xml building changes, add desc tag to booleans, add summary tag to bools

2006-02-10 18:41:53 +00:00 · 2006-02-10 18:41:53 +00:00 · 885b83ec9f
commit 885b83ec9f
parent 9778406fdc
148 changed files with 4391 additions and 221 deletions
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@ -273,7 +273,7 @@ $(POLXML): $(DETECTED_MODS:.te=.if) $(foreach dir,$(ALL_LAYERS),$(dir)/$(LAYERXM
 	@mkdir -p tmp
 	$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
 	$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(XMLDTD))">' >> $@
-	$(verbose) $(GENXML) -w -m $(LAYERXML) -t $(GLOBALTUN) -b $(GLOBALBOOL) $(ALL_LAYERS) >> $@
+	$(verbose) $(GENXML) -m $(LAYERXML) -t $(GLOBALTUN) -b $(GLOBALBOOL) -o tmp $(ALL_LAYERS) >> $@
 	$(verbose) if test -x $(XMLLINT) && test -f $(XMLDTD); then \
 		$(XMLLINT) --noout --dtdvalid $(XMLDTD) $@ ;\
 	fi
@ -358,21 +358,38 @@ $(APPDIR)/users/root: $(APPCONF)/root_default_contexts
 #
 # Install policy headers
 #
-install-headers: $(DETECTED_MODS:.te=.if) $(ROLEMAP) $(M4SUPPORT)
+install-headers: doc/policy.xml
 	@mkdir -p $(HEADERDIR)
 	@echo "Installing policy headers"
-	$(verbose) install -m 644 $^ $(HEADERDIR)
-	$(verbose) $(GENPERM) $(AVS) $(SECCLASS) > $(HEADERDIR)/all_perms.spt
+	$(verbose) install -m 644 tmp/global_{tunables,booleans}.xml $(HEADERDIR)
+	$(verbose) m4 $(M4PARAM) $(ROLEMAP) > $(HEADERDIR)/$(notdir $(ROLEMAP))
+	$(verbose) mkdir -p $(HEADERDIR)/support
+	$(verbose) install -m 644 $(M4SUPPORT) $(GENXML) $(XMLDTD) $(HEADERDIR)/support
+	$(verbose) $(GENPERM) $(AVS) $(SECCLASS) > $(HEADERDIR)/support/all_perms.spt
+	$(verbose) for i in $(notdir $(ALL_LAYERS)); do \
+		mkdir -p $(HEADERDIR)/$$i ;\
+		install -m 644 $(MODDIR)/$$i/*.if \
+			$(MODDIR)/$$i/metadata.xml \
+			$(HEADERDIR)/$$i ;\
+	done
+	$(verbose) echo "TYPE=$(TYPE)" > $(HEADERDIR)/build.conf
+	$(verbose) echo "NAME=$(NAME)" >> $(HEADERDIR)/build.conf
+ifneq "$(DISTRO)" ""
+	$(verbose) echo "DISTRO=$(DISTRO)" >> $(HEADERDIR)/build.conf
+endif
+	$(verbose) echo "MONOLITHIC=n" >> $(HEADERDIR)/build.conf
+	$(verbose) echo "DIRECT_INITRC=$(DIRECT_INITRC)" >> $(HEADERDIR)/build.conf
+	$(verbose) echo "POLY=$(POLY)" >> $(HEADERDIR)/build.conf
+	$(verbose) install -m 644 $(SUPPORT)/Makefile.devel $(HEADERDIR)/Makefile

 ########################################
 #
 # Install policy documentation
 #
-install-docs: $(DOCFILES) build.conf tmp/html
+install-docs: tmp/html
 	@mkdir -p $(DOCSDIR)/html
 	@echo "Installing policy documentation"
 	$(verbose) install -m 644 $(DOCFILES) $(DOCSDIR)
-	$(verbose) install -m 644 build.conf $(DOCSDIR)/build.conf.example
 	$(verbose) install -m 644 $(wildcard $(HTMLDIR)/*) $(DOCSDIR)/html

 ########################################
--- a/refpolicy/doc/Makefile.example
+++ b/refpolicy/doc/Makefile.example
@ -1,140 +1,6 @@

-include build.conf
+NAME ?= refpolicy
+SHAREDIR := /usr/share/selinux
+HEADERDIR := $(SHAREDIR)/$(NAME)/include

-# executables
-PREFIX := /usr
-BINDIR := $(PREFIX)/bin
-SBINDIR := $(PREFIX)/sbin
-CHECKMODULE := $(BINDIR)/checkmodule
-SEMODULE := $(SBINDIR)/semodule
-SEMOD_PKG := $(BINDIR)/semodule_package
-
-# helper tools
-AWK ?= gawk
-INSTALL ?= install
-M4 ?= m4
-SED ?= sed
-EINFO ?= echo
-
-# installation paths
-SHAREDIR := $(PREFIX)/share/selinux
-MODPKGDIR := $(SHAREDIR)/$(NAME)
-HEADERDIR := $(SHAREDIR)/refpolicy/include
-
-# set default build options
-TYPE ?= strict
-NAME ?= $(TYPE)
-DIRECT_INITRC ?= n
-POLY ?= n
-
-# compile strict policy if requested.
-ifneq ($(findstring strict,$(TYPE)),)
-	M4PARAM += -D strict_policy
-endif
-
-# compile targeted policy if requested.
-ifneq ($(findstring targeted,$(TYPE)),)
-	M4PARAM += -D targeted_policy
-endif
-
-# enable MLS if requested.
-ifneq ($(findstring -mls,$(TYPE)),)
-	M4PARAM += -D enable_mls
-	CHECKPOLICY += -M
-	CHECKMODULE += -M
-endif
-
-# enable MLS if MCS requested.
-ifneq ($(findstring -mcs,$(TYPE)),)
-	M4PARAM += -D enable_mcs
-	CHECKPOLICY += -M
-	CHECKMODULE += -M
-endif
-
-# enable distribution-specific policy
-ifneq ($(DISTRO),)
-	M4PARAM += -D distro_$(DISTRO)
-endif
-
-# enable polyinstantiation
-ifeq ($(POLY),y)
-	M4PARAM += -D enable_polyinstantiation
-endif
-
-ifeq ($(DIRECT_INITRC),y)
-	M4PARAM += -D direct_sysadm_daemon
-endif
-
-ifneq ($(VERBOSE),y)
-	quiet := @
-endif
-
-M4PARAM += -D hide_broken_symptoms
-
-# policy headers
-m4support := $(wildcard $(HEADERDIR)/*.spt)
-all_interfaces := $(wildcard $(HEADERDIR)/*.if)
-rolemap := $(HEADERDIR)/rolemap
-
-detected_mods := $(wildcard *.te)
-detected_ifs := $(detected_mods:.te=.if)
-all_packages := $(detected_mods:.te=.pp)
-install_mods := $(MODPKGDIR)/$(all_packages)
-
-########################################
-#
-# Functions
-#
-
-# parse-rolemap modulename,outputfile
-define parse-rolemap
-	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
-		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
-endef
-
-# peruser-expansion modulename,outputfile
-define peruser-expansion
-	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
-	$(call parse-rolemap,$1,$2)
-	$(verbose) echo "')" >> $2
-endef
-
-########################################
-#
-# Main targets
-#
-
-all: $(all_packages)
-
-########################################
-#
-# Build module packages
-#
-tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
-	@$(EINFO) "Compliling $(NAME) $(basename $(@F)) module"
-	@test -d tmp || mkdir -p tmp
-	$(call peruser-expansion,$(basename $(@F)),$@.role)
-	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
-	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
-
-tmp/%.mod.fc: $(m4support) %.fc
-	$(verbose) $(M4) $(M4PARAM) $^ > $@
-
-%.pp: tmp/%.mod tmp/%.mod.fc
-	@echo "Creating $(NAME) $(@F) policy package"
-	$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
-
-tmp/all_interfaces.conf: $(m4support) $(all_interfaces) $(detected_ifs)
-	@test -d tmp || mkdir -p tmp
-	$(verbose) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
-
-########################################
-#
-# Clean the environment
-#
-
-clean:
-	rm -fR tmp
-	rm -f *.pp
-
-.PHONY: clean install all default
+include $(HEADERDIR)/Makefile
--- a/refpolicy/doc/policy.dtd
+++ b/refpolicy/doc/policy.dtd
@ -11,11 +11,11 @@
 <!ELEMENT required (#PCDATA)>
 <!ATTLIST required
      val (true|false) "false">
-<!ELEMENT tunable (#PCDATA)>
+<!ELEMENT tunable (desc)>
 <!ATTLIST tunable
      name CDATA #REQUIRED
      dftval CDATA #REQUIRED>
-<!ELEMENT bool (#PCDATA)>
+<!ELEMENT bool (desc)>
 <!ATTLIST bool
      name CDATA #REQUIRED
      dftval CDATA #REQUIRED>
@ -25,7 +25,7 @@
 <!ELEMENT template (summary,desc?,param+)>
 <!ATTLIST template name CDATA #REQUIRED lineno CDATA #REQUIRED>
 <!ELEMENT desc (#PCDATA|%inline.class;)*>
-<!ELEMENT param (#PCDATA)>
+<!ELEMENT param (summary)>
 <!ATTLIST param 
      name CDATA #REQUIRED
      optional (true|false) "false">
--- a/refpolicy/doc/templates/global_bool_list.html
+++ b/refpolicy/doc/templates/global_bool_list.html
@ -8,7 +8,7 @@
 <p>[[bool['def_val']]]</p>
 [[if bool['desc']]]
 <h5>Description</h5>
-<p>[[bool['desc']]]</p>
+[[bool['desc']]]
 [[end]]
 </div></div>
 [[end]]
--- a/refpolicy/doc/templates/global_tun_list.html
+++ b/refpolicy/doc/templates/global_tun_list.html
@ -8,7 +8,7 @@
 <p>[[tun['def_val']]]</p>
 [[if tun['desc']]]
 <h5>Description</h5>
-<p>[[tun['desc']]]</p>
+[[tun['desc']]]
 [[end]]
 </div></div>
 [[end]]
--- a/refpolicy/policy/global_booleans
+++ b/refpolicy/policy/global_booleans
@ -4,15 +4,27 @@
 # file should be used.
 #

+## <desc>
+## <p>
 ## Enabling secure mode disallows programs, such as
 ## newrole, from transitioning to administrative
 ## user domains.
+## </p>
+## </desc>
 gen_bool(secure_mode,false)

+## <desc>
+## <p>
 ## Disable transitions to insmod.
+## </p>
+## </desc>
 gen_bool(secure_mode_insmod,false)

+## <desc>
+## <p>
 ## boolean to determine whether the system permits loading policy, setting
 ## enforcing mode, and changing boolean values.  Set this to true and you
 ## have to reboot to set it back
+## </p>
+## </desc>
 gen_bool(secure_mode_policyload,false)
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@ -9,142 +9,312 @@
 # Common tunables
 #

+## <desc>
+## <p>
 ## Allow cvs daemon to read shadow
+## </p>
+## </desc>
+#
 gen_tunable(allow_cvs_read_shadow,false)

+## <desc>
+## <p>
 ## Allow making the heap executable.
+## </p>
+## </desc>
 gen_tunable(allow_execheap,false)

+
+## <desc>
+## <p>
 ## Allow making anonymous memory executable, e.g. 
 ## for runtime-code generation or executable stack.
+## </p>
+## </desc>
 gen_tunable(allow_execmem,false)

+## <desc>
+## <p>
 ## Allow making a modified private file
 ## mapping executable (text relocation).
+## </p>
+## </desc>
 gen_tunable(allow_execmod,false)

+## <desc>
+## <p>
 ## Allow making the stack executable via mprotect.
 ## Also requires allow_execmem.
+## </p>
+## </desc>
 gen_tunable(allow_execstack,false)

+## <desc>
+## <p>
 ## Allow ftp servers to modify public files
 ## used for public file transfer services.
+## </p>
+## </desc>
 gen_tunable(allow_ftpd_anon_write,false)

+## <desc>
+## <p>
 ## Allow gssd to read temp directory.
+## </p>
+## </desc>
 gen_tunable(allow_gssd_read_tmp,true)

+## <desc>
+## <p>
 ## Allow Apache to modify public files
 ## used for public file transfer services.
+## </p>
+## </desc>
 gen_tunable(allow_httpd_anon_write,false)

+## <desc>
+## <p>
 ## Allow java executable stack
+## </p>
+## </desc>
 gen_tunable(allow_java_execstack,false)

+## <desc>
+## <p>
 ## Allow system to run with kerberos
+## </p>
+## </desc>
 gen_tunable(allow_kerberos,false)

+## <desc>
+## <p>
 ## Allow rsync to modify public files
 ## used for public file transfer services.
+## </p>
+## </desc>
 gen_tunable(allow_rsync_anon_write,false)

+## <desc>
+## <p>
 ## Allow sasl to read shadow
+## </p>
+## </desc>
 gen_tunable(allow_saslauthd_read_shadow,false)

+## <desc>
+## <p>
 ## Allow samba to modify public files
 ## used for public file transfer services.
+## </p>
+## </desc>
 gen_tunable(allow_smbd_anon_write,false)

+## <desc>
+## <p>
 ## Allow sysadm to ptrace all processes
+## </p>
+## </desc>
 gen_tunable(allow_ptrace,false)

+## <desc>
+## <p>
 ## Allow system to run with NIS
+## </p>
+## </desc>
 gen_tunable(allow_ypbind,false)

+## <desc>
+## <p>
 ## Enable extra rules in the cron domain
 ## to support fcron.
+## </p>
+## </desc>
 gen_tunable(fcron_crond,false)

+## <desc>
+## <p>
 ## Allow ftp to read and write files in the user home directories
+## </p>
+## </desc>
 gen_tunable(ftp_home_dir,false)

+## <desc>
+## <p>
 ## Allow ftpd to run directly without inetd
+## </p>
+## </desc>
 gen_tunable(ftpd_is_daemon,false)

+## <desc>
+## <p>
 ## Allow httpd to use built in scripting (usually php)
+## </p>
+## </desc>
 gen_tunable(httpd_builtin_scripting,false)

+## <desc>
+## <p>
 ## Allow http daemon to tcp connect 
+## </p>
+## </desc>
 gen_tunable(httpd_can_network_connect,false)

-## allow httpd to connect to mysql/posgresql 
+## <desc>
+## <p>
+## Allow httpd to connect to mysql/posgresql 
+## </p>
+## </desc>
 gen_tunable(httpd_can_network_connect_db, false)

-## allow httpd to act as a relay 
+## <desc>
+## <p>
+## Allow httpd to act as a relay 
+## </p>
+## </desc>
 gen_tunable(httpd_can_network_relay, false)

+## <desc>
+## <p>
 ## Allow httpd cgi support
+## </p>
+## </desc>
 gen_tunable(httpd_enable_cgi,false)

+## <desc>
+## <p>
 ## Allow httpd to act as a FTP server by
 ## listening on the ftp port.
+## </p>
+## </desc>
 gen_tunable(httpd_enable_ftp_server,false)

+## <desc>
+## <p>
 ## Allow httpd to read home directories
+## </p>
+## </desc>
 gen_tunable(httpd_enable_homedirs,false)

+## <desc>
+## <p>
 ## Run SSI execs in system CGI script domain.
+## </p>
+## </desc>
 gen_tunable(httpd_ssi_exec,false)

+## <desc>
+## <p>
 ## Allow http daemon to communicate with the TTY
+## </p>
+## </desc>
 gen_tunable(httpd_tty_comm,false)

+## <desc>
+## <p>
 ## Run CGI in the main httpd domain
+## </p>
+## </desc>
 gen_tunable(httpd_unified,false)

+## <desc>
+## <p>
 ## Allow BIND to write the master zone files.
 ## Generally this is used for dynamic DNS.
+## </p>
+## </desc>
 gen_tunable(named_write_master_zones,false)

+## <desc>
+## <p>
 ## Allow nfs to be exported read/write.
+## </p>
+## </desc>
 gen_tunable(nfs_export_all_rw,false)

+## <desc>
+## <p>
 ## Allow nfs to be exported read only
+## </p>
+## </desc>
 gen_tunable(nfs_export_all_ro,false)

+## <desc>
+## <p>
 ## Allow pppd to load kernel modules for certain modems
+## </p>
+## </desc>
 gen_tunable(pppd_can_insmod,false)

+## <desc>
+## <p>
 ## Allow reading of default_t files.
+## </p>
+## </desc>
 gen_tunable(read_default_t,false)

+## <desc>
+## <p>
 ## Allow ssh to run from inetd instead of as a daemon.
+## </p>
+## </desc>
 gen_tunable(run_ssh_inetd,false)

+## <desc>
+## <p>
 ## Allow samba to export user home directories.
+## </p>
+## </desc>
 gen_tunable(samba_enable_home_dirs,false)

+## <desc>
+## <p>
 ## Allow spamassassin to do DNS lookups
+## </p>
+## </desc>
 gen_tunable(spamassasin_can_network,false)

+## <desc>
+## <p>
 ## Allow squid to connect to all ports, not just
 ## HTTP, FTP, and Gopher ports.
+## </p>
+## </desc>
 gen_tunable(squid_connect_any,false)

+## <desc>
+## <p>
 ## Allow ssh logins as sysadm_r:sysadm_t
+## </p>
+## </desc>
 gen_tunable(ssh_sysadm_login,false)

+## <desc>
+## <p>
 ## Configure stunnel to be a standalone daemon or
 ## inetd service.
+## </p>
+## </desc>
 gen_tunable(stunnel_is_daemon,false)

+## <desc>
+## <p>
 ## Support NFS home directories
+## </p>
+## </desc>
 gen_tunable(use_nfs_home_dirs,false)

+## <desc>
+## <p>
 ## Support SAMBA home directories
+## </p>
+## </desc>
 gen_tunable(use_samba_home_dirs,false)

+## <desc>
+## <p>
 ## Control users use of ping and traceroute
+## </p>
+## </desc>
 gen_tunable(user_ping,false)

 ########################################
@ -153,69 +323,141 @@ gen_tunable(user_ping,false)
 #

 ifdef(`targeted_policy',`',`
+## <desc>
+## <p>
 ## Allow gpg executable stack
+## </p>
+## </desc>
 gen_tunable(allow_gpg_execstack,false)

+## <desc>
+## <p>
 ## allow host key based authentication
+## </p>
+## </desc>
 gen_tunable(allow_ssh_keysign,false)

+## <desc>
+## <p>
 ## Allow users to connect to mysql
+## </p>
+## </desc>
 gen_tunable(allow_user_mysql_connect,false)

+## <desc>
+## <p>
 ## Allow cdrecord to read various content.
 ## nfs, samba, removable devices, user temp
 ## and untrusted content files
+## </p>
+## </desc>
 gen_tunable(cdrecord_read_content,false)

+## <desc>
+## <p>
 ## Allow system cron jobs to relabel filesystem
 ## for restoring file contexts.
+## </p>
+## </desc>
 gen_tunable(cron_can_relabel,false)

+## <desc>
+## <p>
 ## Allow pppd to be run for a regular user
+## </p>
+## </desc>
 gen_tunable(pppd_for_user,false)

+## <desc>
+## <p>
 ## Allow applications to read untrusted content
 ## If this is disallowed, Internet content has
 ## to be manually relabeled for read access to be granted
+## </p>
+## </desc>
 gen_tunable(read_untrusted_content,false)

+## <desc>
+## <p>
 ## Allow user spamassassin clients to use the network.
+## </p>
+## </desc>
 gen_tunable(spamassassin_can_network,false)

+## <desc>
+## <p>
 ## Allow staff_r users to search the sysadm home 
 ## dir and read files (such as ~/.bashrc)
+## </p>
+## </desc>
 gen_tunable(staff_read_sysadm_file,false)

+## <desc>
+## <p>
 ## Allow regular users direct mouse access 
+## </p>
+## </desc>
 gen_tunable(user_direct_mouse,false)

+## <desc>
+## <p>
 ## Allow users to read system messages.
+## </p>
+## </desc>
 gen_tunable(user_dmesg,false)

+## <desc>
+## <p>
 ## Allow users to control network interfaces
 ## (also needs USERCTL=true)
+## </p>
+## </desc>
 gen_tunable(user_net_control,false)

+## <desc>
+## <p>
 ## Allow user to r/w files on filesystems
 ## that do not have extended attributes (FAT, CDROM, FLOPPY)
+## </p>
+## </desc>
 gen_tunable(user_rw_noexattrfile,false)

+## <desc>
+## <p>
 ## Allow users to rw usb devices
+## </p>
+## </desc>
 gen_tunable(user_rw_usb,false)

+## <desc>
+## <p>
 ## Allow users to run TCP servers (bind to ports and accept connection from
 ## the same domain and outside users)  disabling this forces FTP passive mode
 ## and may change other protocols.
+## </p>
+## </desc>
 gen_tunable(user_tcp_server,false)

+## <desc>
+## <p>
 ## Allow w to display everyone
+## </p>
+## </desc>
 gen_tunable(user_ttyfile_stat,false)

+## <desc>
+## <p>
 ## Allow applications to write untrusted content
 ## If this is disallowed, no Internet content
 ## will be stored.
+## </p>
+## </desc>
 gen_tunable(write_untrusted_content,false)

+## <desc>
+## <p>
 ## Allow xdm logins as sysadm
+## </p>
+## </desc>
 gen_tunable(xdm_sysadm_login,false)
 ')
--- a/refpolicy/policy/modules/admin/acct.if
+++ b/refpolicy/policy/modules/admin/acct.if
@ -5,7 +5,9 @@
 ##	Transition to the accounting management domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`acct_domtrans',`
@ -27,7 +29,9 @@ interface(`acct_domtrans',`
 ##	Execute accounting management tools in the caller domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`acct_exec',`
@ -44,7 +48,9 @@ interface(`acct_exec',`
 ##	Execute accounting management data in the caller domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 # cjp: this is added for logrotate, and does
@ -63,7 +69,9 @@ interface(`acct_exec_data',`
 ##	Create, read, write, and delete process accounting data.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`acct_manage_data',`
--- a/refpolicy/policy/modules/admin/alsa.if
+++ b/refpolicy/policy/modules/admin/alsa.if
@ -5,7 +5,9 @@
 ##	Domain transition to alsa
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`alsa_domtrans',`
@ -27,7 +29,9 @@ interface(`alsa_domtrans',`
 ##	Allow read and write access to alsa semaphores.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`alsa_rw_semaphores',`
@ -43,7 +47,9 @@ interface(`alsa_rw_semaphores',`
 ##	Allow read and write access to alsa shared memory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`alsa_rw_shared_mem',`
--- a/refpolicy/policy/modules/admin/amanda.if
+++ b/refpolicy/policy/modules/admin/amanda.if
@ -5,7 +5,9 @@
 ##	Execute amrecover in the amanda_recover domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`amanda_domtrans_recover',`
@ -27,13 +29,19 @@ interface(`amanda_domtrans_recover',`
 ##	allow the specified role the amanda_recover domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the amanda_recover domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the amanda_recover domain to use.
+##	</summary>
 ## </param>
 #
 interface(`amanda_run_recover',`
@ -51,7 +59,9 @@ interface(`amanda_run_recover',`
 ##	Search amanda library directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`amanda_search_lib',`
@ -68,7 +78,9 @@ interface(`amanda_search_lib',`
 ##	Do not audit attempts to read /etc/dumpdates.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`amanda_dontaudit_read_dumpdates',`
--- a/refpolicy/policy/modules/admin/certwatch.if
+++ b/refpolicy/policy/modules/admin/certwatch.if
@ -5,7 +5,9 @@
 ##	Domain transition to certwatch.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`certwatch_domtrans',`
@ -31,13 +33,19 @@ interface(`certwatch_domtrans',`
 ##	backchannel.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the certwatch domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the certwatch domain to use.
+##	</summary>
 ## </param>
 #
 interface(`certwatach_run',`
--- a/refpolicy/policy/modules/admin/consoletype.if
+++ b/refpolicy/policy/modules/admin/consoletype.if
@ -7,7 +7,9 @@
 ##	Execute consoletype in the consoletype domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`consoletype_domtrans',`
@ -30,13 +32,19 @@ interface(`consoletype_domtrans',`
 ##	allow the specified role the consoletype domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the consoletype domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the consoletype domain to use.
+##	</summary>
 ## </param>
 #
 interface(`consoletype_run',`
@ -54,7 +62,9 @@ interface(`consoletype_run',`
 ##	Execute consoletype in the caller domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`consoletype_exec',`
--- a/refpolicy/policy/modules/admin/ddcprobe.if
+++ b/refpolicy/policy/modules/admin/ddcprobe.if
@ -5,7 +5,9 @@
 ##	Execute ddcprobe in the ddcprobe domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`ddcprobe_domtrans',`
@ -27,13 +29,19 @@ interface(`ddcprobe_domtrans',`
 ##	allow the specified role the ddcprobe domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	Role to be authenticated for ddcprobe domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the clock domain to use.
+##	</summary>
 ## </param>
 #
 interface(`ddcprobe_run',`
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ b/refpolicy/policy/modules/admin/dmesg.if
@ -5,7 +5,9 @@
 ##	Execute dmesg in the dmesg domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`dmesg_domtrans',`
@ -36,7 +38,9 @@ interface(`dmesg_domtrans',`
 ##	Execute dmesg in the caller domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`dmesg_exec',`
--- a/refpolicy/policy/modules/admin/dmidecode.if
+++ b/refpolicy/policy/modules/admin/dmidecode.if
@ -5,7 +5,9 @@
 ##	Execute dmidecode in the dmidecode domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`dmidecode_domtrans',`
@ -27,13 +29,19 @@ interface(`dmidecode_domtrans',`
 ##	allow the specified role the dmidecode domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the dmidecode domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the dmidecode domain to use.
+##	</summary>
 ## </param>
 #
 interface(`dmidecode_run',`
--- a/refpolicy/policy/modules/admin/firstboot.if
+++ b/refpolicy/policy/modules/admin/firstboot.if
@ -8,7 +8,9 @@
 ##	Execute firstboot in the firstboot domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`firstboot_domtrans',`
@ -30,13 +32,19 @@ interface(`firstboot_domtrans',`
 ##	allow the specified role the firstboot domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the firstboot domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the firstboot domain to use.
+##	</summary>
 ## </param>
 #
 interface(`firstboot_run',`
@ -54,7 +62,9 @@ interface(`firstboot_run',`
 ##	Inherit and use a file descriptor from firstboot.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`firstboot_use_fd',`
@ -71,7 +81,9 @@ interface(`firstboot_use_fd',`
 ##	file descriptor from firstboot.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`firstboot_dontaudit_use_fd',`
@ -87,7 +99,9 @@ interface(`firstboot_dontaudit_use_fd',`
 ##	Write to a firstboot unnamed pipe.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`firstboot_write_pipes',`
--- a/refpolicy/policy/modules/admin/kudzu.if
+++ b/refpolicy/policy/modules/admin/kudzu.if
@ -5,7 +5,9 @@
 ##	Execute kudzu in the kudzu domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`kudzu_domtrans',`
@ -27,13 +29,19 @@ interface(`kudzu_domtrans',`
 ##	allow the specified role the kudzu domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the kudzu domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the kudzu domain to use.
+##	</summary>
 ## </param>
 #
 interface(`kudzu_run',`
@ -51,7 +59,9 @@ interface(`kudzu_run',`
 ##	Get attributes of kudzu executable.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 # cjp: added for ddcprobe
--- a/refpolicy/policy/modules/admin/logrotate.if
+++ b/refpolicy/policy/modules/admin/logrotate.if
@ -5,7 +5,9 @@
 ##	Execute logrotate in the logrotate domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`logrotate_domtrans',`
@ -27,13 +29,19 @@ interface(`logrotate_domtrans',`
 ##	allow the specified role the logrotate domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the logrotate domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the logrotate domain to use.
+##	</summary>
 ## </param>
 #
 interface(`logrotate_run',`
@ -51,7 +59,9 @@ interface(`logrotate_run',`
 ##	Execute logrotate in the caller domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`logrotate_exec',`
@ -67,7 +77,9 @@ interface(`logrotate_exec',`
 ##	Inherit and use logrotate file descriptors.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`logrotate_use_fd',`
@ -83,7 +95,9 @@ interface(`logrotate_use_fd',`
 ##	Do not audit attempts to inherit logrotate file descriptors.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process to not audit.
+##	</summary>
 ## </param>
 #
 interface(`logrotate_dontaudit_use_fd',`
@ -99,7 +113,9 @@ interface(`logrotate_dontaudit_use_fd',`
 ##	Read a logrotate temporary files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process to not audit.
+##	</summary>
 ## </param>
 #
 interface(`logrotate_read_tmp_files',`
--- a/refpolicy/policy/modules/admin/logwatch.if
+++ b/refpolicy/policy/modules/admin/logwatch.if
@ -5,7 +5,9 @@
 ##	Read logwatch temporary files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`logwatch_read_tmp_files',`
--- a/refpolicy/policy/modules/admin/mrtg.if
+++ b/refpolicy/policy/modules/admin/mrtg.if
@ -5,7 +5,9 @@
 ##	Create and append mrtg logs.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mrtg_append_create_logs',`
--- a/refpolicy/policy/modules/admin/netutils.if
+++ b/refpolicy/policy/modules/admin/netutils.if
@ -5,7 +5,9 @@
 ##	Execute network utilities in the netutils domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`netutils_domtrans',`
@ -27,13 +29,19 @@ interface(`netutils_domtrans',`
 ##	allow the specified role the netutils domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the netutils domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the netutils domain to use.
+##	</summary>
 ## </param>
 #
 interface(`netutils_run',`
@ -51,7 +59,9 @@ interface(`netutils_run',`
 ##	Execute network utilities in the caller domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`netutils_exec',`
@ -67,7 +77,9 @@ interface(`netutils_exec',`
 ##	Execute ping in the ping domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`netutils_domtrans_ping',`
@ -89,13 +101,19 @@ interface(`netutils_domtrans_ping',`
 ##	allow the specified role the ping domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the ping domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the ping domain to use.
+##	</summary>
 ## </param>
 #
 interface(`netutils_run_ping',`
@ -114,13 +132,19 @@ interface(`netutils_run_ping',`
 ##	allow the specified role the ping domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the ping domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the ping domain to use.
+##	</summary>
 ## </param>
 #
 interface(`netutils_run_ping_cond',`
@ -142,7 +166,9 @@ interface(`netutils_run_ping_cond',`
 ##	Execute ping in the caller domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`netutils_exec_ping',`
@ -158,7 +184,9 @@ interface(`netutils_exec_ping',`
 ##	Execute traceroute in the traceroute domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`netutils_domtrans_traceroute',`
@ -180,13 +208,19 @@ interface(`netutils_domtrans_traceroute',`
 ##	allow the specified role the traceroute domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the traceroute domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the traceroute domain to use.
+##	</summary>
 ## </param>
 #
 interface(`netutils_run_traceroute',`
@ -205,13 +239,19 @@ interface(`netutils_run_traceroute',`
 ##	allow the specified role the traceroute domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the traceroute domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the traceroute domain to use.
+##	</summary>
 ## </param>
 #
 interface(`netutils_run_traceroute_cond',`
@ -233,7 +273,9 @@ interface(`netutils_run_traceroute_cond',`
 ##	Execute traceroute in the caller domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`netutils_exec_traceroute',`
--- a/refpolicy/policy/modules/admin/portage.if
+++ b/refpolicy/policy/modules/admin/portage.if
@ -8,7 +8,9 @@
 ##	Execute emerge in the portage domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`portage_domtrans',`
@ -32,13 +34,19 @@ interface(`portage_domtrans',`
 ##	allow the specified role the portage domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to allow the portage domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow for portage to use.
+##	</summary>
 ## </param>
 #
 interface(`portage_run',`
@ -72,7 +80,9 @@ interface(`portage_run',`
 ##	</p>
 ## </desc>
 ## <param name="prefix">
+##	<summary>
 ##	Name to be used to derive types.
+##	</summary>
 ## </param>
 #
 template(`portage_compile_domain_template',`
--- a/refpolicy/policy/modules/admin/prelink.if
+++ b/refpolicy/policy/modules/admin/prelink.if
@ -5,7 +5,9 @@
 ##	Execute the prelink program in the prelink domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`prelink_domtrans',`
@ -27,7 +29,9 @@ interface(`prelink_domtrans',`
 ##	Make the specified file type prelinkable.
 ## </summary>
 ## <param name="file_type">
+##	<summary>
 ##	File type to be prelinked.
+##	</summary>
 ## </param>
 #
 # cjp: added for misc non-entrypoint objects
@ -44,7 +48,9 @@ interface(`prelink_object_file',`
 ##	Read the prelink cache.
 ## </summary>
 ## <param name="file_type">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`prelink_read_cache',`
@ -61,7 +67,9 @@ interface(`prelink_read_cache',`
 ##	Delete the prelink cache.
 ## </summary>
 ## <param name="file_type">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`prelink_delete_cache',`
@ -78,7 +86,9 @@ interface(`prelink_delete_cache',`
 ##	prelink log files.
 ## </summary>
 ## <param name="file_type">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`prelink_manage_log',`
--- a/refpolicy/policy/modules/admin/quota.if
+++ b/refpolicy/policy/modules/admin/quota.if
@ -5,7 +5,9 @@
 ##	Execute quota management tools in the quota domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`quota_domtrans',`
@ -27,13 +29,19 @@ interface(`quota_domtrans',`
 ##	allow the specified role the quota domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the quota domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the quota domain to use.
+##	</summary>
 ## </param>
 #
 interface(`quota_run',`
@ -52,7 +60,9 @@ interface(`quota_run',`
 ##	of filesystem quota data files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`quota_dontaudit_getattr_db',`
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@ -5,7 +5,9 @@
 ##	Execute rpm programs in the rpm domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`rpm_domtrans',`
@ -28,7 +30,9 @@ interface(`rpm_domtrans',`
 ##	Execute rpm_script programs in the rpm_script domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`rpm_domtrans_script',`
@ -50,13 +54,19 @@ interface(`rpm_domtrans_script',`
 ##	Execute RPM programs in the RPM domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to allow the RPM domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the RPM domain to use.
+##	</summary>
 ## </param>
 #
 interface(`rpm_run',`
@ -76,7 +86,9 @@ interface(`rpm_run',`
 ##	Inherit and use file descriptors from RPM.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`rpm_use_fd',`
@ -92,7 +104,9 @@ interface(`rpm_use_fd',`
 ##	Read from an unnamed RPM pipe.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`rpm_read_pipes',`
@ -108,7 +122,9 @@ interface(`rpm_read_pipes',`
 ##	Read and write an unnamed RPM pipe.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`rpm_rw_pipes',`
@ -124,7 +140,9 @@ interface(`rpm_rw_pipes',`
 ##	Create, read, write, and delete the RPM log.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`rpm_manage_log',`
@ -141,7 +159,9 @@ interface(`rpm_manage_log',`
 ##	Inherit and use file descriptors from RPM scripts.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`rpm_use_script_fd',`
@ -157,7 +177,9 @@ interface(`rpm_use_script_fd',`
 ##	Read the RPM package database.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`rpm_read_db',`
@ -176,7 +198,9 @@ interface(`rpm_read_db',`
 ##	Create, read, write, and delete the RPM package database.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`rpm_manage_db',`
@ -196,7 +220,9 @@ interface(`rpm_manage_db',`
 ##	write, and delete the RPM package database.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`rpm_dontaudit_manage_db',`
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@ -98,14 +98,20 @@ template(`su_restricted_domain_template', `
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
+##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
+##	</summary>
 ## </param>
 ## <param name="user_domain">
+##	<summary>
 ##	The type of the user domain.
+##	</summary>
 ## </param>
 ## <param name="user_role">
+##	<summary>
 ##	The role associated with the user domain.
+##	</summary>
 ## </param>
 #
 template(`su_per_userdomain_template',`
@ -255,7 +261,9 @@ template(`su_per_userdomain_template',`
 ##	Execute su in the caller domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`su_exec',`
--- a/refpolicy/policy/modules/admin/sudo.if
+++ b/refpolicy/policy/modules/admin/sudo.if
@ -17,14 +17,20 @@
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
+##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
+##	</summary>
 ## </param>
 ## <param name="user_domain">
+##	<summary>
 ##	The type of the user domain.
+##	</summary>
 ## </param>
 ## <param name="user_role">
+##	<summary>
 ##	The role associated with the user domain.
+##	</summary>
 ## </param>
 #
 template(`sudo_per_userdomain_template',`
--- a/refpolicy/policy/modules/admin/tmpreaper.if
+++ b/refpolicy/policy/modules/admin/tmpreaper.if
@ -5,7 +5,9 @@
 ##	Execute tmpreaper in the caller domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`tmpreaper_exec',`
--- a/refpolicy/policy/modules/admin/updfstab.if
+++ b/refpolicy/policy/modules/admin/updfstab.if
@ -5,7 +5,9 @@
 ##	Execute updfstab in the updfstab domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`updfstab_domtrans',`
--- a/refpolicy/policy/modules/admin/usbmodules.if
+++ b/refpolicy/policy/modules/admin/usbmodules.if
@ -5,7 +5,9 @@
 ##	Execute usbmodules in the usbmodules domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`usbmodules_domtrans',`
@ -29,13 +31,19 @@ interface(`usbmodules_domtrans',`
 ##	and use the caller's terminal.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the usbmodules domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the usbmodules domain to use.
+##	</summary>
 ## </param>
 #
 interface(`usbmodules_run',`
--- a/refpolicy/policy/modules/admin/usermanage.if
+++ b/refpolicy/policy/modules/admin/usermanage.if
@ -5,7 +5,9 @@
 ##	Execute chfn in the chfn domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`usermanage_domtrans_chfn',`
@ -29,13 +31,19 @@ interface(`usermanage_domtrans_chfn',`
 ##	allow the specified role the chfn domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the chfn domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the chfn domain to use.
+##	</summary>
 ## </param>
 #
 interface(`usermanage_run_chfn',`
@ -53,7 +61,9 @@ interface(`usermanage_run_chfn',`
 ##	Execute groupadd in the groupadd domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`usermanage_domtrans_groupadd',`
@ -77,13 +87,19 @@ interface(`usermanage_domtrans_groupadd',`
 ##	allow the specified role the groupadd domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the groupadd domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the groupadd domain to use.
+##	</summary>
 ## </param>
 #
 interface(`usermanage_run_groupadd',`
@ -101,7 +117,9 @@ interface(`usermanage_run_groupadd',`
 ##	Execute passwd in the passwd domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`usermanage_domtrans_passwd',`
@ -125,13 +143,19 @@ interface(`usermanage_domtrans_passwd',`
 ##	allow the specified role the passwd domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the passwd domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the passwd domain to use.
+##	</summary>
 ## </param>
 #
 interface(`usermanage_run_passwd',`
@ -150,7 +174,9 @@ interface(`usermanage_run_passwd',`
 ##	the admin passwd domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`usermanage_domtrans_admin_passwd',`
@ -175,13 +201,19 @@ interface(`usermanage_domtrans_admin_passwd',`
 ##	the admin passwd domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the admin passwd domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the admin passwd domain to use.
+##	</summary>
 ## </param>
 #
 interface(`usermanage_run_admin_passwd',`
@ -199,7 +231,9 @@ interface(`usermanage_run_admin_passwd',`
 ##	Execute useradd in the useradd domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`usermanage_domtrans_useradd',`
@ -223,13 +257,19 @@ interface(`usermanage_domtrans_useradd',`
 ##	allow the specified role the useradd domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the useradd domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the useradd domain to use.
+##	</summary>
 ## </param>
 #
 interface(`usermanage_run_useradd',`
@ -247,7 +287,9 @@ interface(`usermanage_run_useradd',`
 ##	Read the crack database.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`usermanage_read_crack_db',`
--- a/refpolicy/policy/modules/admin/vbetool.if
+++ b/refpolicy/policy/modules/admin/vbetool.if
@ -5,7 +5,9 @@
 ##	Execute vbetool application in the vbetool domain.
 ## </summary>
 ## <param name="domain" optional="true">
+##	<summary>
 ##	N/A
+##	</summary>
 ## </param>
 #
 interface(`vbetool_domtrans',`
--- a/refpolicy/policy/modules/admin/vpn.if
+++ b/refpolicy/policy/modules/admin/vpn.if
@ -5,7 +5,9 @@
 ##	Execute VPN clients in the vpnc domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`vpn_domtrans',`
@ -27,13 +29,19 @@ interface(`vpn_domtrans',`
 ##	allow the specified role the vpnc domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the vpnc domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the vpnc domain to use.
+##	</summary>
 ## </param>
 #
 interface(`vpn_run',`
@ -51,7 +59,9 @@ interface(`vpn_run',`
 ##	Send generic signals to VPN clients.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`vpn_signal',`
--- a/refpolicy/policy/modules/apps/cdrecord.if
+++ b/refpolicy/policy/modules/apps/cdrecord.if
@ -16,14 +16,20 @@
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
+##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
+##	</summary>
 ## </param>
 ## <param name="user_domain">
+##	<summary>
 ##	The type of the user domain.
+##	</summary>
 ## </param>
 ## <param name="user_role">
+##	<summary>
 ##	The role associated with the user domain.
+##	</summary>
 ## </param>
 #
 template(`cdrecord_per_userdomain_template', `
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@ -18,14 +18,20 @@
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
+##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
+##	</summary>
 ## </param>
 ## <param name="userdomain">
+##	<summary>
 ##	The user domain.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role associated with the user.
+##	</summary>
 ## </param>
 #
 template(`gpg_per_userdomain_template',`
--- a/refpolicy/policy/modules/apps/irc.if
+++ b/refpolicy/policy/modules/apps/irc.if
@ -16,14 +16,20 @@
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
+##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
+##	</summary>
 ## </param>
 ## <param name="user_domain">
+##	<summary>
 ##	The type of the user domain.
+##	</summary>
 ## </param>
 ## <param name="user_role">
+##	<summary>
 ##	The role associated with the user domain.
+##	</summary>
 ## </param>
 #
 template(`irc_per_userdomain_template',`
--- a/refpolicy/policy/modules/apps/java.if
+++ b/refpolicy/policy/modules/apps/java.if
@ -16,14 +16,20 @@
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
+##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
+##	</summary>
 ## </param>
 ## <param name="user_domain">
+##	<summary>
 ##	The type of the user domain.
+##	</summary>
 ## </param>
 ## <param name="user_role">
+##	<summary>
 ##	The role associated with the user domain.
+##	</summary>
 ## </param>
 #
 template(`java_per_userdomain_template',`
--- a/refpolicy/policy/modules/apps/loadkeys.if
+++ b/refpolicy/policy/modules/apps/loadkeys.if
@ -5,7 +5,9 @@
 ##	Execute the loadkeys program in the loadkeys domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`loadkeys_domtrans',`
@ -32,13 +34,19 @@ interface(`loadkeys_domtrans',`
 ##	Execute the loadkeys program in the loadkeys domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to allow the loadkeys domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the loadkeys domain to use.
+##	</summary>
 ## </param>
 #
 interface(`loadkeys_run',`
@ -61,7 +69,9 @@ interface(`loadkeys_run',`
 ##	Execute the loadkeys program in the caller domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`loadkeys_exec',`
--- a/refpolicy/policy/modules/apps/lockdev.if
+++ b/refpolicy/policy/modules/apps/lockdev.if
@ -17,14 +17,20 @@
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
+##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
+##	</summary>
 ## </param>
 ## <param name="user_domain">
+##	<summary>
 ##	The type of the user domain.
+##	</summary>
 ## </param>
 ## <param name="user_role">
+##	<summary>
 ##	The role associated with the user domain.
+##	</summary>
 ## </param>
 #
 template(`lockdev_per_userdomain_template',`
--- a/refpolicy/policy/modules/apps/mono.if
+++ b/refpolicy/policy/modules/apps/mono.if
@ -5,7 +5,9 @@
 ##	Execute the mono program in the mono domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mono_domtrans',`
--- a/refpolicy/policy/modules/apps/screen.if
+++ b/refpolicy/policy/modules/apps/screen.if
@ -16,14 +16,20 @@
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
+##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
+##	</summary>
 ## </param>
 ## <param name="user_domain">
+##	<summary>
 ##	The type of the user domain.
+##	</summary>
 ## </param>
 ## <param name="user_role">
+##	<summary>
 ##	The role associated with the user domain.
+##	</summary>
 ## </param>
 #
 template(`screen_per_userdomain_template',`
--- a/refpolicy/policy/modules/apps/slocate.if
+++ b/refpolicy/policy/modules/apps/slocate.if
@ -5,7 +5,9 @@
 ##	Create the locate log with append mode.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`slocate_create_append_log',`
--- a/refpolicy/policy/modules/apps/tvtime.if
+++ b/refpolicy/policy/modules/apps/tvtime.if
@ -16,14 +16,20 @@
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
+##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
+##	</summary>
 ## </param>
 ## <param name="user_domain">
+##	<summary>
 ##	The type of the user domain.
+##	</summary>
 ## </param>
 ## <param name="user_role">
+##	<summary>
 ##	The role associated with the user domain.
+##	</summary>
 ## </param>
 #
 template(`tvtime_per_userdomain_template',`
--- a/refpolicy/policy/modules/apps/userhelper.if
+++ b/refpolicy/policy/modules/apps/userhelper.if
@ -16,14 +16,20 @@
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
+##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
+##	</summary>
 ## </param>
 ## <param name="user_domain">
+##	<summary>
 ##	The type of the user domain.
+##	</summary>
 ## </param>
 ## <param name="user_role">
+##	<summary>
 ##	The role associated with the user domain.
+##	</summary>
 ## </param>
 #
 template(`userhelper_per_userdomain_template',`
@ -205,7 +211,9 @@ template(`userhelper_per_userdomain_template',`
 ##	Search the userhelper configuration directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##      Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`userhelper_search_config',`
@ -222,7 +230,9 @@ interface(`userhelper_search_config',`
 ##	the userhelper configuration directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##      Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`userhelper_dontaudit_search_config',`
--- a/refpolicy/policy/modules/apps/usernetctl.if
+++ b/refpolicy/policy/modules/apps/usernetctl.if
@ -5,7 +5,9 @@
 ##	Execute usernetctl in the usernetctl domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`usernetctl_domtrans',`
@ -31,13 +33,19 @@ interface(`usernetctl_domtrans',`
 ##	allow the specified role the usernetctl domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the usernetctl domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the usernetctl domain to use.
+##	</summary>
 ## </param>
 #
 interface(`usernetctl_run',`
--- a/refpolicy/policy/modules/apps/webalizer.if
+++ b/refpolicy/policy/modules/apps/webalizer.if
@ -5,7 +5,9 @@
 ##	Execute webalizer in the webalizer domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`webalizer_domtrans',`
@ -27,13 +29,19 @@ interface(`webalizer_domtrans',`
 ##	allow the specified role the webalizer domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the webalizer domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the webalizer domain to use.
+##	</summary>
 ## </param>
 #
 interface(`webalizer_run',`
--- a/refpolicy/policy/modules/apps/wine.if
+++ b/refpolicy/policy/modules/apps/wine.if
@ -5,7 +5,9 @@
 ##	Execute the wine program in the wine domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`wine_domtrans',`
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@ -5,7 +5,9 @@
 ##	Execute bootloader in the bootloader domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_domtrans',`
@ -27,13 +29,19 @@ interface(`bootloader_domtrans',`
 ##	a domain transition to the bootloader domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the bootloader domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the bootloader domain to use.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_run',`
@ -52,7 +60,9 @@ interface(`bootloader_run',`
 ##	Get attributes of the /boot directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_getattr_boot_dirs',`
@ -69,7 +79,9 @@ interface(`bootloader_getattr_boot_dirs',`
 ##	of the /boot directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_dontaudit_getattr_boot_dirs',`
@ -85,7 +97,9 @@ interface(`bootloader_dontaudit_getattr_boot_dirs',`
 ##	Search the /boot directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_search_boot',`
@ -101,7 +115,9 @@ interface(`bootloader_search_boot',`
 ##	Do not audit attempts to search the /boot directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_dontaudit_search_boot',`
@ -118,7 +134,9 @@ interface(`bootloader_dontaudit_search_boot',`
 ##	in the /boot directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_rw_boot_symlinks',`
@ -135,7 +153,9 @@ interface(`bootloader_rw_boot_symlinks',`
 ##	Install a kernel into the /boot directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_create_kernel_img',`
@ -153,7 +173,9 @@ interface(`bootloader_create_kernel_img',`
 ##	Install a system.map into the /boot directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_create_kernel_symbol_table',`
@ -170,7 +192,9 @@ interface(`bootloader_create_kernel_symbol_table',`
 ##	Read system.map in the /boot directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_read_kernel_symbol_table',`
@ -190,7 +214,9 @@ interface(`bootloader_read_kernel_symbol_table',`
 ##	Delete a kernel from /boot.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_delete_kernel',`
@ -207,7 +233,9 @@ interface(`bootloader_delete_kernel',`
 ##	Delete a system.map in the /boot directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_delete_kernel_symbol_table',`
@ -224,7 +252,9 @@ interface(`bootloader_delete_kernel_symbol_table',`
 ##	Read the bootloader configuration file.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_read_config',`
@ -241,7 +271,9 @@ interface(`bootloader_read_config',`
 ##	configuration file.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_rw_config',`
@ -258,7 +290,9 @@ interface(`bootloader_rw_config',`
 ##	temporary data in /tmp.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_rw_tmp_files',`
@ -276,7 +310,9 @@ interface(`bootloader_rw_tmp_files',`
 ##	temporary data in /tmp.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_create_runtime_file',`
@ -294,7 +330,9 @@ interface(`bootloader_create_runtime_file',`
 ##	Search the contents of the kernel module directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_search_kernel_modules',`
@ -310,7 +348,9 @@ interface(`bootloader_search_kernel_modules',`
 ##	List the contents of the kernel module directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_list_kernel_modules',`
@ -326,7 +366,9 @@ interface(`bootloader_list_kernel_modules',`
 ##	Get the attributes of kernel module files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_getattr_kernel_modules',`
@ -343,7 +385,9 @@ interface(`bootloader_getattr_kernel_modules',`
 ##	Read kernel module files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_read_kernel_modules',`
@ -361,7 +405,9 @@ interface(`bootloader_read_kernel_modules',`
 ##	Write kernel module files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_write_kernel_modules',`
@ -382,7 +428,9 @@ interface(`bootloader_write_kernel_modules',`
 ##	kernel module files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`bootloader_manage_kernel_modules',`
--- a/refpolicy/policy/modules/kernel/corecommands.if
+++ b/refpolicy/policy/modules/kernel/corecommands.if
@ -23,7 +23,9 @@
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	Alias type for bin_t.
+##	</summary>
 ## </param>
 interface(`corecmd_bin_alias',`
 	ifdef(`targeted_policy',`
@ -42,7 +44,9 @@ interface(`corecmd_bin_alias',`
 ##	Make the shell an entrypoint for the specified domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The domain for which the shell is an entrypoint.
+##	</summary>
 ## </param>
 interface(`corecmd_shell_entry_type',`
 	gen_require(`
@ -81,7 +85,9 @@ interface(`corecmd_list_bin',`
 ##	Get the attributes of files in bin directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`corecmd_getattr_bin_files',`
@ -97,7 +103,9 @@ interface(`corecmd_getattr_bin_files',`
 ##	Read files in bin directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`corecmd_read_bin_files',`
@ -114,7 +122,9 @@ interface(`corecmd_read_bin_files',`
 ##	Read symbolic links in bin directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`corecmd_read_bin_symlinks',`
@ -131,7 +141,9 @@ interface(`corecmd_read_bin_symlinks',`
 ##	Read pipes in bin directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`corecmd_read_bin_pipes',`
@ -148,7 +160,9 @@ interface(`corecmd_read_bin_pipes',`
 ##	Read named sockets in bin directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`corecmd_read_bin_sockets',`
@ -180,7 +194,9 @@ interface(`corecmd_exec_bin',`
 ##	Create, read, write, and delete bin files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`corecmd_manage_bin_files',`
@ -197,7 +213,9 @@ interface(`corecmd_manage_bin_files',`
 ##	Relabel to and from the bin type.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`corecmd_relabel_bin_files',`
@ -214,7 +232,9 @@ interface(`corecmd_relabel_bin_files',`
 ##	Mmap a bin file as executable.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`corecmd_mmap_bin_files',`
@ -252,10 +272,14 @@ interface(`corecmd_mmap_bin_files',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 ## <param name="target_domain">
+##	<summary>
 ##	The type of the new process.
+##	</summary>
 ## </param>
 #
 interface(`corecmd_bin_spec_domtrans',`
@ -293,10 +317,14 @@ interface(`corecmd_bin_spec_domtrans',`
 ##      </p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##      Domain allowed access.
+##	</summary>
 ## </param>
 ## <param name="target_domain">
+##	<summary>
 ##      The type of the new process.
+##	</summary>
 ## </param>
 #
 interface(`corecmd_bin_domtrans',`
@ -326,7 +354,9 @@ interface(`corecmd_search_sbin',`
 ##	sbin directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`corecmd_dontaudit_search_sbin',`
@ -378,7 +408,9 @@ interface(`corecmd_dontaudit_getattr_sbin_files',`
 ##	Read files in sbin directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`corecmd_read_sbin_files',`
@ -395,7 +427,9 @@ interface(`corecmd_read_sbin_files',`
 ##	Read symbolic links in sbin directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`corecmd_read_sbin_symlinks',`
@ -412,7 +446,9 @@ interface(`corecmd_read_sbin_symlinks',`
 ##	Read named pipes in sbin directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`corecmd_read_sbin_pipes',`
@ -429,7 +465,9 @@ interface(`corecmd_read_sbin_pipes',`
 ##	Read named sockets in sbin directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`corecmd_read_sbin_sockets',`
@ -460,7 +498,9 @@ interface(`corecmd_exec_sbin',`
 ##	Create, read, write, and delete sbin files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 # cjp: added for prelink
@ -478,7 +518,9 @@ interface(`corecmd_manage_sbin_files',`
 ##	Relabel to and from the sbin type.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 # cjp: added for prelink
@ -496,7 +538,9 @@ interface(`corecmd_relabel_sbin_files',`
 ##	Mmap a sbin file as executable.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 # cjp: added for prelink
@ -533,10 +577,14 @@ interface(`corecmd_mmap_sbin_files',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 ## <param name="target_domain">
+##	<summary>
 ##	The type of the new process.
+##	</summary>
 ## </param>
 #
 interface(`corecmd_sbin_domtrans',`
@ -576,10 +624,14 @@ interface(`corecmd_sbin_domtrans',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 ## <param name="target_domain">
+##	<summary>
 ##	The type of the new process.
+##	</summary>
 ## </param>
 #
 interface(`corecmd_sbin_spec_domtrans',`
@ -598,7 +650,9 @@ interface(`corecmd_sbin_spec_domtrans',`
 ##	Check if a shell is executable (DAC-wise).
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`corecmd_check_exec_shell',`
@ -658,10 +712,14 @@ interface(`corecmd_exec_ls',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 ## <param name="target_domain">
+##	<summary>
 ##	The type of the shell process.
+##	</summary>
 ## </param>
 #
 interface(`corecmd_shell_spec_domtrans',`
@ -690,10 +748,14 @@ interface(`corecmd_shell_spec_domtrans',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 ## <param name="target_domain">
+##	<summary>
 ##	The type of the shell process.
+##	</summary>
 ## </param>
 #
 interface(`corecmd_shell_domtrans',`
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@ -8,7 +8,9 @@
 ##	Send and receive TCP network traffic on the generic interfaces.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
@ -25,7 +27,9 @@ interface(`corenet_tcp_sendrecv_generic_if',`
 ##	Send UDP network traffic on generic interfaces.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_send_generic_if',`
@ -41,7 +45,9 @@ interface(`corenet_udp_send_generic_if',`
 ##	Receive UDP network traffic on generic interfaces.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_receive_generic_if',`
@ -57,7 +63,9 @@ interface(`corenet_udp_receive_generic_if',`
 ##	Send and Receive UDP network traffic on generic interfaces.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_sendrecv_generic_if',`
@ -70,7 +78,9 @@ interface(`corenet_udp_sendrecv_generic_if',`
 ##	Send raw IP packets on generic interfaces.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_raw_send_generic_if',`
@ -90,7 +100,9 @@ interface(`corenet_raw_send_generic_if',`
 ##	Receive raw IP packets on generic interfaces.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_raw_receive_generic_if',`
@ -106,7 +118,9 @@ interface(`corenet_raw_receive_generic_if',`
 ##	Send and receive raw IP packets on generic interfaces.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_raw_sendrecv_generic_if',`
@ -119,7 +133,9 @@ interface(`corenet_raw_sendrecv_generic_if',`
 ##	Send and receive TCP network traffic on all interfaces.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_tcp_sendrecv_all_if',`
@ -135,7 +151,9 @@ interface(`corenet_tcp_sendrecv_all_if',`
 ##	Send UDP network traffic on all interfaces.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_send_all_if',`
@ -151,7 +169,9 @@ interface(`corenet_udp_send_all_if',`
 ##	Receive UDP network traffic on all interfaces.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_receive_all_if',`
@ -167,7 +187,9 @@ interface(`corenet_udp_receive_all_if',`
 ##	Send and receive UDP network traffic on all interfaces.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_sendrecv_all_if',`
@ -180,7 +202,9 @@ interface(`corenet_udp_sendrecv_all_if',`
 ##	Send raw IP packets on all interfaces.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_raw_send_all_if',`
@ -200,7 +224,9 @@ interface(`corenet_raw_send_all_if',`
 ##	Receive raw IP packets on all interfaces.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_raw_receive_all_if',`
@ -216,7 +242,9 @@ interface(`corenet_raw_receive_all_if',`
 ##	Send and receive raw IP packets on all interfaces.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_raw_sendrecv_all_if',`
@ -229,7 +257,9 @@ interface(`corenet_raw_sendrecv_all_if',`
 ##	Send and receive TCP network traffic on generic nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_tcp_sendrecv_generic_node',`
@ -245,7 +275,9 @@ interface(`corenet_tcp_sendrecv_generic_node',`
 ##	Send UDP network traffic on generic nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_send_generic_node',`
@ -261,7 +293,9 @@ interface(`corenet_udp_send_generic_node',`
 ##	Receive UDP network traffic on generic nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_receive_generic_node',`
@ -277,7 +311,9 @@ interface(`corenet_udp_receive_generic_node',`
 ##	Send and receive UDP network traffic on generic nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_sendrecv_generic_node',`
@ -290,7 +326,9 @@ interface(`corenet_udp_sendrecv_generic_node',`
 ##	Send raw IP packets on generic nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_raw_send_generic_node',`
@ -306,7 +344,9 @@ interface(`corenet_raw_send_generic_node',`
 ##	Receive raw IP packets on generic nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_raw_receive_generic_node',`
@ -322,7 +362,9 @@ interface(`corenet_raw_receive_generic_node',`
 ##	Send and receive raw IP packets on generic nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_raw_sendrecv_generic_node',`
@ -335,7 +377,9 @@ interface(`corenet_raw_sendrecv_generic_node',`
 ##	Bind TCP sockets to generic nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_tcp_bind_generic_node',`
@ -351,7 +395,9 @@ interface(`corenet_tcp_bind_generic_node',`
 ##	Bind UDP sockets to generic nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_bind_generic_node',`
@ -367,7 +413,9 @@ interface(`corenet_udp_bind_generic_node',`
 ##	Send and receive TCP network traffic on all nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_tcp_sendrecv_all_nodes',`
@ -383,7 +431,9 @@ interface(`corenet_tcp_sendrecv_all_nodes',`
 ##	Send UDP network traffic on all nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_send_all_nodes',`
@ -399,7 +449,9 @@ interface(`corenet_udp_send_all_nodes',`
 ##	Receive UDP network traffic on all nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_receive_all_nodes',`
@ -415,7 +467,9 @@ interface(`corenet_udp_receive_all_nodes',`
 ##	Send and receive UDP network traffic on all nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_sendrecv_all_nodes',`
@ -428,7 +482,9 @@ interface(`corenet_udp_sendrecv_all_nodes',`
 ##	Send raw IP packets on all nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_raw_send_all_nodes',`
@ -444,7 +500,9 @@ interface(`corenet_raw_send_all_nodes',`
 ##	Receive raw IP packets on all nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_raw_receive_all_nodes',`
@ -460,7 +518,9 @@ interface(`corenet_raw_receive_all_nodes',`
 ##	Send and receive raw IP packets on all nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_raw_sendrecv_all_nodes',`
@ -473,7 +533,9 @@ interface(`corenet_raw_sendrecv_all_nodes',`
 ##	Bind TCP sockets to all nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_tcp_bind_all_nodes',`
@ -489,7 +551,9 @@ interface(`corenet_tcp_bind_all_nodes',`
 ##	Bind UDP sockets to all nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_bind_all_nodes',`
@ -505,7 +569,9 @@ interface(`corenet_udp_bind_all_nodes',`
 ##	Bind raw sockets to all nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 # rawip_socket node_bind does not make much sense. 
 interface(`corenet_raw_bind_all_nodes',`
@ -521,7 +587,9 @@ interface(`corenet_raw_bind_all_nodes',`
 ##	Send and receive TCP network traffic on generic ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_tcp_sendrecv_generic_port',`
@ -537,7 +605,9 @@ interface(`corenet_tcp_sendrecv_generic_port',`
 ##	Send UDP network traffic on generic ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_send_generic_port',`
@ -553,7 +623,9 @@ interface(`corenet_udp_send_generic_port',`
 ##	Receive UDP network traffic on generic ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_receive_generic_port',`
@ -569,7 +641,9 @@ interface(`corenet_udp_receive_generic_port',`
 ##	Send and receive UDP network traffic on generic ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_sendrecv_generic_port',`
@ -582,7 +656,9 @@ interface(`corenet_udp_sendrecv_generic_port',`
 ##	Bind TCP sockets to generic ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_tcp_bind_generic_port',`
@ -598,7 +674,9 @@ interface(`corenet_tcp_bind_generic_port',`
 ##	Bind UDP sockets to generic ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_bind_generic_port',`
@ -614,7 +692,9 @@ interface(`corenet_udp_bind_generic_port',`
 ##	Connect TCP sockets to generic ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_tcp_connect_generic_port',`
@ -630,7 +710,9 @@ interface(`corenet_tcp_connect_generic_port',`
 ##	Send and receive TCP network traffic on all ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_tcp_sendrecv_all_ports',`
@ -646,7 +728,9 @@ interface(`corenet_tcp_sendrecv_all_ports',`
 ##	Send UDP network traffic on all ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_send_all_ports',`
@ -662,7 +746,9 @@ interface(`corenet_udp_send_all_ports',`
 ##	Receive UDP network traffic on all ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_receive_all_ports',`
@ -678,7 +764,9 @@ interface(`corenet_udp_receive_all_ports',`
 ##	Send and receive UDP network traffic on all ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_sendrecv_all_ports',`
@ -691,7 +779,9 @@ interface(`corenet_udp_sendrecv_all_ports',`
 ##	Bind TCP sockets to all ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_tcp_bind_all_ports',`
@ -707,7 +797,9 @@ interface(`corenet_tcp_bind_all_ports',`
 ##	Do not audit attepts to bind TCP sockets to any ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`corenet_dontaudit_tcp_bind_all_ports',`
@ -723,7 +815,9 @@ interface(`corenet_dontaudit_tcp_bind_all_ports',`
 ##	Bind UDP sockets to all ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_bind_all_ports',`
@ -739,7 +833,9 @@ interface(`corenet_udp_bind_all_ports',`
 ##	Connect TCP sockets to all ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_tcp_connect_all_ports',`
@ -755,7 +851,9 @@ interface(`corenet_tcp_connect_all_ports',`
 ##	Send and receive TCP network traffic on generic reserved ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_tcp_sendrecv_reserved_port',`
@ -771,7 +869,9 @@ interface(`corenet_tcp_sendrecv_reserved_port',`
 ##	Send UDP network traffic on generic reserved ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_send_reserved_port',`
@ -787,7 +887,9 @@ interface(`corenet_udp_send_reserved_port',`
 ##	Receive UDP network traffic on generic reserved ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_receive_reserved_port',`
@ -803,7 +905,9 @@ interface(`corenet_udp_receive_reserved_port',`
 ##	Send and receive UDP network traffic on generic reserved ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_sendrecv_reserved_port',`
@ -816,7 +920,9 @@ interface(`corenet_udp_sendrecv_reserved_port',`
 ##	Bind TCP sockets to generic reserved ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_tcp_bind_reserved_port',`
@ -833,7 +939,9 @@ interface(`corenet_tcp_bind_reserved_port',`
 ##	Bind UDP sockets to generic reserved ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_bind_reserved_port',`
@ -850,7 +958,9 @@ interface(`corenet_udp_bind_reserved_port',`
 ##	Connect TCP sockets to generic reserved ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_tcp_connect_reserved_port',`
@ -866,7 +976,9 @@ interface(`corenet_tcp_connect_reserved_port',`
 ##	Send and receive TCP network traffic on all reserved ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_tcp_sendrecv_all_reserved_ports',`
@ -882,7 +994,9 @@ interface(`corenet_tcp_sendrecv_all_reserved_ports',`
 ##	Send UDP network traffic on all reserved ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_send_all_reserved_ports',`
@ -898,7 +1012,9 @@ interface(`corenet_udp_send_all_reserved_ports',`
 ##	Receive UDP network traffic on all reserved ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_receive_all_reserved_ports',`
@ -914,7 +1030,9 @@ interface(`corenet_udp_receive_all_reserved_ports',`
 ##	Send and receive UDP network traffic on all reserved ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_sendrecv_all_reserved_ports',`
@ -927,7 +1045,9 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
 ##	Bind TCP sockets to all reserved ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_tcp_bind_all_reserved_ports',`
@ -944,7 +1064,9 @@ interface(`corenet_tcp_bind_all_reserved_ports',`
 ##	Do not audit attempts to bind TCP sockets to all reserved ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process to not audit.
+##	</summary>
 ## </param>
 #
 interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
@ -960,7 +1082,9 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
 ##	Bind UDP sockets to all reserved ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_udp_bind_all_reserved_ports',`
@ -977,7 +1101,9 @@ interface(`corenet_udp_bind_all_reserved_ports',`
 ##	Do not audit attempts to bind UDP sockets to all reserved ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process to not audit.
+##	</summary>
 ## </param>
 #
 interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
@ -993,7 +1119,9 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
 ##      Connect TCP sockets to reserved ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##      The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_tcp_connect_all_reserved_ports',`
@ -1010,7 +1138,9 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
 ##	all reserved ports.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
@ -1026,7 +1156,9 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
 ##	Read and write the TUN/TAP virtual network device.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`corenet_use_tun_tap_device',`
@ -1043,7 +1175,9 @@ interface(`corenet_use_tun_tap_device',`
 ##	Read and write the point-to-point device.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`corenet_use_ppp_device',`
@ -1062,7 +1196,9 @@ interface(`corenet_use_ppp_device',`
 ##	session.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`corenet_non_ipsec_sendrecv',`
@ -1074,7 +1210,9 @@ interface(`corenet_non_ipsec_sendrecv',`
 ##	Unconfined access to network objects.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`corenet_unconfined',`
--- a/refpolicy/policy/modules/kernel/corenetwork.if.m4
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.m4
@ -17,7 +17,9 @@ define(`create_netif_interfaces',``
 ##	Send and receive TCP network traffic on the $1 interface.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
@ -34,7 +36,9 @@ interface(`corenet_tcp_sendrecv_$1_if',`
 ##	Send UDP network traffic on the $1 interface.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
@ -51,7 +55,9 @@ interface(`corenet_udp_send_$1_if',`
 ##	Receive UDP network traffic on the $1 interface.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
@ -68,7 +74,9 @@ interface(`corenet_udp_receive_$1_if',`
 ##	Send and receive UDP network traffic on the $1 interface.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
@ -82,7 +90,9 @@ interface(`corenet_udp_sendrecv_$1_if',`
 ##	Send raw IP packets on the $1 interface.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
@ -103,7 +113,9 @@ interface(`corenet_raw_send_$1_if',`
 ##	Receive raw IP packets on the $1 interface.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
@ -120,7 +132,9 @@ interface(`corenet_raw_receive_$1_if',`
 ##	Send and receive raw IP packets on the $1 interface.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
@ -142,7 +156,9 @@ define(`create_node_interfaces',``
 ##	Send and receive TCP traffic on the $1 node.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
@ -159,7 +175,9 @@ interface(`corenet_tcp_sendrecv_$1_node',`
 ##	Send UDP traffic on the $1 node.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
@ -176,7 +194,9 @@ interface(`corenet_udp_send_$1_node',`
 ##	Receive UDP traffic on the $1 node.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
@ -193,7 +213,9 @@ interface(`corenet_udp_receive_$1_node',`
 ##	Send and receive UDP traffic on the $1 node.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
@ -207,7 +229,9 @@ interface(`corenet_udp_sendrecv_$1_node',`
 ##	Send raw IP packets on the $1 node.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
@ -224,7 +248,9 @@ interface(`corenet_raw_send_$1_node',`
 ##	Receive raw IP packets on the $1 node.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
@ -241,7 +267,9 @@ interface(`corenet_raw_receive_$1_node',`
 ##	Send and receive raw IP packets on the $1 node.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
@ -255,7 +283,9 @@ interface(`corenet_raw_sendrecv_$1_node',`
 ##	Bind TCP sockets to node $1.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="none"/>
 #
@ -272,7 +302,9 @@ interface(`corenet_tcp_bind_$1_node',`
 ##	Bind UDP sockets to the $1 node.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="none"/>
 #
@ -297,7 +329,9 @@ define(`create_port_interfaces',``
 ##	Send and receive TCP traffic on the $1 port.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
@ -314,7 +348,9 @@ interface(`corenet_tcp_sendrecv_$1_port',`
 ##	Send UDP traffic on the $1 port.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="write" weight="10"/>
 #
@ -331,7 +367,9 @@ interface(`corenet_udp_send_$1_port',`
 ##	Receive UDP traffic on the $1 port.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="read" weight="10"/>
 #
@ -348,7 +386,9 @@ interface(`corenet_udp_receive_$1_port',`
 ##	Send and receive UDP traffic on the $1 port.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
@ -362,7 +402,9 @@ interface(`corenet_udp_sendrecv_$1_port',`
 ##	Bind TCP sockets to the $1 port.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="none"/>
 #
@ -380,7 +422,9 @@ interface(`corenet_tcp_bind_$1_port',`
 ##	Bind UDP sockets to the $1 port.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <infoflow type="none"/>
 #
@ -398,7 +442,9 @@ interface(`corenet_udp_bind_$1_port',`
 ##	Make a TCP connection to the $1 port.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`corenet_tcp_connect_$1_port',`
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
--- a/refpolicy/policy/modules/kernel/domain.if
+++ b/refpolicy/policy/modules/kernel/domain.if
@ -18,7 +18,9 @@
 ##	</p>
 ## </desc>
 ## <param name="type">
+##	<summary>
 ##	Type to be used as a basic domain type.
+##	</summary>
 ## </param>
 #
 interface(`domain_base_type',`
@ -57,7 +59,9 @@ interface(`domain_base_type',`
 ##	Make the specified type usable as a domain.
 ## </summary>
 ## <param name="type">
+##	<summary>
 ##	Type to be used as a domain type.
+##	</summary>
 ## </param>
 #
 interface(`domain_type',`
@ -107,11 +111,15 @@ interface(`domain_type',`
 ##	an entry point for the domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to be entered.
+##	</summary>
 ## </param>
 ## <param name="type">
+##	<summary>
 ##	Type of program used for entering
 ##	the domain.
+##	</summary>
 ## </param>
 #
 interface(`domain_entry_file',`
@ -158,7 +166,9 @@ interface(`domain_dyntrans_type',`
 ##	identity and system role.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`domain_system_change_exemption',`
@ -175,7 +185,9 @@ interface(`domain_system_change_exemption',`
 ##	changing of user identity.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type to make an exception to the constraint.
+##	</summary>
 ## </param>
 #
 interface(`domain_subj_id_change_exemption',`
@ -192,7 +204,9 @@ interface(`domain_subj_id_change_exemption',`
 ##	changing of role.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type to make an exception to the constraint.
+##	</summary>
 ## </param>
 #
 interface(`domain_role_change_exemption',`
@ -209,7 +223,9 @@ interface(`domain_role_change_exemption',`
 ##	changing the user identity in object contexts.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type to make an exception to the constraint.
+##	</summary>
 ## </param>
 #
 interface(`domain_obj_id_change_exemption',`
@ -242,7 +258,9 @@ interface(`domain_obj_id_change_exemption',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	Domain target for user exemption.
+##	</summary>
 ## </param>
 #
 interface(`domain_user_exemption_target',`
@ -275,7 +293,9 @@ interface(`domain_user_exemption_target',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	Domain target for user exemption.
+##	</summary>
 ## </param>
 #
 interface(`domain_cron_exemption_source',`
@ -308,7 +328,9 @@ interface(`domain_cron_exemption_source',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	Domain target for user exemption.
+##	</summary>
 ## </param>
 #
 interface(`domain_cron_exemption_target',`
@ -349,7 +371,9 @@ interface(`domain_dontaudit_use_wide_inherit_fd',`
 ##	discriptors are widely inheritable.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 # cjp: this was added because of newrole
@ -378,7 +402,9 @@ interface(`domain_setpriority_all_domains',`
 ##	Send general signals to all domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`domain_signal_all_domains',`
@ -394,7 +420,9 @@ interface(`domain_signal_all_domains',`
 ##	Send a null signal to all domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`domain_signull_all_domains',`
@ -410,7 +438,9 @@ interface(`domain_signull_all_domains',`
 ##	Send a stop signal to all domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`domain_sigstop_all_domains',`
@ -426,7 +456,9 @@ interface(`domain_sigstop_all_domains',`
 ##	Send a child terminated signal to all domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`domain_sigchld_all_domains',`
@ -442,7 +474,9 @@ interface(`domain_sigchld_all_domains',`
 ##	Send a kill signal to all domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`domain_kill_all_domains',`
@ -459,7 +493,9 @@ interface(`domain_kill_all_domains',`
 ##	Search the process state directory (/proc/pid) of all domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`domain_search_all_domains_state',`
@ -477,7 +513,9 @@ interface(`domain_search_all_domains_state',`
 ##	state directory (/proc/pid) of all domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`domain_dontaudit_search_all_domains_state',`
@ -493,7 +531,9 @@ interface(`domain_dontaudit_search_all_domains_state',`
 ##	Read the process state (/proc/pid) of all domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`domain_read_all_domains_state',`
@ -512,7 +552,9 @@ interface(`domain_read_all_domains_state',`
 ##	Get the attributes of all domains of all domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`domain_getattr_all_domains',`
@ -528,7 +570,9 @@ interface(`domain_getattr_all_domains',`
 ##	Get the attributes of all domains of all domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`domain_dontaudit_getattr_all_domains',`
@ -544,7 +588,9 @@ interface(`domain_dontaudit_getattr_all_domains',`
 ##	Read the process state (/proc/pid) of all confined domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`domain_read_confined_domains_state',`
@ -566,7 +612,9 @@ interface(`domain_read_confined_domains_state',`
 ##	Get the attributes of all confined domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`domain_getattr_confined_domains',`
@ -582,7 +630,9 @@ interface(`domain_getattr_confined_domains',`
 ##	Ptrace all domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`domain_ptrace_all_domains',`
@ -609,7 +659,9 @@ interface(`domain_ptrace_all_domains',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`domain_dontaudit_ptrace_all_domains',`
@ -635,7 +687,9 @@ interface(`domain_dontaudit_ptrace_all_domains',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`domain_dontaudit_ptrace_confined_domains',`
@ -652,7 +706,9 @@ interface(`domain_dontaudit_ptrace_confined_domains',`
 ##	state (/proc/pid) of all domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`domain_dontaudit_read_all_domains_state',`
@ -675,7 +731,9 @@ interface(`domain_dontaudit_read_all_domains_state',`
 ##	directories of all domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`domain_dontaudit_list_all_domains_state',`
@ -691,7 +749,9 @@ interface(`domain_dontaudit_list_all_domains_state',`
 ##	Get the session ID of all domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`domain_getsession_all_domains',`
@ -708,7 +768,9 @@ interface(`domain_getsession_all_domains',`
 ##	session ID of all domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`domain_dontaudit_getsession_all_domains',`
@ -735,7 +797,9 @@ interface(`domain_dontaudit_getsession_all_domains',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`domain_getattr_all_sockets',`
@ -762,7 +826,9 @@ interface(`domain_getattr_all_sockets',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`domain_dontaudit_getattr_all_sockets',`
@ -779,7 +845,9 @@ interface(`domain_dontaudit_getattr_all_sockets',`
 ##	of all domains TCP sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`domain_dontaudit_getattr_all_tcp_sockets',`
@ -796,7 +864,9 @@ interface(`domain_dontaudit_getattr_all_tcp_sockets',`
 ##	of all domains UDP sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`domain_dontaudit_getattr_all_udp_sockets',`
@ -813,7 +883,9 @@ interface(`domain_dontaudit_getattr_all_udp_sockets',`
 ##	all domains UDP sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`domain_dontaudit_rw_all_udp_sockets',`
@ -830,7 +902,9 @@ interface(`domain_dontaudit_rw_all_udp_sockets',`
 ##	all domains IPSEC key management sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`domain_dontaudit_getattr_all_key_sockets',`
@ -847,7 +921,9 @@ interface(`domain_dontaudit_getattr_all_key_sockets',`
 ##	all domains packet sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`domain_dontaudit_getattr_all_packet_sockets',`
@ -864,7 +940,9 @@ interface(`domain_dontaudit_getattr_all_packet_sockets',`
 ##	all domains raw sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`domain_dontaudit_getattr_all_raw_sockets',`
@ -881,7 +959,9 @@ interface(`domain_dontaudit_getattr_all_raw_sockets',`
 ##	all domains key sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`domain_dontaudit_rw_all_key_sockets',`
@ -898,7 +978,9 @@ interface(`domain_dontaudit_rw_all_key_sockets',`
 ##	of all domains unix datagram sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`domain_dontaudit_getattr_all_dgram_sockets',`
@ -915,7 +997,9 @@ interface(`domain_dontaudit_getattr_all_dgram_sockets',`
 ##	of all domains unix datagram sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`domain_dontaudit_getattr_all_stream_sockets',`
@ -932,7 +1016,9 @@ interface(`domain_dontaudit_getattr_all_stream_sockets',`
 ##	of all domains unnamed pipes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`domain_dontaudit_getattr_all_pipes',`
@ -949,7 +1035,9 @@ interface(`domain_dontaudit_getattr_all_pipes',`
 ##	files for all domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`domain_getattr_all_entry_files',`
@ -992,7 +1080,9 @@ interface(`domain_exec_all_entry_files',`
 ##	entrypoint files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 # cjp: added for prelink
@ -1010,7 +1100,9 @@ interface(`domain_manage_all_entry_files',`
 ##	file types.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 # cjp: added for prelink
@ -1027,7 +1119,9 @@ interface(`domain_relabel_all_entry_files',`
 ##	Mmap all entry point files as executable.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 # cjp: added for prelink
@ -1044,7 +1138,9 @@ interface(`domain_mmap_all_entry_files',`
 ##      Execute an entry_type in the specified domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##      The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 # cjp: added for userhelper
@ -1061,7 +1157,9 @@ interface(`domain_entry_file_spec_domtrans',`
 ##	Unconfined access to domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`domain_unconfined',`
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@ -12,10 +12,14 @@
 ##	by transitioning to the specified domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type entered by kernel.
+##	</summary>
 ## </param>
 ## <param name="entrypoint">
+##	<summary>
 ##	The executable type for the entrypoint.
+##	</summary>
 ## </param>
 #
 interface(`kernel_domtrans_to',`
@ -41,7 +45,9 @@ interface(`kernel_domtrans_to',`
 ##	the specified directory type.
 ## </summary>
 ## <param name="directory_type">
+##	<summary>
 ##	The type of the directory to use as a mountpoint.
+##	</summary>
 ## </param>
 #
 interface(`kernel_rootfs_mountpoint',`
@ -57,7 +63,9 @@ interface(`kernel_rootfs_mountpoint',`
 ##	Set the process group of kernel threads.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_setpgid',`
@ -73,7 +81,9 @@ interface(`kernel_setpgid',`
 ##	Send a SIGCHLD signal to kernel threads.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process sending the signal.
+##	</summary>
 ## </param>
 #
 interface(`kernel_sigchld',`
@ -89,7 +99,9 @@ interface(`kernel_sigchld',`
 ##	Send a generic signal to kernel threads.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process sending the signal.
+##	</summary>
 ## </param>
 #
 interface(`kernel_signal',`
@ -106,7 +118,9 @@ interface(`kernel_signal',`
 ##	the caller.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process with which to share state information.
+##	</summary>
 ## </param>
 #
 interface(`kernel_share_state',`
@ -122,7 +136,9 @@ interface(`kernel_share_state',`
 ##	Permits caller to use kernel file descriptors.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process using the descriptors.
+##	</summary>
 ## </param>
 #
 interface(`kernel_use_fd',`
@ -139,7 +155,9 @@ interface(`kernel_use_fd',`
 ##	kernel file descriptors.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of process not to audit.
+##	</summary>
 ## </param>
 #
 interface(`kernel_dontaudit_use_fd',`
@ -155,7 +173,9 @@ interface(`kernel_dontaudit_use_fd',`
 ##	Read and write kernel unnamed pipes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_rw_pipes',`
@ -171,7 +191,9 @@ interface(`kernel_rw_pipes',`
 ##	Read and write kernel unix datagram sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_rw_unix_dgram_sockets',`
@ -187,7 +209,9 @@ interface(`kernel_rw_unix_dgram_sockets',`
 ##	Send messages to kernel unix datagram sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_dgram_send',`
@ -203,7 +227,9 @@ interface(`kernel_dgram_send',`
 ##	Receive messages from kernel TCP sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_tcp_recvfrom',`
@ -219,7 +245,9 @@ interface(`kernel_tcp_recvfrom',`
 ##	Send UDP network traffic to the kernel.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_udp_sendto',`
@ -236,7 +264,9 @@ interface(`kernel_udp_sendto',`
 ##	Receive messages from kernel UDP sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_udp_recvfrom',`
@ -252,7 +282,9 @@ interface(`kernel_udp_recvfrom',`
 ##	Allows caller to load kernel modules
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type to allow to load kernel modules.
+##	</summary>
 ## </param>
 #
 interface(`kernel_load_module',`
@ -269,7 +301,9 @@ interface(`kernel_load_module',`
 ##	Allows caller to read the ring buffer.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type allowed to read the ring buffer.
+##	</summary>
 ## </param>
 #
 interface(`kernel_read_ring_buffer',`
@ -285,7 +319,9 @@ interface(`kernel_read_ring_buffer',`
 ##	Do not audit attempts to read the ring buffer.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`kernel_dontaudit_read_ring_buffer',`
@ -301,7 +337,9 @@ interface(`kernel_dontaudit_read_ring_buffer',`
 ##	Change the level of kernel messages logged to the console.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_change_ring_buffer_level',`
@ -317,7 +355,9 @@ interface(`kernel_change_ring_buffer_level',`
 ##	Allows the caller to clear the ring buffer.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type clearing the buffer.
+##	</summary>
 ## </param>
 #
 interface(`kernel_clear_ring_buffer',`
@ -333,7 +373,9 @@ interface(`kernel_clear_ring_buffer',`
 ##	Get information on all System V IPC objects.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	
+##	</summary>
 ## </param>
 #
 interface(`kernel_get_sysvipc_info',`
@ -349,7 +391,9 @@ interface(`kernel_get_sysvipc_info',`
 ##	Get the attributes of a kernel debugging filesystem.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_getattr_debugfs',`
@ -365,7 +409,9 @@ interface(`kernel_getattr_debugfs',`
 ##	Mount a kernel debugging filesystem.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the domain mounting the filesystem.
+##	</summary>
 ## </param>
 #
 interface(`kernel_mount_debugfs',`
@ -381,7 +427,9 @@ interface(`kernel_mount_debugfs',`
 ##	Unmount a kernel debugging filesystem.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the domain unmounting the filesystem.
+##	</summary>
 ## </param>
 #
 interface(`kernel_unmount_debugfs',`
@ -397,7 +445,9 @@ interface(`kernel_unmount_debugfs',`
 ##	Remount a kernel debugging filesystem.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the domain remounting the filesystem.
+##	</summary>
 ## </param>
 #
 interface(`kernel_remount_debugfs',`
@ -413,7 +463,9 @@ interface(`kernel_remount_debugfs',`
 ##	Search the contents of a kernel debugging filesystem.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_search_debugfs',`
@ -429,7 +481,9 @@ interface(`kernel_search_debugfs',`
 ##	Read information from the debugging filesystem.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_read_debugfs',`
@ -447,7 +501,9 @@ interface(`kernel_read_debugfs',`
 ##	Get the attributes of the proc filesystem.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_getattr_proc',`
@ -463,7 +519,9 @@ interface(`kernel_getattr_proc',`
 ##	Search directories in /proc.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_search_proc',`
@ -479,7 +537,9 @@ interface(`kernel_search_proc',`
 ##	List the contents of directories in /proc.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_list_proc',`
@ -496,7 +556,9 @@ interface(`kernel_list_proc',`
 ##	contents of directories in /proc.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`kernel_dontaudit_list_proc',`
@ -512,7 +574,9 @@ interface(`kernel_dontaudit_list_proc',`
 ##	Get the attributes of files in /proc.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_getattr_proc_files',`
@ -529,7 +593,9 @@ interface(`kernel_getattr_proc_files',`
 ##	Read symbolic links in /proc.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_read_proc_symlinks',`
@ -546,7 +612,9 @@ interface(`kernel_read_proc_symlinks',`
 ##	Allows caller to read system state information in proc.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type reading the system state information.
+##	</summary>
 ## </param>
 #
 interface(`kernel_read_system_state',`
@ -564,7 +632,9 @@ interface(`kernel_read_system_state',`
 ##	Write to generic proc entries.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 # cjp: this should probably go away.  any
@ -586,7 +656,9 @@ interface(`kernel_write_proc_files',`
 ##	read system state information in proc.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type not to audit.
+##	</summary>
 ## </param>
 #
 interface(`kernel_dontaudit_read_system_state',`
@ -603,7 +675,9 @@ interface(`kernel_dontaudit_read_system_state',`
 ##	read system state information in proc.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type not to audit.
+##	</summary>
 ## </param>
 #
 interface(`kernel_dontaudit_read_proc_symlinks',`
@ -619,7 +693,9 @@ interface(`kernel_dontaudit_read_proc_symlinks',`
 ##	Allow caller to read the state information for software raid.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type reading software raid state.
+##	</summary>
 ## </param>
 #
 interface(`kernel_read_software_raid_state',`
@ -636,7 +712,9 @@ interface(`kernel_read_software_raid_state',`
 ##	Allow caller to read and set the state information for software raid.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type reading software raid state.
+##	</summary>
 ## </param>
 #
 interface(`kernel_rw_software_raid_state',`
@ -653,7 +731,9 @@ interface(`kernel_rw_software_raid_state',`
 ##	Allows caller to get attribues of core kernel interface.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type getting the attibutes.
+##	</summary>
 ## </param>
 #
 interface(`kernel_getattr_core_if',`
@ -671,7 +751,9 @@ interface(`kernel_getattr_core_if',`
 ##	core kernel interfaces.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type to not audit.
+##	</summary>
 ## </param>
 #
 interface(`kernel_dontaudit_getattr_core_if',`
@ -688,7 +770,9 @@ interface(`kernel_dontaudit_getattr_core_if',`
 ##	using the /proc/kmsg interface.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type reading the messages.
+##	</summary>
 ## </param>
 #
 interface(`kernel_read_messages',`
@ -708,7 +792,9 @@ interface(`kernel_read_messages',`
 ##	interface (/proc/kmsg).
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type getting the attributes.
+##	</summary>
 ## </param>
 #
 interface(`kernel_getattr_message_if',`
@ -726,7 +812,9 @@ interface(`kernel_getattr_message_if',`
 ##	message interfaces.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type not to audit.
+##	</summary>
 ## </param>
 #
 interface(`kernel_dontaudit_getattr_message_if',`
@ -743,7 +831,9 @@ interface(`kernel_dontaudit_getattr_message_if',`
 ##	state directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type reading the state.
+##	</summary>
 ## </param>
 ##
 #
@ -760,7 +850,9 @@ interface(`kernel_dontaudit_search_network_state',`
 ##	Allow searching of network state directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type reading the state.
+##	</summary>
 ## </param>
 ##
 #
@ -777,7 +869,9 @@ interface(`kernel_search_network_state',`
 ##	Allow caller to read the network state information.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type reading the state.
+##	</summary>
 ## </param>
 ##
 #
@ -797,7 +891,9 @@ interface(`kernel_read_network_state',`
 ##	Allow caller to read the network state symbolic links.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type reading the state.
+##	</summary>
 ## </param>
 ##
 #
@ -817,7 +913,9 @@ interface(`kernel_read_network_state_symlinks',`
 ##	the base directory of sysctls.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type not to audit.
+##	</summary>
 ## </param>
 ##
 #
@ -834,7 +932,9 @@ interface(`kernel_dontaudit_search_sysctl',`
 ##	Allow access to read sysctl directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type to allow to read sysctl directories.
+##	</summary>
 ## </param>
 ##
 #
@ -851,7 +951,9 @@ interface(`kernel_read_sysctl',`
 ##	Allow caller to read the device sysctls.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type to allow to read the device sysctls.
+##	</summary>
 ## </param>
 #
 interface(`kernel_read_device_sysctls',`
@ -870,7 +972,9 @@ interface(`kernel_read_device_sysctls',`
 ##	Read and write device sysctls.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_rw_device_sysctls',`
@ -888,7 +992,9 @@ interface(`kernel_rw_device_sysctls',`
 ##	Allow caller to search virtual memory sysctls.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 ##
 #
@ -905,7 +1011,9 @@ interface(`kernel_search_vm_sysctl',`
 ##	Allow caller to read virtual memory sysctls.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 ##
 #
@ -924,7 +1032,9 @@ interface(`kernel_read_vm_sysctls',`
 ##	Read and write virtual memory sysctls.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_rw_vm_sysctls',`
@ -942,7 +1052,9 @@ interface(`kernel_rw_vm_sysctls',`
 ##	Search network sysctl directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_search_network_sysctl',`
@ -958,7 +1070,9 @@ interface(`kernel_search_network_sysctl',`
 ##	Do not audit attempts by caller to search network sysctl directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type not to audit.
+##	</summary>
 ## </param>
 #
 interface(`kernel_dontaudit_search_network_sysctl',`
@ -974,7 +1088,9 @@ interface(`kernel_dontaudit_search_network_sysctl',`
 ##	Allow caller to read network sysctls.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 ##
 #
@ -994,7 +1110,9 @@ interface(`kernel_read_net_sysctls',`
 ##	Allow caller to modiry contents of sysctl network files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_rw_net_sysctls',`
@ -1014,7 +1132,9 @@ interface(`kernel_rw_net_sysctls',`
 ##	socket sysctls.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_read_unix_sysctls',`
@ -1034,7 +1154,9 @@ interface(`kernel_read_unix_sysctls',`
 ##	socket sysctls.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_rw_unix_sysctls',`
@ -1053,7 +1175,9 @@ interface(`kernel_rw_unix_sysctls',`
 ##	Read the hotplug sysctl.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_read_hotplug_sysctls',`
@ -1072,7 +1196,9 @@ interface(`kernel_read_hotplug_sysctls',`
 ##	Read and write the hotplug sysctl.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_rw_hotplug_sysctls',`
@ -1091,7 +1217,9 @@ interface(`kernel_rw_hotplug_sysctls',`
 ##	Read the modprobe sysctl.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_read_modprobe_sysctls',`
@ -1110,7 +1238,9 @@ interface(`kernel_read_modprobe_sysctls',`
 ##	Read and write the modprobe sysctl.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_rw_modprobe_sysctls',`
@ -1129,7 +1259,9 @@ interface(`kernel_rw_modprobe_sysctls',`
 ##	Do not audit attempts to search generic kernel sysctls.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`kernel_dontaudit_search_kernel_sysctl',`
@ -1145,7 +1277,9 @@ interface(`kernel_dontaudit_search_kernel_sysctl',`
 ##	Read generic kernel sysctls.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_read_kernel_sysctls',`
@ -1164,7 +1298,9 @@ interface(`kernel_read_kernel_sysctls',`
 ##	Do not audit attempts to write generic kernel sysctls.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`kernel_dontaudit_write_kernel_sysctl',`
@ -1180,7 +1316,9 @@ interface(`kernel_dontaudit_write_kernel_sysctl',`
 ##	Read and write generic kernel sysctls.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_rw_kernel_sysctl',`
@ -1199,7 +1337,9 @@ interface(`kernel_rw_kernel_sysctl',`
 ##	Read filesystem sysctls.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_read_fs_sysctls',`
@ -1218,7 +1358,9 @@ interface(`kernel_read_fs_sysctls',`
 ##	Read and write fileystem sysctls.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_rw_fs_sysctls',`
@ -1237,7 +1379,9 @@ interface(`kernel_rw_fs_sysctls',`
 ##	Read IRQ sysctls.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_read_irq_sysctls',`
@ -1255,7 +1399,9 @@ interface(`kernel_read_irq_sysctls',`
 ##	Read and write IRQ sysctls.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 ##
 #
@ -1304,7 +1450,9 @@ interface(`kernel_rw_rpc_sysctls',`
 ##	Allow caller to read all sysctls.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_read_all_sysctls',`
@ -1325,7 +1473,9 @@ interface(`kernel_read_all_sysctls',`
 ##	Read and write all sysctls.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_rw_all_sysctls',`
@ -1346,7 +1496,9 @@ interface(`kernel_rw_all_sysctls',`
 ##	Send a kill signal to unlabeled processes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_kill_unlabeled',`
@ -1362,7 +1514,9 @@ interface(`kernel_kill_unlabeled',`
 ##	Send general signals to unlabeled processes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_signal_unlabeled',`
@ -1378,7 +1532,9 @@ interface(`kernel_signal_unlabeled',`
 ##	Send a null signal to unlabeled processes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_signull_unlabeled',`
@ -1394,7 +1550,9 @@ interface(`kernel_signull_unlabeled',`
 ##	Send a stop signal to unlabeled processes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_sigstop_unlabeled',`
@ -1410,7 +1568,9 @@ interface(`kernel_sigstop_unlabeled',`
 ##	Send a child terminated signal to unlabeled processes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_sigchld_unlabeled',`
@ -1426,7 +1586,9 @@ interface(`kernel_sigchld_unlabeled',`
 ##	List unlabeled directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_list_unlabeled',`
@ -1442,7 +1604,9 @@ interface(`kernel_list_unlabeled',`
 ##	Do not audit attempts to list unlabeled directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_dontaudit_list_unlabeled',`
@ -1458,7 +1622,9 @@ interface(`kernel_dontaudit_list_unlabeled',`
 ##	Read and write unlabeled directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_rw_unlabeled_dirs',`
@ -1475,7 +1641,9 @@ interface(`kernel_rw_unlabeled_dirs',`
 ##	attributes of an unlabeled file.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type not to audit.
+##	</summary>
 ## </param>
 #
 interface(`kernel_dontaudit_getattr_unlabeled_files',`
@ -1492,7 +1660,9 @@ interface(`kernel_dontaudit_getattr_unlabeled_files',`
 ##	read an unlabeled file.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`kernel_dontaudit_read_unlabeled_files',`
@ -1509,7 +1679,9 @@ interface(`kernel_dontaudit_read_unlabeled_files',`
 ##	attributes of unlabeled symbolic links.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type not to audit.
+##	</summary>
 ## </param>
 #
 interface(`kernel_dontaudit_getattr_unlabeled_symlinks',`
@ -1526,7 +1698,9 @@ interface(`kernel_dontaudit_getattr_unlabeled_symlinks',`
 ##	attributes of unlabeled named pipes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type not to audit.
+##	</summary>
 ## </param>
 #
 interface(`kernel_dontaudit_getattr_unlabeled_pipes',`
@ -1543,7 +1717,9 @@ interface(`kernel_dontaudit_getattr_unlabeled_pipes',`
 ##	attributes of unlabeled named sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type not to audit.
+##	</summary>
 ## </param>
 #
 interface(`kernel_dontaudit_getattr_unlabeled_sockets',`
@ -1560,7 +1736,9 @@ interface(`kernel_dontaudit_getattr_unlabeled_sockets',`
 ##	unlabeled block devices.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type not to audit.
+##	</summary>
 ## </param>
 #
 interface(`kernel_dontaudit_getattr_unlabeled_blk_files',`
@ -1576,7 +1754,9 @@ interface(`kernel_dontaudit_getattr_unlabeled_blk_files',`
 ##	Read and write unlabeled block device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_rw_unlabeled_blk_files',`
@ -1593,7 +1773,9 @@ interface(`kernel_rw_unlabeled_blk_files',`
 ##	unlabeled character devices.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type not to audit.
+##	</summary>
 ## </param>
 #
 interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
@ -1609,7 +1791,9 @@ interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
 ##	Allow caller to relabel unlabeled directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type relabeling the objects.
+##	</summary>
 ## </param>
 #
 interface(`kernel_relabelfrom_unlabeled_dirs',`
@ -1625,7 +1809,9 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
 ##	Allow caller to relabel unlabeled files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type relabeling the objects.
+##	</summary>
 ## </param>
 #
 interface(`kernel_relabelfrom_unlabeled_files',`
@ -1642,7 +1828,9 @@ interface(`kernel_relabelfrom_unlabeled_files',`
 ##	Allow caller to relabel unlabeled symbolic links.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type relabeling the objects.
+##	</summary>
 ## </param>
 #
 interface(`kernel_relabelfrom_unlabeled_symlinks',`
@ -1659,7 +1847,9 @@ interface(`kernel_relabelfrom_unlabeled_symlinks',`
 ##	Allow caller to relabel unlabeled named pipes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type relabeling the objects.
+##	</summary>
 ## </param>
 #
 interface(`kernel_relabelfrom_unlabeled_pipes',`
@ -1676,7 +1866,9 @@ interface(`kernel_relabelfrom_unlabeled_pipes',`
 ##	Allow caller to relabel unlabeled named sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type relabeling the objects.
+##	</summary>
 ## </param>
 #
 interface(`kernel_relabelfrom_unlabeled_sockets',`
@ -1708,7 +1900,9 @@ interface(`kernel_relabelfrom_unlabeled_sockets',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_sendrecv_unlabeled_association',`
@ -1724,7 +1918,9 @@ interface(`kernel_sendrecv_unlabeled_association',`
 ##	Unconfined access to kernel module resources.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kernel_unconfined',`
--- a/refpolicy/policy/modules/kernel/mls.if
+++ b/refpolicy/policy/modules/kernel/mls.if
@ -17,7 +17,9 @@
 ##	for reading from files at higher levels.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`mls_file_read_up',`
@ -34,7 +36,9 @@ interface(`mls_file_read_up',`
 ##	for writing to files at lower levels.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`mls_file_write_down',`
@ -51,7 +55,9 @@ interface(`mls_file_write_down',`
 ##	for raising the level of files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`mls_file_upgrade',`
@ -68,7 +74,9 @@ interface(`mls_file_upgrade',`
 ##	for lowering the level of files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`mls_file_downgrade',`
@ -86,7 +94,9 @@ interface(`mls_file_downgrade',`
 ##	the current level.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`mls_rangetrans_source',`
@ -104,7 +114,9 @@ interface(`mls_rangetrans_source',`
 ##	the current level.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`mls_rangetrans_target',`
@ -121,7 +133,9 @@ interface(`mls_rangetrans_target',`
 ##	for reading from processes at higher levels.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`mls_process_read_up',`
@ -138,7 +152,9 @@ interface(`mls_process_read_up',`
 ##	for writing to processes at lower levels.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`mls_process_write_down',`
@ -156,7 +172,9 @@ interface(`mls_process_write_down',`
 ##	it executes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`mls_process_set_level',`
@ -184,7 +202,9 @@ interface(`mls_process_set_level',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	The type of the object.
+##	</summary>
 ## </param>
 #
 interface(`mls_trusted_object',`
--- a/refpolicy/policy/modules/kernel/selinux.if
+++ b/refpolicy/policy/modules/kernel/selinux.if
@ -10,7 +10,9 @@
 ##	Gets the caller the mountpoint of the selinuxfs filesystem.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type requesting the selinuxfs mountpoint.
+##	</summary>
 ## </param>
 #
 interface(`selinux_get_fs_mount',`
@ -25,7 +27,9 @@ interface(`selinux_get_fs_mount',`
 ##	attributes of the selinuxfs directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`selinux_dontaudit_getattr_dir',`
@ -41,7 +45,9 @@ interface(`selinux_dontaudit_getattr_dir',`
 ##	Search selinuxfs.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`selinux_search_fs',`
@ -57,7 +63,9 @@ interface(`selinux_search_fs',`
 ##	Do not audit attempts to search selinuxfs.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`selinux_dontaudit_search_fs',`
@ -74,7 +82,9 @@ interface(`selinux_dontaudit_search_fs',`
 ##	generic selinuxfs entries
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`selinux_dontaudit_read_fs',`
@ -92,7 +102,9 @@ interface(`selinux_dontaudit_read_fs',`
 ##	(enforcing or permissive mode).
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type to allow to get the enforcing mode.
+##	</summary>
 ## </param>
 #
 interface(`selinux_get_enforce_mode',`
@ -120,7 +132,9 @@ interface(`selinux_get_enforce_mode',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	The process type to allow to set the enforcement mode.
+##	</summary>
 ## </param>
 #
 interface(`selinux_set_enforce_mode',`
@ -145,7 +159,9 @@ interface(`selinux_set_enforce_mode',`
 ##	Allow caller to load the policy into the kernel.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type that will load the policy.
+##	</summary>
 ## </param>
 #
 interface(`selinux_load_policy',`
@ -181,7 +197,9 @@ interface(`selinux_load_policy',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	The process type allowed to set the Boolean.
+##	</summary>
 ## </param>
 #
 interface(`selinux_set_boolean',`
@ -216,7 +234,9 @@ interface(`selinux_set_boolean',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	The process type to allow to set security parameters.
+##	</summary>
 ## </param>
 #
 interface(`selinux_set_parameters',`
@ -237,7 +257,9 @@ interface(`selinux_set_parameters',`
 ##	Allows caller to validate security contexts.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type permitted to validate contexts.
+##	</summary>
 ## </param>
 #
 interface(`selinux_validate_context',`
@ -255,7 +277,9 @@ interface(`selinux_validate_context',`
 ##	Allows caller to compute an access vector.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type allowed to compute an access vector.
+##	</summary>
 ## </param>
 #
 interface(`selinux_compute_access_vector',`
@ -273,7 +297,9 @@ interface(`selinux_compute_access_vector',`
 ##	Calculate the default type for object creation.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`selinux_compute_create_context',`
@ -292,7 +318,9 @@ interface(`selinux_compute_create_context',`
 ##	directory members.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`selinux_compute_member',`
@ -319,7 +347,9 @@ interface(`selinux_compute_member',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`selinux_compute_relabel_context',`
@ -337,7 +367,9 @@ interface(`selinux_compute_relabel_context',`
 ##	Allows caller to compute possible contexts for a user.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The process type allowed to compute user contexts.
+##	</summary>
 ## </param>
 #
 interface(`selinux_compute_user_contexts',`
@ -355,7 +387,9 @@ interface(`selinux_compute_user_contexts',`
 ##	Unconfined access to the SELinux kernel security server.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`selinux_unconfined',`
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@ -6,7 +6,9 @@
 ##	device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_getattr_fixed_disk_dev',`
@ -24,7 +26,9 @@ interface(`storage_getattr_fixed_disk_dev',`
 ##	the attributes of fixed disk device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process to not audit.
+##	</summary>
 ## </param>
 #
 interface(`storage_dontaudit_getattr_fixed_disk_dev',`
@ -41,7 +45,9 @@ interface(`storage_dontaudit_getattr_fixed_disk_dev',`
 ##	device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_setattr_fixed_disk_dev',`
@ -59,7 +65,9 @@ interface(`storage_setattr_fixed_disk_dev',`
 ##	the attributes of fixed disk device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process to not audit.
+##	</summary>
 ## </param>
 #
 interface(`storage_dontaudit_setattr_fixed_disk_dev',`
@ -78,7 +86,9 @@ interface(`storage_dontaudit_setattr_fixed_disk_dev',`
 ##	should only be used by trusted domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_raw_read_fixed_disk',`
@ -98,7 +108,9 @@ interface(`storage_raw_read_fixed_disk',`
 ##	fixed disk device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process to not audit.
+##	</summary>
 ## </param>
 #
 interface(`storage_dontaudit_read_fixed_disk',`
@ -118,7 +130,9 @@ interface(`storage_dontaudit_read_fixed_disk',`
 ##	should only be used by trusted domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_raw_write_fixed_disk',`
@ -138,7 +152,9 @@ interface(`storage_raw_write_fixed_disk',`
 ##	fixed disk device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`storage_dontaudit_write_fixed_disk',`
@ -155,7 +171,9 @@ interface(`storage_dontaudit_write_fixed_disk',`
 ##	Create block devices in /dev with the fixed disk type.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_create_fixed_disk',`
@ -174,7 +192,9 @@ interface(`storage_create_fixed_disk',`
 ##	Create, read, write, and delete fixed disk device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_manage_fixed_disk',`
@ -193,7 +213,9 @@ interface(`storage_manage_fixed_disk',`
 ##	Create fixed disk device nodes on a tmpfs filesystem.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_create_fixed_disk_tmpfs',`
@ -213,7 +235,9 @@ interface(`storage_create_fixed_disk_tmpfs',`
 ##	Relabel fixed disk device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_relabel_fixed_disk',`
@ -230,7 +254,9 @@ interface(`storage_relabel_fixed_disk',`
 ##	Enable a fixed disk device as swap space
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_swapon_fixed_disk',`
@ -248,7 +274,9 @@ interface(`storage_swapon_fixed_disk',`
 ##	the generic SCSI interface device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_getattr_scsi_generic_dev',`
@ -266,7 +294,9 @@ interface(`storage_getattr_scsi_generic_dev',`
 ##	the generic SCSI interface device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_setattr_scsi_generic_dev',`
@ -287,7 +317,9 @@ interface(`storage_setattr_scsi_generic_dev',`
 ##	should only be used by trusted domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_read_scsi_generic',`
@ -310,7 +342,9 @@ interface(`storage_read_scsi_generic',`
 ##	should only be used by trusted domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_write_scsi_generic',`
@ -330,7 +364,9 @@ interface(`storage_write_scsi_generic',`
 ##	for the SCSI generic inerface.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_setattr_scsi_generic_dev_dev',`
@ -348,7 +384,9 @@ interface(`storage_setattr_scsi_generic_dev_dev',`
 ##	SCSI generic device interfaces.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`storage_dontaudit_rw_scsi_generic',`
@ -365,7 +403,9 @@ interface(`storage_dontaudit_rw_scsi_generic',`
 ##	devices device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_getattr_removable_dev',`
@ -383,7 +423,9 @@ interface(`storage_getattr_removable_dev',`
 ##	the attributes of removable devices device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process to not audit.
+##	</summary>
 ## </param>
 #
 interface(`storage_dontaudit_getattr_removable_dev',`
@ -400,7 +442,9 @@ interface(`storage_dontaudit_getattr_removable_dev',`
 ##	removable devices device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process to not audit.
+##	</summary>
 ## </param>
 #
 interface(`storage_dontaudit_read_removable_device',`
@ -418,7 +462,9 @@ interface(`storage_dontaudit_read_removable_device',`
 ##	devices device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_setattr_removable_dev',`
@ -436,7 +482,9 @@ interface(`storage_setattr_removable_dev',`
 ##	the attributes of removable devices device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process to not audit.
+##	</summary>
 ## </param>
 #
 interface(`storage_dontaudit_setattr_removable_dev',`
@ -456,7 +504,9 @@ interface(`storage_dontaudit_setattr_removable_dev',`
 ##	should only be used by trusted domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_raw_read_removable_device',`
@ -473,7 +523,9 @@ interface(`storage_raw_read_removable_device',`
 ##	Do not audit attempts to directly read removable devices.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`storage_dontaudit_raw_read_removable_device',`
@ -493,7 +545,9 @@ interface(`storage_dontaudit_raw_read_removable_device',`
 ##	should only be used by trusted domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_raw_write_removable_device',`
@ -510,7 +564,9 @@ interface(`storage_raw_write_removable_device',`
 ##	Do not audit attempts to directly write removable devices.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`storage_dontaudit_raw_write_removable_device',`
@ -527,7 +583,9 @@ interface(`storage_dontaudit_raw_write_removable_device',`
 ##	a tape device.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_read_tape',`
@ -545,7 +603,9 @@ interface(`storage_read_tape',`
 ##	a tape device.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_write_tape',`
@ -563,7 +623,9 @@ interface(`storage_write_tape',`
 ##	of device nodes of tape devices.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_getattr_tape_dev',`
@ -581,7 +643,9 @@ interface(`storage_getattr_tape_dev',`
 ##	of device nodes of tape devices.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`storage_setattr_tape_dev',`
@ -598,7 +662,9 @@ interface(`storage_setattr_tape_dev',`
 ##	Unconfined access to storage devices.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`storage_unconfined',`
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@ -8,7 +8,9 @@
 ##	Transform specified type into a pty type.
 ## </summary>
 ## <param name="pty_type">
+##	<summary>
 ##	An object type that will applied to a pty.
+##	</summary>
 ## </param>
 #
 interface(`term_pty',`
@ -29,11 +31,15 @@ interface(`term_pty',`
 ##	type change by login programs such as ssh.
 ## </summary>
 ## <param name="userdomain">
+##	<summary>
 ##	The type of the user domain associated with
 ##	this pty.
+##	</summary>
 ## </param>
 ## <param name="object_type">
+##	<summary>
 ##	An object type that will applied to a pty.
+##	</summary>
 ## </param>
 #
 interface(`term_user_pty',`
@ -51,7 +57,9 @@ interface(`term_user_pty',`
 ##	used by login programs, such as sshd.
 ## </summary>
 ## <param name="pty_type">
+##	<summary>
 ##	An object type that will applied to a pty.
+##	</summary>
 ## </param>
 #
 interface(`term_login_pty',`
@ -68,7 +76,9 @@ interface(`term_login_pty',`
 ##	Transform specified type into a tty type.
 ## </summary>
 ## <param name="tty_type">
+##	<summary>
 ##	An object type that will applied to a tty.
+##	</summary>
 ## </param>
 #
 interface(`term_tty',`
@ -102,10 +112,14 @@ interface(`term_tty',`
 ##	Create a pty in the /dev/pts directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process creating the pty.
+##	</summary>
 ## </param>
 ## <param name="pty_type">
+##	<summary>
 ##	The type of the pty.
+##	</summary>
 ## </param>
 #
 interface(`term_create_pty',`
@ -128,7 +142,9 @@ interface(`term_create_pty',`
 ##	ttys and all ptys.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_use_all_terms',`
@ -147,7 +163,9 @@ interface(`term_use_all_terms',`
 ##	Write to the console.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_write_console',`
@ -164,7 +182,9 @@ interface(`term_write_console',`
 ##	Read from the console.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_read_console',`
@ -181,7 +201,9 @@ interface(`term_read_console',`
 ##	Read from and write to the console.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_use_console',`
@ -199,7 +221,9 @@ interface(`term_use_console',`
 ##	or write to the console.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_dontaudit_use_console',`
@ -216,7 +240,9 @@ interface(`term_dontaudit_use_console',`
 ##	device node.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_setattr_console',`
@ -234,7 +260,9 @@ interface(`term_setattr_console',`
 ##	attributes of the /dev/pts directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process to not audit.
+##	</summary>
 ## </param>
 #
 interface(`term_dontaudit_getattr_pty_dirs',`
@ -250,7 +278,9 @@ interface(`term_dontaudit_getattr_pty_dirs',`
 ##	Search the contents of the /dev/pts directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_search_ptys',`
@ -268,7 +298,9 @@ interface(`term_search_ptys',`
 ##	contents of the /dev/pts directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_dontaudit_search_ptys',`
@ -286,7 +318,9 @@ interface(`term_dontaudit_search_ptys',`
 ##	list all ptys.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_list_ptys',`
@ -304,7 +338,9 @@ interface(`term_list_ptys',`
 ##	/dev/pts directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process to not audit.
+##	</summary>
 ## </param>
 #
 interface(`term_dontaudit_list_ptys',`
@ -321,7 +357,9 @@ interface(`term_dontaudit_list_ptys',`
 ##	write, or delete the /dev/pts directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process to not audit.
+##	</summary>
 ## </param>
 #
 interface(`term_dontaudit_manage_pty_dirs',`
@ -337,7 +375,9 @@ interface(`term_dontaudit_manage_pty_dirs',`
 ##	ioctl of generic pty types.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 # cjp: added for ppp
@ -358,7 +398,9 @@ interface(`term_ioctl_generic_ptys',`
 ##	the targeted policy.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_use_generic_ptys',`
@ -378,7 +420,9 @@ interface(`term_use_generic_ptys',`
 ##	generally only used in the targeted policy.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process to not audit.
+##	</summary>
 ## </param>
 #
 interface(`term_dontaudit_use_generic_ptys',`
@ -395,7 +439,9 @@ interface(`term_dontaudit_use_generic_ptys',`
 ##	terminal (/dev/tty).
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_use_controlling_term',`
@ -412,7 +458,9 @@ interface(`term_use_controlling_term',`
 ##	Read and write the pty multiplexor (/dev/ptmx).
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process to allow access.
+##	</summary>
 ## </param>
 #
 interface(`term_use_ptmx',`
@ -429,7 +477,9 @@ interface(`term_use_ptmx',`
 ##	write the pty multiplexor (/dev/ptmx).
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process to not audit.
+##	</summary>
 ## </param>
 #
 interface(`term_dontaudit_use_ptmx',`
@ -446,7 +496,9 @@ interface(`term_dontaudit_use_ptmx',`
 ##	pty device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_getattr_all_user_ptys',`
@ -466,7 +518,9 @@ interface(`term_getattr_all_user_ptys',`
 ##	device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_dontaudit_getattr_all_user_ptys',`
@ -485,7 +539,9 @@ interface(`term_dontaudit_getattr_all_user_ptys',`
 ##	pty device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_setattr_all_user_ptys',`
@ -503,7 +559,9 @@ interface(`term_setattr_all_user_ptys',`
 ##	Relabel to all user ptys.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_relabelto_all_user_ptys',`
@ -519,7 +577,9 @@ interface(`term_relabelto_all_user_ptys',`
 ##	Read and write all user ptys.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_use_all_user_ptys',`
@ -539,7 +599,9 @@ interface(`term_use_all_user_ptys',`
 ##	user ptys.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process to not audit.
+##	</summary>
 ## </param>
 #
 interface(`term_dontaudit_use_all_user_ptys',`
@ -556,7 +618,9 @@ interface(`term_dontaudit_use_all_user_ptys',`
 ##	user pty device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_relabel_all_user_ptys',`
@ -576,7 +640,9 @@ interface(`term_relabel_all_user_ptys',`
 ##	tty device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_getattr_unallocated_ttys',`
@ -594,7 +660,9 @@ interface(`term_getattr_unallocated_ttys',`
 ##	of all unallocated tty device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_dontaudit_getattr_unallocated_ttys',`
@ -611,7 +679,9 @@ interface(`term_dontaudit_getattr_unallocated_ttys',`
 ##	tty device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_setattr_unallocated_ttys',`
@ -629,7 +699,9 @@ interface(`term_setattr_unallocated_ttys',`
 ##	unallocated tty device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_dontaudit_ioctl_unallocated_ttys',`
@ -646,7 +718,9 @@ interface(`term_dontaudit_ioctl_unallocated_ttys',`
 ##	tty type.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_relabel_unallocated_ttys',`
@ -664,7 +738,9 @@ interface(`term_relabel_unallocated_ttys',`
 ##	the unallocated tty type.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_reset_tty_labels',`
@ -683,7 +759,9 @@ interface(`term_reset_tty_labels',`
 ##	Write to unallocated ttys.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_write_unallocated_ttys',`
@ -700,7 +778,9 @@ interface(`term_write_unallocated_ttys',`
 ##	Read and write unallocated ttys.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_use_unallocated_ttys',`
@ -718,7 +798,9 @@ interface(`term_use_unallocated_ttys',`
 ##	write unallocated ttys.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process to not audit.
+##	</summary>
 ## </param>
 #
 interface(`term_dontaudit_use_unallocated_ttys',`
@ -735,7 +817,9 @@ interface(`term_dontaudit_use_unallocated_ttys',`
 ##	device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_getattr_all_user_ttys',`
@ -754,7 +838,9 @@ interface(`term_getattr_all_user_ttys',`
 ##	device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_dontaudit_getattr_all_user_ttys',`
@ -772,7 +858,9 @@ interface(`term_dontaudit_getattr_all_user_ttys',`
 ##	device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_setattr_all_user_ttys',`
@ -790,7 +878,9 @@ interface(`term_setattr_all_user_ttys',`
 ##	user tty device nodes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_relabel_all_user_ttys',`
@ -807,7 +897,9 @@ interface(`term_relabel_all_user_ttys',`
 ##	Write to all user ttys.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_write_all_user_ttys',`
@ -824,7 +916,9 @@ interface(`term_write_all_user_ttys',`
 ##	Read and write all user to all user ttys.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_use_all_user_ttys',`
@ -842,7 +936,9 @@ interface(`term_use_all_user_ttys',`
 ##	any user ttys.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`term_dontaudit_use_all_user_ttys',`
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@ -6,7 +6,9 @@
 ##	web content.
 ## </summary>
 ## <param name="prefix">
+##	<summary>
 ##	The prefix to be used for deriving type names.
+##	</summary>
 ## </param>
 #
 template(`apache_content_template',`
@ -246,14 +248,20 @@ template(`apache_content_template',`
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
+##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
+##	</summary>
 ## </param>
 ## <param name="user_domain">
+##	<summary>
 ##	The type of the user domain.
+##	</summary>
 ## </param>
 ## <param name="user_role">
+##	<summary>
 ##	The role associated with the user domain.
+##	</summary>
 ## </param>
 #
 template(`apache_per_userdomain_template', `
@ -326,7 +334,9 @@ template(`apache_per_userdomain_template', `
 ##	Transition to apache.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`apache_domtrans',`
@ -348,7 +358,9 @@ interface(`apache_domtrans',`
 ##	Send a null signal to apache.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`apache_signull',`
@ -364,7 +376,9 @@ interface(`apache_signull',`
 ##	Send a SIGCHLD signal to apache.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`apache_sigchld',`
@ -380,7 +394,9 @@ interface(`apache_sigchld',`
 ##	Inherit and use file descriptors from Apache.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`apache_use_fd',`
@ -397,7 +413,9 @@ interface(`apache_use_fd',`
 ##	unix domain stream sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`apache_dontaudit_rw_stream_sockets',`
@ -414,7 +432,9 @@ interface(`apache_dontaudit_rw_stream_sockets',`
 ##	TCP sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`apache_dontaudit_rw_tcp_sockets',`
@ -431,7 +451,9 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
 ##	apache configuration files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`apache_read_config',`
@ -451,7 +473,9 @@ interface(`apache_read_config',`
 ##	a domain transition.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`apache_domtrans_helper',`
@ -475,13 +499,19 @@ interface(`apache_domtrans_helper',`
 ##	specified role the dmidecode domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the dmidecode domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the dmidecode domain to use.
+##	</summary>
 ## </param>
 #
 interface(`apache_run_helper',`
@ -500,7 +530,9 @@ interface(`apache_run_helper',`
 ##	apache log files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`apache_read_log',`
@ -520,7 +552,9 @@ interface(`apache_read_log',`
 ##	Apache logs.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`apache_dontaudit_append_log',`
@ -537,7 +571,9 @@ interface(`apache_dontaudit_append_log',`
 ##	module directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`apache_dontaudit_search_modules',`
@ -555,7 +591,9 @@ interface(`apache_dontaudit_search_modules',`
 ##	directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`apache_list_modules',`
@ -572,7 +610,9 @@ interface(`apache_list_modules',`
 ##	apache modules.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`apache_exec_modules',`
@ -591,7 +631,9 @@ interface(`apache_exec_modules',`
 ##	apache system content files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 # Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
@ -612,7 +654,9 @@ interface(`apache_manage_sys_content',`
 ##	script domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 # cjp: this interface specifically added to allow
@ -639,7 +683,9 @@ interface(`apache_domtrans_sys_script',`
 ##	system script unix domain stream sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
@ -656,7 +702,9 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
 ##	script domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`apache_domtrans_all_scripts',`
@ -674,10 +722,14 @@ interface(`apache_domtrans_all_scripts',`
 ##	to the specified role.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the script domains.
+##	</summary>
 ## </param>
 #
 # cjp: this is missing the terminal since scripts
@ -697,7 +749,9 @@ interface(`apache_run_all_scripts',`
 ##	apache squirrelmail data.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`apache_read_squirrelmail_data',`
@ -714,7 +768,9 @@ interface(`apache_read_squirrelmail_data',`
 ##	apache squirrelmail data.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`apache_append_squirrelmail_data',`
@ -730,7 +786,9 @@ interface(`apache_append_squirrelmail_data',`
 ##	Search system script state directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`apache_search_sys_script_state',`
--- a/refpolicy/policy/modules/services/apm.if
+++ b/refpolicy/policy/modules/services/apm.if
@ -5,7 +5,9 @@
 ##	Execute APM in the apm domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`apm_domtrans_client',`
@ -27,7 +29,9 @@ interface(`apm_domtrans_client',`
 ##	Use file descriptors for apmd.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`apm_use_fd',`
@ -43,7 +47,9 @@ interface(`apm_use_fd',`
 ##	Write to apmd unnamed pipes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`apm_write_pipes',`
@ -59,7 +65,9 @@ interface(`apm_write_pipes',`
 ##	Read and write to an apm unix stream socket.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`apm_rw_stream_sockets',`
@ -75,7 +83,9 @@ interface(`apm_rw_stream_sockets',`
 ##	Append to apm's log file.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`apm_append_log',`
@ -92,7 +102,9 @@ interface(`apm_append_log',`
 ##	Connect to apmd over an unix stream socket.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`apm_stream_connect',`
--- a/refpolicy/policy/modules/services/arpwatch.if
+++ b/refpolicy/policy/modules/services/arpwatch.if
@ -5,7 +5,9 @@
 ##	Search arpwatch's data file directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`arpwatch_search_data',`
@ -21,7 +23,9 @@ interface(`arpwatch_search_data',`
 ##	Create arpwatch data files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`arpwatch_manage_data_files',`
@ -38,7 +42,9 @@ interface(`arpwatch_manage_data_files',`
 ##	Read and write arpwatch temporary files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`arpwatch_rw_tmp_files',`
@ -54,7 +60,9 @@ interface(`arpwatch_rw_tmp_files',`
 ##	Read and write arpwatch temporary files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`arpwatch_manage_tmp_files',`
@ -71,7 +79,9 @@ interface(`arpwatch_manage_tmp_files',`
 ##	arpwatch packet sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`arpwatch_dontaudit_rw_packet_sockets',`
--- a/refpolicy/policy/modules/services/automount.if
+++ b/refpolicy/policy/modules/services/automount.if
@ -5,7 +5,9 @@
 ##	Execute automount in the automount domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`automount_domtrans',`
@ -28,7 +30,9 @@ interface(`automount_domtrans',`
 ##	Execute automount in the caller domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`automount_exec_config',`
--- a/refpolicy/policy/modules/services/avahi.if
+++ b/refpolicy/policy/modules/services/avahi.if
@ -6,7 +6,9 @@
 ##	avahi over dbus.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`avahi_dbus_chat',`
--- a/refpolicy/policy/modules/services/bind.if
+++ b/refpolicy/policy/modules/services/bind.if
@ -5,7 +5,9 @@
 ##	Execute ndc in the ndc domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`bind_domtrans_ndc',`
@ -26,7 +28,9 @@ interface(`bind_domtrans_ndc',`
 ##	Send generic signals to BIND.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`bind_signal',`
@ -43,13 +47,19 @@ interface(`bind_signal',`
 ##	allow the specified role the ndc domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the bind domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the bind domain to use.
+##	</summary>
 ## </param>
 #
 interface(`bind_run_ndc',`
@ -67,7 +77,9 @@ interface(`bind_run_ndc',`
 ##	Execute bind in the named domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`bind_domtrans',`
@ -88,7 +100,9 @@ interface(`bind_domtrans',`
 ##	Read DNSSEC keys.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`bind_read_dnssec_keys',`
@ -105,7 +119,9 @@ interface(`bind_read_dnssec_keys',`
 ##	Read BIND named configuration files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`bind_read_config',`
@ -122,7 +138,9 @@ interface(`bind_read_config',`
 ##	Write BIND named configuration files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`bind_write_config',`
@ -140,7 +158,9 @@ interface(`bind_write_config',`
 ##	BIND configuration directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`bind_manage_config_dirs',`
@ -156,7 +176,9 @@ interface(`bind_manage_config_dirs',`
 ##	Search the BIND cache directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`bind_search_cache',`
@ -176,7 +198,9 @@ interface(`bind_search_cache',`
 ##	BIND cache files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`bind_manage_cache',`
@ -197,7 +221,9 @@ interface(`bind_manage_cache',`
 ##	of the BIND pid directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`bind_setattr_pid_dirs',`
@ -213,7 +239,9 @@ interface(`bind_setattr_pid_dirs',`
 ##	Read BIND zone files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`bind_read_zone',`
--- a/refpolicy/policy/modules/services/bluetooth.if
+++ b/refpolicy/policy/modules/services/bluetooth.if
@ -5,7 +5,9 @@
 ##	Read bluetooth daemon configuration.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`bluetooth_read_config',`
@ -21,7 +23,9 @@ interface(`bluetooth_read_config',`
 ##	Execute bluetooth_helper in the bluetooth_helper domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`bluetooth_domtrans_helper',`
@ -43,7 +47,9 @@ interface(`bluetooth_domtrans_helper',`
 ##	bluetooth over dbus.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`bluetooth_dbus_chat',`
@ -62,13 +68,19 @@ interface(`bluetooth_dbus_chat',`
 ##	allow the specified role the bluetooth_helper domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the bluetooth_helper domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the bluetooth_helper domain to use.
+##	</summary>
 ## </param>
 #
 interface(`bluetooth_run_helper',`
@ -86,7 +98,9 @@ interface(`bluetooth_run_helper',`
 ##	Read bluetooth helper files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`bluetooth_dontaudit_read_helper_files',`
--- a/refpolicy/policy/modules/services/canna.if
+++ b/refpolicy/policy/modules/services/canna.if
@ -5,7 +5,9 @@
 ##	Connect to Canna using a unix domain stream socket.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`canna_stream_connect',`
--- a/refpolicy/policy/modules/services/cpucontrol.if
+++ b/refpolicy/policy/modules/services/cpucontrol.if
@ -5,7 +5,9 @@
 ##	CPUcontrol stub interface.  No access allowed.
 ## </summary>
 ## <param name="domain" optional="true">
+##	<summary>
 ##	N/A
+##	</summary>
 ## </param>
 #
 interface(`cpucontrol_stub',`
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@ -17,14 +17,20 @@
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
+##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
+##	</summary>
 ## </param>
 ## <param name="user_domain">
+##	<summary>
 ##	The type of the user domain.
+##	</summary>
 ## </param>
 ## <param name="user_role">
+##	<summary>
 ##	The role associated with the user domain.
+##	</summary>
 ## </param>
 #
 template(`cron_per_userdomain_template',`
@ -267,8 +273,10 @@ template(`cron_per_userdomain_template',`
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
+##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
+##	</summary>
 ## </param>
 #
 template(`cron_admin_template',`
@ -304,10 +312,14 @@ template(`cron_admin_template',`
 ##	from the system cron jobs.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process to transition to.
+##	</summary>
 ## </param>
 ## <param name="entrypoint">
+##	<summary>
 ##	The type of the file used as an entrypoint to this domain.
+##	</summary>
 ## </param>
 #
 interface(`cron_system_entry',`
@ -335,7 +347,9 @@ interface(`cron_system_entry',`
 ##	from the cron daemon.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`cron_use_fd',`
@ -351,7 +365,9 @@ interface(`cron_use_fd',`
 ##	Send a SIGCHLD signal to the cron daemon.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`cron_sigchld',`
@ -367,7 +383,9 @@ interface(`cron_sigchld',`
 ##	Read a cron daemon unnamed pipe.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`cron_read_pipes',`
@ -383,7 +401,9 @@ interface(`cron_read_pipes',`
 ##	Do not audit attempts to write cron daemon unnamed pipes.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`cron_dontaudit_write_pipes',`
@ -399,7 +419,9 @@ interface(`cron_dontaudit_write_pipes',`
 ##	Read and write a cron daemon unnamed pipe.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`cron_rw_pipes',`
@ -415,7 +437,9 @@ interface(`cron_rw_pipes',`
 ##	Create, read, and write a cron daemon TCP socket.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 # cjp: need to fix this name
@ -432,7 +456,9 @@ interface(`cron_crw_tcp_socket',`
 ##	Search the directory containing user cron tables.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process to performing this action.
+##	</summary>
 ## </param>
 #
 interface(`cron_search_spool',`
@ -449,7 +475,9 @@ interface(`cron_search_spool',`
 ##	Execute APM in the apm domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`cron_anacron_domtrans_system_job',`
@ -471,7 +499,9 @@ interface(`cron_anacron_domtrans_system_job',`
 ##	from system cron jobs.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`cron_use_system_job_fd',`
@ -487,7 +517,9 @@ interface(`cron_use_system_job_fd',`
 ##	Write a system cron job unnamed pipe.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`cron_write_system_job_pipes',`
@ -503,7 +535,9 @@ interface(`cron_write_system_job_pipes',`
 ##	Read and write a system cron job unnamed pipe.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`cron_rw_system_job_pipes',`
@ -519,7 +553,9 @@ interface(`cron_rw_system_job_pipes',`
 ##	Read temporary files from the system cron jobs.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`cron_read_system_job_tmp_files',`
@ -537,7 +573,9 @@ interface(`cron_read_system_job_tmp_files',`
 ##	files from the system cron jobs.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`cron_dontaudit_append_system_job_tmp_files',`
--- a/refpolicy/policy/modules/services/cups.if
+++ b/refpolicy/policy/modules/services/cups.if
@ -5,7 +5,9 @@
 ##	Execute cups in the cups domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`cups_domtrans',`
@ -27,7 +29,9 @@ interface(`cups_domtrans',`
 ##	cups over dbus.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`cups_dbus_chat',`
@ -45,7 +49,9 @@ interface(`cups_dbus_chat',`
 ##	Execute cups_config in the cups_config domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`cups_domtrans_config',`
@ -67,7 +73,9 @@ interface(`cups_domtrans_config',`
 ##	configuration daemon.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`cups_signal_config',`
@ -84,7 +92,9 @@ interface(`cups_signal_config',`
 ##	cupsd_config over dbus.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`cups_dbus_chat_config',`
@ -102,7 +112,9 @@ interface(`cups_dbus_chat_config',`
 ##	Read cups configuration files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`cups_read_config',`
@ -121,7 +133,9 @@ interface(`cups_read_config',`
 ##	Read cups-writable configuration files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`cups_read_rw_config',`
@ -139,7 +153,9 @@ interface(`cups_read_rw_config',`
 ##	Read cups log files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`cups_read_log',`
@ -156,7 +172,9 @@ interface(`cups_read_log',`
 ##	Connect to ptal over an unix domain stream socket.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`cups_stream_connect_ptal',`
@ -175,7 +193,9 @@ interface(`cups_stream_connect_ptal',`
 ##	Connect to cups over TCP.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`cups_tcp_connect',`
--- a/refpolicy/policy/modules/services/cvs.if
+++ b/refpolicy/policy/modules/services/cvs.if
@ -5,7 +5,9 @@
 ##	Read the CVS data and metadata.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`cvs_read_data',`
--- a/refpolicy/policy/modules/services/cyrus.if
+++ b/refpolicy/policy/modules/services/cyrus.if
@ -6,7 +6,9 @@
 ##	and delete cyrus data files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##      Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`cyrus_manage_data',`
--- a/refpolicy/policy/modules/services/dbus.if
+++ b/refpolicy/policy/modules/services/dbus.if
@ -5,7 +5,9 @@
 ##	DBUS stub interface.  No access allowed.
 ## </summary>
 ## <param name="domain" optional="true">
+##	<summary>
 ##	N/A
+##	</summary>
 ## </param>
 #
 interface(`dbus_stub',`
@ -30,14 +32,20 @@ interface(`dbus_stub',`
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
+##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
+##	</summary>
 ## </param>
 ## <param name="user_domain">
+##	<summary>
 ##	The type of the user domain.
+##	</summary>
 ## </param>
 ## <param name="user_role">
+##	<summary>
 ##	The role associated with the user domain.
+##	</summary>
 ## </param>
 #
 template(`dbus_per_userdomain_template',`
@ -177,11 +185,15 @@ template(`dbus_per_userdomain_template',`
 ##	the system DBUS.
 ## </summary>
 ## <param name="domain_prefix">
+##	<summary>
 ##	The prefix of the domain (e.g., user
 ##	is the prefix for user_t).
+##	</summary>
 ## </param>
 ## <param name="domain">
+##	<summary>
 ##	The type of the domain.
+##	</summary>
 ## </param>
 #
 template(`dbus_system_bus_client_template',`
@ -209,7 +221,9 @@ template(`dbus_system_bus_client_template',`
 ##	Read dbus configuration.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`dbus_read_config',`
@ -226,7 +240,9 @@ interface(`dbus_read_config',`
 ##	for service (acquire_svc).
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`dbus_connect_system_bus',`
@ -243,7 +259,9 @@ interface(`dbus_connect_system_bus',`
 ##	Send a message on the system DBUS.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`dbus_send_system_bus',`
@ -260,7 +278,9 @@ interface(`dbus_send_system_bus',`
 ##	Allow unconfined access to the system DBUS.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`dbus_system_bus_unconfined',`
--- a/refpolicy/policy/modules/services/dhcp.if
+++ b/refpolicy/policy/modules/services/dhcp.if
@ -6,7 +6,9 @@
 ##	server state files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`dhcpd_setattr_state_files',`
--- a/refpolicy/policy/modules/services/dictd.if
+++ b/refpolicy/policy/modules/services/dictd.if
@ -6,7 +6,9 @@
 ##	over TCP.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`dictd_tcp_connect',`
--- a/refpolicy/policy/modules/services/djbdns.if
+++ b/refpolicy/policy/modules/services/djbdns.if
@ -6,7 +6,9 @@
 ##	components that are directly supervised by daemontools.
 ## </summary>
 ## <param name="prefix">
+##	<summary>
 ##      The prefix to be used for deriving type names.
+##	</summary>
 ## </param>
 #
 template(`djbdns_daemontools_domain_template',`
--- a/refpolicy/policy/modules/services/dovecot.if
+++ b/refpolicy/policy/modules/services/dovecot.if
@ -5,7 +5,9 @@
 ##	Create, read, write, and delete the dovecot spool files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`dovecot_manage_spool',`
--- a/refpolicy/policy/modules/services/finger.if
+++ b/refpolicy/policy/modules/services/finger.if
@ -5,7 +5,9 @@
 ##	Execute fingerd in the fingerd domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`finger_domtrans',`
@ -26,7 +28,9 @@ interface(`finger_domtrans',`
 ##	Allow the specified domain to connect to fingerd with a tcp socket.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`finger_tcp_connect',`
--- a/refpolicy/policy/modules/services/ftp.if
+++ b/refpolicy/policy/modules/services/ftp.if
@ -17,8 +17,10 @@
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
+##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
+##	</summary>
 ## </param>
 #
 template(`ftp_per_userdomain_template',`
@ -36,7 +38,9 @@ template(`ftp_per_userdomain_template',`
 ##      Use ftp by connecting over TCP.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##      Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`ftp_tcp_connect',`
@ -54,7 +58,9 @@ interface(`ftp_tcp_connect',`
 ##      Read ftpd etc files
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##      Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`ftp_read_config',`
@ -71,7 +77,9 @@ interface(`ftp_read_config',`
 ##      Execute FTP daemon entry point programs.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##      Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`ftp_check_exec',`
@ -88,7 +96,9 @@ interface(`ftp_check_exec',`
 ##      Read FTP transfer logs
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##      Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`ftp_read_log',`
--- a/refpolicy/policy/modules/services/gpm.if
+++ b/refpolicy/policy/modules/services/gpm.if
@ -6,7 +6,9 @@
 ##	stream socket.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`gpm_stream_connect',`
@ -24,7 +26,9 @@ interface(`gpm_stream_connect',`
 ##	control channel named socket.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`gpm_getattr_gpmctl',`
@ -43,7 +47,9 @@ interface(`gpm_getattr_gpmctl',`
 ##	named socket.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`gpm_dontaudit_getattr_gpmctl',`
@ -60,7 +66,9 @@ interface(`gpm_dontaudit_getattr_gpmctl',`
 ##	control channel named socket.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`gpm_setattr_gpmctl',`
--- a/refpolicy/policy/modules/services/hal.if
+++ b/refpolicy/policy/modules/services/hal.if
@ -5,7 +5,9 @@
 ##	Execute hal in the hal domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`hal_domtrans',`
@ -27,7 +29,9 @@ interface(`hal_domtrans',`
 ##	datagram socket.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`hal_dgram_sendto',`
@ -44,7 +48,9 @@ interface(`hal_dgram_sendto',`
 ##	stream socket.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`hal_stream_connect',`
@ -60,7 +66,9 @@ interface(`hal_stream_connect',`
 ##	Send a dbus message to hal.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`hal_dbus_send',`
@ -78,7 +86,9 @@ interface(`hal_dbus_send',`
 ##	hal over dbus.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`hal_dbus_chat',`
--- a/refpolicy/policy/modules/services/howl.if
+++ b/refpolicy/policy/modules/services/howl.if
@ -5,7 +5,9 @@
 ##	Send generic signals to howl.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`howl_signal',`
--- a/refpolicy/policy/modules/services/i18n_input.if
+++ b/refpolicy/policy/modules/services/i18n_input.if
@ -5,7 +5,9 @@
 ##	Use i18n_input over a TCP connection.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`i18n_use',`
--- a/refpolicy/policy/modules/services/inetd.if
+++ b/refpolicy/policy/modules/services/inetd.if
@ -14,10 +14,14 @@
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	The type associated with the inetd service process.
+##	</summary>
 ## </param>
 ## <param name="entrypoint">
+##	<summary>
 ##	The type associated with the process program.
+##	</summary>
 ## </param>
 #
 interface(`inetd_core_service_domain',`
@ -79,10 +83,14 @@ interface(`inetd_core_service_domain',`
 ##	Define the specified domain as a TCP inetd service.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type associated with the inetd service process.
+##	</summary>
 ## </param>
 ## <param name="entrypoint">
+##	<summary>
 ##	The type associated with the process program.
+##	</summary>
 ## </param>
 #
 interface(`inetd_tcp_service_domain',`
@ -101,10 +109,14 @@ interface(`inetd_tcp_service_domain',`
 ##	Define the specified domain as a UDP inetd service.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type associated with the inetd service process.
+##	</summary>
 ## </param>
 ## <param name="entrypoint">
+##	<summary>
 ##	The type associated with the process program.
+##	</summary>
 ## </param>
 #
 interface(`inetd_udp_service_domain',`
@ -122,10 +134,14 @@ interface(`inetd_udp_service_domain',`
 ##	Define the specified domain as a TCP and UDP inetd service.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type associated with the inetd service process.
+##	</summary>
 ## </param>
 ## <param name="entrypoint">
+##	<summary>
 ##	The type associated with the process program.
+##	</summary>
 ## </param>
 #
 interface(`inetd_service_domain',`
@ -144,7 +160,9 @@ interface(`inetd_service_domain',`
 ##	Inherit and use file descriptors from inetd.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`inetd_use_fd',`
@ -160,7 +178,9 @@ interface(`inetd_use_fd',`
 ##	Connect to the inetd service using a TCP connection.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`inetd_tcp_connect',`
@ -178,7 +198,9 @@ interface(`inetd_tcp_connect',`
 ##	Run inetd child process in the inet child domain
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`inetd_domtrans_child',`
@ -200,7 +222,9 @@ interface(`inetd_domtrans_child',`
 ##	Send UDP network traffic to inetd.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`inetd_udp_sendto',`
@ -217,7 +241,9 @@ interface(`inetd_udp_sendto',`
 ##	Read and write inetd TCP sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`inetd_rw_tcp_sockets',`
--- a/refpolicy/policy/modules/services/inn.if
+++ b/refpolicy/policy/modules/services/inn.if
@ -6,7 +6,9 @@
 ##	in the caller domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`inn_exec',`
@ -23,7 +25,9 @@ interface(`inn_exec',`
 ##	inn configuration files in /etc.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`inn_exec_config',`
@ -39,7 +43,9 @@ interface(`inn_exec_config',`
 ##	Create, read, write, and delete the innd log.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`inn_manage_log',`
@ -57,7 +63,9 @@ interface(`inn_manage_log',`
 ##	Create, read, write, and delete the innd pid files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`inn_manage_pid',`
@ -76,7 +84,9 @@ interface(`inn_manage_pid',`
 ##	Read innd configuration files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`inn_read_config',`
@ -94,7 +104,9 @@ interface(`inn_read_config',`
 ##	Read innd news library files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`inn_read_news_lib',`
@ -112,7 +124,9 @@ interface(`inn_read_news_lib',`
 ##	Read innd news library files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`inn_read_news_spool',`
@ -130,7 +144,9 @@ interface(`inn_read_news_spool',`
 ##	Send to a innd unix dgram socket.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`inn_dgram_send',`
--- a/refpolicy/policy/modules/services/kerberos.if
+++ b/refpolicy/policy/modules/services/kerberos.if
@ -26,7 +26,9 @@
 ##	Use kerberos services
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kerberos_use',`
@ -63,7 +65,9 @@ interface(`kerberos_use',`
 ##	Read the kerberos configuration file (/etc/krb5.conf).
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kerberos_read_config',`
@ -81,7 +85,9 @@ interface(`kerberos_read_config',`
 ##	configuration file (/etc/krb5.conf).
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`kerberos_dontaudit_write_config',`
@ -97,7 +103,9 @@ interface(`kerberos_dontaudit_write_config',`
 ##	Read and write the kerberos configuration file (/etc/krb5.conf).
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kerberos_rw_config',`
@ -114,7 +122,9 @@ interface(`kerberos_rw_config',`
 ##	Read the kerberos key table.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`kerberos_read_keytab',`
--- a/refpolicy/policy/modules/services/ldap.if
+++ b/refpolicy/policy/modules/services/ldap.if
@ -6,7 +6,9 @@
 ##	database directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`ldap_list_db',`
@ -22,7 +24,9 @@ interface(`ldap_list_db',`
 ##	Read the OpenLDAP configuration files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`ldap_read_config',`
@ -39,7 +43,9 @@ interface(`ldap_read_config',`
 ##	Use LDAP over TCP connection.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`ldap_use',`
--- a/refpolicy/policy/modules/services/lpd.if
+++ b/refpolicy/policy/modules/services/lpd.if
@ -16,14 +16,20 @@
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
+##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
+##	</summary>
 ## </param>
 ## <param name="user_domain">
+##	<summary>
 ##	The type of the user domain.
+##	</summary>
 ## </param>
 ## <param name="user_role">
+##	<summary>
 ##	The role associated with the user domain.
+##	</summary>
 ## </param>
 #
 template(`lpd_per_userdomain_template',`
@ -217,8 +223,10 @@ template(`lpd_per_userdomain_template',`
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
+##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
+##	</summary>
 ## </param>
 #
 template(`lpr_admin_template',`
@ -240,7 +248,9 @@ template(`lpr_admin_template',`
 ##	Execute lpd in the lpd domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`lpd_domtrans_checkpc',`
@ -262,13 +272,19 @@ interface(`lpd_domtrans_checkpc',`
 ##	allow the specified role the lpd domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the lpd domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the lpd domain to use.
+##	</summary>
 ## </param>
 #
 interface(`lpd_run_checkpc',`
@ -286,7 +302,9 @@ interface(`lpd_run_checkpc',`
 ##	List the contents of the printer spool directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`lpd_list_spool',`
@ -303,7 +321,9 @@ interface(`lpd_list_spool',`
 ##	Create, read, write, and delete printer spool files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`lpd_manage_spool',`
@ -323,7 +343,9 @@ interface(`lpd_manage_spool',`
 ##	List the contents of the printer spool directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`lpd_read_config',`
--- a/refpolicy/policy/modules/services/mailman.if
+++ b/refpolicy/policy/modules/services/mailman.if
@ -11,7 +11,9 @@
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
+##	<summary>
 ##	The type of daemon to be used eg, cgi would give mailman_cgi_
+##	</summary>
 ## </param>
 #
 template(`mailman_domain_template', `
@ -100,7 +102,9 @@ template(`mailman_domain_template', `
 ##	Execute mailman in the mailman domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mailman_domtrans',`
@ -122,7 +126,9 @@ interface(`mailman_domtrans',`
 ##	mailman CGI domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mailman_domtrans_cgi',`
@ -143,7 +149,9 @@ interface(`mailman_domtrans_cgi',`
 ##	Execute mailman in the caller domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowd access.
+##	</summary>
 ## </param>
 #
 interface(`mailman_exec',`
@ -159,7 +167,9 @@ interface(`mailman_exec',`
 ##	Send generic signals to the mailman cgi domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mailman_signal_cgi',`
@ -175,7 +185,9 @@ interface(`mailman_signal_cgi',`
 ##	Allow domain to search data directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mailman_search_data',`
@ -191,7 +203,9 @@ interface(`mailman_search_data',`
 ##	List the contents of mailman data directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mailman_list_data',`
@ -207,7 +221,9 @@ interface(`mailman_list_data',`
 ##	Allow read acces to mailman data symbolic links.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mailman_read_data_symlinks',`
@ -225,7 +241,9 @@ interface(`mailman_read_data_symlinks',`
 ##	mailman logs.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mailman_manage_log',`
@ -243,7 +261,9 @@ interface(`mailman_manage_log',`
 ##	Allow domain to read mailman archive files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mailman_read_archive',`
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@ -5,7 +5,9 @@
 ##	MTA stub interface.  No access allowed.
 ## </summary>
 ## <param name="domain" optional="true">
+##	<summary>
 ##	N/A
+##	</summary>
 ## </param>
 #
 interface(`mta_stub',`
@ -30,8 +32,10 @@ interface(`mta_stub',`
 ##	</p>
 ## </desc>
 ## <param name="domain_prefix">
+##	<summary>
 ##	The prefix of the domain (e.g., user
 ##	is the prefix for user_t).
+##	</summary>
 ## </param>
 #
 template(`mta_base_mail_template',`
@ -159,14 +163,20 @@ template(`mta_base_mail_template',`
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
+##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
+##	</summary>
 ## </param>
 ## <param name="user_domain">
+##	<summary>
 ##	The type of the user domain.
+##	</summary>
 ## </param>
 ## <param name="user_role">
+##	<summary>
 ##	The role associated with the user domain.
+##	</summary>
 ## </param>
 #
 template(`mta_per_userdomain_template',`
@ -249,11 +259,15 @@ template(`mta_per_userdomain_template',`
 ##	mail domain.
 ## </summary>
 ## <param name="userdomain_prefix">
+##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
+##	</summary>
 ## </param>
 ## <param name="user_domain">
+##	<summary>
 ##	The type of the user domain.
+##	</summary>
 ## </param>
 #
 template(`mta_admin_template',`
@ -329,10 +343,14 @@ interface(`mta_mailserver',`
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	The type to be used for the mail server.
+##	</summary>
 ## </param>
 ## <param name="entry_point">
+##	<summary>
 ##	The type to be used for the domain entry point program.
+##	</summary>
 ## </param>
 interface(`mta_sendmail_mailserver',`
 	gen_require(`
@ -353,7 +371,9 @@ interface(`mta_sendmail_mailserver',`
 ##	for sending mail.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Mail server domain type used for sending mail.
+##	</summary>
 ## </param>
 #
 interface(`mta_mailserver_sender',`
@ -370,7 +390,9 @@ interface(`mta_mailserver_sender',`
 ##	for delivering mail to local users.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Mail server domain type used for delivering mail.
+##	</summary>
 ## </param>
 #
 interface(`mta_mailserver_delivery',`
@ -405,7 +427,9 @@ interface(`mta_mailserver_delivery',`
 ##	users to the local mail spool.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Mail server domain type used for sending local mail.
+##	</summary>
 ## </param>
 #
 interface(`mta_mailserver_user_agent',`
@ -462,7 +486,9 @@ interface(`mta_exec',`
 ##	Read mail server configuration.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mta_read_config',`
@ -481,7 +507,9 @@ interface(`mta_read_config',`
 ##	Read mail address aliases.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mta_read_aliases',`
@ -499,7 +527,9 @@ interface(`mta_read_aliases',`
 ##	to the mail address aliases type.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mta_filetrans_aliases',`
@ -529,7 +559,9 @@ interface(`mta_rw_aliases',`
 ##	sockets of mail delivery domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Mail server domain.
+##	</summary>
 ## </param>
 #
 interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
@ -545,7 +577,9 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
 ##	Connect to all mail servers over TCP.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Mail server domain.
+##	</summary>
 ## </param>
 #
 interface(`mta_tcp_connect_all_mailservers',`
@ -564,7 +598,9 @@ interface(`mta_tcp_connect_all_mailservers',`
 ##	in the mail spool.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mta_dontaudit_read_spool_symlinks',`
@ -607,14 +643,20 @@ interface(`mta_dontaudit_getattr_spool_files',`
 ##	mail spool directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 ## <param name="private type">
+##	<summary>
 ##	The type of the object to be created.
+##	</summary>
 ## </param>
 ## <param name="object" optional="true">
+##	<summary>
 ##	The object class of the object being created.  If
 ##	no class is specified, file will be used.
+##	</summary>
 ## </param>
 #
 interface(`mta_filetrans_spool',`
@ -652,7 +694,9 @@ interface(`mta_rw_spool',`
 ##	Create, read, and write the mail spool.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mta_append_spool',`
@ -671,7 +715,9 @@ interface(`mta_append_spool',`
 ##	Delete from the mail spool.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mta_delete_spool',`
@ -705,7 +751,9 @@ interface(`mta_manage_spool',`
 ##	write the mail queue.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`mta_dontaudit_rw_queue',`
@ -735,7 +783,9 @@ interface(`mta_manage_queue',`
 ##	Read sendmail binary.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 # cjp: added for postfix
@ -753,7 +803,9 @@ interface(`mta_read_sendmail_bin',`
 ##	of user mail domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mta_rw_user_mail_stream_sockets',`
--- a/refpolicy/policy/modules/services/mysql.if
+++ b/refpolicy/policy/modules/services/mysql.if
@ -5,7 +5,9 @@
 ##	Send a generic signal to MySQL.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mysql_signal',`
@ -21,7 +23,9 @@ interface(`mysql_signal',`
 ##	Connect to MySQL using a unix domain stream socket.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mysql_stream_connect',`
@ -39,7 +43,9 @@ interface(`mysql_stream_connect',`
 ##	Read MySQL configuration files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mysql_read_config',`
@ -58,7 +64,9 @@ interface(`mysql_read_config',`
 ##	database storage.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 # cjp: "_dir" in the name is added to clarify that this
@ -77,7 +85,9 @@ interface(`mysql_search_db',`
 ##	Read and write to the MySQL database directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mysql_rw_db_dirs',`
@ -94,7 +104,9 @@ interface(`mysql_rw_db_dirs',`
 ##	Create, read, write, and delete MySQL database directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mysql_manage_db_dirs',`
@ -112,7 +124,9 @@ interface(`mysql_manage_db_dirs',`
 ##	named socket.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mysql_rw_db_sockets',`
@ -130,7 +144,9 @@ interface(`mysql_rw_db_sockets',`
 ##	Write to the MySQL log.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`mysql_write_log',`
--- a/refpolicy/policy/modules/services/networkmanager.if
+++ b/refpolicy/policy/modules/services/networkmanager.if
@ -5,7 +5,9 @@
 ##	Read and write NetworkManager UDP sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 # cjp: added for named.
@ -22,7 +24,9 @@ interface(`networkmanager_rw_udp_sockets',`
 ##	Read and write NetworkManager packet sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 # cjp: added for named.
@ -40,7 +44,9 @@ interface(`networkmanager_rw_packet_sockets',`
 ##	routing sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 # cjp: added for named.
@ -58,7 +64,9 @@ interface(`networkmanager_rw_routing_sockets',`
 ##	NetworkManager over dbus.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`networkmanager_dbus_chat',`
--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
@ -18,7 +18,9 @@
 ##	</p>
 ## </desc>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`nis_use_ypbind_uncond',`
@ -65,7 +67,9 @@ interface(`nis_use_ypbind_uncond',`
 ##	Use the ypbind service to access NIS services.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`nis_use_ypbind',`
@ -122,7 +126,9 @@ interface(`nis_use_ypbind',`
 ##	Execute ypbind in the ypbind domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`nis_domtrans_ypbind',`
@ -144,7 +150,9 @@ interface(`nis_domtrans_ypbind',`
 ##	Send generic signals to ypbind.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`nis_signal_ypbind',`
@ -160,7 +168,9 @@ interface(`nis_signal_ypbind',`
 ##	List the contents of the NIS data directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`nis_list_var_yp',`
@ -177,7 +187,9 @@ interface(`nis_list_var_yp',`
 ##	Send UDP network traffic to NIS clients.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`nis_udp_send_ypbind',`
@ -194,7 +206,9 @@ interface(`nis_udp_send_ypbind',`
 ##	Connect to ypbind over TCP.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`nis_tcp_connect_ypbind',`
@ -212,7 +226,9 @@ interface(`nis_tcp_connect_ypbind',`
 ##	Read ypbind pid files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`nis_read_ypbind_pid',`
@ -229,7 +245,9 @@ interface(`nis_read_ypbind_pid',`
 ##	Delete ypbind pid files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`nis_delete_ypbind_pid',`
@ -246,7 +264,9 @@ interface(`nis_delete_ypbind_pid',`
 ##	Read ypserv configuration files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`nis_read_ypserv_config',`
--- a/refpolicy/policy/modules/services/nscd.if
+++ b/refpolicy/policy/modules/services/nscd.if
@ -5,7 +5,9 @@
 ##	Execute NSCD in the nscd domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`nscd_domtrans',`
@ -28,7 +30,9 @@ interface(`nscd_domtrans',`
 ##	a unix stream socket.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`nscd_socket_use',`
@ -56,7 +60,9 @@ interface(`nscd_socket_use',`
 ##	an inherited NSCD file descriptor.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`nscd_shm_use',`
@ -87,7 +93,9 @@ interface(`nscd_shm_use',`
 ##	Read NSCD pid file.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`nscd_read_pid',`
@ -105,7 +113,9 @@ interface(`nscd_read_pid',`
 ##	Unconfined access to NSCD services.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`nscd_unconfined',`
--- a/refpolicy/policy/modules/services/ntp.if
+++ b/refpolicy/policy/modules/services/ntp.if
@ -5,7 +5,9 @@
 ##	NTP stub interface.  No access allowed.
 ## </summary>
 ## <param name="domain" optional="true">
+##	<summary>
 ##	N/A
+##	</summary>
 ## </param>
 #
 interface(`ntp_stub',`
@ -19,7 +21,9 @@ interface(`ntp_stub',`
 ##	Execute ntp server in the ntpd domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`ntp_domtrans',`
@ -41,7 +45,9 @@ interface(`ntp_domtrans',`
 ##	Execute ntp server in the ntpd domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`ntp_domtrans_ntpdate',`
--- a/refpolicy/policy/modules/services/portmap.if
+++ b/refpolicy/policy/modules/services/portmap.if
@ -5,7 +5,9 @@
 ##	Execute portmap_helper in the helper domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`portmap_domtrans_helper',`
@ -29,13 +31,19 @@ interface(`portmap_domtrans_helper',`
 ##	Communicate with portmap.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the portmap domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the portmap domain to use.
+##	</summary>
 ## </param>
 #
 interface(`portmap_run_helper',`
@ -61,7 +69,9 @@ interface(`portmap_run_helper',`
 ##	Send UDP network traffic to portmap.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`portmap_udp_send',`
@ -78,7 +88,9 @@ interface(`portmap_udp_send',`
 ##	Send and receive UDP network traffic from portmap.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`portmap_udp_chat',`
@ -97,7 +109,9 @@ interface(`portmap_udp_chat',`
 ##	Connect to portmap over a TCP socket
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`portmap_tcp_connect',`
--- a/refpolicy/policy/modules/services/postfix.if
+++ b/refpolicy/policy/modules/services/postfix.if
@ -5,7 +5,9 @@
 ##	Postfix stub interface.  No access allowed.
 ## </summary>
 ## <param name="domain" optional="true">
+##	<summary>
 ##	N/A
+##	</summary>
 ## </param>
 #
 interface(`postfix_stub',`
@ -177,7 +179,9 @@ template(`postfix_public_domain_template',`
 ##	Read postfix configuration files.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`postfix_read_config',`
@ -197,14 +201,20 @@ interface(`postfix_read_config',`
 ##	the postfix configuration directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 ## <param name="private type">
+##	<summary>
 ##	The type of the object to be created.
+##	</summary>
 ## </param>
 ## <param name="object" optional="true">
+##	<summary>
 ##	The object class of the object being created.  If
 ##	no class is specified, file will be used.
+##	</summary>
 ## </param>
 #
 interface(`postfix_filetrans_config',`
@ -229,7 +239,9 @@ interface(`postfix_filetrans_config',`
 ##	TCP sockets.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`postfix_dontaudit_rw_local_tcp_sockets',`
@ -247,7 +259,9 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',`
 ##	file descriptors.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`postfix_dontaudit_use_fd',`
@ -263,7 +277,9 @@ interface(`postfix_dontaudit_use_fd',`
 ##	Execute postfix_map in the postfix_map domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`postfix_domtrans_map',`
@ -285,13 +301,19 @@ interface(`postfix_domtrans_map',`
 ##	allow the specified role the postfix_map domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 ## <param name="role">
+##	<summary>
 ##	The role to be allowed the postfix_map domain.
+##	</summary>
 ## </param>
 ## <param name="terminal">
+##	<summary>
 ##	The type of the terminal allow the postfix_map domain to use.
+##	</summary>
 ## </param>
 #
 interface(`postfix_run_map',`
@ -310,7 +332,9 @@ interface(`postfix_run_map',`
 ##	postfix_master domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`postfix_domtrans_master',`
@ -332,7 +356,9 @@ interface(`postfix_domtrans_master',`
 ##	caller domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`postfix_exec_master',`
@ -348,7 +374,9 @@ interface(`postfix_exec_master',`
 ##	Search postfix mail spool directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`postfix_search_spool',`
@ -365,7 +393,9 @@ interface(`postfix_search_spool',`
 ##	List postfix mail spool directories.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`postfix_list_spool',`
@ -383,7 +413,9 @@ interface(`postfix_list_spool',`
 ##	in their respective domains.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`postfix_domtrans_user_mail_handler',`
--- a/refpolicy/policy/modules/services/postgresql.if
+++ b/refpolicy/policy/modules/services/postgresql.if
@ -5,7 +5,9 @@
 ##	Allow the specified domain to search postgresql's database directory.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`postgresql_search_db',`
@ -21,7 +23,9 @@ interface(`postgresql_search_db',`
 ##	Allow the specified domain to manage postgresql's database.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 interface(`postgresql_manage_db',`
 	gen_require(`
@ -38,7 +42,9 @@ interface(`postgresql_manage_db',`
 ##	Execute postgresql in the postgresql domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	The type of the process performing this action.
+##	</summary>
 ## </param>
 #
 interface(`postgresql_domtrans',`
@ -59,7 +65,9 @@ interface(`postgresql_domtrans',`
 ##	Allow the specified domain to read postgresql's etc.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`postgresql_read_config',`
@ -78,7 +86,9 @@ interface(`postgresql_read_config',`
 ##	Allow the specified domain to connect to postgresql with a tcp socket.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`postgresql_tcp_connect',`
@ -96,7 +106,9 @@ interface(`postgresql_tcp_connect',`
 ##	Allow the specified domain to connect to postgresql with a unix socket.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`postgresql_stream_connect',`
--- a/refpolicy/policy/modules/services/ppp.if
+++ b/refpolicy/policy/modules/services/ppp.if
@ -5,7 +5,9 @@
 ##	Use PPP file discriptors.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`ppp_use_fd',`
@ -22,7 +24,9 @@ interface(`ppp_use_fd',`
 ##	and use PPP file discriptors.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
+##	</summary>
 ## </param>
 #
 interface(`ppp_dontaudit_use_fd',`
@ -38,7 +42,9 @@ interface(`ppp_dontaudit_use_fd',`
 ##	Send a SIGCHLD signal to PPP.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`ppp_sigchld',`
@ -55,7 +61,9 @@ interface(`ppp_sigchld',`
 ##	Send a generic signal to PPP.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`ppp_signal',`
@ -71,7 +79,9 @@ interface(`ppp_signal',`
 ##	 Execute domain in the ppp domain.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	 Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`ppp_domtrans',`
@ -93,7 +103,9 @@ interface(`ppp_domtrans',`
 ##	 Conditionally execute ppp daemon on behalf of a user or staff type.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	 Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`ppp_run_cond',`
@ -114,7 +126,9 @@ interface(`ppp_run_cond',`
 ##	 Unconditionally execute ppp daemon on behalf of a user or staff type.
 ## </summary>
 ## <param name="domain">
+##	<summary>
 ##	 Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`ppp_run',`
--- a/Show More
+++ b/Show More