document remaining interfaces w/o XML. turn on warnings for missing XML.

refpolicy/Makefile

@@ -371,7 +371,7 @@ $(POLXML): $(DETECTED_MODS:.te=.if) $(foreach dir,$(ALL_LAYERS),$(dir)/$(LAYERXM
 	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
 	$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
 	$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(XMLDTD))">' >> $@
-	$(verbose) $(GENXML) -m $(LAYERXML) -t $(GLOBALTUN) -b $(GLOBALBOOL) -o $(DOCS) $(ALL_LAYERS) >> $@
+	$(verbose) $(GENXML) -w -m $(LAYERXML) -t $(GLOBALTUN) -b $(GLOBALBOOL) -o $(DOCS) $(ALL_LAYERS) >> $@
 	$(verbose) if test -x $(XMLLINT) && test -f $(XMLDTD); then \
 		$(XMLLINT) --noout --path $(dir $(XMLDTD)) --dtdvalid $(XMLDTD) $@ ;\
 	fi

refpolicy/policy/modules/admin/quota.if

@@ -73,6 +73,17 @@ interface(`quota_dontaudit_getattr_db',`
 	dontaudit $1 quota_db_t:file getattr;
 ')
 
+########################################
+## <summary>
+##	Create, read, write, and delete quota
+##	flag files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
 interface(`quota_manage_flags',`
 	gen_require(`
 		type quota_flag_t;

refpolicy/policy/modules/admin/su.if

@@ -1,5 +1,33 @@
 ## <summary>Run shells with substitute user and group</summary>
 
+#######################################
+## <summary>
+##	Restricted su domain template.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domain which is allowed
+##	to change the linux user id, to run shells as a different
+##	user.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
 template(`su_restricted_domain_template', `
 	gen_require(`
 		type su_exec_t;

refpolicy/policy/modules/kernel/corecommands.if

@@ -49,6 +49,7 @@ interface(`corecmd_executable_file',`
 ##	Alias type for bin_t.
 ##	</summary>
 ## </param>
+#
 interface(`corecmd_bin_alias',`
 	ifdef(`targeted_policy',`
 		gen_require(`
@@ -71,6 +72,7 @@ interface(`corecmd_bin_alias',`
 ##	The domain for which bin_t is an entrypoint.
 ##	</summary>
 ## </param>
+#
 interface(`corecmd_bin_entry_type',`
 	gen_require(`
 		type bin_t;
@@ -89,6 +91,7 @@ interface(`corecmd_bin_entry_type',`
 ##	The domain for which sbin programs are an entrypoint.
 ##	</summary>
 ## </param>
+#
 interface(`corecmd_sbin_entry_type',`
 	gen_require(`
 		type sbin_t;
@@ -106,6 +109,7 @@ interface(`corecmd_sbin_entry_type',`
 ##	The domain for which the shell is an entrypoint.
 ##	</summary>
 ## </param>
+#
 interface(`corecmd_shell_entry_type',`
 	gen_require(`
 		type shell_exec_t;
@@ -115,8 +119,14 @@ interface(`corecmd_shell_entry_type',`
 ')
 
 ########################################
-#
-# corecmd_search_bin(domain)
+## <summary>
+##	Search the contents of bin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`corecmd_search_bin',`
 	gen_require(`
@@ -127,8 +137,14 @@ interface(`corecmd_search_bin',`
 ')
 
 ########################################
-#
-# corecmd_list_bin(domain)
+## <summary>
+##	List the contents of bin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`corecmd_list_bin',`
 	gen_require(`
@@ -233,8 +249,15 @@ interface(`corecmd_read_bin_sockets',`
 ')
 
 ########################################
-#
-# corecmd_exec_bin(domain)
+## <summary>
+##	Execute generic programs in bin directories,
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`corecmd_exec_bin',`
 	gen_require(`
@@ -395,8 +418,14 @@ interface(`corecmd_bin_domtrans',`
 ')
 
 ########################################
-#
-# corecmd_search_sbin(domain)
+## <summary>
+##	Search the contents of sbin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`corecmd_search_sbin',`
 	gen_require(`
@@ -426,8 +455,14 @@ interface(`corecmd_dontaudit_search_sbin',`
 ')
 
 ########################################
-#
-# corecmd_list_sbin(domain)
+## <summary>
+##	List the contents of sbin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`corecmd_list_sbin',`
 	gen_require(`
@@ -438,8 +473,14 @@ interface(`corecmd_list_sbin',`
 ')
 
 ########################################
-#
-# corecmd_getattr_sbin_files(domain)
+## <summary>
+##	Get the attributes of sbin files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`corecmd_getattr_sbin_files',`
 	gen_require(`
@@ -450,8 +491,15 @@ interface(`corecmd_getattr_sbin_files',`
 ')
 
 ########################################
-#
-# corecmd_dontaudit_getattr_sbin_files(domain)
+## <summary>
+##	Do not audit attempts to get the attibutes
+##	of sbin files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
 #
 interface(`corecmd_dontaudit_getattr_sbin_files',`
 	gen_require(`
@@ -538,8 +586,15 @@ interface(`corecmd_read_sbin_sockets',`
 ')
 
 ########################################
-#
-# corecmd_exec_sbin(domain)
+## <summary>
+##	Execute generic programs in sbin directories,
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`corecmd_exec_sbin',`
 	gen_require(`
@@ -724,8 +779,14 @@ interface(`corecmd_check_exec_shell',`
 ')
 
 ########################################
-#
-# corecmd_exec_shell(domain)
+## <summary>
+##	Execute a shell in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`corecmd_exec_shell',`
 	gen_require(`
@@ -738,8 +799,14 @@ interface(`corecmd_exec_shell',`
 ')
 
 ########################################
-#
-# corecmd_exec_ls(domain)
+## <summary>
+##	Execute ls in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`corecmd_exec_ls',`
 	gen_require(`
@@ -826,8 +893,14 @@ interface(`corecmd_shell_domtrans',`
 ')
 
 ########################################
-#
-# corecmd_exec_chroot(domain)
+## <summary>
+##	Execute chroot in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`corecmd_exec_chroot',`
 	gen_require(`

refpolicy/policy/modules/kernel/domain.if

@@ -103,8 +103,15 @@ interface(`domain_entry_file',`
 ')
 
 ########################################
-#
-# domain_interactive_fd(domain)
+## <summary>
+##	Make the file descriptors of the specified
+##	domain for interactive use (widely inheritable)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`domain_interactive_fd',`
 	gen_require(`
@@ -115,8 +122,25 @@ interface(`domain_interactive_fd',`
 ')
 
 ########################################
-#
-# domain_dyntrans_type(domain)
+## <summary>
+##	Allow the specified domain to perform
+##	dynamic transitions.
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to perform
+##	dynamic transitions.
+##	</p>
+##	<p>
+##	This violates process tranquility, and it
+##	is strongly suggested that this not be used.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`domain_dyntrans_type',`
 	gen_require(`
@@ -309,8 +333,15 @@ interface(`domain_cron_exemption_target',`
 ')
 
 ########################################
-#
-# domain_use_interactive_fds(domain)
+## <summary>
+##	Inherit and use file descriptors from
+##	domains with interactive programs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`domain_use_interactive_fds',`
 	gen_require(`
@@ -321,8 +352,16 @@ interface(`domain_use_interactive_fds',`
 ')
 
 ########################################
-#
-# domain_dontaudit_use_interactive_fds(domain)
+## <summary>
+##	Do not audit attempts to inherit file
+##	descriptors from domains with interactive
+##	programs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`domain_dontaudit_use_interactive_fds',`
 	gen_require(`
@@ -353,8 +392,14 @@ interface(`domain_sigchld_interactive_fds',`
 ')
 
 ########################################
-#
-# domain_setpriority_all_domains(domain)
+## <summary>
+##	Set the nice level of all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`domain_setpriority_all_domains',`
 	gen_require(`
@@ -370,7 +415,7 @@ interface(`domain_setpriority_all_domains',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -388,7 +433,7 @@ interface(`domain_signal_all_domains',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -406,7 +451,7 @@ interface(`domain_signull_all_domains',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -424,7 +469,7 @@ interface(`domain_sigstop_all_domains',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -442,7 +487,7 @@ interface(`domain_sigchld_all_domains',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -674,7 +719,7 @@ interface(`domain_dontaudit_ptrace_confined_domains',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -699,7 +744,7 @@ interface(`domain_dontaudit_read_all_domains_state',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -717,7 +762,7 @@ interface(`domain_dontaudit_list_all_domains_state',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -736,7 +781,7 @@ interface(`domain_getsession_all_domains',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -813,7 +858,7 @@ interface(`domain_dontaudit_getattr_all_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -832,7 +877,7 @@ interface(`domain_dontaudit_getattr_all_tcp_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -851,7 +896,7 @@ interface(`domain_dontaudit_getattr_all_udp_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -870,7 +915,7 @@ interface(`domain_dontaudit_rw_all_udp_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -889,7 +934,7 @@ interface(`domain_dontaudit_getattr_all_key_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -908,7 +953,7 @@ interface(`domain_dontaudit_getattr_all_packet_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -927,7 +972,7 @@ interface(`domain_dontaudit_getattr_all_raw_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -946,7 +991,7 @@ interface(`domain_dontaudit_rw_all_key_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -965,7 +1010,7 @@ interface(`domain_dontaudit_getattr_all_dgram_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -984,7 +1029,7 @@ interface(`domain_dontaudit_getattr_all_stream_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1017,8 +1062,14 @@ interface(`domain_getattr_all_entry_files',`
 ')
 
 ########################################
-#
-# domain_read_all_entry_files(domain)
+## <summary>
+##	Read the entry point files for all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`domain_read_all_entry_files',`
 	gen_require(`
@@ -1030,8 +1081,15 @@ interface(`domain_read_all_entry_files',`
 ')
 
 ########################################
-#
-# domain_exec_all_entry_files(domain)
+## <summary>
+##	Execute the entry point files for all
+##	domains in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`domain_exec_all_entry_files',`
 	gen_require(`
@@ -1106,7 +1164,7 @@ interface(`domain_mmap_all_entry_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1125,7 +1183,7 @@ interface(`domain_entry_file_spec_domtrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1156,8 +1214,24 @@ interface(`domain_unconfined',`
 #
 
 ########################################
-#
-# domain_trans(source_domain,entrypoint_file,target_domain)
+## <summary>
+##	Specified domain transition requiring setexeccon.
+## </summary>
+## <param name="source_domain">
+##	<summary>
+##	Domain to transition from.
+##	</summary>
+## </param>
+## <param name="entry_file">
+##	<summary>
+##	Type of program to execute.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	Domain to transition to.
+##	</summary>
+## </param>
 #
 template(`domain_trans',`
 	allow $1 $2:file { getattr read execute };
@@ -1166,8 +1240,24 @@ template(`domain_trans',`
 ')
 
 ########################################
-#
-# domain_auto_trans(source_domain,entrypoint_file,target_domain)
+## <summary>
+##	Automatic domain transition by type_transition.
+## </summary>
+## <param name="source_domain">
+##	<summary>
+##	Domain to transition from.
+##	</summary>
+## </param>
+## <param name="entry_file">
+##	<summary>
+##	Type of program to execute.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	Domain to transition to.
+##	</summary>
+## </param>
 #
 template(`domain_auto_trans',`
 	domain_trans($1,$2,$3)

refpolicy/policy/modules/kernel/files.if

@@ -39,8 +39,15 @@ interface(`files_type',`
 ')
 
 ########################################
-#
-# files_lock_file(type)
+## <summary>
+##	Make the specified type usable for
+##	lock files.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used for lock files.
+##	</summary>
+## </param>
 #
 interface(`files_lock_file',`
 	gen_require(`
@@ -52,8 +59,15 @@ interface(`files_lock_file',`
 ')
 
 ########################################
-#
-# files_mountpoint(type)
+## <summary>
+##	Make the specified type usable for
+##	filesystem mount points.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used for mount points.
+##	</summary>
+## </param>
 #
 interface(`files_mountpoint',`
 	gen_require(`
@@ -65,8 +79,15 @@ interface(`files_mountpoint',`
 ')
 
 ########################################
-#
-# files_pid_file(type)
+## <summary>
+##	Make the specified type usable for
+##	runtime process ID files.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used for PID files.
+##	</summary>
+## </param>
 #
 interface(`files_pid_file',`
 	gen_require(`
@@ -862,8 +883,15 @@ interface(`files_manage_all_files',`
 ')
 
 ########################################
-#
-# files_search_all(domain)
+## <summary>
+##	Search the contents of all directories on
+##	extended attribute filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_search_all',`
 	gen_require(`
@@ -874,8 +902,15 @@ interface(`files_search_all',`
 ')
 
 ########################################
-#
-# files_list_all(domain)
+## <summary>
+##	List the contents of all directories on
+##	extended attribute filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_list_all',`
 	gen_require(`
@@ -886,8 +921,16 @@ interface(`files_list_all',`
 ')
 
 ########################################
-#
-# files_dontaudit_search_all_dirs(domain)
+## <summary>
+##	Do not audit attempts to search the
+##	contents of any directories on extended
+##	attribute filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_dontaudit_search_all_dirs',`
 	gen_require(`
@@ -897,9 +940,15 @@ interface(`files_dontaudit_search_all_dirs',`
 	dontaudit $1 file_type:dir search;
 ')
 
-#######################################
-#
-# files_relabelto_all_file_type_fs(domain)
+########################################
+## <summary>
+##	Relabel a filesystem to the type of a file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_relabelto_all_file_type_fs',`
 	gen_require(`
@@ -909,9 +958,15 @@ interface(`files_relabelto_all_file_type_fs',`
 	allow $1 file_type:filesystem relabelto;
 ')
 
-#######################################
-#
-# files_mount_all_file_type_fs(domain)
+########################################
+## <summary>
+##	Mount all filesystems with the type of a file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_mount_all_file_type_fs',`
 	gen_require(`
@@ -921,9 +976,15 @@ interface(`files_mount_all_file_type_fs',`
 	allow $1 file_type:filesystem mount;
 ')
 
-#######################################
-#
-# files_unmount_all_file_type_fs(domain)
+########################################
+## <summary>
+##	Unmount all filesystems with the type of a file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_unmount_all_file_type_fs',`
 	gen_require(`
@@ -934,8 +995,14 @@ interface(`files_unmount_all_file_type_fs',`
 ')
 
 ########################################
-#
-# files_mounton_all_mountpoints(domain)
+## <summary>
+##	Mount a filesystem on all mount points.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_mounton_all_mountpoints',`
 	gen_require(`
@@ -965,8 +1032,14 @@ interface(`files_getattr_all_mountpoints',`
 ')
 
 ########################################
-#
-# files_list_root(domain)
+## <summary>
+##	List the contents of the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_list_root',`
 	gen_require(`
@@ -980,7 +1053,7 @@ interface(`files_list_root',`
 ########################################
 ## <summary>
 ##	Create an object in the root directory, with a private
-##	type.
+##	type using a type transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1008,8 +1081,15 @@ interface(`files_root_filetrans',`
 ')
 
 ########################################
-#
-# files_dontaudit_read_root_files(domain)
+## <summary>
+##	Do not audit attempts to read files in
+##	the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
 #
 interface(`files_dontaudit_read_root_files',`
 	gen_require(`
@@ -1020,8 +1100,15 @@ interface(`files_dontaudit_read_root_files',`
 ')
 
 ########################################
-#
-# files_dontaudit_rw_root_files(domain)
+## <summary>
+##	Do not audit attempts to read or write
+##	files in the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_dontaudit_rw_root_files',`
 	gen_require(`
@@ -1032,8 +1119,15 @@ interface(`files_dontaudit_rw_root_files',`
 ')
 
 ########################################
-#
-# files_dontaudit_rw_root_chr_files(domain)
+## <summary>
+##	Do not audit attempts to read or write
+##	character device nodes in the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_dontaudit_rw_root_chr_files',`
 	gen_require(`
@@ -1044,8 +1138,14 @@ interface(`files_dontaudit_rw_root_chr_files',`
 ')
 
 ########################################
-#
-# files_delete_root_dir_entry(domain)
+## <summary>
+##	Remove entries from the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_delete_root_dir_entry',`
 	gen_require(`
@@ -1056,8 +1156,14 @@ interface(`files_delete_root_dir_entry',`
 ')
 
 ########################################
-#
-# files_unmount_rootfs(domain)
+## <summary>
+##	Unmount a rootfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_unmount_rootfs',`
 	gen_require(`
@@ -1546,8 +1652,14 @@ interface(`files_read_default_pipes',`
 ')
 
 ########################################
-#
-# files_search_etc(domain)
+## <summary>
+##	Search the contents of /etc directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_search_etc',`
 	gen_require(`
@@ -1576,8 +1688,14 @@ interface(`files_setattr_etc_dirs',`
 ')
 
 ########################################
-#
-# files_list_etc(domain)
+## <summary>
+##	List the contents of /etc directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_list_etc',`
 	gen_require(`
@@ -1588,8 +1706,14 @@ interface(`files_list_etc',`
 ')
 
 ########################################
-#
-# files_read_etc_files(domain)
+## <summary>
+##	Read generic files in /etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_read_etc_files',`
 	gen_require(`
@@ -1602,8 +1726,14 @@ interface(`files_read_etc_files',`
 ')
 
 ########################################
-#
-# files_rw_etc_files(domain)
+## <summary>
+##	Read and write generic files in /etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_rw_etc_files',`
 	gen_require(`
@@ -1616,8 +1746,15 @@ interface(`files_rw_etc_files',`
 ')
 
 ########################################
-#
-# files_manage_etc_files(domain)
+## <summary>
+##	Create, read, write, and delete generic
+##	files in /etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_manage_etc_files',`
 	gen_require(`
@@ -1649,8 +1786,14 @@ interface(`files_delete_etc_files',`
 ')
 
 ########################################
-#
-# files_exec_etc_files(domain)
+## <summary>
+##	Execute generic files in /etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_exec_etc_files',`
 	gen_require(`
@@ -1683,8 +1826,25 @@ interface(`files_relabel_etc_files',`
 ')
 
 ########################################
-#
-# files_etc_filetrans(domain,privatetype,class(es))
+## <summary>
+##	Create objects in /etc with a private
+##	type using a type_transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	Private file type.
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Object classes to be created.
+##	</summary>
+## </param>
 #
 interface(`files_etc_filetrans',`
 	gen_require(`
@@ -1696,10 +1856,20 @@ interface(`files_etc_filetrans',`
 ')
 
 ########################################
-#
-# files_create_boot_flag(domain)
-#
-# /halt, /.autofsck, etc
+## <summary>
+##	Create a boot flag.
+## </summary>
+## <desc>
+##	<p>
+##	Create a boot flag, such as
+##	/.autorelabel and /.autofsck.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_create_boot_flag',`
 	gen_require(`
@@ -2219,8 +2389,14 @@ interface(`files_manage_lost_found',`
 ')
 
 ########################################
-#
-# files_search_mnt(domain)
+## <summary>
+##	Search the contents of /mnt.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_search_mnt',`
 	gen_require(`
@@ -2249,8 +2425,14 @@ interface(`files_dontaudit_search_mnt',`
 ')
 
 ########################################
-#
-# files_list_mnt(domain)
+## <summary>
+##	List the contents of /mnt.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_list_mnt',`
 	gen_require(`
@@ -2812,8 +2994,25 @@ interface(`files_setattr_all_tmp_dirs',`
 ')
 
 ########################################
-#
-# files_tmp_filetrans(domain,private_type,object class(es))
+## <summary>
+##	Create an object in the tmp directories, with a private
+##	type using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
 #
 interface(`files_tmp_filetrans',`
 	gen_require(`
@@ -2825,8 +3024,14 @@ interface(`files_tmp_filetrans',`
 ')
 
 ########################################
-#
-# files_purge_tmp(domain)
+## <summary>
+##	Delete the contents of /tmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_purge_tmp',`
 	gen_require(`
@@ -2838,8 +3043,14 @@ interface(`files_purge_tmp',`
 ')
 
 ########################################
-#
-# files_search_usr(domain)
+## <summary>
+##	Search the content of /etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_search_usr',`
 	gen_require(`
@@ -2888,8 +3099,14 @@ interface(`files_getattr_usr_files',`
 ')
 
 ########################################
-#
-# files_read_usr_files(domain)
+## <summary>
+##	Read generic files in /usr.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_read_usr_files',`
 	gen_require(`
@@ -3009,8 +3226,14 @@ interface(`files_exec_usr_src_files',`
 ')
 
 ########################################
-#
-# files_dontaudit_search_src(domain)
+## <summary>
+##	Do not audit attempts to search /usr/src.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
 #
 interface(`files_dontaudit_search_src',`
 	gen_require(`
@@ -3021,8 +3244,14 @@ interface(`files_dontaudit_search_src',`
 ')
 
 ########################################
-#
-# files_read_usr_src_files(domain)
+## <summary>
+##	Read files in /usr/src.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_read_usr_src_files',`
 	gen_require(`
@@ -3439,8 +3668,15 @@ interface(`files_read_var_lib_symlinks',`
 # in some way.  They really neeed their own types.
 
 ########################################
-#
-# files_manage_urandom_seed(domain)
+## <summary>
+##	Create, read, write, and delete the
+##	pseudorandom number generator seed.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_manage_urandom_seed',`
 	gen_require(`
@@ -3531,8 +3767,14 @@ interface(`files_rw_lock_dirs',`
 ')
 
 ########################################
-#
-# files_getattr_generic_locks(domain)
+## <summary>
+##	Get the attributes of generic lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_getattr_generic_locks',`
 	gen_require(`
@@ -3545,21 +3787,34 @@ interface(`files_getattr_generic_locks',`
 ')
 
 ########################################
-#
-# files_manage_generic_locks(domain)
+## <summary>
+##	Create, read, write, and delete generic
+##	lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_manage_generic_locks',`
 	gen_require(`
 		type var_lock_t;
 	')
 
-	allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
-	allow $1 var_lock_t:file { getattr create read write setattr unlink };
+	allow $1 var_lock_t:dir rw_dir_perms;
+	allow $1 var_lock_t:file manage_file_perms;
 ')
 
 ########################################
-#
-# files_delete_all_locks(domain)
+## <summary>
+##	Delete all lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_delete_all_locks',`
 	gen_require(`
@@ -3593,8 +3848,25 @@ interface(`files_read_all_locks',`
 ')
 
 ########################################
-#
-# files_lock_filetrans(domain,private_type,[object class(es)])
+## <summary>
+##	Create an object in the locks directory, with a private
+##	type using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
 #
 interface(`files_lock_filetrans',`
 	gen_require(`
@@ -3626,8 +3898,15 @@ interface(`files_dontaudit_getattr_pid_dirs',`
 ')
 
 ########################################
-#
-# files_search_pids(domain)
+## <summary>
+##	Search the contents of runtime process
+##	ID directories (/var/run).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_search_pids',`
 	gen_require(`
@@ -3658,8 +3937,15 @@ interface(`files_dontaudit_search_pids',`
 ')
 
 ########################################
-#
-# files_list_pids(domain)
+## <summary>
+##	List the contents of the runtime process
+##	ID directories (/var/run).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_list_pids',`
 	gen_require(`
@@ -3671,8 +3957,25 @@ interface(`files_list_pids',`
 ')
 
 ########################################
-#
-# files_pid_filetrans(domain,pidfile,[object class(es)])
+## <summary>
+##	Create an object in the process ID directory, with a private
+##	type using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
 #
 interface(`files_pid_filetrans',`
 	gen_require(`
@@ -3685,8 +3988,14 @@ interface(`files_pid_filetrans',`
 ')
 
 ########################################
-#
-# files_rw_generic_pids(domain)
+## <summary>
+##	Read and write generic process ID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_rw_generic_pids',`
 	gen_require(`
@@ -3735,8 +4044,14 @@ interface(`files_dontaudit_ioctl_all_pids',`
 ')
 
 ########################################
-#
-# files_read_all_pids(domain)
+## <summary>
+##	Read all process ID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_read_all_pids',`
 	gen_require(`
@@ -3769,8 +4084,14 @@ interface(`files_mounton_all_poly_members',`
 ')
 
 ########################################
-#
-# files_delete_all_pids(domain)
+## <summary>
+##	Delete all process IDs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_delete_all_pids',`
 	gen_require(`
@@ -3787,8 +4108,14 @@ interface(`files_delete_all_pids',`
 ')
 
 ########################################
-#
-# files_delete_all_pid_dirs(domain)
+## <summary>
+##	Delete all process ID directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_delete_all_pid_dirs',`
 	gen_require(`
@@ -3801,8 +4128,15 @@ interface(`files_delete_all_pid_dirs',`
 ')
 
 ########################################
-#
-# files_search_spool(domain)
+## <summary>
+##	Search the contents of generic spool
+##	directories (/var/spool).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_search_spool',`
 	gen_require(`
@@ -3833,8 +4167,15 @@ interface(`files_dontaudit_search_spool',`
 ')
 
 ########################################
-#
-# files_list_spool(domain)
+## <summary>
+##	List the contents of generic spool
+##	(/var/spool) directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_list_spool',`
 	gen_require(`
@@ -3846,8 +4187,15 @@ interface(`files_list_spool',`
 ')
 
 ########################################
-#
-# files_manage_generic_spool_dirs(domain)
+## <summary>
+##	Create, read, write, and delete generic
+##	spool directories (/var/spool).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_manage_generic_spool_dirs',`
 	gen_require(`
@@ -3859,8 +4207,14 @@ interface(`files_manage_generic_spool_dirs',`
 ')
 
 ########################################
-#
-# files_read_generic_spool(domain)
+## <summary>
+##	Read generic spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_read_generic_spool',`
 	gen_require(`
@@ -3873,8 +4227,15 @@ interface(`files_read_generic_spool',`
 ')
 
 ########################################
-#
-# files_manage_generic_spool(domain)
+## <summary>
+##	Create, read, write, and delete generic
+##	spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`files_manage_generic_spool',`
 	gen_require(`

refpolicy/policy/modules/kernel/filesystem.if

@@ -9,7 +9,7 @@
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -29,7 +29,7 @@ interface(`fs_type',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -113,7 +113,7 @@ interface(`fs_exec_noxattr',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -134,7 +134,7 @@ interface(`fs_mount_xattr_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain remounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -154,7 +154,7 @@ interface(`fs_remount_xattr_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -174,8 +174,7 @@ interface(`fs_unmount_xattr_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
-##	getattr on the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -196,7 +195,7 @@ interface(`fs_getattr_xattr_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain to not audit.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -216,7 +215,7 @@ interface(`fs_dontaudit_getattr_xattr_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -235,7 +234,7 @@ interface(`fs_relabelfrom_xattr_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -254,7 +253,7 @@ interface(`fs_get_xattr_fs_quotas',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -272,7 +271,7 @@ interface(`fs_set_xattr_fs_quotas',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -292,7 +291,7 @@ interface(`fs_mount_autofs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain remounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -310,7 +309,7 @@ interface(`fs_remount_autofs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -329,8 +328,7 @@ interface(`fs_unmount_autofs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
-##	getattr on the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -349,7 +347,7 @@ interface(`fs_getattr_autofs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -368,7 +366,7 @@ interface(`fs_search_auto_mountpoints',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -387,7 +385,7 @@ interface(`fs_list_auto_mountpoints',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain performing this action.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -403,16 +401,25 @@ interface(`fs_dontaudit_list_auto_mountpoints',`
 ## <summary>
 ##	Register an interpreter for new binary
 ##	file types, using the kernel binfmt_misc
-##	support.  A common use for this is to
+##	support.
+## </summary>
+## <desc>
+##	<p>
+##	Register an interpreter for new binary
+##	file types, using the kernel binfmt_misc
+##	support.
+##	</p>
+##	<p>
+##	A common use for this is to
 ##	register a JVM as an interpreter for
 ##	Java byte code.  Registered binaries
 ##	can be directly executed on a command line
 ##	without specifying the interpreter.
-## </summary>
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain registering
-##	the interpreter.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -431,7 +438,7 @@ interface(`fs_register_binary_executable_type',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -450,7 +457,7 @@ interface(`fs_mount_cifs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -468,7 +475,7 @@ interface(`fs_remount_cifs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -487,8 +494,7 @@ interface(`fs_unmount_cifs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
-##	getattr on the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -640,7 +646,7 @@ interface(`fs_read_noxattr_fs_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain to not audit.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -659,7 +665,7 @@ interface(`fs_dontaudit_read_cifs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain to not audit.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -677,7 +683,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain reading the symbolic links.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -698,7 +704,7 @@ interface(`fs_read_cifs_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain executing the files.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -718,7 +724,7 @@ interface(`fs_exec_cifs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the directories.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -738,7 +744,7 @@ interface(`fs_manage_cifs_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the directories.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -757,7 +763,7 @@ interface(`fs_dontaudit_manage_cifs_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the files.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -797,7 +803,7 @@ interface(`fs_dontaudit_manage_cifs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the symbolic links.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -817,7 +823,7 @@ interface(`fs_manage_cifs_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the pipes.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -837,7 +843,7 @@ interface(`fs_manage_cifs_named_pipes',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the sockets.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -876,7 +882,7 @@ interface(`fs_manage_cifs_named_sockets',`
 ## </desc>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="target_domain">
@@ -902,7 +908,7 @@ interface(`fs_cifs_domtrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -922,7 +928,7 @@ interface(`fs_mount_dos_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain remounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -941,7 +947,7 @@ interface(`fs_remount_dos_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -960,8 +966,7 @@ interface(`fs_unmount_dos_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
-##	getattr on the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -980,7 +985,7 @@ interface(`fs_getattr_dos_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1054,7 +1059,7 @@ interface(`fs_list_inotifyfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1074,7 +1079,7 @@ interface(`fs_mount_iso9660_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain remounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1093,7 +1098,7 @@ interface(`fs_remount_iso9660_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1112,8 +1117,7 @@ interface(`fs_unmount_iso9660_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
-##	getattr on the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1152,7 +1156,7 @@ interface(`fs_read_iso9660_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1171,7 +1175,7 @@ interface(`fs_mount_nfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain remounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1189,7 +1193,7 @@ interface(`fs_remount_nfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1207,8 +1211,7 @@ interface(`fs_unmount_nfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
-##	getattr on the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1301,7 +1304,7 @@ interface(`fs_read_nfs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain to not audit.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -1338,7 +1341,7 @@ interface(`fs_write_nfs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain executing the files.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1358,7 +1361,7 @@ interface(`fs_exec_nfs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain to not audit.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -1376,7 +1379,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain reading the symbolic links.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1395,7 +1398,7 @@ interface(`fs_read_nfs_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain reading the symbolic links.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1414,7 +1417,7 @@ interface(`fs_getattr_rpc_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain reading the symbolic links.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1523,7 +1526,7 @@ interface(`fs_read_removable_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain reading the symbolic links.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1542,7 +1545,7 @@ interface(`fs_list_rpc',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain reading the symbolic links.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1561,7 +1564,7 @@ interface(`fs_read_rpc_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain reading the symbolic links.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1580,7 +1583,7 @@ interface(`fs_read_rpc_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain reading the symbolic links.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1600,7 +1603,7 @@ interface(`fs_read_rpc_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the directories.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1639,7 +1642,7 @@ interface(`fs_dontaudit_manage_nfs_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the files.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1679,7 +1682,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the symbolic links.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1699,7 +1702,7 @@ interface(`fs_manage_nfs_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the pipes.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1719,7 +1722,7 @@ interface(`fs_manage_nfs_named_pipes',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the sockets.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1758,7 +1761,7 @@ interface(`fs_manage_nfs_named_sockets',`
 ## </desc>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="target_domain">
@@ -1783,7 +1786,7 @@ interface(`fs_nfs_domtrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1802,7 +1805,7 @@ interface(`fs_mount_nfsd_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain remounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1820,7 +1823,7 @@ interface(`fs_remount_nfsd_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1839,8 +1842,7 @@ interface(`fs_unmount_nfsd_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
-##	getattr on the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1858,8 +1860,7 @@ interface(`fs_getattr_nfsd_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
-##	search on nfsd directories.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1877,8 +1878,7 @@ interface(`fs_search_nfsd_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
-##	read or write on nfsd files.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1896,7 +1896,7 @@ interface(`fs_rw_nfsd_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1915,7 +1915,7 @@ interface(`fs_mount_ramfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain remounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1933,7 +1933,7 @@ interface(`fs_remount_ramfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1951,8 +1951,7 @@ interface(`fs_unmount_ramfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
-##	getattr on the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2177,7 +2176,7 @@ interface(`fs_manage_ramfs_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2196,7 +2195,7 @@ interface(`fs_mount_romfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain remounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2214,7 +2213,7 @@ interface(`fs_remount_romfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2233,8 +2232,7 @@ interface(`fs_unmount_romfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
-##	getattr on the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2252,7 +2250,7 @@ interface(`fs_getattr_romfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2271,7 +2269,7 @@ interface(`fs_mount_rpc_pipefs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain remounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2289,7 +2287,7 @@ interface(`fs_remount_rpc_pipefs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2308,8 +2306,7 @@ interface(`fs_unmount_rpc_pipefs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
-##	getattr on the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2327,7 +2324,7 @@ interface(`fs_getattr_rpc_pipefs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2345,7 +2342,7 @@ interface(`fs_mount_tmpfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain remounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2363,7 +2360,7 @@ interface(`fs_remount_tmpfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2382,8 +2379,7 @@ interface(`fs_unmount_tmpfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
-##	getattr on the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2543,8 +2539,25 @@ interface(`fs_manage_tmpfs_dirs',`
 ')
 
 ########################################
-#
-# fs_tmpfs_filetrans(domain,derivedtype,class)
+## <summary>
+##	Create an object in a tmpfs filesystem, with a private
+##	type using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
 #
 interface(`fs_tmpfs_filetrans',`
 	gen_require(`
@@ -2600,7 +2613,7 @@ interface(`fs_manage_auto_mountpoints',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2619,7 +2632,7 @@ interface(`fs_rw_tmpfs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2638,7 +2651,7 @@ interface(`fs_read_tmpfs_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2657,7 +2670,7 @@ interface(`fs_rw_tmpfs_chr_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2676,7 +2689,7 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2695,7 +2708,7 @@ interface(`fs_relabel_tmpfs_chr_file',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2714,7 +2727,7 @@ interface(`fs_rw_tmpfs_blk_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2734,7 +2747,7 @@ interface(`fs_relabel_tmpfs_blk_file',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2754,7 +2767,7 @@ interface(`fs_manage_tmpfs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2774,7 +2787,7 @@ interface(`fs_manage_tmpfs_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2794,7 +2807,7 @@ interface(`fs_manage_tmpfs_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2814,7 +2827,7 @@ interface(`fs_manage_tmpfs_chr_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2833,7 +2846,7 @@ interface(`fs_manage_tmpfs_blk_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2852,7 +2865,7 @@ interface(`fs_mount_all_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2870,7 +2883,7 @@ interface(`fs_remount_all_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2889,8 +2902,7 @@ interface(`fs_unmount_all_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
-##	getattr on the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2909,7 +2921,7 @@ interface(`fs_getattr_all_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain to not audit.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -2963,8 +2975,7 @@ interface(`fs_set_all_quotas',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
-##	getattr on the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -3229,4 +3240,3 @@ interface(`fs_relabelfrom_noxattr_fs',`
 	allow $1 noxattrfs:blk_file { getattr relabelfrom };
 	allow $1 noxattrfs:chr_file { getattr relabelfrom };
 ')
-

refpolicy/policy/modules/kernel/kernel.if

@@ -1538,8 +1538,15 @@ interface(`kernel_rw_irq_sysctls',`
 ')
 
 ########################################
-#
-# kernel_read_rpc_sysctls(domain)
+## <summary>
+##	Read RPC sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+##
 #
 interface(`kernel_read_rpc_sysctls',`
 	gen_require(`
@@ -1553,8 +1560,15 @@ interface(`kernel_read_rpc_sysctls',`
 ')
 
 ########################################
-#
-# kernel_rw_rpc_sysctls(domain)
+## <summary>
+##	Read and write RPC sysctls.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+##
 #
 interface(`kernel_rw_rpc_sysctls',`
 	gen_require(`
@@ -1914,7 +1928,7 @@ interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The process type relabeling the objects.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1932,7 +1946,7 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The process type relabeling the objects.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1951,7 +1965,7 @@ interface(`kernel_relabelfrom_unlabeled_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The process type relabeling the objects.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1970,7 +1984,7 @@ interface(`kernel_relabelfrom_unlabeled_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The process type relabeling the objects.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1989,7 +2003,7 @@ interface(`kernel_relabelfrom_unlabeled_pipes',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The process type relabeling the objects.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #

refpolicy/policy/modules/services/mta.if

@@ -300,9 +300,15 @@ template(`mta_admin_template',`
 	')
 ')
 
-#######################################
-#
-# mta_mailserver(domain,entrypointtype)
+########################################
+## <summary>
+##	Make the specified domain usable for a mail server.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used as a mail server domain.
+##	</summary>
+## </param>
 #
 interface(`mta_mailserver',`
 	gen_require(`
@@ -439,9 +445,15 @@ interface(`mta_mailserver_user_agent',`
 	')
 ')
 
-#######################################
-#
-# mta_send_mail(domain)
+########################################
+## <summary>
+##	Send mail from the system.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`mta_send_mail',`
 	gen_require(`
@@ -462,9 +474,15 @@ interface(`mta_send_mail',`
 	allow mta_user_agent $1:fifo_file { read write };
 ')
 
-#######################################
-#
-# mta_exec(domain)
+########################################
+## <summary>
+##	Execute sendmail in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`mta_exec',`
 	gen_require(`
@@ -533,9 +551,15 @@ interface(`mta_etc_filetrans_aliases',`
 	files_etc_filetrans($1,etc_aliases_t, file)
 ')
 
-#######################################
-#
-# mta_rw_aliases(domain)
+########################################
+## <summary>
+##	Read and write mail aliases.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`mta_rw_aliases',`
 	gen_require(`
@@ -604,9 +628,15 @@ interface(`mta_dontaudit_read_spool_symlinks',`
 	dontaudit $1 mail_spool_t:lnk_file read;
 ')
 
-#######################################
-#
-# mta_getattr_spool(domain)
+########################################
+## <summary>
+##	Get the attributes of mail spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`mta_getattr_spool',`
 	gen_require(`
@@ -619,6 +649,17 @@ interface(`mta_getattr_spool',`
 	allow $1 mail_spool_t:file getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of mail spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
 interface(`mta_dontaudit_getattr_spool_files',`
 	gen_require(`
 		type mail_spool_t;
@@ -661,9 +702,15 @@ interface(`mta_spool_filetrans',`
 	type_transition $1 mail_spool_t:$3 $2;
 ')
 
-#######################################
-#
-# mta_rw_spool(domain)
+########################################
+## <summary>
+##	Read and write the mail spool.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`mta_rw_spool',`
 	gen_require(`
@@ -717,9 +764,15 @@ interface(`mta_delete_spool',`
 	allow $1 mail_spool_t:file unlink;
 ')
 
-#######################################
-#
-# mta_manage_spool(domain)
+########################################
+## <summary>
+##	Create, read, write, and delete mail spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`mta_manage_spool',`
 	gen_require(`
@@ -751,9 +804,16 @@ interface(`mta_dontaudit_rw_queue',`
 	dontaudit $1 mqueue_spool_t:file { getattr read write };
 ')
 
-#######################################
-#
-# mta_manage_queue(domain)
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	mail queue files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`mta_manage_queue',`
 	gen_require(`

refpolicy/policy/modules/system/authlogin.if

@@ -162,7 +162,7 @@ template(`authlogin_per_userdomain_template',`
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -216,7 +216,7 @@ interface(`auth_login_entry_type',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="target_domain">
@@ -245,7 +245,7 @@ interface(`auth_domtrans_login_program',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -294,7 +294,7 @@ interface(`auth_domtrans_chk_passwd',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -332,7 +332,7 @@ interface(`auth_dontaudit_getattr_shadow',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -345,6 +345,25 @@ interface(`auth_read_shadow',`
 	auth_tunable_read_shadow($1)
 ')
 
+########################################
+## <summary>
+##	Pass shadow assertion for reading.
+## </summary>
+## <desc>
+##	<p>
+##	Pass shadow assertion for reading.
+##	This should only be used with
+##	auth_tunable_read_shadow(), and
+##	only exists because typeattribute
+##	does not work in conditionals.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 interface(`auth_can_read_shadow_passwords',`
 	gen_require(`
 		attribute can_read_shadow_passwords;
@@ -353,6 +372,24 @@ interface(`auth_can_read_shadow_passwords',`
 	typeattribute $1 can_read_shadow_passwords;
 ')
 
+########################################
+## <summary>
+##	Read the shadow password file.
+## </summary>
+## <desc>
+##	<p>
+##	Read the shadow password file.  This
+##	should only be used in a conditional;
+##	it does not pass the reading shadow
+##	assertion.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 interface(`auth_tunable_read_shadow',`
 	gen_require(`
 		type shadow_t;
@@ -387,7 +424,7 @@ interface(`auth_dontaudit_read_shadow',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -402,9 +439,16 @@ interface(`auth_rw_shadow',`
 	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
 
-#######################################
-#
-# auth_manage_shadow(domain)
+########################################
+## <summary>
+##	Create, read, write, and delete the shadow
+##	password file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`auth_manage_shadow',`
 	gen_require(`
@@ -418,7 +462,7 @@ interface(`auth_manage_shadow',`
 
 #######################################
 ## <summary>
-##	Automatic transition to shadow from etc.
+##	Automatic transition from etc to shadow.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -497,9 +541,15 @@ interface(`auth_append_faillog',`
 	allow $1 faillog_t:file { getattr append };
 ')
 
-#######################################
-#
-# auth_rw_faillog(domain)
+########################################
+## <summary>
+##	Read and write the login failure log.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`auth_rw_faillog',`
 	gen_require(`
@@ -573,7 +623,7 @@ interface(`auth_rw_lastlog',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -596,7 +646,7 @@ interface(`auth_domtrans_pam',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -626,7 +676,7 @@ interface(`auth_run_pam',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -645,7 +695,7 @@ interface(`auth_exec_pam',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -660,9 +710,15 @@ interface(`auth_manage_var_auth',`
 	allow $1 var_auth_t:lnk_file rw_file_perms;
 ')
 
-#######################################
-#
-# auth_read_pam_pid(domain)
+########################################
+## <summary>
+##	Read PAM PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`auth_read_pam_pid',`
 	gen_require(`
@@ -677,7 +733,7 @@ interface(`auth_read_pam_pid',`
 
 #######################################
 ## <summary>
-##	Do not audit attemps to read PAM pid files.
+##	Do not audit attemps to read PAM PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -699,7 +755,7 @@ interface(`auth_dontaudit_read_pam_pid',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -720,7 +776,7 @@ interface(`auth_delete_pam_pid',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -734,9 +790,15 @@ interface(`auth_manage_pam_pid',`
 	allow $1 pam_var_run_t:file create_file_perms;
 ')
 
-#######################################
-#
-# auth_domtrans_pam_console(domain)
+########################################
+## <summary>
+##	Execute pam_console with a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`auth_domtrans_pam_console',`
 	gen_require(`
@@ -758,7 +820,7 @@ interface(`auth_domtrans_pam_console',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -772,9 +834,16 @@ interface(`auth_search_pam_console_data',`
 	allow $1 pam_var_console_t:dir search_dir_perms;
 ')
 
-#######################################
-#
-# auth_list_pam_console_data(domain)
+########################################
+## <summary>
+##	List the contents of the pam_console
+##	data directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`auth_list_pam_console_data',`
 	gen_require(`
@@ -786,9 +855,15 @@ interface(`auth_list_pam_console_data',`
 	allow $1 pam_var_console_t:dir r_dir_perms;
 ')
 
-#######################################
-#
-# auth_read_pam_console_data(domain)
+########################################
+## <summary>
+##	Read pam_console data files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`auth_read_pam_console_data',`
 	gen_require(`
@@ -801,9 +876,16 @@ interface(`auth_read_pam_console_data',`
 	allow $1 pam_var_console_t:file r_file_perms;
 ')
 
-#######################################
-#
-# auth_manage_pam_console_data(domain)
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	pam_console data files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`auth_manage_pam_console_data',`
 	gen_require(`
@@ -971,7 +1053,7 @@ interface(`auth_manage_all_files_except_shadow',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -994,7 +1076,7 @@ interface(`auth_domtrans_utempter',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -1036,9 +1118,15 @@ interface(`auth_dontaudit_exec_utempter',`
 	dontaudit $1 utempter_exec_t:file { execute execute_no_trans };
 ')
 
-#######################################
-#
-# auth_setattr_login_records(domain)
+########################################
+## <summary>
+##	Set the attributes of login record files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`auth_setattr_login_records',`
 	gen_require(`
@@ -1049,9 +1137,15 @@ interface(`auth_setattr_login_records',`
 	logging_search_logs($1)
 ')
 
-#######################################
-#
-# auth_read_login_records(domain)
+########################################
+## <summary>
+##	Read login records files (/var/log/wtmp).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`auth_read_login_records',`
 	gen_require(`
@@ -1062,9 +1156,16 @@ interface(`auth_read_login_records',`
 	allow $1 wtmp_t:file r_file_perms;
 ')
 
-#######################################
-#
-# auth_dontaudit_write_login_records(domain)
+########################################
+## <summary>
+##	Do not audit attempts to write to
+##	login records files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
 #
 interface(`auth_dontaudit_write_login_records',`
 	gen_require(`
@@ -1110,9 +1211,15 @@ interface(`auth_write_login_records',`
 	allow $1 wtmp_t:file { write lock };
 ')
 
-#######################################
-#
-# auth_rw_login_records(domain)
+########################################
+## <summary>
+##	Read and write login records.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`auth_rw_login_records',`
 	gen_require(`
@@ -1123,9 +1230,16 @@ interface(`auth_rw_login_records',`
 	logging_search_logs($1)
 ')
 
-#######################################
-#
-# auth_log_filetrans_login_records(domain)
+########################################
+## <summary>
+##	Create a login records in the log directory
+##	using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`auth_log_filetrans_login_records',`
 	gen_require(`
@@ -1135,9 +1249,16 @@ interface(`auth_log_filetrans_login_records',`
 	logging_log_filetrans($1,wtmp_t,file)
 ')
 
-#######################################
-#
-# auth_manage_login_records(domain)
+########################################
+## <summary>
+##	Create, read, write, and delete login
+##	records files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`auth_manage_login_records',`
 	gen_require(`

refpolicy/policy/modules/system/hostname.if

@@ -6,7 +6,7 @@
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -31,7 +31,7 @@ interface(`hostname_domtrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -56,14 +56,14 @@ interface(`hostname_run',`
 ')
 
 ########################################
-##     <summary>
-##             Execute hostname in the caller domain.
-##     </summary>
-##     <param name="domain">
+## <summary>
+##	Execute hostname in the caller domain.
+## </summary>
+## <param name="domain">
 ##	<summary>
-##             The type of the process performing this action.
-##	</summary>
-##     </param>
+##	Domain allowed access.
+## 	</summary>
+## </param>
 #
 interface(`hostname_exec',`
 	gen_require(`

refpolicy/policy/modules/system/hotplug.if

@@ -3,9 +3,15 @@
 ## connection and disconnection of devices at runtime.
 ## </summary>
 
-#######################################
-#
-# hotplug_domtrans(domain)
+########################################
+## <summary>
+##	Execute hotplug with a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`hotplug_domtrans',`
 	gen_require(`
@@ -21,9 +27,15 @@ interface(`hotplug_domtrans',`
 	allow hotplug_t $1:process sigchld;
 ')
 
-#######################################
-#
-# hotplug_exec(domain)
+########################################
+## <summary>
+##	Execute hotplug in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`hotplug_exec',`
 	gen_require(`
@@ -34,9 +46,15 @@ interface(`hotplug_exec',`
 	can_exec($1,hotplug_exec_t)
 ')
 
-#######################################
-#
-# hotplug_use_fds(domain)
+########################################
+## <summary>
+##	Inherit and use hotplug file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`hotplug_use_fds',`
 	gen_require(`
@@ -46,9 +64,16 @@ interface(`hotplug_use_fds',`
 	allow $1 hotplug_t:fd use;
 ')
 
-#######################################
-#
-# hotplug_dontaudit_use_fds(domain)
+########################################
+## <summary>
+##	Do not audit attempts to inherit
+##	hotplug file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
 #
 interface(`hotplug_dontaudit_use_fds',`
 	gen_require(`
@@ -59,8 +84,15 @@ interface(`hotplug_dontaudit_use_fds',`
 ')
 
 ########################################
-#
-# hotplug_dontaudit_search_config(domain)
+## <summary>
+##	Do not audit attempts to search the
+##	hotplug configuration directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
 #
 interface(`hotplug_dontaudit_search_config',`
 	gen_require(`

refpolicy/policy/modules/system/init.if

@@ -150,8 +150,14 @@ interface(`init_system_domain',`
 ')
 
 ########################################
-#
-# init_domtrans(domain)
+## <summary>
+##	Execute init (/sbin/init) with a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`init_domtrans',`
 	gen_require(`
@@ -186,8 +192,14 @@ interface(`init_exec',`
 ')
 
 ########################################
-#
-# init_getpgid(domain)
+## <summary>
+##	Get the process group of init.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`init_getpgid',`
 	gen_require(`
@@ -243,8 +255,14 @@ interface(`init_sigchld',`
 ')
 
 ########################################
-#
-# init_use_fds(domain)
+## <summary>
+##	Inherit and use file descriptors from init.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`init_use_fds',`
 	gen_require(`
@@ -258,8 +276,15 @@ interface(`init_use_fds',`
 ')
 
 ########################################
-#
-# init_dontaudit_use_fds(domain)
+## <summary>
+##	Do not audit attempts to inherit file
+##	descriptors from init.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`init_dontaudit_use_fds',`
 	gen_require(`
@@ -295,8 +320,14 @@ interface(`init_udp_send',`
 ')
 
 ########################################
-#
-# init_getattr_initctl(domain)
+## <summary>
+##	Get the attributes of initctl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`init_getattr_initctl',`
 	gen_require(`
@@ -307,8 +338,15 @@ interface(`init_getattr_initctl',`
 ')
 
 ########################################
-#
-# init_dontaudit_getattr_initctl(domain)
+## <summary>
+##	Do not audit attempts to get the
+##	attributes of initctl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
 #
 interface(`init_dontaudit_getattr_initctl',`
 	gen_require(`
@@ -319,8 +357,14 @@ interface(`init_dontaudit_getattr_initctl',`
 ')
 
 ########################################
-#
-# init_write_initctl(domain)
+## <summary>
+##	Write to initctl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`init_write_initctl',`
 	gen_require(`
@@ -332,8 +376,14 @@ interface(`init_write_initctl',`
 ')
 
 ########################################
-#
-# init_rw_initctl(domain)
+## <summary>
+##	Read and write initctl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`init_rw_initctl',`
 	gen_require(`
@@ -345,8 +395,15 @@ interface(`init_rw_initctl',`
 ')
 
 ########################################
-#
-# init_dontaudit_rw_initctl(domain)
+## <summary>
+##	Do not audit attempts to read and
+##	write initctl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`init_dontaudit_rw_initctl',`
 	gen_require(`
@@ -376,8 +433,14 @@ interface(`init_script_file_entry_type',`
 ')
 
 ########################################
-#
-# init_domtrans_script(domain)
+## <summary>
+##	Execute init scripts with a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`init_domtrans_script',`
 	gen_require(`
@@ -503,8 +566,14 @@ interface(`init_getattr_script_files',`
 ')
 
 ########################################
-#
-# init_exec_script_files(domain)
+## <summary>
+##	Execute init scripts in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`init_exec_script_files',`
 	gen_require(`
@@ -543,8 +612,14 @@ interface(`init_read_script_state',`
 ')
 
 ########################################
-#
-# init_use_script_fds(domain)
+## <summary>
+##	Inherit and use init script file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`init_use_script_fds',`
 	gen_require(`
@@ -555,8 +630,15 @@ interface(`init_use_script_fds',`
 ')
 
 ########################################
-#
-# init_dontaudit_use_script_fds(domain)
+## <summary>
+##	Do not audit attempts to inherit
+##	init script file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`init_dontaudit_use_script_fds',`
 	gen_require(`
@@ -567,8 +649,14 @@ interface(`init_dontaudit_use_script_fds',`
 ')
 
 ########################################
-#
-# init_getpgid_script(domain)
+## <summary>
+##	Get the process group ID of init scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`init_getpgid_script',`
 	gen_require(`
@@ -864,8 +952,14 @@ interface(`init_getattr_utmp',`
 ')
 
 ########################################
-#
-# init_read_utmp(domain)
+## <summary>
+##	Read utmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`init_read_utmp',`
 	gen_require(`
@@ -877,8 +971,14 @@ interface(`init_read_utmp',`
 ')
 
 ########################################
-#
-# init_dontaudit_write_utmp(domain)
+## <summary>
+##	Do not audit attempts to write utmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`init_dontaudit_write_utmp',`
 	gen_require(`
@@ -927,8 +1027,14 @@ interface(`init_dontaudit_lock_utmp',`
 ')
 
 ########################################
-#
-# init_rw_utmp(domain)
+## <summary>
+##	Read and write utmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`init_rw_utmp',`
 	gen_require(`
@@ -940,8 +1046,14 @@ interface(`init_rw_utmp',`
 ')
 
 ########################################
-#
-# init_dontaudit_rw_utmp(domain)
+## <summary>
+##	Do not audit attempts to read and write utmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`init_dontaudit_rw_utmp',`
 	gen_require(`

refpolicy/policy/modules/system/logging.if

@@ -72,7 +72,7 @@ interface(`logging_domtrans_auditctl',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -102,7 +102,7 @@ interface(`logging_run_auditctl',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -121,8 +121,25 @@ interface(`logging_domtrans_syslog',`
 ')
 
 ########################################
-#
-# logging_log_filetrans(domain,privatetype,[class(es)])
+## <summary>
+##	Create an object in the log directory, with a private
+##	type using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
 #
 interface(`logging_log_filetrans',`
 	gen_require(`
@@ -134,9 +151,15 @@ interface(`logging_log_filetrans',`
 	type_transition $1 var_log_t:$3 $2;
 ')
 
-#######################################
-#
-# logging_send_syslog_msg(domain)
+########################################
+## <summary>
+##	Send system log messages.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`logging_send_syslog_msg',`
 	gen_require(`
@@ -183,7 +206,7 @@ interface(`logging_read_audit_config',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -239,7 +262,7 @@ interface(`logging_list_logs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -252,9 +275,16 @@ interface(`logging_rw_generic_log_dirs',`
 	allow $1 var_log_t:dir rw_dir_perms;
 ')
 
-#######################################
-#
-# logging_dontaudit_getattr_all_logs(domain)
+########################################
+## <summary>
+##	Do not audit attempts to get the atttributes
+##	of any log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`logging_dontaudit_getattr_all_logs',`
 	gen_require(`
@@ -264,9 +294,15 @@ interface(`logging_dontaudit_getattr_all_logs',`
 	dontaudit $1 logfile:file getattr;
 ')
 
-#######################################
-#
-# logging_append_all_logs(domain)
+########################################
+## <summary>
+##	Append to all log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`logging_append_all_logs',`
 	gen_require(`
@@ -279,9 +315,15 @@ interface(`logging_append_all_logs',`
 	allow $1 logfile:file { getattr append };
 ')
 
-#######################################
-#
-# logging_read_all_logs(domain)
+########################################
+## <summary>
+##	Read all log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`logging_read_all_logs',`
 	gen_require(`
@@ -300,7 +342,7 @@ interface(`logging_read_all_logs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -316,9 +358,15 @@ interface(`logging_exec_all_logs',`
 	can_exec($1,logfile)
 ')
 
-#######################################
-#
-# logging_manage_all_logs(domain)
+########################################
+## <summary>
+##	Create, read, write, and delete all log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`logging_manage_all_logs',`
 	gen_require(`
@@ -331,9 +379,15 @@ interface(`logging_manage_all_logs',`
 	allow $1 logfile:file create_file_perms;
 ')
 
-#######################################
-#
-# logging_read_generic_logs(domain)
+########################################
+## <summary>
+##	Read generic log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`logging_read_generic_logs',`
 	gen_require(`
@@ -345,9 +399,15 @@ interface(`logging_read_generic_logs',`
 	allow $1 var_log_t:file r_file_perms;
 ')
 
-#######################################
-#
-# logging_write_generic_logs(domain)
+########################################
+## <summary>
+##	Write generic log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`logging_write_generic_logs',`
 	gen_require(`

refpolicy/policy/modules/system/modutils.if

@@ -6,7 +6,7 @@
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -26,7 +26,7 @@ interface(`modutils_read_module_deps',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -50,7 +50,7 @@ interface(`modutils_read_module_config',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -68,7 +68,7 @@ interface(`modutils_rename_module_config',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -94,7 +94,7 @@ interface(`modutils_domtrans_insmod_uncond',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -117,7 +117,7 @@ interface(`modutils_domtrans_insmod',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -142,8 +142,14 @@ interface(`modutils_run_insmod',`
 ')
 
 ########################################
-#
-# modutils_exec_insmod(domain)
+## <summary>
+##	Execute insmod in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`modutils_exec_insmod',`
 	gen_require(`
@@ -160,7 +166,7 @@ interface(`modutils_exec_insmod',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -184,7 +190,7 @@ interface(`modutils_domtrans_depmod',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -209,8 +215,14 @@ interface(`modutils_run_depmod',`
 ')
 
 ########################################
-#
-# modutils_exec_depmod(domain)
+## <summary>
+##	Execute depmod in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`modutils_exec_depmod',`
 	gen_require(`
@@ -227,7 +239,7 @@ interface(`modutils_exec_depmod',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -251,7 +263,7 @@ interface(`modutils_domtrans_update_mods',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -276,8 +288,14 @@ interface(`modutils_run_update_mods',`
 ')
 
 ########################################
-#
-# modutils_exec_update_mods(domain)
+## <summary>
+##	Execute update_modules in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`modutils_exec_update_mods',`
 	gen_require(`

refpolicy/policy/modules/system/selinuxutil.if

@@ -6,7 +6,7 @@
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -33,7 +33,7 @@ interface(`seutil_domtrans_checkpolicy',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -57,9 +57,15 @@ interface(`seutil_run_checkpolicy',`
 	allow checkpolicy_t $3:chr_file rw_term_perms;
 ')
 
-#######################################
-#
-# seutil_exec_checkpolicy(domain)
+########################################
+## <summary>
+##	Execute checkpolicy in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`seutil_exec_checkpolicy',`
 	gen_require(`
@@ -77,7 +83,7 @@ interface(`seutil_exec_checkpolicy',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -100,11 +106,10 @@ interface(`seutil_domtrans_loadpolicy',`
 ##	Execute load_policy in the load_policy domain, and
 ##	allow the specified role the load_policy domain,
 ##	and use the caller's terminal.
-##	Has a SIGCHLD signal backchannel.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -128,9 +133,15 @@ interface(`seutil_run_loadpolicy',`
 	allow load_policy_t $3:chr_file rw_term_perms;
 ')
 
-#######################################
-#
-# seutil_exec_loadpolicy(domain)
+########################################
+## <summary>
+##	Execute load_policy in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`seutil_exec_loadpolicy',`
 	gen_require(`
@@ -141,9 +152,15 @@ interface(`seutil_exec_loadpolicy',`
 	can_exec($1,load_policy_exec_t)
 ')
 
-#######################################
-#
-# seutil_read_loadpolicy(domain)
+########################################
+## <summary>
+##	Read the load_policy program file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`seutil_read_loadpolicy',`
 	gen_require(`
@@ -160,7 +177,7 @@ interface(`seutil_read_loadpolicy',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -187,7 +204,7 @@ interface(`seutil_domtrans_newrole',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -211,9 +228,15 @@ interface(`seutil_run_newrole',`
 	allow newrole_t $3:chr_file rw_term_perms;
 ')
 
-#######################################
-#
-# seutil_exec_newrole(domain)
+########################################
+## <summary>
+##	Execute newrole in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`seutil_exec_newrole',`
 	gen_require(`
@@ -232,7 +255,7 @@ interface(`seutil_exec_newrole',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -244,9 +267,15 @@ interface(`seutil_dontaudit_signal_newrole',`
 	dontaudit $1 newrole_t:process signal;
 ')
 
-#######################################
-#
-# seutil_sigchld_newrole(domain)
+########################################
+## <summary>
+##	Send a SIGCHLD signal to newrole.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`seutil_sigchld_newrole',`
 	gen_require(`
@@ -256,9 +285,15 @@ interface(`seutil_sigchld_newrole',`
 	allow $1 newrole_t:process sigchld;
 ')
 
-#######################################
-#
-# seutil_use_newrole_fds(domain)
+########################################
+## <summary>
+##	Inherit and use newrole file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`seutil_use_newrole_fds',`
 	gen_require(`
@@ -274,7 +309,7 @@ interface(`seutil_use_newrole_fds',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -300,7 +335,7 @@ interface(`seutil_domtrans_restorecon',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -324,9 +359,15 @@ interface(`seutil_run_restorecon',`
 	allow restorecon_t $3:chr_file rw_term_perms;
 ')
 
-#######################################
-#
-# seutil_exec_restorecon(domain)
+########################################
+## <summary>
+##	Execute restorecon in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`seutil_exec_restorecon',`
 	gen_require(`
@@ -343,7 +384,7 @@ interface(`seutil_exec_restorecon',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -399,7 +440,7 @@ interface(`seutil_init_script_domtrans_runinit',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -443,7 +484,7 @@ interface(`seutil_run_runinit',`
 ## </desc>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -470,8 +511,14 @@ interface(`seutil_init_script_run_runinit',`
 ')
 
 ########################################
-#
-# seutil_use_runinit_fds(domain)
+## <summary>
+##	Inherit and use run_init file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`seutil_use_runinit_fds',`
 	gen_require(`
@@ -487,7 +534,7 @@ interface(`seutil_use_runinit_fds',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -514,7 +561,7 @@ interface(`seutil_domtrans_setfiles',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -538,9 +585,15 @@ interface(`seutil_run_setfiles',`
 	allow setfiles_t $3:chr_file rw_term_perms;
 ')
 
-#######################################
-#
-# seutil_exec_setfiles(domain)
+########################################
+## <summary>
+##	Execute setfiles in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`seutil_exec_setfiles',`
 	gen_require(`
@@ -592,8 +645,14 @@ interface(`seutil_dontaudit_read_config',`
 ')
 
 ########################################
-#
-# seutil_read_config(domain)
+## <summary>
+##	Read the general SELinux configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`seutil_read_config',`
 	gen_require(`
@@ -613,7 +672,7 @@ interface(`seutil_read_config',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -634,7 +693,7 @@ interface(`seutil_manage_selinux_config',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -649,8 +708,14 @@ interface(`seutil_search_default_contexts',`
 
 
 ########################################
-#
-# seutil_read_default_contexts(domain)
+## <summary>
+##	Read the default_contexts files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`seutil_read_default_contexts',`
 	gen_require(`
@@ -665,8 +730,14 @@ interface(`seutil_read_default_contexts',`
 ')
 
 ########################################
-#
-# seutil_read_file_contexts(domain)
+## <summary>
+##	Read the file_contexts files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`seutil_read_file_contexts',`
 	gen_require(`
@@ -724,8 +795,14 @@ interface(`seutil_manage_file_contexts',`
 ')
 
 ########################################
-#
-# seutil_read_bin_policy(domain)
+## <summary>
+##	Read the SELinux binary policy.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`seutil_read_bin_policy',`
 	gen_require(`
@@ -739,8 +816,14 @@ interface(`seutil_read_bin_policy',`
 ')
 
 ########################################
-#
-# seutil_create_bin_policy(domain)
+## <summary>
+##	Create the SELinux binary policy.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`seutil_create_bin_policy',`
 	gen_require(`
@@ -761,7 +844,7 @@ interface(`seutil_create_bin_policy',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -776,8 +859,15 @@ interface(`seutil_relabelto_bin_policy',`
 ')
 
 ########################################
-#
-# seutil_manage_bin_policy(domain)
+## <summary>
+##	Create, read, write, and delete the SELinux
+##	binary policy.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`seutil_manage_bin_policy',`
 	gen_require(`
@@ -793,8 +883,14 @@ interface(`seutil_manage_bin_policy',`
 ')
 
 ########################################
-#
-# seutil_read_src_policy(domain)
+## <summary>
+##	Read SELinux policy source files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`seutil_read_src_policy',`
 	gen_require(`
@@ -808,8 +904,15 @@ interface(`seutil_read_src_policy',`
 ')
 
 ########################################
-#
-# seutil_manage_src_policy(domain)
+## <summary>
+##	Create, read, write, and delete SELinux
+##	policy source files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`seutil_manage_src_policy',`
 	gen_require(`
@@ -855,7 +958,7 @@ interface(`seutil_domtrans_semanage',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -909,7 +1012,7 @@ interface(`seutil_manage_module_store',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -929,7 +1032,7 @@ interface(`seutil_get_semanage_read_lock',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #