diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index a9050a2e..1f1dd8d8 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -5,8 +5,22 @@
##
########################################
-#
-# kernel_make_userland_entrypoint(domain,entrypoint)
+##
+##
+## Gives kernel an entrypoint to the caller via
+## the entrypoint type.
+##
+##
+## ...
+##
+##
+## The process type entered by kernel.
+##
+##
+## The executable type for the entrypoint.
+##
+##
+##
#
define(`kernel_make_userland_entrypoint',`
requires_block_template(`$0'_depend)
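Review bot: The description block for kernel_make_userland_entrypoint is the literal placeholder `## ...` (L16), which will be emitted verbatim into any documentation generated from these headers. Either write the description or drop the empty description block rather than leaving an ellipsis; the same placeholder appears in every miscfiles.if hunk (miscfiles_manage_man_page_cache, miscfiles_read_fonts, miscfiles_read_localization, miscfiles_legacy_read_localization, miscfiles_read_man_pages), whose parameter text also reads `## Type type of the process performing this action.` and should be `## The type of the process performing this action.` as in clock.if and getty.if. The interface body (the define and its depend block) lies outside the hunk, so I cannot check the wording against the rules it grants.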
@@ -33,8 +47,20 @@ define(`kernel_make_userland_entrypoint_depend',`
')
########################################
-#
-# kernel_share_state(domain)
+##
+##
+## Allows the kernel to share state information with
+## the caller.
+##
+##
+## Gives a type access to state information about
+## kernel processes
+##
+##
+## The type of the process with which to share state information.
+##
+##
+##
#
define(`kernel_share_state',`
requires_block_template(`$0'_depend)
@@ -49,8 +75,18 @@ define(`kernel_share_state_depend',`
')
########################################
-#
-# kernel_use_file_descriptors(domain)
+##
+##
+## Permits caller to use kernel file descriptors.
+##
+##
+## Permits use of kernel file descriptors.
+##
+##
+## The type of the process using the descriptors.
+##
+##
+##
#
define(`kernel_use_file_descriptors',`
requires_block_template(`$0'_depend)
@@ -65,8 +101,20 @@ define(`kernel_use_file_descriptors_depend',`
')
########################################
-#
-# kernel_ignore_use_file_descriptors(domain)
+##
+##
+## Do not audit attempts by the caller to use
+## kernel file descriptors.
+##
+##
+## Causes attempts to use kernel file descriptors
+## to not be audited for caller.
+##
+##
+## The type of process not to audit.
+##
+##
+##
#
define(`kernel_ignore_use_file_descriptors',`
requires_block_template(`$0'_depend)
@@ -81,8 +129,20 @@ define(`kernel_ignore_use_file_descriptors_depend',`
')
########################################
-#
-# kernel_make_root_filesystem_mountpoint(domain)
+##
+##
+## Allows the kernel to mount filesystems on
+## the caller.
+##
+##
+## Givers kernel permission to mount on directories
+## of the calling type.
+##
+##
+## The type of the directory to use as a mountpoint.
+##
+##
+##
#
define(`kernel_make_root_filesystem_mountpoint',`
requires_block_template(`$0'_depend)
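Review bot: `## Givers kernel permission to mount on directories` (L104) should read `## Gives kernel permission to mount on directories`; since these comments are the source of generated interface docs, spelling errors surface to every policy author. The same hunk family carries several more: "doamins" in kernel_read_ring_buffer, "attepts" in kernel_ignore_read_ring_buffer, "privlaged" in kernel_read_system_state, "attribues"/"attibutes" in kernel_get_core_interface_attributes, "directy" in kernel_ignore_search_sysctl_dir, "domian" in kernel_read_modprobe_sysctl and kernel_modify_modprobe_sysctl, "sigchild" in kernel_sigchld_from, "Miscelaneous" in the miscfiles.if module summary, and "auditted" (should be "audited") in five of the ignore_* interfaces. A quick spell-check pass over the new `##` lines before merging would clear all of these.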
@@ -97,8 +157,19 @@ define(`kernel_make_root_filesystem_mountpoint_depend',`
')
########################################
-#
-# kernel_make_process_identity_change_constraint_exception(domain)
+##
+##
+## Makes caller an exception to the constraint preventing
+## changing of user identity.
+##
+##
+## Allows changing of user identity in context of the calling process.
+##
+##
+## The process type to make an exception to the constraint.
+##
+##
+##
#
define(`kernel_make_process_identity_change_constraint_exception',`
requires_block_template(`$0'_depend)
@@ -111,8 +182,19 @@ define(`kernel_make_process_identity_change_constraint_exception_depend',`
')
########################################
-#
-# kernel_make_role_change_constraint_exception(domain)
+##
+##
+## Makes caller an exception to the constraint preventing
+## changing of role.
+##
+##
+## Allows changing of role in the context of the calling process.
+##
+##
+## The process type to make an exception to the constraint.
+##
+##
+##
#
define(`kernel_make_role_change_constraint_exception',`
requires_block_template(`$0'_depend)
@@ -125,8 +207,19 @@ define(`kernel_make_role_change_constraint_exception_depend',`
')
########################################
-#
-# kernel_make_object_identity_change_constraint_exception(domain)
+##
+##
+## Makes caller an exception to the constraint preventing
+## changing the user identity in object contexts.
+##
+##
+## Allows caller to change user identities on objects
+##
+##
+## The process type to make an exception to the constraint.
+##
+##
+##
#
define(`kernel_make_object_identity_change_constraint_exception',`
requires_block_template(`$0'_depend)
@@ -139,8 +232,19 @@ define(`kernel_make_object_identity_change_constraint_exception_depend',`
')
########################################
-#
-# kernel_load_module(domain)
+##
+##
+##
+## Allows caller to load kernel modules
+##
+##
+## Allows loading of kernel modules.
+##
+##
+## The process type to allow to load kernel modules.
+##
+##
+##
#
define(`kernel_load_module',`
requires_block_template(`$0'_depend)
@@ -156,8 +260,20 @@ define(`kernel_load_module_depend',`
')
########################################
-#
-# kernel_get_selinux_enforcement_mode(domain)
+##
+##
+##
+## Allows the caller to get the mode of policy enforcement
+## (enforcing or permissive mode).
+##
+##
+## Gives caller access to system state data.
+##
+##
+## The process type to allow to get the enforcing mode.
+##
+##
+##
#
define(`kernel_get_selinux_enforcement_mode',`
requires_block_template(`$0'_depend)
@@ -174,8 +290,19 @@ define(`kernel_get_selinux_enforcement_mode_depend',`
')
########################################
-#
-# kernel_set_selinux_enforcement_mode(domain)
+##
+##
+## Allow caller to set the mode of policy enforcement
+## (enforcing or permissive mode).
+##
+##
+## Caller becomes able to disable enforcement of policy.
+##
+##
+## The process type to allow to set the enforcement mode.
+##
+##
+##
#
define(`kernel_set_selinux_enforcement_mode',`
requires_block_template(`$0'_depend)
@@ -198,8 +325,18 @@ define(`kernel_set_selinux_enforcement_mode_depend',`
')
########################################
-#
-# kernel_load_selinux_policy(domain)
+##
+##
+## Allow caller to load the policy into the kernel.
+##
+##
+## Caller can replace the policy being enforced.
+##
+##
+## The process type that will load the policy.
+##
+##
+##
#
define(`kernel_load_selinux_policy',`
requires_block_template(`$0'_depend)
@@ -222,8 +359,23 @@ define(`kernel_load_selinux_policy_depend',`
')
########################################
-#
-# kernel_set_selinux_boolean(domain,[booltype])
+##
+##
+## Allow caller to set the state of Booleans to
+## enable or disable conditional portions of the policy.
+##
+##
+## Caller can change which of the conditional portions of
+## the policy are being enforced.
+##
+##
+## The process type allowed to set the Boolean.
+##
+##
+## The type of Booleans the caller is allowed to set.
+##
+##
+##
#
define(`kernel_set_selinux_boolean',`
requires_block_template(`$0'_depend)
@@ -250,8 +402,18 @@ define(`kernel_set_selinux_boolean_depend',`
')
########################################
-#
-# kernel_set_selinux_security_parameters(domain)
+##
+##
+## Allow caller to set selinux security parameters.
+##
+##
+## Caller can change security parameters.
+##
+##
+## The process type to allow to set security parameters.
+##
+##
+##
#
define(`kernel_set_selinux_security_parameters',`
requires_block_template(`$0'_depend)
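Review bot: The description for kernel_set_selinux_security_parameters, `## Caller can change security parameters.` (L297), only restates the summary and gives a policy author no sense of how privileged the grant is, unlike the sibling kernel_set_selinux_enforcement_mode hunk whose description states the consequence (`Caller becomes able to disable enforcement of policy.`). Since the interface body is outside the hunk I cannot see which permission it grants, but if it is the security-class parameter-setting permission, the description should say that the caller can alter kernel-wide SELinux parameters and that this is in the same privilege tier as changing enforcement mode or loading policy, so that reviewers treat callers of this interface accordingly.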
@@ -274,8 +436,18 @@ define(`kernel_set_selinux_security_parameters_depend',`
')
########################################
-#
-# kernel_validate_selinux_context(domain)
+##
+##
+## Allows caller to validate security contexts.
+##
+##
+##
+##
+##
+## The process type permitted to validate contexts.
+##
+##
+##
#
define(`kernel_validate_selinux_context',`
requires_block_template(`$0'_depend)
@@ -294,8 +466,18 @@ define(`kernel_validate_selinux_context_depend',`
')
########################################
-#
-# kernel_compute_selinux_access_vector(domain)
+##
+##
+## Allows caller to compute an access vector.
+##
+##
+##
+##
+##
+## The process type allowed to compute an access vector.
+##
+##
+##
#
define(`kernel_compute_selinux_access_vector',`
requires_block_template(`$0'_depend)
@@ -314,8 +496,18 @@ define(`kernel_compute_selinux_access_vector_depend',`
')
########################################
-#
-# kernel_compute_selinux_create_context(domain)
+##
+##
+##
+##
+##
+##
+##
+##
+##
+##
+##
+##
#
define(`kernel_compute_selinux_create_context',`
requires_block_template(`$0'_depend)
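Review bot: The new documentation block for kernel_compute_selinux_create_context (L352–L363) contains no summary, description or parameter text at all, so the commit replaces the old one-line `# kernel_compute_selinux_create_context(domain)` header with a header that says strictly less. The sibling hunk for kernel_compute_selinux_access_vector shows the expected shape (`## Allows caller to compute an access vector.` plus a parameter sentence); the same gap exists in kernel_change_ring_buffer_level (entirely empty), kernel_compute_selinux_relabel_context (parameter text truncated at `## The process type to`, L380), kernel_get_sysvipc_info and kernel_read_virtual_memory_sysctl (parameter text missing), and kernel_read_directory_from (`## XXX FIXME`). Either fill these in from the rules each define grants (the bodies are outside the hunks) or keep the old single-line headers until the text is written, so the generated docs never contain empty or FIXME entries.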
@@ -334,8 +526,18 @@ define(`kernel_compute_selinux_create_context_depend',`
')
########################################
-#
-# kernel_compute_selinux_relabel_context(domain)
+##
+##
+##
+##
+##
+##
+##
+##
+## The process type to
+##
+##
+##
#
define(`kernel_compute_selinux_relabel_context',`
requires_block_template(`$0'_depend)
@@ -354,8 +556,18 @@ define(`kernel_compute_selinux_relabel_context_depend',`
')
########################################
-#
-# kernel_compute_selinux_reachable_user_contexts(domain)
+##
+##
+## Allows caller to compute possible contexts for a user.
+##
+##
+##
+##
+##
+## The process type allowed to compute user contexts.
+##
+##
+##
#
define(`kernel_compute_selinux_reachable_user_contexts',`
requires_block_template(`$0'_depend)
@@ -374,8 +586,18 @@ define(`kernel_compute_selinux_reachable_user_contexts_depend',`
')
########################################
-#
-# kernel_read_ring_buffer(domain)
+##
+##
+## Allows caller to read the ring buffer.
+##
+##
+## Buffer read could have sensitive information from multiple doamins.
+##
+##
+## The process type allowed to read the ring buffer.
+##
+##
+##
#
define(`kernel_read_ring_buffer',`
requires_block_template(`$0'_depend)
@@ -390,8 +612,19 @@ define(`kernel_read_ring_buffer_depend',`
')
########################################
-#
-# kernel_ignore_read_ring_buffer(domain)
+##
+##
+## Ignore attempts by caller to read the ring buffer.
+##
+##
+## Causes attepts to read potentially sensitive information
+## from being audited.
+##
+##
+## The domain to not audit.
+##
+##
+##
#
define(`kernel_ignore_read_ring_buffer',`
requires_block_template(`$0'_depend)
@@ -406,8 +639,18 @@ define(`kernel_ignore_read_ring_buffer_depend',`
')
########################################
-#
-# kernel_change_ring_buffer_level(domain)
+##
+##
+##
+##
+##
+##
+##
+##
+##
+##
+##
+##
#
define(`kernel_change_ring_buffer_level',`
requires_block_template(`$0'_depend)
@@ -422,8 +665,18 @@ define(`kernel_change_ring_buffer_level_depend',`
')
########################################
-#
-# kernel_clear_ring_buffer(domain)
+##
+##
+## Allows the caller to clear the ring buffer.
+##
+##
+##
+##
+##
+## The process type clearing the buffer.
+##
+##
+##
#
define(`kernel_clear_ring_buffer',`
requires_block_template(`$0'_depend)
@@ -438,8 +691,18 @@ define(`kernel_clear_ring_buffer_depend',`
')
########################################
-#
-# kernel_get_sysvipc_info(domain)
+##
+##
+## Allow caller to get information about an ipc socket.
+##
+##
+##
+##
+##
+##
+##
+##
+##
#
define(`kernel_get_sysvipc_info',`
requires_block_template(`$0'_depend)
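Review bot: The summary `## Allow caller to get information about an ipc socket.` (L495) does not match the interface name kernel_get_sysvipc_info: System V IPC objects (shared memory, semaphores, message queues) are not sockets, and the rest of the block is empty, so a reader has nothing else to correct the impression. I would write `## Allow caller to read information about System V IPC objects.` and add the parameter sentence used by the neighbouring hunks, `## The process type reading the IPC information.`; confirm the wording against what the define actually grants, which is outside the hunk.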
@@ -454,8 +717,18 @@ define(`kernel_get_sysvipc_info_depend',`
')
########################################
-#
-# kernel_get_selinuxfs_mount_point(domain)
+##
+##
+## Gets the caller the mountpoint of the selinuxfs filesystem.
+##
+##
+##
+##
+##
+## The process type requesting the selinuxfs mountpoint.
+##
+##
+##
#
define(`kernel_get_selinuxfs_mount_point',`
requires_block_template(`$0'_depend)
@@ -475,8 +748,18 @@ define(`kernel_get_selinuxfs_mount_point_depend',`
')
########################################
-#
-# kernel_read_system_state(domain)
+##
+##
+## Allows caller to read system state information.
+##
+##
+## State data contains information about multiple domains and may be privlaged.
+##
+##
+## The process type reading the system state information.
+##
+##
+##
#
define(`kernel_read_system_state',`
requires_block_template(`$0'_depend)
@@ -495,8 +778,19 @@ define(`kernel_read_system_state_depend',`
')
########################################
-#
-# kernel_ignore_read_system_state(domain)
+##
+##
+## Do not audit attempts by caller to
+## read system state information.
+##
+##
+## Causes attempts to read system state data not to be auditted.
+##
+##
+## The process type not to audit.
+##
+##
+##
#
define(`kernel_ignore_read_system_state',`
requires_block_template(`$0'_depend)
@@ -511,8 +805,18 @@ define(`kernel_ignore_read_system_state_depend',`
')
#######################################
-#
-# kernel_read_software_raid_state(domain)
+##
+##
+## Allow caller to read the state information for software raid.
+##
+##
+##
+##
+##
+## The process type reading software raid state.
+##
+##
+##
#
define(`kernel_read_software_raid_state',`
requires_block_template(`$0'_depend)
@@ -529,8 +833,18 @@ define(`kernel_read_software_raid_state_depend',`
')
########################################
-#
-# kernel_get_core_interface_attributes(domain)
+##
+##
+## Allows caller to get attribues of core kernel interfaces.
+##
+##
+##
+##
+##
+## The process type getting the attibutes.
+##
+##
+##
#
define(`kernel_get_core_interface_attributes',`
requires_block_template(`$0'_depend)
@@ -547,8 +861,20 @@ define(`kernel_get_core_interface_attributes_depend',`
')
########################################
-#
-# kernel_ignore_get_core_interface_attributes(domain)
+##
+##
+## Do not audit attempts to get the attributes of
+## core kernel interfaces.
+##
+##
+## Causes attempts to get attributes of kernel interfaces to
+## not be auditted.
+##
+##
+## The process type to not audit.
+##
+##
+##
#
define(`kernel_ignore_get_core_interface_attributes',`
requires_block_template(`$0'_depend)
@@ -563,8 +889,18 @@ define(`kernel_ignore_get_core_interface_attributes_depend',`
')
########################################
-#
-# kernel_read_messages(domain)
+##
+##
+## Allow caller to receive and read kernel messages.
+##
+##
+##
+##
+##
+## The process type reading the messages.
+##
+##
+##
#
define(`kernel_read_messages',`
requires_block_template(`$0'_depend)
@@ -584,8 +920,19 @@ define(`kernel_read_messages_depend',`
')
########################################
-#
-# kernel_get_message_interface_attributes(domain)
+##
+##
+## Allow caller to get the attributes of kernel message
+## interfaces.
+##
+##
+##
+##
+##
+## The process type getting the attributes.
+##
+##
+##
#
define(`kernel_get_message_interface_attributes',`
requires_block_template(`$0'_depend)
@@ -602,8 +949,20 @@ define(`kernel_get_message_interface_attributes_depend',`
')
########################################
-#
-# kernel_ignore_get_message_interface_attributes(domain)
+##
+##
+## Do not audit attempts by caller to get the attributes of kernel
+## message interfaces.
+##
+##
+## Causes attempts by caller to get the attributes of kernel
+## message interfaces not to be auditted.
+##
+##
+## The process type not to audit.
+##
+##
+##
#
define(`kernel_ignore_get_message_interface_attributes',`
requires_block_template(`$0'_depend)
@@ -618,8 +977,19 @@ define(`kernel_ignore_get_message_interface_attributes_depend',`
')
########################################
-#
-# kernel_read_network_state(domain)
+##
+##
+## Allow caller to read the network state information.
+##
+##
+##
+##
+##
+## The process type reading the state.
+##
+##
+##
+##
#
define(`kernel_read_network_state',`
requires_block_template(`$0'_depend)
@@ -637,8 +1007,19 @@ define(`kernel_read_network_state_depend',`
')
########################################
-#
-# kernel_ignore_search_sysctl_dir(domain)
+##
+##
+## Do not audit attempts by caller to search the sysctl directory.
+##
+##
+## Causes attempts by caller to search the sysctl directy not to be auditted.
+##
+##
+## The process type not to audit.
+##
+##
+##
+##
#
define(`kernel_ignore_search_sysctl_dir',`
requires_block_template(`$0'_depend)
@@ -653,8 +1034,18 @@ define(`kernel_ignore_search_sysctl_dir_depend',`
')
########################################
-#
-# kernel_read_device_sysctl(domain)
+##
+##
+## Allow caller to read the sysctl device.
+##
+##
+##
+##
+##
+## The process type to allow to read the sysctl device.
+##
+##
+##
#
define(`kernel_read_device_sysctl',`
requires_block_template(`$0'_depend)
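Review bot: `## Allow caller to read the sysctl device.` (L743) and `## Allows the caller to modify the sysctl device file.` in the next hunk read as though a single device node were involved, whereas the interface name parallels kernel_read_network_sysctl, documented as `## Allow caller to read sysctl network files.`; the consistent phrasing would be `## Allow caller to read device sysctl files.` and `## Allow caller to modify device sysctl files.` The same drift appears in kernel_read_hotplug_sysctl (`read data from hotplug` versus its modify counterpart's `hotplug sysctl data`), kernel_read_filesystem_sysctl (`read filesystem information`, which no longer mentions sysctl), and kernel_modify_hardware_config_option (summary says `hardware state information` while the usb counterpart says `hardware configuration files`). Keeping the read/modify pairs worded identically apart from the verb makes the generated interface list much easier to scan.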
@@ -673,8 +1064,18 @@ define(`kernel_read_device_sysctl_depend',`
')
########################################
-#
-# kernel_modify_device_sysctl(domain)
+##
+##
+## Allows the caller to modify the sysctl device file.
+##
+##
+##
+##
+##
+## The process type modifying the sysctl device.
+##
+##
+##
#
define(`kernel_modify_device_sysctl',`
requires_block_template(`$0'_depend)
@@ -692,8 +1093,19 @@ define(`kernel_modify_device_sysctl_depend',`
')
########################################
-#
-# kernel_read_virtual_memory_sysctl(domain)
+##
+##
+## Allow caller to read sysctl virtual memory.
+##
+##
+##
+##
+##
+##
+##
+##
+##
+##
#
define(`kernel_read_virtual_memory_sysctl',`
requires_block_template(`$0'_depend)
@@ -711,8 +1123,18 @@ define(`kernel_read_virtual_memory_sysctl_depend',`
')
########################################
-#
-# kernel_modify_virtual_memory_sysctl(domain)
+##
+##
+## Allow caller to modify contents of sysctl virtual memory.
+##
+##
+## Allows caller to modify sysctl virtual memory.
+##
+##
+## The process type modifying sysctl virtual memory.
+##
+##
+##
#
define(`kernel_modify_virtual_memory_sysctl',`
requires_block_template(`$0'_depend)
@@ -730,8 +1152,19 @@ define(`kernel_modify_virtual_memory_sysctl_depend',`
')
########################################
-#
-# kernel_ignore_search_network_sysctl_dir(domain)
+##
+##
+## Do not audit attempts by caller to search sysctl network directories.
+##
+##
+## Causes attempts by the caller to search the sysctl network
+## directories not to be audited.
+##
+##
+## The process type not to audit.
+##
+##
+##
#
define(`kernel_ignore_search_network_sysctl_dir',`
requires_block_template(`$0'_depend)
@@ -746,8 +1179,19 @@ define(`kernel_ignore_search_network_sysctl_dir_depend',`
')
########################################
-#
-# kernel_read_network_sysctl(domain)
+##
+##
+## Allow caller to read sysctl network files.
+##
+##
+##
+##
+##
+## The process type reading sysctl network files.
+##
+##
+##
+##
#
define(`kernel_read_network_sysctl',`
requires_block_template(`$0'_depend)
@@ -766,8 +1210,19 @@ define(`kernel_read_network_sysctl_depend',`
')
########################################
-#
-# kernel_modify_network_sysctl(domain)
+
+##
+##
+## Allow caller to modiry contents of sysctl network files.
+##
+##
+##
+##
+##
+## The process type modifying sysctl network files.
+##
+##
+##
#
define(`kernel_modify_network_sysctl',`
requires_block_template(`$0'_depend)
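Review bot: This hunk alone inserts an empty line (L864) between the `########################################` banner and the `##` documentation block, where every other hunk in the commit places the `##` block directly under the banner; that blank line should be dropped for consistency, particularly if the documentation extractor keys off the banner-plus-`##` layout. The summary on L867, `## Allow caller to modiry contents of sysctl network files.`, should read `modify`.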
@@ -786,8 +1241,18 @@ define(`kernel_modify_network_sysctl_depend',`
')
########################################
-#
-# kernel_read_unix_sysctl(domain)
+##
+##
+## Allow caller to read unix sysctl files.
+##
+##
+##
+##
+##
+## The process type reading unix sysctl files.
+##
+##
+##
#
define(`kernel_read_unix_sysctl',`
requires_block_template(`$0'_depend)
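Review bot: The header of the following hunk (`@@ -806,8 +1271,18 @@ define(`kernel_read_net_sysctl_depend',`) suggests that the depend block directly after kernel_read_unix_sysctl is named kernel_read_net_sysctl_depend, while `requires_block_template(`$0'_depend)` on L899 will expand to kernel_read_unix_sysctl_depend; the next hunk header likewise shows kernel_modify_net_sysctl_depend after kernel_modify_unix_sysctl, and in miscfiles.if the hunk after miscfiles_legacy_read_localization is headed by miscfiles_read_localization_depend. This is pre-existing rather than introduced here, and the depend blocks themselves are outside the hunks, but since the commit is documenting these interfaces it is the right moment to confirm the depend macro names match, otherwise the requires block for the unix sysctl and legacy localization interfaces is never found.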
@@ -806,8 +1271,18 @@ define(`kernel_read_net_sysctl_depend',`
')
########################################
-#
-# kernel_modify_unix_sysctl(domain)
+##
+##
+## Allow caller to modify contents of unix sysctl files.
+##
+##
+##
+##
+##
+## The process type modifying contents of unix sysctl files.
+##
+##
+##
#
define(`kernel_modify_unix_sysctl',`
requires_block_template(`$0'_depend)
@@ -826,8 +1301,18 @@ define(`kernel_modify_net_sysctl_depend',`
')
########################################
-#
-# kernel_read_hotplug_sysctl(domain)
+##
+##
+## Allow caller to read data from hotplug.
+##
+##
+##
+##
+##
+## The process type reading hotplug data.
+##
+##
+##
#
define(`kernel_read_hotplug_sysctl',`
requires_block_template(`$0'_depend)
@@ -846,8 +1331,18 @@ define(`kernel_read_hotplug_sysctl_depend',`
')
########################################
-#
-# kernel_modify_hotplug_sysctl(domain)
+##
+##
+## Allow caller to modify hotplug sysctl data.
+##
+##
+##
+##
+##
+## The process type modifying hotplug sysctl data.
+##
+##
+##
#
define(`kernel_modify_hotplug_sysctl',`
requires_block_template(`$0'_depend)
@@ -866,8 +1361,18 @@ define(`kernel_modify_hotplug_sysctl_depend',`
')
########################################
-#
-# kernel_read_modprobe_sysctl(domain)
+##
+##
+## Allow caller to read files containing modprobe information.
+##
+##
+##
+##
+##
+## The process domian reading modprobe information files.
+##
+##
+##
#
define(`kernel_read_modprobe_sysctl',`
requires_block_template(`$0'_depend)
@@ -886,8 +1391,18 @@ define(`kernel_read_modprobe_sysctl_depend',`
')
########################################
-#
-# kernel_modify_modprobe_sysctl(domain)
+##
+##
+## Allow caller to modify files containing modprobe information.
+##
+##
+##
+##
+##
+## The process domian modifying modprobe information files.
+##
+##
+##
#
define(`kernel_modify_modprobe_sysctl',`
requires_block_template(`$0'_depend)
@@ -906,8 +1421,18 @@ define(`kernel_modify_modprobe_sysctl_depend',`
')
########################################
-#
-# kernel_read_kernel_sysctl(domain)
+##
+##
+## Allow caller to read kernel sysctl files.
+##
+##
+##
+##
+##
+## The process type reading kernel sysctl files.
+##
+##
+##
#
define(`kernel_read_kernel_sysctl',`
requires_block_template(`$0'_depend)
@@ -926,8 +1451,18 @@ define(`kernel_read_kernel_sysctl_depend',`
')
########################################
-#
-# kernel_modify_kernel_sysctl(domain)
+##
+##
+## Allow caller to modify kernel sysctl files.
+##
+##
+##
+##
+##
+## The process type modifying kernel sysctl files.
+##
+##
+##
#
define(`kernel_modify_kernel_sysctl',`
requires_block_template(`$0'_depend)
@@ -946,8 +1481,18 @@ define(`kernel_modify_kernel_sysctl_depend',`
')
########################################
-#
-# kernel_read_filesystem_sysctl(domain)
+##
+##
+## Allow caller to read filesystem information.
+##
+##
+##
+##
+##
+## The process type reading filesystem information.
+##
+##
+##
#
define(`kernel_read_filesystem_sysctl',`
requires_block_template(`$0'_depend)
@@ -968,6 +1513,18 @@ define(`kernel_read_filesystem_sysctl_depend',`
########################################
#
# kernel_modify_filesystem_sysctl(domain)
+##
+##
+## Allow caller to modify filesystem information.
+##
+##
+##
+##
+##
+## The process type modifying filesystem information.
+##
+##
+##
#
define(`kernel_modify_filesystem_sysctl',`
requires_block_template(`$0'_depend)
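Review bot: In this hunk the new `##` documentation block is added after the old `#` / `# kernel_modify_filesystem_sysctl(domain)` lines (L1062–L1063), which are kept as context rather than removed as in every other kernel.if hunk, so the interface now carries both header styles. The same pattern appears in hostname.if, where the new block is inserted above the retained `#######################################` / `# hostname_execute(domain)` header, and in locallogin.if above `# locallogin_use_file_descriptors(domain)`; in those two files the old banner then sits between the doc block and the `define`, which may detach the documentation from the interface it describes depending on how the extractor pairs them. Removing the three old header lines in each of these three places brings them in line with the rest of the commit.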
@@ -986,8 +1543,18 @@ define(`kernel_modify_filesystem_sysctl_depend',`
')
########################################
-#
-# kernel_read_irq_sysctl(domain)
+##
+##
+## Allows caller to read interrupt request information.
+##
+##
+##
+##
+##
+## The process type reading interrupt request information.
+##
+##
+##
#
define(`kernel_read_irq_sysctl',`
requires_block_template(`$0'_depend)
@@ -1005,8 +1572,19 @@ define(`kernel_read_irq_sysctl_depend',`
')
########################################
-#
-# kernel_modify_irq_sysctl(domain)
+##
+##
+## Allows caller to modify interrupt request information.
+##
+##
+##
+##
+##
+## The process type modifying interrupt request information.
+##
+##
+##
+##
#
define(`kernel_modify_irq_sysctl',`
requires_block_template(`$0'_depend)
@@ -1064,8 +1642,18 @@ define(`kernel_modify_rpc_sysctl_depend',`
')
########################################
-#
-# kernel_read_all_sysctl(domain)
+##
+##
+## Allow caller to read all sysctl information.
+##
+##
+##
+##
+##
+## The process type reading the information.
+##
+##
+##
#
define(`kernel_read_all_sysctl',`
kernel_read_device_sysctl($1)
@@ -1081,8 +1669,18 @@ define(`kernel_read_all_sysctl',`
')
########################################
-#
-# kernel_modify_all_sysctl(domain)
+##
+##
+## Allow caller to modify all sysctl information.
+##
+##
+##
+##
+##
+## The process type modifying the information.
+##
+##
+##
#
define(`kernel_modify_all_sysctl',`
kernel_modify_device_sysctl($1)
@@ -1121,8 +1719,18 @@ define(`kernel_search_hardware_state_dir_depend',`
')
########################################
-#
-# kernel_read_hardware_state(domain)
+##
+##
+## Allow caller to read hardware state information.
+##
+##
+##
+##
+##
+## The process type reading hardware state information.
+##
+##
+##
#
define(`kernel_read_hardware_state',`
requires_block_template(`$0'_depend)
@@ -1140,8 +1748,18 @@ define(`kernel_read_hardware_state_depend',`
')
########################################
-#
-# kernel_modify_hardware_config_option(domain)
+##
+##
+## Allow caller to modify hardware state information.
+##
+##
+##
+##
+##
+## The process type modifying hardware state information.
+##
+##
+##
#
define(`kernel_modify_hardware_config_option',`
requires_block_template(`$0'_depend)
@@ -1275,8 +1893,20 @@ define(`kernel_sigchld_unlabeled_process_depend',`
')
########################################
-#
-# kernel_ignore_get_unlabeled_block_device_attributes(domain)
+##
+##
+## Do not audit attempts by caller to get attributes for
+## unlabeled block devices.
+##
+##
+## Causes attempts by caller to get attributes on unlabeled
+## block devices to not be auditted.
+##
+##
+## The process type not to audit.
+##
+##
+##
#
define(`kernel_ignore_get_unlabeled_block_device_attributes',`
requires_block_template(`$0'_depend)
@@ -1291,8 +1921,18 @@ define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',`
')
########################################
-#
-# kernel_relabel_unlabeled_object(domain)
+##
+##
+## Allow caller to relabel unlabeled objects.
+##
+##
+##
+##
+##
+## The process type relabeling the objects.
+##
+##
+##
#
define(`kernel_relabel_unlabeled_object',`
requires_block_template(`$0'_depend)
@@ -1336,8 +1976,18 @@ define(`kernel_search_usb_hardware_state_dir_depend',`
')
########################################
-#
-# kernel_list_usb_hardware(domain)
+##
+##
+## Allow caller to get a list of usb hardware.
+##
+##
+##
+##
+##
+## The process type getting the list.
+##
+##
+##
#
define(`kernel_list_usb_hardware',`
requires_block_template(`$0'_depend)
@@ -1383,8 +2033,18 @@ define(`kernel_read_usb_hardware_state_depend',`
')
########################################
-#
-# kernel_modify_usb_hardware_config_option(domain)
+##
+##
+## Allow caller to modify usb hardware configuration files.
+##
+##
+##
+##
+##
+## The process type modifying the options.
+##
+##
+##
#
define(`kernel_modify_usb_hardware_config_option',`
requires_block_template(`$0'_depend)
@@ -1412,8 +2072,18 @@ define(`kernel_modify_usb_hardware_config_option_depend',`
###################################################################
########################################
-#
-# kernel_sigchld_from(domain)
+##
+##
+## Receive sigchild from kernel.
+##
+##
+##
+##
+##
+## The process type receiving the signal.
+##
+##
+##
#
define(`kernel_sigchld_from',`
requires_block_template(`$0'_depend)
@@ -1428,8 +2098,18 @@ define(`kernel_sigchld_from_depend',`
')
########################################
-#
-# kernel_unlabeled_sigchld_from(domain)
+##
+##
+## Receive sigchld from unlabeled processes.
+##
+##
+##
+##
+##
+## The process type receiving the signal.
+##
+##
+##
#
define(`kernel_unlabeled_sigchld_from',`
requires_block_template(`$0'_depend)
@@ -1444,8 +2124,18 @@ define(`kernel_unlabeled_sigchld_from_depend',`
')
########################################
-#
-# kernel_read_directory_from(domain)
+##
+##
+## XXX FIXME
+##
+##
+##
+##
+##
+##
+##
+##
+##
#
define(`kernel_read_directory_from',`
requires_block_template(`$0'_depend)
diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if
index 078b1e07..fa75c75c 100644
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@@ -1,4 +1,4 @@
-##
+##
## Policy for reading and setting the hardware clock.
########################################
@@ -67,9 +67,16 @@ define(`clock_transition_add_role_use_terminal_depend',`
class chr_file { getattr read write ioctl };
')
-#######################################
-#
-# clock_execute(domain)
+########################################
+##
+##
+## Execute hwclock
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`clock_execute',`
requires_block_template(`$0'_depend)
@@ -83,9 +90,16 @@ define(`clock_execute_depend',`
class file { getattr read execute execute_no_trans };
')
-#######################################
-#
-# clock_modify_drift_records(domain)
+########################################
+##
+##
+## Allow executing domain to modify clock drift
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`clock_modify_drift_records',`
requires_block_template(`$0'_depend)
diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if
index ce277329..d7a84f63 100644
--- a/refpolicy/policy/modules/system/getty.if
+++ b/refpolicy/policy/modules/system/getty.if
@@ -1,7 +1,16 @@
+##
+## Policy for getty.
-#######################################
-#
-# getty_transition(domain)
+########################################
+##
+##
+## Execute gettys in the getty domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`getty_transition',`
requires_block_template(`$0'_depend)
@@ -26,9 +35,16 @@ define(`getty_transition_depend',`
class fifo_file rw_file_perms;
')
-#######################################
-#
-# getty_read_log_file(domain)
+########################################
+##
+##
+## Allow process to read getty log file.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`getty_read_log_file',`
requires_block_template(`$0'_depend)
@@ -42,9 +58,16 @@ define(`getty_read_log_file_depend',`
class file { getattr read };
')
-#######################################
-#
-# getty_read_config_file(domain)
+########################################
+##
+##
+## Allow process to read getty config file.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`getty_read_config_file',`
requires_block_template(`$0'_depend)
@@ -58,9 +81,16 @@ define(`getty_read_config_file_depend',`
class file { getattr read };
')
-#######################################
-#
-# getty_modify_config_file(domain)
+########################################
+##
+##
+## Allow process to edit getty config file.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`getty_modify_config_file',`
requires_block_template(`$0'_depend)
@@ -73,3 +103,5 @@ define(`getty_modify_config_file_depend',`
class file { getattr read write };
')
+
+##
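Review bot: A bare `##` line is appended at end of file here and likewise in locallogin.if and miscfiles.if, but not in clock.if or hostname.if, which already carried a module summary and whose first hunk only adjusts the opening `##` line. If this trailing `##` closes the module-level documentation markup, clock.if and hostname.if (and presumably kernel.if, whose tail is not in the diff) need the same line; if it does not, it is a stray line and should be dropped. Either way the five files should end the same way so the documentation build treats them uniformly.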
diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if
index a1144fd2..4efe9793 100644
--- a/refpolicy/policy/modules/system/hostname.if
+++ b/refpolicy/policy/modules/system/hostname.if
@@ -1,4 +1,4 @@
-##
+##
## Policy for changing the system host name.
########################################
@@ -69,6 +69,18 @@ define(`hostname_transition_add_role_use_terminal_depend',`
class chr_file { getattr read write ioctl };
')
+########################################
+##
+##
+## Execute hostname in the hostname domain, and
+## Has a sigchld signal backchannel.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
#######################################
#
# hostname_execute(domain)
diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if
index 66ee967b..688e183c 100644
--- a/refpolicy/policy/modules/system/locallogin.if
+++ b/refpolicy/policy/modules/system/locallogin.if
@@ -1,7 +1,16 @@
+##
+## Policy for local logins.
-#######################################
-#
-# locallogin_transition(domain)
+########################################
+##
+##
+## Execute local logins in the locallogin domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`locallogin_transition',`
requires_block_template(`$0'_depend)
@@ -13,6 +22,17 @@ define(`locallogin_transition_depend',`
type local_login_t;
')
+########################################
+##
+##
+## Allow processes to inherit local login file descriptors
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
########################################
#
# locallogin_use_file_descriptors(domain)
@@ -28,3 +48,5 @@ define(`locallogin_use_file_descriptors_depend',`
class fd use;
')
+
+##
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
index 63c6501f..d55dbe61 100644
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@@ -1,7 +1,20 @@
+##
+## Miscelaneous files.
########################################
-#
-# miscfiles_manage_man_page_cache(domain)
+##
+##
+## Allow process to create files and dirs in /var/cache/man
+## and /var/catman/
+##
+##
+## ...
+##
+##
+## Type type of the process performing this action.
+##
+##
+##
#
define(`miscfiles_manage_man_page_cache',`
requires_block_template(`$0'_depend)
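Review bot: The parameter description `## Type type of the process performing this action.` has a doubled word and should read `## The type of the process performing this action.`; the same line is repeated in the hunks for miscfiles_read_fonts, miscfiles_read_localization, miscfiles_legacy_read_localization and miscfiles_read_man_pages. The module summary `## Miscelaneous files.` is misspelled and should be `## Miscellaneous files.`. Each of these interface blocks also still carries the `## ...` placeholder in the description slot; either fill it in (for this interface, something like `## Allows the caller to create, read, write and delete files and directories in the man page caches.`, subject to the rules in the depend block, which is outside the hunk) or drop the empty description rather than shipping the ellipsis into generated docs.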
@@ -19,8 +32,18 @@ define(`miscfiles_manage_man_page_cache_depend',`
')
########################################
-#
-# miscfiles_read_fonts(domain)
+##
+##
+## Allow process to read fonts files
+##
+##
+## ...
+##
+##
+## Type type of the process performing this action.
+##
+##
+##
#
define(`miscfiles_read_fonts',`
requires_block_template(`$0'_depend)
@@ -40,8 +63,18 @@ define(`miscfiles_read_fonts_depend',`
')
########################################
-#
-# miscfiles_read_localization(domain)
+##
+##
+## Allow process to read localization info
+##
+##
+## ...
+##
+##
+## Type type of the process performing this action.
+##
+##
+##
#
define(`miscfiles_read_localization',`
requires_block_template(`$0'_depend)
@@ -65,8 +98,18 @@ define(`miscfiles_read_localization_depend',`
')
########################################
-#
-# miscfiles_legacy_read_localization(domain)
+##
+##
+## Allow process to read legacy time localization info
+##
+##
+## ...
+##
+##
+## Type type of the process performing this action.
+##
+##
+##
#
define(`miscfiles_legacy_read_localization',`
requires_block_template(`$0'_depend)
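Review bot: The next hunk's header reports `define(`miscfiles_read_localization_depend',` as the nearest preceding definition at old line 82, which is after miscfiles_legacy_read_localization is defined; that suggests the dependency macro for the legacy interface is named `miscfiles_read_localization_depend` rather than `miscfiles_legacy_read_localization_depend`, though the macro itself is outside the hunk and this should be confirmed in the file. If so, `requires_block_template(`$0'_depend)` here expands to an undefined macro, and the second definition silently replaces the non-legacy interface's requires block, so the types required by miscfiles_read_localization could change without any policy-compile error. This change only documents the interface, but a documentation pass is the natural place to fix the macro name as well, e.g. `define(`miscfiles_legacy_read_localization_depend',`.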
@@ -82,8 +125,18 @@ define(`miscfiles_read_localization_depend',`
')
########################################
-#
-# miscfiles_read_man_pages(domain)
+##
+##
+## Allow process to read manpages
+##
+##
+## ...
+##
+##
+## Type type of the process performing this action.
+##
+##
+##
#
define(`miscfiles_read_man_pages',`
requires_block_template(`$0'_depend)
@@ -101,3 +154,5 @@ define(`miscfiles_read_man_pages_depend',`
class file { getattr read };
class lnk_file { getattr read };
')
+
+##
diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if
index 413bc8b3..11bcc8fb 100644
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@@ -68,9 +68,16 @@ define(`mount_transition_add_role_use_terminal_depend',`
class chr_file { getattr read write ioctl };
')
-#######################################
-#
-# mount_use_file_descriptors(domain)
+########################################
+##
+##
+## Use file descriptors for mount.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`mount_use_file_descriptors',`
requires_block_template(`$0'_depend)
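Review bot: The summary `## Use file descriptors for mount.` does not say whose descriptors are used by whom, while the parameter is the caller's type; by analogy with the sibling interfaces that are documented as "use ... file descriptors" the caller presumably gets `fd use` on descriptors inherited from the mount domain, but the allow rule is outside the hunk and should be checked. A clearer summary would be `## Allow the caller to use file descriptors inherited from the mount domain.`. Since these interfaces are the access-control contract, the direction of the grant is the one thing the summary must state unambiguously.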
@@ -84,9 +91,17 @@ define(`mount_use_file_descriptors_depend',`
class fd use;
')
-#######################################
-#
-# mount_send_nfs_client_request(domain)
+########################################
+##
+##
+## Allow the mount domain to send nfs requests for mounting
+## network drives
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`mount_send_nfs_client_request',`
requires_block_template(`$0'_depend)
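Review bot: The summary `## Allow the mount domain to send nfs requests for mounting network drives` names the mount domain as the actor, but the only parameter is described as `## The type of the process performing this action.`, so a reader cannot tell whether the caller is granted access or mount_t is; the allow rule is outside the hunk. If the rule grants the caller access to the mount domain's sockets, the summary should say so, e.g. `## Allow the caller to send NFS client requests through the mount domain's sockets.`; if mount_t is the subject, the parameter description should be changed instead. Either way the summary and the parameter should agree on who is the subject of the permission.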
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index ad35f94e..3a2a61c2 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -1,9 +1,16 @@
##
## Policy for network configuration: ifconfig and dhcp client.
-########################################
-#
-# sysnetwork_dhcpc_transition(domain)
+#######################################
+##
+##
+## Execute dhcp client in dhcpc domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`sysnetwork_dhcpc_transition',`
requires_block_template(`$0'_depend)
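Review bot: The banner line is changed from forty `#` characters to thirty-nine here, while the other files in this change (locallogin.if, mount.if, udev.if) normalise the banner in the opposite direction, from thirty-nine to forty; the second hunk of this file, for sysnetwork_read_network_config, makes the same thirty-nine-character change. Pick one width for the whole change so the banners do not drift again; the forty-character `########################################` used elsewhere in this change is the obvious choice.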
@@ -95,9 +102,16 @@ define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',`
class chr_file { getattr read write ioctl };
')
-########################################
-#
-# sysnetwork_read_network_config(domain)
+#######################################
+##
+##
+## Allow network init to read network config files.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`sysnetwork_read_network_config',`
requires_block_template(`$0'_depend)
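Review bot: The summary `## Allow network init to read network config files.` describes a specific caller, but the parameter is documented generically as `## The type of the process performing this action.`, and the interface name sysnetwork_read_network_config carries no "init" restriction, so the summary overstates what the interface checks. Readers auditing which domains may read network configuration will otherwise assume the grant is limited to an init domain. Suggest `## Allow the caller to read network configuration files.`; the allow rule itself is outside the hunk.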
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
index 2beaa000..87313f3a 100644
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@@ -1,7 +1,16 @@
+##
+## Policy for udev.
-#######################################
-#
-# udev_transition(domain)
+########################################
+##
+##
+## Execute udev in the udev domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`udev_transition',`
requires_block_template(`$0'_depend)
@@ -27,8 +36,15 @@ define(`udev_transition_depend',`
')
########################################
-#
-# udev_read_database(domain)
+##
+##
+## Allow process to read list of devices.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`udev_read_database',`
requires_block_template(`$0'_depend)
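Review bot: The summary `## Allow process to read list of devices.` is easy to misread as access to device nodes, whereas the interface name udev_read_database refers to udev's own device database; the next hunk's udev_modify_database has the same ambiguity, and its depend block grants `write append` on files, which is a broader grant than "modify list" suggests. Suggest `## Allow the caller to read the udev device database.` here and `## Allow the caller to modify the udev device database.` there, so that the documented scope matches the file the rules actually cover; the allow rules are outside the hunk.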
@@ -43,8 +59,15 @@ define(`udev_read_database_depend',`
')
########################################
-#
-# udev_modify_database(domain)
+##
+##
+## Allow process to modify list of devices.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`udev_modify_database',`
requires_block_template(`$0'_depend)
@@ -57,3 +80,5 @@ define(`udev_modify_database_depend',`
class file { getattr read write append };
')
+
+##