Support

If there is a real file called sitemap.xml on your site what you're doing is enough. However, I don't think this is the case.

If there no real sitemap.xml file on your site but you are using XML Sitemap Generator for WordPress or a similar plugin you must NOT add sitemap.xml in the "Allow direct access to these files". The file sitemap.xml does not exist, it's a permalink. Permalinks are allowed without any further changes as long as their extension is allowed.

This brings us to the solution. You may have to add xml (lowercase) to "File extensions allowed". If xml is not in this list the Site Protection feature will block the request. The xml extension was added to that list in 1.0.0.rc1. Since you've been using the alpha versions you have the old list which does not include it. That explains why you have an issue.

Finally, there's another option. You can simply add the following to "Custom .htaccess rules at the top of the file":

RewriteCond %{REQUEST_URI} ^/sitemap\.xml$
RewriteRule . /index.php [L]

This tells Apache to have WordPress parse sitemap.xml as a permalink without bothering with the rest of the settings. This is the "nuclear option" and should not be required.