document remaining interfaces w/o XML. turn on warnings for missing XML.

2006-05-10 18:09:08 +00:00 · 2006-05-10 18:09:08 +00:00 · ac9db9b54e
commit ac9db9b54e
parent 727758a042
16 changed files with 1639 additions and 546 deletions
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@ -371,7 +371,7 @@ $(POLXML): $(DETECTED_MODS:.te=.if) $(foreach dir,$(ALL_LAYERS),$(dir)/$(LAYERXM
 	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
 	$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
 	$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(XMLDTD))">' >> $@
-	$(verbose) $(GENXML) -m $(LAYERXML) -t $(GLOBALTUN) -b $(GLOBALBOOL) -o $(DOCS) $(ALL_LAYERS) >> $@
+	$(verbose) $(GENXML) -w -m $(LAYERXML) -t $(GLOBALTUN) -b $(GLOBALBOOL) -o $(DOCS) $(ALL_LAYERS) >> $@
 	$(verbose) if test -x $(XMLLINT) && test -f $(XMLDTD); then \
 		$(XMLLINT) --noout --path $(dir $(XMLDTD)) --dtdvalid $(XMLDTD) $@ ;\
 	fi
--- a/refpolicy/policy/modules/admin/quota.if
+++ b/refpolicy/policy/modules/admin/quota.if
@ -73,6 +73,17 @@ interface(`quota_dontaudit_getattr_db',`
 	dontaudit $1 quota_db_t:file getattr;
 ')
 ########################################
 ## <summary>
 ##	Create, read, write, and delete quota
 ##	flag files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
 interface(`quota_manage_flags',`
 	gen_require(`
 		type quota_flag_t;
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@ -1,5 +1,33 @@
 ## <summary>Run shells with substitute user and group</summary>
 #######################################
 ## <summary>
 ##	Restricted su domain template.
 ## </summary>
 ## <desc>
 ##	<p>
 ##	This template creates a derived domain which is allowed
 ##	to change the linux user id, to run shells as a different
 ##	user.
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
 ##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
 ##	</summary>
 ## </param>
 ## <param name="user_domain">
 ##	<summary>
 ##	The type of the user domain.
 ##	</summary>
 ## </param>
 ## <param name="user_role">
 ##	<summary>
 ##	The role associated with the user domain.
 ##	</summary>
 ## </param>
 #
 template(`su_restricted_domain_template', `
 	gen_require(`
 		type su_exec_t;
--- a/refpolicy/policy/modules/kernel/corecommands.if
+++ b/refpolicy/policy/modules/kernel/corecommands.if
@ -49,6 +49,7 @@ interface(`corecmd_executable_file',`
 ##	Alias type for bin_t.
 ##	</summary>
 ## </param>
 #
 interface(`corecmd_bin_alias',`
 	ifdef(`targeted_policy',`
 		gen_require(`
@ -71,6 +72,7 @@ interface(`corecmd_bin_alias',`
 ##	The domain for which bin_t is an entrypoint.
 ##	</summary>
 ## </param>
 #
 interface(`corecmd_bin_entry_type',`
 	gen_require(`
 		type bin_t;
@ -89,6 +91,7 @@ interface(`corecmd_bin_entry_type',`
 ##	The domain for which sbin programs are an entrypoint.
 ##	</summary>
 ## </param>
 #
 interface(`corecmd_sbin_entry_type',`
 	gen_require(`
 		type sbin_t;
@ -106,6 +109,7 @@ interface(`corecmd_sbin_entry_type',`
 ##	The domain for which the shell is an entrypoint.
 ##	</summary>
 ## </param>
 #
 interface(`corecmd_shell_entry_type',`
 	gen_require(`
 		type shell_exec_t;
@ -115,8 +119,14 @@ interface(`corecmd_shell_entry_type',`
 ')
 ########################################
-#
+## <summary>
-# corecmd_search_bin(domain)
+##	Search the contents of bin directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`corecmd_search_bin',`
 	gen_require(`
@ -127,8 +137,14 @@ interface(`corecmd_search_bin',`
 ')
 ########################################
-#
+## <summary>
-# corecmd_list_bin(domain)
+##	List the contents of bin directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`corecmd_list_bin',`
 	gen_require(`
@ -233,8 +249,15 @@ interface(`corecmd_read_bin_sockets',`
 ')
 ########################################
-#
+## <summary>
-# corecmd_exec_bin(domain)
+##	Execute generic programs in bin directories,
 ##	in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`corecmd_exec_bin',`
 	gen_require(`
@ -395,8 +418,14 @@ interface(`corecmd_bin_domtrans',`
 ')
 ########################################
-#
+## <summary>
-# corecmd_search_sbin(domain)
+##	Search the contents of sbin directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`corecmd_search_sbin',`
 	gen_require(`
@ -426,8 +455,14 @@ interface(`corecmd_dontaudit_search_sbin',`
 ')
 ########################################
-#
+## <summary>
-# corecmd_list_sbin(domain)
+##	List the contents of sbin directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`corecmd_list_sbin',`
 	gen_require(`
@ -438,8 +473,14 @@ interface(`corecmd_list_sbin',`
 ')
 ########################################
-#
+## <summary>
-# corecmd_getattr_sbin_files(domain)
+##	Get the attributes of sbin files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`corecmd_getattr_sbin_files',`
 	gen_require(`
@ -450,8 +491,15 @@ interface(`corecmd_getattr_sbin_files',`
 ')
 ########################################
-#
+## <summary>
-# corecmd_dontaudit_getattr_sbin_files(domain)
+##	Do not audit attempts to get the attibutes
 ##	of sbin files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
 interface(`corecmd_dontaudit_getattr_sbin_files',`
 	gen_require(`
@ -538,8 +586,15 @@ interface(`corecmd_read_sbin_sockets',`
 ')
 ########################################
-#
+## <summary>
-# corecmd_exec_sbin(domain)
+##	Execute generic programs in sbin directories,
 ##	in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`corecmd_exec_sbin',`
 	gen_require(`
@ -724,8 +779,14 @@ interface(`corecmd_check_exec_shell',`
 ')
 ########################################
-#
+## <summary>
-# corecmd_exec_shell(domain)
+##	Execute a shell in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`corecmd_exec_shell',`
 	gen_require(`
@ -738,8 +799,14 @@ interface(`corecmd_exec_shell',`
 ')
 ########################################
-#
+## <summary>
-# corecmd_exec_ls(domain)
+##	Execute ls in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`corecmd_exec_ls',`
 	gen_require(`
@ -826,8 +893,14 @@ interface(`corecmd_shell_domtrans',`
 ')
 ########################################
-#
+## <summary>
-# corecmd_exec_chroot(domain)
+##	Execute chroot in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`corecmd_exec_chroot',`
 	gen_require(`
--- a/refpolicy/policy/modules/kernel/domain.if
+++ b/refpolicy/policy/modules/kernel/domain.if
@ -103,8 +103,15 @@ interface(`domain_entry_file',`
 ')
 ########################################
-#
+## <summary>
-# domain_interactive_fd(domain)
+##	Make the file descriptors of the specified
 ##	domain for interactive use (widely inheritable)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`domain_interactive_fd',`
 	gen_require(`
@ -115,8 +122,25 @@ interface(`domain_interactive_fd',`
 ')
 ########################################
-#
+## <summary>
-# domain_dyntrans_type(domain)
+##	Allow the specified domain to perform
 ##	dynamic transitions.
 ## </summary>
 ## <desc>
 ##	<p>
 ##	Allow the specified domain to perform
 ##	dynamic transitions.
 ##	</p>
 ##	<p>
 ##	This violates process tranquility, and it
 ##	is strongly suggested that this not be used.
 ##	</p>
 ## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`domain_dyntrans_type',`
 	gen_require(`
@ -309,8 +333,15 @@ interface(`domain_cron_exemption_target',`
 ')
 ########################################
-#
+## <summary>
-# domain_use_interactive_fds(domain)
+##	Inherit and use file descriptors from
 ##	domains with interactive programs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`domain_use_interactive_fds',`
 	gen_require(`
@ -321,8 +352,16 @@ interface(`domain_use_interactive_fds',`
 ')
 ########################################
-#
+## <summary>
-# domain_dontaudit_use_interactive_fds(domain)
+##	Do not audit attempts to inherit file
 ##	descriptors from domains with interactive
 ##	programs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`domain_dontaudit_use_interactive_fds',`
 	gen_require(`
@ -353,8 +392,14 @@ interface(`domain_sigchld_interactive_fds',`
 ')
 ########################################
-#
+## <summary>
-# domain_setpriority_all_domains(domain)
+##	Set the nice level of all domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`domain_setpriority_all_domains',`
 	gen_require(`
@ -370,7 +415,7 @@ interface(`domain_setpriority_all_domains',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -388,7 +433,7 @@ interface(`domain_signal_all_domains',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -406,7 +451,7 @@ interface(`domain_signull_all_domains',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -424,7 +469,7 @@ interface(`domain_sigstop_all_domains',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -442,7 +487,7 @@ interface(`domain_sigchld_all_domains',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -674,7 +719,7 @@ interface(`domain_dontaudit_ptrace_confined_domains',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -699,7 +744,7 @@ interface(`domain_dontaudit_read_all_domains_state',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -717,7 +762,7 @@ interface(`domain_dontaudit_list_all_domains_state',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -736,7 +781,7 @@ interface(`domain_getsession_all_domains',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -813,7 +858,7 @@ interface(`domain_dontaudit_getattr_all_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -832,7 +877,7 @@ interface(`domain_dontaudit_getattr_all_tcp_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -851,7 +896,7 @@ interface(`domain_dontaudit_getattr_all_udp_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -870,7 +915,7 @@ interface(`domain_dontaudit_rw_all_udp_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -889,7 +934,7 @@ interface(`domain_dontaudit_getattr_all_key_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -908,7 +953,7 @@ interface(`domain_dontaudit_getattr_all_packet_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -927,7 +972,7 @@ interface(`domain_dontaudit_getattr_all_raw_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -946,7 +991,7 @@ interface(`domain_dontaudit_rw_all_key_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -965,7 +1010,7 @@ interface(`domain_dontaudit_getattr_all_dgram_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -984,7 +1029,7 @@ interface(`domain_dontaudit_getattr_all_stream_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1017,8 +1062,14 @@ interface(`domain_getattr_all_entry_files',`
 ')
 ########################################
-#
+## <summary>
-# domain_read_all_entry_files(domain)
+##	Read the entry point files for all domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`domain_read_all_entry_files',`
 	gen_require(`
@ -1030,8 +1081,15 @@ interface(`domain_read_all_entry_files',`
 ')
 ########################################
-#
+## <summary>
-# domain_exec_all_entry_files(domain)
+##	Execute the entry point files for all
 ##	domains in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`domain_exec_all_entry_files',`
 	gen_require(`
@ -1106,7 +1164,7 @@ interface(`domain_mmap_all_entry_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1125,7 +1183,7 @@ interface(`domain_entry_file_spec_domtrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1156,8 +1214,24 @@ interface(`domain_unconfined',`
 #
 ########################################
-#
+## <summary>
-# domain_trans(source_domain,entrypoint_file,target_domain)
+##	Specified domain transition requiring setexeccon.
 ## </summary>
 ## <param name="source_domain">
 ##	<summary>
 ##	Domain to transition from.
 ##	</summary>
 ## </param>
 ## <param name="entry_file">
 ##	<summary>
 ##	Type of program to execute.
 ##	</summary>
 ## </param>
 ## <param name="target_domain">
 ##	<summary>
 ##	Domain to transition to.
 ##	</summary>
 ## </param>
 #
 template(`domain_trans',`
 	allow $1 $2:file { getattr read execute };
@ -1166,8 +1240,24 @@ template(`domain_trans',`
 ')
 ########################################
-#
+## <summary>
-# domain_auto_trans(source_domain,entrypoint_file,target_domain)
+##	Automatic domain transition by type_transition.
 ## </summary>
 ## <param name="source_domain">
 ##	<summary>
 ##	Domain to transition from.
 ##	</summary>
 ## </param>
 ## <param name="entry_file">
 ##	<summary>
 ##	Type of program to execute.
 ##	</summary>
 ## </param>
 ## <param name="target_domain">
 ##	<summary>
 ##	Domain to transition to.
 ##	</summary>
 ## </param>
 #
 template(`domain_auto_trans',`
 	domain_trans($1,$2,$3)
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@ -39,8 +39,15 @@ interface(`files_type',`
 ')
 ########################################
-#
+## <summary>
-# files_lock_file(type)
+##	Make the specified type usable for
 ##	lock files.
 ## </summary>
 ## <param name="type">
 ##	<summary>
 ##	Type to be used for lock files.
 ##	</summary>
 ## </param>
 #
 interface(`files_lock_file',`
 	gen_require(`
@ -52,8 +59,15 @@ interface(`files_lock_file',`
 ')
 ########################################
-#
+## <summary>
-# files_mountpoint(type)
+##	Make the specified type usable for
 ##	filesystem mount points.
 ## </summary>
 ## <param name="type">
 ##	<summary>
 ##	Type to be used for mount points.
 ##	</summary>
 ## </param>
 #
 interface(`files_mountpoint',`
 	gen_require(`
@ -65,8 +79,15 @@ interface(`files_mountpoint',`
 ')
 ########################################
-#
+## <summary>
-# files_pid_file(type)
+##	Make the specified type usable for
 ##	runtime process ID files.
 ## </summary>
 ## <param name="type">
 ##	<summary>
 ##	Type to be used for PID files.
 ##	</summary>
 ## </param>
 #
 interface(`files_pid_file',`
 	gen_require(`
@ -862,8 +883,15 @@ interface(`files_manage_all_files',`
 ')
 ########################################
-#
+## <summary>
-# files_search_all(domain)
+##	Search the contents of all directories on
 ##	extended attribute filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_search_all',`
 	gen_require(`
@ -874,8 +902,15 @@ interface(`files_search_all',`
 ')
 ########################################
-#
+## <summary>
-# files_list_all(domain)
+##	List the contents of all directories on
 ##	extended attribute filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_list_all',`
 	gen_require(`
@ -886,8 +921,16 @@ interface(`files_list_all',`
 ')
 ########################################
-#
+## <summary>
-# files_dontaudit_search_all_dirs(domain)
+##	Do not audit attempts to search the
 ##	contents of any directories on extended
 ##	attribute filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_dontaudit_search_all_dirs',`
 	gen_require(`
@ -897,9 +940,15 @@ interface(`files_dontaudit_search_all_dirs',`
 	dontaudit $1 file_type:dir search;
 ')
-#######################################
+########################################
-#
+## <summary>
-# files_relabelto_all_file_type_fs(domain)
+##	Relabel a filesystem to the type of a file.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_relabelto_all_file_type_fs',`
 	gen_require(`
@ -909,9 +958,15 @@ interface(`files_relabelto_all_file_type_fs',`
 	allow $1 file_type:filesystem relabelto;
 ')
-#######################################
+########################################
-#
+## <summary>
-# files_mount_all_file_type_fs(domain)
+##	Mount all filesystems with the type of a file.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_mount_all_file_type_fs',`
 	gen_require(`
@ -921,9 +976,15 @@ interface(`files_mount_all_file_type_fs',`
 	allow $1 file_type:filesystem mount;
 ')
-#######################################
+########################################
-#
+## <summary>
-# files_unmount_all_file_type_fs(domain)
+##	Unmount all filesystems with the type of a file.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_unmount_all_file_type_fs',`
 	gen_require(`
@ -934,8 +995,14 @@ interface(`files_unmount_all_file_type_fs',`
 ')
 ########################################
-#
+## <summary>
-# files_mounton_all_mountpoints(domain)
+##	Mount a filesystem on all mount points.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_mounton_all_mountpoints',`
 	gen_require(`
@ -965,8 +1032,14 @@ interface(`files_getattr_all_mountpoints',`
 ')
 ########################################
-#
+## <summary>
-# files_list_root(domain)
+##	List the contents of the root directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_list_root',`
 	gen_require(`
@ -980,7 +1053,7 @@ interface(`files_list_root',`
 ########################################
 ## <summary>
 ##	Create an object in the root directory, with a private
-##	type.
+##	type using a type transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -1008,8 +1081,15 @@ interface(`files_root_filetrans',`
 ')
 ########################################
-#
+## <summary>
-# files_dontaudit_read_root_files(domain)
+##	Do not audit attempts to read files in
 ##	the root directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
 interface(`files_dontaudit_read_root_files',`
 	gen_require(`
@ -1020,8 +1100,15 @@ interface(`files_dontaudit_read_root_files',`
 ')
 ########################################
-#
+## <summary>
-# files_dontaudit_rw_root_files(domain)
+##	Do not audit attempts to read or write
 ##	files in the root directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_dontaudit_rw_root_files',`
 	gen_require(`
@ -1032,8 +1119,15 @@ interface(`files_dontaudit_rw_root_files',`
 ')
 ########################################
-#
+## <summary>
-# files_dontaudit_rw_root_chr_files(domain)
+##	Do not audit attempts to read or write
 ##	character device nodes in the root directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_dontaudit_rw_root_chr_files',`
 	gen_require(`
@ -1044,8 +1138,14 @@ interface(`files_dontaudit_rw_root_chr_files',`
 ')
 ########################################
-#
+## <summary>
-# files_delete_root_dir_entry(domain)
+##	Remove entries from the root directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_delete_root_dir_entry',`
 	gen_require(`
@ -1056,8 +1156,14 @@ interface(`files_delete_root_dir_entry',`
 ')
 ########################################
-#
+## <summary>
-# files_unmount_rootfs(domain)
+##	Unmount a rootfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_unmount_rootfs',`
 	gen_require(`
@ -1546,8 +1652,14 @@ interface(`files_read_default_pipes',`
 ')
 ########################################
-#
+## <summary>
-# files_search_etc(domain)
+##	Search the contents of /etc directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_search_etc',`
 	gen_require(`
@ -1576,8 +1688,14 @@ interface(`files_setattr_etc_dirs',`
 ')
 ########################################
-#
+## <summary>
-# files_list_etc(domain)
+##	List the contents of /etc directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_list_etc',`
 	gen_require(`
@ -1588,8 +1706,14 @@ interface(`files_list_etc',`
 ')
 ########################################
-#
+## <summary>
-# files_read_etc_files(domain)
+##	Read generic files in /etc.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_read_etc_files',`
 	gen_require(`
@ -1602,8 +1726,14 @@ interface(`files_read_etc_files',`
 ')
 ########################################
-#
+## <summary>
-# files_rw_etc_files(domain)
+##	Read and write generic files in /etc.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_rw_etc_files',`
 	gen_require(`
@ -1616,8 +1746,15 @@ interface(`files_rw_etc_files',`
 ')
 ########################################
-#
+## <summary>
-# files_manage_etc_files(domain)
+##	Create, read, write, and delete generic
 ##	files in /etc.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_manage_etc_files',`
 	gen_require(`
@ -1649,8 +1786,14 @@ interface(`files_delete_etc_files',`
 ')
 ########################################
-#
+## <summary>
-# files_exec_etc_files(domain)
+##	Execute generic files in /etc.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_exec_etc_files',`
 	gen_require(`
@ -1683,8 +1826,25 @@ interface(`files_relabel_etc_files',`
 ')
 ########################################
-#
+## <summary>
-# files_etc_filetrans(domain,privatetype,class(es))
+##	Create objects in /etc with a private
 ##	type using a type_transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="file_type">
 ##	<summary>
 ##	Private file type.
 ##	</summary>
 ## </param>
 ## <param name="class">
 ##	<summary>
 ##	Object classes to be created.
 ##	</summary>
 ## </param>
 #
 interface(`files_etc_filetrans',`
 	gen_require(`
@ -1696,10 +1856,20 @@ interface(`files_etc_filetrans',`
 ')
 ########################################
-#
+## <summary>
-# files_create_boot_flag(domain)
+##	Create a boot flag.
-#
+## </summary>
-# /halt, /.autofsck, etc
+## <desc>
 ##	<p>
 ##	Create a boot flag, such as
 ##	/.autorelabel and /.autofsck.
 ##	</p>
 ## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_create_boot_flag',`
 	gen_require(`
@ -2219,8 +2389,14 @@ interface(`files_manage_lost_found',`
 ')
 ########################################
-#
+## <summary>
-# files_search_mnt(domain)
+##	Search the contents of /mnt.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_search_mnt',`
 	gen_require(`
@ -2249,8 +2425,14 @@ interface(`files_dontaudit_search_mnt',`
 ')
 ########################################
-#
+## <summary>
-# files_list_mnt(domain)
+##	List the contents of /mnt.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_list_mnt',`
 	gen_require(`
@ -2812,8 +2994,25 @@ interface(`files_setattr_all_tmp_dirs',`
 ')
 ########################################
-#
+## <summary>
-# files_tmp_filetrans(domain,private_type,object class(es))
+##	Create an object in the tmp directories, with a private
 ##	type using a type transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="private type">
 ##	<summary>
 ##	The type of the object to be created.
 ##	</summary>
 ## </param>
 ## <param name="object">
 ##	<summary>
 ##	The object class of the object being created.
 ##	</summary>
 ## </param>
 #
 interface(`files_tmp_filetrans',`
 	gen_require(`
@ -2825,8 +3024,14 @@ interface(`files_tmp_filetrans',`
 ')
 ########################################
-#
+## <summary>
-# files_purge_tmp(domain)
+##	Delete the contents of /tmp.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_purge_tmp',`
 	gen_require(`
@ -2838,8 +3043,14 @@ interface(`files_purge_tmp',`
 ')
 ########################################
-#
+## <summary>
-# files_search_usr(domain)
+##	Search the content of /etc.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_search_usr',`
 	gen_require(`
@ -2888,8 +3099,14 @@ interface(`files_getattr_usr_files',`
 ')
 ########################################
-#
+## <summary>
-# files_read_usr_files(domain)
+##	Read generic files in /usr.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_read_usr_files',`
 	gen_require(`
@ -3009,8 +3226,14 @@ interface(`files_exec_usr_src_files',`
 ')
 ########################################
-#
+## <summary>
-# files_dontaudit_search_src(domain)
+##	Do not audit attempts to search /usr/src.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
 interface(`files_dontaudit_search_src',`
 	gen_require(`
@ -3021,8 +3244,14 @@ interface(`files_dontaudit_search_src',`
 ')
 ########################################
-#
+## <summary>
-# files_read_usr_src_files(domain)
+##	Read files in /usr/src.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_read_usr_src_files',`
 	gen_require(`
@ -3439,8 +3668,15 @@ interface(`files_read_var_lib_symlinks',`
 # in some way.  They really neeed their own types.
 ########################################
-#
+## <summary>
-# files_manage_urandom_seed(domain)
+##	Create, read, write, and delete the
 ##	pseudorandom number generator seed.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_manage_urandom_seed',`
 	gen_require(`
@ -3531,8 +3767,14 @@ interface(`files_rw_lock_dirs',`
 ')
 ########################################
-#
+## <summary>
-# files_getattr_generic_locks(domain)
+##	Get the attributes of generic lock files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_getattr_generic_locks',`
 	gen_require(`
@ -3545,21 +3787,34 @@ interface(`files_getattr_generic_locks',`
 ')
 ########################################
-#
+## <summary>
-# files_manage_generic_locks(domain)
+##	Create, read, write, and delete generic
 ##	lock files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_manage_generic_locks',`
 	gen_require(`
 		type var_lock_t;
 	')
-	allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
+	allow $1 var_lock_t:dir rw_dir_perms;
-	allow $1 var_lock_t:file { getattr create read write setattr unlink };
+	allow $1 var_lock_t:file manage_file_perms;
 ')
 ########################################
-#
+## <summary>
-# files_delete_all_locks(domain)
+##	Delete all lock files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_delete_all_locks',`
 	gen_require(`
@ -3593,8 +3848,25 @@ interface(`files_read_all_locks',`
 ')
 ########################################
-#
+## <summary>
-# files_lock_filetrans(domain,private_type,[object class(es)])
+##	Create an object in the locks directory, with a private
 ##	type using a type transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="private type">
 ##	<summary>
 ##	The type of the object to be created.
 ##	</summary>
 ## </param>
 ## <param name="object">
 ##	<summary>
 ##	The object class of the object being created.
 ##	</summary>
 ## </param>
 #
 interface(`files_lock_filetrans',`
 	gen_require(`
@ -3626,8 +3898,15 @@ interface(`files_dontaudit_getattr_pid_dirs',`
 ')
 ########################################
-#
+## <summary>
-# files_search_pids(domain)
+##	Search the contents of runtime process
 ##	ID directories (/var/run).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_search_pids',`
 	gen_require(`
@ -3658,8 +3937,15 @@ interface(`files_dontaudit_search_pids',`
 ')
 ########################################
-#
+## <summary>
-# files_list_pids(domain)
+##	List the contents of the runtime process
 ##	ID directories (/var/run).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_list_pids',`
 	gen_require(`
@ -3671,8 +3957,25 @@ interface(`files_list_pids',`
 ')
 ########################################
-#
+## <summary>
-# files_pid_filetrans(domain,pidfile,[object class(es)])
+##	Create an object in the process ID directory, with a private
 ##	type using a type transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="private type">
 ##	<summary>
 ##	The type of the object to be created.
 ##	</summary>
 ## </param>
 ## <param name="object">
 ##	<summary>
 ##	The object class of the object being created.
 ##	</summary>
 ## </param>
 #
 interface(`files_pid_filetrans',`
 	gen_require(`
@ -3685,8 +3988,14 @@ interface(`files_pid_filetrans',`
 ')
 ########################################
-#
+## <summary>
-# files_rw_generic_pids(domain)
+##	Read and write generic process ID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_rw_generic_pids',`
 	gen_require(`
@ -3735,8 +4044,14 @@ interface(`files_dontaudit_ioctl_all_pids',`
 ')
 ########################################
-#
+## <summary>
-# files_read_all_pids(domain)
+##	Read all process ID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_read_all_pids',`
 	gen_require(`
@ -3769,8 +4084,14 @@ interface(`files_mounton_all_poly_members',`
 ')
 ########################################
-#
+## <summary>
-# files_delete_all_pids(domain)
+##	Delete all process IDs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_delete_all_pids',`
 	gen_require(`
@ -3787,8 +4108,14 @@ interface(`files_delete_all_pids',`
 ')
 ########################################
-#
+## <summary>
-# files_delete_all_pid_dirs(domain)
+##	Delete all process ID directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_delete_all_pid_dirs',`
 	gen_require(`
@ -3801,8 +4128,15 @@ interface(`files_delete_all_pid_dirs',`
 ')
 ########################################
-#
+## <summary>
-# files_search_spool(domain)
+##	Search the contents of generic spool
 ##	directories (/var/spool).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_search_spool',`
 	gen_require(`
@ -3833,8 +4167,15 @@ interface(`files_dontaudit_search_spool',`
 ')
 ########################################
-#
+## <summary>
-# files_list_spool(domain)
+##	List the contents of generic spool
 ##	(/var/spool) directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_list_spool',`
 	gen_require(`
@ -3846,8 +4187,15 @@ interface(`files_list_spool',`
 ')
 ########################################
-#
+## <summary>
-# files_manage_generic_spool_dirs(domain)
+##	Create, read, write, and delete generic
 ##	spool directories (/var/spool).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_manage_generic_spool_dirs',`
 	gen_require(`
@ -3859,8 +4207,14 @@ interface(`files_manage_generic_spool_dirs',`
 ')
 ########################################
-#
+## <summary>
-# files_read_generic_spool(domain)
+##	Read generic spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_read_generic_spool',`
 	gen_require(`
@ -3873,8 +4227,15 @@ interface(`files_read_generic_spool',`
 ')
 ########################################
-#
+## <summary>
-# files_manage_generic_spool(domain)
+##	Create, read, write, and delete generic
 ##	spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`files_manage_generic_spool',`
 	gen_require(`
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@ -9,7 +9,7 @@
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -29,7 +29,7 @@ interface(`fs_type',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -113,7 +113,7 @@ interface(`fs_exec_noxattr',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -134,7 +134,7 @@ interface(`fs_mount_xattr_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain remounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -154,7 +154,7 @@ interface(`fs_remount_xattr_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -174,8 +174,7 @@ interface(`fs_unmount_xattr_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
+##	Domain allowed access.
 ##	getattr on the filesystem.
 ##	</summary>
 ## </param>
 #
@ -196,7 +195,7 @@ interface(`fs_getattr_xattr_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain to not audit.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@ -216,7 +215,7 @@ interface(`fs_dontaudit_getattr_xattr_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -235,7 +234,7 @@ interface(`fs_relabelfrom_xattr_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -254,7 +253,7 @@ interface(`fs_get_xattr_fs_quotas',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -272,7 +271,7 @@ interface(`fs_set_xattr_fs_quotas',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -292,7 +291,7 @@ interface(`fs_mount_autofs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain remounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -310,7 +309,7 @@ interface(`fs_remount_autofs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -329,8 +328,7 @@ interface(`fs_unmount_autofs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
+##	Domain allowed access.
 ##	getattr on the filesystem.
 ##	</summary>
 ## </param>
 #
@ -349,7 +347,7 @@ interface(`fs_getattr_autofs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -368,7 +366,7 @@ interface(`fs_search_auto_mountpoints',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -387,7 +385,7 @@ interface(`fs_list_auto_mountpoints',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain performing this action.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@ -403,16 +401,25 @@ interface(`fs_dontaudit_list_auto_mountpoints',`
 ## <summary>
 ##	Register an interpreter for new binary
 ##	file types, using the kernel binfmt_misc
-##	support.  A common use for this is to
+##	support.
 ## </summary>
 ## <desc>
 ##	<p>
 ##	Register an interpreter for new binary
 ##	file types, using the kernel binfmt_misc
 ##	support.
 ##	</p>
 ##	<p>
 ##	A common use for this is to
 ##	register a JVM as an interpreter for
 ##	Java byte code.  Registered binaries
 ##	can be directly executed on a command line
 ##	without specifying the interpreter.
-## </summary>
+##	</p>
 ## </desc>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain registering
+##	Domain allowed access.
 ##	the interpreter.
 ##	</summary>
 ## </param>
 #
@ -431,7 +438,7 @@ interface(`fs_register_binary_executable_type',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -450,7 +457,7 @@ interface(`fs_mount_cifs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -468,7 +475,7 @@ interface(`fs_remount_cifs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -487,8 +494,7 @@ interface(`fs_unmount_cifs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
+##	Domain allowed access.
 ##	getattr on the filesystem.
 ##	</summary>
 ## </param>
 #
@ -640,7 +646,7 @@ interface(`fs_read_noxattr_fs_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain to not audit.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@ -659,7 +665,7 @@ interface(`fs_dontaudit_read_cifs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain to not audit.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@ -677,7 +683,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain reading the symbolic links.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -698,7 +704,7 @@ interface(`fs_read_cifs_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain executing the files.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -718,7 +724,7 @@ interface(`fs_exec_cifs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the directories.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -738,7 +744,7 @@ interface(`fs_manage_cifs_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the directories.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -757,7 +763,7 @@ interface(`fs_dontaudit_manage_cifs_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the files.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -797,7 +803,7 @@ interface(`fs_dontaudit_manage_cifs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the symbolic links.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -817,7 +823,7 @@ interface(`fs_manage_cifs_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the pipes.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -837,7 +843,7 @@ interface(`fs_manage_cifs_named_pipes',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the sockets.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -876,7 +882,7 @@ interface(`fs_manage_cifs_named_sockets',`
 ## </desc>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="target_domain">
@ -902,7 +908,7 @@ interface(`fs_cifs_domtrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -922,7 +928,7 @@ interface(`fs_mount_dos_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain remounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -941,7 +947,7 @@ interface(`fs_remount_dos_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -960,8 +966,7 @@ interface(`fs_unmount_dos_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
+##	Domain allowed access.
 ##	getattr on the filesystem.
 ##	</summary>
 ## </param>
 #
@ -980,7 +985,7 @@ interface(`fs_getattr_dos_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1054,7 +1059,7 @@ interface(`fs_list_inotifyfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1074,7 +1079,7 @@ interface(`fs_mount_iso9660_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain remounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1093,7 +1098,7 @@ interface(`fs_remount_iso9660_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1112,8 +1117,7 @@ interface(`fs_unmount_iso9660_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
+##	Domain allowed access.
 ##	getattr on the filesystem.
 ##	</summary>
 ## </param>
 #
@ -1152,7 +1156,7 @@ interface(`fs_read_iso9660_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1171,7 +1175,7 @@ interface(`fs_mount_nfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain remounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1189,7 +1193,7 @@ interface(`fs_remount_nfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1207,8 +1211,7 @@ interface(`fs_unmount_nfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
+##	Domain allowed access.
 ##	getattr on the filesystem.
 ##	</summary>
 ## </param>
 #
@ -1301,7 +1304,7 @@ interface(`fs_read_nfs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain to not audit.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@ -1338,7 +1341,7 @@ interface(`fs_write_nfs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain executing the files.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1358,7 +1361,7 @@ interface(`fs_exec_nfs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain to not audit.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@ -1376,7 +1379,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain reading the symbolic links.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1395,7 +1398,7 @@ interface(`fs_read_nfs_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain reading the symbolic links.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1414,7 +1417,7 @@ interface(`fs_getattr_rpc_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain reading the symbolic links.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1523,7 +1526,7 @@ interface(`fs_read_removable_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain reading the symbolic links.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1542,7 +1545,7 @@ interface(`fs_list_rpc',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain reading the symbolic links.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1561,7 +1564,7 @@ interface(`fs_read_rpc_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain reading the symbolic links.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1580,7 +1583,7 @@ interface(`fs_read_rpc_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain reading the symbolic links.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1600,7 +1603,7 @@ interface(`fs_read_rpc_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the directories.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1639,7 +1642,7 @@ interface(`fs_dontaudit_manage_nfs_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the files.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1679,7 +1682,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the symbolic links.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1699,7 +1702,7 @@ interface(`fs_manage_nfs_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the pipes.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1719,7 +1722,7 @@ interface(`fs_manage_nfs_named_pipes',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain managing the sockets.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1758,7 +1761,7 @@ interface(`fs_manage_nfs_named_sockets',`
 ## </desc>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="target_domain">
@ -1783,7 +1786,7 @@ interface(`fs_nfs_domtrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1802,7 +1805,7 @@ interface(`fs_mount_nfsd_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain remounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1820,7 +1823,7 @@ interface(`fs_remount_nfsd_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1839,8 +1842,7 @@ interface(`fs_unmount_nfsd_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
+##	Domain allowed access.
 ##	getattr on the filesystem.
 ##	</summary>
 ## </param>
 #
@ -1858,8 +1860,7 @@ interface(`fs_getattr_nfsd_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
+##	Domain allowed access.
 ##	search on nfsd directories.
 ##	</summary>
 ## </param>
 #
@ -1877,8 +1878,7 @@ interface(`fs_search_nfsd_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
+##	Domain allowed access.
 ##	read or write on nfsd files.
 ##	</summary>
 ## </param>
 #
@ -1896,7 +1896,7 @@ interface(`fs_rw_nfsd_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1915,7 +1915,7 @@ interface(`fs_mount_ramfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain remounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1933,7 +1933,7 @@ interface(`fs_remount_ramfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1951,8 +1951,7 @@ interface(`fs_unmount_ramfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
+##	Domain allowed access.
 ##	getattr on the filesystem.
 ##	</summary>
 ## </param>
 #
@ -2177,7 +2176,7 @@ interface(`fs_manage_ramfs_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2196,7 +2195,7 @@ interface(`fs_mount_romfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain remounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2214,7 +2213,7 @@ interface(`fs_remount_romfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2233,8 +2232,7 @@ interface(`fs_unmount_romfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
+##	Domain allowed access.
 ##	getattr on the filesystem.
 ##	</summary>
 ## </param>
 #
@ -2252,7 +2250,7 @@ interface(`fs_getattr_romfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2271,7 +2269,7 @@ interface(`fs_mount_rpc_pipefs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain remounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2289,7 +2287,7 @@ interface(`fs_remount_rpc_pipefs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2308,8 +2306,7 @@ interface(`fs_unmount_rpc_pipefs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
+##	Domain allowed access.
 ##	getattr on the filesystem.
 ##	</summary>
 ## </param>
 #
@ -2327,7 +2324,7 @@ interface(`fs_getattr_rpc_pipefs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2345,7 +2342,7 @@ interface(`fs_mount_tmpfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain remounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2363,7 +2360,7 @@ interface(`fs_remount_tmpfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2382,8 +2379,7 @@ interface(`fs_unmount_tmpfs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
+##	Domain allowed access.
 ##	getattr on the filesystem.
 ##	</summary>
 ## </param>
 #
@ -2543,8 +2539,25 @@ interface(`fs_manage_tmpfs_dirs',`
 ')
 ########################################
-#
+## <summary>
-# fs_tmpfs_filetrans(domain,derivedtype,class)
+##	Create an object in a tmpfs filesystem, with a private
 ##	type using a type transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="private type">
 ##	<summary>
 ##	The type of the object to be created.
 ##	</summary>
 ## </param>
 ## <param name="object">
 ##	<summary>
 ##	The object class of the object being created.
 ##	</summary>
 ## </param>
 #
 interface(`fs_tmpfs_filetrans',`
 	gen_require(`
@ -2600,7 +2613,7 @@ interface(`fs_manage_auto_mountpoints',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2619,7 +2632,7 @@ interface(`fs_rw_tmpfs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2638,7 +2651,7 @@ interface(`fs_read_tmpfs_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2657,7 +2670,7 @@ interface(`fs_rw_tmpfs_chr_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2676,7 +2689,7 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2695,7 +2708,7 @@ interface(`fs_relabel_tmpfs_chr_file',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2714,7 +2727,7 @@ interface(`fs_rw_tmpfs_blk_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2734,7 +2747,7 @@ interface(`fs_relabel_tmpfs_blk_file',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2754,7 +2767,7 @@ interface(`fs_manage_tmpfs_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2774,7 +2787,7 @@ interface(`fs_manage_tmpfs_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2794,7 +2807,7 @@ interface(`fs_manage_tmpfs_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2814,7 +2827,7 @@ interface(`fs_manage_tmpfs_chr_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2833,7 +2846,7 @@ interface(`fs_manage_tmpfs_blk_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2852,7 +2865,7 @@ interface(`fs_mount_all_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain mounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2870,7 +2883,7 @@ interface(`fs_remount_all_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain unmounting the filesystem.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -2889,8 +2902,7 @@ interface(`fs_unmount_all_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
+##	Domain allowed access.
 ##	getattr on the filesystem.
 ##	</summary>
 ## </param>
 #
@ -2909,7 +2921,7 @@ interface(`fs_getattr_all_fs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain to not audit.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@ -2963,8 +2975,7 @@ interface(`fs_set_all_quotas',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the domain doing the
+##	Domain allowed access.
 ##	getattr on the filesystem.
 ##	</summary>
 ## </param>
 #
@ -3229,4 +3240,3 @@ interface(`fs_relabelfrom_noxattr_fs',`
 	allow $1 noxattrfs:blk_file { getattr relabelfrom };
 	allow $1 noxattrfs:chr_file { getattr relabelfrom };
 ')
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@ -1538,8 +1538,15 @@ interface(`kernel_rw_irq_sysctls',`
 ')
 ########################################
-#
+## <summary>
-# kernel_read_rpc_sysctls(domain)
+##	Read RPC sysctls.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ##
 #
 interface(`kernel_read_rpc_sysctls',`
 	gen_require(`
@ -1553,8 +1560,15 @@ interface(`kernel_read_rpc_sysctls',`
 ')
 ########################################
-#
+## <summary>
-# kernel_rw_rpc_sysctls(domain)
+##	Read and write RPC sysctls.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ##
 #
 interface(`kernel_rw_rpc_sysctls',`
 	gen_require(`
@ -1914,7 +1928,7 @@ interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The process type relabeling the objects.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1932,7 +1946,7 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The process type relabeling the objects.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1951,7 +1965,7 @@ interface(`kernel_relabelfrom_unlabeled_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The process type relabeling the objects.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1970,7 +1984,7 @@ interface(`kernel_relabelfrom_unlabeled_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The process type relabeling the objects.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -1989,7 +2003,7 @@ interface(`kernel_relabelfrom_unlabeled_pipes',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The process type relabeling the objects.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@ -300,9 +300,15 @@ template(`mta_admin_template',`
 	')
 ')
-#######################################
+########################################
-#
+## <summary>
-# mta_mailserver(domain,entrypointtype)
+##	Make the specified domain usable for a mail server.
 ## </summary>
 ## <param name="type">
 ##	<summary>
 ##	Type to be used as a mail server domain.
 ##	</summary>
 ## </param>
 #
 interface(`mta_mailserver',`
 	gen_require(`
@ -439,9 +445,15 @@ interface(`mta_mailserver_user_agent',`
 	')
 ')
-#######################################
+########################################
-#
+## <summary>
-# mta_send_mail(domain)
+##	Send mail from the system.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`mta_send_mail',`
 	gen_require(`
@ -462,9 +474,15 @@ interface(`mta_send_mail',`
 	allow mta_user_agent $1:fifo_file { read write };
 ')
-#######################################
+########################################
-#
+## <summary>
-# mta_exec(domain)
+##	Execute sendmail in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`mta_exec',`
 	gen_require(`
@ -533,9 +551,15 @@ interface(`mta_etc_filetrans_aliases',`
 	files_etc_filetrans($1,etc_aliases_t, file)
 ')
-#######################################
+########################################
-#
+## <summary>
-# mta_rw_aliases(domain)
+##	Read and write mail aliases.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`mta_rw_aliases',`
 	gen_require(`
@ -604,9 +628,15 @@ interface(`mta_dontaudit_read_spool_symlinks',`
 	dontaudit $1 mail_spool_t:lnk_file read;
 ')
-#######################################
+########################################
-#
+## <summary>
-# mta_getattr_spool(domain)
+##	Get the attributes of mail spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`mta_getattr_spool',`
 	gen_require(`
@ -619,6 +649,17 @@ interface(`mta_getattr_spool',`
 	allow $1 mail_spool_t:file getattr;
 ')
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes
 ##	of mail spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
 interface(`mta_dontaudit_getattr_spool_files',`
 	gen_require(`
 		type mail_spool_t;
@ -661,9 +702,15 @@ interface(`mta_spool_filetrans',`
 	type_transition $1 mail_spool_t:$3 $2;
 ')
-#######################################
+########################################
-#
+## <summary>
-# mta_rw_spool(domain)
+##	Read and write the mail spool.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`mta_rw_spool',`
 	gen_require(`
@ -717,9 +764,15 @@ interface(`mta_delete_spool',`
 	allow $1 mail_spool_t:file unlink;
 ')
-#######################################
+########################################
-#
+## <summary>
-# mta_manage_spool(domain)
+##	Create, read, write, and delete mail spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`mta_manage_spool',`
 	gen_require(`
@ -751,9 +804,16 @@ interface(`mta_dontaudit_rw_queue',`
 	dontaudit $1 mqueue_spool_t:file { getattr read write };
 ')
-#######################################
+########################################
-#
+## <summary>
-# mta_manage_queue(domain)
+##	Create, read, write, and delete
 ##	mail queue files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`mta_manage_queue',`
 	gen_require(`
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@ -162,7 +162,7 @@ template(`authlogin_per_userdomain_template',`
 ## </param>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -216,7 +216,7 @@ interface(`auth_login_entry_type',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="target_domain">
@ -245,7 +245,7 @@ interface(`auth_domtrans_login_program',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -294,7 +294,7 @@ interface(`auth_domtrans_chk_passwd',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -332,7 +332,7 @@ interface(`auth_dontaudit_getattr_shadow',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -345,6 +345,25 @@ interface(`auth_read_shadow',`
 	auth_tunable_read_shadow($1)
 ')
 ########################################
 ## <summary>
 ##	Pass shadow assertion for reading.
 ## </summary>
 ## <desc>
 ##	<p>
 ##	Pass shadow assertion for reading.
 ##	This should only be used with
 ##	auth_tunable_read_shadow(), and
 ##	only exists because typeattribute
 ##	does not work in conditionals.
 ##	</p>
 ## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`auth_can_read_shadow_passwords',`
 	gen_require(`
 		attribute can_read_shadow_passwords;
@ -353,6 +372,24 @@ interface(`auth_can_read_shadow_passwords',`
 	typeattribute $1 can_read_shadow_passwords;
 ')
 ########################################
 ## <summary>
 ##	Read the shadow password file.
 ## </summary>
 ## <desc>
 ##	<p>
 ##	Read the shadow password file.  This
 ##	should only be used in a conditional;
 ##	it does not pass the reading shadow
 ##	assertion.
 ##	</p>
 ## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`auth_tunable_read_shadow',`
 	gen_require(`
 		type shadow_t;
@ -387,7 +424,7 @@ interface(`auth_dontaudit_read_shadow',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -402,9 +439,16 @@ interface(`auth_rw_shadow',`
 	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
-#######################################
+########################################
-#
+## <summary>
-# auth_manage_shadow(domain)
+##	Create, read, write, and delete the shadow
 ##	password file.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`auth_manage_shadow',`
 	gen_require(`
@ -418,7 +462,7 @@ interface(`auth_manage_shadow',`
 #######################################
 ## <summary>
-##	Automatic transition to shadow from etc.
+##	Automatic transition from etc to shadow.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -497,9 +541,15 @@ interface(`auth_append_faillog',`
 	allow $1 faillog_t:file { getattr append };
 ')
-#######################################
+########################################
-#
+## <summary>
-# auth_rw_faillog(domain)
+##	Read and write the login failure log.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`auth_rw_faillog',`
 	gen_require(`
@ -573,7 +623,7 @@ interface(`auth_rw_lastlog',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -596,7 +646,7 @@ interface(`auth_domtrans_pam',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@ -626,7 +676,7 @@ interface(`auth_run_pam',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -645,7 +695,7 @@ interface(`auth_exec_pam',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -660,9 +710,15 @@ interface(`auth_manage_var_auth',`
 	allow $1 var_auth_t:lnk_file rw_file_perms;
 ')
-#######################################
+########################################
-#
+## <summary>
-# auth_read_pam_pid(domain)
+##	Read PAM PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`auth_read_pam_pid',`
 	gen_require(`
@ -677,7 +733,7 @@ interface(`auth_read_pam_pid',`
 #######################################
 ## <summary>
-##	Do not audit attemps to read PAM pid files.
+##	Do not audit attemps to read PAM PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -699,7 +755,7 @@ interface(`auth_dontaudit_read_pam_pid',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -720,7 +776,7 @@ interface(`auth_delete_pam_pid',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -734,9 +790,15 @@ interface(`auth_manage_pam_pid',`
 	allow $1 pam_var_run_t:file create_file_perms;
 ')
-#######################################
+########################################
-#
+## <summary>
-# auth_domtrans_pam_console(domain)
+##	Execute pam_console with a domain transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`auth_domtrans_pam_console',`
 	gen_require(`
@ -758,7 +820,7 @@ interface(`auth_domtrans_pam_console',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -772,9 +834,16 @@ interface(`auth_search_pam_console_data',`
 	allow $1 pam_var_console_t:dir search_dir_perms;
 ')
-#######################################
+########################################
-#
+## <summary>
-# auth_list_pam_console_data(domain)
+##	List the contents of the pam_console
 ##	data directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`auth_list_pam_console_data',`
 	gen_require(`
@ -786,9 +855,15 @@ interface(`auth_list_pam_console_data',`
 	allow $1 pam_var_console_t:dir r_dir_perms;
 ')
-#######################################
+########################################
-#
+## <summary>
-# auth_read_pam_console_data(domain)
+##	Read pam_console data files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`auth_read_pam_console_data',`
 	gen_require(`
@ -801,9 +876,16 @@ interface(`auth_read_pam_console_data',`
 	allow $1 pam_var_console_t:file r_file_perms;
 ')
-#######################################
+########################################
-#
+## <summary>
-# auth_manage_pam_console_data(domain)
+##	Create, read, write, and delete
 ##	pam_console data files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`auth_manage_pam_console_data',`
 	gen_require(`
@ -971,7 +1053,7 @@ interface(`auth_manage_all_files_except_shadow',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -994,7 +1076,7 @@ interface(`auth_domtrans_utempter',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@ -1036,9 +1118,15 @@ interface(`auth_dontaudit_exec_utempter',`
 	dontaudit $1 utempter_exec_t:file { execute execute_no_trans };
 ')
-#######################################
+########################################
-#
+## <summary>
-# auth_setattr_login_records(domain)
+##	Set the attributes of login record files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`auth_setattr_login_records',`
 	gen_require(`
@ -1049,9 +1137,15 @@ interface(`auth_setattr_login_records',`
 	logging_search_logs($1)
 ')
-#######################################
+########################################
-#
+## <summary>
-# auth_read_login_records(domain)
+##	Read login records files (/var/log/wtmp).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`auth_read_login_records',`
 	gen_require(`
@ -1062,9 +1156,16 @@ interface(`auth_read_login_records',`
 	allow $1 wtmp_t:file r_file_perms;
 ')
-#######################################
+########################################
-#
+## <summary>
-# auth_dontaudit_write_login_records(domain)
+##	Do not audit attempts to write to
 ##	login records files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
 interface(`auth_dontaudit_write_login_records',`
 	gen_require(`
@ -1110,9 +1211,15 @@ interface(`auth_write_login_records',`
 	allow $1 wtmp_t:file { write lock };
 ')
-#######################################
+########################################
-#
+## <summary>
-# auth_rw_login_records(domain)
+##	Read and write login records.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`auth_rw_login_records',`
 	gen_require(`
@ -1123,9 +1230,16 @@ interface(`auth_rw_login_records',`
 	logging_search_logs($1)
 ')
-#######################################
+########################################
-#
+## <summary>
-# auth_log_filetrans_login_records(domain)
+##	Create a login records in the log directory
 ##	using a type transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`auth_log_filetrans_login_records',`
 	gen_require(`
@ -1135,9 +1249,16 @@ interface(`auth_log_filetrans_login_records',`
 	logging_log_filetrans($1,wtmp_t,file)
 ')
-#######################################
+########################################
-#
+## <summary>
-# auth_manage_login_records(domain)
+##	Create, read, write, and delete login
 ##	records files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`auth_manage_login_records',`
 	gen_require(`
--- a/refpolicy/policy/modules/system/hostname.if
+++ b/refpolicy/policy/modules/system/hostname.if
@ -6,7 +6,7 @@
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -31,7 +31,7 @@ interface(`hostname_domtrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@ -61,7 +61,7 @@ interface(`hostname_run',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##             The type of the process performing this action.
+##	Domain allowed access.
 ## 	</summary>
 ## </param>
 #
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@ -3,9 +3,15 @@
 ## connection and disconnection of devices at runtime.
 ## </summary>
-#######################################
+########################################
-#
+## <summary>
-# hotplug_domtrans(domain)
+##	Execute hotplug with a domain transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`hotplug_domtrans',`
 	gen_require(`
@ -21,9 +27,15 @@ interface(`hotplug_domtrans',`
 	allow hotplug_t $1:process sigchld;
 ')
-#######################################
+########################################
-#
+## <summary>
-# hotplug_exec(domain)
+##	Execute hotplug in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`hotplug_exec',`
 	gen_require(`
@ -34,9 +46,15 @@ interface(`hotplug_exec',`
 	can_exec($1,hotplug_exec_t)
 ')
-#######################################
+########################################
-#
+## <summary>
-# hotplug_use_fds(domain)
+##	Inherit and use hotplug file descriptors.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`hotplug_use_fds',`
 	gen_require(`
@ -46,9 +64,16 @@ interface(`hotplug_use_fds',`
 	allow $1 hotplug_t:fd use;
 ')
-#######################################
+########################################
-#
+## <summary>
-# hotplug_dontaudit_use_fds(domain)
+##	Do not audit attempts to inherit
 ##	hotplug file descriptors.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
 interface(`hotplug_dontaudit_use_fds',`
 	gen_require(`
@ -59,8 +84,15 @@ interface(`hotplug_dontaudit_use_fds',`
 ')
 ########################################
-#
+## <summary>
-# hotplug_dontaudit_search_config(domain)
+##	Do not audit attempts to search the
 ##	hotplug configuration directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
 interface(`hotplug_dontaudit_search_config',`
 	gen_require(`
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@ -150,8 +150,14 @@ interface(`init_system_domain',`
 ')
 ########################################
-#
+## <summary>
-# init_domtrans(domain)
+##	Execute init (/sbin/init) with a domain transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`init_domtrans',`
 	gen_require(`
@ -186,8 +192,14 @@ interface(`init_exec',`
 ')
 ########################################
-#
+## <summary>
-# init_getpgid(domain)
+##	Get the process group of init.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`init_getpgid',`
 	gen_require(`
@ -243,8 +255,14 @@ interface(`init_sigchld',`
 ')
 ########################################
-#
+## <summary>
-# init_use_fds(domain)
+##	Inherit and use file descriptors from init.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`init_use_fds',`
 	gen_require(`
@ -258,8 +276,15 @@ interface(`init_use_fds',`
 ')
 ########################################
-#
+## <summary>
-# init_dontaudit_use_fds(domain)
+##	Do not audit attempts to inherit file
 ##	descriptors from init.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`init_dontaudit_use_fds',`
 	gen_require(`
@ -295,8 +320,14 @@ interface(`init_udp_send',`
 ')
 ########################################
-#
+## <summary>
-# init_getattr_initctl(domain)
+##	Get the attributes of initctl.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`init_getattr_initctl',`
 	gen_require(`
@ -307,8 +338,15 @@ interface(`init_getattr_initctl',`
 ')
 ########################################
-#
+## <summary>
-# init_dontaudit_getattr_initctl(domain)
+##	Do not audit attempts to get the
 ##	attributes of initctl.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
 interface(`init_dontaudit_getattr_initctl',`
 	gen_require(`
@ -319,8 +357,14 @@ interface(`init_dontaudit_getattr_initctl',`
 ')
 ########################################
-#
+## <summary>
-# init_write_initctl(domain)
+##	Write to initctl.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`init_write_initctl',`
 	gen_require(`
@ -332,8 +376,14 @@ interface(`init_write_initctl',`
 ')
 ########################################
-#
+## <summary>
-# init_rw_initctl(domain)
+##	Read and write initctl.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`init_rw_initctl',`
 	gen_require(`
@ -345,8 +395,15 @@ interface(`init_rw_initctl',`
 ')
 ########################################
-#
+## <summary>
-# init_dontaudit_rw_initctl(domain)
+##	Do not audit attempts to read and
 ##	write initctl.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`init_dontaudit_rw_initctl',`
 	gen_require(`
@ -376,8 +433,14 @@ interface(`init_script_file_entry_type',`
 ')
 ########################################
-#
+## <summary>
-# init_domtrans_script(domain)
+##	Execute init scripts with a domain transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`init_domtrans_script',`
 	gen_require(`
@ -503,8 +566,14 @@ interface(`init_getattr_script_files',`
 ')
 ########################################
-#
+## <summary>
-# init_exec_script_files(domain)
+##	Execute init scripts in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`init_exec_script_files',`
 	gen_require(`
@ -543,8 +612,14 @@ interface(`init_read_script_state',`
 ')
 ########################################
-#
+## <summary>
-# init_use_script_fds(domain)
+##	Inherit and use init script file descriptors.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`init_use_script_fds',`
 	gen_require(`
@ -555,8 +630,15 @@ interface(`init_use_script_fds',`
 ')
 ########################################
-#
+## <summary>
-# init_dontaudit_use_script_fds(domain)
+##	Do not audit attempts to inherit
 ##	init script file descriptors.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`init_dontaudit_use_script_fds',`
 	gen_require(`
@ -567,8 +649,14 @@ interface(`init_dontaudit_use_script_fds',`
 ')
 ########################################
-#
+## <summary>
-# init_getpgid_script(domain)
+##	Get the process group ID of init scripts.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`init_getpgid_script',`
 	gen_require(`
@ -864,8 +952,14 @@ interface(`init_getattr_utmp',`
 ')
 ########################################
-#
+## <summary>
-# init_read_utmp(domain)
+##	Read utmp.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`init_read_utmp',`
 	gen_require(`
@ -877,8 +971,14 @@ interface(`init_read_utmp',`
 ')
 ########################################
-#
+## <summary>
-# init_dontaudit_write_utmp(domain)
+##	Do not audit attempts to write utmp.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`init_dontaudit_write_utmp',`
 	gen_require(`
@ -927,8 +1027,14 @@ interface(`init_dontaudit_lock_utmp',`
 ')
 ########################################
-#
+## <summary>
-# init_rw_utmp(domain)
+##	Read and write utmp.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`init_rw_utmp',`
 	gen_require(`
@ -940,8 +1046,14 @@ interface(`init_rw_utmp',`
 ')
 ########################################
-#
+## <summary>
-# init_dontaudit_rw_utmp(domain)
+##	Do not audit attempts to read and write utmp.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`init_dontaudit_rw_utmp',`
 	gen_require(`
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@ -72,7 +72,7 @@ interface(`logging_domtrans_auditctl',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@ -102,7 +102,7 @@ interface(`logging_run_auditctl',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -121,8 +121,25 @@ interface(`logging_domtrans_syslog',`
 ')
 ########################################
-#
+## <summary>
-# logging_log_filetrans(domain,privatetype,[class(es)])
+##	Create an object in the log directory, with a private
 ##	type using a type transition.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="private type">
 ##	<summary>
 ##	The type of the object to be created.
 ##	</summary>
 ## </param>
 ## <param name="object">
 ##	<summary>
 ##	The object class of the object being created.
 ##	</summary>
 ## </param>
 #
 interface(`logging_log_filetrans',`
 	gen_require(`
@ -134,9 +151,15 @@ interface(`logging_log_filetrans',`
 	type_transition $1 var_log_t:$3 $2;
 ')
-#######################################
+########################################
-#
+## <summary>
-# logging_send_syslog_msg(domain)
+##	Send system log messages.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`logging_send_syslog_msg',`
 	gen_require(`
@ -183,7 +206,7 @@ interface(`logging_read_audit_config',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -239,7 +262,7 @@ interface(`logging_list_logs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -252,9 +275,16 @@ interface(`logging_rw_generic_log_dirs',`
 	allow $1 var_log_t:dir rw_dir_perms;
 ')
-#######################################
+########################################
-#
+## <summary>
-# logging_dontaudit_getattr_all_logs(domain)
+##	Do not audit attempts to get the atttributes
 ##	of any log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`logging_dontaudit_getattr_all_logs',`
 	gen_require(`
@ -264,9 +294,15 @@ interface(`logging_dontaudit_getattr_all_logs',`
 	dontaudit $1 logfile:file getattr;
 ')
-#######################################
+########################################
-#
+## <summary>
-# logging_append_all_logs(domain)
+##	Append to all log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`logging_append_all_logs',`
 	gen_require(`
@ -279,9 +315,15 @@ interface(`logging_append_all_logs',`
 	allow $1 logfile:file { getattr append };
 ')
-#######################################
+########################################
-#
+## <summary>
-# logging_read_all_logs(domain)
+##	Read all log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`logging_read_all_logs',`
 	gen_require(`
@ -300,7 +342,7 @@ interface(`logging_read_all_logs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -316,9 +358,15 @@ interface(`logging_exec_all_logs',`
 	can_exec($1,logfile)
 ')
-#######################################
+########################################
-#
+## <summary>
-# logging_manage_all_logs(domain)
+##	Create, read, write, and delete all log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`logging_manage_all_logs',`
 	gen_require(`
@ -331,9 +379,15 @@ interface(`logging_manage_all_logs',`
 	allow $1 logfile:file create_file_perms;
 ')
-#######################################
+########################################
-#
+## <summary>
-# logging_read_generic_logs(domain)
+##	Read generic log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`logging_read_generic_logs',`
 	gen_require(`
@ -345,9 +399,15 @@ interface(`logging_read_generic_logs',`
 	allow $1 var_log_t:file r_file_perms;
 ')
-#######################################
+########################################
-#
+## <summary>
-# logging_write_generic_logs(domain)
+##	Write generic log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`logging_write_generic_logs',`
 	gen_require(`
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@ -6,7 +6,7 @@
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -26,7 +26,7 @@ interface(`modutils_read_module_deps',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -50,7 +50,7 @@ interface(`modutils_read_module_config',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -68,7 +68,7 @@ interface(`modutils_rename_module_config',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -94,7 +94,7 @@ interface(`modutils_domtrans_insmod_uncond',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -117,7 +117,7 @@ interface(`modutils_domtrans_insmod',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@ -142,8 +142,14 @@ interface(`modutils_run_insmod',`
 ')
 ########################################
-#
+## <summary>
-# modutils_exec_insmod(domain)
+##	Execute insmod in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`modutils_exec_insmod',`
 	gen_require(`
@ -160,7 +166,7 @@ interface(`modutils_exec_insmod',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -184,7 +190,7 @@ interface(`modutils_domtrans_depmod',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@ -209,8 +215,14 @@ interface(`modutils_run_depmod',`
 ')
 ########################################
-#
+## <summary>
-# modutils_exec_depmod(domain)
+##	Execute depmod in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`modutils_exec_depmod',`
 	gen_require(`
@ -227,7 +239,7 @@ interface(`modutils_exec_depmod',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -251,7 +263,7 @@ interface(`modutils_domtrans_update_mods',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@ -276,8 +288,14 @@ interface(`modutils_run_update_mods',`
 ')
 ########################################
-#
+## <summary>
-# modutils_exec_update_mods(domain)
+##	Execute update_modules in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`modutils_exec_update_mods',`
 	gen_require(`
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@ -6,7 +6,7 @@
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -33,7 +33,7 @@ interface(`seutil_domtrans_checkpolicy',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@ -57,9 +57,15 @@ interface(`seutil_run_checkpolicy',`
 	allow checkpolicy_t $3:chr_file rw_term_perms;
 ')
-#######################################
+########################################
-#
+## <summary>
-# seutil_exec_checkpolicy(domain)
+##	Execute checkpolicy in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`seutil_exec_checkpolicy',`
 	gen_require(`
@ -77,7 +83,7 @@ interface(`seutil_exec_checkpolicy',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -100,11 +106,10 @@ interface(`seutil_domtrans_loadpolicy',`
 ##	Execute load_policy in the load_policy domain, and
 ##	allow the specified role the load_policy domain,
 ##	and use the caller's terminal.
 ##	Has a SIGCHLD signal backchannel.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@ -128,9 +133,15 @@ interface(`seutil_run_loadpolicy',`
 	allow load_policy_t $3:chr_file rw_term_perms;
 ')
-#######################################
+########################################
-#
+## <summary>
-# seutil_exec_loadpolicy(domain)
+##	Execute load_policy in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`seutil_exec_loadpolicy',`
 	gen_require(`
@ -141,9 +152,15 @@ interface(`seutil_exec_loadpolicy',`
 	can_exec($1,load_policy_exec_t)
 ')
-#######################################
+########################################
-#
+## <summary>
-# seutil_read_loadpolicy(domain)
+##	Read the load_policy program file.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`seutil_read_loadpolicy',`
 	gen_require(`
@ -160,7 +177,7 @@ interface(`seutil_read_loadpolicy',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -187,7 +204,7 @@ interface(`seutil_domtrans_newrole',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@ -211,9 +228,15 @@ interface(`seutil_run_newrole',`
 	allow newrole_t $3:chr_file rw_term_perms;
 ')
-#######################################
+########################################
-#
+## <summary>
-# seutil_exec_newrole(domain)
+##	Execute newrole in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`seutil_exec_newrole',`
 	gen_require(`
@ -232,7 +255,7 @@ interface(`seutil_exec_newrole',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -244,9 +267,15 @@ interface(`seutil_dontaudit_signal_newrole',`
 	dontaudit $1 newrole_t:process signal;
 ')
-#######################################
+########################################
-#
+## <summary>
-# seutil_sigchld_newrole(domain)
+##	Send a SIGCHLD signal to newrole.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`seutil_sigchld_newrole',`
 	gen_require(`
@ -256,9 +285,15 @@ interface(`seutil_sigchld_newrole',`
 	allow $1 newrole_t:process sigchld;
 ')
-#######################################
+########################################
-#
+## <summary>
-# seutil_use_newrole_fds(domain)
+##	Inherit and use newrole file descriptors.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`seutil_use_newrole_fds',`
 	gen_require(`
@ -274,7 +309,7 @@ interface(`seutil_use_newrole_fds',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -300,7 +335,7 @@ interface(`seutil_domtrans_restorecon',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@ -324,9 +359,15 @@ interface(`seutil_run_restorecon',`
 	allow restorecon_t $3:chr_file rw_term_perms;
 ')
-#######################################
+########################################
-#
+## <summary>
-# seutil_exec_restorecon(domain)
+##	Execute restorecon in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`seutil_exec_restorecon',`
 	gen_require(`
@ -343,7 +384,7 @@ interface(`seutil_exec_restorecon',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -399,7 +440,7 @@ interface(`seutil_init_script_domtrans_runinit',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@ -443,7 +484,7 @@ interface(`seutil_run_runinit',`
 ## </desc>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@ -470,8 +511,14 @@ interface(`seutil_init_script_run_runinit',`
 ')
 ########################################
-#
+## <summary>
-# seutil_use_runinit_fds(domain)
+##	Inherit and use run_init file descriptors.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`seutil_use_runinit_fds',`
 	gen_require(`
@ -487,7 +534,7 @@ interface(`seutil_use_runinit_fds',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -514,7 +561,7 @@ interface(`seutil_domtrans_setfiles',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@ -538,9 +585,15 @@ interface(`seutil_run_setfiles',`
 	allow setfiles_t $3:chr_file rw_term_perms;
 ')
-#######################################
+########################################
-#
+## <summary>
-# seutil_exec_setfiles(domain)
+##	Execute setfiles in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`seutil_exec_setfiles',`
 	gen_require(`
@ -592,8 +645,14 @@ interface(`seutil_dontaudit_read_config',`
 ')
 ########################################
-#
+## <summary>
-# seutil_read_config(domain)
+##	Read the general SELinux configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`seutil_read_config',`
 	gen_require(`
@ -613,7 +672,7 @@ interface(`seutil_read_config',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -634,7 +693,7 @@ interface(`seutil_manage_selinux_config',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -649,8 +708,14 @@ interface(`seutil_search_default_contexts',`
 ########################################
-#
+## <summary>
-# seutil_read_default_contexts(domain)
+##	Read the default_contexts files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`seutil_read_default_contexts',`
 	gen_require(`
@ -665,8 +730,14 @@ interface(`seutil_read_default_contexts',`
 ')
 ########################################
-#
+## <summary>
-# seutil_read_file_contexts(domain)
+##	Read the file_contexts files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`seutil_read_file_contexts',`
 	gen_require(`
@ -724,8 +795,14 @@ interface(`seutil_manage_file_contexts',`
 ')
 ########################################
-#
+## <summary>
-# seutil_read_bin_policy(domain)
+##	Read the SELinux binary policy.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`seutil_read_bin_policy',`
 	gen_require(`
@ -739,8 +816,14 @@ interface(`seutil_read_bin_policy',`
 ')
 ########################################
-#
+## <summary>
-# seutil_create_bin_policy(domain)
+##	Create the SELinux binary policy.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`seutil_create_bin_policy',`
 	gen_require(`
@ -761,7 +844,7 @@ interface(`seutil_create_bin_policy',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -776,8 +859,15 @@ interface(`seutil_relabelto_bin_policy',`
 ')
 ########################################
-#
+## <summary>
-# seutil_manage_bin_policy(domain)
+##	Create, read, write, and delete the SELinux
 ##	binary policy.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`seutil_manage_bin_policy',`
 	gen_require(`
@ -793,8 +883,14 @@ interface(`seutil_manage_bin_policy',`
 ')
 ########################################
-#
+## <summary>
-# seutil_read_src_policy(domain)
+##	Read SELinux policy source files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`seutil_read_src_policy',`
 	gen_require(`
@ -808,8 +904,15 @@ interface(`seutil_read_src_policy',`
 ')
 ########################################
-#
+## <summary>
-# seutil_manage_src_policy(domain)
+##	Create, read, write, and delete SELinux
 ##	policy source files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`seutil_manage_src_policy',`
 	gen_require(`
@ -855,7 +958,7 @@ interface(`seutil_domtrans_semanage',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@ -909,7 +1012,7 @@ interface(`seutil_manage_module_store',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -929,7 +1032,7 @@ interface(`seutil_get_semanage_read_lock',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #