diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index ca26e5e..4beb272 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -129,7 +129,7 @@ CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
 USER_FILES := $(POLDIR)/users
 DISABLEMOD := $(foreach mod,$(shell egrep -v '^[[:blank:]]*\#' $(MOD_DISABLE)),$(subst ./,,$(shell find -iname $(mod).te)))
-ALL_LAYERS := $(shell find $(wildcard policy/modules/*) -maxdepth 0 -type d)
+ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
 GENERATED_TE := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te.in)))
 GENERATED_IF := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if.in)))
@@ -153,6 +153,7 @@ POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_
 DOCS = doc
 POLXML = $(DOCS)/policy.xml
 XMLDTD = $(DOCS)/policy.dtd
+LAYERXML = metadata.xml
 HTMLDIR = $(DOCS)/html
 DOCTEMPLATE = $(DOCS)/templates
@@ -364,9 +365,13 @@ $(POLXML): $(ALL_INTERFACES)
 $(QUIET) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
 $(QUIET) echo '<!DOCTYPE policy SYSTEM "policy.dtd">' >> $@
 $(QUIET) echo "<policy>" >> $@
-# process this through m4 to eliminate the generated definitions templates.
-# currently these are only in corenetwork.if
- $(QUIET) m4 $(ALL_INTERFACES) $(GLOBALTUN) | egrep -h "^##[[:blank:]]" | sed -e 's/^##[[:blank:]]//g' >> $@
+# do all modules, even disabled ones:
+ $(QUIET) for i in $(ALL_LAYERS); do \
+ cat $$i/$(LAYERXML) >> $@ ;\
+ egrep -h "^##[[:blank:]]" $$i/*.if | sed -e 's/^##[[:blank:]]//g' >> $@ ;\
+ echo "</layer>" >> $@;\
+ done
+ $(QUIET) egrep -h "^##[[:blank:]]" $(GLOBALTUN) | sed -e 's/^##[[:blank:]]//g' >> $@
 $(QUIET) echo "</policy>" >> $@
 $(QUIET) if test -x $(XMLLINT) && test -f $(XMLDTD); then \
 $(XMLLINT) --noout --dtdvalid $(XMLDTD) $@ ;\
diff --git a/refpolicy/doc/policy.dtd b/refpolicy/doc/policy.dtd
index 3afb7e3..a5ccae7 100644
--- a/refpolicy/doc/policy.dtd
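Review bot: The new `ALL_LAYERS` still forks a shell for a directory test that make can do itself: `ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(patsubst %/,%,$(wildcard $(MODDIR)/*/)))` should yield the same directory list without `$(shell find ...)`, the one visible difference being that the glob also admits a symlink to a directory where `-type d` rejects it. The filter excludes exactly one literal name, so any other non-layer directory that appears under `$(MODDIR)` is still treated as a layer and later has its metadata.xml and `*.if` files read by the documentation target; if such scratch directories can occur, keying the list on the presence of the layer metadata file would be more robust than a name blacklist. `MODDIR` is not defined anywhere in this hunk, so it is presumably set earlier in the Makefile; an empty value would turn the glob into `/*`.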
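Review bot: A failing `cat $$i/$(LAYERXML)` in the new loop does not fail the build: the body is chained with `;`, the loop's exit status is that of its last command (the `echo`), so a layer directory without a metadata.xml leaves policy.xml with a `</layer>` that was never opened and make reports success. The DTD validation that would catch the malformed file runs only when `$(XMLLINT)` is executable, so hosts without xmllint ship the broken document silently; change the first body line to `cat $$i/$(LAYERXML) >> $@ || exit 1 ;\` so the recipe stops on the missing file. The removed comment said the m4 pass existed to strip generated-definition templates from corenetwork.if; the new loop reads `$$i/*.if` raw, so if the generated corenetwork.if still contains template text on `## ` lines that text now lands in policy.xml verbatim, which is worth confirming. The `$(POLXML)` rule continues past the end of this hunk.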
+++ b/refpolicy/doc/policy.dtd
@@ -1,10 +1,12 @@
 <!ENTITY % inline.class "pre|p|ul|li">
-<!ELEMENT policy (module+,tunable*)>
-<!ELEMENT module (summary,description?,interface+)>
+<!ELEMENT policy (layer+,tunable*)>
+<!ELEMENT layer (module+)>
+<!ATTLIST layer
+ name CDATA #REQUIRED>
+<!ELEMENT module (summary,description?,(interface|template)*)>
 <!ATTLIST module
- name CDATA #REQUIRED
- layer CDATA #REQUIRED>
+ name CDATA #REQUIRED>
 <!ELEMENT tunable (#PCDATA)>
 <!ATTLIST tunable
 name CDATA #REQUIRED
@@ -12,6 +14,8 @@
 <!ELEMENT summary (#PCDATA)>
 <!ELEMENT interface (summary?,description?,securitydesc?,parameter+,infoflow?)>
 <!ATTLIST interface name CDATA #REQUIRED>
+<!ELEMENT template (summary,description?,securitydesc?,parameter+)>
+<!ATTLIST template name CDATA #REQUIRED>
 <!ELEMENT description (#PCDATA|%inline.class;)*>
 <!ELEMENT securitydesc (#PCDATA|%inline.class;)*>
 <!ELEMENT parameter (#PCDATA)>
diff --git a/refpolicy/policy/modules/admin/dmesg.if b/refpolicy/policy/modules/admin/dmesg.if
index 0c6f5b7..3e55cac 100644
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ b/refpolicy/policy/modules/admin/dmesg.if
@@ -1,4 +1,4 @@
-## <module name="dmesg" layer="admin">
+## <module name="dmesg">
 ## <summary>Policy for dmesg.</summary>
 ########################################
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index c4c3bde..c0d2e30 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -1,4 +1,4 @@
-## <module name="rpm" layer="admin">
+## <module name="rpm">
 ## <summary>Policy for the RPM package manager.</summary>
 ########################################
diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if
index 194411f..625aaff 100644
--- a/refpolicy/policy/modules/admin/usermanage.if
+++ b/refpolicy/policy/modules/admin/usermanage.if
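Review bot: Relaxing `module` from `interface+` to `(interface|template)*` is what lets a template-only module such as gpg validate, but it also accepts a module that documents nothing at all, so an extraction that lost every `## ` line of a module now passes the xmllint check instead of failing it. If an empty module block is never legitimate, `<!ELEMENT module (summary,description?,(interface|template)+)>` keeps that safety net while still admitting template-only modules. A one-line DTD comment stating which of the two is intended would help the next person who touches the content model.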
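Review bot: The new `template` element drops the `infoflow?` slot that `interface` carries and makes `summary` mandatory where `interface` leaves it optional, and nothing in the DTD says whether that asymmetry is deliberate. If templates are meant to be documented like interfaces, `<!ELEMENT template (summary,description?,securitydesc?,parameter+,infoflow?)>` keeps the two in step; if the omission is intentional because a template defines domains rather than a single flow, a short `<!-- templates carry no infoflow: ... -->` comment next to the declaration would stop an author from copying an `<infoflow>` block into a template and only discovering the failure on a host where xmllint runs.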
@@ -1,4 +1,4 @@
-## <module name="usermanage" layer="admin">
+## <module name="usermanage">
 ## <summary>Policy for managing user accounts.</summary>
 ########################################
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 903524b..9f42521 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -1,9 +1,28 @@
+## <module name="gpg">
+## <summary>Policy for GNU Privacy Guard and related programs.</summary>
 #######################################
-#
-# Per user domain template for this module
-#
-# gpg_per_userdomain_template(userdomain_prefix)
+## <template name="gpg_per_userdomain_template">
+## <summary>
+## The per-userdomain template for the gpg module.
+## </summary>
+## <description>
+## <p>
+## This template creates the types and rules for GPG,
+## GPG-agent, and GPG helper programs. This protects
+## the user keys and secrets, and runs the programs
+## in domains specific to the user type.
+## </p>
+## <p>
+## This is invoked automatically for each user, and
+## generally does not need to be statically invoked
+## directly by policy writers.
+## </p>
+## </description>
+## <parameter name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </parameter>
 #
 define(`gpg_per_userdomain_template',`
 gen_require(`$0'_depend)
@@ -349,3 +368,6 @@ define(`gpg_per_userdomain_template',`
 ') dnl end TODO
 ')
+## </template>
+
+## </module>
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 753d039..5a64873 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -1,4 +1,4 @@
-## <module name="bootloader" layer="kernel">
+## <module name="bootloader">
 ## <summary>Policy for the kernel modules, kernel image, and bootloader.</summary>
 ########################################
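Review bot: The new description asserts that the template "protects the user keys and secrets" without saying what that rests on, and it leaves the `<securitydesc>` slot the DTD in this commit gives templates unused; a short `## <securitydesc>` paragraph naming the per-user domains and file types the template creates, and stating that other user types are not granted them, would turn the claim into something a reader can check against the rules. The `<parameter>` text should also say how `userdomain_prefix` is consumed — presumably unquoted, to form type names such as `$1_gpg_t` (confirm against the body) — so callers know a bare identifier like `user` is expected, not `user_t`. The lone `#` left between `## </parameter>` and `define(` is a remnant of the old comment box and can be dropped. The `define` body starts in this hunk and runs well past it.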
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index f1189cf..9430836 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -1,4 +1,4 @@
-## <module name="corenetwork" layer="kernel">
+## <module name="corenetwork">
 ## <summary>Policy controlling access to network objects</summary>
 ########################################
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index aa87733..4611ab9 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -1,4 +1,4 @@
-## <module name="devices" layer="kernel">
+## <module name="devices">
 ## <summary>
 ## Device nodes and interfaces for many basic system devices.
 ## </summary>
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 6d7b9f6..4528dc4 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -1,4 +1,4 @@
-## <module name="filesystem" layer="kernel">
+## <module name="filesystem">
 ## <summary>Policy for filesystems.</summary>
 ########################################
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index d6deee8..df67d3e 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -1,4 +1,4 @@
-## <module name="kernel" layer="kernel">
+## <module name="kernel">
 ## <summary>
 ## Policy for kernel threads, proc filesystem,
 ## and unlabeled processes and objects.
diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if
index 4f36172..307e28a 100644
--- a/refpolicy/policy/modules/kernel/selinux.if
+++ b/refpolicy/policy/modules/kernel/selinux.if
@@ -1,4 +1,4 @@
-## <module name="selinux" layer="kernel">
+## <module name="selinux">
 ## <summary>
 ## Policy for kernel security interface, in particular, selinuxfs.
 ## </summary>
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 233326f..854ce59 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -1,4 +1,4 @@
-## <module name="storage" layer="kernel">
+## <module name="storage">
 ## <summary>Policy controlling access to storage devices</summary>
 ########################################
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index db943ba..90ea8a1 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -1,4 +1,4 @@
-## <module name="terminal" layer="kernel">
+## <module name="terminal">
 ## <summary>Policy for terminals.</summary>
 ########################################
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index c28b2a7..6726287 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -1,4 +1,4 @@
-## <module name="mta" layer="services">
+## <module name="mta">
 ## <summary>Policy common to all email tranfer agents.</summary>
 #######################################
diff --git a/refpolicy/policy/modules/services/remotelogin.if b/refpolicy/policy/modules/services/remotelogin.if
index e4e26d5..5fbe4ca 100644
--- a/refpolicy/policy/modules/services/remotelogin.if
+++ b/refpolicy/policy/modules/services/remotelogin.if
@@ -1,4 +1,4 @@
-## <module name="remotelogin" layer="services">
+## <module name="remotelogin">
 ## <summary>Policy for rshd, rlogind, and telnetd.</summary>
 ########################################
diff --git a/refpolicy/policy/modules/services/sendmail.if b/refpolicy/policy/modules/services/sendmail.if
index cc202c5..99ba008 100644
--- a/refpolicy/policy/modules/services/sendmail.if
+++ b/refpolicy/policy/modules/services/sendmail.if
@@ -1,4 +1,4 @@
-## <module name="sendmail" layer="services">
+## <module name="sendmail">
 ## <summary>Policy for sendmail.</summary>
 ########################################
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 88f96d9..740a2b1 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -1,4 +1,4 @@
-## <module name="authlogin" layer="system">
+## <module name="authlogin">
 ## <summary>Common policy for authentication and user login.</summary>
 #######################################
diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if
index 45a2245..42449ca 100644
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@@ -1,4 +1,4 @@
-## <module name="clock" layer="system">
+## <module name="clock">
 ## <summary>Policy for reading and setting the hardware clock.</summary>
 ########################################
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
index ac9b624..fb32f23 100644
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@@ -1,4 +1,4 @@
-## <module name="corecommands" layer="system">
+## <module name="corecommands">
 ## <summary>
 ## Core policy for shells, and generic programs
 ## in /bin, /sbin, /usr/bin, and /usr/sbin.
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index aa14bbb..018375e 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -1,4 +1,4 @@
-## <module name="domain" layer="system">
+## <module name="domain">
 ## <summary>Core policy for domains.</summary>
 ########################################
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 2f78d9a..e91e72c 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -1,4 +1,4 @@
-## <module name="files" layer="system">
+## <module name="files">
 ## <summary>
 ## Basic filesystem types and interfaces.
 ## </summary>
diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if
index 51ce7a5..41850c1 100644
--- a/refpolicy/policy/modules/system/getty.if
+++ b/refpolicy/policy/modules/system/getty.if
@@ -1,4 +1,4 @@
-## <module name="getty" layer="system">
+## <module name="getty">
 ## <summary>Policy for getty.</summary>
 ########################################
diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if
index 3a37ecb..28b679d 100644
--- a/refpolicy/policy/modules/system/hostname.if
+++ b/refpolicy/policy/modules/system/hostname.if
@@ -1,4 +1,4 @@
-## <module name="hostname" layer="system">
+## <module name="hostname">
 ## <summary>Policy for changing the system host name.</summary>
 ########################################
diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if
index 4007f50..9f6dd58 100644
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@@ -1,4 +1,4 @@
-## <module name="hotplug" layer="system">
+## <module name="hotplug">
 ## <summary>
 ## Policy for hotplug system, for supporting the
 ## connection and disconnection of devices at runtime.
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 9d3013a..ce8b55e 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -1,4 +1,4 @@
-## <module name="init" layer="system">
+## <module name="init">
 ## <summary>System initialization programs (init and init scripts).</summary>
 ########################################
diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if
index b46ea3c..c41a5c0 100644
--- a/refpolicy/policy/modules/system/iptables.if
+++ b/refpolicy/policy/modules/system/iptables.if
@@ -1,4 +1,4 @@
-## <module name="iptables" layer="system">
+## <module name="iptables">
 ## <summary>Policy for iptables.</summary>
 ########################################
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index 2f7514e..f187806 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -1,4 +1,4 @@
-## <module name="libraries" layer="system">
+## <module name="libraries">
 ## <summary>Policy for system libraries.</summary>
 ########################################
diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if
index ef30cb7..281da20 100644
--- a/refpolicy/policy/modules/system/locallogin.if
+++ b/refpolicy/policy/modules/system/locallogin.if
@@ -1,4 +1,4 @@
-## <module name="locallogin" layer="system">
+## <module name="locallogin">
 ## <summary>Policy for local logins.</summary>
 ########################################
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index e7e4c4e..df1b2c5 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -1,4 +1,4 @@
-## <module name="logging" layer="system">
+## <module name="logging">
 ## <summary>Policy for the kernel message logger and system logging daemon.</summary>
 #######################################
diff --git a/refpolicy/policy/modules/system/lvm.if b/refpolicy/policy/modules/system/lvm.if
index fb0c163..adc7b50 100644
--- a/refpolicy/policy/modules/system/lvm.if
+++ b/refpolicy/policy/modules/system/lvm.if
@@ -1,4 +1,4 @@
-## <module name="lvm" layer="system">
+## <module name="lvm">
 ## <summary>Policy for logical volume management programs.</summary>
 ########################################
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
index d8d8c60..cef50ff 100644
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@@ -1,4 +1,4 @@
-## <module name="miscfiles" layer="system">
+## <module name="miscfiles">
 ## <summary>Miscelaneous files.</summary>
 ########################################
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index c4cefed..2c310cf 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -1,4 +1,4 @@
-## <module name="modutils" layer="system">
+## <module name="modutils">
 ## <summary>Policy for kernel module utilities</summary>
 ########################################
diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if
index ac8cd49..e7cbdc1 100644
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@@ -1,4 +1,4 @@
-## <module name="mount" layer="system">
+## <module name="mount">
 ## <summary>Policy for mount.</summary>
 ########################################
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index 6183f14..a4108b0 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -1,4 +1,4 @@
-## <module name="selinuxutil" layer="system">
+## <module name="selinuxutil">
 ## <summary>Policy for SELinux policy and userland applications.</summary>
 #######################################
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 08ee021..ce884dc 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -1,4 +1,4 @@
-## <module name="sysnetwork" layer="system">
+## <module name="sysnetwork">
 ## <summary>Policy for network configuration: ifconfig and dhcp client.</summary>
 #######################################
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
index c1eccd0..4b986f5 100644
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@@ -1,4 +1,4 @@
-## <module name="udev" layer="system">
+## <module name="udev">
 ## <summary>Policy for udev.</summary>
 ########################################
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index db11429..229bd81 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1,4 +1,4 @@
-## <module name="userdomain" layer="system">
+## <module name="userdomain">
 ## <summary>Policy for user domains</summary>
 ########################################