From 884309360770a5d264cc22a39742c3a6d573aaef Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Fri, 12 Aug 2005 19:28:30 +0000
Subject: [PATCH] more comments

---
 refpolicy/policy/modules/kernel/selinux.if | 54 +++++++++++++++++++---
 1 file changed, 47 insertions(+), 7 deletions(-)

diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if
index daf8e844..837a94aa 100644
--- a/refpolicy/policy/modules/kernel/selinux.if
+++ b/refpolicy/policy/modules/kernel/selinux.if
@@ -1,5 +1,5 @@
 ## <summary>
-## Policy for kernel security interface, in particular, selinuxfs.
+##	Policy for kernel security interface, in particular, selinuxfs.
 ## </summary>
 ## <required val="true">
 ##	Contains the policy for the kernel SELinux security interface.
@@ -61,6 +61,16 @@ interface(`selinux_get_enforce_mode',`
 ##	Allow caller to set the mode of policy enforcement
 ##	(enforcing or permissive mode).
 ## </summary>
+## <desc>
+##	<p>
+##	Allow caller to set the mode of policy enforcement
+##	(enforcing or permissive mode).
+##	</p>
+##	<p>
+##	Since this is a security event, this action is
+##	always audited.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	The process type to allow to set the enforcement mode.
 ## </param>
@@ -110,6 +120,16 @@ interface(`selinux_load_policy',`
 ##	Allow caller to set the state of Booleans to
 ##	enable or disable conditional portions of the policy.
 ## </summary>
+## <desc>
+##	<p>
+##	Allow caller to set the state of Booleans to
+##	enable or disable conditional portions of the policy.
+##	</p>
+##	<p>
+##	Since this is a security event, this action is
+##	always audited.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	The process type allowed to set the Boolean.
 ## </param>
@@ -140,8 +160,19 @@ interface(`selinux_set_boolean',`
 
 ########################################
 ## <summary>
-##	Allow caller to set selinux security parameters.
+##	Allow caller to set SELinux access vector cache parameters.
 ## </summary>
+## <desc>
+##	<p>
+##	Allow caller to set SELinux access vector cache parameters.
+##	The allows the domain to set performance related parameters
+##	of the AVC, such as cache threshold.
+##	</p>
+##	<p>
+##	Since this is a security event, this action is
+##	always audited.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	The process type to allow to set security parameters.
 ## </param>
@@ -206,10 +237,10 @@ interface(`selinux_compute_access_vector',`
 
 ########################################
 ## <summary>
-##	
+##	Calculate the default type for object creation.
 ## </summary>
 ## <param name="domain">
-##	
+##	Domain allowed access.
 ## </param>
 #
 interface(`selinux_compute_create_context',`
@@ -227,10 +258,19 @@ interface(`selinux_compute_create_context',`
 
 ########################################
 ## <summary>
-##	
+##	Calculate the context for relabeling objects.
 ## </summary>
+## <desc>
+##	<p>
+##	Calculate the context for relabeling objects.
+##	This is determined by using the type_change
+##	rules in the policy, and is generally used
+##	for determining the context for relabeling
+##	a terminal when a user logs in.
+##	</p>
+## </desc>
 ## <param name="domain">
-##	The process type to
+##	Domain allowed access.
 ## </param>
 #
 interface(`selinux_compute_relabel_context',`
@@ -269,7 +309,7 @@ interface(`selinux_compute_user_contexts',`
 
 ########################################
 ## <summary>
-##	Unconfined access to the SELinux security server.
+##	Unconfined access to the SELinux kernel security server.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.