Break out Policy Background from the Introduction.

Note that the MAC Framework can also be used to express DAC policies.

Push the MAC Framework Policy Elements section up a level to sect1 and
name it "MAC Policy Architecture".

Stick "MAC" in front of the Policy Entry Points section header to
improve consistency.

en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml

@@ -140,6 +140,10 @@
       services to assist policy writers, including support for
       transient and persistent policy-agnostic object security
       labels.  This support is currently considered experimental.</para>
+  </sect1>
+
+  <sect1>
+    <title>Policy Background</title>
 
     <para>Mandatory Access Control (MAC), refers to a set of
       access control policies that are mandatorily enforced on
@@ -157,6 +161,13 @@
       identity, role, and security clearance, as well as security labels
       on objects representing concepts such as data sensitivity and
       integrity.</para>
+
+    <para>The TrustedBSD MAC Framework is capable of supporting policy
+      modules that implement all of these policies, as well as a broad
+      class of system hardening policies.  In addition, despite the
+      name, the MAC Framework can also be used to implement purely
+      discretionary policies, as policy modules are given substantial
+      flexibility in how they authorize protections.</para>
   </sect1>
   
   <sect1 id="mac-kernel-arch">
@@ -255,36 +266,6 @@
 	are used to permit consistent compound updates of
 	security labels on vnodes.</para>
     </sect2>
-
-    <sect2 id="mac-kernel-arch-policy-elements">
-      <title>MAC Framework Policy Elements</title>
-
-      <para>Security policies are either linked directly into the kernel,
-	or compiled into loadable kernel modules that may be loaded at
-	boot, or dynamically using the module loading system calls at
-	runtime.  Policy modules interact with the system through a
-	set of declared entry points, providing access to a stream of
-	system events and permitting the policy to influence access
-	control decisions.  Each policy contains a number of elements:</para>
-
-      <itemizedlist>
-	<listitem><para>Optional configuration parameters for
-	  policy.</para></listitem>
-	<listitem><para>Centralized implementation of the policy
-	  logic and parameters.</para></listitem>
-	<listitem><para>Optional implementation of policy life cycle
-	  events, such as initialization and destruction.</para></listitem>
-	<listitem><para>Optional support for initializing, maintaining, and
-	  destroying labels on selected kernel objects.</para></listitem>
-	<listitem><para>Optional support for user process inspection and
-	  modification of labels on selected objects.</para></listitem>
-	<listitem><para>Implementation of selected access control
-	  entry points that are of interest to the policy.</para></listitem>
-	<listitem><para>Declaration of poicy identity, module entry
-	  points, and policy properties.</para></listitem>
-      </itemizedlist>
-    </sect2>
-
   </sect1>
 
   <sect1 id="mac-userland-arch">
@@ -368,7 +349,36 @@
 	following such a change.</para></note>
     </sect2>
   </sect1>
-  
+
+  <sect1 id="mac-policy-architecture">
+    <title>MAC Policy Architecture</title>
+
+    <para>Security policies are either linked directly into the kernel,
+      or compiled into loadable kernel modules that may be loaded at
+      boot, or dynamically using the module loading system calls at
+      runtime.  Policy modules interact with the system through a
+      set of declared entry points, providing access to a stream of
+      system events and permitting the policy to influence access
+      control decisions.  Each policy contains a number of elements:</para>
+
+    <itemizedlist>
+      <listitem><para>Optional configuration parameters for
+	policy.</para></listitem>
+      <listitem><para>Centralized implementation of the policy
+	logic and parameters.</para></listitem>
+      <listitem><para>Optional implementation of policy life cycle
+	events, such as initialization and destruction.</para></listitem>
+      <listitem><para>Optional support for initializing, maintaining, and
+	destroying labels on selected kernel objects.</para></listitem>
+      <listitem><para>Optional support for user process inspection and
+	modification of labels on selected objects.</para></listitem>
+      <listitem><para>Implementation of selected access control
+	entry points that are of interest to the policy.</para></listitem>
+      <listitem><para>Declaration of poicy identity, module entry
+	points, and policy properties.</para></listitem>
+     </itemizedlist>
+  </sect1>
+
   <sect1 id="mac-policy-declaration">
     <title>MAC Policy Declaration</title>
     
@@ -484,8 +494,8 @@
       to have label storage.</para></note>
   </sect1>
 
-  <sect1 id="mac-entry-point-intro">
+  <sect1 id="mac-policy-entry-points">
-    <title>Entry Point Introduction</title>
+    <title>MAC Policy Entry Points</title>
     
     <para>Four classes of entry points are offered to policies
       registered with the framework: entry points associated with

en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml

@@ -140,6 +140,10 @@
       services to assist policy writers, including support for
       transient and persistent policy-agnostic object security
       labels.  This support is currently considered experimental.</para>
+  </sect1>
+
+  <sect1>
+    <title>Policy Background</title>
 
     <para>Mandatory Access Control (MAC), refers to a set of
       access control policies that are mandatorily enforced on
@@ -157,6 +161,13 @@
       identity, role, and security clearance, as well as security labels
       on objects representing concepts such as data sensitivity and
       integrity.</para>
+
+    <para>The TrustedBSD MAC Framework is capable of supporting policy
+      modules that implement all of these policies, as well as a broad
+      class of system hardening policies.  In addition, despite the
+      name, the MAC Framework can also be used to implement purely
+      discretionary policies, as policy modules are given substantial
+      flexibility in how they authorize protections.</para>
   </sect1>
   
   <sect1 id="mac-kernel-arch">
@@ -255,36 +266,6 @@
 	are used to permit consistent compound updates of
 	security labels on vnodes.</para>
     </sect2>
-
-    <sect2 id="mac-kernel-arch-policy-elements">
-      <title>MAC Framework Policy Elements</title>
-
-      <para>Security policies are either linked directly into the kernel,
-	or compiled into loadable kernel modules that may be loaded at
-	boot, or dynamically using the module loading system calls at
-	runtime.  Policy modules interact with the system through a
-	set of declared entry points, providing access to a stream of
-	system events and permitting the policy to influence access
-	control decisions.  Each policy contains a number of elements:</para>
-
-      <itemizedlist>
-	<listitem><para>Optional configuration parameters for
-	  policy.</para></listitem>
-	<listitem><para>Centralized implementation of the policy
-	  logic and parameters.</para></listitem>
-	<listitem><para>Optional implementation of policy life cycle
-	  events, such as initialization and destruction.</para></listitem>
-	<listitem><para>Optional support for initializing, maintaining, and
-	  destroying labels on selected kernel objects.</para></listitem>
-	<listitem><para>Optional support for user process inspection and
-	  modification of labels on selected objects.</para></listitem>
-	<listitem><para>Implementation of selected access control
-	  entry points that are of interest to the policy.</para></listitem>
-	<listitem><para>Declaration of poicy identity, module entry
-	  points, and policy properties.</para></listitem>
-      </itemizedlist>
-    </sect2>
-
   </sect1>
 
   <sect1 id="mac-userland-arch">
@@ -368,7 +349,36 @@
 	following such a change.</para></note>
     </sect2>
   </sect1>
-  
+
+  <sect1 id="mac-policy-architecture">
+    <title>MAC Policy Architecture</title>
+
+    <para>Security policies are either linked directly into the kernel,
+      or compiled into loadable kernel modules that may be loaded at
+      boot, or dynamically using the module loading system calls at
+      runtime.  Policy modules interact with the system through a
+      set of declared entry points, providing access to a stream of
+      system events and permitting the policy to influence access
+      control decisions.  Each policy contains a number of elements:</para>
+
+    <itemizedlist>
+      <listitem><para>Optional configuration parameters for
+	policy.</para></listitem>
+      <listitem><para>Centralized implementation of the policy
+	logic and parameters.</para></listitem>
+      <listitem><para>Optional implementation of policy life cycle
+	events, such as initialization and destruction.</para></listitem>
+      <listitem><para>Optional support for initializing, maintaining, and
+	destroying labels on selected kernel objects.</para></listitem>
+      <listitem><para>Optional support for user process inspection and
+	modification of labels on selected objects.</para></listitem>
+      <listitem><para>Implementation of selected access control
+	entry points that are of interest to the policy.</para></listitem>
+      <listitem><para>Declaration of poicy identity, module entry
+	points, and policy properties.</para></listitem>
+     </itemizedlist>
+  </sect1>
+
   <sect1 id="mac-policy-declaration">
     <title>MAC Policy Declaration</title>
     
@@ -484,8 +494,8 @@
       to have label storage.</para></note>
   </sect1>
 
-  <sect1 id="mac-entry-point-intro">
+  <sect1 id="mac-policy-entry-points">
-    <title>Entry Point Introduction</title>
+    <title>MAC Policy Entry Points</title>
     
     <para>Four classes of entry points are offered to policies
       registered with the framework: entry points associated with