2 files changed, 11 insertions, 2 deletions

diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt
index 285bb9ff53..5b4297da85 100644
--- a/docs/misc/xsm-flask.txt
+++ b/docs/misc/xsm-flask.txt
@@ -55,10 +55,11 @@ kernel; it is normally placed either just above the dom0 kernel or at the end.
 Once dom0 is running, the policy can be reloaded using "xl loadpolicy".
 
 The example policy included with Xen demonstrates most of the features of FLASK
-that can be used without dom0 disaggregation. It has two main types for domUs:
+that can be used without dom0 disaggregation. The main types for domUs are:
 
  - domU_t is a domain that can communicate with any other domU_t
  - isolated_domU_t can only communicate with dom0
+ - prot_domU_t is a domain type whose creation can be disabled with a boolean
 
 One disadvantage of using type enforcement to enforce isolation is that a new
 type is needed for each group of domains. In addition, it is not possible to
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index fb71b757ca..f7343a2dd6 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -73,7 +73,7 @@ allow dom0_t domio_t:mmu { map_read map_write };
 
 domain_self_comms(dom0_t)
 
-auditallow dom0_t security_t:security { load_policy setenforce };
+auditallow dom0_t security_t:security { load_policy setenforce setbool };
 
 ###############################################################################
 #
@@ -92,6 +92,14 @@ create_domain(dom0_t, isolated_domU_t)
 manage_domain(dom0_t, isolated_domU_t)
 domain_comms(dom0_t, isolated_domU_t)
 
+gen_bool(prot_doms_locked, false)
+declare_domain(prot_domU_t)
+if (!prot_doms_locked) {
+	create_domain(dom0_t, prot_domU_t)
+}
+domain_comms(dom0_t, prot_domU_t)
+domain_comms(domU_t, prot_domU_t)
+
 ###############################################################################
 #
 # Device delegation