diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 8a970d5..f1fae05 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -759,13 +759,22 @@ interface(`kernel_getattr_proc_files',`
########################################
##
-## Read symbolic links in /proc.
+## Read generic symbolic links in /proc.
##
+##
+##
+## Allow the specified domain to read (follow) generic
+## symbolic links (symlinks) in the proc filesystem (/proc).
+## This interface does not include access to the targets of
+## these links. An example symlink is /proc/self.
+##
+##
##
##
## Domain allowed access.
##
##
+##
#
interface(`kernel_read_proc_symlinks',`
gen_require(`
@@ -777,13 +786,33 @@ interface(`kernel_read_proc_symlinks',`
########################################
##
-## Allows caller to read system state information in proc.
+## Allows caller to read system state information in /proc.
##
+##
+##
+## Allow the specified domain to read general system
+## state information from the proc filesystem (/proc).
+##
+##
+## Generally it should be safe to allow this access. Some
+## example files that can be read based on this interface:
+##
+##
+## - /proc/cpuinfo
+## - /proc/meminfo
+## - /proc/uptime
+##
+##
+## This does not allow access to sysctl entries (/proc/sys/*)
+## nor process state information (/proc/pid).
+##
+##
##
##
-## The process type reading the system state information.
+## Domain allowed access.
##
##
+##
##
#
interface(`kernel_read_system_state',`
@@ -1082,13 +1111,24 @@ interface(`kernel_search_network_state',`
########################################
##
-## Allow caller to read the network state information.
+## Read the network state information.
##
+##
+##
+## Allow the specified domain to read the networking
+## state information. This includes several pieces
+## of networking information, such as network interface
+## names, netfilter (iptables) statistics, protocol
+## information, routes, and remote procedure call (RPC)
+## information.
+##
+##
##
##
-## The process type reading the state.
+## Domain allowed access.
##
##
+##
##
#
interface(`kernel_read_network_state',`
@@ -1650,13 +1690,35 @@ interface(`kernel_read_crypto_sysctls',`
########################################
##
-## Read generic kernel sysctls.
+## Read general kernel sysctls.
##
+##
+##
+## Allow the specified domain to read general
+## kernel sysctl settings. These settings are typically
+## read using the sysctl program. The settings
+## that are included by this interface are prefixed
+## with "kernel.", for example, kernel.sysrq.
+##
+##
+## This does not include access to the hotplug
+## handler setting (kernel.hotplug)
+## nor the module installer handler setting
+## (kernel.modprobe).
+##
+##
+## Related interfaces:
+##
+##
+## - kernel_rw_kernel_sysctl()
+##
+##
##
##
## Domain allowed access.
##
##
+##
#
interface(`kernel_read_kernel_sysctls',`
gen_require(`