diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 30a66db..ad47766 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -44,6 +44,7 @@ SBINDIR := $(PREFIX)/sbin
 CHECKPOLICY := $(BINDIR)/checkpolicy
 LOADPOLICY := $(SBINDIR)/load_policy
 SETFILES := $(SBINDIR)/setfiles
+XMLLINT := $(BINDIR)/xmllint
 
 # enable MLS if requested.
 ifeq ($(MLS),y)
@@ -270,11 +271,16 @@ xml: policy.xml
 
 policy.xml: $(ALL_INTERFACES) tmp/generated_definitions.conf
 	@echo "Creating $@"
-	$(QUIET) echo "<policy>" > $@
+	$(QUIET) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
+	$(QUIET) echo '<!DOCTYPE policy SYSTEM "policy.dtd">' >> $@
+	$(QUIET) echo "<policy>" >> $@
 # process this through m4 to eliminate the generated definitions.
 # currently these are only in corenetwork.if
-	$(QUIET) m4 $^ | egrep -h "^##[[:space:]]" | sed -e 's/^##[[:space:]]//g' >> $@
+	$(QUIET) m4 $^ | egrep -h "^##[[:blank:]]" | sed -e 's/^##[[:blank:]]//g' >> $@
 	$(QUIET) echo "</policy>" >> $@
+	$(QUIET) if test -x $(XMLLINT) && test -f policy.dtd; then \
+		$(XMLLINT) --noout --dtdvalid policy.dtd $@ ;\
+	fi
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 960d24e..562a1dc 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -335,3 +335,4 @@ dontaudit $1_gpg_pinentry_t cifs_t:file write;
 dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
 ') dnl end TODO
 ') dnl end gpg_per_userdomain_template
+
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if b/refpolicy/policy/modules/kernel/corenetwork.if
index 035e1a3..9a58221 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if
+++ b/refpolicy/policy/modules/kernel/corenetwork.if
@@ -2,9 +2,16 @@
 ## <summary>Policy controlling access to network objects</summary>
 
 ifdef(`interface_pass',`',`
-#######################################
-#
-# corenetwork_network_tcp_on_general_interface(domain)
+########################################
+## <interface name="corenetwork_network_tcp_on_general_interface">
+##	<description>
+##		Send and receive TCP network traffic on the general interfaces.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`corenetwork_network_tcp_on_general_interface',`
 requires_block_template(`$0'_depend)