000..c829d5a
--- /dev/null
+++ b/qubes-rpc-policy/qubes.repos.Disable
@@ -0,0 +1,7 @@
+## Note that policy parsing stops at the first match,
+## so adding anything below "$anyvm $anyvm action" line will have no effect
+
+## Please use a single # to start your custom comments
+
+dom0 dom0 allow
+$anyvm $anyvm deny
diff --git a/qubes-rpc-policy/qubes.repos.Enable b/qubes-rpc-policy/qubes.repos.Enable
new file mode 100644
index 0000000..c829d5a
--- /dev/null
+++ b/qubes-rpc-policy/qubes.repos.Enable
@@ -0,0 +1,7 @@
+## Note that policy parsing stops at the first match,
+## so adding anything below "$anyvm $anyvm action" line will have no effect
+
+## Please use a single # to start your custom comments
+
+dom0 dom0 allow
+$anyvm $anyvm deny
diff --git a/qubes-rpc-policy/qubes.repos.List b/qubes-rpc-policy/qubes.repos.List
new file mode 100644
index 0000000..c829d5a
--- /dev/null
+++ b/qubes-rpc-policy/qubes.repos.List
@@ -0,0 +1,7 @@
+## Note that policy parsing stops at the first match,
+## so adding anything below "$anyvm $anyvm action" line will have no effect
+
+## Please use a single # to start your custom comments
+
+dom0 dom0 allow
+$anyvm $anyvm deny
diff --git a/qubes-rpc/qubes.repos.Disable b/qubes-rpc/qubes.repos.Disable
new file mode 100755
index 0000000..3d62b79
--- /dev/null
+++ b/qubes-rpc/qubes.repos.Disable
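Review bot: The policy for qubes.repos.Disable carries only the generic boilerplate and says nothing about what the service does, so an admin tempted to loosen the `$anyvm $anyvm deny` line has no hint that doing so would let another qube rewrite dom0's dnf repository configuration. Add a package comment above the rules, e.g. `## qubes.repos.Disable rewrites dom0's own dnf repo files; it is meant for dom0 callers only, do not open it to other qubes.` The same line, with the service name adjusted, fits the byte-identical qubes.repos.Enable and qubes.repos.List policies in this commit; List is read-only but still reveals dom0's repo set. That the rewritten files are dom0's repo files is inferred from `repo.repofile` in the service scripts, not stated in the policy itself.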
@@ -0,0 +1,32 @@
+#!/usr/bin/python3
+
+# `ok` on stdout indicates success; any stderr output indicates an error
+# (probably an exception)
+
+import dnf
+import iniparse
+import os
+import sys
+
+os.umask(0o022)
+
+base = dnf.Base()
+
+base.read_all_repos()
+
+reponame = sys.argv[1]
+repo = base.repos[reponame]
+
+# Loosely based on write_raw_configfile() from DNF source code, because
+# that method was introduced in DNF 2.0 but Qubes dom0 has DNF 1.x.
+with open(repo.repofile) as fp:
+    ini = iniparse.INIConfig(fp)
+
+ini[reponame]['enabled'] = 0
+
+with open(repo.repofile + '.new', 'w') as fp:
+    fp.write(str(ini))
+
+os.rename(repo.repofile + '.new', repo.repofile)
+
+print('ok')
diff --git a/qubes-rpc/qubes.repos.Enable b/qubes-rpc/qubes.repos.Enable
new file mode 100755
index 0000000..ed24484
--- /dev/null
+++ b/qubes-rpc/qubes.repos.Enable
@@ -0,0 +1,32 @@
+#!/usr/bin/python3
+
+# `ok` on stdout indicates success; any stderr output indicates an error
+# (probably an exception)
+
+import dnf
+import iniparse
+import os
+import sys
+
+os.umask(0o022)
+
+base = dnf.Base()
+
+base.read_all_repos()
+
+reponame = sys.argv[1]
+repo = base.repos[reponame]
+
+# Loosely based on write_raw_configfile() from DNF source code, because
+# that method was introduced in DNF 2.0 but Qubes dom0 has DNF 1.x.
+with open(repo.repofile) as fp:
+    ini = iniparse.INIConfig(fp)
+
+ini[reponame]['enabled'] = 1
+
+with open(repo.repofile + '.new', 'w') as fp:
+    fp.write(str(ini))
+
+os.rename(repo.repofile + '.new', repo.repofile)
+
+print('ok')
diff --git a/qubes-rpc/qubes.repos.List b/qubes-rpc/qubes.repos.List
new file mode 100755
index 0000000..d16f4d4
--- /dev/null
+++ b/qubes-rpc/qubes.repos.List
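Review bot: The replace-by-rename at the end of qubes.repos.Disable is not crash-safe: `os.rename` runs before the new file's data is guaranteed on disk, so a power cut between the write and the rename can leave `repo.repofile` truncated or empty and silently drop one of dom0's update sources. Flush inside the write block before renaming: `fp.write(str(ini))`, `fp.flush()`, `os.fsync(fp.fileno())`. If `str(ini)` or the write raises, the `.new` file is left behind next to the repo file; dnf should ignore it since the name does not end in `.repo`, but a `try`/`except` that unlinks `repo.repofile + '.new'` before re-raising keeps the directory clean. Both `open()` calls use the locale's default encoding, which in a minimal qrexec environment may not be UTF-8; passing `encoding='utf-8'` on the read and the write avoids a decode error on a repo file with a non-ASCII `name=`, though I cannot tell from the diff what locale the service actually runs under.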
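Review bot: qubes.repos.Enable is a byte-for-byte copy of qubes.repos.Disable except for the literal in `ini[reponame]['enabled'] = 1`, so every later fix to the read/modify/rename sequence has to be applied twice and can drift. Consider one script that derives the target state from the service name, e.g. `enabled = 1 if os.path.basename(sys.argv[0]).endswith('Enable') else 0`, with the second name installed as a symlink to it, or a shared helper under /usr/lib/qubes that both thin entry points call. The `os.umask(0o022)` line also deserves a why-comment, since the rewritten repo file always ends up mode 0644 regardless of how the original was set: `# the file is recreated, not edited in place; keep it world-readable like the rest of the repo directory`. Whether the umask inherited from qrexec is actually restrictive is not visible in the diff.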
@@ -0,0 +1,17 @@
+#!/usr/bin/python3
+
+# Records in the output are separated by newlines; fields are separated by \0
+# Each record is unique_id:pretty_name:enabled
+
+import dnf
+
+base = dnf.Base()
+
+base.read_all_repos()
+
+first = True
+for repo in base.repos.all():
+    l = [repo.id, repo.name, 'enabled' if repo.enabled else 'disabled']
+    if not first: print()
+    first = False
+    print('\0'.join(l), end='')
diff --git a/rpm_spec/core-dom0-linux.spec.in b/rpm_spec/core-dom0-linux.spec.in
index 71b2b10..b3d667f 100644
--- a/rpm_spec/core-dom0-linux.spec.in
+++ b/rpm_spec/core-dom0-linux.spec.in
@@ -96,6 +96,12 @@ install -m 0664 -D dom0-updates/qubes.ReceiveUpdates.policy $RPM_BUILD_ROOT/etc/
 install -d $RPM_BUILD_ROOT/var/lib/qubes/updates
 
 
+# Qrexec services
+mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes/qubes-rpc $RPM_BUILD_ROOT/etc/qubes-rpc/policy
+cp qubes-rpc/* $RPM_BUILD_ROOT/usr/lib/qubes/qubes-rpc/
+for i in qubes-rpc/*; do ln -s ../../usr/lib/qubes/$i $RPM_BUILD_ROOT/etc/qubes-rpc/$(basename $i); done
+cp qubes-rpc-policy/* $RPM_BUILD_ROOT/etc/qubes-rpc/policy/
+
 ### pm-utils
 mkdir -p $RPM_BUILD_ROOT/usr/lib64/pm-utils/sleep.d
 cp pm-utils/52qubes-pause-vms $RPM_BUILD_ROOT/usr/lib64/pm-utils/sleep.d/
@@ -197,6 +203,12 @@ chmod -x /etc/grub.d/10_linux
 /etc/qubes-rpc/qubes.ReceiveUpdates
 %attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.ReceiveUpdates
 %attr(0770,root,qubes) %dir /var/lib/qubes/updates
+# Qrexec services
+/etc/qubes-rpc/qubes.repos.*
+/usr/lib/qubes/qubes-rpc/qubes.repos.*
+%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.repos.List
+%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.repos.Enable
+%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.repos.Disable
 # Dracut module
 /etc/dracut.conf.d/*
 %dir %{_dracutmoddir}/90qubes-pciback
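Review bot: The header comment in qubes.repos.List says each record is `unique_id:pretty_name:enabled`, but the code emits the literal strings `enabled` or `disabled` as the third field and separates fields with `\0`, not `:`, so a consumer written from the comment would mis-parse the output; rewrite it as `# Each record is unique_id\0pretty_name\0(enabled|disabled); no newline after the last record`. The `first`/`print()` dance and the single-letter name `l` (PEP 8 E741) can be replaced by `records = ('\0'.join([r.id, r.name, 'enabled' if r.enabled else 'disabled']) for r in base.repos.all())` followed by `print('\n'.join(records), end='')`, which produces the same bytes. The framing also assumes `repo.name` never contains a newline or NUL; that is root-controlled configuration in dom0, so it is acceptable, but a one-line comment saying so would stop a reader from adding escaping later.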
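Review bot: The new install lines copy the qrexec services with `cp qubes-rpc/*`, so the installed mode depends on the mode bits recorded in git and on the build umask, whereas the rest of this section sets modes explicitly (`install -m 0664 -D` a few lines above). Use `install -m 0755 qubes-rpc/* $RPM_BUILD_ROOT/usr/lib/qubes/qubes-rpc/` and `install -m 0664 qubes-rpc-policy/* $RPM_BUILD_ROOT/etc/qubes-rpc/policy/` so the services are guaranteed executable and the policies match their `%attr(0664,root,qubes)` entries in `%files`. The `$i` and `$(basename $i)` in the `for` loop are unquoted; harmless for the three current names, but `"$i"` costs nothing and survives a future service name with spaces.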