update for new documentation method

2005-06-23 21:30:57 +00:00 · 2005-06-23 21:30:57 +00:00 · 414e415198
commit 414e415198
parent aad5b98eba
43 changed files with 3326 additions and 4377 deletions
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@ -274,7 +274,6 @@ $(MODDIR)/kernel/corenetwork.if: $(MODDIR)/kernel/corenetwork.if.m4 $(MODDIR)/ke
 	$(QUIET) egrep "^[[:blank:]]*network_(interface|node|port)\(.*\)" $(@:.if=.te).in \
 		| m4 $(M4PARAM) $(M4SUPPORT) $(MODDIR)/kernel/corenetwork.if.m4 - \
 		| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
-	$(QUIET) echo "## </module>" >> $@

 $(MODDIR)/kernel/corenetwork.te: $(MODDIR)/kernel/corenetwork.te.m4 $(MODDIR)/kernel/corenetwork.te.in
 	@echo "#" > $@
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ b/refpolicy/policy/modules/admin/dmesg.if
@ -1,15 +1,12 @@
-## <module name="dmesg">
 ## <summary>Policy for dmesg.</summary>

 ########################################
-## <interface name="dmesg_domtrans">
-##	<desc>
-##		Execute dmesg in the dmesg domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute dmesg in the dmesg domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`dmesg_domtrans',`
 	gen_require(`
@ -29,14 +26,12 @@ interface(`dmesg_domtrans',`
 ')

 ########################################
-## <interface name="dmesg_exec">
-##	<desc>
-##		Execute dmesg in the caller domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute dmesg in the caller domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`dmesg_exec',`
 	gen_require(`
@ -47,4 +42,3 @@ interface(`dmesg_exec',`
 	can_exec($1,dmesg_exec_t)
 ')

-## </module>
--- a/refpolicy/policy/modules/admin/metadata.xml
+++ b/refpolicy/policy/modules/admin/metadata.xml
@ -1 +0,0 @@
-<layer name="admin">
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@ -1,15 +1,12 @@
-## <module name="rpm">
 ## <summary>Policy for the RPM package manager.</summary>

 ########################################
-## <interface name="rpm_domtrans">
-##	<desc>
-##		Execute rpm programs in the rpm domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute rpm programs in the rpm domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`rpm_domtrans',`
 	gen_require(`
@ -30,20 +27,18 @@ interface(`rpm_domtrans',`
 ')

 ########################################
-## <interface name="rpm_run">
-##	<desc>
-##		Execute RPM programs in the RPM domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to allow the RPM domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the RPM domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute RPM programs in the RPM domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to allow the RPM domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the RPM domain to use.
+## </param>
 #
 interface(`rpm_run',`
 	gen_require(`
@ -58,14 +53,12 @@ interface(`rpm_run',`
 ')

 ########################################
-## <interface name="rpm_use_fd">
-##	<desc>
-##		Inherit and use file descriptors from RPM.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Inherit and use file descriptors from RPM.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`rpm_use_fd',`
 	gen_require(`
@ -77,14 +70,12 @@ interface(`rpm_use_fd',`
 ')

 ########################################
-## <interface name="rpm_read_pipe">
-##	<desc>
-##		Read from a RPM pipe.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read from a RPM pipe.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`rpm_read_pipe',`
 	gen_require(`
@ -96,14 +87,12 @@ interface(`rpm_read_pipe',`
 ')

 ########################################
-## <interface name="rpm_read_db">
-##	<desc>
-##		Read RPM package database.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read RPM package database.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`rpm_read_db',`
 	gen_require(`
@ -135,4 +124,3 @@ interface(`rpm_manage_db',`
 	allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
 ')

-## </module>
--- a/refpolicy/policy/modules/admin/usermanage.if
+++ b/refpolicy/policy/modules/admin/usermanage.if
@ -1,15 +1,12 @@
-## <module name="usermanage">
 ## <summary>Policy for managing user accounts.</summary>

 ########################################
-## <interface name="usermanage_domtrans_chfn">
-##	<desc>
-##		Execute chfn in the chfn domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute chfn in the chfn domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`usermanage_domtrans_chfn',`
 	gen_require(`
@ -30,21 +27,19 @@ interface(`usermanage_domtrans_chfn',`
 ')

 ########################################
-## <interface name="usermanage_run_chfn">
-##	<desc>
-##		Execute chfn in the chfn domain, and
-##		allow the specified role the chfn domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to be allowed the chfn domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the chfn domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute chfn in the chfn domain, and
+##	allow the specified role the chfn domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the chfn domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the chfn domain to use.
+## </param>
 #
 interface(`usermanage_run_chfn',`
 	gen_require(`
@ -58,14 +53,12 @@ interface(`usermanage_run_chfn',`
 ')

 ########################################
-## <interface name="usermanage_domtrans_groupadd">
-##	<desc>
-##		Execute groupadd in the groupadd domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute groupadd in the groupadd domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`usermanage_domtrans_groupadd',`
 	gen_require(`
@ -86,21 +79,19 @@ interface(`usermanage_domtrans_groupadd',`
 ')

 ########################################
-## <interface name="usermanage_run_groupadd">
-##	<desc>
-##		Execute groupadd in the groupadd domain, and
-##		allow the specified role the groupadd domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to be allowed the groupadd domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the groupadd domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute groupadd in the groupadd domain, and
+##	allow the specified role the groupadd domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the groupadd domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the groupadd domain to use.
+## </param>
 #
 interface(`usermanage_run_groupadd',`
 	gen_require(`
@ -114,14 +105,12 @@ interface(`usermanage_run_groupadd',`
 ')

 ########################################
-## <interface name="usermanage_domtrans_passwd">
-##	<desc>
-##		Execute passwd in the passwd domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute passwd in the passwd domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`usermanage_domtrans_passwd',`
 	gen_require(`
@ -142,21 +131,19 @@ interface(`usermanage_domtrans_passwd',`
 ')

 ########################################
-## <interface name="usermanage_run_passwd">
-##	<desc>
-##		Execute passwd in the passwd domain, and
-##		allow the specified role the passwd domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to be allowed the passwd domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the passwd domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute passwd in the passwd domain, and
+##	allow the specified role the passwd domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the passwd domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the passwd domain to use.
+## </param>
 #
 interface(`usermanage_run_passwd',`
 	gen_require(`
@ -170,14 +157,12 @@ interface(`usermanage_run_passwd',`
 ')

 ########################################
-## <interface name="usermanage_domtrans_useradd">
-##	<desc>
-##		Execute useradd in the useradd domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute useradd in the useradd domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`usermanage_domtrans_useradd',`
 	gen_require(`
@ -198,21 +183,19 @@ interface(`usermanage_domtrans_useradd',`
 ')

 ########################################
-## <interface name="usermanage_run_useradd">
-##	<desc>
-##		Execute useradd in the useradd domain, and
-##		allow the specified role the useradd domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to be allowed the useradd domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the useradd domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute useradd in the useradd domain, and
+##	allow the specified role the useradd domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the useradd domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the useradd domain to use.
+## </param>
 #
 interface(`usermanage_run_useradd',`
 	gen_require(`
@ -225,4 +208,3 @@ interface(`usermanage_run_useradd',`
 	allow useradd_t $3:chr_file rw_term_perms;
 ')

-## </module>
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@ -1,28 +1,26 @@
-## <module name="gpg">
 ## <summary>Policy for GNU Privacy Guard and related programs.</summary>

 #######################################
-## <template name="gpg_per_userdomain_template">
-##	<summary>
-##		The per-userdomain template for the gpg module.
-##	</summary>
-##	<desc>
-##		<p>
-##		This template creates the types and rules for GPG,
-##		GPG-agent, and GPG helper programs.  This protects
-##		the user keys and secrets, and runs the programs
-##		in domains specific to the user type.
-##		</p>
-##		<p>
-##		This is invoked	automatically for each user, and
-##		generally does not need to be statically invoked 
-##		directly by policy writers.
-##		</p>
-##	</desc>
-##	<param name="userdomain_prefix">
-##		The prefix of the user domain (e.g., user
-##		is the prefix for user_t).
-##	</param>
+## <summary>
+##	The per-userdomain template for the gpg module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates the types and rules for GPG,
+##	GPG-agent, and GPG helper programs.  This protects
+##	the user keys and secrets, and runs the programs
+##	in domains specific to the user type.
+##	</p>
+##	<p>
+##	This is invoked	automatically for each user, and
+##	generally does not need to be statically invoked
+##	directly by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
 #
 template(`gpg_per_userdomain_template',`
 	gen_require(`$0'_depend)
@ -368,6 +366,4 @@ template(`gpg_per_userdomain_template',`
 	') dnl end TODO
 ')

-## </template>

-## </module>
--- a/refpolicy/policy/modules/apps/metadata.xml
+++ b/refpolicy/policy/modules/apps/metadata.xml
@ -1 +0,0 @@
-<layer name="apps">
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@ -1,15 +1,12 @@
-## <module name="bootloader">
 ## <summary>Policy for the kernel modules, kernel image, and bootloader.</summary>

 ########################################
-## <interface name="bootloader_domtrans">
-##	<desc>
-##		Execute bootloader in the bootloader domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute bootloader in the bootloader domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`bootloader_domtrans',`
 	gen_require(`
@ -28,21 +25,19 @@ interface(`bootloader_domtrans',`
 ')

 ########################################
-## <interface name="bootloader_run">
-##	<desc>
-##		Execute bootloader interactively and do
-##		a domain transition to the bootloader domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to be allowed the bootloader domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the bootloader domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute bootloader interactively and do
+##	a domain transition to the bootloader domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the bootloader domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the bootloader domain to use.
+## </param>
 #
 interface(`bootloader_run',`
 	gen_require(`
@ -57,14 +52,12 @@ interface(`bootloader_run',`
 ')

 ########################################
-## <interface name="bootloader_search_boot_dir">
-##	<desc>
-##		Search the /boot directory.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Search the /boot directory.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`bootloader_search_boot_dir',`
 	gen_require(`
@ -76,14 +69,12 @@ interface(`bootloader_search_boot_dir',`
 ')

 ########################################
-## <interface name="bootloader_dontaudit_search_boot">
-##	<desc>
-##		Do not audit attempts to search the /boot directory.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attempts to search the /boot directory.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`bootloader_dontaudit_search_boot',`
 	gen_require(`
@ -95,15 +86,13 @@ interface(`bootloader_dontaudit_search_boot',`
 ')

 ########################################
-## <interface name="bootloader_rw_boot_symlinks">
-##	<desc>
-##		Read and write symbolic links
-##		in the /boot directory.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read and write symbolic links
+##	in the /boot directory.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`bootloader_rw_boot_symlinks',`
 	gen_require(`
@ -117,14 +106,12 @@ interface(`bootloader_rw_boot_symlinks',`
 ')

 ########################################
-## <interface name="bootloader_create_kernel">
-##	<desc>
-##		Install a kernel into the /boot directory.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Install a kernel into the /boot directory.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`bootloader_create_kernel',`
 	gen_require(`
@ -140,14 +127,12 @@ interface(`bootloader_create_kernel',`
 ')

 ########################################
-## <interface name="bootloader_create_kernel_symbol_table">
-##	<desc>
-##		Install a system.map into the /boot directory.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Install a system.map into the /boot directory.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`bootloader_create_kernel_symbol_table',`
 	gen_require(`
@ -161,14 +146,12 @@ interface(`bootloader_create_kernel_symbol_table',`
 ')

 ########################################
-## <interface name="bootloader_read_kernel_symbol_table">
-##	<desc>
-##		Read system.map in the /boot directory.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read system.map in the /boot directory.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`bootloader_read_kernel_symbol_table',`
 	gen_require(`
@ -182,14 +165,12 @@ interface(`bootloader_read_kernel_symbol_table',`
 ')

 ########################################
-## <interface name="bootloader_delete_kernel">
-##	<desc>
-##		Delete a kernel from /boot.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Delete a kernel from /boot.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`bootloader_delete_kernel',`
 	gen_require(`
@ -203,14 +184,12 @@ interface(`bootloader_delete_kernel',`
 ')

 ########################################
-## <interface name="bootloader_delete_kernel_symbol_table">
-##	<desc>
-##		Delete a system.map in the /boot directory.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Delete a system.map in the /boot directory.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`bootloader_delete_kernel_symbol_table',`
 	gen_require(`
@ -224,14 +203,12 @@ interface(`bootloader_delete_kernel_symbol_table',`
 ')

 ########################################
-## <interface name="bootloader_read_config">
-##	<desc>
-##		Read the bootloader configuration file.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read the bootloader configuration file.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`bootloader_read_config',`
 	gen_require(`
@ -243,15 +220,13 @@ interface(`bootloader_read_config',`
 ')

 ########################################
-## <interface name="bootloader_rw_config">
-##	<desc>
-##		Read and write the bootloader
-##		configuration file.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read and write the bootloader
+##	configuration file.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`bootloader_rw_config',`
 	gen_require(`
@ -263,15 +238,13 @@ interface(`bootloader_rw_config',`
 ')

 ########################################
-## <interface name="bootloader_rw_tmp_file">
-##	<desc>
-##		Read and write the bootloader
-##		temporary data in /tmp.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read and write the bootloader
+##	temporary data in /tmp.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`bootloader_rw_tmp_file',`
 	gen_require(`
@ -284,15 +257,13 @@ interface(`bootloader_rw_tmp_file',`
 ')

 ########################################
-## <interface name="bootloader_create_runtime_file">
-##	<desc>
-##		Read and write the bootloader
-##		temporary data in /tmp.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read and write the bootloader
+##	temporary data in /tmp.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`bootloader_create_runtime_file',`
 	gen_require(`
@ -307,14 +278,12 @@ interface(`bootloader_create_runtime_file',`
 ')

 ########################################
-## <interface name="bootloader_list_kernel_modules">
-##	<desc>
-##		List the contents of the kernel module directories.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	List the contents of the kernel module directories.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`bootloader_list_kernel_modules',`
 	gen_require(`
@ -326,14 +295,12 @@ interface(`bootloader_list_kernel_modules',`
 ')

 ########################################
-## <interface name="bootloader_read_kernel_modules">
-##	<desc>
-##		Read kernel module files.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read kernel module files.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`bootloader_read_kernel_modules',`
 	gen_require(`
@ -349,14 +316,12 @@ interface(`bootloader_read_kernel_modules',`
 ')

 ########################################
-## <interface name="bootloader_write_kernel_modules">
-##	<desc>
-##		Write kernel module files.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Write kernel module files.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`bootloader_write_kernel_modules',`
 	gen_require(`
@ -373,15 +338,13 @@ interface(`bootloader_write_kernel_modules',`
 ')

 ########################################
-## <interface name="bootloader_manage_kernel_modules">
-##	<desc>
-##		Create, read, write, and delete
-##		kernel module files.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Create, read, write, and delete
+##	kernel module files.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`bootloader_manage_kernel_modules',`
 	gen_require(`
@ -417,4 +380,3 @@ interface(`bootloader_create_private_module_dir_entry',`
 	')
 ')

-## </module>
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@ -1,16 +1,13 @@
-## <module name="corenetwork">
 ## <summary>Policy controlling access to network objects</summary>

 ########################################
-## <interface name="corenet_tcp_sendrecv_generic_if">
-##	<desc>
-##		Send and receive TCP network traffic on the general interfaces.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="both" weight="10"/>
-## </interface>
+## <desc>
+##	Send and receive TCP network traffic on the general interfaces.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="both" weight="10"/>
 #
 interface(`corenet_tcp_sendrecv_generic_if',`
 	gen_require(`
--- a/refpolicy/policy/modules/kernel/corenetwork.if.m4
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.m4
@ -6,15 +6,13 @@

 define(`create_netif_interfaces',``
 ########################################
-## <interface name="corenet_tcp_sendrecv_$1">
-##	<desc>
-##		Send and receive TCP network traffic on the $1 interface.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="both" weight="10"/>
-## </interface>
+## <desc>
+##	Send and receive TCP network traffic on the $1 interface.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="both" weight="10"/>
 #
 interface(`corenet_tcp_sendrecv_$1',`
 	gen_require(`
@ -26,15 +24,13 @@ interface(`corenet_tcp_sendrecv_$1',`
 ')

 ########################################
-## <interface name="corenet_udp_send_$1">
-##	<desc>
-##		Send UDP network traffic on the $1 interface.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="write" weight="10"/>
-## </interface>
+## <desc>
+##	Send UDP network traffic on the $1 interface.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="write" weight="10"/>
 #
 interface(`corenet_udp_send_$1',`
 	gen_require(`
@ -46,15 +42,13 @@ interface(`corenet_udp_send_$1',`
 ')

 ########################################
-## <interface name="corenet_udp_receive_$1">
-##	<desc>
-##		Receive UDP network traffic on the $1 interface.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="read" weight="10"/>
-## </interface>
+## <desc>
+##	Receive UDP network traffic on the $1 interface.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="read" weight="10"/>
 #
 interface(`corenet_udp_receive_$1',`
 	gen_require(`
@ -66,15 +60,13 @@ interface(`corenet_udp_receive_$1',`
 ')

 ########################################
-## <interface name="corenetwork_sendrecv_udp_on_$1_interface">
-##	<desc>
-##		Send and receive UDP network traffic on the $1 interface.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="both" weight="10"/>
-## </interface>
+## <desc>
+##	Send and receive UDP network traffic on the $1 interface.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="both" weight="10"/>
 #
 interface(`corenet_udp_sendrecv_$1',`
 	corenet_udp_send_$1(dollarsone)
@ -82,15 +74,13 @@ interface(`corenet_udp_sendrecv_$1',`
 ')

 ########################################
-## <interface name="corenet_raw_send_$1">
-##	<desc>
-##		Send raw IP packets on the $1 interface.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="write" weight="10"/>
-## </interface>
+## <desc>
+##	Send raw IP packets on the $1 interface.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="write" weight="10"/>
 #
 interface(`corenet_raw_send_$1',`
 	gen_require(`
@ -104,15 +94,13 @@ interface(`corenet_raw_send_$1',`
 ')

 ########################################
-## <interface name="corenet_raw_receive_$1">
-##	<desc>
-##		Receive raw IP packets on the $1 interface.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="read" weight="10"/>
-## </interface>
+## <desc>
+##	Receive raw IP packets on the $1 interface.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="read" weight="10"/>
 #
 interface(`corenet_raw_receive_$1',`
 	gen_require(`
@ -124,15 +112,13 @@ interface(`corenet_raw_receive_$1',`
 ')

 ########################################
-## <interface name="corenet_raw_sendrecv_$1">
-##	<desc>
-##		Send and receive raw IP packets on the $1 interface.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="both" weight="10"/>
-## </interface>
+## <desc>
+##	Send and receive raw IP packets on the $1 interface.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="both" weight="10"/>
 #
 interface(`corenet_raw_sendrecv_$1',`
 	corenet_raw_send_$1(dollarsone)
@ -148,15 +134,13 @@ interface(`corenet_raw_sendrecv_$1',`

 define(`create_node_interfaces',``
 ########################################
-## <interface name="corenet_tcp_sendrecv_$1_node">
-##	<desc>
-##		Send and receive TCP traffic on the $1 node.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="both" weight="10"/>
-## </interface>
+## <desc>
+##	Send and receive TCP traffic on the $1 node.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="both" weight="10"/>
 #
 interface(`corenet_tcp_sendrecv_$1_node',`
 	gen_require(`
@ -168,15 +152,13 @@ interface(`corenet_tcp_sendrecv_$1_node',`
 ')

 ########################################
-## <interface name="corenet_udp_send_$1_node">
-##	<desc>
-##		Send UDP traffic on the $1 node.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="write" weight="10"/>
-## </interface>
+## <desc>
+##	Send UDP traffic on the $1 node.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="write" weight="10"/>
 #
 interface(`corenet_udp_send_$1_node',`
 	gen_require(`
@ -188,15 +170,13 @@ interface(`corenet_udp_send_$1_node',`
 ')

 ########################################
-## <interface name="corenet_udp_receive_$1_node">
-##	<desc>
-##		Receive UDP traffic on the $1 node.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="read" weight="10"/>
-## </interface>
+## <desc>
+##	Receive UDP traffic on the $1 node.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="read" weight="10"/>
 #
 interface(`corenet_udp_receive_$1_node',`
 	gen_require(`
@ -208,15 +188,13 @@ interface(`corenet_udp_receive_$1_node',`
 ')

 ########################################
-## <interface name="corenet_udp_sendrecv_$1_node">
-##	<desc>
-##		Send and receive UDP traffic on the $1 node.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="both" weight="10"/>
-## </interface>
+## <desc>
+##	Send and receive UDP traffic on the $1 node.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="both" weight="10"/>
 #
 interface(`corenet_udp_sendrecv_$1_node',`
 	corenet_udp_send_$1_node(dollarsone)
@ -224,15 +202,13 @@ interface(`corenet_udp_sendrecv_$1_node',`
 ')

 ########################################
-## <interface name="corenet_raw_send_$1_node">
-##	<desc>
-##		Send raw IP packets on the $1 node.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="write" weight="10"/>
-## </interface>
+## <desc>
+##	Send raw IP packets on the $1 node.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="write" weight="10"/>
 #
 interface(`corenet_raw_send_$1_node',`
 	gen_require(`
@ -244,15 +220,13 @@ interface(`corenet_raw_send_$1_node',`
 ')

 ########################################
-## <interface name="corenet_raw_receive_$1_node">
-##	<desc>
-##		Receive raw IP packets on the $1 node.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="write" weight="10"/>
-## </interface>
+## <desc>
+##	Receive raw IP packets on the $1 node.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="write" weight="10"/>
 #
 interface(`corenet_raw_receive_$1_node',`
 	gen_require(`
@ -264,15 +238,13 @@ interface(`corenet_raw_receive_$1_node',`
 ')

 ########################################
-## <interface name="corenet_raw_sendrecv_$1_node">
-##	<desc>
-##		Send and receive raw IP packets on the $1 node.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="both" weight="10"/>
-## </interface>
+## <desc>
+##	Send and receive raw IP packets on the $1 node.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="both" weight="10"/>
 #
 interface(`corenet_raw_sendrecv_$1_node',`
 	corenet_raw_send_$1_node(dollarsone)
@ -280,15 +252,13 @@ interface(`corenet_raw_sendrecv_$1_node',`
 ')

 ########################################
-## <interface name="corenet_tcp_bind_$1_node">
-##	<desc>
-##		Bind TCP sockets to node $1.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="none"/>
-## </interface>
+## <desc>
+##	Bind TCP sockets to node $1.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="none"/>
 #
 interface(`corenet_tcp_bind_$1_node',`
 	gen_require(`
@ -300,15 +270,13 @@ interface(`corenet_tcp_bind_$1_node',`
 ')

 ########################################
-## <interface name="corenet_udp_bind_$1_node">
-##	<desc>
-##		Bind UDP sockets to the $1 node.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="none"/>
-## </interface>
+## <desc>
+##	Bind UDP sockets to the $1 node.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="none"/>
 #
 interface(`corenet_udp_bind_$1_node',`
 	gen_require(`
@ -328,15 +296,13 @@ interface(`corenet_udp_bind_$1_node',`

 define(`create_port_interfaces',``
 ########################################
-## <interface name="corenet_tcp_sendrecv_$1_port">
-##	<desc>
-##		Send and receive TCP traffic on the $1 port.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="both" weight="10"/>
-## </interface>
+## <desc>
+##	Send and receive TCP traffic on the $1 port.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="both" weight="10"/>
 #
 interface(`corenet_tcp_sendrecv_$1_port',`
 	gen_require(`
@ -348,15 +314,13 @@ interface(`corenet_tcp_sendrecv_$1_port',`
 ')

 ########################################
-## <interface name="corenet_udp_send_$1_port">
-##	<desc>
-##		Send UDP traffic on the $1 port.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="write" weight="10"/>
-## </interface>
+## <desc>
+##	Send UDP traffic on the $1 port.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="write" weight="10"/>
 #
 interface(`corenet_udp_send_$1_port',`
 	gen_require(`
@ -368,15 +332,13 @@ interface(`corenet_udp_send_$1_port',`
 ')

 ########################################
-## <interface name="corenet_udp_receive_$1_port">
-##	<desc>
-##		Receive UDP traffic on the $1 port.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="read" weight="10"/>
-## </interface>
+## <desc>
+##	Receive UDP traffic on the $1 port.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="read" weight="10"/>
 #
 interface(`corenet_udp_receive_$1_port',`
 	gen_require(`
@ -388,15 +350,13 @@ interface(`corenet_udp_receive_$1_port',`
 ')

 ########################################
-## <interface name="corenetwork_sendrecv_udp_on_$1_port">
-##	<desc>
-##		Send and receive UDP traffic on the $1 port.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="both" weight="10"/>
-## </interface>
+## <desc>
+##	Send and receive UDP traffic on the $1 port.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="both" weight="10"/>
 #
 interface(`corenet_udp_sendrecv_$1_port',`
 	corenet_udp_send_$1_port(dollarsone)
@ -404,15 +364,13 @@ interface(`corenet_udp_sendrecv_$1_port',`
 ')

 ########################################
-## <interface name="corenet_tcp_bind_$1_port">
-##	<desc>
-##		Bind TCP sockets to the $1 port.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="none"/>
-## </interface>
+## <desc>
+##	Bind TCP sockets to the $1 port.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="none"/>
 #
 interface(`corenet_tcp_bind_$1_port',`
 	gen_require(`
@ -425,15 +383,13 @@ interface(`corenet_tcp_bind_$1_port',`
 ')

 ########################################
-## <interface name="corenet_udp_bind_$1_port">
-##	<desc>
-##		Bind UDP sockets to the $1 port.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<infoflow type="none"/>
-## </interface>
+## <desc>
+##	Bind UDP sockets to the $1 port.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <infoflow type="none"/>
 #
 interface(`corenet_udp_bind_$1_port',`
 	gen_require(`
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
--- a/refpolicy/policy/modules/kernel/metadata.xml
+++ b/refpolicy/policy/modules/kernel/metadata.xml
@ -1 +0,0 @@
-<layer name="kernel">
--- a/refpolicy/policy/modules/kernel/selinux.if
+++ b/refpolicy/policy/modules/kernel/selinux.if
@ -1,17 +1,14 @@
-## <module name="selinux">
 ## <summary>
-##	Policy for kernel security interface, in particular, selinuxfs.
+## Policy for kernel security interface, in particular, selinuxfs.
 ## </summary>

 ########################################
-## <interface name="selinux_get_fs_mount">
-##	<desc>
-## 		Gets the caller the mountpoint of the selinuxfs filesystem.
-##	</desc>
-##	<param name="domain">
-##		The process type requesting the selinuxfs mountpoint.
-##	</param>
-## </interface>
+## <desc>
+##	Gets the caller the mountpoint of the selinuxfs filesystem.
+## </desc>
+## <param name="domain">
+##	The process type requesting the selinuxfs mountpoint.
+## </param>
 #
 interface(`selinux_get_fs_mount',`
 	# read /proc/filesystems to see if selinuxfs is supported
@ -20,15 +17,13 @@ interface(`selinux_get_fs_mount',`
 ')

 ########################################
-## <interface name="selinux_get_enforce_mode">
-##	<desc>
-## 		Allows the caller to get the mode of policy enforcement
-## 		(enforcing or permissive mode).
-##	</desc>
-##	<param name="domain">
-##		The process type to allow to get the enforcing mode.
-##	</param>
-## </interface>
+## <desc>
+##	Allows the caller to get the mode of policy enforcement
+##	(enforcing or permissive mode).
+## </desc>
+## <param name="domain">
+##	The process type to allow to get the enforcing mode.
+## </param>
 #
 interface(`selinux_get_enforce_mode',`
 	gen_require(`
@ -42,15 +37,13 @@ interface(`selinux_get_enforce_mode',`
 ')

 ########################################
-## <interface name="selinux_set_enforce_mode">
-##	<desc>
-## 		Allow caller to set the mode of policy enforcement
-## 		(enforcing or permissive mode).
-##	</desc>
-##	<param name="domain">
-##		The process type to allow to set the enforcement mode.
-##	</param>
-## </interface>
+## <desc>
+##	Allow caller to set the mode of policy enforcement
+##	(enforcing or permissive mode).
+## </desc>
+## <param name="domain">
+##	The process type to allow to set the enforcement mode.
+## </param>
 #
 interface(`selinux_set_enforce_mode',`
 	gen_require(`
@ -69,14 +62,12 @@ interface(`selinux_set_enforce_mode',`
 ')

 ########################################
-## <interface name="selinux_load_policy">
-##	<desc>
-## 		Allow caller to load the policy into the kernel.
-##	</desc>
-##	<param name="domain">
-##		The process type that will load the policy.
-##	</param>
-## </interface>
+## <desc>
+##	Allow caller to load the policy into the kernel.
+## </desc>
+## <param name="domain">
+##	The process type that will load the policy.
+## </param>
 #
 interface(`selinux_load_policy',`
 	gen_require(`
@ -95,18 +86,16 @@ interface(`selinux_load_policy',`
 ')

 ########################################
-## <interface name="selinux_set_boolean">
-##	<desc>
-## 		Allow caller to set the state of Booleans to
-## 		enable or disable conditional portions of the policy.
-##	</desc>
-##	<param name="domain">
-##		The process type allowed to set the Boolean.
-##	</param>
-##	<param name="booltype" optional="true">
-##		The type of Booleans the caller is allowed to set.
-##	</param>
-## </interface>
+## <desc>
+##	Allow caller to set the state of Booleans to
+##	enable or disable conditional portions of the policy.
+## </desc>
+## <param name="domain">
+##	The process type allowed to set the Boolean.
+## </param>
+## <param name="booltype" optional="true">
+##	The type of Booleans the caller is allowed to set.
+## </param>
 #
 interface(`selinux_set_boolean',`
 	gen_require(`
@ -130,14 +119,12 @@ interface(`selinux_set_boolean',`
 ')

 ########################################
-## <interface name="selinux_set_parameters">
-##	<desc>
-## 		Allow caller to set selinux security parameters.
-##	</desc>
-##	<param name="domain">
-##		The process type to allow to set security parameters.
-##	</param>
-## </interface>
+## <desc>
+##	Allow caller to set selinux security parameters.
+## </desc>
+## <param name="domain">
+##	The process type to allow to set security parameters.
+## </param>
 #
 interface(`selinux_set_parameters',`
 	gen_require(`
@ -156,14 +143,12 @@ interface(`selinux_set_parameters',`
 ')

 ########################################
-## <interface name="selinux_validate_context">
-##	<desc>
-## 		Allows caller to validate security contexts.
-##	</desc>
-##	<param name="domain">
-##		The process type permitted to validate contexts.
-##	</param>
-## </interface>
+## <desc>
+##	Allows caller to validate security contexts.
+## </desc>
+## <param name="domain">
+##	The process type permitted to validate contexts.
+## </param>
 #
 interface(`selinux_validate_context',`
 	gen_require(`
@ -179,14 +164,12 @@ interface(`selinux_validate_context',`
 ')

 ########################################
-## <interface name="selinux_compute_access_vector">
-##	<desc>
-## 		Allows caller to compute an access vector.
-##	</desc>
-##	<param name="domain">
-##		The process type allowed to compute an access vector.
-##	</param>
-## </interface>
+## <desc>
+##	Allows caller to compute an access vector.
+## </desc>
+## <param name="domain">
+##	The process type allowed to compute an access vector.
+## </param>
 #
 interface(`selinux_compute_access_vector',`
 	gen_require(`
@ -202,14 +185,12 @@ interface(`selinux_compute_access_vector',`
 ')

 ########################################
-## <interface name="selinux_compute_create_context">
-##	<desc>
-## 		
-##	</desc>
-##	<param name="domain">
-##		
-##	</param>
-## </interface>
+## <desc>
+##	
+## </desc>
+## <param name="domain">
+##	
+## </param>
 #
 interface(`selinux_compute_create_context',`
 	gen_require(`
@ -225,14 +206,12 @@ interface(`selinux_compute_create_context',`
 ')

 ########################################
-## <interface name="selinux_compute_relabel_context">
-##	<desc>
-## 		
-##	</desc>
-##	<param name="domain">
-##		The process type to 
-##	</param>
-## </interface>
+## <desc>
+##	
+## </desc>
+## <param name="domain">
+##	The process type to
+## </param>
 #
 interface(`selinux_compute_relabel_context',`
 	gen_require(`
@ -248,14 +227,12 @@ interface(`selinux_compute_relabel_context',`
 ')

 ########################################
-## <interface name="selinux_compute_user_contexts">
-##	<desc>
-## 		Allows caller to compute possible contexts for a user.
-##	</desc>
-##	<param name="domain">
-##		The process type allowed to compute user contexts.
-##	</param>
-## </interface>
+## <desc>
+##	Allows caller to compute possible contexts for a user.
+## </desc>
+## <param name="domain">
+##	The process type allowed to compute user contexts.
+## </param>
 #
 interface(`selinux_compute_user_contexts',`
 	gen_require(`
@ -270,4 +247,3 @@ interface(`selinux_compute_user_contexts',`
 	allow $1 security_t:security compute_user;
 ')

-## </module>
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@ -1,16 +1,13 @@
-## <module name="storage">
 ## <summary>Policy controlling access to storage devices</summary>

 ########################################
-## <interface name="storage_getattr_fixed_disk">
-##	<desc>
-##		Allow the caller to get the attributes of fixed disk
-##		device nodes.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Allow the caller to get the attributes of fixed disk
+##	device nodes.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_getattr_fixed_disk',`
 	gen_require(`
@ -23,15 +20,13 @@ interface(`storage_getattr_fixed_disk',`
 ')

 ########################################
-## <interface name="storage_dontaudit_getattr_fixed_disk">
-##	<desc>
-##		Do not audit attempts made by the caller to get
-##		the attributes of fixed disk device nodes.
-##	</desc>
-##	<param name="domain">
-##		The type of the process to not audit.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attempts made by the caller to get
+##	the attributes of fixed disk device nodes.
+## </desc>
+## <param name="domain">
+##	The type of the process to not audit.
+## </param>
 #
 interface(`storage_dontaudit_getattr_fixed_disk',`
 	gen_require(`
@ -43,15 +38,13 @@ interface(`storage_dontaudit_getattr_fixed_disk',`
 ')

 ########################################
-## <interface name="storage_setattr_fixed_disk">
-##	<desc>
-##		Allow the caller to set the attributes of fixed disk
-##		device nodes.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Allow the caller to set the attributes of fixed disk
+##	device nodes.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_setattr_fixed_disk',`
 	gen_require(`
@ -64,15 +57,13 @@ interface(`storage_setattr_fixed_disk',`
 ')

 ########################################
-## <interface name="storage_dontaudit_setattr_fixed_disk">
-##	<desc>
-##		Do not audit attempts made by the caller to set
-##		the attributes of fixed disk device nodes.
-##	</desc>
-##	<param name="domain">
-##		The type of the process to not audit.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attempts made by the caller to set
+##	the attributes of fixed disk device nodes.
+## </desc>
+## <param name="domain">
+##	The type of the process to not audit.
+## </param>
 #
 interface(`storage_dontaudit_setattr_fixed_disk',`
 	gen_require(`
@ -84,17 +75,15 @@ interface(`storage_dontaudit_setattr_fixed_disk',`
 ')

 ########################################
-## <interface name="storage_raw_read_fixed_disk">
-##	<desc>
-##		Allow the caller to directly read from a fixed disk.
-##		This is extremly dangerous as it can bypass the
-##		SELinux protections for filesystem objects, and
-##		should only be used by trusted domains.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Allow the caller to directly read from a fixed disk.
+##	This is extremly dangerous as it can bypass the
+##	SELinux protections for filesystem objects, and
+##	should only be used by trusted domains.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_raw_read_fixed_disk',`
 	gen_require(`
@ -109,17 +98,15 @@ interface(`storage_raw_read_fixed_disk',`
 ')

 ########################################
-## <interface name="storage_raw_write_fixed_disk">
-##	<desc>
-##		Allow the caller to directly write to a fixed disk.
-##		This is extremly dangerous as it can bypass the
-##		SELinux protections for filesystem objects, and
-##		should only be used by trusted domains.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Allow the caller to directly write to a fixed disk.
+##	This is extremly dangerous as it can bypass the
+##	SELinux protections for filesystem objects, and
+##	should only be used by trusted domains.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_raw_write_fixed_disk',`
 	gen_require(`
@ -134,14 +121,12 @@ interface(`storage_raw_write_fixed_disk',`
 ')

 ########################################
-## <interface name="storage_create_fixed_disk">
-##	<desc>
-##		Create block devices in /dev with the fixed disk type.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Create block devices in /dev with the fixed disk type.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_create_fixed_disk_dev_entry',`
 	gen_require(`
@ -156,14 +141,12 @@ interface(`storage_create_fixed_disk_dev_entry',`
 ')

 ########################################
-## <interface name="storage_manage_fixed_disk">
-##	<desc>
-##		Create, read, write, and delete fixed disk device nodes.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Create, read, write, and delete fixed disk device nodes.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_manage_fixed_disk',`
 	gen_require(`
@ -178,17 +161,15 @@ interface(`storage_manage_fixed_disk',`
 ')

 ########################################
-## <interface name="storage_raw_read_lvm_volume">
-##	<desc>
-##		Allow the caller to directly read from a logical volume.
-##		This is extremly dangerous as it can bypass the
-##		SELinux protections for filesystem objects, and
-##		should only be used by trusted domains.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Allow the caller to directly read from a logical volume.
+##	This is extremly dangerous as it can bypass the
+##	SELinux protections for filesystem objects, and
+##	should only be used by trusted domains.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_raw_read_lvm_volume',`
 	gen_require(`
@ -203,17 +184,15 @@ interface(`storage_raw_read_lvm_volume',`
 ')

 ########################################
-## <interface name="storage_raw_write_lvm_volume">
-##	<desc>
-##		Allow the caller to directly read from a logical volume.
-##		This is extremly dangerous as it can bypass the
-##		SELinux protections for filesystem objects, and
-##		should only be used by trusted domains.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Allow the caller to directly read from a logical volume.
+##	This is extremly dangerous as it can bypass the
+##	SELinux protections for filesystem objects, and
+##	should only be used by trusted domains.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_raw_write_lvm_volume',`
 	gen_require(`
@ -228,15 +207,13 @@ interface(`storage_raw_write_lvm_volume',`
 ')

 ########################################
-## <interface name="storage_getattr_scsi_generic">
-##	<desc>
-##		Allow the caller to get the attributes of
-##		the generic SCSI interface device nodes.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Allow the caller to get the attributes of
+##	the generic SCSI interface device nodes.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_getattr_scsi_generic',`
 	gen_require(`
@ -249,15 +226,13 @@ interface(`storage_getattr_scsi_generic',`
 ')

 ########################################
-## <interface name="storage_setattr_scsi_generic">
-##	<desc>
-##		Allow the caller to set the attributes of
-##		the generic SCSI interface device nodes.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Allow the caller to set the attributes of
+##	the generic SCSI interface device nodes.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_setattr_scsi_generic',`
 	gen_require(`
@ -270,18 +245,16 @@ interface(`storage_setattr_scsi_generic',`
 ')

 ########################################
-## <interface name="storage_read_scsi_generic">
-##	<desc>
-##		Allow the caller to directly read, in a
-##		generic fashion, from any SCSI device.
-##		This is extremly dangerous as it can bypass the
-##		SELinux protections for filesystem objects, and
-##		should only be used by trusted domains.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Allow the caller to directly read, in a
+##	generic fashion, from any SCSI device.
+##	This is extremly dangerous as it can bypass the
+##	SELinux protections for filesystem objects, and
+##	should only be used by trusted domains.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_read_scsi_generic',`
 	gen_require(`
@ -296,18 +269,16 @@ interface(`storage_read_scsi_generic',`
 ')

 ########################################
-## <interface name="storage_write_scsi_generic">
-##	<desc>
-##		Allow the caller to directly write, in a
-##		generic fashion, from any SCSI device.
-##		This is extremly dangerous as it can bypass the
-##		SELinux protections for filesystem objects, and
-##		should only be used by trusted domains.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Allow the caller to directly write, in a
+##	generic fashion, from any SCSI device.
+##	This is extremly dangerous as it can bypass the
+##	SELinux protections for filesystem objects, and
+##	should only be used by trusted domains.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_write_scsi_generic',`
 	gen_require(`
@ -322,15 +293,13 @@ interface(`storage_write_scsi_generic',`
 ')

 ########################################
-## <interface name="storage_getattr_scsi_generic">
-##	<desc>
-##		Get attributes of the device nodes
-##		for the SCSI generic inerface.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Get attributes of the device nodes
+##	for the SCSI generic inerface.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_getattr_scsi_generic',`
 	gen_require(`
@ -343,15 +312,13 @@ interface(`storage_getattr_scsi_generic',`
 ')

 ########################################
-## <interface name="storage_setattr_scsi_generic">
-##	<desc>
-##		Set attributes of the device nodes
-##		for the SCSI generic inerface.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Set attributes of the device nodes
+##	for the SCSI generic inerface.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_set_scsi_generic_attributes',`
 	gen_require(`
@ -364,15 +331,13 @@ interface(`storage_set_scsi_generic_attributes',`
 ')

 ########################################
-## <interface name="storage_getattr_removable_device">
-##	<desc>
-##		Allow the caller to get the attributes of removable
-##		devices device nodes.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Allow the caller to get the attributes of removable
+##	devices device nodes.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_getattr_removable_device',`
 	gen_require(`
@ -385,15 +350,13 @@ interface(`storage_getattr_removable_device',`
 ')

 ########################################
-## <interface name="storage_dontaudit_getattr_removable_device">
-##	<desc>
-##		Do not audit attempts made by the caller to get
-##		the attributes of removable devices device nodes.
-##	</desc>
-##	<param name="domain">
-##		The type of the process to not audit.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attempts made by the caller to get
+##	the attributes of removable devices device nodes.
+## </desc>
+## <param name="domain">
+##	The type of the process to not audit.
+## </param>
 #
 interface(`storage_dontaudit_getattr_removable_device',`
 	gen_require(`
@ -405,15 +368,13 @@ interface(`storage_dontaudit_getattr_removable_device',`
 ')

 ########################################
-## <interface name="storage_setattr_removable_device">
-##	<desc>
-##		Allow the caller to set the attributes of removable
-##		devices device nodes.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Allow the caller to set the attributes of removable
+##	devices device nodes.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_setattr_removable_device',`
 	gen_require(`
@ -426,15 +387,13 @@ interface(`storage_setattr_removable_device',`
 ')

 ########################################
-## <interface name="storage_dontaudit_setattr_removable_device">
-##	<desc>
-##		Do not audit attempts made by the caller to set
-##		the attributes of removable devices device nodes.
-##	</desc>
-##	<param name="domain">
-##		The type of the process to not audit.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attempts made by the caller to set
+##	the attributes of removable devices device nodes.
+## </desc>
+## <param name="domain">
+##	The type of the process to not audit.
+## </param>
 #
 interface(`storage_dontaudit_setattr_removable_device',`
 	gen_require(`
@ -446,18 +405,16 @@ interface(`storage_dontaudit_setattr_removable_device',`
 ')

 ########################################
-## <interface name="storage_raw_read_removable_device">
-##	<desc>
-##		Allow the caller to directly read from
-##		a removable device.
-##		This is extremly dangerous as it can bypass the
-##		SELinux protections for filesystem objects, and
-##		should only be used by trusted domains.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Allow the caller to directly read from
+##	a removable device.
+##	This is extremly dangerous as it can bypass the
+##	SELinux protections for filesystem objects, and
+##	should only be used by trusted domains.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_raw_read_removable_device',`
 	gen_require(`
@ -470,18 +427,16 @@ interface(`storage_raw_read_removable_device',`
 ')

 ########################################
-## <interface name="storage_raw_write_removable_device">
-##	<desc>
-##		Allow the caller to directly write to
-##		a removable device.
-##		This is extremly dangerous as it can bypass the
-##		SELinux protections for filesystem objects, and
-##		should only be used by trusted domains.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Allow the caller to directly write to
+##	a removable device.
+##	This is extremly dangerous as it can bypass the
+##	SELinux protections for filesystem objects, and
+##	should only be used by trusted domains.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_raw_write_removable_device',`
 	gen_require(`
@ -494,15 +449,13 @@ interface(`storage_raw_write_removable_device',`
 ')

 ########################################
-## <interface name="storage_read_tape_device">
-##	<desc>
-##		Allow the caller to directly read
-##		a tape device.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Allow the caller to directly read
+##	a tape device.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_read_tape_device',`
 	gen_require(`
@ -515,15 +468,13 @@ interface(`storage_read_tape_device',`
 ')

 ########################################
-## <interface name="storage_write_tape_device">
-##	<desc>
-##		Allow the caller to directly read
-##		a tape device.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Allow the caller to directly read
+##	a tape device.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_write_tape_device',`
 	gen_require(`
@ -536,15 +487,13 @@ interface(`storage_write_tape_device',`
 ')

 ########################################
-## <interface name="storage_getattr_tape_device">
-##	<desc>
-##		Allow the caller to get the attributes
-##		of device nodes of tape devices.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Allow the caller to get the attributes
+##	of device nodes of tape devices.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_getattr_tape_device',`
 	gen_require(`
@ -557,15 +506,13 @@ interface(`storage_getattr_tape_device',`
 ')

 ########################################
-## <interface name="storage_setattr_tape_device">
-##	<desc>
-##		Allow the caller to set the attributes
-##		of device nodes of tape devices.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Allow the caller to set the attributes
+##	of device nodes of tape devices.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`storage_setattr_tape_device',`
 	gen_require(`
@ -577,4 +524,3 @@ interface(`storage_setattr_tape_device',`
 	allow $1 tape_device_t:blk_file setattr;
 ')

-## </module>
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@ -1,15 +1,12 @@
-## <module name="terminal">
 ## <summary>Policy for terminals.</summary>

 ########################################
-## <interface name="term_pty">
-##	<desc>
-##		Transform specified type into a pty type.
-##	</desc>
-##	<param name="pty_type">
-##		An object type that will applied to a pty.
-##	</param>
-## </interface>
+## <desc>
+##	Transform specified type into a pty type.
+## </desc>
+## <param name="pty_type">
+##	An object type that will applied to a pty.
+## </param>
 #
 interface(`term_pty',`
 	gen_require(`
@ -23,20 +20,18 @@ interface(`term_pty',`
 ')

 ########################################
-## <interface name="term_user_pty">
-##	<desc>
-##		Transform specified type into an user
-##		pty type. This allows it to be relabeled via
-##		type change by login programs such as ssh.
-##	</desc>
-##	<param name="userdomain">
-##		The type of the user domain associated with
-##		this pty.
-##	</param>
-##	<param name="object_type">
-##		An object type that will applied to a pty.
-##	</param>
-## </interface>
+## <desc>
+##	Transform specified type into an user
+##	pty type. This allows it to be relabeled via
+##	type change by login programs such as ssh.
+## </desc>
+## <param name="userdomain">
+##	The type of the user domain associated with
+##	this pty.
+## </param>
+## <param name="object_type">
+##	An object type that will applied to a pty.
+## </param>
 #
 interface(`term_user_pty',`
 	gen_require(`
@ -48,15 +43,13 @@ interface(`term_user_pty',`
 ')

 ########################################
-## <interface name="term_login_pty">
-##	<desc>
-##		Transform specified type into a pty type
-##		used by login programs, such as sshd.
-##	</desc>
-##	<param name="pty_type">
-##		An object type that will applied to a pty.
-##	</param>
-## </interface>
+## <desc>
+##	Transform specified type into a pty type
+##	used by login programs, such as sshd.
+## </desc>
+## <param name="pty_type">
+##	An object type that will applied to a pty.
+## </param>
 #
 interface(`term_login_pty',`
 	gen_require(`
@ -68,14 +61,12 @@ interface(`term_login_pty',`
 ')

 ########################################
-## <interface name="term_tty">
-##	<desc>
-##		Transform specified type into a tty type.
-##	</desc>
-##	<param name="tty_type">
-##		An object type that will applied to a tty.
-##	</param>
-## </interface>
+## <desc>
+##	Transform specified type into a tty type.
+## </desc>
+## <param name="tty_type">
+##	An object type that will applied to a tty.
+## </param>
 #
 interface(`term_tty',`
 	gen_require(`
@ -98,17 +89,15 @@ interface(`term_tty',`
 ')

 ########################################
-## <interface name="term_create_pty">
-##	<desc>
-##		Create a pty in the /dev/pts directory.
-##	</desc>
-##	<param name="domain">
-##		The type of the process creating the pty.
-##	</param>
-##	<param name="pty_type">
-##		The type of the pty.
-##	</param>
-## </interface>
+## <desc>
+##	Create a pty in the /dev/pts directory.
+## </desc>
+## <param name="domain">
+##	The type of the process creating the pty.
+## </param>
+## <param name="pty_type">
+##	The type of the pty.
+## </param>
 #
 interface(`term_create_pty',`
 	gen_require(`
@ -128,15 +117,13 @@ interface(`term_create_pty',`
 ')

 ########################################
-## <interface name="term_use_all_terms">
-##	<desc>
-##		Read and write the console, all
-##		ttys and all ptys.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read and write the console, all
+##	ttys and all ptys.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_use_all_terms',`
 	gen_require(`
@ -152,14 +139,12 @@ interface(`term_use_all_terms',`
 ')

 ########################################
-## <interface name="term_write_console">
-##	<desc>
-##		Write to the console.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Write to the console.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_write_console',`
 	gen_require(`
@ -172,14 +157,12 @@ interface(`term_write_console',`
 ')

 ########################################
-## <interface name="term_use_console">
-##	<desc>
-##		Read from and write to the console.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read from and write to the console.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_use_console',`
 	gen_require(`
@ -192,15 +175,13 @@ interface(`term_use_console',`
 ')

 ########################################
-## <interface name="term_dontaudit_use_console">
-##	<desc>
-##		Do not audit attemtps to read from
-##		or write to the console.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attemtps to read from
+##	or write to the console.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_dontaudit_use_console',`
 	gen_require(`
@ -212,15 +193,13 @@ interface(`term_dontaudit_use_console',`
 ')

 ########################################
-## <interface name="term_setattr_console">
-##	<desc>
-##		Set the attributes of the console
-##		device node.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Set the attributes of the console
+##	device node.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_setattr_console',`
 	gen_require(`
@ -233,15 +212,13 @@ interface(`term_setattr_console',`
 ')

 ########################################
-## <interface name="term_list_ptys">
-##	<desc>
-##		Read the /dev/pts directory to
-##		list all ptys.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read the /dev/pts directory to
+##	list all ptys.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_list_ptys',`
 	gen_require(`
@ -254,15 +231,13 @@ interface(`term_list_ptys',`
 ')

 ########################################
-## <interface name="term_dontaudit_list_ptys">
-##	<desc>
-##		Do not audit attempts to read the
-##		/dev/pts directory to.
-##	</desc>
-##	<param name="domain">
-##		The type of the process to not audit.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attempts to read the
+##	/dev/pts directory to.
+## </desc>
+## <param name="domain">
+##	The type of the process to not audit.
+## </param>
 #
 interface(`term_dontaudit_list_ptys',`
 	gen_require(`
@ -274,16 +249,14 @@ interface(`term_dontaudit_list_ptys',`
 ')

 ########################################
-## <interface name="term_use_generic_pty">
-##	<desc>
-##		Read and write the generic pty
-##		type.  This is generally only used in
-##		the targeted policy.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read and write the generic pty
+##	type.  This is generally only used in
+##	the targeted policy.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_use_generic_pty',`
 	gen_require(`
@ -296,16 +269,14 @@ interface(`term_use_generic_pty',`
 ')

 ########################################
-## <interface name="term_dontaudit_use_generic_pty">
-##	<desc>
-##		Dot not audit attempts to read and
-##		write the generic pty type.  This is
-##		generally only used in the targeted policy.
-##	</desc>
-##	<param name="domain">
-##		The type of the process to not audit.
-##	</param>
-## </interface>
+## <desc>
+##	Dot not audit attempts to read and
+##	write the generic pty type.  This is
+##	generally only used in the targeted policy.
+## </desc>
+## <param name="domain">
+##	The type of the process to not audit.
+## </param>
 #
 interface(`term_dontaudit_use_generic_pty',`
 	gen_require(`
@ -317,15 +288,13 @@ interface(`term_dontaudit_use_generic_pty',`
 ')

 ########################################
-## <interface name="term_use_controlling_term">
-##	<desc>
-##		Read and write the controlling
-##		terminal (/dev/tty).
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read and write the controlling
+##	terminal (/dev/tty).
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_use_controlling_term',`
 	gen_require(`
@ -338,15 +307,13 @@ interface(`term_use_controlling_term',`
 ')

 ########################################
-## <interface name="term_dontaudit_use_ptmx">
-##	<desc>
-##		Do not audit attempts to read and
-##		write the pty multiplexor (/dev/ptmx).
-##	</desc>
-##	<param name="domain">
-##		The type of the process to not audit.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attempts to read and
+##	write the pty multiplexor (/dev/ptmx).
+## </desc>
+## <param name="domain">
+##	The type of the process to not audit.
+## </param>
 #
 interface(`term_dontaudit_use_ptmx',`
 	gen_require(`
@ -358,15 +325,13 @@ interface(`term_dontaudit_use_ptmx',`
 ')

 ########################################
-## <interface name="term_getattr_all_user_ptys">
-##	<desc>
-##		Get the attributes of all user
-##		pty device nodes.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Get the attributes of all user
+##	pty device nodes.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_getattr_all_user_ptys',`
 	gen_require(`
@ -381,14 +346,12 @@ interface(`term_getattr_all_user_ptys',`
 ')

 ########################################
-## <interface name="term_use_all_user_ptys">
-##	<desc>
-##		Read and write all user ptys.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read and write all user ptys.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_use_all_user_ptys',`
 	gen_require(`
@ -403,15 +366,13 @@ interface(`term_use_all_user_ptys',`
 ')

 ########################################
-## <interface name="term_dontaudit_use_all_user_ptys">
-##	<desc>
-##		Do not audit attempts to read any
-##		user ptys.
-##	</desc>
-##	<param name="domain">
-##		The type of the process to not audit.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attempts to read any
+##	user ptys.
+## </desc>
+## <param name="domain">
+##	The type of the process to not audit.
+## </param>
 #
 interface(`term_dontaudit_use_all_user_ptys',`
 	gen_require(`
@ -423,15 +384,13 @@ interface(`term_dontaudit_use_all_user_ptys',`
 ')

 ########################################
-## <interface name="term_relabel_all_user_ptys">
-##	<desc>
-##		Relabel from and to all user
-##		user pty device nodes.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Relabel from and to all user
+##	user pty device nodes.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_relabel_all_user_ptys',`
 	gen_require(`
@ -444,15 +403,13 @@ interface(`term_relabel_all_user_ptys',`
 ')

 ########################################
-## <interface name="term_getattr_unallocated_ttys">
-##	<desc>
-##		Get the attributes of all unallocated
-##		tty device nodes.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Get the attributes of all unallocated
+##	tty device nodes.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_getattr_unallocated_ttys',`
 	gen_require(`
@ -465,15 +422,13 @@ interface(`term_getattr_unallocated_ttys',`
 ')

 ########################################
-## <interface name="term_setattr_unallocated_ttys">
-##	<desc>
-##		Set the attributes of all unallocated
-##		tty device nodes.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Set the attributes of all unallocated
+##	tty device nodes.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_setattr_unallocated_ttys',`
 	gen_require(`
@ -486,15 +441,13 @@ interface(`term_setattr_unallocated_ttys',`
 ')

 ########################################
-## <interface name="term_relabel_unallocated_ttys">
-##	<desc>
-##		Relabel from and to the unallocated
-##		tty type.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Relabel from and to the unallocated
+##	tty type.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_relabel_unallocated_ttys',`
 	gen_require(`
@ -507,15 +460,13 @@ interface(`term_relabel_unallocated_ttys',`
 ')

 ########################################
-## <interface name="term_reset_tty_labels">
-##	<desc>
-##		Relabel from all user tty types to
-##		the unallocated tty type.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Relabel from all user tty types to
+##	the unallocated tty type.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_reset_tty_labels',`
 	gen_require(`
@ -530,14 +481,12 @@ interface(`term_reset_tty_labels',`
 ')

 ########################################
-## <interface name="term_write_unallocated_ttys">
-##	<desc>
-##		Write to unallocated ttys.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Write to unallocated ttys.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_write_unallocated_ttys',`
 	gen_require(`
@ -550,14 +499,12 @@ interface(`term_write_unallocated_ttys',`
 ')

 ########################################
-## <interface name="term_use_unallocated_tty">
-##	<desc>
-##		Read and write unallocated ttys.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read and write unallocated ttys.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_use_unallocated_tty',`
 	gen_require(`
@ -570,15 +517,13 @@ interface(`term_use_unallocated_tty',`
 ')

 ########################################
-## <interface name="term_dontaudit_use_unallocated_tty">
-##	<desc>
-##		Do not audit attempts to read or
-##		write unallocated ttys.
-##	</desc>
-##	<param name="domain">
-##		The type of the process to not audit.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attempts to read or
+##	write unallocated ttys.
+## </desc>
+## <param name="domain">
+##	The type of the process to not audit.
+## </param>
 #
 interface(`term_dontaudit_use_unallocated_tty',`
 	gen_require(`
@ -590,15 +535,13 @@ interface(`term_dontaudit_use_unallocated_tty',`
 ')

 ########################################
-## <interface name="term_getattr_all_user_ttys">
-##	<desc>
-##		Get the attributes of all user tty
-##		device nodes.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Get the attributes of all user tty
+##	device nodes.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_getattr_all_user_ttys',`
 	gen_require(`
@ -611,16 +554,14 @@ interface(`term_getattr_all_user_ttys',`
 ')

 ########################################
-## <interface name="term_dontaudit_getattr_all_user_ttys">
-##	<desc>
-##		Do not audit attempts to get the 
-##		attributes of any user tty
-##		device nodes.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attempts to get the
+##	attributes of any user tty
+##	device nodes.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_dontaudit_getattr_all_user_ttys',`
 	gen_require(`
@ -633,15 +574,13 @@ interface(`term_dontaudit_getattr_all_user_ttys',`
 ')

 ########################################
-## <interface name="term_setattr_all_user_ttys">
-##	<desc>
-##		Set the attributes of all user tty
-##		device nodes.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Set the attributes of all user tty
+##	device nodes.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_setattr_all_user_ttys',`
 	gen_require(`
@ -654,15 +593,13 @@ interface(`term_setattr_all_user_ttys',`
 ')

 ########################################
-## <interface name="term_relabel_all_user_ttys">
-##	<desc>
-##		Relabel from and to all user
-##		user tty device nodes.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Relabel from and to all user
+##	user tty device nodes.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_relabel_all_user_ttys',`
 	gen_require(`
@ -675,14 +612,12 @@ interface(`term_relabel_all_user_ttys',`
 ')

 ########################################
-## <interface name="term_write_all_user_ttys">
-##	<desc>
-##		Write to all user ttys.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Write to all user ttys.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_write_all_user_ttys',`
 	gen_require(`
@ -695,14 +630,12 @@ interface(`term_write_all_user_ttys',`
 ')

 ########################################
-## <interface name="term_use_all_user_ttys">
-##	<desc>
-##		Read and write all user to all user ttys.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read and write all user to all user ttys.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_use_all_user_ttys',`
 	gen_require(`
@ -715,15 +648,13 @@ interface(`term_use_all_user_ttys',`
 ')

 ########################################
-## <interface name="term_dontaudit_use_all_user_ttys">
-##	<desc>
-##		Do not audit attempts to read or write
-##		any user ttys.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attempts to read or write
+##	any user ttys.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`term_dontaudit_use_all_user_ttys',`
 	gen_require(`
@ -734,4 +665,3 @@ interface(`term_dontaudit_use_all_user_ttys',`
 	dontaudit $1 ttynode:chr_file { read write };
 ')

-## </module>
--- a/refpolicy/policy/modules/services/metadata.xml
+++ b/refpolicy/policy/modules/services/metadata.xml
@ -1 +0,0 @@
-<layer name="services">
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@ -1,4 +1,3 @@
-## <module name="mta">
 ## <summary>Policy common to all email tranfer agents.</summary>

 #######################################
@ -194,14 +193,12 @@ interface(`mta_exec',`
 ')

 ########################################
-## <interface name="mta_read_aliases">
-##	<desc>
-##		Read mail address aliases.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read mail address aliases.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`mta_read_aliases',`
 	gen_require(`
@ -293,4 +290,3 @@ interface(`mta_manage_queue',`
 	allow $1 mqueue_spool_t:file create_file_perms;
 ')

-## </module>
--- a/refpolicy/policy/modules/services/remotelogin.if
+++ b/refpolicy/policy/modules/services/remotelogin.if
@ -1,15 +1,12 @@
-## <module name="remotelogin">
 ## <summary>Policy for rshd, rlogind, and telnetd.</summary>

 ########################################
-## <interface name="remotelogin_domtrans">
-##	<desc>
-##		Domain transition to the remote login domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Domain transition to the remote login domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`remotelogin_domtrans',`
 	gen_require(`
@ -19,4 +16,3 @@ interface(`remotelogin_domtrans',`
 	auth_domtrans_login_program($1,remote_login_t)
 ')

-## </module>
--- a/refpolicy/policy/modules/services/sendmail.if
+++ b/refpolicy/policy/modules/services/sendmail.if
@ -1,15 +1,12 @@
-## <module name="sendmail">
 ## <summary>Policy for sendmail.</summary>

 ########################################
-## <interface name="sendmail_domtrans">
-##	<desc>
-##		Domain transition to sendmail.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Domain transition to sendmail.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`sendmail_domtrans',`
 	gen_require(`
@ -29,4 +26,3 @@ interface(`sendmail_domtrans',`
 	allow sendmail_t $1:process sigchld;
 ')

-## </module>
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@ -1,4 +1,3 @@
-## <module name="authlogin">
 ## <summary>Common policy for authentication and user login.</summary>

 #######################################
@ -89,14 +88,12 @@ interface(`authlogin_per_userdomain_template',`
 ') dnl end authlogin_per_userdomain_template

 ########################################
-## <interface name="auth_login_entry_type">
-##	<desc>
-##		Use the login program as an entry point program.
-##	</desc>
-##	<param name="domain">
-##		The type of process using the login program as entry point.
-##	</param>
-## </interface>
+## <desc>
+##	Use the login program as an entry point program.
+## </desc>
+## <param name="domain">
+##	The type of process using the login program as entry point.
+## </param>
 #
 interface(`auth_login_entry_type',`
 	gen_require(`
@ -107,17 +104,15 @@ interface(`auth_login_entry_type',`
 ')

 ########################################
-## <interface name="auth_domtrans_login_program">
-##	<desc>
-##		Execute a login_program in the target domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="target_domain">
-##		The type of the login_program process.
-##	</param>
-## </interface>
+## <desc>
+##	Execute a login_program in the target domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="target_domain">
+##	The type of the login_program process.
+## </param>
 #
 interface(`auth_domtrans_login_program',`
 	gen_require(`
@ -137,14 +132,12 @@ interface(`auth_domtrans_login_program',`
 ')

 ########################################
-## <interface name="auth_domtrans_chk_passwd">
-##	<desc>
-##		Run unix_chkpwd to check a password.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Run unix_chkpwd to check a password.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`auth_domtrans_chk_passwd',`
 	gen_require(`
@ -181,14 +174,12 @@ interface(`auth_domtrans_chk_passwd',`
 ')

 ########################################
-## <interface name="auth_dontaudit_getattr_shadow">
-##	<desc>
-##		
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`auth_dontaudit_getattr_shadow',`
 	gen_require(`
@ -200,14 +191,12 @@ interface(`auth_dontaudit_getattr_shadow',`
 ')

 ########################################
-## <interface name="auth_read_shadow">
-##	<desc>
-##		Read the shadow passwords file (/etc/shadow)
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read the shadow passwords file (/etc/shadow)
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`auth_read_shadow',`
 	gen_require(`
@ -222,15 +211,13 @@ interface(`auth_read_shadow',`
 ')

 ########################################
-## <interface name="auth_dontaudit_read_shadow">
-##	<desc>
-##		Do not audit attempts to read the shadow
-##		password file (/etc/shadow).
-##	</desc>
-##	<param name="domain">
-##		The type of the domain to not audit.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attempts to read the shadow
+##	password file (/etc/shadow).
+## </desc>
+## <param name="domain">
+##	The type of the domain to not audit.
+## </param>
 #
 interface(`auth_dontaudit_read_shadow',`
 	gen_require(`
@ -242,14 +229,12 @@ interface(`auth_dontaudit_read_shadow',`
 ')

 ########################################
-## <interface name="auth_rw_shadow">
-##	<desc>
-##		Read and write the shadow password file (/etc/shadow).
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read and write the shadow password file (/etc/shadow).
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`auth_rw_shadow',`
 	gen_require(`
@ -325,14 +310,12 @@ interface(`auth_rw_lastlog',`
 ')

 ########################################
-## <interface name="auth_domtrans_pam">
-##	<desc>
-##		Execute pam programs in the pam domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute pam programs in the pam domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`auth_domtrans_pam',`
 	gen_require(`
@ -351,20 +334,18 @@ interface(`auth_domtrans_pam',`
 ')

 ########################################
-## <interface name="auth_run_pam">
-##	<desc>
-##		Execute pam programs in the PAM domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to allow the PAM domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the PAM domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute pam programs in the PAM domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to allow the PAM domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the PAM domain to use.
+## </param>
 #
 interface(`auth_run_pam',`
 	gen_require(`
@ -378,14 +359,12 @@ interface(`auth_run_pam',`
 ')

 ########################################
-## <interface name="auth_exec_pam">
-##	<desc>
-##		Execute the pam program.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute the pam program.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`auth_exec_pam',`
 	gen_require(`
@ -413,14 +392,12 @@ interface(`auth_read_pam_pid',`
 ')

 ########################################
-## <interface name="auth_delete_pam_pid">
-##	<desc>
-##		Delete pam PID files.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Delete pam PID files.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`auth_delete_pam_pid',`
 	gen_require(`
@ -507,19 +484,17 @@ interface(`auth_manage_pam_console_data',`
 ')

 ########################################
-## <interface name="auth_relabel_all_files_except_shadow">
-##	<desc>
-##		Relabel all files on the filesystem, except
-##		the shadow passwords and listed exceptions.
-##	</desc>
-##	<param name="domain">
-##		The type of the domain perfoming this action.
-##	</param>
-##	<param name="exception_types" optional="true">
-##		The types to be excluded.  Each type or attribute
-##		must be negated by the caller.
-##	</param>
-## </interface>
+## <desc>
+##	Relabel all files on the filesystem, except
+##	the shadow passwords and listed exceptions.
+## </desc>
+## <param name="domain">
+##	The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+## </param>
 #

 interface(`auth_relabel_all_files_except_shadow',`
@ -531,19 +506,17 @@ interface(`auth_relabel_all_files_except_shadow',`
 ')

 ########################################
-## <interface name="auth_manage_all_files_except_shadow">
-##	<desc>
-##		Manage all files on the filesystem, except
-##		the shadow passwords and listed exceptions.
-##	</desc>
-##	<param name="domain">
-##		The type of the domain perfoming this action.
-##	</param>
-##	<param name="exception_types" optional="true">
-##		The types to be excluded.  Each type or attribute
-##		must be negated by the caller.
-##	</param>
-## </interface>
+## <desc>
+##	Manage all files on the filesystem, except
+##	the shadow passwords and listed exceptions.
+## </desc>
+## <param name="domain">
+##	The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+## </param>
 #

 interface(`auth_manage_all_files_except_shadow',`
@ -555,14 +528,12 @@ interface(`auth_manage_all_files_except_shadow',`
 ')

 ########################################
-## <interface name="auth_domtrans_utempter">
-##	<desc>
-##		Execute utempter programs in the utempter domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute utempter programs in the utempter domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`auth_domtrans_utempter',`
 	gen_require(`
@ -581,20 +552,18 @@ interface(`auth_domtrans_utempter',`
 ')

 ########################################
-## <interface name="auth_run_utempter">
-##	<desc>
-##		Execute utempter programs in the utempter domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to allow the utempter domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the utempter domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute utempter programs in the utempter domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to allow the utempter domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the utempter domain to use.
+## </param>
 #
 interface(`auth_run_utempter',`
 	gen_require(`
@ -648,4 +617,3 @@ interface(`auth_rw_login_records',`
 	logging_search_logs($1)
 ')

-## </module>
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@ -1,15 +1,12 @@
-## <module name="clock">
 ## <summary>Policy for reading and setting the hardware clock.</summary>

 ########################################
-## <interface name="clock_domtrans">
-##	<desc>
-##		Execute hwclock in the clock domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute hwclock in the clock domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`clock_domtrans',`
 	gen_require(`
@ -27,21 +24,19 @@ interface(`clock_domtrans',`
 ')

 ########################################
-## <interface name="clock_run">
-##	<desc>
-##		Execute hwclock in the clock domain, and
-##		allow the specified role the hwclock domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to be allowed the clock domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the clock domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute hwclock in the clock domain, and
+##	allow the specified role the hwclock domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the clock domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the clock domain to use.
+## </param>
 #
 interface(`clock_run',`
 	gen_require(`
@ -55,14 +50,12 @@ interface(`clock_run',`
 ')

 ########################################
-## <interface name="clock_exec">
 ##     <desc>
 ##             Execute hwclock
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
-## </interface>
 #
 interface(`clock_exec',`
 	gen_require(`
@ -73,14 +66,12 @@ interface(`clock_exec',`
 ')

 ########################################
-## <interface name="clock_rw_adjtime">
 ##     <desc>
 ##             Allow executing domain to modify clock drift
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
-## </interface>
 #
 interface(`clock_rw_adjtime',`
 	gen_require(`
@ -92,4 +83,3 @@ interface(`clock_rw_adjtime',`
 	files_list_etc($1)
 ')

-## </module>
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@ -1,7 +1,6 @@
-## <module name="corecommands">
 ## <summary>
-##	Core policy for shells, and generic programs
-##	in /bin, /sbin, /usr/bin, and /usr/sbin.
+## Core policy for shells, and generic programs
+## in /bin, /sbin, /usr/bin, and /usr/sbin.
 ## </summary>

 #######################################
@ -148,19 +147,17 @@ interface(`corecmd_exec_ls',`
 ')

 ########################################
-## <interface name="corecmd_shell_spec_domtrans">
-##	<desc>
-##		Execute a shell in the target domain.  This
-##		is an explicit transition, requiring the
-##		caller to use setexeccon().
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="target_domain">
-##		The type of the shell process.
-##	</param>
-## </interface>
+## <desc>
+##	Execute a shell in the target domain.  This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="target_domain">
+##	The type of the shell process.
+## </param>
 #
 interface(`corecmd_shell_spec_domtrans',`
 	gen_require(`
@ -184,17 +181,15 @@ interface(`corecmd_shell_spec_domtrans',`
 ')

 ########################################
-## <interface name="corecmd_domtrans_shell">
-##	<desc>
-##		Execute a shell in the target domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="target_domain">
-##		The type of the shell process.
-##	</param>
-## </interface>
+## <desc>
+##	Execute a shell in the target domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="target_domain">
+##	The type of the shell process.
+## </param>
 #
 interface(`corecmd_domtrans_shell',`
 	gen_require(`
@ -219,4 +214,3 @@ interface(`corecmd_chroot_exec_chroot',`
 	allow $1 self:capability sys_chroot;
 ')

-## </module>
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@ -1,4 +1,3 @@
-## <module name="domain">
 ## <summary>Core policy for domains.</summary>

 ########################################
@ -92,15 +91,13 @@ interface(`domain_dyntrans_type',`
 ')

 ########################################
-## <interface name="domain_subj_id_change_exempt">
-##	<desc>
-## 		Makes caller an exception to the constraint preventing
-## 		changing of user identity.
-##	</desc>
-##	<param name="domain">
-##		The process type to make an exception to the constraint.
-##	</param>
-## </interface>
+## <desc>
+##	Makes caller an exception to the constraint preventing
+##	changing of user identity.
+## </desc>
+## <param name="domain">
+##	The process type to make an exception to the constraint.
+## </param>
 #
 interface(`domain_subj_id_change_exempt',`
 	gen_require(`
@ -111,15 +108,13 @@ interface(`domain_subj_id_change_exempt',`
 ')

 ########################################
-## <interface name="domain_role_change_exempt">
-##	<desc>
-## 		Makes caller an exception to the constraint preventing
-## 		changing of role.
-##	</desc>
-##	<param name="domain">
-##		The process type to make an exception to the constraint.
-##	</param>
-## </interface>
+## <desc>
+##	Makes caller an exception to the constraint preventing
+##	changing of role.
+## </desc>
+## <param name="domain">
+##	The process type to make an exception to the constraint.
+## </param>
 #
 interface(`domain_role_change_exempt',`
 	gen_require(`
@ -130,15 +125,13 @@ interface(`domain_role_change_exempt',`
 ')

 ########################################
-## <interface name="domain_obj_id_change_exempt">
-##	<desc>
-## 		Makes caller an exception to the constraint preventing 
-## 		changing the user identity in object contexts.
-##	</desc>
-##	<param name="domain">
-##		The process type to make an exception to the constraint.
-##	</param>
-## </interface>
+## <desc>
+##	Makes caller an exception to the constraint preventing
+##	changing the user identity in object contexts.
+## </desc>
+## <param name="domain">
+##	The process type to make an exception to the constraint.
+## </param>
 #
 interface(`domain_obj_id_change_exempt',`
 	gen_require(`
@ -188,14 +181,12 @@ interface(`domain_setpriority_all_domains',`
 ')

 ########################################
-## <interface name="domain_signal_all_domains">
-##	<desc>
-##		Send general signals to all domains.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Send general signals to all domains.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`domain_signal_all_domains',`
 	gen_require(`
@ -207,14 +198,12 @@ interface(`domain_signal_all_domains',`
 ')

 ########################################
-## <interface name="domain_signull_all_domains">
-##	<desc>
-##		Send a null signal to all domains.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Send a null signal to all domains.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`domain_signull_all_domains',`
 	gen_require(`
@ -226,14 +215,12 @@ interface(`domain_signull_all_domains',`
 ')

 ########################################
-## <interface name="domain_sigstop_all_domains">
-##	<desc>
-##		Send a stop signal to all domains.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Send a stop signal to all domains.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`domain_sigstop_all_domains',`
 	gen_require(`
@ -245,14 +232,12 @@ interface(`domain_sigstop_all_domains',`
 ')

 ########################################
-## <interface name="domain_sigchld_all_domains">
-##	<desc>
-##		Send a child terminated signal to all domains.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Send a child terminated signal to all domains.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`domain_sigchld_all_domains',`
 	gen_require(`
@ -264,14 +249,12 @@ interface(`domain_sigchld_all_domains',`
 ')

 ########################################
-## <interface name="domain_kill_all_domains">
-##	<desc>
-##		Send a kill signal to all domains.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Send a kill signal to all domains.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`domain_kill_all_domains',`
 	gen_require(`
@ -285,14 +268,12 @@ interface(`domain_kill_all_domains',`
 ')

 ########################################
-## <interface name="domain_read_all_domains_state">
-##	<desc>
-##		Read the process state (/proc/pid) of all domains.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read the process state (/proc/pid) of all domains.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`domain_read_all_domains_state',`
 	gen_require(`
@ -316,15 +297,13 @@ interface(`domain_read_all_domains_state',`
 ')

 ########################################
-## <interface name="domain_dontaudit_list_all_domains_proc">
-##	<desc>
-##		Do not audit attempts to read the process state
-##		directories of all domains.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attempts to read the process state
+##	directories of all domains.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`domain_dontaudit_list_all_domains_proc',`
 	gen_require(`
@ -336,14 +315,12 @@ interface(`domain_dontaudit_list_all_domains_proc',`
 ')

 ########################################
-## <interface name="domain_getsession_all_domains">
-##	<desc>
-##		Get the session ID of all domains.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Get the session ID of all domains.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`domain_getsession_all_domains',`
 	gen_require(`
@ -355,15 +332,13 @@ interface(`domain_getsession_all_domains',`
 ')

 ########################################
-## <interface name="domain_dontaudit_getattr_all_udp_sockets">
-##	<desc>
-##		Do not audit attempts to get the attributes
-##		of all domains UDP sockets.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attempts to get the attributes
+##	of all domains UDP sockets.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`domain_dontaudit_getattr_all_udp_sockets',`
 	gen_require(`
@ -375,15 +350,13 @@ interface(`domain_dontaudit_getattr_all_udp_sockets',`
 ')

 ########################################
-## <interface name="domain_dontaudit_getattr_all_tcp_sockets">
-##	<desc>
-##		Do not audit attempts to get the attributes
-##		of all domains TCP sockets.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attempts to get the attributes
+##	of all domains TCP sockets.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`domain_dontaudit_getattr_all_tcp_sockets',`
 	gen_require(`
@ -395,15 +368,13 @@ interface(`domain_dontaudit_getattr_all_tcp_sockets',`
 ')

 ########################################
-## <interface name="domain_dontaudit_getattr_all_unix_dgram_sockets">
-##	<desc>
-##		Do not audit attempts to get the attributes
-##		of all domains unix datagram sockets.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attempts to get the attributes
+##	of all domains unix datagram sockets.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',`
 	gen_require(`
@ -415,15 +386,13 @@ interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',`
 ')

 ########################################
-## <interface name="domain_dontaudit_getattr_all_unnamed_pipes">
-##	<desc>
-##		Do not audit attempts to get the attributes
-##		of all domains unnamed pipes.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attempts to get the attributes
+##	of all domains unnamed pipes.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`domain_dontaudit_getattr_all_unnamed_pipes',`
 	gen_require(`
@ -461,7 +430,6 @@ interface(`domain_read_all_entry_files',`
 	allow $1 entry_type:file r_file_perms;
 ')

-## </module>

 #
 # These next macros are not interfaces, but actually are 
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@ -1,19 +1,18 @@
-## <module name="files">
 ## <summary>
-##	Basic filesystem types and interfaces.
+## Basic filesystem types and interfaces.
 ## </summary>
 ## <desc>
-##	<p>
-## 	This module contains basic filesystem types and interfaces. This
-##	includes:
-##	<ul>
-##		<li>The concept of different file types including basic
-##		files, mount points, tmp files, etc.</li>
-##		<li>Access to groups of files and all files.</li>
-##		<li>Types and interfaces for the basic filesystem layout
-##		(/, /etc, /tmp, /usr, etc.).</li>
-##	</ul>
-##	</p>
+## <p>
+## This module contains basic filesystem types and interfaces. This
+## includes:
+## <ul>
+##	<li>The concept of different file types including basic
+##	files, mount points, tmp files, etc.</li>
+##	<li>Access to groups of files and all files.</li>
+##	<li>Types and interfaces for the basic filesystem layout
+##	(/, /etc, /tmp, /usr, etc.).</li>
+## </ul>
+## </p>
 ## </desc>

 ########################################
@ -83,15 +82,13 @@ interface(`files_tmp_file',`
 ')

 ########################################
-## <interface name="files_tmpfs_file">
-##	<desc>
-##		Transform the type into a file, for use on a
-##		virtual memory filesystem (tmpfs).
-##	</desc>
-##	<param name="type">
-##		The type to be transformed.
-##	</param>
-## </interface>
+## <desc>
+##	Transform the type into a file, for use on a
+##	virtual memory filesystem (tmpfs).
+## </desc>
+## <param name="type">
+##	The type to be transformed.
+## </param>
 #
 interface(`files_tmpfs_file',`
 	gen_require(`
@ -125,19 +122,17 @@ interface(`files_getattr_all_files',`
 ')

 ########################################
-## <interface name="files_relabel_all_files">
-##	<desc>
-##		Relabel all files on the filesystem, except
-##		the listed exceptions.
-##	</desc>
-##	<param name="domain">
-##		The type of the domain perfoming this action.
-##	</param>
-##	<param name="exception_types" optional="true">
-##		The types to be excluded.  Each type or attribute
-##		must be negated by the caller.
-##	</param>
-## </interface>
+## <desc>
+##	Relabel all files on the filesystem, except
+##	the listed exceptions.
+## </desc>
+## <param name="domain">
+##	The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+## </param>
 #
 interface(`files_relabel_all_files',`
 	gen_require(`
@ -164,19 +159,17 @@ interface(`files_relabel_all_files',`
 ')

 ########################################
-## <interface name="files_manage_all_files">
-##	<desc>
-##		Manage all files on the filesystem, except
-##		the listed exceptions.
-##	</desc>
-##	<param name="domain">
-##		The type of the domain perfoming this action.
-##	</param>
-##	<param name="exception_types" optional="true">
-##		The types to be excluded.  Each type or attribute
-##		must be negated by the caller.
-##	</param>
-## </interface>
+## <desc>
+##	Manage all files on the filesystem, except
+##	the listed exceptions.
+## </desc>
+## <param name="domain">
+##	The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+## </param>
 #
 interface(`files_manage_all_files',`
 	gen_require(`
@ -306,25 +299,23 @@ interface(`files_list_root',`
 ')

 ########################################
-## <interface name="files_create_root">
-##	<desc>
-##		Create an object in the root directory, with a private
-##		type.  If no object class is specified, the
-##		default is file.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="private type" optional="true">
-##		The type of the object to be created.  If no type
-##		is specified, the type of the root directory will
-##		be used.
-##	</param>
-##	<param name="object" optional="true">
-##		The object class of the object being created.  If
-##		no class is specified, file will be used.
-##	</param>
-## </interface>
+## <desc>
+##	Create an object in the root directory, with a private
+##	type.  If no object class is specified, the
+##	default is file.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="private type" optional="true">
+##	The type of the object to be created.  If no type
+##	is specified, the type of the root directory will
+##	be used.
+## </param>
+## <param name="object" optional="true">
+##	The object class of the object being created.  If
+##	no class is specified, file will be used.
+## </param>
 #
 interface(`files_create_root',`
 	gen_require(`
@ -498,14 +489,12 @@ interface(`files_manage_generic_etc_files',`
 ')

 ########################################
-## <interface name="files_delete_generic_etc_files">
-##	<desc>
-##		Delete system configuration files in /etc.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Delete system configuration files in /etc.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`files_delete_generic_etc_files',`
 	gen_require(`
@ -642,14 +631,12 @@ interface(`files_dontaudit_search_isid_type_dir',`
 ')

 ########################################
-## <interface name="files_list_home">
-##	<desc>
-##		Get listing home home directories.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Get listing home home directories.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`files_list_home',`
 	gen_require(`
@ -743,14 +730,12 @@ interface(`files_read_usr_files',`
 ')

 ########################################
-## <interface name="files_exec_usr_files">
-##	<desc>
-##		Execute programs in /usr/src in the caller domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute programs in /usr/src in the caller domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`files_exec_usr_files',`
 	gen_require(`
@ -810,14 +795,12 @@ interface(`files_dontaudit_search_var',`
 ')

 ########################################
-## <interface name="files_search_var_lib">
-##	<desc>
-##		Search the /var/lib directory.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Search the /var/lib directory.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`files_search_var_lib',`
 	gen_require(`
@ -987,14 +970,12 @@ interface(`files_rw_generic_pids',`
 ')

 ########################################
-## <interface name="files_dontaudit_write_all_pids">
-##	<desc>
-##		Do not audit attempts to write to daemon runtime data files.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attempts to write to daemon runtime data files.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`files_dontaudit_write_all_pids',`
 	gen_require(`
@ -1006,14 +987,12 @@ interface(`files_dontaudit_write_all_pids',`
 ')

 ########################################
-## <interface name="files_dontaudit_ioctl_all_pids">
-##	<desc>
-##		Do not audit attempts to ioctl daemon runtime data files.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attempts to ioctl daemon runtime data files.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`files_dontaudit_ioctl_all_pids',`
 	gen_require(`
@ -1123,4 +1102,3 @@ interface(`files_manage_spools',`
 	allow $1 var_spool_t:file create_file_perms;
 ')

-## </module>
--- a/refpolicy/policy/modules/system/getty.if
+++ b/refpolicy/policy/modules/system/getty.if
@ -1,15 +1,12 @@
-## <module name="getty">
 ## <summary>Policy for getty.</summary>

 ########################################
-## <interface name="getty_domtrans">
 ##     <desc>
 ##             Execute gettys in the getty domain.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
-## </interface>
 #
 interface(`getty_domtrans',`
 	gen_require(`
@ -29,14 +26,12 @@ interface(`getty_domtrans',`
 ')

 ########################################
-## <interface name="getty_read_log">
 ##     <desc>
 ##             Allow process to read getty log file.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
-## </interface>
 #
 interface(`getty_read_log',`
 	gen_require(`
@ -49,14 +44,12 @@ interface(`getty_read_log',`
 ')

 ########################################
-## <interface name="getty_read_config">
 ##     <desc>
 ##             Allow process to read getty config file.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
-## </interface>
 #
 interface(`getty_read_config',`
 	gen_require(`
@ -69,14 +62,12 @@ interface(`getty_read_config',`
 ')

 ########################################
-## <interface name="getty_modify_config">
 ##     <desc>
 ##             Allow process to edit getty config file.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
-## </interface>
 #
 interface(`getty_modify_config',`
 	gen_require(`
@ -88,4 +79,3 @@ interface(`getty_modify_config',`
 	allow $1 getty_etc_t:file rw_file_perms;
 ')

-## </module>
--- a/refpolicy/policy/modules/system/hostname.if
+++ b/refpolicy/policy/modules/system/hostname.if
@ -1,16 +1,13 @@
-## <module name="hostname">
 ## <summary>Policy for changing the system host name.</summary>

 ########################################
-## <interface name="hostname_domtrans">
-##	<desc>
-##		Execute hostname in the hostname domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##		Has a sigchld signal backchannel.
-##	</param>
-## </interface>
+## <desc>
+##	Execute hostname in the hostname domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+##	Has a sigchld signal backchannel.
+## </param>
 #
 interface(`hostname_domtrans',`
 	gen_require(`
@ -30,22 +27,20 @@ interface(`hostname_domtrans',`
 ')

 ########################################
-## <interface name="hostname_run">
-##	<desc>
-##		Execute hostname in the hostname domain, and
-##		allow the specified role the hostname domain.
-##		Has a sigchld signal backchannel.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to be allowed the hostname domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the hostname domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute hostname in the hostname domain, and
+##	allow the specified role the hostname domain.
+##	Has a sigchld signal backchannel.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the hostname domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the hostname domain to use.
+## </param>
 #
 interface(`hostname_run',`
 	gen_require(`
@ -59,7 +54,6 @@ interface(`hostname_run',`
 ')

 ########################################
-## <interface name="hostname_exec">
 ##     <desc>
 ##             Execute hostname in the hostname domain, and
 ##             Has a sigchld signal backchannel.
@ -67,7 +61,6 @@ interface(`hostname_run',`
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
-## </interface>
 #
 interface(`hostname_exec',`
 	gen_require(`
@ -77,4 +70,3 @@ interface(`hostname_exec',`
 	can_exec($1,hostname_exec_t)
 ')

-## </module>
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@ -1,7 +1,6 @@
-## <module name="hotplug">
 ## <summary>
-##	Policy for hotplug system, for supporting the
-##	connection and disconnection of devices at runtime.
+## Policy for hotplug system, for supporting the
+## connection and disconnection of devices at runtime.
 ## </summary>

 #######################################
@ -78,14 +77,12 @@ interface(`hotplug_dontaudit_search_config',`
 ')

 ########################################
-## <interface name="hotplug_read_config">
-##	<desc>
-##		Read the configuration files for hotplug.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read the configuration files for hotplug.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`hotplug_read_config',`
 	gen_require(`
@ -101,4 +98,3 @@ interface(`hotplug_read_config',`
 	allow $1 hotplug_etc_t:lnk_file r_file_perms;
 ')

-## </module>
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@ -1,4 +1,3 @@
-## <module name="init">
 ## <summary>System initialization programs (init and init scripts).</summary>

 ########################################
@ -260,14 +259,12 @@ interface(`init_exec_script',`
 ')

 ########################################
-## <interface name="init_read_script_process_state">
-##	<desc>
-##		Read the process state (/proc/pid) of the init scripts.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read the process state (/proc/pid) of the init scripts.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`init_read_script_process_state',`
 	gen_require(`
@ -330,14 +327,12 @@ interface(`init_get_script_process_group',`
 ')

 ########################################
-## <interface name="init_rw_script_pipe">
-##	<desc>
-##		Read and write init script unnamed pipes.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read and write init script unnamed pipes.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`init_rw_script_pipe',`
 	gen_require(`
@ -376,14 +371,12 @@ interface(`init_dontaudit_use_script_pty',`
 ')

 ########################################
-## <interface name="init_rw_script_tmp_files">
-##	<desc>
-##		Read and write init script temporary data.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read and write init script temporary data.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`init_rw_script_tmp_files',`
 	gen_require(`
@ -449,4 +442,3 @@ interface(`init_dontaudit_rw_script_pid',`
 	dontaudit $1 initrc_var_run_t:file { getattr read write append };
 ')

-## </module>
--- a/refpolicy/policy/modules/system/iptables.if
+++ b/refpolicy/policy/modules/system/iptables.if
@ -1,15 +1,12 @@
-## <module name="iptables">
 ## <summary>Policy for iptables.</summary>

 ########################################
-## <interface name="iptables_domtrans">
-##	<desc>
-##		Execute iptables in the iptables domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute iptables in the iptables domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`iptables_domtrans',`
 	gen_require(`
@ -29,21 +26,19 @@ interface(`iptables_domtrans',`
 ')

 ########################################
-## <interface name="iptables_run">
-##	<desc>
-##		Execute iptables in the iptables domain, and
-##		allow the specified role the iptables domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to be allowed the iptables domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the iptables domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute iptables in the iptables domain, and
+##	allow the specified role the iptables domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the iptables domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the iptables domain to use.
+## </param>
 #
 interface(`iptables_run',`
 	gen_require(`
@ -57,14 +52,12 @@ interface(`iptables_run',`
 ')

 ########################################
-## <interface name="iptables_exec">
-##	<desc>
-##		Execute iptables in the caller domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute iptables in the caller domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`iptables_exec',`
 	gen_require(`
@ -75,4 +68,3 @@ interface(`iptables_exec',`
 	can_exec($1,iptables_exec_t)
 ')

-## </module>
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@ -1,15 +1,12 @@
-## <module name="libraries">
 ## <summary>Policy for system libraries.</summary>

 ########################################
-## <interface name="libs_domtrans_ldconfig">
-##	<desc>
-##		Execute ldconfig in the ldconfig domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute ldconfig in the ldconfig domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`libs_domtrans_ldconfig',`
 	gen_require(`
@ -29,20 +26,18 @@ interface(`libs_domtrans_ldconfig',`
 ')

 ########################################
-## <interface name="libs_run_ldconfig">
-##	<desc>
-##		Execute ldconfig in the ldconfig domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to allow the ldconfig domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the ldconfig domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute ldconfig in the ldconfig domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to allow the ldconfig domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the ldconfig domain to use.
+## </param>
 #
 interface(`libs_run_ldconfig',`
 	gen_require(`
@ -56,15 +51,13 @@ interface(`libs_run_ldconfig',`
 ')

 ########################################
-## <interface name="libs_use_ld_so">
-##	<desc>
-##		Use the dynamic link/loader for automatic loading
-##		of shared libraries.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Use the dynamic link/loader for automatic loading
+##	of shared libraries.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`libs_use_ld_so',`
 	gen_require(`
@ -83,15 +76,13 @@ interface(`libs_use_ld_so',`
 ')

 ########################################
-## <interface name="libs_legacy_use_ld_so">
-##	<desc>
-##		Use the dynamic link/loader for automatic loading
-##		of shared libraries with legacy support.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Use the dynamic link/loader for automatic loading
+##	of shared libraries with legacy support.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`libs_legacy_use_ld_so',`
 	gen_require(`
@ -105,16 +96,14 @@ interface(`libs_legacy_use_ld_so',`
 ')

 ########################################
-## <interface name="libs_exec_ld_so">
-##	<desc>
-##		Execute the dynamic link/loader in the caller's
-##		domain.  This is commonly needed for the
-##		/usr/bin/ldd program.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute the dynamic link/loader in the caller's
+##	domain.  This is commonly needed for the
+##	/usr/bin/ldd program.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`libs_exec_ld_so',`
 	gen_require(`
@ -130,15 +119,13 @@ interface(`libs_exec_ld_so',`
 ')

 ########################################
-## <interface name="libs_rw_ld_so_cache">
-##	<desc>
-##		Modify the dynamic link/loader's cached listing
-##		of shared libraries.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Modify the dynamic link/loader's cached listing
+##	of shared libraries.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`libs_rw_ld_so_cache',`
 	gen_require(`
@ -151,14 +138,12 @@ interface(`libs_rw_ld_so_cache',`
 ')

 ########################################
-## <interface name="libs_search_lib">
-##	<desc>
-##		Search lib directories.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Search lib directories.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`libs_search_lib',`
 	gen_require(`
@ -170,15 +155,13 @@ interface(`libs_search_lib',`
 ')

 ########################################
-## <interface name="libs_read_lib">
-##	<desc>
-##		Read files in the library directories, such
-##		as static libraries.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read files in the library directories, such
+##	as static libraries.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`libs_read_lib',`
 	gen_require(`
@ -194,14 +177,12 @@ interface(`libs_read_lib',`
 ')

 ########################################
-## <interface name="libs_exec_lib_files">
-##	<desc>
-##		Execute library scripts in the caller domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute library scripts in the caller domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`libs_exec_lib_files',`
 	gen_require(`
@ -217,14 +198,12 @@ interface(`libs_exec_lib_files',`
 ')

 ########################################
-## <interface name="libs_use_shared_libs">
-##	<desc>
-##		Load and execute functions from shared libraries.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Load and execute functions from shared libraries.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`libs_use_shared_libs',`
 	gen_require(`
@ -242,15 +221,13 @@ interface(`libs_use_shared_libs',`
 ')

 ########################################
-## <interface name="libs_legacy_use_shared_libs">
-##	<desc>
-##		Load and execute functions from shared libraries,
-##		with legacy support.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Load and execute functions from shared libraries,
+##	with legacy support.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`libs_legacy_use_shared_libs',`
 	gen_require(`
@ -262,4 +239,3 @@ interface(`libs_legacy_use_shared_libs',`
 	allow $1 { shlib_t texrel_shlib_t }:file execmod;
 ')

-## </module>
--- a/refpolicy/policy/modules/system/locallogin.if
+++ b/refpolicy/policy/modules/system/locallogin.if
@ -1,15 +1,12 @@
-## <module name="locallogin">
 ## <summary>Policy for local logins.</summary>

 ########################################
-## <interface name="locallogin_domtrans">
 ##     <desc>
 ##             Execute local logins in the locallogin domain.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
-## </interface>
 #
 interface(`locallogin_domtrans',`
 	gen_require(`
@ -20,14 +17,12 @@ interface(`locallogin_domtrans',`
 ')

 ########################################
-## <interface name="locallogin_use_fd">
 ##     <desc>
 ##             Allow processes to inherit local login file descriptors
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
-## </interface>
 #
 interface(`locallogin_use_fd',`
 	gen_require(`
@ -38,4 +33,3 @@ interface(`locallogin_use_fd',`
 	allow $1 local_login_t:fd use;
 ')

-## </module>
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@ -1,4 +1,3 @@
-## <module name="logging">
 ## <summary>Policy for the kernel message logger and system logging daemon.</summary>

 #######################################
@ -60,16 +59,14 @@ interface(`logging_send_syslog_msg',`
 ')

 ########################################
-## <interface name="logging_search_logs">
-##	<desc>
-##		Allows the domain to open a file in the
-##		log directory, but does not allow the listing
-##		of the contents of the log directory.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Allows the domain to open a file in the
+##	log directory, but does not allow the listing
+##	of the contents of the log directory.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`logging_search_logs',`
 	gen_require(`
@ -176,4 +173,3 @@ interface(`logging_rw_generic_logs',`
 	allow $1 var_log_t:file rw_file_perms;
 ')

-## </module>
--- a/refpolicy/policy/modules/system/lvm.if
+++ b/refpolicy/policy/modules/system/lvm.if
@ -1,15 +1,12 @@
-## <module name="lvm">
 ## <summary>Policy for logical volume management programs.</summary>

 ########################################
-## <interface name="lvm_domtrans">
-##	<desc>
-##		Execute lvm programs in the lvm domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute lvm programs in the lvm domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`lvm_domtrans',`
 	gen_require(`
@ -29,20 +26,18 @@ interface(`lvm_domtrans',`
 ')

 ########################################
-## <interface name="lvm_run">
-##	<desc>
-##		Execute lvm programs in the lvm domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to allow the LVM domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the LVM domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute lvm programs in the lvm domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to allow the LVM domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the LVM domain to use.
+## </param>
 #
 interface(`lvm_run',`
 	gen_require(`
@ -56,14 +51,12 @@ interface(`lvm_run',`
 ')

 ########################################
-## <interface name="lvm_read_config">
-##	<desc>
-##		Read LVM configuration files.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read LVM configuration files.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`lvm_read_config',`
 	gen_require(`
@ -77,4 +70,3 @@ interface(`lvm_read_config',`
 	allow $1 lvm_etc_t:file r_file_perms;
 ')

-## </module>
--- a/refpolicy/policy/modules/system/metadata.xml
+++ b/refpolicy/policy/modules/system/metadata.xml
@ -1 +0,0 @@
-<layer name="system">
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@ -1,8 +1,6 @@
-## <module name="miscfiles">
 ## <summary>Miscelaneous files.</summary>

 ########################################
-## <interface name="miscfiles_rw_man_cache">
 ##     <desc>
 ##             Allow process to create files and dirs in /var/cache/man
 ##             and /var/catman/
@ -10,7 +8,6 @@
 ##     <param name="domain">
 ##             Type type of the process performing this action.
 ##     </param>
-## </interface>
 #
 interface(`miscfiles_rw_man_cache',`
 	gen_require(`
@ -25,14 +22,12 @@ interface(`miscfiles_rw_man_cache',`
 ')

 ########################################
-## <interface name="miscfiles_read_fonts">
 ##     <desc>
 ##             Allow process to read fonts files
 ##     </desc>
 ##     <param name="domain">
 ##             Type type of the process performing this action.
 ##     </param>
-## </interface>
 #
 interface(`miscfiles_read_fonts',`
 	gen_require(`
@ -50,14 +45,12 @@ interface(`miscfiles_read_fonts',`
 ')

 ########################################
-## <interface name="miscfiles_read_localization">
 ##     <desc>
 ##             Allow process to read localization info
 ##     </desc>
 ##     <param name="domain">
 ##             Type type of the process performing this action.
 ##     </param>
-## </interface>
 #
 interface(`miscfiles_read_localization',`
 	gen_require(`
@ -79,14 +72,12 @@ interface(`miscfiles_read_localization',`
 ')

 ########################################
-## <interface name="miscfiles_legacy_read_localization">
 ##     <desc>
 ##             Allow process to read legacy time localization info
 ##     </desc>
 ##     <param name="domain">
 ##             Type type of the process performing this action.
 ##     </param>
-## </interface>
 #
 interface(`miscfiles_legacy_read_localization',`
 	gen_require(`
@ -99,14 +90,12 @@ interface(`miscfiles_legacy_read_localization',`
 ')

 ########################################
-## <interface name="miscfiles_read_man_pages">
 ##     <desc>
 ##             Allow process to read manpages
 ##     </desc>
 ##     <param name="domain">
 ##             Type type of the process performing this action.
 ##     </param>
-## </interface>
 #
 interface(`miscfiles_read_man_pages',`
 	gen_require(`
@ -122,4 +111,3 @@ interface(`miscfiles_read_man_pages',`
 	allow $1 man_t:lnk_file r_file_perms;
 ')

-## </module>
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@ -1,15 +1,12 @@
-## <module name="modutils">
 ## <summary>Policy for kernel module utilities</summary>

 ########################################
-## <interface name="modutils_read_kernel_module_dependencies">
-##	<desc>
-##		Read the dependencies of kernel modules.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read the dependencies of kernel modules.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`modutils_read_kernel_module_dependencies',`
 	gen_require(`
@ -22,15 +19,13 @@ interface(`modutils_read_kernel_module_dependencies',`
 ')

 ########################################
-## <interface name="modutils_read_module_conf">
-##	<desc>
-##		Read the configuration options used when
-##		loading modules.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read the configuration options used when
+##	loading modules.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`modutils_read_module_conf',`
 	gen_require(`
@ -47,14 +42,12 @@ interface(`modutils_read_module_conf',`
 ')

 ########################################
-## <interface name="modutils_domtrans_insmod">
-##	<desc>
-##		Execute insmod in the insmod domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute insmod in the insmod domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`modutils_domtrans_insmod',`
 	gen_require(`
@ -74,23 +67,21 @@ interface(`modutils_domtrans_insmod',`
 ')

 ########################################
-## <interface name="modutils_run_insmod">
-##	<desc>
-##		Execute insmod in the insmod domain, and
-##		allow the specified role the insmod domain,
-##		and use the caller's terminal.  Has a sigchld
-##		backchannel.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to be allowed the insmod domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the insmod domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute insmod in the insmod domain, and
+##	allow the specified role the insmod domain,
+##	and use the caller's terminal.  Has a sigchld
+##	backchannel.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the insmod domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the insmod domain to use.
+## </param>
 #
 interface(`modutils_run_insmod',`
 	gen_require(`
@ -117,14 +108,12 @@ interface(`modutils_exec_insmod',`
 ')

 ########################################
-## <interface name="modutils_domtrans_depmod">
-##	<desc>
-##		Execute depmod in the depmod domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute depmod in the depmod domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`modutils_domtrans_depmod',`
 	gen_require(`
@ -144,20 +133,18 @@ interface(`modutils_domtrans_depmod',`
 ')

 ########################################
-## <interface name="modutils_run_depmod">
-##	<desc>
-##		Execute depmod in the depmod domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to be allowed the depmod domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the depmod domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute depmod in the depmod domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the depmod domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the depmod domain to use.
+## </param>
 #
 interface(`modutils_run_depmod',`
 	gen_require(`
@ -184,14 +171,12 @@ interface(`modutils_exec_depmod',`
 ')

 ########################################
-## <interface name="modutils_domtrans_update_mods">
-##	<desc>
-##		Execute depmod in the depmod domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute depmod in the depmod domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`modutils_domtrans_update_mods',`
 	gen_require(`
@ -211,20 +196,18 @@ interface(`modutils_domtrans_update_mods',`
 ')

 ########################################
-## <interface name="modutils_run_update_mods">
-##	<desc>
-##		Execute update_modules in the update_modules domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to be allowed the update_modules domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the update_modules domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute update_modules in the update_modules domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the update_modules domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the update_modules domain to use.
+## </param>
 #
 interface(`modutils_run_update_mods',`
 	gen_require(`
@ -250,4 +233,3 @@ interface(`modutils_exec_update_mods',`
 	can_exec($1, update_modules_exec_t)
 ')

-## </module>
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@ -1,15 +1,12 @@
-## <module name="mount">
 ## <summary>Policy for mount.</summary>

 ########################################
-## <interface name="mount_domtrans">
-##	<desc>
-##		Execute mount in the mount domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute mount in the mount domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`mount_domtrans',`
 	gen_require(`
@ -28,22 +25,20 @@ interface(`mount_domtrans',`
 ')

 ########################################
-## <interface name="mount_run">
-##	<desc>
-##		Execute mount in the mount domain, and
-##		allow the specified role the mount domain,
-##		and use the caller's terminal.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to be allowed the mount domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the mount domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute mount in the mount domain, and
+##	allow the specified role the mount domain,
+##	and use the caller's terminal.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the mount domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the mount domain to use.
+## </param>
 #
 interface(`mount_run',`
 	gen_require(`
@ -57,14 +52,12 @@ interface(`mount_run',`
 ')

 ########################################
-## <interface name="mount_use_fd">
 ##     <desc>
 ##             Use file descriptors for mount.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
-## </interface>
 #
 interface(`mount_use_fd',`
 	gen_require(`
@ -76,7 +69,6 @@ interface(`mount_use_fd',`
 ')

 ########################################
-## <interface name="mount_send_nfs_client_request">
 ##     <desc>
 ##             Allow the mount domain to send nfs requests for mounting
 ##             network drives
@ -84,7 +76,6 @@ interface(`mount_use_fd',`
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
-## </interface>
 #
 interface(`mount_send_nfs_client_request',`
 	gen_require(`
@ -95,4 +86,3 @@ interface(`mount_send_nfs_client_request',`
 	allow $1 mount_t:udp_socket rw_socket_perms;
 ')

-## </module>
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@ -1,15 +1,12 @@
-## <module name="selinuxutil">
 ## <summary>Policy for SELinux policy and userland applications.</summary>

 #######################################
-## <interface name="seutil_domtrans_checkpol">
-##	<desc>
-##		Execute checkpolicy in the checkpolicy domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute checkpolicy in the checkpolicy domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`seutil_domtrans_checkpol',`
 	gen_require(`
@ -30,23 +27,21 @@ interface(`seutil_domtrans_checkpol',`
 ')

 ########################################
-## <interface name="seutil_run_checkpol">
-##	<desc>
-##		Execute checkpolicy in the checkpolicy domain, and
-##		allow the specified role the checkpolicy domain,
-##		and use the caller's terminal.
-##		Has a SIGCHLD signal backchannel.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to be allowed the checkpolicy domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the checkpolicy domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute checkpolicy in the checkpolicy domain, and
+##	allow the specified role the checkpolicy domain,
+##	and use the caller's terminal.
+##	Has a SIGCHLD signal backchannel.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the checkpolicy domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the checkpolicy domain to use.
+## </param>
 #
 interface(`seutil_run_checkpol',`
 	gen_require(`
@ -74,14 +69,12 @@ interface(`seutil_exec_checkpol',`
 ')

 #######################################
-## <interface name="seutil_domtrans_loadpol">
-##	<desc>
-##		Execute load_policy in the load_policy domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute load_policy in the load_policy domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`seutil_domtrans_loadpol',`
 	gen_require(`
@ -101,23 +94,21 @@ interface(`seutil_domtrans_loadpol',`
 ')

 ########################################
-## <interface name="seutil_run_loadpol">
-##	<desc>
-##		Execute load_policy in the load_policy domain, and
-##		allow the specified role the load_policy domain,
-##		and use the caller's terminal.
-##		Has a SIGCHLD signal backchannel.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to be allowed the load_policy domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the load_policy domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute load_policy in the load_policy domain, and
+##	allow the specified role the load_policy domain,
+##	and use the caller's terminal.
+##	Has a SIGCHLD signal backchannel.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the load_policy domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the load_policy domain to use.
+## </param>
 #
 interface(`seutil_run_loadpol',`
 	gen_require(`
@ -158,14 +149,12 @@ interface(`seutil_read_loadpol',`
 ')

 #######################################
-## <interface name="seutil_domtrans_newrole">
-##	<desc>
-##		Execute newrole in the load_policy domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute newrole in the load_policy domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`seutil_domtrans_newrole',`
 	gen_require(`
@ -186,22 +175,20 @@ interface(`seutil_domtrans_newrole',`
 ')

 ########################################
-## <interface name="seutil_run_newrole">
-##	<desc>
-##		Execute newrole in the newrole domain, and
-##		allow the specified role the newrole domain,
-##		and use the caller's terminal.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to be allowed the newrole domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the newrole domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute newrole in the newrole domain, and
+##	allow the specified role the newrole domain,
+##	and use the caller's terminal.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the newrole domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the newrole domain to use.
+## </param>
 #
 interface(`seutil_run_newrole',`
 	gen_require(`
@ -229,15 +216,13 @@ interface(`seutil_exec_newrole',`
 ')

 ########################################
-## <interface name="seutil_dontaudit_newrole_signal">
-##	<desc>
-##		Do not audit the caller attempts to send
-##		a signal to newrole.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit the caller attempts to send
+##	a signal to newrole.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`seutil_dontaudit_newrole_signal',`
 	gen_require(`
@ -275,14 +260,12 @@ interface(`seutil_use_newrole_fd',`
 ')

 #######################################
-## <interface name="seutil_domtrans_restorecon">
-##	<desc>
-##		Execute restorecon in the restorecon domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute restorecon in the restorecon domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`seutil_domtrans_restorecon',`
 	gen_require(`
@ -302,22 +285,20 @@ interface(`seutil_domtrans_restorecon',`
 ')

 ########################################
-## <interface name="seutil_run_restorecon">
-##	<desc>
-##		Execute restorecon in the restorecon domain, and
-##		allow the specified role the restorecon domain,
-##		and use the caller's terminal.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to be allowed the restorecon domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the restorecon domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute restorecon in the restorecon domain, and
+##	allow the specified role the restorecon domain,
+##	and use the caller's terminal.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the restorecon domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the restorecon domain to use.
+## </param>
 #
 interface(`seutil_run_restorecon',`
 	gen_require(`
@ -344,14 +325,12 @@ interface(`seutil_exec_restorecon',`
 ')

 ########################################
-## <interface name="seutil_domtrans_runinit">
-##	<desc>
-##		Execute run_init in the run_init domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute run_init in the run_init domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`seutil_domtrans_runinit',`
 	gen_require(`
@ -372,22 +351,20 @@ interface(`seutil_domtrans_runinit',`
 ')

 ########################################
-## <interface name="seutil_run_runinit">
-##	<desc>
-##		Execute run_init in the run_init domain, and
-##		allow the specified role the run_init domain,
-##		and use the caller's terminal.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to be allowed the run_init domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the run_init domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute run_init in the run_init domain, and
+##	allow the specified role the run_init domain,
+##	and use the caller's terminal.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the run_init domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the run_init domain to use.
+## </param>
 #
 interface(`seutil_run_runinit',`
 	gen_require(`
@ -414,14 +391,12 @@ interface(`seutil_use_runinit_fd',`
 ')

 ########################################
-## <interface name="seutil_domtrans_setfiles">
-##	<desc>
-##		Execute setfiles in the setfiles domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute setfiles in the setfiles domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`seutil_domtrans_setfiles',`
 	gen_require(`
@ -442,22 +417,20 @@ interface(`seutil_domtrans_setfiles',`
 ')

 ########################################
-## <interface name="seutil_run_setfiles">
-##	<desc>
-##		Execute setfiles in the setfiles domain, and
-##		allow the specified role the setfiles domain,
-##		and use the caller's terminal.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to be allowed the setfiles domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the setfiles domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute setfiles in the setfiles domain, and
+##	allow the specified role the setfiles domain,
+##	and use the caller's terminal.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the setfiles domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the setfiles domain to use.
+## </param>
 #
 interface(`seutil_run_setfiles',`
 	gen_require(`
@ -571,14 +544,12 @@ interface(`seutil_create_binary_pol',`
 ')

 ########################################
-## <interface name="seutil_relabelto_binary_pol">
-##	<desc>
-##		Allow the caller to relabel a file to the binary policy type.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Allow the caller to relabel a file to the binary policy type.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`seutil_relabelto_binary_pol',`
 	gen_require(`
@ -644,4 +615,3 @@ interface(`seutil_manage_src_pol',`
 	allow $1 policy_src_t:file create_file_perms;
 ')

-## </module>
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@ -1,15 +1,12 @@
-## <module name="sysnetwork">
 ## <summary>Policy for network configuration: ifconfig and dhcp client.</summary>

 #######################################
-## <interface name="sysnet_domtrans_dhcpc">
 ##     <desc>
 ##             Execute dhcp client in dhcpc domain.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
-## </interface>
 #
 interface(`sysnet_domtrans_dhcpc',`
 	gen_require(`
@ -29,14 +26,12 @@ interface(`sysnet_domtrans_dhcpc',`
 ')

 #######################################
-## <interface name="sysnet_domtrans_ifconfig">
-##	<desc>
-##		Execute ifconfig in the ifconfig domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute ifconfig in the ifconfig domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`sysnet_domtrans_ifconfig',`
 	gen_require(`
@ -56,22 +51,20 @@ interface(`sysnet_domtrans_ifconfig',`
 ')

 ########################################
-## <interface name="sysnet_run_ifconfig">
-##	<desc>
-##		Execute ifconfig in the ifconfig domain, and
-##		allow the specified role the ifconfig domain,
-##		and use the caller's terminal.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-##	<param name="role">
-##		The role to be allowed the ifconfig domain.
-##	</param>
-##	<param name="terminal">
-##		The type of the terminal allow the ifconfig domain to use.
-##	</param>
-## </interface>
+## <desc>
+##	Execute ifconfig in the ifconfig domain, and
+##	allow the specified role the ifconfig domain,
+##	and use the caller's terminal.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the ifconfig domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the ifconfig domain to use.
+## </param>
 #
 interface(`sysnet_run_ifconfig',`
 	gen_require(`
@ -86,14 +79,12 @@ interface(`sysnet_run_ifconfig',`
 ')

 #######################################
-## <interface name="sysnet_read_config">
 ##     <desc>
 ##             Allow network init to read network config files.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
-## </interface>
 #
 interface(`sysnet_read_config',`
 	gen_require(`
@ -105,4 +96,3 @@ interface(`sysnet_read_config',`
 	allow $1 net_conf_t:file r_file_perms;
 ')

-## </module>
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@ -1,15 +1,12 @@
-## <module name="udev">
 ## <summary>Policy for udev.</summary>

 ########################################
-## <interface name="udev_domtrans">
 ##     <desc>
 ##             Execute udev in the udev domain.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
-## </interface>
 #
 interface(`udev_domtrans',`
 	gen_require(`
@ -28,14 +25,12 @@ interface(`udev_domtrans',`
 ')

 ########################################
-## <interface name="udev_read_db">
 ##     <desc>
 ##             Allow process to read list of devices.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
-## </interface>
 #
 interface(`udev_read_db',`
 	gen_require(`
@ -48,14 +43,12 @@ interface(`udev_read_db',`
 ')

 ########################################
-## <interface name="udev_rw_db">
 ##     <desc>
 ##             Allow process to modify list of devices.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
-## </interface>
 #
 interface(`udev_rw_db',`
 	gen_require(`
@ -67,4 +60,3 @@ interface(`udev_rw_db',`
 	allow $1 udev_tdb_t:file rw_file_perms;
 ')

-## </module>
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -1,4 +1,3 @@
-## <module name="userdomain">
 ## <summary>Policy for user domains</summary>

 ########################################
@ -809,16 +808,14 @@ template(`admin_domain_template',`
 ')

 ########################################
-## <interface name="userdom_spec_domtrans_all_users">
-##	<desc>
-##		Execute a shell in all user domains.  This
-##		is an explicit transition, requiring the
-##		caller to use setexeccon().
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute a shell in all user domains.  This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`userdom_spec_domtrans_all_users',`
 	gen_require(`
@ -829,16 +826,14 @@ interface(`userdom_spec_domtrans_all_users',`
 ')

 ########################################
-## <interface name="userdom_spec_domtrans_unpriv_users">
-##	<desc>
-##		Execute a shell in all unprivileged user domains.  This
-##		is an explicit transition, requiring the
-##		caller to use setexeccon().
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute a shell in all unprivileged user domains.  This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`userdom_spec_domtrans_unpriv_users',`
 	gen_require(`
@ -849,14 +844,12 @@ interface(`userdom_spec_domtrans_unpriv_users',`
 ')

 ########################################
-## <interface name="userdom_shell_domtrans_sysadm">
-##	<desc>
-##		Execute a shell in the sysadm domain.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Execute a shell in the sysadm domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`userdom_shell_domtrans_sysadm',`
 	gen_require(`
@ -867,14 +860,12 @@ interface(`userdom_shell_domtrans_sysadm',`
 ')

 ########################################
-## <interface name="userdom_use_sysadm_tty">
-##	<desc>
-##		Read and write sysadm ttys.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read and write sysadm ttys.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`userdom_use_sysadm_tty',`
 	gen_require(`
@ -888,14 +879,12 @@ interface(`userdom_use_sysadm_tty',`
 ')

 ########################################
-## <interface name="userdom_use_sysadm_terms">
-##	<desc>
-##		Read and write sysadm ttys and ptys.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read and write sysadm ttys and ptys.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`userdom_use_sysadm_terms',`
 	gen_require(`
@ -909,14 +898,12 @@ interface(`userdom_use_sysadm_terms',`
 ')

 ########################################
-## <interface name="userdom_dontaudit_use_sysadm_terms">
-##	<desc>
-##		Do not audit attempts to use admin ttys and ptys.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attempts to use admin ttys and ptys.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`userdom_dontaudit_use_sysadm_terms',`
 	gen_require(`
@ -928,14 +915,12 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
 ')

 ########################################
-## <interface name="userdom_search_all_users_home">
-##	<desc>
-##		Search all users home directories.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Search all users home directories.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`userdom_search_all_users_home',`
 	gen_require(`
@ -948,14 +933,12 @@ interface(`userdom_search_all_users_home',`
 ')

 ########################################
-## <interface name="userdom_read_all_user_data">
-##	<desc>
-##		Read all files in all users home directories.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Read all files in all users home directories.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`userdom_read_all_user_data',`
 	gen_require(`
@ -970,14 +953,12 @@ interface(`userdom_read_all_user_data',`
 ')

 ########################################
-## <interface name="userdom_use_all_user_fd">
-##	<desc>
-##		Inherit the file descriptors from all user domains
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Inherit the file descriptors from all user domains
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`userdom_use_all_user_fd',`
 	gen_require(`
@ -989,14 +970,12 @@ interface(`userdom_use_all_user_fd',`
 ')

 ########################################
-## <interface name="userdom_signal_all_users">
-##	<desc>
-##		Send general signals to all user domains.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Send general signals to all user domains.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`userdom_signal_all_users',`
 	gen_require(`
@ -1008,14 +987,12 @@ interface(`userdom_signal_all_users',`
 ')

 ########################################
-## <interface name="userdom_signal_unpriv_users">
-##	<desc>
-##		Send general signals to unprivileged user domains.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Send general signals to unprivileged user domains.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`userdom_signal_unpriv_users',`
 	gen_require(`
@ -1027,14 +1004,12 @@ interface(`userdom_signal_unpriv_users',`
 ')

 ########################################
-## <interface name="userdom_use_unpriv_users_fd">
-##	<desc>
-##		Inherit the file descriptors from all user domains.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Inherit the file descriptors from all user domains.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`userdom_use_unpriv_users_fd',`
 	gen_require(`
@ -1046,15 +1021,13 @@ interface(`userdom_use_unpriv_users_fd',`
 ')

 ########################################
-## <interface name="userdom_dontaudit_use_unpriv_user_fd">
-##	<desc>
-##		Do not audit attempts to inherit the
-##		file descriptors from all user domains.
-##	</desc>
-##	<param name="domain">
-##		The type of the process performing this action.
-##	</param>
-## </interface>
+## <desc>
+##	Do not audit attempts to inherit the
+##	file descriptors from all user domains.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`userdom_dontaudit_use_unpriv_user_fd',`
 	gen_require(`
@ -1065,4 +1038,3 @@ interface(`userdom_dontaudit_use_unpriv_user_fd',`
 	dontaudit $1 unpriv_userdomain:fd use;
 ')

-## </module>