update for new documentation method

2005-06-23 21:30:57 +00:00 · 2005-06-23 21:30:57 +00:00 · 414e415198
commit 414e415198
parent aad5b98eba
43 changed files with 3326 additions and 4377 deletions
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@ -274,7 +274,6 @@ $(MODDIR)/kernel/corenetwork.if: $(MODDIR)/kernel/corenetwork.if.m4 $(MODDIR)/ke
 	$(QUIET) egrep "^[[:blank:]]*network_(interface|node|port)\(.*\)" $(@:.if=.te).in \
 		| m4 $(M4PARAM) $(M4SUPPORT) $(MODDIR)/kernel/corenetwork.if.m4 - \
 		| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
 	$(QUIET) echo "## </module>" >> $@
 $(MODDIR)/kernel/corenetwork.te: $(MODDIR)/kernel/corenetwork.te.m4 $(MODDIR)/kernel/corenetwork.te.in
 	@echo "#" > $@
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ b/refpolicy/policy/modules/admin/dmesg.if
@ -1,15 +1,12 @@
 ## <module name="dmesg">
 ## <summary>Policy for dmesg.</summary>
 ########################################
 ## <interface name="dmesg_domtrans">
 ## <desc>
 ##	Execute dmesg in the dmesg domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`dmesg_domtrans',`
 	gen_require(`
@ -29,14 +26,12 @@ interface(`dmesg_domtrans',`
 ')
 ########################################
 ## <interface name="dmesg_exec">
 ## <desc>
 ##	Execute dmesg in the caller domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`dmesg_exec',`
 	gen_require(`
@ -47,4 +42,3 @@ interface(`dmesg_exec',`
 	can_exec($1,dmesg_exec_t)
 ')
 ## </module>
--- a/refpolicy/policy/modules/admin/metadata.xml
+++ b/refpolicy/policy/modules/admin/metadata.xml
@ -1 +0,0 @@
 <layer name="admin">
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@ -1,15 +1,12 @@
 ## <module name="rpm">
 ## <summary>Policy for the RPM package manager.</summary>
 ########################################
 ## <interface name="rpm_domtrans">
 ## <desc>
 ##	Execute rpm programs in the rpm domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`rpm_domtrans',`
 	gen_require(`
@ -30,7 +27,6 @@ interface(`rpm_domtrans',`
 ')
 ########################################
 ## <interface name="rpm_run">
 ## <desc>
 ##	Execute RPM programs in the RPM domain.
 ## </desc>
@ -43,7 +39,6 @@ interface(`rpm_domtrans',`
 ## <param name="terminal">
 ##	The type of the terminal allow the RPM domain to use.
 ## </param>
 ## </interface>
 #
 interface(`rpm_run',`
 	gen_require(`
@ -58,14 +53,12 @@ interface(`rpm_run',`
 ')
 ########################################
 ## <interface name="rpm_use_fd">
 ## <desc>
 ##	Inherit and use file descriptors from RPM.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`rpm_use_fd',`
 	gen_require(`
@ -77,14 +70,12 @@ interface(`rpm_use_fd',`
 ')
 ########################################
 ## <interface name="rpm_read_pipe">
 ## <desc>
 ##	Read from a RPM pipe.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`rpm_read_pipe',`
 	gen_require(`
@ -96,14 +87,12 @@ interface(`rpm_read_pipe',`
 ')
 ########################################
 ## <interface name="rpm_read_db">
 ## <desc>
 ##	Read RPM package database.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`rpm_read_db',`
 	gen_require(`
@ -135,4 +124,3 @@ interface(`rpm_manage_db',`
 	allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
 ')
 ## </module>
--- a/refpolicy/policy/modules/admin/usermanage.if
+++ b/refpolicy/policy/modules/admin/usermanage.if
@ -1,15 +1,12 @@
 ## <module name="usermanage">
 ## <summary>Policy for managing user accounts.</summary>
 ########################################
 ## <interface name="usermanage_domtrans_chfn">
 ## <desc>
 ##	Execute chfn in the chfn domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`usermanage_domtrans_chfn',`
 	gen_require(`
@ -30,7 +27,6 @@ interface(`usermanage_domtrans_chfn',`
 ')
 ########################################
 ## <interface name="usermanage_run_chfn">
 ## <desc>
 ##	Execute chfn in the chfn domain, and
 ##	allow the specified role the chfn domain.
@ -44,7 +40,6 @@ interface(`usermanage_domtrans_chfn',`
 ## <param name="terminal">
 ##	The type of the terminal allow the chfn domain to use.
 ## </param>
 ## </interface>
 #
 interface(`usermanage_run_chfn',`
 	gen_require(`
@ -58,14 +53,12 @@ interface(`usermanage_run_chfn',`
 ')
 ########################################
 ## <interface name="usermanage_domtrans_groupadd">
 ## <desc>
 ##	Execute groupadd in the groupadd domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`usermanage_domtrans_groupadd',`
 	gen_require(`
@ -86,7 +79,6 @@ interface(`usermanage_domtrans_groupadd',`
 ')
 ########################################
 ## <interface name="usermanage_run_groupadd">
 ## <desc>
 ##	Execute groupadd in the groupadd domain, and
 ##	allow the specified role the groupadd domain.
@ -100,7 +92,6 @@ interface(`usermanage_domtrans_groupadd',`
 ## <param name="terminal">
 ##	The type of the terminal allow the groupadd domain to use.
 ## </param>
 ## </interface>
 #
 interface(`usermanage_run_groupadd',`
 	gen_require(`
@ -114,14 +105,12 @@ interface(`usermanage_run_groupadd',`
 ')
 ########################################
 ## <interface name="usermanage_domtrans_passwd">
 ## <desc>
 ##	Execute passwd in the passwd domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`usermanage_domtrans_passwd',`
 	gen_require(`
@ -142,7 +131,6 @@ interface(`usermanage_domtrans_passwd',`
 ')
 ########################################
 ## <interface name="usermanage_run_passwd">
 ## <desc>
 ##	Execute passwd in the passwd domain, and
 ##	allow the specified role the passwd domain.
@ -156,7 +144,6 @@ interface(`usermanage_domtrans_passwd',`
 ## <param name="terminal">
 ##	The type of the terminal allow the passwd domain to use.
 ## </param>
 ## </interface>
 #
 interface(`usermanage_run_passwd',`
 	gen_require(`
@ -170,14 +157,12 @@ interface(`usermanage_run_passwd',`
 ')
 ########################################
 ## <interface name="usermanage_domtrans_useradd">
 ## <desc>
 ##	Execute useradd in the useradd domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`usermanage_domtrans_useradd',`
 	gen_require(`
@ -198,7 +183,6 @@ interface(`usermanage_domtrans_useradd',`
 ')
 ########################################
 ## <interface name="usermanage_run_useradd">
 ## <desc>
 ##	Execute useradd in the useradd domain, and
 ##	allow the specified role the useradd domain.
@ -212,7 +196,6 @@ interface(`usermanage_domtrans_useradd',`
 ## <param name="terminal">
 ##	The type of the terminal allow the useradd domain to use.
 ## </param>
 ## </interface>
 #
 interface(`usermanage_run_useradd',`
 	gen_require(`
@ -225,4 +208,3 @@ interface(`usermanage_run_useradd',`
 	allow useradd_t $3:chr_file rw_term_perms;
 ')
 ## </module>
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@ -1,8 +1,6 @@
 ## <module name="gpg">
 ## <summary>Policy for GNU Privacy Guard and related programs.</summary>
 #######################################
 ## <template name="gpg_per_userdomain_template">
 ## <summary>
 ##	The per-userdomain template for the gpg module.
 ## </summary>
@ -368,6 +366,4 @@ template(`gpg_per_userdomain_template',`
 	') dnl end TODO
 ')
 ## </template>
 ## </module>
--- a/refpolicy/policy/modules/apps/metadata.xml
+++ b/refpolicy/policy/modules/apps/metadata.xml
@ -1 +0,0 @@
 <layer name="apps">
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@ -1,15 +1,12 @@
 ## <module name="bootloader">
 ## <summary>Policy for the kernel modules, kernel image, and bootloader.</summary>
 ########################################
 ## <interface name="bootloader_domtrans">
 ## <desc>
 ##	Execute bootloader in the bootloader domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`bootloader_domtrans',`
 	gen_require(`
@ -28,7 +25,6 @@ interface(`bootloader_domtrans',`
 ')
 ########################################
 ## <interface name="bootloader_run">
 ## <desc>
 ##	Execute bootloader interactively and do
 ##	a domain transition to the bootloader domain.
@ -42,7 +38,6 @@ interface(`bootloader_domtrans',`
 ## <param name="terminal">
 ##	The type of the terminal allow the bootloader domain to use.
 ## </param>
 ## </interface>
 #
 interface(`bootloader_run',`
 	gen_require(`
@ -57,14 +52,12 @@ interface(`bootloader_run',`
 ')
 ########################################
 ## <interface name="bootloader_search_boot_dir">
 ## <desc>
 ##	Search the /boot directory.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`bootloader_search_boot_dir',`
 	gen_require(`
@ -76,14 +69,12 @@ interface(`bootloader_search_boot_dir',`
 ')
 ########################################
 ## <interface name="bootloader_dontaudit_search_boot">
 ## <desc>
 ##	Do not audit attempts to search the /boot directory.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`bootloader_dontaudit_search_boot',`
 	gen_require(`
@ -95,7 +86,6 @@ interface(`bootloader_dontaudit_search_boot',`
 ')
 ########################################
 ## <interface name="bootloader_rw_boot_symlinks">
 ## <desc>
 ##	Read and write symbolic links
 ##	in the /boot directory.
@ -103,7 +93,6 @@ interface(`bootloader_dontaudit_search_boot',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`bootloader_rw_boot_symlinks',`
 	gen_require(`
@ -117,14 +106,12 @@ interface(`bootloader_rw_boot_symlinks',`
 ')
 ########################################
 ## <interface name="bootloader_create_kernel">
 ## <desc>
 ##	Install a kernel into the /boot directory.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`bootloader_create_kernel',`
 	gen_require(`
@ -140,14 +127,12 @@ interface(`bootloader_create_kernel',`
 ')
 ########################################
 ## <interface name="bootloader_create_kernel_symbol_table">
 ## <desc>
 ##	Install a system.map into the /boot directory.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`bootloader_create_kernel_symbol_table',`
 	gen_require(`
@ -161,14 +146,12 @@ interface(`bootloader_create_kernel_symbol_table',`
 ')
 ########################################
 ## <interface name="bootloader_read_kernel_symbol_table">
 ## <desc>
 ##	Read system.map in the /boot directory.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`bootloader_read_kernel_symbol_table',`
 	gen_require(`
@ -182,14 +165,12 @@ interface(`bootloader_read_kernel_symbol_table',`
 ')
 ########################################
 ## <interface name="bootloader_delete_kernel">
 ## <desc>
 ##	Delete a kernel from /boot.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`bootloader_delete_kernel',`
 	gen_require(`
@ -203,14 +184,12 @@ interface(`bootloader_delete_kernel',`
 ')
 ########################################
 ## <interface name="bootloader_delete_kernel_symbol_table">
 ## <desc>
 ##	Delete a system.map in the /boot directory.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`bootloader_delete_kernel_symbol_table',`
 	gen_require(`
@ -224,14 +203,12 @@ interface(`bootloader_delete_kernel_symbol_table',`
 ')
 ########################################
 ## <interface name="bootloader_read_config">
 ## <desc>
 ##	Read the bootloader configuration file.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`bootloader_read_config',`
 	gen_require(`
@ -243,7 +220,6 @@ interface(`bootloader_read_config',`
 ')
 ########################################
 ## <interface name="bootloader_rw_config">
 ## <desc>
 ##	Read and write the bootloader
 ##	configuration file.
@ -251,7 +227,6 @@ interface(`bootloader_read_config',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`bootloader_rw_config',`
 	gen_require(`
@ -263,7 +238,6 @@ interface(`bootloader_rw_config',`
 ')
 ########################################
 ## <interface name="bootloader_rw_tmp_file">
 ## <desc>
 ##	Read and write the bootloader
 ##	temporary data in /tmp.
@ -271,7 +245,6 @@ interface(`bootloader_rw_config',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`bootloader_rw_tmp_file',`
 	gen_require(`
@ -284,7 +257,6 @@ interface(`bootloader_rw_tmp_file',`
 ')
 ########################################
 ## <interface name="bootloader_create_runtime_file">
 ## <desc>
 ##	Read and write the bootloader
 ##	temporary data in /tmp.
@ -292,7 +264,6 @@ interface(`bootloader_rw_tmp_file',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`bootloader_create_runtime_file',`
 	gen_require(`
@ -307,14 +278,12 @@ interface(`bootloader_create_runtime_file',`
 ')
 ########################################
 ## <interface name="bootloader_list_kernel_modules">
 ## <desc>
 ##	List the contents of the kernel module directories.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`bootloader_list_kernel_modules',`
 	gen_require(`
@ -326,14 +295,12 @@ interface(`bootloader_list_kernel_modules',`
 ')
 ########################################
 ## <interface name="bootloader_read_kernel_modules">
 ## <desc>
 ##	Read kernel module files.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`bootloader_read_kernel_modules',`
 	gen_require(`
@ -349,14 +316,12 @@ interface(`bootloader_read_kernel_modules',`
 ')
 ########################################
 ## <interface name="bootloader_write_kernel_modules">
 ## <desc>
 ##	Write kernel module files.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`bootloader_write_kernel_modules',`
 	gen_require(`
@ -373,7 +338,6 @@ interface(`bootloader_write_kernel_modules',`
 ')
 ########################################
 ## <interface name="bootloader_manage_kernel_modules">
 ## <desc>
 ##	Create, read, write, and delete
 ##	kernel module files.
@ -381,7 +345,6 @@ interface(`bootloader_write_kernel_modules',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`bootloader_manage_kernel_modules',`
 	gen_require(`
@ -417,4 +380,3 @@ interface(`bootloader_create_private_module_dir_entry',`
 	')
 ')
 ## </module>
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@ -1,8 +1,6 @@
 ## <module name="corenetwork">
 ## <summary>Policy controlling access to network objects</summary>
 ########################################
 ## <interface name="corenet_tcp_sendrecv_generic_if">
 ## <desc>
 ##	Send and receive TCP network traffic on the general interfaces.
 ## </desc>
@ -10,7 +8,6 @@
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="both" weight="10"/>
 ## </interface>
 #
 interface(`corenet_tcp_sendrecv_generic_if',`
 	gen_require(`
--- a/refpolicy/policy/modules/kernel/corenetwork.if.m4
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.m4
@ -6,7 +6,6 @@
 define(`create_netif_interfaces',``
 ########################################
 ## <interface name="corenet_tcp_sendrecv_$1">
 ## <desc>
 ##	Send and receive TCP network traffic on the $1 interface.
 ## </desc>
@ -14,7 +13,6 @@ define(`create_netif_interfaces',``
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="both" weight="10"/>
 ## </interface>
 #
 interface(`corenet_tcp_sendrecv_$1',`
 	gen_require(`
@ -26,7 +24,6 @@ interface(`corenet_tcp_sendrecv_$1',`
 ')
 ########################################
 ## <interface name="corenet_udp_send_$1">
 ## <desc>
 ##	Send UDP network traffic on the $1 interface.
 ## </desc>
@ -34,7 +31,6 @@ interface(`corenet_tcp_sendrecv_$1',`
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="write" weight="10"/>
 ## </interface>
 #
 interface(`corenet_udp_send_$1',`
 	gen_require(`
@ -46,7 +42,6 @@ interface(`corenet_udp_send_$1',`
 ')
 ########################################
 ## <interface name="corenet_udp_receive_$1">
 ## <desc>
 ##	Receive UDP network traffic on the $1 interface.
 ## </desc>
@ -54,7 +49,6 @@ interface(`corenet_udp_send_$1',`
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="read" weight="10"/>
 ## </interface>
 #
 interface(`corenet_udp_receive_$1',`
 	gen_require(`
@ -66,7 +60,6 @@ interface(`corenet_udp_receive_$1',`
 ')
 ########################################
 ## <interface name="corenetwork_sendrecv_udp_on_$1_interface">
 ## <desc>
 ##	Send and receive UDP network traffic on the $1 interface.
 ## </desc>
@ -74,7 +67,6 @@ interface(`corenet_udp_receive_$1',`
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="both" weight="10"/>
 ## </interface>
 #
 interface(`corenet_udp_sendrecv_$1',`
 	corenet_udp_send_$1(dollarsone)
@ -82,7 +74,6 @@ interface(`corenet_udp_sendrecv_$1',`
 ')
 ########################################
 ## <interface name="corenet_raw_send_$1">
 ## <desc>
 ##	Send raw IP packets on the $1 interface.
 ## </desc>
@ -90,7 +81,6 @@ interface(`corenet_udp_sendrecv_$1',`
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="write" weight="10"/>
 ## </interface>
 #
 interface(`corenet_raw_send_$1',`
 	gen_require(`
@ -104,7 +94,6 @@ interface(`corenet_raw_send_$1',`
 ')
 ########################################
 ## <interface name="corenet_raw_receive_$1">
 ## <desc>
 ##	Receive raw IP packets on the $1 interface.
 ## </desc>
@ -112,7 +101,6 @@ interface(`corenet_raw_send_$1',`
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="read" weight="10"/>
 ## </interface>
 #
 interface(`corenet_raw_receive_$1',`
 	gen_require(`
@ -124,7 +112,6 @@ interface(`corenet_raw_receive_$1',`
 ')
 ########################################
 ## <interface name="corenet_raw_sendrecv_$1">
 ## <desc>
 ##	Send and receive raw IP packets on the $1 interface.
 ## </desc>
@ -132,7 +119,6 @@ interface(`corenet_raw_receive_$1',`
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="both" weight="10"/>
 ## </interface>
 #
 interface(`corenet_raw_sendrecv_$1',`
 	corenet_raw_send_$1(dollarsone)
@ -148,7 +134,6 @@ interface(`corenet_raw_sendrecv_$1',`
 define(`create_node_interfaces',``
 ########################################
 ## <interface name="corenet_tcp_sendrecv_$1_node">
 ## <desc>
 ##	Send and receive TCP traffic on the $1 node.
 ## </desc>
@ -156,7 +141,6 @@ define(`create_node_interfaces',``
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="both" weight="10"/>
 ## </interface>
 #
 interface(`corenet_tcp_sendrecv_$1_node',`
 	gen_require(`
@ -168,7 +152,6 @@ interface(`corenet_tcp_sendrecv_$1_node',`
 ')
 ########################################
 ## <interface name="corenet_udp_send_$1_node">
 ## <desc>
 ##	Send UDP traffic on the $1 node.
 ## </desc>
@ -176,7 +159,6 @@ interface(`corenet_tcp_sendrecv_$1_node',`
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="write" weight="10"/>
 ## </interface>
 #
 interface(`corenet_udp_send_$1_node',`
 	gen_require(`
@ -188,7 +170,6 @@ interface(`corenet_udp_send_$1_node',`
 ')
 ########################################
 ## <interface name="corenet_udp_receive_$1_node">
 ## <desc>
 ##	Receive UDP traffic on the $1 node.
 ## </desc>
@ -196,7 +177,6 @@ interface(`corenet_udp_send_$1_node',`
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="read" weight="10"/>
 ## </interface>
 #
 interface(`corenet_udp_receive_$1_node',`
 	gen_require(`
@ -208,7 +188,6 @@ interface(`corenet_udp_receive_$1_node',`
 ')
 ########################################
 ## <interface name="corenet_udp_sendrecv_$1_node">
 ## <desc>
 ##	Send and receive UDP traffic on the $1 node.
 ## </desc>
@ -216,7 +195,6 @@ interface(`corenet_udp_receive_$1_node',`
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="both" weight="10"/>
 ## </interface>
 #
 interface(`corenet_udp_sendrecv_$1_node',`
 	corenet_udp_send_$1_node(dollarsone)
@ -224,7 +202,6 @@ interface(`corenet_udp_sendrecv_$1_node',`
 ')
 ########################################
 ## <interface name="corenet_raw_send_$1_node">
 ## <desc>
 ##	Send raw IP packets on the $1 node.
 ## </desc>
@ -232,7 +209,6 @@ interface(`corenet_udp_sendrecv_$1_node',`
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="write" weight="10"/>
 ## </interface>
 #
 interface(`corenet_raw_send_$1_node',`
 	gen_require(`
@ -244,7 +220,6 @@ interface(`corenet_raw_send_$1_node',`
 ')
 ########################################
 ## <interface name="corenet_raw_receive_$1_node">
 ## <desc>
 ##	Receive raw IP packets on the $1 node.
 ## </desc>
@ -252,7 +227,6 @@ interface(`corenet_raw_send_$1_node',`
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="write" weight="10"/>
 ## </interface>
 #
 interface(`corenet_raw_receive_$1_node',`
 	gen_require(`
@ -264,7 +238,6 @@ interface(`corenet_raw_receive_$1_node',`
 ')
 ########################################
 ## <interface name="corenet_raw_sendrecv_$1_node">
 ## <desc>
 ##	Send and receive raw IP packets on the $1 node.
 ## </desc>
@ -272,7 +245,6 @@ interface(`corenet_raw_receive_$1_node',`
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="both" weight="10"/>
 ## </interface>
 #
 interface(`corenet_raw_sendrecv_$1_node',`
 	corenet_raw_send_$1_node(dollarsone)
@ -280,7 +252,6 @@ interface(`corenet_raw_sendrecv_$1_node',`
 ')
 ########################################
 ## <interface name="corenet_tcp_bind_$1_node">
 ## <desc>
 ##	Bind TCP sockets to node $1.
 ## </desc>
@ -288,7 +259,6 @@ interface(`corenet_raw_sendrecv_$1_node',`
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="none"/>
 ## </interface>
 #
 interface(`corenet_tcp_bind_$1_node',`
 	gen_require(`
@ -300,7 +270,6 @@ interface(`corenet_tcp_bind_$1_node',`
 ')
 ########################################
 ## <interface name="corenet_udp_bind_$1_node">
 ## <desc>
 ##	Bind UDP sockets to the $1 node.
 ## </desc>
@ -308,7 +277,6 @@ interface(`corenet_tcp_bind_$1_node',`
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="none"/>
 ## </interface>
 #
 interface(`corenet_udp_bind_$1_node',`
 	gen_require(`
@ -328,7 +296,6 @@ interface(`corenet_udp_bind_$1_node',`
 define(`create_port_interfaces',``
 ########################################
 ## <interface name="corenet_tcp_sendrecv_$1_port">
 ## <desc>
 ##	Send and receive TCP traffic on the $1 port.
 ## </desc>
@ -336,7 +303,6 @@ define(`create_port_interfaces',``
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="both" weight="10"/>
 ## </interface>
 #
 interface(`corenet_tcp_sendrecv_$1_port',`
 	gen_require(`
@ -348,7 +314,6 @@ interface(`corenet_tcp_sendrecv_$1_port',`
 ')
 ########################################
 ## <interface name="corenet_udp_send_$1_port">
 ## <desc>
 ##	Send UDP traffic on the $1 port.
 ## </desc>
@ -356,7 +321,6 @@ interface(`corenet_tcp_sendrecv_$1_port',`
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="write" weight="10"/>
 ## </interface>
 #
 interface(`corenet_udp_send_$1_port',`
 	gen_require(`
@ -368,7 +332,6 @@ interface(`corenet_udp_send_$1_port',`
 ')
 ########################################
 ## <interface name="corenet_udp_receive_$1_port">
 ## <desc>
 ##	Receive UDP traffic on the $1 port.
 ## </desc>
@ -376,7 +339,6 @@ interface(`corenet_udp_send_$1_port',`
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="read" weight="10"/>
 ## </interface>
 #
 interface(`corenet_udp_receive_$1_port',`
 	gen_require(`
@ -388,7 +350,6 @@ interface(`corenet_udp_receive_$1_port',`
 ')
 ########################################
 ## <interface name="corenetwork_sendrecv_udp_on_$1_port">
 ## <desc>
 ##	Send and receive UDP traffic on the $1 port.
 ## </desc>
@ -396,7 +357,6 @@ interface(`corenet_udp_receive_$1_port',`
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="both" weight="10"/>
 ## </interface>
 #
 interface(`corenet_udp_sendrecv_$1_port',`
 	corenet_udp_send_$1_port(dollarsone)
@ -404,7 +364,6 @@ interface(`corenet_udp_sendrecv_$1_port',`
 ')
 ########################################
 ## <interface name="corenet_tcp_bind_$1_port">
 ## <desc>
 ##	Bind TCP sockets to the $1 port.
 ## </desc>
@ -412,7 +371,6 @@ interface(`corenet_udp_sendrecv_$1_port',`
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="none"/>
 ## </interface>
 #
 interface(`corenet_tcp_bind_$1_port',`
 	gen_require(`
@ -425,7 +383,6 @@ interface(`corenet_tcp_bind_$1_port',`
 ')
 ########################################
 ## <interface name="corenet_udp_bind_$1_port">
 ## <desc>
 ##	Bind UDP sockets to the $1 port.
 ## </desc>
@ -433,7 +390,6 @@ interface(`corenet_tcp_bind_$1_port',`
 ##	The type of the process performing this action.
 ## </param>
 ## <infoflow type="none"/>
 ## </interface>
 #
 interface(`corenet_udp_bind_$1_port',`
 	gen_require(`
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@ -1,11 +1,9 @@
 ## <module name="kernel">
 ## <summary>
 ## Policy for kernel threads, proc filesystem,
 ## and unlabeled processes and objects.
 ## </summary>
 ########################################
 ## <interface name="kernel_userland_entry">
 ## <desc>
 ##	Allows to start userland processes
 ##	by transitioning to the specified domain.
@ -16,7 +14,6 @@
 ## <param name="entrypoint">
 ##	The executable type for the entrypoint.
 ## </param>
 ## </interface>
 #
 interface(`kernel_userland_entry',`
 	gen_require(`
@ -35,7 +32,6 @@ interface(`kernel_userland_entry',`
 ')
 ########################################
 ## <interface name="kernel_rootfs_mountpoint">
 ## <desc>
 ##	Allows the kernel to mount filesystems on
 ##	the specified directory type.
@ -43,7 +39,6 @@ interface(`kernel_userland_entry',`
 ## <param name="directory_type">
 ##	The type of the directory to use as a mountpoint.
 ## </param>
 ## </interface>
 #
 interface(`kernel_rootfs_mountpoint',`
 	gen_require(`
@ -55,14 +50,12 @@ interface(`kernel_rootfs_mountpoint',`
 ')
 ########################################
 ## <interface name="kernel_sigchld">
 ## <desc>
 ##	Send a SIGCHLD signal to kernel threads.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process sending the signal.
 ## </param>
 ## </interface>
 #
 interface(`kernel_sigchld',`
 	gen_require(`
@ -74,7 +67,6 @@ interface(`kernel_sigchld',`
 ')
 ########################################
 ## <interface name="kernel_share_state">
 ## <desc>
 ##	Allows the kernel to share state information with
 ##	the caller.
@ -82,7 +74,6 @@ interface(`kernel_sigchld',`
 ## <param name="domain">
 ##	The type of the process with which to share state information.
 ## </param>
 ## </interface>
 #
 interface(`kernel_share_state',`
 	gen_require(`
@ -94,14 +85,12 @@ interface(`kernel_share_state',`
 ')
 ########################################
 ## <interface name="kernel_use_fd">
 ## <desc>
 ##	Permits caller to use kernel file descriptors.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process using the descriptors.
 ## </param>
 ## </interface>
 #
 interface(`kernel_use_fd',`
 	gen_require(`
@ -113,7 +102,6 @@ interface(`kernel_use_fd',`
 ')
 ########################################
 ## <interface name="kernel_dontaudit_use_fd">
 ## <desc>
 ##	Do not audit attempts to use
 ##	kernel file descriptors.
@ -121,7 +109,6 @@ interface(`kernel_use_fd',`
 ## <param name="domain">
 ##	The type of process not to audit.
 ## </param>
 ## </interface>
 #
 interface(`kernel_dontaudit_use_fd',`
 	gen_require(`
@ -133,14 +120,12 @@ interface(`kernel_dontaudit_use_fd',`
 ')
 ########################################
 ## <interface name="kernel_load_module">
 ## <desc>
 ##	Allows caller to load kernel modules
 ## </desc>
 ## <param name="domain">
 ##	The process type to allow to load kernel modules.
 ## </param>
 ## </interface>
 #
 interface(`kernel_load_module',`
 	gen_require(`
@ -153,14 +138,12 @@ interface(`kernel_load_module',`
 ')
 ########################################
 ## <interface name="kernel_read_ring_buffer">
 ## <desc>
 ##	Allows caller to read the ring buffer.
 ## </desc>
 ## <param name="domain">
 ##	The process type allowed to read the ring buffer.
 ## </param>
 ## </interface>
 #
 interface(`kernel_read_ring_buffer',`
 	gen_require(`
@ -172,14 +155,12 @@ interface(`kernel_read_ring_buffer',`
 ')
 ########################################
 ## <interface name="kernel_dontaudit_read_ring_buffer">
 ## <desc>
 ##	Do not audit attempts to read the ring buffer.
 ## </desc>
 ## <param name="domain">
 ##	The domain to not audit.
 ## </param>
 ## </interface>
 #
 interface(`kernel_dontaudit_read_ring_buffer',`
 	gen_require(`
@ -191,14 +172,12 @@ interface(`kernel_dontaudit_read_ring_buffer',`
 ')
 ########################################
 ## <interface name="kernel_change_ring_buffer_level">
 ## <desc>
 ##	
 ## </desc>
 ## <param name="domain">
 ##	
 ## </param>
 ## </interface>
 #
 interface(`kernel_change_ring_buffer_level',`
 	gen_require(`
@ -210,14 +189,12 @@ interface(`kernel_change_ring_buffer_level',`
 ')
 ########################################
 ## <interface name="kernel_clear_ring_buffer">
 ## <desc>
 ##	Allows the caller to clear the ring buffer.
 ## </desc>
 ## <param name="domain">
 ##	The process type clearing the buffer.
 ## </param>
 ## </interface>
 #
 interface(`kernel_clear_ring_buffer',`
 	gen_require(`
@ -229,14 +206,12 @@ interface(`kernel_clear_ring_buffer',`
 ')
 ########################################
 ## <interface name="kernel_get_sysvipc_info">
 ## <desc>
 ##	Get information on all System V IPC objects.
 ## </desc>
 ## <param name="domain">
 ##	
 ## </param>
 ## </interface>
 #
 interface(`kernel_get_sysvipc_info',`
 	gen_require(`
@ -248,14 +223,12 @@ interface(`kernel_get_sysvipc_info',`
 ')
 ########################################
 ## <interface name="kernel_read_system_state">
 ## <desc>
 ##	Allows caller to read system state information.
 ## </desc>
 ## <param name="domain">
 ##	The process type reading the system state information.
 ## </param>
 ## </interface>
 #
 interface(`kernel_read_system_state',`
 	gen_require(`
@ -271,7 +244,6 @@ interface(`kernel_read_system_state',`
 ')
 ########################################
 ## <interface name="kernel_dontaudit_read_system_state">
 ## <desc>
 ##	Do not audit attempts by caller to
 ##	read system state information.
@ -279,7 +251,6 @@ interface(`kernel_read_system_state',`
 ## <param name="domain">
 ##	The process type not to audit.
 ## </param>
 ## </interface>
 #
 interface(`kernel_dontaudit_read_system_state',`
 	gen_require(`
@ -291,14 +262,12 @@ interface(`kernel_dontaudit_read_system_state',`
 ')
 #######################################
 ## <interface name="kernel_read_software_raid_state">
 ## <desc>
 ##	Allow caller to read the state information for software raid.
 ## </desc>
 ## <param name="domain">
 ##	The process type reading software raid state.
 ## </param>
 ## </interface>
 #
 interface(`kernel_read_software_raid_state',`
 	gen_require(`
@ -312,14 +281,12 @@ interface(`kernel_read_software_raid_state',`
 ')
 ########################################
 ## <interface name="kernel_getattr_core">
 ## <desc>
 ##	Allows caller to get attribues of core kernel interface.
 ## </desc>
 ## <param name="domain">
 ##	The process type getting the attibutes.
 ## </param>
 ## </interface>
 #
 interface(`kernel_getattr_core',`
 	gen_require(`
@ -333,7 +300,6 @@ interface(`kernel_getattr_core',`
 ')
 ########################################
 ## <interface name="kernel_dontaudit_getattr_core">
 ## <desc>
 ##	Do not audit attempts to get the attributes of
 ##	core kernel interfaces.
@ -341,7 +307,6 @@ interface(`kernel_getattr_core',`
 ## <param name="domain">
 ##	The process type to not audit.
 ## </param>
 ## </interface>
 #
 interface(`kernel_dontaudit_getattr_core',`
 	gen_require(`
@ -353,7 +318,6 @@ interface(`kernel_dontaudit_getattr_core',`
 ')
 ########################################
 ## <interface name="kernel_read_messages">
 ## <desc>
 ##	Allow caller to read kernel messages
 ##	using the /proc/kmsg interface.
@ -361,7 +325,6 @@ interface(`kernel_dontaudit_getattr_core',`
 ## <param name="domain">
 ##	The process type reading the messages.
 ## </param>
 ## </interface>
 #
 interface(`kernel_read_messages',`
 	gen_require(`
@ -377,7 +340,6 @@ interface(`kernel_read_messages',`
 ')
 ########################################
 ## <interface name="kernel_getattr_message_if">
 ## <desc>
 ##	Allow caller to get the attributes of kernel message
 ##	interface (/proc/kmsg).
@ -385,7 +347,6 @@ interface(`kernel_read_messages',`
 ## <param name="domain">
 ##	The process type getting the attributes.
 ## </param>
 ## </interface>
 #
 interface(`kernel_getattr_message_if',`
 	gen_require(`
@ -399,7 +360,6 @@ interface(`kernel_getattr_message_if',`
 ')
 ########################################
 ## <interface name="kernel_dontaudit_getattr_message_if">
 ## <desc>
 ##	Do not audit attempts by caller to get the attributes of kernel
 ##	message interfaces.
@ -407,7 +367,6 @@ interface(`kernel_getattr_message_if',`
 ## <param name="domain">
 ##	The process type not to audit.
 ## </param>
 ## </interface>
 #
 interface(`kernel_dontaudit_getattr_message_if',`
 	gen_require(`
@ -419,14 +378,12 @@ interface(`kernel_dontaudit_getattr_message_if',`
 ')
 ########################################
 ## <interface name="kernel_read_network_state">
 ## <desc>
 ##	Allow caller to read the network state information.
 ## </desc>
 ## <param name="domain">
 ##	The process type reading the state.
 ## </param>
 ## </interface>
 ##
 #
 interface(`kernel_read_network_state',`
@ -442,14 +399,12 @@ interface(`kernel_read_network_state',`
 ')
 ########################################
 ## <interface name="kernel_dontaudit_search_sysctl_dir">
 ## <desc>
 ##	Do not audit attempts by caller to search the sysctl directory.
 ## </desc>
 ## <param name="domain">
 ##	The process type not to audit.
 ## </param>
 ## </interface>
 ##
 #
 interface(`kernel_dontaudit_search_sysctl_dir',`
@ -462,14 +417,12 @@ interface(`kernel_dontaudit_search_sysctl_dir',`
 ')
 ########################################
 ## <interface name="kernel_read_device_sysctl">
 ## <desc>
 ##	Allow caller to read the device sysctls.
 ## </desc>
 ## <param name="domain">
 ##	The process type to allow to read the device sysctls.
 ## </param>
 ## </interface>
 #
 interface(`kernel_read_device_sysctl',`
 	gen_require(`
@ -485,14 +438,12 @@ interface(`kernel_read_device_sysctl',`
 ')
 ########################################
 ## <interface name="kernel_rw_device_sysctl">
 ## <desc>
 ##	Read and write device sysctls.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`kernel_rw_device_sysctl',`
 	gen_require(`
@ -507,14 +458,12 @@ interface(`kernel_rw_device_sysctl',`
 ')
 ########################################
 ## <interface name="kernel_read_vm_sysctl">
 ## <desc>
 ##	Allow caller to read virtual memory sysctls.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 ##
 #
 interface(`kernel_read_vm_sysctl',`
@ -530,14 +479,12 @@ interface(`kernel_read_vm_sysctl',`
 ')
 ########################################
 ## <interface name="kernel_rw_vm_sysctl">
 ## <desc>
 ##	Read and write virtual memory sysctls.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`kernel_rw_vm_sysctl',`
 	gen_require(`
@ -552,14 +499,12 @@ interface(`kernel_rw_vm_sysctl',`
 ')
 ########################################
 ## <interface name="kernel_dontaudit_search_network_sysctl_dir">
 ## <desc>
 ##	Do not audit attempts by caller to search sysctl network directories.
 ## </desc>
 ## <param name="domain">
 ##	The process type not to audit.
 ## </param>
 ## </interface>
 #
 interface(`kernel_dontaudit_search_network_sysctl_dir',`
 	gen_require(`
@ -571,14 +516,12 @@ interface(`kernel_dontaudit_search_network_sysctl_dir',`
 ')
 ########################################
 ## <interface name="kernel_read_net_sysctl">
 ## <desc>
 ##	Allow caller to read network sysctls.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 ##
 #
 interface(`kernel_read_net_sysctl',`
@ -595,14 +538,12 @@ interface(`kernel_read_net_sysctl',`
 ')
 ########################################
 ## <interface name="kernel_rw_net_sysctl">
 ## <desc>
 ##	Allow caller to modiry contents of sysctl network files.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`kernel_rw_net_sysctl',`
 	gen_require(`
@ -618,7 +559,6 @@ interface(`kernel_rw_net_sysctl',`
 ')
 ########################################
 ## <interface name="kernel_read_unix_sysctl">
 ## <desc>
 ##	Allow caller to read unix domain
 ##	socket sysctls.
@ -626,7 +566,6 @@ interface(`kernel_rw_net_sysctl',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`kernel_read_unix_sysctl',`
 	gen_require(`
@ -642,7 +581,6 @@ interface(`kernel_read_unix_sysctl',`
 ')
 ########################################
 ## <interface name="kernel_rw_unix_sysctl">
 ## <desc>
 ##	Read and write unix domain
 ##	socket sysctls.
@ -650,7 +588,6 @@ interface(`kernel_read_unix_sysctl',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`kernel_rw_unix_sysctl',`
 	gen_require(`
@ -666,14 +603,12 @@ interface(`kernel_rw_unix_sysctl',`
 ')
 ########################################
 ## <interface name="kernel_read_hotplug_sysctl">
 ## <desc>
 ##	Read the hotplug sysctl.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`kernel_read_hotplug_sysctl',`
 	gen_require(`
@ -689,14 +624,12 @@ interface(`kernel_read_hotplug_sysctl',`
 ')
 ########################################
 ## <interface name="kernel_rw_hotplug_sysctl">
 ## <desc>
 ##	Read and write the hotplug sysctl.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`kernel_rw_hotplug_sysctl',`
 	gen_require(`
@ -712,14 +645,12 @@ interface(`kernel_rw_hotplug_sysctl',`
 ')
 ########################################
 ## <interface name="kernel_read_modprobe_sysctl">
 ## <desc>
 ##	Read the modprobe sysctl.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`kernel_read_modprobe_sysctl',`
 	gen_require(`
@ -735,14 +666,12 @@ interface(`kernel_read_modprobe_sysctl',`
 ')
 ########################################
 ## <interface name="kernel_rw_modprobe_sysctl">
 ## <desc>
 ##	Read and write the modprobe sysctl.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`kernel_rw_modprobe_sysctl',`
 	gen_require(`
@ -758,14 +687,12 @@ interface(`kernel_rw_modprobe_sysctl',`
 ')
 ########################################
 ## <interface name="kernel_read_kernel_sysctl">
 ## <desc>
 ##	Read generic kernel sysctls.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`kernel_read_kernel_sysctl',`
 	gen_require(`
@ -781,14 +708,12 @@ interface(`kernel_read_kernel_sysctl',`
 ')
 ########################################
 ## <interface name="kernel_rw_kernel_sysctl">
 ## <desc>
 ##	Read and write generic kernel sysctls.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`kernel_rw_kernel_sysctl',`
 	gen_require(`
@ -804,14 +729,12 @@ interface(`kernel_rw_kernel_sysctl',`
 ')
 ########################################
 ## <interface name="kernel_read_fs_sysctl">
 ## <desc>
 ##	Read filesystem sysctls.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`kernel_read_fs_sysctl',`
 	gen_require(`
@ -827,14 +750,12 @@ interface(`kernel_read_fs_sysctl',`
 ')
 ########################################
 ## <interface name="kernel_rw_fs_sysctl">
 ## <desc>
 ##	Read and write fileystem sysctls.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`kernel_rw_fs_sysctl',`
 	gen_require(`
@ -850,14 +771,12 @@ interface(`kernel_rw_fs_sysctl',`
 ')
 ########################################
 ## <interface name="kernel_read_irq_sysctl">
 ## <desc>
 ##	Read IRQ sysctls.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`kernel_read_irq_sysctl',`
 	gen_require(`
@ -872,14 +791,12 @@ interface(`kernel_read_irq_sysctl',`
 ')
 ########################################
 ## <interface name="kernel_rw_irq_sysctl">
 ## <desc>
 ##	Read and write IRQ sysctls.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 ##
 #
 interface(`kernel_rw_irq_sysctl',`
@ -929,14 +846,12 @@ interface(`kernel_rw_rpc_sysctl',`
 ')
 ########################################
 ## <interface name="kernel_read_all_sysctl">
 ## <desc>
 ##	Allow caller to read all sysctls.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`kernel_read_all_sysctl',`
 	kernel_read_device_sysctl($1)
@ -952,14 +867,12 @@ interface(`kernel_read_all_sysctl',`
 ')
 ########################################
 ## <interface name="kernel_rw_all_sysctl">
 ## <desc>
 ##	Read and write all sysctls.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`kernel_rw_all_sysctl',`
 	kernel_rw_device_sysctl($1)
@ -975,14 +888,12 @@ interface(`kernel_rw_all_sysctl',`
 ')
 ########################################
 ## <interface name="kernel_kill_unlabeled">
 ## <desc>
 ##	Send a kill signal to unlabeled processes.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`kernel_kill_unlabeled',`
 	gen_require(`
@ -994,14 +905,12 @@ interface(`kernel_kill_unlabeled',`
 ')
 ########################################
 ## <interface name="kernel_signal_unlabeled">
 ## <desc>
 ##	Send general signals to unlabeled processes.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`kernel_signal_unlabeled',`
 	gen_require(`
@ -1013,14 +922,12 @@ interface(`kernel_signal_unlabeled',`
 ')
 ########################################
 ## <interface name="kernel_signull_unlabeled">
 ## <desc>
 ##	Send a null signal to unlabeled processes.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`kernel_signull_unlabeled',`
 	gen_require(`
@ -1032,14 +939,12 @@ interface(`kernel_signull_unlabeled',`
 ')
 ########################################
 ## <interface name="kernel_sigstop_unlabeled">
 ## <desc>
 ##	Send a stop signal to unlabeled processes.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`kernel_sigstop_unlabeled',`
 	gen_require(`
@ -1051,14 +956,12 @@ interface(`kernel_sigstop_unlabeled',`
 ')
 ########################################
 ## <interface name="kernel_sigchld_unlabeled">
 ## <desc>
 ##	Send a child terminated signal to unlabeled processes.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`kernel_sigchld_unlabeled',`
 	gen_require(`
@ -1070,7 +973,6 @@ interface(`kernel_sigchld_unlabeled',`
 ')
 ########################################
 ## <interface name="kernel_dontaudit_getattr_unlabeled_blk_dev">
 ## <desc>
 ##	Do not audit attempts by caller to get attributes for
 ##	unlabeled block devices.
@ -1078,7 +980,6 @@ interface(`kernel_sigchld_unlabeled',`
 ## <param name="domain">
 ##	The process type not to audit.
 ## </param>
 ## </interface>
 #
 interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
 	gen_require(`
@ -1090,14 +991,12 @@ interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
 ')
 ########################################
 ## <interface name="kernel_relabel_unlabeled">
 ## <desc>
 ##	Allow caller to relabel unlabeled objects.
 ## </desc>
 ## <param name="domain">
 ##	The process type relabeling the objects.
 ## </param>
 ## </interface>
 #
 interface(`kernel_relabel_unlabeled',`
 	gen_require(`
@ -1114,4 +1013,3 @@ interface(`kernel_relabel_unlabeled',`
 	allow $1 unlabeled_t:dir_file_class_set { getattr relabelfrom };
 ')
 ## </module>
--- a/refpolicy/policy/modules/kernel/metadata.xml
+++ b/refpolicy/policy/modules/kernel/metadata.xml
@ -1 +0,0 @@
 <layer name="kernel">
--- a/refpolicy/policy/modules/kernel/selinux.if
+++ b/refpolicy/policy/modules/kernel/selinux.if
@ -1,17 +1,14 @@
 ## <module name="selinux">
 ## <summary>
 ## Policy for kernel security interface, in particular, selinuxfs.
 ## </summary>
 ########################################
 ## <interface name="selinux_get_fs_mount">
 ## <desc>
 ##	Gets the caller the mountpoint of the selinuxfs filesystem.
 ## </desc>
 ## <param name="domain">
 ##	The process type requesting the selinuxfs mountpoint.
 ## </param>
 ## </interface>
 #
 interface(`selinux_get_fs_mount',`
 	# read /proc/filesystems to see if selinuxfs is supported
@ -20,7 +17,6 @@ interface(`selinux_get_fs_mount',`
 ')
 ########################################
 ## <interface name="selinux_get_enforce_mode">
 ## <desc>
 ##	Allows the caller to get the mode of policy enforcement
 ##	(enforcing or permissive mode).
@ -28,7 +24,6 @@ interface(`selinux_get_fs_mount',`
 ## <param name="domain">
 ##	The process type to allow to get the enforcing mode.
 ## </param>
 ## </interface>
 #
 interface(`selinux_get_enforce_mode',`
 	gen_require(`
@ -42,7 +37,6 @@ interface(`selinux_get_enforce_mode',`
 ')
 ########################################
 ## <interface name="selinux_set_enforce_mode">
 ## <desc>
 ##	Allow caller to set the mode of policy enforcement
 ##	(enforcing or permissive mode).
@ -50,7 +44,6 @@ interface(`selinux_get_enforce_mode',`
 ## <param name="domain">
 ##	The process type to allow to set the enforcement mode.
 ## </param>
 ## </interface>
 #
 interface(`selinux_set_enforce_mode',`
 	gen_require(`
@ -69,14 +62,12 @@ interface(`selinux_set_enforce_mode',`
 ')
 ########################################
 ## <interface name="selinux_load_policy">
 ## <desc>
 ##	Allow caller to load the policy into the kernel.
 ## </desc>
 ## <param name="domain">
 ##	The process type that will load the policy.
 ## </param>
 ## </interface>
 #
 interface(`selinux_load_policy',`
 	gen_require(`
@ -95,7 +86,6 @@ interface(`selinux_load_policy',`
 ')
 ########################################
 ## <interface name="selinux_set_boolean">
 ## <desc>
 ##	Allow caller to set the state of Booleans to
 ##	enable or disable conditional portions of the policy.
@ -106,7 +96,6 @@ interface(`selinux_load_policy',`
 ## <param name="booltype" optional="true">
 ##	The type of Booleans the caller is allowed to set.
 ## </param>
 ## </interface>
 #
 interface(`selinux_set_boolean',`
 	gen_require(`
@ -130,14 +119,12 @@ interface(`selinux_set_boolean',`
 ')
 ########################################
 ## <interface name="selinux_set_parameters">
 ## <desc>
 ##	Allow caller to set selinux security parameters.
 ## </desc>
 ## <param name="domain">
 ##	The process type to allow to set security parameters.
 ## </param>
 ## </interface>
 #
 interface(`selinux_set_parameters',`
 	gen_require(`
@ -156,14 +143,12 @@ interface(`selinux_set_parameters',`
 ')
 ########################################
 ## <interface name="selinux_validate_context">
 ## <desc>
 ##	Allows caller to validate security contexts.
 ## </desc>
 ## <param name="domain">
 ##	The process type permitted to validate contexts.
 ## </param>
 ## </interface>
 #
 interface(`selinux_validate_context',`
 	gen_require(`
@ -179,14 +164,12 @@ interface(`selinux_validate_context',`
 ')
 ########################################
 ## <interface name="selinux_compute_access_vector">
 ## <desc>
 ##	Allows caller to compute an access vector.
 ## </desc>
 ## <param name="domain">
 ##	The process type allowed to compute an access vector.
 ## </param>
 ## </interface>
 #
 interface(`selinux_compute_access_vector',`
 	gen_require(`
@ -202,14 +185,12 @@ interface(`selinux_compute_access_vector',`
 ')
 ########################################
 ## <interface name="selinux_compute_create_context">
 ## <desc>
 ##	
 ## </desc>
 ## <param name="domain">
 ##	
 ## </param>
 ## </interface>
 #
 interface(`selinux_compute_create_context',`
 	gen_require(`
@ -225,14 +206,12 @@ interface(`selinux_compute_create_context',`
 ')
 ########################################
 ## <interface name="selinux_compute_relabel_context">
 ## <desc>
 ##	
 ## </desc>
 ## <param name="domain">
 ##	The process type to
 ## </param>
 ## </interface>
 #
 interface(`selinux_compute_relabel_context',`
 	gen_require(`
@ -248,14 +227,12 @@ interface(`selinux_compute_relabel_context',`
 ')
 ########################################
 ## <interface name="selinux_compute_user_contexts">
 ## <desc>
 ##	Allows caller to compute possible contexts for a user.
 ## </desc>
 ## <param name="domain">
 ##	The process type allowed to compute user contexts.
 ## </param>
 ## </interface>
 #
 interface(`selinux_compute_user_contexts',`
 	gen_require(`
@ -270,4 +247,3 @@ interface(`selinux_compute_user_contexts',`
 	allow $1 security_t:security compute_user;
 ')
 ## </module>
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@ -1,8 +1,6 @@
 ## <module name="storage">
 ## <summary>Policy controlling access to storage devices</summary>
 ########################################
 ## <interface name="storage_getattr_fixed_disk">
 ## <desc>
 ##	Allow the caller to get the attributes of fixed disk
 ##	device nodes.
@ -10,7 +8,6 @@
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_getattr_fixed_disk',`
 	gen_require(`
@ -23,7 +20,6 @@ interface(`storage_getattr_fixed_disk',`
 ')
 ########################################
 ## <interface name="storage_dontaudit_getattr_fixed_disk">
 ## <desc>
 ##	Do not audit attempts made by the caller to get
 ##	the attributes of fixed disk device nodes.
@ -31,7 +27,6 @@ interface(`storage_getattr_fixed_disk',`
 ## <param name="domain">
 ##	The type of the process to not audit.
 ## </param>
 ## </interface>
 #
 interface(`storage_dontaudit_getattr_fixed_disk',`
 	gen_require(`
@ -43,7 +38,6 @@ interface(`storage_dontaudit_getattr_fixed_disk',`
 ')
 ########################################
 ## <interface name="storage_setattr_fixed_disk">
 ## <desc>
 ##	Allow the caller to set the attributes of fixed disk
 ##	device nodes.
@ -51,7 +45,6 @@ interface(`storage_dontaudit_getattr_fixed_disk',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_setattr_fixed_disk',`
 	gen_require(`
@ -64,7 +57,6 @@ interface(`storage_setattr_fixed_disk',`
 ')
 ########################################
 ## <interface name="storage_dontaudit_setattr_fixed_disk">
 ## <desc>
 ##	Do not audit attempts made by the caller to set
 ##	the attributes of fixed disk device nodes.
@ -72,7 +64,6 @@ interface(`storage_setattr_fixed_disk',`
 ## <param name="domain">
 ##	The type of the process to not audit.
 ## </param>
 ## </interface>
 #
 interface(`storage_dontaudit_setattr_fixed_disk',`
 	gen_require(`
@ -84,7 +75,6 @@ interface(`storage_dontaudit_setattr_fixed_disk',`
 ')
 ########################################
 ## <interface name="storage_raw_read_fixed_disk">
 ## <desc>
 ##	Allow the caller to directly read from a fixed disk.
 ##	This is extremly dangerous as it can bypass the
@ -94,7 +84,6 @@ interface(`storage_dontaudit_setattr_fixed_disk',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_raw_read_fixed_disk',`
 	gen_require(`
@ -109,7 +98,6 @@ interface(`storage_raw_read_fixed_disk',`
 ')
 ########################################
 ## <interface name="storage_raw_write_fixed_disk">
 ## <desc>
 ##	Allow the caller to directly write to a fixed disk.
 ##	This is extremly dangerous as it can bypass the
@ -119,7 +107,6 @@ interface(`storage_raw_read_fixed_disk',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_raw_write_fixed_disk',`
 	gen_require(`
@ -134,14 +121,12 @@ interface(`storage_raw_write_fixed_disk',`
 ')
 ########################################
 ## <interface name="storage_create_fixed_disk">
 ## <desc>
 ##	Create block devices in /dev with the fixed disk type.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_create_fixed_disk_dev_entry',`
 	gen_require(`
@ -156,14 +141,12 @@ interface(`storage_create_fixed_disk_dev_entry',`
 ')
 ########################################
 ## <interface name="storage_manage_fixed_disk">
 ## <desc>
 ##	Create, read, write, and delete fixed disk device nodes.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_manage_fixed_disk',`
 	gen_require(`
@ -178,7 +161,6 @@ interface(`storage_manage_fixed_disk',`
 ')
 ########################################
 ## <interface name="storage_raw_read_lvm_volume">
 ## <desc>
 ##	Allow the caller to directly read from a logical volume.
 ##	This is extremly dangerous as it can bypass the
@ -188,7 +170,6 @@ interface(`storage_manage_fixed_disk',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_raw_read_lvm_volume',`
 	gen_require(`
@ -203,7 +184,6 @@ interface(`storage_raw_read_lvm_volume',`
 ')
 ########################################
 ## <interface name="storage_raw_write_lvm_volume">
 ## <desc>
 ##	Allow the caller to directly read from a logical volume.
 ##	This is extremly dangerous as it can bypass the
@ -213,7 +193,6 @@ interface(`storage_raw_read_lvm_volume',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_raw_write_lvm_volume',`
 	gen_require(`
@ -228,7 +207,6 @@ interface(`storage_raw_write_lvm_volume',`
 ')
 ########################################
 ## <interface name="storage_getattr_scsi_generic">
 ## <desc>
 ##	Allow the caller to get the attributes of
 ##	the generic SCSI interface device nodes.
@ -236,7 +214,6 @@ interface(`storage_raw_write_lvm_volume',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_getattr_scsi_generic',`
 	gen_require(`
@ -249,7 +226,6 @@ interface(`storage_getattr_scsi_generic',`
 ')
 ########################################
 ## <interface name="storage_setattr_scsi_generic">
 ## <desc>
 ##	Allow the caller to set the attributes of
 ##	the generic SCSI interface device nodes.
@ -257,7 +233,6 @@ interface(`storage_getattr_scsi_generic',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_setattr_scsi_generic',`
 	gen_require(`
@ -270,7 +245,6 @@ interface(`storage_setattr_scsi_generic',`
 ')
 ########################################
 ## <interface name="storage_read_scsi_generic">
 ## <desc>
 ##	Allow the caller to directly read, in a
 ##	generic fashion, from any SCSI device.
@ -281,7 +255,6 @@ interface(`storage_setattr_scsi_generic',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_read_scsi_generic',`
 	gen_require(`
@ -296,7 +269,6 @@ interface(`storage_read_scsi_generic',`
 ')
 ########################################
 ## <interface name="storage_write_scsi_generic">
 ## <desc>
 ##	Allow the caller to directly write, in a
 ##	generic fashion, from any SCSI device.
@ -307,7 +279,6 @@ interface(`storage_read_scsi_generic',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_write_scsi_generic',`
 	gen_require(`
@ -322,7 +293,6 @@ interface(`storage_write_scsi_generic',`
 ')
 ########################################
 ## <interface name="storage_getattr_scsi_generic">
 ## <desc>
 ##	Get attributes of the device nodes
 ##	for the SCSI generic inerface.
@ -330,7 +300,6 @@ interface(`storage_write_scsi_generic',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_getattr_scsi_generic',`
 	gen_require(`
@ -343,7 +312,6 @@ interface(`storage_getattr_scsi_generic',`
 ')
 ########################################
 ## <interface name="storage_setattr_scsi_generic">
 ## <desc>
 ##	Set attributes of the device nodes
 ##	for the SCSI generic inerface.
@ -351,7 +319,6 @@ interface(`storage_getattr_scsi_generic',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_set_scsi_generic_attributes',`
 	gen_require(`
@ -364,7 +331,6 @@ interface(`storage_set_scsi_generic_attributes',`
 ')
 ########################################
 ## <interface name="storage_getattr_removable_device">
 ## <desc>
 ##	Allow the caller to get the attributes of removable
 ##	devices device nodes.
@ -372,7 +338,6 @@ interface(`storage_set_scsi_generic_attributes',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_getattr_removable_device',`
 	gen_require(`
@ -385,7 +350,6 @@ interface(`storage_getattr_removable_device',`
 ')
 ########################################
 ## <interface name="storage_dontaudit_getattr_removable_device">
 ## <desc>
 ##	Do not audit attempts made by the caller to get
 ##	the attributes of removable devices device nodes.
@ -393,7 +357,6 @@ interface(`storage_getattr_removable_device',`
 ## <param name="domain">
 ##	The type of the process to not audit.
 ## </param>
 ## </interface>
 #
 interface(`storage_dontaudit_getattr_removable_device',`
 	gen_require(`
@ -405,7 +368,6 @@ interface(`storage_dontaudit_getattr_removable_device',`
 ')
 ########################################
 ## <interface name="storage_setattr_removable_device">
 ## <desc>
 ##	Allow the caller to set the attributes of removable
 ##	devices device nodes.
@ -413,7 +375,6 @@ interface(`storage_dontaudit_getattr_removable_device',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_setattr_removable_device',`
 	gen_require(`
@ -426,7 +387,6 @@ interface(`storage_setattr_removable_device',`
 ')
 ########################################
 ## <interface name="storage_dontaudit_setattr_removable_device">
 ## <desc>
 ##	Do not audit attempts made by the caller to set
 ##	the attributes of removable devices device nodes.
@ -434,7 +394,6 @@ interface(`storage_setattr_removable_device',`
 ## <param name="domain">
 ##	The type of the process to not audit.
 ## </param>
 ## </interface>
 #
 interface(`storage_dontaudit_setattr_removable_device',`
 	gen_require(`
@ -446,7 +405,6 @@ interface(`storage_dontaudit_setattr_removable_device',`
 ')
 ########################################
 ## <interface name="storage_raw_read_removable_device">
 ## <desc>
 ##	Allow the caller to directly read from
 ##	a removable device.
@ -457,7 +415,6 @@ interface(`storage_dontaudit_setattr_removable_device',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_raw_read_removable_device',`
 	gen_require(`
@ -470,7 +427,6 @@ interface(`storage_raw_read_removable_device',`
 ')
 ########################################
 ## <interface name="storage_raw_write_removable_device">
 ## <desc>
 ##	Allow the caller to directly write to
 ##	a removable device.
@ -481,7 +437,6 @@ interface(`storage_raw_read_removable_device',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_raw_write_removable_device',`
 	gen_require(`
@ -494,7 +449,6 @@ interface(`storage_raw_write_removable_device',`
 ')
 ########################################
 ## <interface name="storage_read_tape_device">
 ## <desc>
 ##	Allow the caller to directly read
 ##	a tape device.
@ -502,7 +456,6 @@ interface(`storage_raw_write_removable_device',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_read_tape_device',`
 	gen_require(`
@ -515,7 +468,6 @@ interface(`storage_read_tape_device',`
 ')
 ########################################
 ## <interface name="storage_write_tape_device">
 ## <desc>
 ##	Allow the caller to directly read
 ##	a tape device.
@ -523,7 +475,6 @@ interface(`storage_read_tape_device',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_write_tape_device',`
 	gen_require(`
@ -536,7 +487,6 @@ interface(`storage_write_tape_device',`
 ')
 ########################################
 ## <interface name="storage_getattr_tape_device">
 ## <desc>
 ##	Allow the caller to get the attributes
 ##	of device nodes of tape devices.
@ -544,7 +494,6 @@ interface(`storage_write_tape_device',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_getattr_tape_device',`
 	gen_require(`
@ -557,7 +506,6 @@ interface(`storage_getattr_tape_device',`
 ')
 ########################################
 ## <interface name="storage_setattr_tape_device">
 ## <desc>
 ##	Allow the caller to set the attributes
 ##	of device nodes of tape devices.
@ -565,7 +513,6 @@ interface(`storage_getattr_tape_device',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`storage_setattr_tape_device',`
 	gen_require(`
@ -577,4 +524,3 @@ interface(`storage_setattr_tape_device',`
 	allow $1 tape_device_t:blk_file setattr;
 ')
 ## </module>
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@ -1,15 +1,12 @@
 ## <module name="terminal">
 ## <summary>Policy for terminals.</summary>
 ########################################
 ## <interface name="term_pty">
 ## <desc>
 ##	Transform specified type into a pty type.
 ## </desc>
 ## <param name="pty_type">
 ##	An object type that will applied to a pty.
 ## </param>
 ## </interface>
 #
 interface(`term_pty',`
 	gen_require(`
@ -23,7 +20,6 @@ interface(`term_pty',`
 ')
 ########################################
 ## <interface name="term_user_pty">
 ## <desc>
 ##	Transform specified type into an user
 ##	pty type. This allows it to be relabeled via
@ -36,7 +32,6 @@ interface(`term_pty',`
 ## <param name="object_type">
 ##	An object type that will applied to a pty.
 ## </param>
 ## </interface>
 #
 interface(`term_user_pty',`
 	gen_require(`
@ -48,7 +43,6 @@ interface(`term_user_pty',`
 ')
 ########################################
 ## <interface name="term_login_pty">
 ## <desc>
 ##	Transform specified type into a pty type
 ##	used by login programs, such as sshd.
@ -56,7 +50,6 @@ interface(`term_user_pty',`
 ## <param name="pty_type">
 ##	An object type that will applied to a pty.
 ## </param>
 ## </interface>
 #
 interface(`term_login_pty',`
 	gen_require(`
@ -68,14 +61,12 @@ interface(`term_login_pty',`
 ')
 ########################################
 ## <interface name="term_tty">
 ## <desc>
 ##	Transform specified type into a tty type.
 ## </desc>
 ## <param name="tty_type">
 ##	An object type that will applied to a tty.
 ## </param>
 ## </interface>
 #
 interface(`term_tty',`
 	gen_require(`
@ -98,7 +89,6 @@ interface(`term_tty',`
 ')
 ########################################
 ## <interface name="term_create_pty">
 ## <desc>
 ##	Create a pty in the /dev/pts directory.
 ## </desc>
@ -108,7 +98,6 @@ interface(`term_tty',`
 ## <param name="pty_type">
 ##	The type of the pty.
 ## </param>
 ## </interface>
 #
 interface(`term_create_pty',`
 	gen_require(`
@ -128,7 +117,6 @@ interface(`term_create_pty',`
 ')
 ########################################
 ## <interface name="term_use_all_terms">
 ## <desc>
 ##	Read and write the console, all
 ##	ttys and all ptys.
@ -136,7 +124,6 @@ interface(`term_create_pty',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_use_all_terms',`
 	gen_require(`
@ -152,14 +139,12 @@ interface(`term_use_all_terms',`
 ')
 ########################################
 ## <interface name="term_write_console">
 ## <desc>
 ##	Write to the console.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_write_console',`
 	gen_require(`
@ -172,14 +157,12 @@ interface(`term_write_console',`
 ')
 ########################################
 ## <interface name="term_use_console">
 ## <desc>
 ##	Read from and write to the console.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_use_console',`
 	gen_require(`
@ -192,7 +175,6 @@ interface(`term_use_console',`
 ')
 ########################################
 ## <interface name="term_dontaudit_use_console">
 ## <desc>
 ##	Do not audit attemtps to read from
 ##	or write to the console.
@ -200,7 +182,6 @@ interface(`term_use_console',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_dontaudit_use_console',`
 	gen_require(`
@ -212,7 +193,6 @@ interface(`term_dontaudit_use_console',`
 ')
 ########################################
 ## <interface name="term_setattr_console">
 ## <desc>
 ##	Set the attributes of the console
 ##	device node.
@ -220,7 +200,6 @@ interface(`term_dontaudit_use_console',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_setattr_console',`
 	gen_require(`
@ -233,7 +212,6 @@ interface(`term_setattr_console',`
 ')
 ########################################
 ## <interface name="term_list_ptys">
 ## <desc>
 ##	Read the /dev/pts directory to
 ##	list all ptys.
@ -241,7 +219,6 @@ interface(`term_setattr_console',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_list_ptys',`
 	gen_require(`
@ -254,7 +231,6 @@ interface(`term_list_ptys',`
 ')
 ########################################
 ## <interface name="term_dontaudit_list_ptys">
 ## <desc>
 ##	Do not audit attempts to read the
 ##	/dev/pts directory to.
@ -262,7 +238,6 @@ interface(`term_list_ptys',`
 ## <param name="domain">
 ##	The type of the process to not audit.
 ## </param>
 ## </interface>
 #
 interface(`term_dontaudit_list_ptys',`
 	gen_require(`
@ -274,7 +249,6 @@ interface(`term_dontaudit_list_ptys',`
 ')
 ########################################
 ## <interface name="term_use_generic_pty">
 ## <desc>
 ##	Read and write the generic pty
 ##	type.  This is generally only used in
@ -283,7 +257,6 @@ interface(`term_dontaudit_list_ptys',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_use_generic_pty',`
 	gen_require(`
@ -296,7 +269,6 @@ interface(`term_use_generic_pty',`
 ')
 ########################################
 ## <interface name="term_dontaudit_use_generic_pty">
 ## <desc>
 ##	Dot not audit attempts to read and
 ##	write the generic pty type.  This is
@ -305,7 +277,6 @@ interface(`term_use_generic_pty',`
 ## <param name="domain">
 ##	The type of the process to not audit.
 ## </param>
 ## </interface>
 #
 interface(`term_dontaudit_use_generic_pty',`
 	gen_require(`
@ -317,7 +288,6 @@ interface(`term_dontaudit_use_generic_pty',`
 ')
 ########################################
 ## <interface name="term_use_controlling_term">
 ## <desc>
 ##	Read and write the controlling
 ##	terminal (/dev/tty).
@ -325,7 +295,6 @@ interface(`term_dontaudit_use_generic_pty',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_use_controlling_term',`
 	gen_require(`
@ -338,7 +307,6 @@ interface(`term_use_controlling_term',`
 ')
 ########################################
 ## <interface name="term_dontaudit_use_ptmx">
 ## <desc>
 ##	Do not audit attempts to read and
 ##	write the pty multiplexor (/dev/ptmx).
@ -346,7 +314,6 @@ interface(`term_use_controlling_term',`
 ## <param name="domain">
 ##	The type of the process to not audit.
 ## </param>
 ## </interface>
 #
 interface(`term_dontaudit_use_ptmx',`
 	gen_require(`
@ -358,7 +325,6 @@ interface(`term_dontaudit_use_ptmx',`
 ')
 ########################################
 ## <interface name="term_getattr_all_user_ptys">
 ## <desc>
 ##	Get the attributes of all user
 ##	pty device nodes.
@ -366,7 +332,6 @@ interface(`term_dontaudit_use_ptmx',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_getattr_all_user_ptys',`
 	gen_require(`
@ -381,14 +346,12 @@ interface(`term_getattr_all_user_ptys',`
 ')
 ########################################
 ## <interface name="term_use_all_user_ptys">
 ## <desc>
 ##	Read and write all user ptys.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_use_all_user_ptys',`
 	gen_require(`
@ -403,7 +366,6 @@ interface(`term_use_all_user_ptys',`
 ')
 ########################################
 ## <interface name="term_dontaudit_use_all_user_ptys">
 ## <desc>
 ##	Do not audit attempts to read any
 ##	user ptys.
@ -411,7 +373,6 @@ interface(`term_use_all_user_ptys',`
 ## <param name="domain">
 ##	The type of the process to not audit.
 ## </param>
 ## </interface>
 #
 interface(`term_dontaudit_use_all_user_ptys',`
 	gen_require(`
@ -423,7 +384,6 @@ interface(`term_dontaudit_use_all_user_ptys',`
 ')
 ########################################
 ## <interface name="term_relabel_all_user_ptys">
 ## <desc>
 ##	Relabel from and to all user
 ##	user pty device nodes.
@ -431,7 +391,6 @@ interface(`term_dontaudit_use_all_user_ptys',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_relabel_all_user_ptys',`
 	gen_require(`
@ -444,7 +403,6 @@ interface(`term_relabel_all_user_ptys',`
 ')
 ########################################
 ## <interface name="term_getattr_unallocated_ttys">
 ## <desc>
 ##	Get the attributes of all unallocated
 ##	tty device nodes.
@ -452,7 +410,6 @@ interface(`term_relabel_all_user_ptys',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_getattr_unallocated_ttys',`
 	gen_require(`
@ -465,7 +422,6 @@ interface(`term_getattr_unallocated_ttys',`
 ')
 ########################################
 ## <interface name="term_setattr_unallocated_ttys">
 ## <desc>
 ##	Set the attributes of all unallocated
 ##	tty device nodes.
@ -473,7 +429,6 @@ interface(`term_getattr_unallocated_ttys',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_setattr_unallocated_ttys',`
 	gen_require(`
@ -486,7 +441,6 @@ interface(`term_setattr_unallocated_ttys',`
 ')
 ########################################
 ## <interface name="term_relabel_unallocated_ttys">
 ## <desc>
 ##	Relabel from and to the unallocated
 ##	tty type.
@ -494,7 +448,6 @@ interface(`term_setattr_unallocated_ttys',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_relabel_unallocated_ttys',`
 	gen_require(`
@ -507,7 +460,6 @@ interface(`term_relabel_unallocated_ttys',`
 ')
 ########################################
 ## <interface name="term_reset_tty_labels">
 ## <desc>
 ##	Relabel from all user tty types to
 ##	the unallocated tty type.
@ -515,7 +467,6 @@ interface(`term_relabel_unallocated_ttys',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_reset_tty_labels',`
 	gen_require(`
@ -530,14 +481,12 @@ interface(`term_reset_tty_labels',`
 ')
 ########################################
 ## <interface name="term_write_unallocated_ttys">
 ## <desc>
 ##	Write to unallocated ttys.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_write_unallocated_ttys',`
 	gen_require(`
@ -550,14 +499,12 @@ interface(`term_write_unallocated_ttys',`
 ')
 ########################################
 ## <interface name="term_use_unallocated_tty">
 ## <desc>
 ##	Read and write unallocated ttys.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_use_unallocated_tty',`
 	gen_require(`
@ -570,7 +517,6 @@ interface(`term_use_unallocated_tty',`
 ')
 ########################################
 ## <interface name="term_dontaudit_use_unallocated_tty">
 ## <desc>
 ##	Do not audit attempts to read or
 ##	write unallocated ttys.
@ -578,7 +524,6 @@ interface(`term_use_unallocated_tty',`
 ## <param name="domain">
 ##	The type of the process to not audit.
 ## </param>
 ## </interface>
 #
 interface(`term_dontaudit_use_unallocated_tty',`
 	gen_require(`
@ -590,7 +535,6 @@ interface(`term_dontaudit_use_unallocated_tty',`
 ')
 ########################################
 ## <interface name="term_getattr_all_user_ttys">
 ## <desc>
 ##	Get the attributes of all user tty
 ##	device nodes.
@ -598,7 +542,6 @@ interface(`term_dontaudit_use_unallocated_tty',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_getattr_all_user_ttys',`
 	gen_require(`
@ -611,7 +554,6 @@ interface(`term_getattr_all_user_ttys',`
 ')
 ########################################
 ## <interface name="term_dontaudit_getattr_all_user_ttys">
 ## <desc>
 ##	Do not audit attempts to get the
 ##	attributes of any user tty
@ -620,7 +562,6 @@ interface(`term_getattr_all_user_ttys',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_dontaudit_getattr_all_user_ttys',`
 	gen_require(`
@ -633,7 +574,6 @@ interface(`term_dontaudit_getattr_all_user_ttys',`
 ')
 ########################################
 ## <interface name="term_setattr_all_user_ttys">
 ## <desc>
 ##	Set the attributes of all user tty
 ##	device nodes.
@ -641,7 +581,6 @@ interface(`term_dontaudit_getattr_all_user_ttys',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_setattr_all_user_ttys',`
 	gen_require(`
@ -654,7 +593,6 @@ interface(`term_setattr_all_user_ttys',`
 ')
 ########################################
 ## <interface name="term_relabel_all_user_ttys">
 ## <desc>
 ##	Relabel from and to all user
 ##	user tty device nodes.
@ -662,7 +600,6 @@ interface(`term_setattr_all_user_ttys',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_relabel_all_user_ttys',`
 	gen_require(`
@ -675,14 +612,12 @@ interface(`term_relabel_all_user_ttys',`
 ')
 ########################################
 ## <interface name="term_write_all_user_ttys">
 ## <desc>
 ##	Write to all user ttys.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_write_all_user_ttys',`
 	gen_require(`
@ -695,14 +630,12 @@ interface(`term_write_all_user_ttys',`
 ')
 ########################################
 ## <interface name="term_use_all_user_ttys">
 ## <desc>
 ##	Read and write all user to all user ttys.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_use_all_user_ttys',`
 	gen_require(`
@ -715,7 +648,6 @@ interface(`term_use_all_user_ttys',`
 ')
 ########################################
 ## <interface name="term_dontaudit_use_all_user_ttys">
 ## <desc>
 ##	Do not audit attempts to read or write
 ##	any user ttys.
@ -723,7 +655,6 @@ interface(`term_use_all_user_ttys',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`term_dontaudit_use_all_user_ttys',`
 	gen_require(`
@ -734,4 +665,3 @@ interface(`term_dontaudit_use_all_user_ttys',`
 	dontaudit $1 ttynode:chr_file { read write };
 ')
 ## </module>
--- a/refpolicy/policy/modules/services/metadata.xml
+++ b/refpolicy/policy/modules/services/metadata.xml
@ -1 +0,0 @@
 <layer name="services">
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@ -1,4 +1,3 @@
 ## <module name="mta">
 ## <summary>Policy common to all email tranfer agents.</summary>
 #######################################
@ -194,14 +193,12 @@ interface(`mta_exec',`
 ')
 ########################################
 ## <interface name="mta_read_aliases">
 ## <desc>
 ##	Read mail address aliases.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`mta_read_aliases',`
 	gen_require(`
@ -293,4 +290,3 @@ interface(`mta_manage_queue',`
 	allow $1 mqueue_spool_t:file create_file_perms;
 ')
 ## </module>
--- a/refpolicy/policy/modules/services/remotelogin.if
+++ b/refpolicy/policy/modules/services/remotelogin.if
@ -1,15 +1,12 @@
 ## <module name="remotelogin">
 ## <summary>Policy for rshd, rlogind, and telnetd.</summary>
 ########################################
 ## <interface name="remotelogin_domtrans">
 ## <desc>
 ##	Domain transition to the remote login domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`remotelogin_domtrans',`
 	gen_require(`
@ -19,4 +16,3 @@ interface(`remotelogin_domtrans',`
 	auth_domtrans_login_program($1,remote_login_t)
 ')
 ## </module>
--- a/refpolicy/policy/modules/services/sendmail.if
+++ b/refpolicy/policy/modules/services/sendmail.if
@ -1,15 +1,12 @@
 ## <module name="sendmail">
 ## <summary>Policy for sendmail.</summary>
 ########################################
 ## <interface name="sendmail_domtrans">
 ## <desc>
 ##	Domain transition to sendmail.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`sendmail_domtrans',`
 	gen_require(`
@ -29,4 +26,3 @@ interface(`sendmail_domtrans',`
 	allow sendmail_t $1:process sigchld;
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@ -1,4 +1,3 @@
 ## <module name="authlogin">
 ## <summary>Common policy for authentication and user login.</summary>
 #######################################
@ -89,14 +88,12 @@ interface(`authlogin_per_userdomain_template',`
 ') dnl end authlogin_per_userdomain_template
 ########################################
 ## <interface name="auth_login_entry_type">
 ## <desc>
 ##	Use the login program as an entry point program.
 ## </desc>
 ## <param name="domain">
 ##	The type of process using the login program as entry point.
 ## </param>
 ## </interface>
 #
 interface(`auth_login_entry_type',`
 	gen_require(`
@ -107,7 +104,6 @@ interface(`auth_login_entry_type',`
 ')
 ########################################
 ## <interface name="auth_domtrans_login_program">
 ## <desc>
 ##	Execute a login_program in the target domain.
 ## </desc>
@ -117,7 +113,6 @@ interface(`auth_login_entry_type',`
 ## <param name="target_domain">
 ##	The type of the login_program process.
 ## </param>
 ## </interface>
 #
 interface(`auth_domtrans_login_program',`
 	gen_require(`
@ -137,14 +132,12 @@ interface(`auth_domtrans_login_program',`
 ')
 ########################################
 ## <interface name="auth_domtrans_chk_passwd">
 ## <desc>
 ##	Run unix_chkpwd to check a password.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`auth_domtrans_chk_passwd',`
 	gen_require(`
@ -181,14 +174,12 @@ interface(`auth_domtrans_chk_passwd',`
 ')
 ########################################
 ## <interface name="auth_dontaudit_getattr_shadow">
 ## <desc>
 ##	
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`auth_dontaudit_getattr_shadow',`
 	gen_require(`
@ -200,14 +191,12 @@ interface(`auth_dontaudit_getattr_shadow',`
 ')
 ########################################
 ## <interface name="auth_read_shadow">
 ## <desc>
 ##	Read the shadow passwords file (/etc/shadow)
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`auth_read_shadow',`
 	gen_require(`
@ -222,7 +211,6 @@ interface(`auth_read_shadow',`
 ')
 ########################################
 ## <interface name="auth_dontaudit_read_shadow">
 ## <desc>
 ##	Do not audit attempts to read the shadow
 ##	password file (/etc/shadow).
@ -230,7 +218,6 @@ interface(`auth_read_shadow',`
 ## <param name="domain">
 ##	The type of the domain to not audit.
 ## </param>
 ## </interface>
 #
 interface(`auth_dontaudit_read_shadow',`
 	gen_require(`
@ -242,14 +229,12 @@ interface(`auth_dontaudit_read_shadow',`
 ')
 ########################################
 ## <interface name="auth_rw_shadow">
 ## <desc>
 ##	Read and write the shadow password file (/etc/shadow).
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`auth_rw_shadow',`
 	gen_require(`
@ -325,14 +310,12 @@ interface(`auth_rw_lastlog',`
 ')
 ########################################
 ## <interface name="auth_domtrans_pam">
 ## <desc>
 ##	Execute pam programs in the pam domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`auth_domtrans_pam',`
 	gen_require(`
@ -351,7 +334,6 @@ interface(`auth_domtrans_pam',`
 ')
 ########################################
 ## <interface name="auth_run_pam">
 ## <desc>
 ##	Execute pam programs in the PAM domain.
 ## </desc>
@ -364,7 +346,6 @@ interface(`auth_domtrans_pam',`
 ## <param name="terminal">
 ##	The type of the terminal allow the PAM domain to use.
 ## </param>
 ## </interface>
 #
 interface(`auth_run_pam',`
 	gen_require(`
@ -378,14 +359,12 @@ interface(`auth_run_pam',`
 ')
 ########################################
 ## <interface name="auth_exec_pam">
 ## <desc>
 ##	Execute the pam program.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`auth_exec_pam',`
 	gen_require(`
@ -413,14 +392,12 @@ interface(`auth_read_pam_pid',`
 ')
 ########################################
 ## <interface name="auth_delete_pam_pid">
 ## <desc>
 ##	Delete pam PID files.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`auth_delete_pam_pid',`
 	gen_require(`
@ -507,7 +484,6 @@ interface(`auth_manage_pam_console_data',`
 ')
 ########################################
 ## <interface name="auth_relabel_all_files_except_shadow">
 ## <desc>
 ##	Relabel all files on the filesystem, except
 ##	the shadow passwords and listed exceptions.
@ -519,7 +495,6 @@ interface(`auth_manage_pam_console_data',`
 ##	The types to be excluded.  Each type or attribute
 ##	must be negated by the caller.
 ## </param>
 ## </interface>
 #
 interface(`auth_relabel_all_files_except_shadow',`
@ -531,7 +506,6 @@ interface(`auth_relabel_all_files_except_shadow',`
 ')
 ########################################
 ## <interface name="auth_manage_all_files_except_shadow">
 ## <desc>
 ##	Manage all files on the filesystem, except
 ##	the shadow passwords and listed exceptions.
@ -543,7 +517,6 @@ interface(`auth_relabel_all_files_except_shadow',`
 ##	The types to be excluded.  Each type or attribute
 ##	must be negated by the caller.
 ## </param>
 ## </interface>
 #
 interface(`auth_manage_all_files_except_shadow',`
@ -555,14 +528,12 @@ interface(`auth_manage_all_files_except_shadow',`
 ')
 ########################################
 ## <interface name="auth_domtrans_utempter">
 ## <desc>
 ##	Execute utempter programs in the utempter domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`auth_domtrans_utempter',`
 	gen_require(`
@ -581,7 +552,6 @@ interface(`auth_domtrans_utempter',`
 ')
 ########################################
 ## <interface name="auth_run_utempter">
 ## <desc>
 ##	Execute utempter programs in the utempter domain.
 ## </desc>
@ -594,7 +564,6 @@ interface(`auth_domtrans_utempter',`
 ## <param name="terminal">
 ##	The type of the terminal allow the utempter domain to use.
 ## </param>
 ## </interface>
 #
 interface(`auth_run_utempter',`
 	gen_require(`
@ -648,4 +617,3 @@ interface(`auth_rw_login_records',`
 	logging_search_logs($1)
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@ -1,15 +1,12 @@
 ## <module name="clock">
 ## <summary>Policy for reading and setting the hardware clock.</summary>
 ########################################
 ## <interface name="clock_domtrans">
 ## <desc>
 ##	Execute hwclock in the clock domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`clock_domtrans',`
 	gen_require(`
@ -27,7 +24,6 @@ interface(`clock_domtrans',`
 ')
 ########################################
 ## <interface name="clock_run">
 ## <desc>
 ##	Execute hwclock in the clock domain, and
 ##	allow the specified role the hwclock domain.
@ -41,7 +37,6 @@ interface(`clock_domtrans',`
 ## <param name="terminal">
 ##	The type of the terminal allow the clock domain to use.
 ## </param>
 ## </interface>
 #
 interface(`clock_run',`
 	gen_require(`
@ -55,14 +50,12 @@ interface(`clock_run',`
 ')
 ########################################
 ## <interface name="clock_exec">
 ##     <desc>
 ##             Execute hwclock
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
 ## </interface>
 #
 interface(`clock_exec',`
 	gen_require(`
@ -73,14 +66,12 @@ interface(`clock_exec',`
 ')
 ########################################
 ## <interface name="clock_rw_adjtime">
 ##     <desc>
 ##             Allow executing domain to modify clock drift
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
 ## </interface>
 #
 interface(`clock_rw_adjtime',`
 	gen_require(`
@ -92,4 +83,3 @@ interface(`clock_rw_adjtime',`
 	files_list_etc($1)
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@ -1,4 +1,3 @@
 ## <module name="corecommands">
 ## <summary>
 ## Core policy for shells, and generic programs
 ## in /bin, /sbin, /usr/bin, and /usr/sbin.
@ -148,7 +147,6 @@ interface(`corecmd_exec_ls',`
 ')
 ########################################
 ## <interface name="corecmd_shell_spec_domtrans">
 ## <desc>
 ##	Execute a shell in the target domain.  This
 ##	is an explicit transition, requiring the
@ -160,7 +158,6 @@ interface(`corecmd_exec_ls',`
 ## <param name="target_domain">
 ##	The type of the shell process.
 ## </param>
 ## </interface>
 #
 interface(`corecmd_shell_spec_domtrans',`
 	gen_require(`
@ -184,7 +181,6 @@ interface(`corecmd_shell_spec_domtrans',`
 ')
 ########################################
 ## <interface name="corecmd_domtrans_shell">
 ## <desc>
 ##	Execute a shell in the target domain.
 ## </desc>
@ -194,7 +190,6 @@ interface(`corecmd_shell_spec_domtrans',`
 ## <param name="target_domain">
 ##	The type of the shell process.
 ## </param>
 ## </interface>
 #
 interface(`corecmd_domtrans_shell',`
 	gen_require(`
@ -219,4 +214,3 @@ interface(`corecmd_chroot_exec_chroot',`
 	allow $1 self:capability sys_chroot;
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@ -1,4 +1,3 @@
 ## <module name="domain">
 ## <summary>Core policy for domains.</summary>
 ########################################
@ -92,7 +91,6 @@ interface(`domain_dyntrans_type',`
 ')
 ########################################
 ## <interface name="domain_subj_id_change_exempt">
 ## <desc>
 ##	Makes caller an exception to the constraint preventing
 ##	changing of user identity.
@ -100,7 +98,6 @@ interface(`domain_dyntrans_type',`
 ## <param name="domain">
 ##	The process type to make an exception to the constraint.
 ## </param>
 ## </interface>
 #
 interface(`domain_subj_id_change_exempt',`
 	gen_require(`
@ -111,7 +108,6 @@ interface(`domain_subj_id_change_exempt',`
 ')
 ########################################
 ## <interface name="domain_role_change_exempt">
 ## <desc>
 ##	Makes caller an exception to the constraint preventing
 ##	changing of role.
@ -119,7 +115,6 @@ interface(`domain_subj_id_change_exempt',`
 ## <param name="domain">
 ##	The process type to make an exception to the constraint.
 ## </param>
 ## </interface>
 #
 interface(`domain_role_change_exempt',`
 	gen_require(`
@ -130,7 +125,6 @@ interface(`domain_role_change_exempt',`
 ')
 ########################################
 ## <interface name="domain_obj_id_change_exempt">
 ## <desc>
 ##	Makes caller an exception to the constraint preventing
 ##	changing the user identity in object contexts.
@ -138,7 +132,6 @@ interface(`domain_role_change_exempt',`
 ## <param name="domain">
 ##	The process type to make an exception to the constraint.
 ## </param>
 ## </interface>
 #
 interface(`domain_obj_id_change_exempt',`
 	gen_require(`
@ -188,14 +181,12 @@ interface(`domain_setpriority_all_domains',`
 ')
 ########################################
 ## <interface name="domain_signal_all_domains">
 ## <desc>
 ##	Send general signals to all domains.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`domain_signal_all_domains',`
 	gen_require(`
@ -207,14 +198,12 @@ interface(`domain_signal_all_domains',`
 ')
 ########################################
 ## <interface name="domain_signull_all_domains">
 ## <desc>
 ##	Send a null signal to all domains.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`domain_signull_all_domains',`
 	gen_require(`
@ -226,14 +215,12 @@ interface(`domain_signull_all_domains',`
 ')
 ########################################
 ## <interface name="domain_sigstop_all_domains">
 ## <desc>
 ##	Send a stop signal to all domains.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`domain_sigstop_all_domains',`
 	gen_require(`
@ -245,14 +232,12 @@ interface(`domain_sigstop_all_domains',`
 ')
 ########################################
 ## <interface name="domain_sigchld_all_domains">
 ## <desc>
 ##	Send a child terminated signal to all domains.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`domain_sigchld_all_domains',`
 	gen_require(`
@ -264,14 +249,12 @@ interface(`domain_sigchld_all_domains',`
 ')
 ########################################
 ## <interface name="domain_kill_all_domains">
 ## <desc>
 ##	Send a kill signal to all domains.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`domain_kill_all_domains',`
 	gen_require(`
@ -285,14 +268,12 @@ interface(`domain_kill_all_domains',`
 ')
 ########################################
 ## <interface name="domain_read_all_domains_state">
 ## <desc>
 ##	Read the process state (/proc/pid) of all domains.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`domain_read_all_domains_state',`
 	gen_require(`
@ -316,7 +297,6 @@ interface(`domain_read_all_domains_state',`
 ')
 ########################################
 ## <interface name="domain_dontaudit_list_all_domains_proc">
 ## <desc>
 ##	Do not audit attempts to read the process state
 ##	directories of all domains.
@ -324,7 +304,6 @@ interface(`domain_read_all_domains_state',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`domain_dontaudit_list_all_domains_proc',`
 	gen_require(`
@ -336,14 +315,12 @@ interface(`domain_dontaudit_list_all_domains_proc',`
 ')
 ########################################
 ## <interface name="domain_getsession_all_domains">
 ## <desc>
 ##	Get the session ID of all domains.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`domain_getsession_all_domains',`
 	gen_require(`
@ -355,7 +332,6 @@ interface(`domain_getsession_all_domains',`
 ')
 ########################################
 ## <interface name="domain_dontaudit_getattr_all_udp_sockets">
 ## <desc>
 ##	Do not audit attempts to get the attributes
 ##	of all domains UDP sockets.
@ -363,7 +339,6 @@ interface(`domain_getsession_all_domains',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`domain_dontaudit_getattr_all_udp_sockets',`
 	gen_require(`
@ -375,7 +350,6 @@ interface(`domain_dontaudit_getattr_all_udp_sockets',`
 ')
 ########################################
 ## <interface name="domain_dontaudit_getattr_all_tcp_sockets">
 ## <desc>
 ##	Do not audit attempts to get the attributes
 ##	of all domains TCP sockets.
@ -383,7 +357,6 @@ interface(`domain_dontaudit_getattr_all_udp_sockets',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`domain_dontaudit_getattr_all_tcp_sockets',`
 	gen_require(`
@ -395,7 +368,6 @@ interface(`domain_dontaudit_getattr_all_tcp_sockets',`
 ')
 ########################################
 ## <interface name="domain_dontaudit_getattr_all_unix_dgram_sockets">
 ## <desc>
 ##	Do not audit attempts to get the attributes
 ##	of all domains unix datagram sockets.
@ -403,7 +375,6 @@ interface(`domain_dontaudit_getattr_all_tcp_sockets',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',`
 	gen_require(`
@ -415,7 +386,6 @@ interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',`
 ')
 ########################################
 ## <interface name="domain_dontaudit_getattr_all_unnamed_pipes">
 ## <desc>
 ##	Do not audit attempts to get the attributes
 ##	of all domains unnamed pipes.
@ -423,7 +393,6 @@ interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`domain_dontaudit_getattr_all_unnamed_pipes',`
 	gen_require(`
@ -461,7 +430,6 @@ interface(`domain_read_all_entry_files',`
 	allow $1 entry_type:file r_file_perms;
 ')
 ## </module>
 #
 # These next macros are not interfaces, but actually are 
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@ -1,4 +1,3 @@
 ## <module name="files">
 ## <summary>
 ## Basic filesystem types and interfaces.
 ## </summary>
@ -83,7 +82,6 @@ interface(`files_tmp_file',`
 ')
 ########################################
 ## <interface name="files_tmpfs_file">
 ## <desc>
 ##	Transform the type into a file, for use on a
 ##	virtual memory filesystem (tmpfs).
@ -91,7 +89,6 @@ interface(`files_tmp_file',`
 ## <param name="type">
 ##	The type to be transformed.
 ## </param>
 ## </interface>
 #
 interface(`files_tmpfs_file',`
 	gen_require(`
@ -125,7 +122,6 @@ interface(`files_getattr_all_files',`
 ')
 ########################################
 ## <interface name="files_relabel_all_files">
 ## <desc>
 ##	Relabel all files on the filesystem, except
 ##	the listed exceptions.
@ -137,7 +133,6 @@ interface(`files_getattr_all_files',`
 ##	The types to be excluded.  Each type or attribute
 ##	must be negated by the caller.
 ## </param>
 ## </interface>
 #
 interface(`files_relabel_all_files',`
 	gen_require(`
@ -164,7 +159,6 @@ interface(`files_relabel_all_files',`
 ')
 ########################################
 ## <interface name="files_manage_all_files">
 ## <desc>
 ##	Manage all files on the filesystem, except
 ##	the listed exceptions.
@ -176,7 +170,6 @@ interface(`files_relabel_all_files',`
 ##	The types to be excluded.  Each type or attribute
 ##	must be negated by the caller.
 ## </param>
 ## </interface>
 #
 interface(`files_manage_all_files',`
 	gen_require(`
@ -306,7 +299,6 @@ interface(`files_list_root',`
 ')
 ########################################
 ## <interface name="files_create_root">
 ## <desc>
 ##	Create an object in the root directory, with a private
 ##	type.  If no object class is specified, the
@ -324,7 +316,6 @@ interface(`files_list_root',`
 ##	The object class of the object being created.  If
 ##	no class is specified, file will be used.
 ## </param>
 ## </interface>
 #
 interface(`files_create_root',`
 	gen_require(`
@ -498,14 +489,12 @@ interface(`files_manage_generic_etc_files',`
 ')
 ########################################
 ## <interface name="files_delete_generic_etc_files">
 ## <desc>
 ##	Delete system configuration files in /etc.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`files_delete_generic_etc_files',`
 	gen_require(`
@ -642,14 +631,12 @@ interface(`files_dontaudit_search_isid_type_dir',`
 ')
 ########################################
 ## <interface name="files_list_home">
 ## <desc>
 ##	Get listing home home directories.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`files_list_home',`
 	gen_require(`
@ -743,14 +730,12 @@ interface(`files_read_usr_files',`
 ')
 ########################################
 ## <interface name="files_exec_usr_files">
 ## <desc>
 ##	Execute programs in /usr/src in the caller domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`files_exec_usr_files',`
 	gen_require(`
@ -810,14 +795,12 @@ interface(`files_dontaudit_search_var',`
 ')
 ########################################
 ## <interface name="files_search_var_lib">
 ## <desc>
 ##	Search the /var/lib directory.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`files_search_var_lib',`
 	gen_require(`
@ -987,14 +970,12 @@ interface(`files_rw_generic_pids',`
 ')
 ########################################
 ## <interface name="files_dontaudit_write_all_pids">
 ## <desc>
 ##	Do not audit attempts to write to daemon runtime data files.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`files_dontaudit_write_all_pids',`
 	gen_require(`
@ -1006,14 +987,12 @@ interface(`files_dontaudit_write_all_pids',`
 ')
 ########################################
 ## <interface name="files_dontaudit_ioctl_all_pids">
 ## <desc>
 ##	Do not audit attempts to ioctl daemon runtime data files.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`files_dontaudit_ioctl_all_pids',`
 	gen_require(`
@ -1123,4 +1102,3 @@ interface(`files_manage_spools',`
 	allow $1 var_spool_t:file create_file_perms;
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/getty.if
+++ b/refpolicy/policy/modules/system/getty.if
@ -1,15 +1,12 @@
 ## <module name="getty">
 ## <summary>Policy for getty.</summary>
 ########################################
 ## <interface name="getty_domtrans">
 ##     <desc>
 ##             Execute gettys in the getty domain.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
 ## </interface>
 #
 interface(`getty_domtrans',`
 	gen_require(`
@ -29,14 +26,12 @@ interface(`getty_domtrans',`
 ')
 ########################################
 ## <interface name="getty_read_log">
 ##     <desc>
 ##             Allow process to read getty log file.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
 ## </interface>
 #
 interface(`getty_read_log',`
 	gen_require(`
@ -49,14 +44,12 @@ interface(`getty_read_log',`
 ')
 ########################################
 ## <interface name="getty_read_config">
 ##     <desc>
 ##             Allow process to read getty config file.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
 ## </interface>
 #
 interface(`getty_read_config',`
 	gen_require(`
@ -69,14 +62,12 @@ interface(`getty_read_config',`
 ')
 ########################################
 ## <interface name="getty_modify_config">
 ##     <desc>
 ##             Allow process to edit getty config file.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
 ## </interface>
 #
 interface(`getty_modify_config',`
 	gen_require(`
@ -88,4 +79,3 @@ interface(`getty_modify_config',`
 	allow $1 getty_etc_t:file rw_file_perms;
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/hostname.if
+++ b/refpolicy/policy/modules/system/hostname.if
@ -1,8 +1,6 @@
 ## <module name="hostname">
 ## <summary>Policy for changing the system host name.</summary>
 ########################################
 ## <interface name="hostname_domtrans">
 ## <desc>
 ##	Execute hostname in the hostname domain.
 ## </desc>
@ -10,7 +8,6 @@
 ##	The type of the process performing this action.
 ##	Has a sigchld signal backchannel.
 ## </param>
 ## </interface>
 #
 interface(`hostname_domtrans',`
 	gen_require(`
@ -30,7 +27,6 @@ interface(`hostname_domtrans',`
 ')
 ########################################
 ## <interface name="hostname_run">
 ## <desc>
 ##	Execute hostname in the hostname domain, and
 ##	allow the specified role the hostname domain.
@ -45,7 +41,6 @@ interface(`hostname_domtrans',`
 ## <param name="terminal">
 ##	The type of the terminal allow the hostname domain to use.
 ## </param>
 ## </interface>
 #
 interface(`hostname_run',`
 	gen_require(`
@ -59,7 +54,6 @@ interface(`hostname_run',`
 ')
 ########################################
 ## <interface name="hostname_exec">
 ##     <desc>
 ##             Execute hostname in the hostname domain, and
 ##             Has a sigchld signal backchannel.
@ -67,7 +61,6 @@ interface(`hostname_run',`
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
 ## </interface>
 #
 interface(`hostname_exec',`
 	gen_require(`
@ -77,4 +70,3 @@ interface(`hostname_exec',`
 	can_exec($1,hostname_exec_t)
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@ -1,4 +1,3 @@
 ## <module name="hotplug">
 ## <summary>
 ## Policy for hotplug system, for supporting the
 ## connection and disconnection of devices at runtime.
@ -78,14 +77,12 @@ interface(`hotplug_dontaudit_search_config',`
 ')
 ########################################
 ## <interface name="hotplug_read_config">
 ## <desc>
 ##	Read the configuration files for hotplug.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`hotplug_read_config',`
 	gen_require(`
@ -101,4 +98,3 @@ interface(`hotplug_read_config',`
 	allow $1 hotplug_etc_t:lnk_file r_file_perms;
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@ -1,4 +1,3 @@
 ## <module name="init">
 ## <summary>System initialization programs (init and init scripts).</summary>
 ########################################
@ -260,14 +259,12 @@ interface(`init_exec_script',`
 ')
 ########################################
 ## <interface name="init_read_script_process_state">
 ## <desc>
 ##	Read the process state (/proc/pid) of the init scripts.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`init_read_script_process_state',`
 	gen_require(`
@ -330,14 +327,12 @@ interface(`init_get_script_process_group',`
 ')
 ########################################
 ## <interface name="init_rw_script_pipe">
 ## <desc>
 ##	Read and write init script unnamed pipes.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`init_rw_script_pipe',`
 	gen_require(`
@ -376,14 +371,12 @@ interface(`init_dontaudit_use_script_pty',`
 ')
 ########################################
 ## <interface name="init_rw_script_tmp_files">
 ## <desc>
 ##	Read and write init script temporary data.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`init_rw_script_tmp_files',`
 	gen_require(`
@ -449,4 +442,3 @@ interface(`init_dontaudit_rw_script_pid',`
 	dontaudit $1 initrc_var_run_t:file { getattr read write append };
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/iptables.if
+++ b/refpolicy/policy/modules/system/iptables.if
@ -1,15 +1,12 @@
 ## <module name="iptables">
 ## <summary>Policy for iptables.</summary>
 ########################################
 ## <interface name="iptables_domtrans">
 ## <desc>
 ##	Execute iptables in the iptables domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`iptables_domtrans',`
 	gen_require(`
@ -29,7 +26,6 @@ interface(`iptables_domtrans',`
 ')
 ########################################
 ## <interface name="iptables_run">
 ## <desc>
 ##	Execute iptables in the iptables domain, and
 ##	allow the specified role the iptables domain.
@ -43,7 +39,6 @@ interface(`iptables_domtrans',`
 ## <param name="terminal">
 ##	The type of the terminal allow the iptables domain to use.
 ## </param>
 ## </interface>
 #
 interface(`iptables_run',`
 	gen_require(`
@ -57,14 +52,12 @@ interface(`iptables_run',`
 ')
 ########################################
 ## <interface name="iptables_exec">
 ## <desc>
 ##	Execute iptables in the caller domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`iptables_exec',`
 	gen_require(`
@ -75,4 +68,3 @@ interface(`iptables_exec',`
 	can_exec($1,iptables_exec_t)
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@ -1,15 +1,12 @@
 ## <module name="libraries">
 ## <summary>Policy for system libraries.</summary>
 ########################################
 ## <interface name="libs_domtrans_ldconfig">
 ## <desc>
 ##	Execute ldconfig in the ldconfig domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`libs_domtrans_ldconfig',`
 	gen_require(`
@ -29,7 +26,6 @@ interface(`libs_domtrans_ldconfig',`
 ')
 ########################################
 ## <interface name="libs_run_ldconfig">
 ## <desc>
 ##	Execute ldconfig in the ldconfig domain.
 ## </desc>
@ -42,7 +38,6 @@ interface(`libs_domtrans_ldconfig',`
 ## <param name="terminal">
 ##	The type of the terminal allow the ldconfig domain to use.
 ## </param>
 ## </interface>
 #
 interface(`libs_run_ldconfig',`
 	gen_require(`
@ -56,7 +51,6 @@ interface(`libs_run_ldconfig',`
 ')
 ########################################
 ## <interface name="libs_use_ld_so">
 ## <desc>
 ##	Use the dynamic link/loader for automatic loading
 ##	of shared libraries.
@ -64,7 +58,6 @@ interface(`libs_run_ldconfig',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`libs_use_ld_so',`
 	gen_require(`
@ -83,7 +76,6 @@ interface(`libs_use_ld_so',`
 ')
 ########################################
 ## <interface name="libs_legacy_use_ld_so">
 ## <desc>
 ##	Use the dynamic link/loader for automatic loading
 ##	of shared libraries with legacy support.
@ -91,7 +83,6 @@ interface(`libs_use_ld_so',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`libs_legacy_use_ld_so',`
 	gen_require(`
@ -105,7 +96,6 @@ interface(`libs_legacy_use_ld_so',`
 ')
 ########################################
 ## <interface name="libs_exec_ld_so">
 ## <desc>
 ##	Execute the dynamic link/loader in the caller's
 ##	domain.  This is commonly needed for the
@ -114,7 +104,6 @@ interface(`libs_legacy_use_ld_so',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`libs_exec_ld_so',`
 	gen_require(`
@ -130,7 +119,6 @@ interface(`libs_exec_ld_so',`
 ')
 ########################################
 ## <interface name="libs_rw_ld_so_cache">
 ## <desc>
 ##	Modify the dynamic link/loader's cached listing
 ##	of shared libraries.
@ -138,7 +126,6 @@ interface(`libs_exec_ld_so',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`libs_rw_ld_so_cache',`
 	gen_require(`
@ -151,14 +138,12 @@ interface(`libs_rw_ld_so_cache',`
 ')
 ########################################
 ## <interface name="libs_search_lib">
 ## <desc>
 ##	Search lib directories.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`libs_search_lib',`
 	gen_require(`
@ -170,7 +155,6 @@ interface(`libs_search_lib',`
 ')
 ########################################
 ## <interface name="libs_read_lib">
 ## <desc>
 ##	Read files in the library directories, such
 ##	as static libraries.
@ -178,7 +162,6 @@ interface(`libs_search_lib',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`libs_read_lib',`
 	gen_require(`
@ -194,14 +177,12 @@ interface(`libs_read_lib',`
 ')
 ########################################
 ## <interface name="libs_exec_lib_files">
 ## <desc>
 ##	Execute library scripts in the caller domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`libs_exec_lib_files',`
 	gen_require(`
@ -217,14 +198,12 @@ interface(`libs_exec_lib_files',`
 ')
 ########################################
 ## <interface name="libs_use_shared_libs">
 ## <desc>
 ##	Load and execute functions from shared libraries.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`libs_use_shared_libs',`
 	gen_require(`
@ -242,7 +221,6 @@ interface(`libs_use_shared_libs',`
 ')
 ########################################
 ## <interface name="libs_legacy_use_shared_libs">
 ## <desc>
 ##	Load and execute functions from shared libraries,
 ##	with legacy support.
@ -250,7 +228,6 @@ interface(`libs_use_shared_libs',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`libs_legacy_use_shared_libs',`
 	gen_require(`
@ -262,4 +239,3 @@ interface(`libs_legacy_use_shared_libs',`
 	allow $1 { shlib_t texrel_shlib_t }:file execmod;
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/locallogin.if
+++ b/refpolicy/policy/modules/system/locallogin.if
@ -1,15 +1,12 @@
 ## <module name="locallogin">
 ## <summary>Policy for local logins.</summary>
 ########################################
 ## <interface name="locallogin_domtrans">
 ##     <desc>
 ##             Execute local logins in the locallogin domain.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
 ## </interface>
 #
 interface(`locallogin_domtrans',`
 	gen_require(`
@ -20,14 +17,12 @@ interface(`locallogin_domtrans',`
 ')
 ########################################
 ## <interface name="locallogin_use_fd">
 ##     <desc>
 ##             Allow processes to inherit local login file descriptors
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
 ## </interface>
 #
 interface(`locallogin_use_fd',`
 	gen_require(`
@ -38,4 +33,3 @@ interface(`locallogin_use_fd',`
 	allow $1 local_login_t:fd use;
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@ -1,4 +1,3 @@
 ## <module name="logging">
 ## <summary>Policy for the kernel message logger and system logging daemon.</summary>
 #######################################
@ -60,7 +59,6 @@ interface(`logging_send_syslog_msg',`
 ')
 ########################################
 ## <interface name="logging_search_logs">
 ## <desc>
 ##	Allows the domain to open a file in the
 ##	log directory, but does not allow the listing
@ -69,7 +67,6 @@ interface(`logging_send_syslog_msg',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`logging_search_logs',`
 	gen_require(`
@ -176,4 +173,3 @@ interface(`logging_rw_generic_logs',`
 	allow $1 var_log_t:file rw_file_perms;
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/lvm.if
+++ b/refpolicy/policy/modules/system/lvm.if
@ -1,15 +1,12 @@
 ## <module name="lvm">
 ## <summary>Policy for logical volume management programs.</summary>
 ########################################
 ## <interface name="lvm_domtrans">
 ## <desc>
 ##	Execute lvm programs in the lvm domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`lvm_domtrans',`
 	gen_require(`
@ -29,7 +26,6 @@ interface(`lvm_domtrans',`
 ')
 ########################################
 ## <interface name="lvm_run">
 ## <desc>
 ##	Execute lvm programs in the lvm domain.
 ## </desc>
@ -42,7 +38,6 @@ interface(`lvm_domtrans',`
 ## <param name="terminal">
 ##	The type of the terminal allow the LVM domain to use.
 ## </param>
 ## </interface>
 #
 interface(`lvm_run',`
 	gen_require(`
@ -56,14 +51,12 @@ interface(`lvm_run',`
 ')
 ########################################
 ## <interface name="lvm_read_config">
 ## <desc>
 ##	Read LVM configuration files.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`lvm_read_config',`
 	gen_require(`
@ -77,4 +70,3 @@ interface(`lvm_read_config',`
 	allow $1 lvm_etc_t:file r_file_perms;
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/metadata.xml
+++ b/refpolicy/policy/modules/system/metadata.xml
@ -1 +0,0 @@
 <layer name="system">
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@ -1,8 +1,6 @@
 ## <module name="miscfiles">
 ## <summary>Miscelaneous files.</summary>
 ########################################
 ## <interface name="miscfiles_rw_man_cache">
 ##     <desc>
 ##             Allow process to create files and dirs in /var/cache/man
 ##             and /var/catman/
@ -10,7 +8,6 @@
 ##     <param name="domain">
 ##             Type type of the process performing this action.
 ##     </param>
 ## </interface>
 #
 interface(`miscfiles_rw_man_cache',`
 	gen_require(`
@ -25,14 +22,12 @@ interface(`miscfiles_rw_man_cache',`
 ')
 ########################################
 ## <interface name="miscfiles_read_fonts">
 ##     <desc>
 ##             Allow process to read fonts files
 ##     </desc>
 ##     <param name="domain">
 ##             Type type of the process performing this action.
 ##     </param>
 ## </interface>
 #
 interface(`miscfiles_read_fonts',`
 	gen_require(`
@ -50,14 +45,12 @@ interface(`miscfiles_read_fonts',`
 ')
 ########################################
 ## <interface name="miscfiles_read_localization">
 ##     <desc>
 ##             Allow process to read localization info
 ##     </desc>
 ##     <param name="domain">
 ##             Type type of the process performing this action.
 ##     </param>
 ## </interface>
 #
 interface(`miscfiles_read_localization',`
 	gen_require(`
@ -79,14 +72,12 @@ interface(`miscfiles_read_localization',`
 ')
 ########################################
 ## <interface name="miscfiles_legacy_read_localization">
 ##     <desc>
 ##             Allow process to read legacy time localization info
 ##     </desc>
 ##     <param name="domain">
 ##             Type type of the process performing this action.
 ##     </param>
 ## </interface>
 #
 interface(`miscfiles_legacy_read_localization',`
 	gen_require(`
@ -99,14 +90,12 @@ interface(`miscfiles_legacy_read_localization',`
 ')
 ########################################
 ## <interface name="miscfiles_read_man_pages">
 ##     <desc>
 ##             Allow process to read manpages
 ##     </desc>
 ##     <param name="domain">
 ##             Type type of the process performing this action.
 ##     </param>
 ## </interface>
 #
 interface(`miscfiles_read_man_pages',`
 	gen_require(`
@ -122,4 +111,3 @@ interface(`miscfiles_read_man_pages',`
 	allow $1 man_t:lnk_file r_file_perms;
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@ -1,15 +1,12 @@
 ## <module name="modutils">
 ## <summary>Policy for kernel module utilities</summary>
 ########################################
 ## <interface name="modutils_read_kernel_module_dependencies">
 ## <desc>
 ##	Read the dependencies of kernel modules.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`modutils_read_kernel_module_dependencies',`
 	gen_require(`
@ -22,7 +19,6 @@ interface(`modutils_read_kernel_module_dependencies',`
 ')
 ########################################
 ## <interface name="modutils_read_module_conf">
 ## <desc>
 ##	Read the configuration options used when
 ##	loading modules.
@ -30,7 +26,6 @@ interface(`modutils_read_kernel_module_dependencies',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`modutils_read_module_conf',`
 	gen_require(`
@ -47,14 +42,12 @@ interface(`modutils_read_module_conf',`
 ')
 ########################################
 ## <interface name="modutils_domtrans_insmod">
 ## <desc>
 ##	Execute insmod in the insmod domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`modutils_domtrans_insmod',`
 	gen_require(`
@ -74,7 +67,6 @@ interface(`modutils_domtrans_insmod',`
 ')
 ########################################
 ## <interface name="modutils_run_insmod">
 ## <desc>
 ##	Execute insmod in the insmod domain, and
 ##	allow the specified role the insmod domain,
@ -90,7 +82,6 @@ interface(`modutils_domtrans_insmod',`
 ## <param name="terminal">
 ##	The type of the terminal allow the insmod domain to use.
 ## </param>
 ## </interface>
 #
 interface(`modutils_run_insmod',`
 	gen_require(`
@ -117,14 +108,12 @@ interface(`modutils_exec_insmod',`
 ')
 ########################################
 ## <interface name="modutils_domtrans_depmod">
 ## <desc>
 ##	Execute depmod in the depmod domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`modutils_domtrans_depmod',`
 	gen_require(`
@ -144,7 +133,6 @@ interface(`modutils_domtrans_depmod',`
 ')
 ########################################
 ## <interface name="modutils_run_depmod">
 ## <desc>
 ##	Execute depmod in the depmod domain.
 ## </desc>
@ -157,7 +145,6 @@ interface(`modutils_domtrans_depmod',`
 ## <param name="terminal">
 ##	The type of the terminal allow the depmod domain to use.
 ## </param>
 ## </interface>
 #
 interface(`modutils_run_depmod',`
 	gen_require(`
@ -184,14 +171,12 @@ interface(`modutils_exec_depmod',`
 ')
 ########################################
 ## <interface name="modutils_domtrans_update_mods">
 ## <desc>
 ##	Execute depmod in the depmod domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`modutils_domtrans_update_mods',`
 	gen_require(`
@ -211,7 +196,6 @@ interface(`modutils_domtrans_update_mods',`
 ')
 ########################################
 ## <interface name="modutils_run_update_mods">
 ## <desc>
 ##	Execute update_modules in the update_modules domain.
 ## </desc>
@ -224,7 +208,6 @@ interface(`modutils_domtrans_update_mods',`
 ## <param name="terminal">
 ##	The type of the terminal allow the update_modules domain to use.
 ## </param>
 ## </interface>
 #
 interface(`modutils_run_update_mods',`
 	gen_require(`
@ -250,4 +233,3 @@ interface(`modutils_exec_update_mods',`
 	can_exec($1, update_modules_exec_t)
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@ -1,15 +1,12 @@
 ## <module name="mount">
 ## <summary>Policy for mount.</summary>
 ########################################
 ## <interface name="mount_domtrans">
 ## <desc>
 ##	Execute mount in the mount domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`mount_domtrans',`
 	gen_require(`
@ -28,7 +25,6 @@ interface(`mount_domtrans',`
 ')
 ########################################
 ## <interface name="mount_run">
 ## <desc>
 ##	Execute mount in the mount domain, and
 ##	allow the specified role the mount domain,
@ -43,7 +39,6 @@ interface(`mount_domtrans',`
 ## <param name="terminal">
 ##	The type of the terminal allow the mount domain to use.
 ## </param>
 ## </interface>
 #
 interface(`mount_run',`
 	gen_require(`
@ -57,14 +52,12 @@ interface(`mount_run',`
 ')
 ########################################
 ## <interface name="mount_use_fd">
 ##     <desc>
 ##             Use file descriptors for mount.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
 ## </interface>
 #
 interface(`mount_use_fd',`
 	gen_require(`
@ -76,7 +69,6 @@ interface(`mount_use_fd',`
 ')
 ########################################
 ## <interface name="mount_send_nfs_client_request">
 ##     <desc>
 ##             Allow the mount domain to send nfs requests for mounting
 ##             network drives
@ -84,7 +76,6 @@ interface(`mount_use_fd',`
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
 ## </interface>
 #
 interface(`mount_send_nfs_client_request',`
 	gen_require(`
@ -95,4 +86,3 @@ interface(`mount_send_nfs_client_request',`
 	allow $1 mount_t:udp_socket rw_socket_perms;
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@ -1,15 +1,12 @@
 ## <module name="selinuxutil">
 ## <summary>Policy for SELinux policy and userland applications.</summary>
 #######################################
 ## <interface name="seutil_domtrans_checkpol">
 ## <desc>
 ##	Execute checkpolicy in the checkpolicy domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`seutil_domtrans_checkpol',`
 	gen_require(`
@ -30,7 +27,6 @@ interface(`seutil_domtrans_checkpol',`
 ')
 ########################################
 ## <interface name="seutil_run_checkpol">
 ## <desc>
 ##	Execute checkpolicy in the checkpolicy domain, and
 ##	allow the specified role the checkpolicy domain,
@ -46,7 +42,6 @@ interface(`seutil_domtrans_checkpol',`
 ## <param name="terminal">
 ##	The type of the terminal allow the checkpolicy domain to use.
 ## </param>
 ## </interface>
 #
 interface(`seutil_run_checkpol',`
 	gen_require(`
@ -74,14 +69,12 @@ interface(`seutil_exec_checkpol',`
 ')
 #######################################
 ## <interface name="seutil_domtrans_loadpol">
 ## <desc>
 ##	Execute load_policy in the load_policy domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`seutil_domtrans_loadpol',`
 	gen_require(`
@ -101,7 +94,6 @@ interface(`seutil_domtrans_loadpol',`
 ')
 ########################################
 ## <interface name="seutil_run_loadpol">
 ## <desc>
 ##	Execute load_policy in the load_policy domain, and
 ##	allow the specified role the load_policy domain,
@ -117,7 +109,6 @@ interface(`seutil_domtrans_loadpol',`
 ## <param name="terminal">
 ##	The type of the terminal allow the load_policy domain to use.
 ## </param>
 ## </interface>
 #
 interface(`seutil_run_loadpol',`
 	gen_require(`
@ -158,14 +149,12 @@ interface(`seutil_read_loadpol',`
 ')
 #######################################
 ## <interface name="seutil_domtrans_newrole">
 ## <desc>
 ##	Execute newrole in the load_policy domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`seutil_domtrans_newrole',`
 	gen_require(`
@ -186,7 +175,6 @@ interface(`seutil_domtrans_newrole',`
 ')
 ########################################
 ## <interface name="seutil_run_newrole">
 ## <desc>
 ##	Execute newrole in the newrole domain, and
 ##	allow the specified role the newrole domain,
@ -201,7 +189,6 @@ interface(`seutil_domtrans_newrole',`
 ## <param name="terminal">
 ##	The type of the terminal allow the newrole domain to use.
 ## </param>
 ## </interface>
 #
 interface(`seutil_run_newrole',`
 	gen_require(`
@ -229,7 +216,6 @@ interface(`seutil_exec_newrole',`
 ')
 ########################################
 ## <interface name="seutil_dontaudit_newrole_signal">
 ## <desc>
 ##	Do not audit the caller attempts to send
 ##	a signal to newrole.
@ -237,7 +223,6 @@ interface(`seutil_exec_newrole',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`seutil_dontaudit_newrole_signal',`
 	gen_require(`
@ -275,14 +260,12 @@ interface(`seutil_use_newrole_fd',`
 ')
 #######################################
 ## <interface name="seutil_domtrans_restorecon">
 ## <desc>
 ##	Execute restorecon in the restorecon domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`seutil_domtrans_restorecon',`
 	gen_require(`
@ -302,7 +285,6 @@ interface(`seutil_domtrans_restorecon',`
 ')
 ########################################
 ## <interface name="seutil_run_restorecon">
 ## <desc>
 ##	Execute restorecon in the restorecon domain, and
 ##	allow the specified role the restorecon domain,
@ -317,7 +299,6 @@ interface(`seutil_domtrans_restorecon',`
 ## <param name="terminal">
 ##	The type of the terminal allow the restorecon domain to use.
 ## </param>
 ## </interface>
 #
 interface(`seutil_run_restorecon',`
 	gen_require(`
@ -344,14 +325,12 @@ interface(`seutil_exec_restorecon',`
 ')
 ########################################
 ## <interface name="seutil_domtrans_runinit">
 ## <desc>
 ##	Execute run_init in the run_init domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`seutil_domtrans_runinit',`
 	gen_require(`
@ -372,7 +351,6 @@ interface(`seutil_domtrans_runinit',`
 ')
 ########################################
 ## <interface name="seutil_run_runinit">
 ## <desc>
 ##	Execute run_init in the run_init domain, and
 ##	allow the specified role the run_init domain,
@ -387,7 +365,6 @@ interface(`seutil_domtrans_runinit',`
 ## <param name="terminal">
 ##	The type of the terminal allow the run_init domain to use.
 ## </param>
 ## </interface>
 #
 interface(`seutil_run_runinit',`
 	gen_require(`
@ -414,14 +391,12 @@ interface(`seutil_use_runinit_fd',`
 ')
 ########################################
 ## <interface name="seutil_domtrans_setfiles">
 ## <desc>
 ##	Execute setfiles in the setfiles domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`seutil_domtrans_setfiles',`
 	gen_require(`
@ -442,7 +417,6 @@ interface(`seutil_domtrans_setfiles',`
 ')
 ########################################
 ## <interface name="seutil_run_setfiles">
 ## <desc>
 ##	Execute setfiles in the setfiles domain, and
 ##	allow the specified role the setfiles domain,
@ -457,7 +431,6 @@ interface(`seutil_domtrans_setfiles',`
 ## <param name="terminal">
 ##	The type of the terminal allow the setfiles domain to use.
 ## </param>
 ## </interface>
 #
 interface(`seutil_run_setfiles',`
 	gen_require(`
@ -571,14 +544,12 @@ interface(`seutil_create_binary_pol',`
 ')
 ########################################
 ## <interface name="seutil_relabelto_binary_pol">
 ## <desc>
 ##	Allow the caller to relabel a file to the binary policy type.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`seutil_relabelto_binary_pol',`
 	gen_require(`
@ -644,4 +615,3 @@ interface(`seutil_manage_src_pol',`
 	allow $1 policy_src_t:file create_file_perms;
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@ -1,15 +1,12 @@
 ## <module name="sysnetwork">
 ## <summary>Policy for network configuration: ifconfig and dhcp client.</summary>
 #######################################
 ## <interface name="sysnet_domtrans_dhcpc">
 ##     <desc>
 ##             Execute dhcp client in dhcpc domain.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
 ## </interface>
 #
 interface(`sysnet_domtrans_dhcpc',`
 	gen_require(`
@ -29,14 +26,12 @@ interface(`sysnet_domtrans_dhcpc',`
 ')
 #######################################
 ## <interface name="sysnet_domtrans_ifconfig">
 ## <desc>
 ##	Execute ifconfig in the ifconfig domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`sysnet_domtrans_ifconfig',`
 	gen_require(`
@ -56,7 +51,6 @@ interface(`sysnet_domtrans_ifconfig',`
 ')
 ########################################
 ## <interface name="sysnet_run_ifconfig">
 ## <desc>
 ##	Execute ifconfig in the ifconfig domain, and
 ##	allow the specified role the ifconfig domain,
@ -71,7 +65,6 @@ interface(`sysnet_domtrans_ifconfig',`
 ## <param name="terminal">
 ##	The type of the terminal allow the ifconfig domain to use.
 ## </param>
 ## </interface>
 #
 interface(`sysnet_run_ifconfig',`
 	gen_require(`
@ -86,14 +79,12 @@ interface(`sysnet_run_ifconfig',`
 ')
 #######################################
 ## <interface name="sysnet_read_config">
 ##     <desc>
 ##             Allow network init to read network config files.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
 ## </interface>
 #
 interface(`sysnet_read_config',`
 	gen_require(`
@ -105,4 +96,3 @@ interface(`sysnet_read_config',`
 	allow $1 net_conf_t:file r_file_perms;
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@ -1,15 +1,12 @@
 ## <module name="udev">
 ## <summary>Policy for udev.</summary>
 ########################################
 ## <interface name="udev_domtrans">
 ##     <desc>
 ##             Execute udev in the udev domain.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
 ## </interface>
 #
 interface(`udev_domtrans',`
 	gen_require(`
@ -28,14 +25,12 @@ interface(`udev_domtrans',`
 ')
 ########################################
 ## <interface name="udev_read_db">
 ##     <desc>
 ##             Allow process to read list of devices.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
 ## </interface>
 #
 interface(`udev_read_db',`
 	gen_require(`
@ -48,14 +43,12 @@ interface(`udev_read_db',`
 ')
 ########################################
 ## <interface name="udev_rw_db">
 ##     <desc>
 ##             Allow process to modify list of devices.
 ##     </desc>
 ##     <param name="domain">
 ##             The type of the process performing this action.
 ##     </param>
 ## </interface>
 #
 interface(`udev_rw_db',`
 	gen_require(`
@ -67,4 +60,3 @@ interface(`udev_rw_db',`
 	allow $1 udev_tdb_t:file rw_file_perms;
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -1,4 +1,3 @@
 ## <module name="userdomain">
 ## <summary>Policy for user domains</summary>
 ########################################
@ -809,7 +808,6 @@ template(`admin_domain_template',`
 ')
 ########################################
 ## <interface name="userdom_spec_domtrans_all_users">
 ## <desc>
 ##	Execute a shell in all user domains.  This
 ##	is an explicit transition, requiring the
@ -818,7 +816,6 @@ template(`admin_domain_template',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`userdom_spec_domtrans_all_users',`
 	gen_require(`
@ -829,7 +826,6 @@ interface(`userdom_spec_domtrans_all_users',`
 ')
 ########################################
 ## <interface name="userdom_spec_domtrans_unpriv_users">
 ## <desc>
 ##	Execute a shell in all unprivileged user domains.  This
 ##	is an explicit transition, requiring the
@ -838,7 +834,6 @@ interface(`userdom_spec_domtrans_all_users',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`userdom_spec_domtrans_unpriv_users',`
 	gen_require(`
@ -849,14 +844,12 @@ interface(`userdom_spec_domtrans_unpriv_users',`
 ')
 ########################################
 ## <interface name="userdom_shell_domtrans_sysadm">
 ## <desc>
 ##	Execute a shell in the sysadm domain.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`userdom_shell_domtrans_sysadm',`
 	gen_require(`
@ -867,14 +860,12 @@ interface(`userdom_shell_domtrans_sysadm',`
 ')
 ########################################
 ## <interface name="userdom_use_sysadm_tty">
 ## <desc>
 ##	Read and write sysadm ttys.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`userdom_use_sysadm_tty',`
 	gen_require(`
@ -888,14 +879,12 @@ interface(`userdom_use_sysadm_tty',`
 ')
 ########################################
 ## <interface name="userdom_use_sysadm_terms">
 ## <desc>
 ##	Read and write sysadm ttys and ptys.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`userdom_use_sysadm_terms',`
 	gen_require(`
@ -909,14 +898,12 @@ interface(`userdom_use_sysadm_terms',`
 ')
 ########################################
 ## <interface name="userdom_dontaudit_use_sysadm_terms">
 ## <desc>
 ##	Do not audit attempts to use admin ttys and ptys.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`userdom_dontaudit_use_sysadm_terms',`
 	gen_require(`
@ -928,14 +915,12 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
 ')
 ########################################
 ## <interface name="userdom_search_all_users_home">
 ## <desc>
 ##	Search all users home directories.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`userdom_search_all_users_home',`
 	gen_require(`
@ -948,14 +933,12 @@ interface(`userdom_search_all_users_home',`
 ')
 ########################################
 ## <interface name="userdom_read_all_user_data">
 ## <desc>
 ##	Read all files in all users home directories.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`userdom_read_all_user_data',`
 	gen_require(`
@ -970,14 +953,12 @@ interface(`userdom_read_all_user_data',`
 ')
 ########################################
 ## <interface name="userdom_use_all_user_fd">
 ## <desc>
 ##	Inherit the file descriptors from all user domains
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`userdom_use_all_user_fd',`
 	gen_require(`
@ -989,14 +970,12 @@ interface(`userdom_use_all_user_fd',`
 ')
 ########################################
 ## <interface name="userdom_signal_all_users">
 ## <desc>
 ##	Send general signals to all user domains.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`userdom_signal_all_users',`
 	gen_require(`
@ -1008,14 +987,12 @@ interface(`userdom_signal_all_users',`
 ')
 ########################################
 ## <interface name="userdom_signal_unpriv_users">
 ## <desc>
 ##	Send general signals to unprivileged user domains.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`userdom_signal_unpriv_users',`
 	gen_require(`
@ -1027,14 +1004,12 @@ interface(`userdom_signal_unpriv_users',`
 ')
 ########################################
 ## <interface name="userdom_use_unpriv_users_fd">
 ## <desc>
 ##	Inherit the file descriptors from all user domains.
 ## </desc>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`userdom_use_unpriv_users_fd',`
 	gen_require(`
@ -1046,7 +1021,6 @@ interface(`userdom_use_unpriv_users_fd',`
 ')
 ########################################
 ## <interface name="userdom_dontaudit_use_unpriv_user_fd">
 ## <desc>
 ##	Do not audit attempts to inherit the
 ##	file descriptors from all user domains.
@ -1054,7 +1028,6 @@ interface(`userdom_use_unpriv_users_fd',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 ## </interface>
 #
 interface(`userdom_dontaudit_use_unpriv_user_fd',`
 	gen_require(`
@ -1065,4 +1038,3 @@ interface(`userdom_dontaudit_use_unpriv_user_fd',`
 	dontaudit $1 unpriv_userdomain:fd use;
 ')
 ## </module>