From 3865d6b95e4354194753578c12872227076b912c Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Tue, 7 Jun 2005 22:36:07 +0000
Subject: [PATCH] add xml

---
 refpolicy/policy/modules/kernel/kernel.if     | 946 +++++++++++++++---
 refpolicy/policy/modules/system/clock.if      |  28 +-
 refpolicy/policy/modules/system/getty.if      |  56 +-
 refpolicy/policy/modules/system/hostname.if   |  14 +-
 refpolicy/policy/modules/system/locallogin.if |  28 +-
 refpolicy/policy/modules/system/miscfiles.if  |  75 +-
 refpolicy/policy/modules/system/mount.if      |  27 +-
 refpolicy/policy/modules/system/sysnetwork.if |  26 +-
 refpolicy/policy/modules/system/udev.if       |  39 +-
 9 files changed, 1059 insertions(+), 180 deletions(-)

diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index a9050a2e..1f1dd8d8 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -5,8 +5,22 @@
 ## </summary>
 
 ########################################
-#
-# kernel_make_userland_entrypoint(domain,entrypoint)
+## <interface name="kernel_make_userland_entrypoint">
+## 	<description>
+##		Gives kernel an entrypoint to the caller via
+##		the entrypoint type.
+## 	</description>
+## 	<securitydesc>
+##		...
+## 	</securitydesc>
+## 	<parameter name="domain">
+##		The process type entered by kernel.
+## 	</parameter>
+## 	<parameter name="entrypoint">
+##		The executable type for the entrypoint.
+## 	</parameter>
+## 	<infoflow type="both" weight="10" />
+## </interface>
 #
 define(`kernel_make_userland_entrypoint',`
 	requires_block_template(`$0'_depend)
@@ -33,8 +47,20 @@ define(`kernel_make_userland_entrypoint_depend',`
 ')
 
 ########################################
-#
-# kernel_share_state(domain)
+## <interface name="kernel_share_state">
+## 	<description>
+## 		Allows the kernel to share state information with
+## 		the caller.
+## 	</description>
+## 	<securitydesc>
+## 		Gives a type access to state information about
+## 		kernel processes
+## 	</securitydesc>
+## 	<parameter name="domain">
+## 		The type of the process with which to share state information.
+## 	</parameter>
+## 	<infoflow type="read" weight="7" />
+## </interface>
 #
 define(`kernel_share_state',`
 	requires_block_template(`$0'_depend)
@@ -49,8 +75,18 @@ define(`kernel_share_state_depend',`
 ')
 
 ########################################
-#
-# kernel_use_file_descriptors(domain)
+## <interface name="kernel_use_file_descriptors">
+## 	<description>
+## 		Permits caller to use kernel file descriptors.
+## 	</description>
+## 	<securitydesc>
+## 		Permits use of kernel file descriptors.
+## 	</securitydesc>
+## 	<parameter name="domain">
+## 		The type of the process using the descriptors.
+## 	</parameter>
+## 	<infoflow type="both" weight="1" />
+## </interface>
 #
 define(`kernel_use_file_descriptors',`
 	requires_block_template(`$0'_depend)
@@ -65,8 +101,20 @@ define(`kernel_use_file_descriptors_depend',`
 ')
 
 ########################################
-#
-# kernel_ignore_use_file_descriptors(domain)
+## <interface name="kernel_ignore_use_file_descriptors">
+## 	<description>
+## 		Do not audit attempts by the caller to use
+## 		kernel file descriptors.
+## 	</description>
+## 	<securitydesc>
+## 		Causes attempts to use kernel file descriptors
+## 		to not be audited for caller.
+## 	</securitydesc>
+## 	<parameter name="domain">
+## 		The type of process not to audit.
+##	</parameter>
+##	<infoflow type="none" />
+## </interface>
 #
 define(`kernel_ignore_use_file_descriptors',`
 	requires_block_template(`$0'_depend)
@@ -81,8 +129,20 @@ define(`kernel_ignore_use_file_descriptors_depend',`
 ')
 
 ########################################
-#
-# kernel_make_root_filesystem_mountpoint(domain)
+## <interface name="kernel_make_root_filesystem_mountpoint">
+##	<description>
+## 		Allows the kernel to mount filesystems on
+## 		the caller.
+##	</description>
+##	<securitydesc>
+## 		Givers kernel permission to mount on directories
+## 		of the calling type.
+##	</securitydesc>
+##	<parameter name="mountpoint">
+##		The type of the directory to use as a mountpoint.
+##	</parameter>
+##	<infoflow type="both" weight="1"/>
+## </interface>
 #
 define(`kernel_make_root_filesystem_mountpoint',`
 	requires_block_template(`$0'_depend)
@@ -97,8 +157,19 @@ define(`kernel_make_root_filesystem_mountpoint_depend',`
 ')
 
 ########################################
-#
-# kernel_make_process_identity_change_constraint_exception(domain)
+## <interface name="kernel_make_process_identity_change_constraint_exception">
+##	<description>
+## 		Makes caller an exception to the constraint preventing
+## 		changing of user identity.
+##	</description>
+##	<securitydesc>
+## 		Allows changing of user identity in context of the calling process.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type to make an exception to the constraint.
+##	</parameter>
+##	<infoflow type="none" />
+## </interface>
 #
 define(`kernel_make_process_identity_change_constraint_exception',`
 	requires_block_template(`$0'_depend)
@@ -111,8 +182,19 @@ define(`kernel_make_process_identity_change_constraint_exception_depend',`
 ')
 
 ########################################
-#
-# kernel_make_role_change_constraint_exception(domain)
+## <interface name="kernel_make_role_change_constraint_exception">
+##	<description>
+## 		Makes caller an exception to the constraint preventing
+## 		changing of role.
+##	</description>
+##	<securitydesc>
+## 		Allows changing of role in the context of the calling process.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type to make an exception to the constraint.
+##	</parameter>
+##	<infoflow type="none" />
+## </interface>
 #
 define(`kernel_make_role_change_constraint_exception',`
 	requires_block_template(`$0'_depend)
@@ -125,8 +207,19 @@ define(`kernel_make_role_change_constraint_exception_depend',`
 ')
 
 ########################################
-#
-# kernel_make_object_identity_change_constraint_exception(domain)
+## <interface name="kernel_make_object_identity_change_constraint_exception">
+##	<description>
+## 		Makes caller an exception to the constraint preventing 
+## 		changing the user identity in object contexts.
+##	</description>
+##	<securitydesc>
+## 		Allows caller to change user identities on objects
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type to make an exception to the constraint.
+##	</parameter>
+##	<infoflow type="none" />
+## </interface>
 #
 define(`kernel_make_object_identity_change_constraint_exception',`
 	requires_block_template(`$0'_depend)
@@ -139,8 +232,19 @@ define(`kernel_make_object_identity_change_constraint_exception_depend',`
 ')
 
 ########################################
-#
-# kernel_load_module(domain)
+## 
+## <interface name="kernel_load_module">
+##	<description>
+## 		Allows caller to load kernel modules
+##	</description>
+##	<securitydesc>
+## 		Allows loading of kernel modules. 
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type to allow to load kernel modules.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`kernel_load_module',`
 	requires_block_template(`$0'_depend)
@@ -156,8 +260,20 @@ define(`kernel_load_module_depend',`
 ')
 
 ########################################
-#
-# kernel_get_selinux_enforcement_mode(domain)
+##
+## <interface name="kernel_get_selinux_enforcement_mode">
+##	<description>
+## 		Allows the caller to get the mode of policy enforcement
+## 		(enforcing or permissive mode).
+##	</description>
+##	<securitydesc>
+## 		Gives caller access to system state data.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type to allow to get the enforcing mode.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_get_selinux_enforcement_mode',`
 	requires_block_template(`$0'_depend)
@@ -174,8 +290,19 @@ define(`kernel_get_selinux_enforcement_mode_depend',`
 ')
 
 ########################################
-#
-# kernel_set_selinux_enforcement_mode(domain)
+## <interface name="kernel_set_selinux_enforcement_mode">
+##	<description>
+## 		Allow caller to set the mode of policy enforcement
+## 		(enforcing or permissive mode).
+##	</description>
+##	<securitydesc>
+## 		Caller becomes able to disable enforcement of policy.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type to allow to set the enforcement mode.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`kernel_set_selinux_enforcement_mode',`
 	requires_block_template(`$0'_depend)
@@ -198,8 +325,18 @@ define(`kernel_set_selinux_enforcement_mode_depend',`
 ')
 
 ########################################
-#
-# kernel_load_selinux_policy(domain)
+## <interface name="kernel_load_selinux_policy">
+##	<description>
+## 		Allow caller to load the policy into the kernel.
+##	</description>
+##	<securitydesc>
+## 		Caller can replace the policy being enforced.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type that will load the policy.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`kernel_load_selinux_policy',`
 	requires_block_template(`$0'_depend)
@@ -222,8 +359,23 @@ define(`kernel_load_selinux_policy_depend',`
 ')
 
 ########################################
-#
-# kernel_set_selinux_boolean(domain,[booltype])
+## <interface name="kernel_set_selinux_boolean">
+##	<description>
+## 		Allow caller to set the state of Booleans to
+## 		enable or disable conditional portions of the policy.
+##	</description>
+##	<securitydesc>
+## 		Caller can change which of the conditional portions of 
+## 		the policy are being enforced.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type allowed to set the Boolean.
+##	</parameter>
+##	<parameter name="booltype" optional="true">
+##		The type of Booleans the caller is allowed to set.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`kernel_set_selinux_boolean',`
 	requires_block_template(`$0'_depend)
@@ -250,8 +402,18 @@ define(`kernel_set_selinux_boolean_depend',`
 ')
 
 ########################################
-#
-# kernel_set_selinux_security_parameters(domain)
+## <interface name="kernel_set_selinux_security_parameters">
+##	<description>
+## 		Allow caller to set selinux security parameters.
+##	</description>
+##	<securitydesc>
+## 		Caller can change security parameters.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type to allow to set security parameters.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`kernel_set_selinux_security_parameters',`
 	requires_block_template(`$0'_depend)
@@ -274,8 +436,18 @@ define(`kernel_set_selinux_security_parameters_depend',`
 ')
 
 ########################################
-#
-# kernel_validate_selinux_context(domain)
+## <interface name="kernel_validate_selinux_context">
+##	<description>
+## 		Allows caller to validate security contexts.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type permitted to validate contexts.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_validate_selinux_context',`
 	requires_block_template(`$0'_depend)
@@ -294,8 +466,18 @@ define(`kernel_validate_selinux_context_depend',`
 ')
 
 ########################################
-#
-# kernel_compute_selinux_access_vector(domain)
+## <interface name="kernel_compute_selinux_access_vector">
+##	<description>
+## 		Allows caller to compute an access vector.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type allowed to compute an access vector.
+##	</parameter>
+##	<infoflow type="both" weight="7"/>
+## </interface>
 #
 define(`kernel_compute_selinux_access_vector',`
 	requires_block_template(`$0'_depend)
@@ -314,8 +496,18 @@ define(`kernel_compute_selinux_access_vector_depend',`
 ')
 
 ########################################
-#
-# kernel_compute_selinux_create_context(domain)
+## <interface name="kernel_compute_selinux_create_context">
+##	<description>
+## 		
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_compute_selinux_create_context',`
 	requires_block_template(`$0'_depend)
@@ -334,8 +526,18 @@ define(`kernel_compute_selinux_create_context_depend',`
 ')
 
 ########################################
-#
-# kernel_compute_selinux_relabel_context(domain)
+## <interface name="kernel_compute_selinux_relabel_context">
+##	<description>
+## 		
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type to 
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_compute_selinux_relabel_context',`
 	requires_block_template(`$0'_depend)
@@ -354,8 +556,18 @@ define(`kernel_compute_selinux_relabel_context_depend',`
 ')
 
 ########################################
-#
-# kernel_compute_selinux_reachable_user_contexts(domain)
+## <interface name="kernel_compute_selinux_reachable_user_contexts">
+##	<description>
+## 		Allows caller to compute possible contexts for a user.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type allowed to compute user contexts.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_compute_selinux_reachable_user_contexts',`
 	requires_block_template(`$0'_depend)
@@ -374,8 +586,18 @@ define(`kernel_compute_selinux_reachable_user_contexts_depend',`
 ')
 
 ########################################
-#
-# kernel_read_ring_buffer(domain)
+## <interface name="kernel_read_ring_buffer">
+##	<description>
+## 		Allows caller to read the ring buffer.
+##	</description>
+##	<securitydesc>
+## 		Buffer read could have sensitive information from multiple doamins.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type allowed to read the ring buffer.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_ring_buffer',`
 	requires_block_template(`$0'_depend)
@@ -390,8 +612,19 @@ define(`kernel_read_ring_buffer_depend',`
 ')
 
 ########################################
-#
-# kernel_ignore_read_ring_buffer(domain)
+## <interface name="kernel_ignore_read_ring_buffer">
+##	<description>
+## 		Ignore attempts by caller to read the ring buffer.
+##	</description>
+##	<securitydesc>
+## 		Causes attepts to read potentially sensitive information
+## 		from being audited.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The domain to not audit.
+##	</parameter>
+##	<infoflow type="" weight=""/>
+## </interface>
 #
 define(`kernel_ignore_read_ring_buffer',`
 	requires_block_template(`$0'_depend)
@@ -406,8 +639,18 @@ define(`kernel_ignore_read_ring_buffer_depend',`
 ')
 
 ########################################
-#
-# kernel_change_ring_buffer_level(domain)
+## <interface name="kernel_change_ring_buffer_level">
+##	<description>
+## 		
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		
+##	</parameter>
+##	<infoflow type="read" weight="7"/>
+## </interface>
 #
 define(`kernel_change_ring_buffer_level',`
 	requires_block_template(`$0'_depend)
@@ -422,8 +665,18 @@ define(`kernel_change_ring_buffer_level_depend',`
 ')
 
 ########################################
-#
-# kernel_clear_ring_buffer(domain)
+## <interface name="kernel_clear_ring_buffer">
+##	<description>
+## 		Allows the caller to clear the ring buffer.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type clearing the buffer.
+##	</parameter>
+##	<infoflow type="write" weight="8"/>
+## </interface>
 #
 define(`kernel_clear_ring_buffer',`
 	requires_block_template(`$0'_depend)
@@ -438,8 +691,18 @@ define(`kernel_clear_ring_buffer_depend',`
 ')
 
 ########################################
-#
-# kernel_get_sysvipc_info(domain)
+## <interface name="kernel_get_sysvipc_info">
+##	<description>
+## 		Allow caller to get information about an ipc socket.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		
+##	</parameter>
+##	<infoflow type="read" weight="7"/>
+## </interface>
 #
 define(`kernel_get_sysvipc_info',`
 	requires_block_template(`$0'_depend)
@@ -454,8 +717,18 @@ define(`kernel_get_sysvipc_info_depend',`
 ')
 
 ########################################
-#
-# kernel_get_selinuxfs_mount_point(domain)
+## <interface name="kernel_get_selinuxfs_mount_point">
+##	<description>
+## 		Gets the caller the mountpoint of the selinuxfs filesystem.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type requesting the selinuxfs mountpoint.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_get_selinuxfs_mount_point',`
 	requires_block_template(`$0'_depend)
@@ -475,8 +748,18 @@ define(`kernel_get_selinuxfs_mount_point_depend',`
 ')
 
 ########################################
-#
-# kernel_read_system_state(domain)
+## <interface name="kernel_read_system_state">
+##	<description>
+## 		Allows caller to read system state information.
+##	</description>
+##	<securitydesc>
+## 		State data contains information about multiple domains and may be privlaged.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading the system state information.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_system_state',`
 	requires_block_template(`$0'_depend)
@@ -495,8 +778,19 @@ define(`kernel_read_system_state_depend',`
 ')
 
 ########################################
-#
-# kernel_ignore_read_system_state(domain)
+## <interface name="kernel_ignore_read_system_state">
+##	<description>
+## 		Do not audit attempts by caller to 
+## 		read system state information.
+##	</description>
+##	<securitydesc>
+## 		Causes attempts to read system state data not to be auditted.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type not to audit.
+##	</parameter>
+##	<infoflow type="none" />
+## </interface>
 #
 define(`kernel_ignore_read_system_state',`
 	requires_block_template(`$0'_depend)
@@ -511,8 +805,18 @@ define(`kernel_ignore_read_system_state_depend',`
 ')
 
 #######################################
-#
-# kernel_read_software_raid_state(domain)
+## <interface name="kernel_read_software_raid_state">
+##	<description>
+## 		Allow caller to read the state information for software raid.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading software raid state.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_software_raid_state',`
 	requires_block_template(`$0'_depend)
@@ -529,8 +833,18 @@ define(`kernel_read_software_raid_state_depend',`
 ')
 
 ########################################
-#
-# kernel_get_core_interface_attributes(domain)
+## <interface name="kernel_get_core_interface_attributes">
+##	<description>
+## 		Allows caller to get attribues of core kernel interfaces.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type getting the attibutes.
+##	</parameter>
+##	<infoflow type="read" weight="7"/>
+## </interface>
 #
 define(`kernel_get_core_interface_attributes',`
 	requires_block_template(`$0'_depend)
@@ -547,8 +861,20 @@ define(`kernel_get_core_interface_attributes_depend',`
 ')
 
 ########################################
-#
-# kernel_ignore_get_core_interface_attributes(domain)
+## <interface name="kernel_ignore_get_core_interface_attributes">
+##	<description>
+## 		Do not audit attempts to get the attributes of 
+## 		core kernel interfaces.
+##	</description>
+##	<securitydesc>
+## 		Causes attempts to get attributes of kernel interfaces to 
+## 		not be auditted.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type to not audit.
+##	</parameter>
+##	<infoflow type="none" />
+## </interface>
 #
 define(`kernel_ignore_get_core_interface_attributes',`
 	requires_block_template(`$0'_depend)
@@ -563,8 +889,18 @@ define(`kernel_ignore_get_core_interface_attributes_depend',`
 ')
 
 ########################################
-#
-# kernel_read_messages(domain)
+## <interface name="kernel_read_messages">
+##	<description>
+## 		Allow caller to receive and read kernel messages.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading the messages.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_messages',`
 	requires_block_template(`$0'_depend)
@@ -584,8 +920,19 @@ define(`kernel_read_messages_depend',`
 ')
 
 ########################################
-#
-# kernel_get_message_interface_attributes(domain)
+## <interface name="kernel_get_message_interface_attributes">
+##	<description>
+## 		Allow caller to get the attributes of kernel message
+## 		interfaces.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type getting the attributes.
+##	</parameter>
+##	<infoflow type="read" weight="7"/>
+## </interface>
 #
 define(`kernel_get_message_interface_attributes',`
 	requires_block_template(`$0'_depend)
@@ -602,8 +949,20 @@ define(`kernel_get_message_interface_attributes_depend',`
 ')
 
 ########################################
-#
-# kernel_ignore_get_message_interface_attributes(domain)
+## <interface name="kernel_ignore_get_message_interface_attributes">
+##	<description>
+## 		Do not audit attempts by caller to get the attributes of kernel 
+## 		message interfaces.
+##	</description>
+##	<securitydesc>
+## 		Causes attempts by caller to get the attributes of kernel 
+## 		message interfaces not to be auditted.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type not to audit.
+##	</parameter>
+##	<infoflow type="none" />
+## </interface>
 #
 define(`kernel_ignore_get_message_interface_attributes',`
 	requires_block_template(`$0'_depend)
@@ -618,8 +977,19 @@ define(`kernel_ignore_get_message_interface_attributes_depend',`
 ')
 
 ########################################
-#
-# kernel_read_network_state(domain)
+## <interface name="kernel_read_network_state">
+##	<description>
+## 		Allow caller to read the network state information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading the state.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
+##
 #
 define(`kernel_read_network_state',`
 	requires_block_template(`$0'_depend)
@@ -637,8 +1007,19 @@ define(`kernel_read_network_state_depend',`
 ')
 
 ########################################
-#
-# kernel_ignore_search_sysctl_dir(domain)
+## <interface name="kernel_ignore_search_sysctl_dir">
+##	<description>
+## 		Do not audit attempts by caller to search the sysctl directory.
+##	</description>
+##	<securitydesc>
+## 		Causes attempts by caller to search the sysctl directy not to be auditted.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type not to audit.
+##	</parameter>
+##	<infoflow type="none" />
+## </interface>
+##
 #
 define(`kernel_ignore_search_sysctl_dir',`
 	requires_block_template(`$0'_depend)
@@ -653,8 +1034,18 @@ define(`kernel_ignore_search_sysctl_dir_depend',`
 ')
 
 ########################################
-#
-# kernel_read_device_sysctl(domain)
+## <interface name="kernel_read_device_sysctl">
+##	<description>
+## 		Allow caller to read the sysctl device.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type to allow to read the sysctl device.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_device_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -673,8 +1064,18 @@ define(`kernel_read_device_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_modify_device_sysctl(domain)
+## <interface name="kernel_modify_device_sysctl">
+##	<description>
+## 		Allows the caller to modify the sysctl device file.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying the sysctl device.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_device_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -692,8 +1093,19 @@ define(`kernel_modify_device_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_read_virtual_memory_sysctl(domain)
+## <interface name="kernel_read_virtual_memory_sysctl">
+##	<description>
+## 		Allow caller to read sysctl virtual memory.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
+##
 #
 define(`kernel_read_virtual_memory_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -711,8 +1123,18 @@ define(`kernel_read_virtual_memory_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_modify_virtual_memory_sysctl(domain)
+## <interface name="kernel_modify_virtual_memory_sysctl">
+##	<description>
+## 		Allow caller to modify contents of sysctl virtual memory.
+##	</description>
+##	<securitydesc>
+## 		Allows caller to modify sysctl virtual memory.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying sysctl virtual memory.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_virtual_memory_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -730,8 +1152,19 @@ define(`kernel_modify_virtual_memory_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_ignore_search_network_sysctl_dir(domain)
+## <interface name="kernel_ignore_search_network_sysctl_dir">
+##	<description>
+## 		Do not audit attempts by caller to search sysctl network directories.
+##	</description>
+##	<securitydesc>
+## 		Causes attempts by the caller to search the sysctl network 
+## 		directories not to be audited.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type not to audit.
+##	</parameter>
+##	<infoflow type="none" />
+## </interface>
 #
 define(`kernel_ignore_search_network_sysctl_dir',`
 	requires_block_template(`$0'_depend)
@@ -746,8 +1179,19 @@ define(`kernel_ignore_search_network_sysctl_dir_depend',`
 ')
 
 ########################################
-#
-# kernel_read_network_sysctl(domain)
+## <interface name="kernel_read_network_sysctl">
+##	<description>
+## 		Allow caller to read sysctl network files.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading sysctl network files.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
+##
 #
 define(`kernel_read_network_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -766,8 +1210,19 @@ define(`kernel_read_network_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_modify_network_sysctl(domain)
+
+## <interface name="kernel_modify_network_sysctl">
+##	<description>
+## 		Allow caller to modiry contents of sysctl network files.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying sysctl network files.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_network_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -786,8 +1241,18 @@ define(`kernel_modify_network_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_read_unix_sysctl(domain)
+## <interface name="kernel_read_unix_sysctl">
+##	<description>
+## 		Allow caller to read unix sysctl files.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading unix sysctl files.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_unix_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -806,8 +1271,18 @@ define(`kernel_read_net_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_modify_unix_sysctl(domain)
+## <interface name="kernel_modify_unix_sysctl">
+##	<description>
+## 		Allow caller to modify contents of unix sysctl files.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying contents of unix sysctl files.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_unix_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -826,8 +1301,18 @@ define(`kernel_modify_net_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_read_hotplug_sysctl(domain)
+## <interface name="kernel_read_hotplug_sysctl">
+##	<description>
+## 		Allow caller to read data from hotplug.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading hotplug data.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_hotplug_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -846,8 +1331,18 @@ define(`kernel_read_hotplug_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_modify_hotplug_sysctl(domain)
+## <interface name="kernel_modify_hotplug_sysctl">
+##	<description>
+## 		Allow caller to modify hotplug sysctl data.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying hotplug sysctl data.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_hotplug_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -866,8 +1361,18 @@ define(`kernel_modify_hotplug_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_read_modprobe_sysctl(domain)
+## <interface name="kernel_read_modprobe_sysctl">
+##	<description>
+## 		Allow caller to read files containing modprobe information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process domian reading modprobe information files.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_modprobe_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -886,8 +1391,18 @@ define(`kernel_read_modprobe_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_modify_modprobe_sysctl(domain)
+## <interface name="kernel_modify_modprobe_sysctl">
+##	<description>
+## 		Allow caller to modify files containing modprobe information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process domian modifying modprobe information files.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_modprobe_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -906,8 +1421,18 @@ define(`kernel_modify_modprobe_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_read_kernel_sysctl(domain)
+## <interface name="kernel_read_kernel_sysctl">
+##	<description>
+## 		Allow caller to read kernel sysctl files.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading kernel sysctl files.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_kernel_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -926,8 +1451,18 @@ define(`kernel_read_kernel_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_modify_kernel_sysctl(domain)
+## <interface name="kernel_modify_kernel_sysctl">
+##	<description>
+## 		Allow caller to modify kernel sysctl files.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying kernel sysctl files.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_kernel_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -946,8 +1481,18 @@ define(`kernel_modify_kernel_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_read_filesystem_sysctl(domain)
+## <interface name="kernel_read_filesystem_sysctl">
+##	<description>
+## 		Allow caller to read filesystem information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading filesystem information.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_filesystem_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -968,6 +1513,18 @@ define(`kernel_read_filesystem_sysctl_depend',`
 ########################################
 #
 # kernel_modify_filesystem_sysctl(domain)
+## <interface name="kernel_modify_filesystem_sysctl">
+##	<description>
+## 		Allow caller to modify filesystem information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying filesystem information.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_filesystem_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -986,8 +1543,18 @@ define(`kernel_modify_filesystem_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_read_irq_sysctl(domain)
+## <interface name="kernel_read_irq_sysctl">
+##	<description>
+## 		Allows caller to read interrupt request information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading interrupt request information.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_irq_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -1005,8 +1572,19 @@ define(`kernel_read_irq_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_modify_irq_sysctl(domain)
+## <interface name="kernel_modify_irq_sysctl">
+##	<description>
+## 		Allows caller to modify interrupt request information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying interrupt request information.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+##
 #
 define(`kernel_modify_irq_sysctl',`
 	requires_block_template(`$0'_depend)
@@ -1064,8 +1642,18 @@ define(`kernel_modify_rpc_sysctl_depend',`
 ')
 
 ########################################
-#
-# kernel_read_all_sysctl(domain)
+## <interface name="kernel_read_all_sysctl">
+##	<description>
+## 		Allow caller to read all sysctl information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading the information.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_all_sysctl',`
 	kernel_read_device_sysctl($1)
@@ -1081,8 +1669,18 @@ define(`kernel_read_all_sysctl',`
 ')
 
 ########################################
-#
-# kernel_modify_all_sysctl(domain)
+## <interface name="kernel_modify_all_sysctl">
+##	<description>
+## 		Allow caller to modify all sysctl information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying the information.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_all_sysctl',`
 	kernel_modify_device_sysctl($1)
@@ -1121,8 +1719,18 @@ define(`kernel_search_hardware_state_dir_depend',`
 ')
 
 ########################################
-#
-# kernel_read_hardware_state(domain)
+## <interface name="kernel_read_hardware_state">
+##	<description>
+## 		Allow caller to read hardware state information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type reading hardware state information.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_hardware_state',`
 	requires_block_template(`$0'_depend)
@@ -1140,8 +1748,18 @@ define(`kernel_read_hardware_state_depend',`
 ')
 
 ########################################
-#
-# kernel_modify_hardware_config_option(domain)
+## <interface name="kernel_modify_hardware_state">
+##	<description>
+## 		Allow caller to modify hardware state information.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying hardware state information.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_hardware_config_option',`
 	requires_block_template(`$0'_depend)
@@ -1275,8 +1893,20 @@ define(`kernel_sigchld_unlabeled_process_depend',`
 ')
 
 ########################################
-#
-# kernel_ignore_get_unlabeled_block_device_attributes(domain)
+## <interface name="kernel_ignore_get_unlabeled_block_device_attributes">
+##	<description>
+## 		Do not audit attempts by caller to get attributes for 
+## 		unlabeled block devices.
+##	</description>
+##	<securitydesc>
+## 		Causes attempts by caller to get attributes on unlabeled 
+## 		block devices to not be auditted.
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type not to audit.
+##	</parameter>
+##	<infoflow type="none" />
+## </interface>
 #
 define(`kernel_ignore_get_unlabeled_block_device_attributes',`
 	requires_block_template(`$0'_depend)
@@ -1291,8 +1921,18 @@ define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',`
 ')
 
 ########################################
-#
-# kernel_relabel_unlabeled_object(domain)
+## <interface name="kernel_relabel_unlabeled_object">
+##	<description>
+## 		Allow caller to relabel unlabeled objects.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type relabeling the objects.
+##	</parameter>
+##	<infoflow type="read" weight=""/>
+## </interface>
 #
 define(`kernel_relabel_unlabeled_object',`
 	requires_block_template(`$0'_depend)
@@ -1336,8 +1976,18 @@ define(`kernel_search_usb_hardware_state_dir_depend',`
 ')
 
 ########################################
-#
-# kernel_list_usb_hardware(domain)
+## <interface name="kernel_list_usb_hardware">
+##	<description>
+## 		Allow caller to get a list of usb hardware.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type getting the list.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_list_usb_hardware',`
 	requires_block_template(`$0'_depend)
@@ -1383,8 +2033,18 @@ define(`kernel_read_usb_hardware_state_depend',`
 ')
 
 ########################################
-#
-# kernel_modify_usb_hardware_config_option(domain)
+## <interface name="kernel_modify_usb_hardware_config_option">
+##	<description>
+## 		Allow caller to modify usb hardware configuration files.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type modifying the options.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`kernel_modify_usb_hardware_config_option',`
 	requires_block_template(`$0'_depend)
@@ -1412,8 +2072,18 @@ define(`kernel_modify_usb_hardware_config_option_depend',`
 ###################################################################
 
 ########################################
-#
-# kernel_sigchld_from(domain)
+## <interface name="kernel_sigchld_from">
+##	<description>
+## 		Receive sigchild from kernel.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type receiving the signal.
+##	</parameter>
+##	<infoflow type="read" weight="1"/>
+## </interface>
 #
 define(`kernel_sigchld_from',`
 	requires_block_template(`$0'_depend)
@@ -1428,8 +2098,18 @@ define(`kernel_sigchld_from_depend',`
 ')
 
 ########################################
-#
-# kernel_unlabeled_sigchld_from(domain)
+## <interface name="kernel_unlabeled_sigchld_from">
+##	<description>
+## 		Receive sigchld from unlabeled processes.
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		The process type receiving the signal.
+##	</parameter>
+##	<infoflow type="read" weight="1"/>
+## </interface>
 #
 define(`kernel_unlabeled_sigchld_from',`
 	requires_block_template(`$0'_depend)
@@ -1444,8 +2124,18 @@ define(`kernel_unlabeled_sigchld_from_depend',`
 ')
 
 ########################################
-#
-# kernel_read_directory_from(domain)
+## <interface name="kernel_read_directory_from">
+##	<description>
+## 		XXX FIXME
+##	</description>
+##	<securitydesc>
+## 		
+##	</securitydesc>
+##	<parameter name="domain">
+##		
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`kernel_read_directory_from',`
 	requires_block_template(`$0'_depend)
diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if
index 078b1e07..fa75c75c 100644
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@@ -1,4 +1,4 @@
-## <module name="clock" layer="keyservices">
+## <module name="clock" layer="system">
 ## <summary>Policy for reading and setting the hardware clock.</summary>
 
 ########################################
@@ -67,9 +67,16 @@ define(`clock_transition_add_role_use_terminal_depend',`
 	class chr_file { getattr read write ioctl };
 ')
 
-#######################################
-#
-# clock_execute(domain)
+########################################
+## <interface name="clock_execute">
+##     <description>
+##             Execute hwclock
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="execute" weight="10"/>
+## </interface>
 #
 define(`clock_execute',`
 	requires_block_template(`$0'_depend)
@@ -83,9 +90,16 @@ define(`clock_execute_depend',`
 	class file { getattr read execute execute_no_trans };
 ')
 
-#######################################
-#
-# clock_modify_drift_records(domain)
+########################################
+## <interface name="clock_modify_drift_records">
+##     <description>
+##             Allow executing domain to modify clock drift
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`clock_modify_drift_records',`
 	requires_block_template(`$0'_depend)
diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if
index ce277329..d7a84f63 100644
--- a/refpolicy/policy/modules/system/getty.if
+++ b/refpolicy/policy/modules/system/getty.if
@@ -1,7 +1,16 @@
+## <module name="getty" layer="system">
+## <summary>Policy for getty.</summary>
 
-#######################################
-#
-# getty_transition(domain)
+########################################
+## <interface name="getty_transition">
+##     <description>
+##             Execute gettys in the getty domain.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`getty_transition',`
 	requires_block_template(`$0'_depend)
@@ -26,9 +35,16 @@ define(`getty_transition_depend',`
 	class fifo_file rw_file_perms;
 ')
 
-#######################################
-#
-# getty_read_log_file(domain)
+########################################
+## <interface name="getty_read_log_file">
+##     <description>
+##             Allow process to read getty log file.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`getty_read_log_file',`
 	requires_block_template(`$0'_depend)
@@ -42,9 +58,16 @@ define(`getty_read_log_file_depend',`
 	class file { getattr read };
 ')
 
-#######################################
-#
-# getty_read_config_file(domain)
+########################################
+## <interface name="getty_read_config_file">
+##     <description>
+##             Allow process to read getty config file.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`getty_read_config_file',`
 	requires_block_template(`$0'_depend)
@@ -58,9 +81,16 @@ define(`getty_read_config_file_depend',`
 	class file { getattr read };
 ')
 
-#######################################
-#
-# getty_modify_config_file(domain)
+########################################
+## <interface name="getty_modify_config_file">
+##     <description>
+##             Allow process to edit getty config file.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read write" weight="10"/>
+## </interface>
 #
 define(`getty_modify_config_file',`
 	requires_block_template(`$0'_depend)
@@ -73,3 +103,5 @@ define(`getty_modify_config_file_depend',`
 
 	class file { getattr read write };
 ')
+
+## </module>
diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if
index a1144fd2..4efe9793 100644
--- a/refpolicy/policy/modules/system/hostname.if
+++ b/refpolicy/policy/modules/system/hostname.if
@@ -1,4 +1,4 @@
-## <module name="hostname" layer="keyservices">
+## <module name="hostname" layer="system">
 ## <summary>Policy for changing the system host name.</summary>
 
 ########################################
@@ -69,6 +69,18 @@ define(`hostname_transition_add_role_use_terminal_depend',`
 	class chr_file { getattr read write ioctl };
 ')
 
+########################################
+## <interface name="hostname_execute">
+##     <description>
+##             Execute hostname in the hostname domain, and
+##             Has a sigchld signal backchannel.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="write" weight="10"/>
+## </interface>
+#
 #######################################
 #
 # hostname_execute(domain)
diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if
index 66ee967b..688e183c 100644
--- a/refpolicy/policy/modules/system/locallogin.if
+++ b/refpolicy/policy/modules/system/locallogin.if
@@ -1,7 +1,16 @@
+## <module name="locallogin" layer="system">
+## <summary>Policy for local logins.</summary>
 
-#######################################
-#
-# locallogin_transition(domain)
+########################################
+## <interface name="locallogin_transition">
+##     <description>
+##             Execute local logins in the locallogin domain.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`locallogin_transition',`
 	requires_block_template(`$0'_depend)
@@ -13,6 +22,17 @@ define(`locallogin_transition_depend',`
 	type local_login_t;
 ')
 
+########################################
+## <interface name="locallogin_use_file_descriptors">
+##     <description>
+##             Allow processes to inherit local login file descriptors
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="10"/>
+## </interface>
+#
 ########################################
 #
 # locallogin_use_file_descriptors(domain)
@@ -28,3 +48,5 @@ define(`locallogin_use_file_descriptors_depend',`
 
 	class fd use;
 ')
+
+## </module>
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
index 63c6501f..d55dbe61 100644
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@@ -1,7 +1,20 @@
+## <module name="miscfiles" layer="system">
+## <summary>Miscelaneous files.</summary>
 
 ########################################
-#
-# miscfiles_manage_man_page_cache(domain)
+## <interface name="miscfiles_manage_man_page_cache">
+##     <description>
+##             Allow process to create files and dirs in /var/cache/man
+##             and /var/catman/
+##     </description>
+##      <securitydesc>
+##              ...
+##      </securitydesc>
+##     <parameter name="domain">
+##             Type type of the process performing this action.
+##     </parameter>
+##     <infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`miscfiles_manage_man_page_cache',`
 	requires_block_template(`$0'_depend)
@@ -19,8 +32,18 @@ define(`miscfiles_manage_man_page_cache_depend',`
 ')
 
 ########################################
-#
-# miscfiles_read_fonts(domain)
+## <interface name="miscfiles_read_fonts">
+##     <description>
+##             Allow process to read fonts files
+##     </description>
+##      <securitydesc>
+##              ...
+##      </securitydesc>
+##     <parameter name="domain">
+##             Type type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`miscfiles_read_fonts',`
 	requires_block_template(`$0'_depend)
@@ -40,8 +63,18 @@ define(`miscfiles_read_fonts_depend',`
 ')
 
 ########################################
-#
-# miscfiles_read_localization(domain)
+## <interface name="miscfiles_read_localization">
+##     <description>
+##             Allow process to read localization info
+##     </description>
+##      <securitydesc>
+##              ...
+##      </securitydesc>
+##     <parameter name="domain">
+##             Type type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`miscfiles_read_localization',`
 	requires_block_template(`$0'_depend)
@@ -65,8 +98,18 @@ define(`miscfiles_read_localization_depend',`
 ')
 
 ########################################
-#
-# miscfiles_legacy_read_localization(domain)
+## <interface name="miscfiles_legacy_read_localization">
+##     <description>
+##             Allow process to read legacy time localization info
+##     </description>
+##      <securitydesc>
+##              ...
+##      </securitydesc>
+##     <parameter name="domain">
+##             Type type of the process performing this action.
+##     </parameter>
+##     <infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`miscfiles_legacy_read_localization',`
 	requires_block_template(`$0'_depend)
@@ -82,8 +125,18 @@ define(`miscfiles_read_localization_depend',`
 ')
 
 ########################################
-#
-# miscfiles_read_man_pages(domain)
+## <interface name="miscfiles_read_man_pages">
+##     <description>
+##             Allow process to read manpages
+##     </description>
+##      <securitydesc>
+##              ...
+##      </securitydesc>
+##     <parameter name="domain">
+##             Type type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`miscfiles_read_man_pages',`
 	requires_block_template(`$0'_depend)
@@ -101,3 +154,5 @@ define(`miscfiles_read_man_pages_depend',`
 	class file { getattr read };
 	class lnk_file { getattr read };
 ')
+
+## </module>
diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if
index 413bc8b3..11bcc8fb 100644
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@@ -68,9 +68,16 @@ define(`mount_transition_add_role_use_terminal_depend',`
 	class chr_file { getattr read write ioctl };
 ')
 
-#######################################
-#
-# mount_use_file_descriptors(domain)
+########################################
+## <interface name="mount_use_file_descriptors">
+##     <description>
+##             Use file descriptors for mount.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="use" weight="4"/>
+## </interface>
 #
 define(`mount_use_file_descriptors',`
 	requires_block_template(`$0'_depend)
@@ -84,9 +91,17 @@ define(`mount_use_file_descriptors_depend',`
 	class fd use;
 ')
 
-#######################################
-#
-# mount_send_nfs_client_request(domain)
+########################################
+## <interface name="mount_send_nfs_client_request">
+##     <description>
+##             Allow the mount domain to send nfs requests for mounting
+##             network drives
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="write read " weight="10"/>
+## </interface>
 #
 define(`mount_send_nfs_client_request',`
 	requires_block_template(`$0'_depend)
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index ad35f94e..3a2a61c2 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -1,9 +1,16 @@
 ## <module name="sysnetwork" layer="system">
 ## <summary>Policy for network configuration: ifconfig and dhcp client.</summary>
 
-########################################
-#
-# sysnetwork_dhcpc_transition(domain)
+#######################################
+## <interface name="sysnetwork_dhcpc_transition">
+##     <description>
+##             Execute dhcp client in dhcpc domain.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="3"/>
+## </interface>
 #
 define(`sysnetwork_dhcpc_transition',`
 	requires_block_template(`$0'_depend)
@@ -95,9 +102,16 @@ define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',`
 	class chr_file { getattr read write ioctl };
 ')
 
-########################################
-#
-# sysnetwork_read_network_config(domain)
+#######################################
+## <interface name="sysnetwork_read_network_config">
+##     <description>
+##             Allow network init to read network config files.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="3"/>
+## </interface>
 #
 define(`sysnetwork_read_network_config',`
 	requires_block_template(`$0'_depend)
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
index 2beaa000..87313f3a 100644
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@@ -1,7 +1,16 @@
+## <module name="udev" layer="system">
+## <summary>Policy for udev.</summary>
 
-#######################################
-#
-# udev_transition(domain)
+########################################
+## <interface name="udev_transition">
+##     <description>
+##             Execute udev in the udev domain.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="execute" weight="10"/>
+## </interface>
 #
 define(`udev_transition',`
 	requires_block_template(`$0'_depend)
@@ -27,8 +36,15 @@ define(`udev_transition_depend',`
 ')
 
 ########################################
-#
-# udev_read_database(domain)
+## <interface name="udev_read_database">
+##     <description>
+##             Allow process to read list of devices.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="read" weight="3"/>
+## </interface>
 #
 define(`udev_read_database',`
 	requires_block_template(`$0'_depend)
@@ -43,8 +59,15 @@ define(`udev_read_database_depend',`
 ')
 
 ########################################
-#
-# udev_modify_database(domain)
+## <interface name="udev_modify_database">
+##     <description>
+##             Allow process to modify list of devices.
+##     </description>
+##     <parameter name="domain">
+##             The type of the process performing this action.
+##     </parameter>
+##     <infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`udev_modify_database',`
 	requires_block_template(`$0'_depend)
@@ -57,3 +80,5 @@ define(`udev_modify_database_depend',`
 
 	class file { getattr read write append };
 ')
+
+## </module>