libselinux: man: Fix man pages formatting

- Add man page sections '(N)' to external references, and '()' on
  functions described in the same man page.
- Escape minus signs when those are expected to be used on the command
  line or files.
- Mark files and variables in italic; Note headings, function names,
  constants, program options and man page references in bold.
- Do not justify and hyphenate SEE ALSO section, and avoid hyphenation
  on symbol names by prepending them with \%.
- Remove trailing dot from NAME section description.
- Split sections with a no-op command '.', to visually distinguish them
  but to avoid introducing spurious vertical space in the formatted
  output.
- Add explicit .sp commands in the SYNOPSIS section between function
  prototypes, and fix space placement in function protoypes.
- Split header includes with .br (instead of the explicit or implicit
  .sp) so that they are vertically contiguous.
- Add missing {} around SELINUXTYPE and POLICYTYPE variable text in
  paths.
- Remove unneeded formatting commands.
- Remove spurious blank lines.

Signed-off-by: Guillem Jover <guillem@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>

50 files changed, 1048 insertions, 855 deletions

diff --git a/libselinux/man/man3/avc_add_callback.3 b/libselinux/man/man3/avc_add_callback.3
index 9c83cac4..dbfe72d3 100644
--- a/libselinux/man/man3/avc_add_callback.3
+++ b/libselinux/man/man3/avc_add_callback.3
@@ -3,33 +3,35 @@
 .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004
 .TH "avc_add_callback" "3" "9 June 2004" "" "SELinux API documentation"
 .SH "NAME"
-avc_add_callback \- additional event notification for SELinux userspace object managers.
+avc_add_callback \- additional event notification for SELinux userspace object managers
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
-
+.br
 .B #include <selinux/avc.h>
 .sp
 .BI "int avc_add_callback(int (*" callback ")(uint32_t " event , 
 .in +\w'int avc_add_callback(int (*callback)('u
 .BI "security_id_t " ssid ,
-
+.br
 .BI "security_id_t " tsid ,
-
+.br
 .BI "security_class_t " tclass ,
-
+.br
 .BI "access_vector_t " perms ,
-
+.br
 .BI "access_vector_t *" out_retained "),"
 .in
 .in +\w'int avc_add_callback('u
 .BI "uint32_t " events ", security_id_t " ssid , 
-
+.br
 .BI "security_id_t " tsid ", security_class_t " tclass ,
-
+.br
 .BI "access_vector_t " perms ");"
 .in
+.
 .SH "DESCRIPTION"
-.B avc_add_callback
+.BR avc_add_callback ()
 is used to register callback functions on security events.  The purpose of this functionality is to allow userspace object managers to take additional action when a policy change, usually a policy reload, causes permissions to be granted or revoked.
 
 .I events
@@ -55,10 +57,14 @@ and will cause any SID to match.
 .I callback
 is the callback function provided by the userspace object manager.  The
 .I event
-argument indicates the security event which occured; the remaining arguments are interpreted according to the event as described below.  The return value of the callback should be zero on success, \-1 on error with errno set appropriately (but see
+argument indicates the security event which occured; the remaining arguments
+are interpreted according to the event as described below.  The return value
+of the callback should be zero on success, \-1 on error with
+.I errno
+set appropriately (but see
 .B RETURN VALUE
 below).
-
+.
 .SH "SECURITY EVENTS"
 In all cases below,
 .I ssid
@@ -69,7 +75,7 @@ may be set to
 indicating that the change applies to all source and/or target SID's.  Unless otherwise indicated, the
 .I out_retained
 parameter is unused.
-
+.
 .TP
 .B AVC_CALLBACK_GRANT
 Previously denied permissions are now granted for
@@ -142,10 +148,10 @@ should no longer be audited when denied for
 .I tsid
 with respect to
 .IR tclass .
-
+.
 .SH "RETURN VALUE"
 On success,
-.B avc_add_callback
+.BR avc_add_callback ()
 returns zero.  On error, \-1 is returned and
 .I errno
 is set appropriately.
@@ -157,25 +163,27 @@ on all further permission checks until
 is called.  In non-threaded mode, the permission check on which the error occurred will return \-1 and the value of 
 .I errno
 encountered to the caller.  In both cases, a log message is produced and the kernel may be notified of the error.
-
+.
 .SH "ERRORS"
 .TP
 .B ENOMEM
 An attempt to allocate memory failed.
-
+.
 .SH "NOTES"
 If the userspace AVC is running in threaded mode, callbacks registered via
-.B avc_add_callback
+.BR avc_add_callback ()
 may be executed in the context of the netlink handler thread.  This will likely introduce synchronization issues requiring the use of locks.  See
 .BR avc_init (3).
 
 Support for dynamic revocation and retained permissions is mostly unimplemented in the SELinux kernel module.  The only security event that currently gets excercised is
 .BR AVC_CALLBACK_RESET .
-
+.
 .SH "AUTHOR"
 Eamon Walsh <ewalsh@tycho.nsa.gov>
-
+.
 .SH "SEE ALSO"
+.ad l
+.nh
 .BR avc_init (3),
 .BR avc_has_perm (3),
 .BR avc_context_to_sid (3),
diff --git a/libselinux/man/man3/avc_cache_stats.3 b/libselinux/man/man3/avc_cache_stats.3
index 96f2b218..c00f090b 100644
--- a/libselinux/man/man3/avc_cache_stats.3
+++ b/libselinux/man/man3/avc_cache_stats.3
@@ -3,10 +3,11 @@
 .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004
 .TH "avc_cache_stats" "3" "27 May 2004" "" "SELinux API documentation"
 .SH "NAME"
-avc_cache_stats, avc_av_stats, avc_sid_stats \- obtain userspace SELinux AVC statistics.
+avc_cache_stats, avc_av_stats, avc_sid_stats \- obtain userspace SELinux AVC statistics
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
-
+.br
 .B #include <selinux/avc.h>
 .sp
 .BI "void avc_av_stats(void);"
@@ -14,15 +15,16 @@ avc_cache_stats, avc_av_stats, avc_sid_stats \- obtain userspace SELinux AVC sta
 .BI "void avc_sid_stats(void);"
 .sp
 .BI "void avc_cache_stats(struct avc_cache_stats *" stats ");"
+.
 .SH "DESCRIPTION"
 The userspace AVC maintains two internal hash tables, one to store security ID's and one to cache access decisions.
 
-.B avc_av_stats
+.BR avc_av_stats ()
 and
-.B avc_sid_stats
+.BR avc_sid_stats ()
 produce log messages indicating the status of the access decision and SID tables, respectively.  The messages contain the number of entries in the table, number of hash buckets and number of buckets used, and maximum number of entries in a single bucket.
 
-.B avc_cache_stats
+.BR avc_cache_stats ()
 populates a structure whose fields reflect cache activity:
 
 .RS
@@ -74,26 +76,28 @@ Number of cache misses.
 .TP
 .I cav_probes
 Number of entries examined while searching the cache.
-
+.
 .SH "NOTES"
 When the cache is flushed as a result of a call to
-.B avc_reset
+.BR avc_reset ()
 or a policy change notification,
 the statistics returned by
-.B avc_cache_stats
+.BR avc_cache_stats ()
 are reset to zero.  The SID table, however, is left
 unchanged.
 
 When a policy change notification is received, a call to
-.B avc_av_stats
+.BR avc_av_stats ()
 is made before the cache is flushed.
-
+.
 .SH "AUTHOR"
 Eamon Walsh <ewalsh@tycho.nsa.gov>
-
+.
 .SH "SEE ALSO"
+.ad l
+.nh
 .BR avc_init (3),
 .BR avc_has_perm (3),
 .BR avc_context_to_sid (3),
-.BR avc_add_callback (3)
+.BR avc_add_callback (3),
 .BR selinux (8)
diff --git a/libselinux/man/man3/avc_compute_create.3 b/libselinux/man/man3/avc_compute_create.3
index 52d09b54..ce615bf8 100644
--- a/libselinux/man/man3/avc_compute_create.3
+++ b/libselinux/man/man3/avc_compute_create.3
@@ -3,10 +3,11 @@
 .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
 .TH "avc_compute_create" "3" "30 Mar 2007" "" "SELinux API documentation"
 .SH "NAME"
-avc_compute_create, avc_compute_member \- obtain SELinux label for new object.
+avc_compute_create, avc_compute_member \- obtain SELinux label for new object
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
-
+.br
 .B #include <selinux/avc.h>
 .sp
 .BI "int avc_compute_create(security_id_t " ssid ", security_id_t " tsid ,
@@ -18,26 +19,27 @@ avc_compute_create, avc_compute_member \- obtain SELinux label for new object.
 .in +\w'int avc_compute_member('u
 .BI "security_class_t " tclass ", security_id_t *" newsid ");"
 .in
+.
 .SH "DESCRIPTION"
-.B avc_compute_create
+.BR avc_compute_create ()
 is used to compute a SID to use for labeling a new object in a particular class based on a SID pair.  This call is identical to
-.BR security_compute_create ,
+.BR security_compute_create (),
 but does not require converting from userspace SID's to contexts and back again.
 
-.B avc_compute_member
+.BR avc_compute_member ()
 is used to compute a SID to use for labeling a polyinstantiated object instance of a particular class based on a SID pair.  This call is identical to
-.BR security_compute_member ,
+.BR security_compute_member (),
 but does not require converting from userspace SID's to contexts and back again.
 
 These functions
 return a SID for the computed context in the memory referenced by
 .IR sid .
-
+.
 .SH "RETURN VALUE"
 On success, zero is returned.  On error, \-1 is returned and
 .I errno
 is set appropriately.
-
+.
 .SH "ERRORS"
 .TP
 .B EINVAL
@@ -48,14 +50,13 @@ and/or the security contexts referenced by
 and
 .I tsid
 are not recognized by the currently loaded policy.
-
 .TP
 .B ENOMEM
 An attempt to allocate memory failed.
-
+.
 .SH "AUTHOR"
 Eamon Walsh <ewalsh@tycho.nsa.gov>
-
+.
 .SH "SEE ALSO"
 .BR avc_init (3),
 .BR avc_context_to_sid (3),
diff --git a/libselinux/man/man3/avc_context_to_sid.3 b/libselinux/man/man3/avc_context_to_sid.3
index 1caf5ec5..e416b098 100644
--- a/libselinux/man/man3/avc_context_to_sid.3
+++ b/libselinux/man/man3/avc_context_to_sid.3
@@ -3,10 +3,11 @@
 .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004
 .TH "avc_context_to_sid" "3" "27 May 2004" "" "SELinux API documentation"
 .SH "NAME"
-avc_context_to_sid, avc_sid_to_context, avc_get_initial_sid \- obtain and manipulate SELinux security ID's.
+avc_context_to_sid, avc_sid_to_context, avc_get_initial_sid \- obtain and manipulate SELinux security ID's
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
-
+.br
 .B #include <selinux/avc.h>
 .sp
 .BI "int avc_context_to_sid(security_context_t " ctx ", security_id_t *" sid ");"
@@ -14,17 +15,17 @@ avc_context_to_sid, avc_sid_to_context, avc_get_initial_sid \- obtain and manipu
 .BI "int avc_sid_to_context(security_id_t " sid ", security_context_t *" ctx ");"
 .sp
 .BI "int avc_get_initial_sid(const char *" name ", security_id_t *" sid ");"
-.sp
+.
 .SH "DESCRIPTION"
 Security ID's (SID's) are opaque representations of security contexts, managed by the userspace AVC.
 
-.B avc_context_to_sid
+.BR avc_context_to_sid ()
 returns a SID for the given
 .I context
 in the memory referenced by
 .IR sid .
 
-.B avc_sid_to_context
+.BR avc_sid_to_context ()
 returns a copy of the context represented by
 .I sid
 in the memory referenced by
@@ -32,40 +33,41 @@ in the memory referenced by
 The user must free the copy with
 .BR freecon (3).
 
-.B avc_get_initial_sid
+.BR avc_get_initial_sid ()
 returns a SID for the kernel initial security identifier specified by 
 .IR name .
-
+.
 .SH "RETURN VALUE"
-.B avc_context_to_sid
+.BR avc_context_to_sid ()
 and
-.B avc_sid_to_context
+.BR avc_sid_to_context ()
 return zero on success.  On error, \-1 is returned and
 .I errno
 is set appropriately.
-
+.
 .SH "ERRORS"
 .TP
 .B ENOMEM
 An attempt to allocate memory failed.
-
 .SH "NOTES"
 As of libselinux version 2.0.86, SID's are no longer reference counted.  A SID will be valid from the time it is first obtained until the next call to
 .BR avc_destroy (3).
 The
-.B sidget
+.BR sidget (3)
 and
-.B sidput
+.BR sidput (3)
 functions, formerly used to adjust the reference count, are no-ops and are deprecated.
-
+.
 .SH "AUTHOR"
 Eamon Walsh <ewalsh@tycho.nsa.gov>
-
+.
 .SH "SEE ALSO"
+.ad l
+.nh
 .BR avc_init (3),
 .BR avc_has_perm (3),
 .BR avc_cache_stats (3),
 .BR avc_add_callback (3),
 .BR getcon (3),
-.BR freecon (3)
+.BR freecon (3),
 .BR selinux (8)
diff --git a/libselinux/man/man3/avc_has_perm.3 b/libselinux/man/man3/avc_has_perm.3
index 50f4d442..73539522 100644
--- a/libselinux/man/man3/avc_has_perm.3
+++ b/libselinux/man/man3/avc_has_perm.3
@@ -3,10 +3,11 @@
 .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004
 .TH "avc_has_perm" "3" "27 May 2004" "" "SELinux API documentation"
 .SH "NAME"
-avc_has_perm, avc_has_perm_noaudit, avc_audit, avc_entry_ref_init \- obtain and audit SELinux access decisions.
+avc_has_perm, avc_has_perm_noaudit, avc_audit, avc_entry_ref_init \- obtain and audit SELinux access decisions
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
-
+.br
 .B #include <selinux/avc.h>
 .sp
 .BI "void avc_entry_ref_init(struct avc_entry_ref *" aeref ");"
@@ -14,32 +15,33 @@ avc_has_perm, avc_has_perm_noaudit, avc_audit, avc_entry_ref_init \- obtain and
 .BI "int avc_has_perm(security_id_t " ssid ", security_id_t " tsid ,
 .in +\w'int avc_has_perm('u
 .BI "security_class_t " tclass ", access_vector_t " requested ,
-
+.br
 .BI "struct avc_entry_ref *" aeref ", void *" auditdata ");"
 .in
 .sp
 .BI "int avc_has_perm_noaudit(security_id_t " ssid ", security_id_t " tsid ,
 .in +\w'int avc_has_perm('u
 .BI "security_class_t " tclass ", access_vector_t " requested ,
-
+.br
 .BI "struct avc_entry_ref *" aeref ", struct av_decision *" avd ");"
 .in
 .sp
 .BI "void avc_audit(security_id_t " ssid ", security_id_t " tsid ,
 .in +\w'void avc_audit('u
 .BI "security_class_t " tclass ", access_vector_t " requested ,
-
+.br
 .BI "struct av_decision *" avd ", int " result ", void *" auditdata ");"
 .in
+.
 .SH "DESCRIPTION"
-.B avc_entry_ref_init
+.BR avc_entry_ref_init ()
 initializes an
 .B avc_entry_ref
 structure; see
 .B ENTRY REFERENCES
 below.  This function may be implemented as a macro.
 
-.B avc_has_perm
+.BR avc_has_perm ()
 checks whether the 
 .I requested
 permissions are granted
@@ -55,19 +57,19 @@ and updating
 if non-NULL, to refer to a cache entry with the resulting decision.  The granting or denial of permissions is audited in accordance with the policy.  The
 .I auditdata
 parameter is for supplemental auditing; see
-.B avc_audit
+.BR avc_audit ()
 below.
 
-.B avc_has_perm_noaudit
+.BR avc_has_perm_noaudit ()
 behaves as
-.B avc_has_perm
+.BR avc_has_perm ()
 without producing an audit message.  The access decision is returned in
 .I avd
 and can be passed to
-.B avc_audit
+.BR avc_audit ()
 explicitly.
 
-.B avc_audit
+.BR avc_audit ()
 produces an audit message for the access query represented by
 .IR ssid ,
 .IR tsid ,
@@ -77,7 +79,7 @@ and
 with a decision represented by
 .IR avd .
 Pass the value returned by
-.B avc_has_perm_noaudit
+.BR avc_has_perm_noaudit ()
 as
 .IR result .
 The
@@ -86,7 +88,7 @@ parameter is passed to the user-supplied
 .B func_audit
 callback and can be used to add supplemental information to the audit message; see
 .BR avc_init (3).
-
+.
 .SH "ENTRY REFERENCES"
 Entry references can be used to speed cache performance for repeated queries on the same subject and target.  The userspace AVC will check the
 .I aeref
@@ -97,14 +99,14 @@ will be updated to reference the cache entry for that query.  A subsequent query
 After declaring an
 .B avc_entry_ref
 structure, use
-.B avc_entry_ref_init
+.BR avc_entry_ref_init ()
 to initialize it before passing it to
-.B avc_has_perm
+.BR avc_has_perm ()
 or
-.B avc_has_perm_noaudit
+.BR \%avc_has_perm_noaudit ()
 for the first time.
 Using an uninitialized structure will produce undefined behavior.
-
+.
 .SH "RETURN VALUE"
 If requested permissions are granted, zero is returned.  If requested permissions are denied or an error occured, \-1 is returned and
 .I errno
@@ -113,9 +115,9 @@ is set appropriately.
 In permissive mode, zero will be returned and
 .I errno
 unchanged even if permissions were denied.
-.B avc_has_perm
+.BR avc_has_perm ()
 will still produce an audit message in this case.
-
+.
 .SH "ERRORS"
 .TP
 .B EACCES
@@ -132,7 +134,7 @@ are not recognized by the currently loaded policy.
 .TP
 .B ENOMEM
 An attempt to allocate memory failed.
-
+.
 .SH "NOTES"
 Internal errors encountered by the userspace AVC may cause certain values of
 .I errno
@@ -142,14 +144,16 @@ or
 .BR EINVAL .
 Make sure that userspace object managers are granted appropriate access to
 netlink by the policy.
-
+.
 .SH "AUTHOR"
 Eamon Walsh <ewalsh@tycho.nsa.gov>
-
+.
 .SH "SEE ALSO"
+.ad l
+.nh
 .BR avc_init (3),
 .BR avc_context_to_sid (3),
 .BR avc_cache_stats (3),
 .BR avc_add_callback (3),
-.BR security_compute_av (3)
-.BR selinux(8)
+.BR security_compute_av (3),
+.BR selinux (8)
diff --git a/libselinux/man/man3/avc_init.3 b/libselinux/man/man3/avc_init.3
index 331a6655..e26c3be6 100644
--- a/libselinux/man/man3/avc_init.3
+++ b/libselinux/man/man3/avc_init.3
@@ -3,37 +3,39 @@
 .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004
 .TH "avc_init" "3" "27 May 2004" "" "SELinux API documentation"
 .SH "NAME"
-avc_init - legacy userspace SELinux AVC setup.
+avc_init \- legacy userspace SELinux AVC setup
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
-
+.br
 .B #include <selinux/avc.h>
 .sp
 .BI "int avc_init(const char *" msgprefix , 
 .in +\w'int avc_init('u
 .BI "const struct avc_memory_callback *" mem_callbacks ,
-
+.br
 .BI "const struct avc_log_callback *" log_callbacks ,
-
+.br
 .BI "const struct avc_thread_callback *" thread_callbacks ,
-
+.br
 .BI "const struct avc_lock_callback *" lock_callbacks ");"
+.
 .SH "DESCRIPTION"
-.B avc_init
+.BR avc_init ()
 is deprecated; please use
 .BR avc_open (3)
 in conjunction with
 .BR selinux_set_callback (3)
 in all new code.
 
-.B avc_init
+.BR avc_init ()
 initializes the userspace AVC and must be called before any other AVC operation can be performed.  A non-NULL
 .I msgprefix
 will be prepended to all audit messages produced by the userspace AVC.  The default is `uavc'.  The remaining arguments, if non-NULL, specify callbacks to be used by the userspace AVC.
-
+.
 .SH "CALLBACKS"
 The userspace AVC can be directed how to perform memory allocation, logging, thread creation, and locking via callback functions passed to
-.BR avc_init .
+.BR avc_init ().
 The purpose of this functionality is to allow the userspace AVC to be smoothly integrated into existing userspace object managers.
 
 Use an
@@ -150,26 +152,26 @@ The
 callback should destroy
 .IR lock ,
 freeing any resources associated with it.  The default behavior is not to perform any locking.  Note that undefined behavior may result if threading is used without appropriate locking.
-
+.
 .SH "NETLINK NOTIFICATION"
 Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink.  Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively.  The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of
 .BR avc_has_perm (3)
 to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification.  Audit messages are produced when netlink notifications are processed.
 
 In the default single-threaded mode, the userspace AVC checks for new netlink messages at the start of each permission query.  If threading and locking callbacks are passed to
-.B avc_init
+.BR avc_init ()
 however, a dedicated thread will be started to listen on the netlink socket.  This may increase performance and will ensure that log messages are generated immediately rather than at the time of the next permission query.
-
+.
 .SH "RETURN VALUE"
 Functions with a return value return zero on success.  On error, \-1 is returned and
 .I errno
 is set appropriately.
-
+.
 .SH "NOTES"
 The
 .I msgprefix
 argument to
-.B avc_init
+.BR avc_init ()
 currently has a length limit of 15 characters and will be truncated if necessary.
 
 If a provided
@@ -184,12 +186,11 @@ If a netlink thread has been created and an error occurs on the socket (such as
 on all further permission checks until
 .B avc_destroy 
 is called.
-
+.
 .SH "AUTHOR"
 Eamon Walsh <ewalsh@tycho.nsa.gov>
-
+.
 .SH "SEE ALSO"
 .BR avc_open (3),
 .BR selinux_set_callback (3),
 .BR selinux (8)
-
diff --git a/libselinux/man/man3/avc_netlink_loop.3 b/libselinux/man/man3/avc_netlink_loop.3
index 785be4c3..c8268a12 100644
--- a/libselinux/man/man3/avc_netlink_loop.3
+++ b/libselinux/man/man3/avc_netlink_loop.3
@@ -5,24 +5,25 @@
 .SH "NAME"
 avc_netlink_open, avc_netlink_close, avc_netlink_acquire_fd,
 avc_netlink_release_fd, avc_netlink_check_nb, avc_netlink_loop \- SELinux
-netlink processing.
+netlink processing
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
-
+.br
 .B #include <selinux/avc.h>
 .sp
 .BI "int avc_netlink_open(int " blocking ");"
 .sp
-.BI "void avc_netlink_close(void);"
-.sp
-.BI "int avc_netlink_acquire_fd(void);"
+.B void avc_netlink_close(void);
 .sp
-.BI "void avc_netlink_release_fd(void);"
+.B int avc_netlink_acquire_fd(void);
 .sp
-.BI "void avc_netlink_loop(void);"
+.B void avc_netlink_release_fd(void);
 .sp
-.BI "int avc_netlink_check_nb(void);"
+.B void avc_netlink_loop(void);
 .sp
+.B int avc_netlink_check_nb(void);
+.
 .SH "DESCRIPTION"
 These functions enable applications to handle notification of SELinux events
 via netlink.  The userspace AVC normally checks for netlink messages on each
@@ -35,7 +36,7 @@ loop.  These functions also permit netlink monitoring without requiring a
 call to
 .BR avc_open (3).
 
-.B avc_netlink_open
+.BR avc_netlink_open ()
 opens a netlink socket to receive SELinux notifications.  The socket
 descriptor is stored internally; use
 .BR avc_netlink_acquire_fd (3)
@@ -45,38 +46,38 @@ argument controls whether the O_NONBLOCK flag is set on the socket descriptor.
 .BR avc_open (3)
 calls this function internally, specifying non-blocking behavior.
 
-.B avc_netlink_close
+.BR avc_netlink_close ()
 closes the netlink socket.  This function is called automatically by
 .BR avc_destroy (3).
 
-.B avc_netlink_acquire_fd
+.BR avc_netlink_acquire_fd ()
 returns the netlink socket descriptor number and informs the userspace AVC
 not to check the socket descriptor automatically on calls to
 .BR avc_has_perm (3).
 
-.B avc_netlink_release_fd
+.BR avc_netlink_release_fd ()
 returns control of the netlink socket to the userspace AVC, re-enabling
 automatic processing of notifications.
 
-.B avc_netlink_check_nb
+.BR avc_netlink_check_nb ()
 checks the netlink socket for pending messages and processes them.
 Callbacks for policyload and enforcing changes will be called;
 see
 .BR selinux_set_callback (3).
 This function does not block.
 
-.B avc_netlink_loop
+.BR avc_netlink_loop ()
 enters a loop blocking on the netlink socket and processing messages as they
 are received.  This function will not return unless an error occurs on
 the socket, in which case the socket is closed.
-
+.
 .SH "RETURN VALUE"
-.B avc_netlink_acquire_fd
+.BR avc_netlink_acquire_fd ()
 returns a non-negative file descriptor number on success.  Other functions
-with a return value return zero on success.  On error, -1 is returned and
+with a return value return zero on success.  On error, \-1 is returned and
 .I errno
 is set appropriately.
-
+.
 .SH "SEE ALSO"
 .BR avc_open (3),
 .BR selinux_set_callback (3),
diff --git a/libselinux/man/man3/avc_open.3 b/libselinux/man/man3/avc_open.3
index d1dab8fe..5b275a8e 100644
--- a/libselinux/man/man3/avc_open.3
+++ b/libselinux/man/man3/avc_open.3
@@ -3,10 +3,11 @@
 .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2008
 .TH "avc_open" "3" "12 Jun 2008" "" "SELinux API documentation"
 .SH "NAME"
-avc_open, avc_destroy, avc_reset, avc_cleanup \- userspace SELinux AVC setup and teardown.
+avc_open, avc_destroy, avc_reset, avc_cleanup \- userspace SELinux AVC setup and teardown
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
-
+.br
 .B #include <selinux/avc.h>
 .sp
 .BI "int avc_open(struct selinux_opt *" options ", unsigned " nopt ");"
@@ -16,49 +17,48 @@ avc_open, avc_destroy, avc_reset, avc_cleanup \- userspace SELinux AVC setup and
 .BI "int avc_reset(void);"
 .sp
 .BI "void avc_cleanup(void);"
+.
 .SH "DESCRIPTION"
-.B avc_open
+.BR avc_open ()
 initializes the userspace AVC and must be called before any other AVC operation can be performed.
 
-.B avc_destroy
+.BR avc_destroy ()
 destroys the userspace AVC, freeing all internal memory structures.  After this call has been made, 
-.B avc_open
+.BR avc_open ()
 must be called again before any AVC operations can be performed.
 
-.B avc_reset
+.BR avc_reset ()
 flushes the userspace AVC, causing it to forget any cached access decisions.  The userspace AVC normally calls this function automatically when needed, see
 .B NETLINK NOTIFICATION
 below.
 
-.B avc_cleanup
+.BR avc_cleanup ()
 attempts to free unused memory within the userspace AVC, but does not flush any cached access decisions.  Under normal operation, calling this function should not be necessary.
-
 .SH "OPTIONS"
 The userspace AVC obeys callbacks set via
 .BR selinux_set_callback (3),
 in particular the logging and audit callbacks.
 
 The options which may be passed to
-.B avc_open
+.BR avc_open ()
 include the following:
-
 .TP
 .B AVC_OPT_SETENFORCE
 This option forces the userspace AVC into enforcing mode if the option value is non-NULL; permissive mode otherwise.  The system enforcing mode will be ignored.
-
+.
 .SH "NETLINK NOTIFICATION"
 Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink.  Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively.  The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of
 .BR avc_has_perm (3)
 to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification.  Audit messages are produced when netlink notifications are processed.
-
+.
 .SH "RETURN VALUE"
 Functions with a return value return zero on success.  On error, \-1 is returned and
 .I errno
 is set appropriately.
-
+.
 .SH "AUTHOR"
 Eamon Walsh <ewalsh@tycho.nsa.gov>
-
+.
 .SH "SEE ALSO"
 .BR selinux (8),
 .BR avc_has_perm (3),
@@ -67,4 +67,3 @@ Eamon Walsh <ewalsh@tycho.nsa.gov>
 .BR avc_add_callback (3),
 .BR selinux_set_callback (3),
 .BR security_compute_av (3)
-
diff --git a/libselinux/man/man3/context_new.3 b/libselinux/man/man3/context_new.3
index 820f927f..02574457 100644
--- a/libselinux/man/man3/context_new.3
+++ b/libselinux/man/man3/context_new.3
@@ -1,61 +1,77 @@
 .TH "context_new" "3" "20 December 2011" "dwalsh@redhat.com" "SELinux API documentation"
 .SH "NAME"
 context_new, context_str, context_free, context_type_get, context_type_set, context_range_get, context_range_set,context_role_get, context_role_set, context_user_get, context_user_set \- Routines to manipulate SELinux security contexts
-
+.
 .SH "SYNOPSIS"
 .B #include <selinux/context.h>
-
+.sp
 .BI "context_t context_new(const char *" context_str );
-
+.sp
 .BI "const char * context_str(context_t " con );
-
+.sp
 .BI "void context_free(context_t " con );
-
+.sp
 .BI "const char * context_type_get(context_t " con );
-
+.sp
 .BI "const char * context_range_get(context_t " con );
-
+.sp
 .BI "const char * context_role_get(context_t " con );
-
+.sp
 .BI "const char * context_user_get(context_t " con );
-
+.sp
 .BI "int context_type_set(context_t " con ", const char *" type );
-
+.sp
 .BI "int context_range_set(context_t " con ", const char *" range );
-
+.sp
 .BI "int context_role_set(context_t " con ", const char *" role );
-
+.sp
 .BI "int context_user_set(context_t " con ", const char *" user );
-
+.
 .SH "DESCRIPTION"
 These functions allow an application to manipulate the fields of a
 security context string without requiring it to know the format of the
 string.
 
-context_new
- Return a new context initialized to a context string 
-
-context_str
- Return a pointer to the string value of the context_t
-Valid until the next call to context_str or context_free 
-for the same context_t*
-
-context_free
- Free the storage used by a context
-
-context_type_get, context_range_get, context_role_get, context_user_get
- Get a pointer to the string value of a context component
-
-.B NOTE: 
+.BR context_new ()
+returns a new context initialized to a context string.
+
+.BR context_str ()
+returns a pointer to the string value of the
+.BR context_t ,
+valid until the next call to
+.BR context_str ()
+or
+.BR context_free ()
+for the same
+.BR context_t* .
+
+.BR context_free ()
+frees the storage used by a context.
+
+.BR context_type_get (),
+.BR context_range_get (),
+.BR context_role_get (),
+.BR \%context_user_get ()
+get a pointer to the string value of a context component.
+
+.B Note:
 Values returned by the get functions are only valid until the next call 
-to a set function or context_free() for the same context_t structure.
-
-context_type_set, context_range_set, context_role_set, context_user_set
- Set a context component
-
+to a set function or
+.BR context_free ()
+for the same
+.B context_t
+structure.
+
+.BR context_type_set (),
+.BR context_range_set (),
+.BR context_role_set (),
+.BR \%context_user_set ()
+set a context component.
+.
 .SH "RETURN VALUE"
-On success, zero is returned. On failure, -1 is returned and errno is
-set appropriately.
-
+On success, zero is returned. On failure, \-1 is returned and
+.I errno
+is set appropriately.
+.
 .SH "SEE ALSO"
 .BR selinux "(8)"
diff --git a/libselinux/man/man3/get_ordered_context_list.3 b/libselinux/man/man3/get_ordered_context_list.3
index c3fa9566..63cba817 100644
--- a/libselinux/man/man3/get_ordered_context_list.3
+++ b/libselinux/man/man3/get_ordered_context_list.3
@@ -1,10 +1,10 @@
 .TH "get_ordered_context_list" "3" "1 January 2004" "russell@coker.com.au" "SELinux"
 .SH "NAME"
 get_ordered_context_list, get_ordered_context_list_with_level, get_default_context, get_default_context_with_level, get_default_context_with_role, get_default_context_with_rolelevel, query_user_context, manual_user_enter_context, get_default_role \- determine SELinux context(s) for user sessions
-
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
-
+.br
 .B #include <selinux/get_context_list.h>
 .sp
 .BI "int get_ordered_context_list(const char *" user ", security_context_t "fromcon ", security_context_t **" list );
@@ -15,66 +15,94 @@ get_ordered_context_list, get_ordered_context_list_with_level, get_default_conte
 .sp
 .BI "int get_default_context_with_level(const char *" user ", const char *" level ", security_context_t "fromcon ", security_context_t *" newcon );
 .sp
-.BI "int get_default_context_with_role(const char* " user ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon ");
+.BI "int get_default_context_with_role(const char *" user ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon ");
 .sp
-.BI "int get_default_context_with_rolelevel(const char* " user ", const char* " level ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon ");
+.BI "int get_default_context_with_rolelevel(const char *" user ", const char *" level ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon ");
 .sp
 .BI "int query_user_context(security_context_t *" list ", security_context_t *" newcon );
 .sp
 .BI "int manual_user_enter_context(const char *" user ", security_context_t *" newcon );
 .sp
 .BI "int get_default_type(const char *" role ", char **" type );
-
+.
 .SH "DESCRIPTION"
-.B get_ordered_context_list
+.BR get_ordered_context_list ()
 invokes the 
-.B security_compute_user
+.BR security_compute_user (3)
 function to obtain the list of contexts for the specified
 .I user
 that are reachable from the specified
 .I fromcon
 context.  The function then orders the resulting list based on the global
-.B /etc/selinux/<SELINUXTYPE>/contexts/default_contexts
+.I \%/etc/selinux/{SELINUXTYPE}/contexts/default_contexts
 file and the per-user
-.B /etc/selinux/<SELINUXTYPE>/contexts/users/<username>
+.I \%/etc/selinux/{SELINUXTYPE}/contexts/users/<username>
 file if it exists.  The 
 .I fromcon
 parameter may be NULL to indicate that the current context should
 be used.  The function returns the number of contexts in the
-list, or -1 upon errors.  The list must be freed using the
-.B freeconary
+list, or \-1 upon errors.  The list must be freed using the
+.BR freeconary (3)
 function.
 
-.B get_ordered_context_list_with_level
-invokes the get_ordered_context_list function and applies the specified level.
+.BR get_ordered_context_list_with_level ()
+invokes the
+.BR \%get_ordered_context_list ()
+function and applies the specified level.
 
-.B get_default_context
-is the same as get_ordered_context_list but only returns a single context
-which has to be freed with freecon.
+.BR get_default_context ()
+is the same as
+.BR get_ordered_context_list ()
+but only returns a single context
+which has to be freed with
+.BR freecon (3).
 
-.B get_default_context_with_level
-invokes the get_default_context function and applies the specified level.
+.BR get_default_context_with_level ()
+invokes the
+.BR get_default_context ()
+function and applies the specified level.
 
-.B get_default_context_with_role
-is the same as get_default_context but only returns a context with the specified role, returning -1 if no such context is reachable for the user.
+.BR get_default_context_with_role ()
+is the same as
+.BR get_default_context ()
+but only returns a context with the specified role, returning \-1 if no
+such context is reachable for the user.
 
-.B get_default_context_with_rolelevel
-invokes the get_default_context_with_role function and applies the specified level.
+.BR get_default_context_with_rolelevel ()
+invokes the
+.BR \%get_default_context_with_role ()
+function and applies the specified level.
 
-.B query_user_context
+.BR query_user_context ()
 takes a list of contexts, queries the user via stdin/stdout as to which context
 they want, and returns a new context as selected by the user (which has to be
-freed with freecon).
+freed with
+.BR freecon (3)).
 
-.B manual_user_enter_context
-allows the user to manually enter a context as a fallback if a list of authorized contexts could not be obtained. Caller must free via freecon.
-
-.B get_default_type
-Get the default type (domain) for 'role' and set 'type' to refer to it, which has to be freed with free.
+.BR manual_user_enter_context ()
+allows the user to manually enter a context as a fallback if a list of
+authorized contexts could not be obtained. Caller must free via
+.BR freecon (3).
 
+.BR get_default_type ()
+Get the default type (domain) for
+.I role
+and set
+.I type
+to refer to it, which has to be freed with free.
+.
 .SH "RETURN VALUE"
-get_ordered_context_list and get_ordered_context_list_with_level return the number of contexts in the list upon success or -1 upon errors.
-The other functions return 0 for success or -1 for errors.
-
+.BR get_ordered_context_list ()
+and
+.BR get_ordered_context_list_with_level ()
+return the number of contexts in the list upon success or \-1 upon errors.
+The other functions return 0 for success or \-1 for errors.
+.
 .SH "SEE ALSO"
-.BR selinux "(8), " freeconary "(3), " freecon "(3), " security_compute_av "(3)", getseuserbyname"(3)"
+.ad l
+.nh
+.BR selinux (8),
+.BR freeconary (3),
+.BR freecon (3),
+.BR security_compute_av (3),
+.BR getseuserbyname (3)
diff --git a/libselinux/man/man3/getcon.3 b/libselinux/man/man3/getcon.3
index c620c516..f1d3a7f6 100644
--- a/libselinux/man/man3/getcon.3
+++ b/libselinux/man/man3/getcon.3
@@ -1,78 +1,99 @@
 .TH "getcon" "3" "21 December 2011" "russell@coker.com.au" "SELinux API documentation"
 .SH "NAME"
-getcon, getprevcon, getpidcon \- get SELinux security context of a process.
+getcon, getprevcon, getpidcon \- get SELinux security context of a process
 
-freecon, freeconary \- free memory associated with SELinux security contexts.
+freecon, freeconary \- free memory associated with SELinux security contexts
 
-getpeercon - get security context of a peer socket.
+getpeercon \- get security context of a peer socket
 
-setcon - set current security context of a process.
+setcon \- set current security context of a process
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 .BI "int getcon(security_context_t *" context );
-
+.sp
 .BI "int getprevcon(security_context_t *" context );
-
+.sp
 .BI "int getpidcon(pid_t " pid ", security_context_t *" context );
-
-.BI "int getpeercon(int " fd ", security_context_t *" context);
-
+.sp
+.BI "int getpeercon(int " fd ", security_context_t *" context );
+.sp
 .BI "void freecon(security_context_t "con );
-
+.sp
 .BI "void freeconary(security_context_t *" con );
-
-.BI "int setcon(security_context_t " context);
-
+.sp
+.BI "int setcon(security_context_t " context );
+.
 .SH "DESCRIPTION"
-.B getcon
+.BR getcon ()
 retrieves the context of the current process, which must be free'd with
 freecon.
 
-.B getprevcon
+.BR getprevcon ()
 same as getcon but gets the context before the last exec.
 
-.B getpidcon
+.BR getpidcon ()
 returns the process context for the specified PID.
 
-.B getpeercon
-retrieves context of peer socket, and set *context to refer to it, which must be free'd with freecon.
+.BR getpeercon ()
+retrieves context of peer socket, and set
+.BI * context
+to refer to it, which must be free'd with
+.BR freecon ().
 
-.B freecon
+.BR freecon ()
 frees the memory allocated for a security context.
 
-.B freeconary
+.BR freeconary ()
 frees the memory allocated for a context array.
 
 If
 .I con
 is NULL, no operation is performed.
 
-.B setcon
+.BR setcon ()
 sets the current security context of the process to a new value.  Note
 that use of this function requires that the entire application be
 trusted to maintain any desired separation between the old and new
 security contexts, unlike exec-based transitions performed via
-setexeccon(3).  When possible, decompose your application and use
-setexeccon() and execve() instead.
+.BR setexeccon (3).
+When possible, decompose your application and use
+.BR setexeccon (3)
+and
+.BR execve (3)
+instead.
 
 Since access to file descriptors is revalidated upon use by SELinux,
 the new context must be explicitly authorized in the policy to use the
 descriptors opened by the old context if that is desired.  Otherwise,
 attempts by the process to use any existing descriptors (including
-stdin, stdout, and stderr) after performing the setcon() will fail.
-
-A multi-threaded application can perform a setcon() prior to creating
+.IR stdin ,
+.IR stdout ,
+and
+.IR stderr )
+after performing the
+.BR setcon ()
+will fail.
+
+A multi-threaded application can perform a
+.BR setcon ()
+prior to creating
 any child threads, in which case all of the child threads will inherit
-the new context.  However, setcon() will fail if there are any other
+the new context.  However,
+.BR setcon ()
+will fail if there are any other
 threads running in the same process.
 
-If the process was being ptraced at the time of the setcon()
+If the process was being ptraced at the time of the
+.BR setcon ()
 operation, ptrace permission will be revalidated against the new
-context and the setcon() will fail if it is not allowed by policy.
-
+context and the
+.BR setcon ()
+will fail if it is not allowed by policy.
+.
 .SH "RETURN VALUE"
-On error -1 is returned.  On success 0 is returned.
-
+On error \-1 is returned.  On success 0 is returned.
+.
 .SH "SEE ALSO"
 .BR selinux "(8), " setexeccon "(3)"
diff --git a/libselinux/man/man3/getexeccon.3 b/libselinux/man/man3/getexeccon.3
index 4b832a26..54fb873a 100644
--- a/libselinux/man/man3/getexeccon.3
+++ b/libselinux/man/man3/getexeccon.3
@@ -1,43 +1,58 @@
 .TH "getexeccon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
 .SH "NAME"
-getexeccon, setexeccon \- get or set the SELinux security context used for executing a new process.
+getexeccon, setexeccon \- get or set the SELinux security context used for executing a new process
 
 rpm_execcon \- run a helper for rpm in an appropriate security context
-
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 .BI "int getexeccon(security_context_t *" context );
-
+.sp
 .BI "int setexeccon(security_context_t "context );
-
+.sp
 .BI "int rpm_execcon(unsigned int " verified ", const char *" filename ", char *const " argv "[] , char *const " envp "[]);
-
+.
 .SH "DESCRIPTION"
-.B getexeccon
+.BR getexeccon ()
 retrieves the context used for executing a new process.
-This returned context should be freed with freecon if non-NULL.  
-getexeccon sets *con to NULL if no exec context has been explicitly 
+This returned context should be freed with
+.BR freecon (3)
+if non-NULL.
+.BR getexeccon ()
+sets
+.BI * context
+to NULL if no exec context has been explicitly
 set by the program (i.e. using the default policy behavior).
 
-.B setexeccon
-sets the context used for the next execve call.  
+.BR setexeccon ()
+sets the context used for the next
+.BR execve (2)
+call.
 NULL can be passed to
-setexeccon to reset to the default policy behavior.  
-The exec context is automatically reset after the next execve, so a
-program doesn't need to explicitly sanitize it upon startup.  
-
-
-setexeccon can be applied prior to library
-functions that internally perform an execve, e.g. execl*, execv*, popen,
+.BR setexeccon ()
+to reset to the default policy behavior.
+The exec context is automatically reset after the next
+.BR execve (2),
+so a program doesn't need to explicitly sanitize it upon startup.
+
+.BR setexeccon ()
+can be applied prior to library
+functions that internally perform an
+.BR execve (2),
+e.g.
+.BR execl *(3),
+.BR execv *(3),
+.BR popen (3),
 in order to set an exec context for that operation.  
 
-
-Note: Signal handlers that perform an execve must take care to
+.B Note:
+Signal handlers that perform an
+.BR execve (2)
+must take care to
 save, reset, and restore the exec context to avoid unexpected behavior.
 
-
-.B rpm_execcon
+.BR rpm_execcon ()
 runs a helper for rpm in an appropriate security context.  The
 verified parameter should contain the return code from the signature
 verification (0 == ok, 1 == notfound, 2 == verifyfail, 3 ==
@@ -46,15 +61,18 @@ the function.  The function determines the proper security context for
 the helper based on policy, sets the exec context accordingly, and
 then executes the specified filename with the provided argument and
 environment arrays.
-
-
+.
 .SH "RETURN VALUE"
-On error -1 is returned.
-
-On success getexeccon and setexeccon returns 0.
-rpm_execcon only returns upon errors, as it calls execve(2).
-
+On error \-1 is returned.
+
+On success
+.BR getexeccon ()
+and
+.BR setexeccon ()
+returns 0.
+.BR rpm_execcon ()
+only returns upon errors, as it calls
+.BR execve (2).
+.
 .SH "SEE ALSO"
 .BR selinux "(8), " freecon "(3), " getcon "(3)"
-
-
diff --git a/libselinux/man/man3/getfilecon.3 b/libselinux/man/man3/getfilecon.3
index 61b216f1..8605a0c6 100644
--- a/libselinux/man/man3/getfilecon.3
+++ b/libselinux/man/man3/getfilecon.3
@@ -1,42 +1,59 @@
 .TH "getfilecon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
 .SH "NAME"
 getfilecon, fgetfilecon, lgetfilecon \- get SELinux security context of a file
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 .BI "int getfilecon(const char *" path ", security_context_t *" con );
-
+.sp
 .BI "int lgetfilecon(const char *" path ", security_context_t *" con );
-
+.sp
 .BI "int fgetfilecon(int "fd ", security_context_t *" con );
+.
 .SH "DESCRIPTION"
-.B getfilecon
+.BR getfilecon ()
 retrieves the context associated with the given path in the file system, the
 length of the context is returned.
 
-.B lgetfilecon
-is identical to getfilecon, except in the case of a symbolic link, where the
+.BR lgetfilecon ()
+is identical to
+.BR getfilecon (),
+except in the case of a symbolic link, where the
 link itself is interrogated, not the file that it refers to.
 
-.B fgetfilecon
-is identical to getfilecon, only the open file pointed to by filedes (as
-returned by open(2)) is interrogated in place of path.
-
-
-The returned context should be freed with freecon if non-NULL.  
+.BR fgetfilecon ()
+is identical to
+.BR getfilecon (),
+only the open file pointed to by filedes (as returned by
+.BR open (2))
+is interrogated in place of path.
+
+The returned context should be freed with
+.BR freecon (3)
+if non-NULL.
+.
 .SH "RETURN VALUE"
 On success, a positive number is returned indicating the size of the
-extended attribute value. On failure, \-1 is returned and errno is  set
-appropriately.
+extended attribute value. On failure, \-1 is returned and
+.I errno
+is  set appropriately.
 
 If the context does not exist, or the process has no access to
-this attribute, errno is set to ENODATA.
-
-If extended attributes are not supported by the filesystem, or are dis\-
-abled, errno is set to ENOTSUP.
-
-The errors documented for the stat(2) system call are also applicable
-here.
-
+this attribute,
+.I errno
+is set to
+.BR ENODATA .
+
+If extended attributes are not supported by the filesystem, or are
+disabled,
+.I errno
+is set to
+.BR ENOTSUP .
+
+The errors documented for the
+.BR stat (2)
+system call are also applicable here.
+.
 .SH "SEE ALSO"
 .BR selinux "(8), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
diff --git a/libselinux/man/man3/getfscreatecon.3 b/libselinux/man/man3/getfscreatecon.3
index 474aa281..1b0f3d16 100644
--- a/libselinux/man/man3/getfscreatecon.3
+++ b/libselinux/man/man3/getfscreatecon.3
@@ -1,38 +1,47 @@
 .TH "getfscreatecon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
 .SH "NAME"
-getfscreatecon, setfscreatecon \- get or set the SELinux security context used for creating a new file system object.
-
+getfscreatecon, setfscreatecon \- get or set the SELinux security context used for creating a new file system object
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 .BI "int getfscreatecon(security_context_t *" con );
-
+.sp
 .BI "int setfscreatecon(security_context_t "context );
-
+.
 .SH "DESCRIPTION"
-.B getfscreatecon
+.BR getfscreatecon ()
 retrieves the context used for creating a new file system object.
-This returned context should be freed with freecon if non-NULL.  
-getfscreatecon sets *con to NULL if no fscreate context has been explicitly 
+This returned context should be freed with
+.BR freecon (3)
+if non-NULL.
+.BR getfscreatecon ()
+sets *con to NULL if no fscreate context has been explicitly
 set by the program (i.e. using the default policy behavior).
 
-.B setfscreatecon
+.BR setfscreatecon ()
 sets the context used for creating a new file system object.
 NULL can be passed to
-setfscreatecon to reset to the default policy behavior.  
-The fscreate context is automatically reset after the next execve, so a
-program doesn't need to explicitly sanitize it upon startup.  
-
-setfscreatecon can be applied prior to library
+.BR setfscreatecon ()
+to reset to the default policy behavior.
+The fscreate context is automatically reset after the next
+.BR execve (2),
+so a program doesn't need to explicitly sanitize it upon startup.
+
+.BR setfscreatecon ()
+can be applied prior to library
 functions that internally perform an file creation,
 in order to set an file context on the objects.
 
-
-Note: Signal handlers that perform an setfscreate must take care to
+.B Note:
+Signal handlers that perform a
+.BR setfscreatecon ()
+must take care to
 save, reset, and restore the fscreate context to avoid unexpected behavior.
+.
 .SH "RETURN VALUE"
-On error -1 is returned.
+On error \-1 is returned.
 On success 0 is returned.
-
+.
 .SH "SEE ALSO"
 .BR selinux "(8), " freecon "(3), " getcon "(3), " getexeccon "(3)"
diff --git a/libselinux/man/man3/getkeycreatecon.3 b/libselinux/man/man3/getkeycreatecon.3
index 3b594a00..709be512 100644
--- a/libselinux/man/man3/getkeycreatecon.3
+++ b/libselinux/man/man3/getkeycreatecon.3
@@ -1,38 +1,47 @@
-.TH "getkeycreatecon" "3" "9 September 2008" "dwalsh@redhat.com from russell@coker.com.au" "SELinux API documentation"
+.TH "getkeycreatecon" "3" "9 September 2008" "dwalsh@redhat.com" "SELinux API documentation"
 .SH "NAME"
-getkeycreatecon, setkeycreatecon \- get or set the SELinux security context used for creating a new kernel keyrings.
-
+getkeycreatecon, setkeycreatecon \- get or set the SELinux security context used for creating a new kernel keyrings
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 .BI "int getkeycreatecon(security_context_t *" con );
-
+.sp
 .BI "int setkeycreatecon(security_context_t "context );
-
+.
 .SH "DESCRIPTION"
-.B getkeycreatecon
+.BR getkeycreatecon ()
 retrieves the context used for creating a new kernel keyring.
-This returned context should be freed with freecon if non-NULL.  
-getkeycreatecon sets *con to NULL if no keycreate context has been explicitly 
+This returned context should be freed with
+.BR freecon (3)
+if non-NULL.
+.BR getkeycreatecon ()
+sets *con to NULL if no keycreate context has been explicitly
 set by the program (i.e. using the default policy behavior).
 
-.B setkeycreatecon
+.BR setkeycreatecon ()
 sets the context used for creating a new kernel keyring.
 NULL can be passed to
-setkeycreatecon to reset to the default policy behavior.  
-The keycreate context is automatically reset after the next execve, so a
-program doesn't need to explicitly sanitize it upon startup.  
-
-setkeycreatecon can be applied prior to library
+.BR setkeycreatecon ()
+to reset to the default policy behavior.
+The keycreate context is automatically reset after the next
+.BR execve (2),
+so a program doesn't need to explicitly sanitize it upon startup.
+
+.BR setkeycreatecon ()
+can be applied prior to library
 functions that internally perform an file creation,
 in order to set an file context on the objects.
 
-
-Note: Signal handlers that perform an setkeycreate must take care to
+.B Note:
+Signal handlers that perform a
+.BR setkeycreatecon ()
+must take care to
 save, reset, and restore the keycreate context to avoid unexpected behavior.
+.
 .SH "RETURN VALUE"
-On error -1 is returned.
+On error \-1 is returned.
 On success 0 is returned.
-
+.
 .SH "SEE ALSO"
 .BR selinux "(8), " freecon "(3), " getcon "(3), " getexeccon "(3)"
diff --git a/libselinux/man/man3/getseuserbyname.3 b/libselinux/man/man3/getseuserbyname.3
index 16303564..c231e65f 100644
--- a/libselinux/man/man3/getseuserbyname.3
+++ b/libselinux/man/man3/getseuserbyname.3
@@ -1,28 +1,33 @@
 .TH "getseuserbyname" "3" "29 September 2005" "dwalsh@redhat.com" "SELinux API documentation"
 .SH "NAME"
 getseuserbyname \- get SELinux username and level for a given Linux username
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 .BI "int getseuserbyname(const char *" linuxuser ", char **" selinuxuser ", char **" level ");
+.
 .SH "DESCRIPTION"
-.B getseuserbyname
+.BR getseuserbyname ()
 retrieves the SELinux username and security level associated with 
 a given Linux username.  The SELinux username and security level can
 then be passed to other libselinux functions such as 
-get_ordered_context_list_with_level and get_default_context_with_level.
-
-
+.BR \%get_ordered_context_list_with_level (3)
+and
+.BR \%get_default_context_with_level (3).
 
 The returned SELinux username and level should be freed by the caller
 using free.  
+.
 .SH "RETURN VALUE"
 On success, 0 is returned.
-On failure, \-1 is returned and errno is set appropriately.
-
-The errors documented for the stat(2) system call are also applicable
-here.
+On failure, \-1 is returned and
+.I errno
+is set appropriately.
 
+The errors documented for the
+.BR stat (2)
+system call are also applicable here.
+.
 .SH "SEE ALSO"
 .BR selinux "(8)"
-
diff --git a/libselinux/man/man3/getsockcreatecon.3 b/libselinux/man/man3/getsockcreatecon.3
index 24f2cc0e..8fb2061e 100644
--- a/libselinux/man/man3/getsockcreatecon.3
+++ b/libselinux/man/man3/getsockcreatecon.3
@@ -1,38 +1,47 @@
-.TH "getsockcreatecon" "3" "24 September 2008" "dwalsh@redhat.com from russell@coker.com.au" "SELinux API documentation"
+.TH "getsockcreatecon" "3" "24 September 2008" "dwalsh@redhat.com" "SELinux API documentation"
 .SH "NAME"
-getsockcreatecon, setsockcreatecon \- get or set the SELinux security context used for creating a new labeled sockets.
-
+getsockcreatecon, setsockcreatecon \- get or set the SELinux security context used for creating a new labeled sockets
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 .BI "int getsockcreatecon(security_context_t *" con );
-
+.sp
 .BI "int setsockcreatecon(security_context_t "context );
-
+.
 .SH "DESCRIPTION"
-.B getsockcreatecon
+.BR getsockcreatecon ()
 retrieves the context used for creating a new labeled network socket.
-This returned context should be freed with freecon if non-NULL.  
-getsockcreatecon sets *con to NULL if no sockcreate context has been explicitly 
+This returned context should be freed with
+.BR freecon (3)
+if non-NULL.
+.BR getsockcreatecon ()
+sets *con to NULL if no sockcreate context has been explicitly
 set by the program (i.e. using the default policy behavior).
 
-.B setsockcreatecon
+.BR setsockcreatecon ()
 sets the context used for creating a new labeled network sockets
 NULL can be passed to
-setsockcreatecon to reset to the default policy behavior.  
-The sockcreate context is automatically reset after the next execve, so a
-program doesn't need to explicitly sanitize it upon startup.  
-
-setsockcreatecon can be applied prior to library
+.BR setsockcreatecon ()
+to reset to the default policy behavior.
+The sockcreate context is automatically reset after the next
+.BR execve (2),
+so a program doesn't need to explicitly sanitize it upon startup.
+
+.BR setsockcreatecon ()
+can be applied prior to library
 functions that internally perform an file creation,
 in order to set an file context on the objects.
 
-
-Note: Signal handlers that perform an setsockcreate must take care to
+.B Note:
+Signal handlers that perform a
+.BR setsockcreatecon ()
+must take care to
 save, reset, and restore the sockcreate context to avoid unexpected behavior.
+.
 .SH "RETURN VALUE"
-On error -1 is returned.
+On error \-1 is returned.
 On success 0 is returned.
-
+.
 .SH "SEE ALSO"
 .BR selinux "(8), " freecon "(3), " getcon "(3)
diff --git a/libselinux/man/man3/init_selinuxmnt.3 b/libselinux/man/man3/init_selinuxmnt.3
index e70098b1..8466f9ff 100644
--- a/libselinux/man/man3/init_selinuxmnt.3
+++ b/libselinux/man/man3/init_selinuxmnt.3
@@ -1,28 +1,31 @@
 .TH "init_selinuxmnt" "3" "21 Nov 2009" "" "SELinux API documentation"
 .SH "NAME"
-init_selinuxmnt \- initialize the global variable selinux_mnt.
-
+init_selinuxmnt \- initialize the global variable selinux_mnt
+.
 .SH "SYNOPSIS"
 .BI "static void init_selinuxmnt(void);"
 .sp
 .BI "static void fini_selinuxmnt(void);"
 .sp
 .BI "void set_selinuxmnt(char *" mnt ");"
-
+.
 .SH "DESCRIPTION"
-.B init_selinuxmnt 
-initializes the global variable selinux_mnt to the selinuxfs mountpoint.
+.BR init_selinuxmnt ()
+initializes the global variable
+.I selinux_mnt
+to the selinuxfs mountpoint.
 
-.B fini_selinuxmnt
-deinitializes the global variable selinux_mnt that stores the selinuxfs
-mountpoint.
+.BR fini_selinuxmnt ()
+deinitializes the global variable
+.I selinux_mnt
+that stores the selinuxfs mountpoint.
 
-.B set_selinuxmnt
+.BR set_selinuxmnt ()
 changes the selinuxfs mountpoint to
-.I mnt. 
-
+.IR mnt .
+.
 .SH "AUTHOR"
 This manual page has been written by Guido Trentalancia <guido@trentalancia.com>
-
+.
 .SH "SEE ALSO"
 .BR selinux (8),
diff --git a/libselinux/man/man3/is_context_customizable.3 b/libselinux/man/man3/is_context_customizable.3
index d230ace6..0f748b62 100644
--- a/libselinux/man/man3/is_context_customizable.3
+++ b/libselinux/man/man3/is_context_customizable.3
@@ -1,25 +1,24 @@
 .TH "is_context_customizable" "3" "10 January 2005" "dwalsh@redhat.com" "SELinux API documentation"
 .SH "NAME"
-is_context_customizable \- check whether SELinux context type is customizable by the administrator.
+is_context_customizable \- check whether SELinux context type is customizable by the administrator
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
-.B int is_context_customizable(security_context_t scon);
-
+.BI "int is_context_customizable(security_context_t " scon );
+.
 .SH "DESCRIPTION"
-.B is_context_customizable
-
-This function checks whether the type of scon is in the /etc/selinux/SELINUXTYPE/context/customizable_types file.  A customizable type is a file context type that
+This function checks whether the type of scon is in the
+.I /etc/selinux/{SELINUXTYPE}/context/customizable_types
+file.  A customizable type is a file context type that
 administrators set on files, usually to allow certain domains to share the file content. restorecon and setfiles, by default, leave these context in place.
-
- 
+.
 .SH "RETURN VALUE"
-returns 1 if security context is customizable or 0 if it is not. 
-returns -1 on error
-
+Returns 1 if security context is customizable or 0 if it is not.
+Returns \-1 on error.
+.
 .SH "FILE"
-/etc/selinux/SELINUXTYPE/context/customizable_types
-
+.I /etc/selinux/{SELINUXTYPE}/context/customizable_types
+.
 .SH "SEE ALSO"
 .BR selinux "(8)"
-
diff --git a/libselinux/man/man3/is_selinux_enabled.3 b/libselinux/man/man3/is_selinux_enabled.3
index d744c0b7..f02052c4 100644
--- a/libselinux/man/man3/is_selinux_enabled.3
+++ b/libselinux/man/man3/is_selinux_enabled.3
@@ -1,24 +1,24 @@
 .TH "is_selinux_enabled" "3" "7 Mar 2010" "russell@coker.com.au" "SELinux API documentation"
 .SH "NAME"
 is_selinux_enabled \- check whether SELinux is enabled
-
+.
 .SH "NAME"
 is_selinux_mls_enabled \- check whether SELinux is enabled for (Multi Level Securty) MLS 
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 .B int is_selinux_enabled();
-
+.sp
 .B int is_selinux_mls_enabled();
-
+.
 .SH "DESCRIPTION"
-.B is_selinux_enabled
+.BR is_selinux_enabled ()
 returns 1 if SELinux is running or 0 if it is not. 
 On error, \-1 is returned.
 
-.B is_selinux_mls_enabled
+.BR is_selinux_mls_enabled ()
 returns 1 if SELinux is running in MLS mode or 0 if it is not. 
-
+.
 .SH "SEE ALSO"
 .BR selinux "(8)"
-
diff --git a/libselinux/man/man3/matchmediacon.3 b/libselinux/man/man3/matchmediacon.3
index 1a3a5618..f77ab5e9 100644
--- a/libselinux/man/man3/matchmediacon.3
+++ b/libselinux/man/man3/matchmediacon.3
@@ -1,26 +1,30 @@
 .TH "matchmediacon" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API documentation"
 .SH "NAME"
-matchmediacon \- get the default SELinux security context for the specified mediatype from the policy.
-
+matchmediacon \- get the default SELinux security context for the specified mediatype from the policy
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
-.BI "int matchmediacon(const char *" media ", security_context_t *" con);"
-
-
+.BI "int matchmediacon(const char *" media ", security_context_t *" con );
+.
 .SH "DESCRIPTION"
-
-.B matchmediacon 
-matches the specified media type with the media contexts configuration and sets the security context "con" to refer to the resulting context. 
+.BR matchmediacon ()
+matches the specified media type with the media contexts configuration and
+sets the security context
+.I con
+to refer to the resulting context.
 .sp
-
-.B Note: 
-   Caller must free returned security context "con" using freecon.
+.B Note:
+Caller must free returned security context
+.I con
+using
+.BR freecon (3).
+.
 .SH "RETURN VALUE"
-Returns 0 on success or -1 otherwise.
-
+Returns 0 on success or \-1 otherwise.
+.
 .SH Files
-/etc/selinux/POLICYTYPE/contexts/files/media
-
+.I /etc/selinux/{POLICYTYPE}/contexts/files/media
+.
 .SH "SEE ALSO"
 .BR selinux "(8), " freecon "(3)
diff --git a/libselinux/man/man3/matchpathcon.3 b/libselinux/man/man3/matchpathcon.3
index cdbb2526..4c320abd 100644
--- a/libselinux/man/man3/matchpathcon.3
+++ b/libselinux/man/man3/matchpathcon.3
@@ -1,65 +1,59 @@
 .TH "matchpathcon" "3" "21 November 2009" "sds@tycho.nsa.gov" "SELinux API documentation"
 .SH "NAME"
-matchpathcon, matchpathcon_index \- get the default SELinux security context for the specified path from the file contexts configuration.
-
+matchpathcon, matchpathcon_index \- get the default SELinux security context for the specified path from the file contexts configuration
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
-
 .BI "int matchpathcon_init(const char *" path ");"
-
+.sp
 .BI "int matchpathcon_init_prefix(const char *" path ", const char *" subset ");"
-
+.sp
 .BI "int matchpathcon_fini(void);"
 .sp
-
 .BI "int matchpathcon(const char *" path ", mode_t " mode ", security_context_t *" con ");
 .sp
-
-.BI "int matchpathcon_index(const char *" name ", mode_t " mode ", security_context_t * " con ");"
-
+.BI "int matchpathcon_index(const char *" name ", mode_t " mode ", security_context_t *" con ");"
+.
 .SH "DESCRIPTION"
-.B matchpathcon_init
+.BR matchpathcon_init ()
 loads the file contexts configuration specified by
 .I path
 into memory for use by subsequent 
-.B matchpathcon 
+.BR matchpathcon ()
 calls.  If
 .I path
 is NULL, then the active file contexts configuration is loaded by default,
 i.e. the path returned by 
-.B selinux_file_context_path(3).
+.BR selinux_file_context_path (3).
 Unless the 
 .B MATCHPATHCON_BASEONLY 
 flag has been set via 
-.B set_matchpathcon_flags(3),
+.BR \%set_matchpathcon_flags (3),
 files with the same path prefix but a 
-.B .homedirs
+.B \%.homedirs
 and
 .B .local
 suffix are also looked up and loaded if present.  These files provide
 dynamically generated entries for user home directories and for local
 customizations.
 
-.sp
-.B matchpathcon_init_prefix
+.BR matchpathcon_init_prefix ()
 is the same as
-.B matchpathcon_init
+.BR matchpathcon_init ()
 but only loads entries with regular expressions that have stems prefixed
 by
-.I prefix.
+.I \%prefix.
 
-.sp
-.B matchpathcon_fini
+.BR matchpathcon_fini ()
 frees the memory allocated by a prior call to
-.B matchpathcon_init.
+.BR matchpathcon_init. ()
 This function can be used to free and reset the internal state between multiple 
-.B matchpathcon_init 
+.BR matchpathcon_init ()
 calls, or to free memory when finished using 
-.B matchpathcon.
+.BR matchpathcon ().
 
-.sp
-.B matchpathcon 
+.BR matchpathcon ()
 matches the specified pathname and mode against the file contexts
 configuration and sets the security context 
 .I con 
@@ -67,7 +61,7 @@ to refer to the
 resulting context. The caller must free the returned security context 
 .I con
 using
-.B freecon(3)
+.BR freecon (3)
 when finished using it.
 .I mode
 can be 0 to disable mode matching, but
@@ -76,23 +70,23 @@ Only the file format bits (i.e. the file type) of the
 .I mode 
 are used.
 If 
-.B matchpathcon_init
+.BR matchpathcon_init ()
 has not already been called, then this function will call it upon
 its first invocation with a NULL
 .I path,
 defaulting to the active file contexts configuration.
-.sp
 
-.B matchpathcon_index
+.BR matchpathcon_index ()
 is the same as
-.B matchpathcon
+.BR matchpathcon ()
 but returns a specification index that can later be used in a
-.B matchpathcon_filespec_add(3)
+.BR matchpathcon_filespec_add (3)
 call.
-.sp
-
+.
 .SH "RETURN VALUE"
 Returns zero on success or \-1 otherwise.
-
+.
 .SH "SEE ALSO"
+.ad l
+.nh
 .BR selinux "(8), " set_matchpathcon_flags "(3), " set_matchpathcon_invalidcon "(3), " set_matchpathcon_printf "(3), " matchpathcon_filespec_add "(3), " matchpathcon_checkmatches "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
diff --git a/libselinux/man/man3/matchpathcon_checkmatches.3 b/libselinux/man/man3/matchpathcon_checkmatches.3
index 47ee94c9..6bbee44a 100644
--- a/libselinux/man/man3/matchpathcon_checkmatches.3
+++ b/libselinux/man/man3/matchpathcon_checkmatches.3
@@ -1,33 +1,30 @@
 .TH "matchpathcon_checkmatches" "3" "21 November 2009" "sds@tycho.nsa.gov" "SELinux API documentation"
 .SH "NAME"
-matchpathcon_checkmatches, matchpathcon_filespec_add, matchpathcon_filespec_destroy, matchpathcon_filespec_eval \- check and report whether any specification index has no matches with any inode. Maintenance and statistics on inode associations.
-
+matchpathcon_checkmatches, matchpathcon_filespec_add, matchpathcon_filespec_destroy, matchpathcon_filespec_eval \- check and report whether any specification index has no matches with any inode. Maintenance and statistics on inode associations
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
-
 .BI "void matchpathcon_checkmatches(char *" str ");"
 .sp
-
 .BI "int matchpathcon_filespec_add(ino_t " ino ", int " specind ", const char *" file ");"
-
+.sp
 .BI "void matchpathcon_filespec_destroy(void);"
-
+.sp
 .BI "void matchpathcon_filespec_eval(void);"
-
+.
 .SH "DESCRIPTION"
-.B matchpathcon_checkmatches
+.BR matchpathcon_checkmatches ()
 checks whether any specification has no matches and reports them.
 The
 .I str
 argument is used as a prefix for any warning messages.
 .sp
-
-.B matchpathcon_filespec_add
+.BR matchpathcon_filespec_add ()
 maintains an association between an inode
 .I ino
 and a specification index
-.I specind,
+.IR specind ,
 and checks whether a conflicting specification is already associated
 with the same inode (e.g. due to multiple hard links). If so, then
 it uses the latter of the two specifications based on their order in the 
@@ -35,18 +32,17 @@ it uses the latter of the two specifications based on their order in the
 context configuration. Returns the specification index used or \-1 on
 error.
 .sp
-
-.B matchpathcon_filespec_destroy
+.BR matchpathcon_filespec_destroy ()
 destroys any inode associations that have been added, e.g. to restart
 for a new filesystem.
 .sp
-
-.B matchpathcon_filespec_eval
+.BR matchpathcon_filespec_eval ()
 displays statistics on the hash table usage for the inode associations.
-
-.sp
+.
 .SH "RETURN VALUE"
 Returns zero on success or \-1 otherwise.
-
+.
 .SH "SEE ALSO"
+.ad l
+.nh
 .BR selinux "(8), " matchpathcon "(3), " matchpathcon_index "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
diff --git a/libselinux/man/man3/security_check_context.3 b/libselinux/man/man3/security_check_context.3
index af55f060..60d571d5 100644
--- a/libselinux/man/man3/security_check_context.3
+++ b/libselinux/man/man3/security_check_context.3
@@ -1,16 +1,16 @@
 .TH "security_check_context" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
 .SH "NAME"
 security_check_context \- check the validity of a SELinux context
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 .BI "int security_check_context(security_context_t "con );
-
+.
 .SH "DESCRIPTION"
-.B security_check_context
+.BR security_check_context ()
 returns 0 if SELinux is running and the context is valid, otherwise it
-returns -1.
-
+returns \-1.
+.
 .SH "SEE ALSO"
 .BR selinux "(8)"
-
diff --git a/libselinux/man/man3/security_class_to_string.3 b/libselinux/man/man3/security_class_to_string.3
index e82e1d81..0e9f01df 100644
--- a/libselinux/man/man3/security_class_to_string.3
+++ b/libselinux/man/man3/security_class_to_string.3
@@ -5,17 +5,17 @@
 .SH "NAME"
 security_class_to_string, security_av_perm_to_string, string_to_security_class, string_to_av_perm, security_av_string, mode_to_security_class \- convert
 between SELinux class and permission values and string names.
-
+.
 print_access_vector \- display an access vector in human-readable form. 
-
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
-
+.br
 .B #include <selinux/flask.h>
 .sp
-.BI "const char * security_class_to_string(security_class_t " tclass ");"
+.BI "const char *security_class_to_string(security_class_t " tclass ");"
 .sp
-.BI "const char * security_av_perm_to_string(security_class_t " tclass ", access_vector_t " av ");"
+.BI "const char *security_av_perm_to_string(security_class_t " tclass ", access_vector_t " av ");"
 .sp
 .BI "int security_av_string(security_class_t " tclass ", access_vector_t " av ", char **" result ");"
 .sp
@@ -26,21 +26,21 @@ print_access_vector \- display an access vector in human-readable form.
 .BI "access_vector_t string_to_av_perm(security_class_t " tclass ", const char *" name ");"
 .sp
 .BI "void print_access_vector(security_class_t " tclass ", access_vector_t " av ");"
-
+.
 .SH "DESCRIPTION"
-.B security_class_to_string
+.BR security_class_to_string ()
 returns a string name for class
 .IR tclass ,
 or NULL if the class is invalid.  The returned string must not be modified or freed.
 
-.B security_av_perm_to_string
+.BR security_av_perm_to_string ()
 returns a string name for the access vector bit
 .I av
 of class
 .IR tclass ,
 or NULL if either argument is invalid.  The returned string must not be modified or freed.
 
-.B security_av_string
+.BR security_av_string ()
 computes a full access vector string representation using
 .I tclass
 and
@@ -50,35 +50,35 @@ which may have multiple bits set.  The string is returned in the memory pointed
 and should be freed by the caller using
 .BR free (3).
 
-.B string_to_security_class
+.BR string_to_security_class ()
 returns the class value corresponding to the string name
 .IR name ,
 or zero if no such class exists.
 
-.B mode_to_security_class
+.BR mode_to_security_class ()
 returns the class value corresponding to the specified 
 .IR mode ,
 or zero if no such class exists.
 
-.B string_to_av_perm
+.BR string_to_av_perm ()
 returns the access vector bit corresponding to the string name
 .I name
 and security class
 .IR tclass ,
 or zero if no such value exists.
 
-.B print_access_vector
+.BR print_access_vector ()
 displays an access vector in human-readable form on the standard output
 stream.
-
+.
 .SH "RETURN VALUE"
-.B security_av_string
+.BR security_av_string ()
 returns zero on success or \-1 on error with
 .I errno
 set appropriately.
-.B print_access_vector
+.BR print_access_vector ()
 does not return a value. All other functions return zero or NULL on error.
-
+.
 .SH "ERRORS"
 .TP
 .B EINVAL
@@ -87,10 +87,10 @@ A class or access vector argument is not recognized by the currently loaded poli
 .TP
 .B ENOMEM
 An attempt to allocate memory failed.
-
+.
 .SH "AUTHOR"
 Eamon Walsh <ewalsh@tycho.nsa.gov>
-
+.
 .SH "SEE ALSO"
 .BR selinux (8),
 .BR getcon (3),
diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
index 468831a6..6034019a 100644
--- a/libselinux/man/man3/security_compute_av.3
+++ b/libselinux/man/man3/security_compute_av.3
@@ -2,11 +2,11 @@
 .SH "NAME"
 security_compute_av, security_compute_av_flags, security_compute_create, security_compute_create_name, security_compute_relabel,
 security_compute_member, security_compute_user, security_get_initial_context \- query
-the SELinux policy database in the kernel.
-
+the SELinux policy database in the kernel
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
-
+.br
 .B #include <selinux/flask.h>
 .sp
 .BI "int security_compute_av(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", access_vector_t "requested ", struct av_decision *" avd );
@@ -23,91 +23,90 @@ the SELinux policy database in the kernel.
 .sp
 .BI "int security_compute_user(security_context_t "scon ", const char *" username ", security_context_t **" con );
 .sp
-.BI "int security_get_initial_context(const char *" name ", security_context_t
-"con );
+.BI "int security_get_initial_context(const char *" name ", security_context_t " con );
 .sp
-.BI "int selinux_check_access(const security_context_t " scon, " const security_context_t " tcon, " const char *" class, " const char *" perm, "void *" auditdata);
+.BI "int selinux_check_access(const security_context_t " scon ", const security_context_t " tcon ", const char *" class ", const char *" perm ", void *" auditdata);
 .sp
 .BI "int selinux_check_passwd_access(access_vector_t " requested );
 .sp
 .BI "int checkPasswdAccess(access_vector_t " requested );
-
+.
 .SH "DESCRIPTION"
-.B security_compute_av
+.BR security_compute_av ()
 queries whether the policy permits the source context
-.B scon
+.I scon
 to access the target context
-.B tcon
+.I tcon
 via class
-.B tclass
+.I tclass
 with the
-.B requested
+.I requested
 access vector.  The decision is returned in
-.BR avd .
+.IR avd .
 
-.B security_compute_av_flags
+.BR security_compute_av_flags ()
 is identical to
 .B security_compute_av
 but additionally sets the
-.B flags
+.I flags
 field of
-.BR avd .
+.IR avd .
 Currently one flag is supported:
 .BR SELINUX_AVD_FLAGS_PERMISSIVE ,
 which indicates the decision is computed on a permissive domain.
 
-.B security_compute_create
+.BR security_compute_create ()
 is used to compute a context to use for labeling a new object in a particular
 class based on a SID pair.
 
-.B security_compute_create_name
+.BR security_compute_create_name ()
 is identical to
-.B security_compute_create
+.BR \%security_compute_create ()
 but also takes name of the new object in creation as an argument.
 When
-.BR TYPE_TRANSITION
+.B TYPE_TRANSITION
 rule on the given class and a SID pair has object name extension,
 we shall be able to obtain a correct
-.BR newcon
+.I newcon
 according to the security policy. Note that this interface is only
 supported on the linux 2.6.40 or later.
 In the older kernel, the object name will be simply ignored.
 
-.B security_compute_relabel
+.BR security_compute_relabel ()
 is used to compute the new context to use when relabeling an object, it is used
 in the pam_selinux.so source and the newrole source to determine the correct
 label for the tty at login time, but can be used for other things.
 
-.B security_compute_member
+.BR security_compute_member ()
 is used to compute the context to use when labeling a polyinstantiated object
 instance.
 
-.B security_compute_user
+.BR security_compute_user ()
 is used to determine the set of user contexts that can be reached from a
 source context. It is mainly used by
-.B get_ordered_context_list.
+.BR get_ordered_context_list ().
 
-.B security_get_initial_context
+.BR security_get_initial_context ()
 is used to get the context of a kernel initial security identifier specified by 
 .I name
 
-.B selinux_check_access
+.BR selinux_check_access ()
 is used to check if the source context has the access permission for the specified class on the target context.
 
-.B selinux_check_passwd_access
+.BR selinux_check_passwd_access ()
 is used to check for a permission in the
 .I passwd
 class.
-.B selinux_check_passwd_access
+.BR selinux_check_passwd_access ()
 uses getprevcon() for the source and target security contexts.
 
-.B checkPasswdAccess
+.BR checkPasswdAccess ()
 is a deprecated alias of the
-.B selinux_check_passwd_access
+.BR selinux_check_passwd_access ()
 function.
-
+.
 .SH "RETURN VALUE"
 Returns zero on success or \-1 on error.
-
+.
 .SH "SEE ALSO"
 .BR selinux "(8), " getcon "(3), " getfilecon "(3), " get_ordered_context_list "(3)"
diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3
index 6725bdec..aeb78da2 100644
--- a/libselinux/man/man3/security_disable.3
+++ b/libselinux/man/man3/security_disable.3
@@ -1,28 +1,30 @@
 .TH "security_disable" "3" "21 Nov 2009" "" "SELinux API documentation"
 .SH "NAME"
-security_disable \- disable the SELinux kernel code at runtime.
-
+security_disable \- disable the SELinux kernel code at runtime
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 .BI "int security_disable(void);"
-
+.
 .SH "DESCRIPTION"
-.B security_disable
-disables the SELinux kernel code, unregisters selinuxfs from /proc/filesystems,
-and then unmounts /selinux.
+.BR security_disable ()
+disables the SELinux kernel code, unregisters selinuxfs from
+.IR /proc/filesystems ,
+and then unmounts
+.IR /selinux .
 .sp
 This function can only be called at runtime and prior to the initial policy
 load. After the initial policy load, the SELinux kernel code cannot be disabled,
 but only placed in "permissive" mode by using
-.B setenforce(1).
-
+.BR setenforce (1).
+.
 .SH "RETURN VALUE"
-.B security_disable
+.BR security_disable ()
 returns zero on success or \-1 on error.
-
+.
 .SH "AUTHOR"
 This manual page has been written by Guido Trentalancia <guido@trentalancia.com>
-
+.
 .SH "SEE ALSO"
 .BR selinux (8), " setenforce "(3)
diff --git a/libselinux/man/man3/security_getenforce.3 b/libselinux/man/man3/security_getenforce.3
index 86771b5f..7658014a 100644
--- a/libselinux/man/man3/security_getenforce.3
+++ b/libselinux/man/man3/security_getenforce.3
@@ -1,29 +1,29 @@
 .TH "security_getenforce" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
 .SH "NAME"
 security_getenforce, security_setenforce, security_deny_unknown \- get or set the enforcing state of SELinux
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 .B int security_getenforce(void);
-
+.sp
 .BI "int security_setenforce(int "value );
-
+.sp
 .B int security_deny_unknown(void);
-
+.
 .SH "DESCRIPTION"
-.B security_getenforce
+.BR security_getenforce ()
 returns 0 if SELinux is running in permissive mode, 1 if it is running in
-enforcing mode, and -1 on error.
+enforcing mode, and \-1 on error.
 
-.B security_setenforce
+.BR security_setenforce ()
 sets SELinux to enforcing mode if the value 1 is passed in, and sets it to
-permissive mode if 0 is passed in.  On success 0 is returned, on error -1 is
+permissive mode if 0 is passed in.  On success 0 is returned, on error \-1 is
 returned.
 
-.B security_deny_unknown
+.BR security_deny_unknown ()
 returns 0 if SELinux treats policy queries on undefined object classes or
-permissions as being allowed, 1 if such queries are denied, and -1 on error.
-
+permissions as being allowed, 1 if such queries are denied, and \-1 on error.
+.
 .SH "SEE ALSO"
 .BR selinux "(8)"
-
diff --git a/libselinux/man/man3/security_load_booleans.3 b/libselinux/man/man3/security_load_booleans.3
index 40e91bcc..3dc963d9 100644
--- a/libselinux/man/man3/security_load_booleans.3
+++ b/libselinux/man/man3/security_load_booleans.3
@@ -3,6 +3,7 @@
 security_load_booleans, security_set_boolean, security_commit_booleans, 
 security_get_boolean_names, security_get_boolean_active,
 security_get_boolean_pending \- routines for manipulating SELinux boolean values
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
@@ -19,10 +20,8 @@ security_get_boolean_pending \- routines for manipulating SELinux boolean values
 .BI "int security_set_boolean_list(size_t " boolcnt ", SELboolean *" boollist ", int " permanent ");"
 .sp
 .BI "int security_commit_booleans(void);"
-
-
+.
 .SH "DESCRIPTION"
-
 The SELinux policy can include conditional rules that are enabled or
 disabled based on the current values of a set of policy booleans.
 These policy booleans allow runtime modification of the security
@@ -31,41 +30,37 @@ policy without having to load a new policy.
 The SELinux API allows for a transaction based update. So you can
 set several boolean values and then commit them all at once.
 
-.B security_load_booleans
-
+.BR security_load_booleans ()
 loads policy boolean settings. Path may be NULL, in which case the
 booleans are loaded from the active policy boolean configuration file.
 
-.B security_get_boolean_names
-
+.BR security_get_boolean_names ()
 provides a list of boolean names, currently supported by the loaded policy.
 
-.B security_get_boolean_pending
-
+.BR security_get_boolean_pending ()
 returns the pending value for boolean or \-1 on failure.
 
-.B security_get_boolean_active
-
+.BR security_get_boolean_active ()
 returns the active value for boolean or \-1 on failure.
 
-.B security_set_boolean 
-
+.BR security_set_boolean ()
 sets the pending value for boolean 
 
-.B security_set_boolean_list
-
+.BR security_set_boolean_list ()
 saves a list of booleans in a single transaction.
 
-.B security_commit_booleans
-
+.BR security_commit_booleans ()
 commits all pending values for the booleans.
-
+.
 .SH "RETURN VALUE"
 Where not otherwise stated, functions described in this manual page return
 zero on success or \-1 on error. 
-
+.
 .SH AUTHOR	
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-
+.
 .SH "SEE ALSO"
-selinux(8), getsebool(8), booleans(8), togglesebool(8)
+.BR selinux (8),
+.BR getsebool (8),
+.BR booleans (8),
+.BR togglesebool (8)
diff --git a/libselinux/man/man3/security_load_policy.3 b/libselinux/man/man3/security_load_policy.3
index 163503eb..c4439bfe 100644
--- a/libselinux/man/man3/security_load_policy.3
+++ b/libselinux/man/man3/security_load_policy.3
@@ -1,7 +1,7 @@
 .TH "security_load_policy" "3" "3 November 2009" "guido@trentalancia.com" "SELinux API documentation"
 .SH "NAME"
 security_load_policy \- load a new SELinux policy
-
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
@@ -10,15 +10,15 @@ security_load_policy \- load a new SELinux policy
 .BI "int selinux_mkload_policy(int " preservebools ");"
 .sp
 .BI "int selinux_init_load_policy(int *" enforce ");"
-
+.
 .SH "DESCRIPTION"
-.B security_load_policy
+.BR security_load_policy ()
 loads a new policy, returns 0 for success and \-1 for error.
 
-.B selinux_mkload_policy
+.BR selinux_mkload_policy ()
 makes a policy image and loads it. This function provides a higher level
 interface for loading policy than
-.B security_load_policy,
+.BR \%security_load_policy (),
 internally determining the right policy version, locating and opening
 the policy file, mapping it into memory, manipulating it as needed for
 current boolean settings and/or local definitions, and then calling
@@ -29,7 +29,7 @@ be preserved into the new policy (if 1) or reset to the saved policy
 settings (if 0). The former case is the default for policy reloads, while
 the latter case is an option for policy reloads but is primarily used for
 the initial policy load.
-.B selinux_init_load_policy
+.BR selinux_init_load_policy ()
 performs the initial policy load. This function determines the desired
 enforcing mode, sets the
 .I enforce
@@ -40,19 +40,18 @@ handles the initial selinuxfs mount required to perform these actions.
 It should also be noted that after the initial policy load, the SELinux
 kernel code cannot anymore be disabled and the selinuxfs cannot be
 unmounted using a call to
-.B security_disable(3).
+.BR security_disable (3).
 Therefore, after the initial policy load, the only operational changes
 are those permitted by
-.B setenforce(3)
+.BR setenforce (3)
 (i.e. eventually setting the framework in permissive mode rather than
 in enforcing one).
-
+.
 .SH "RETURN VALUE"
-returns zero on success or \-1 on error.
-
+Returns zero on success or \-1 on error.
+.
 .SH "AUTHOR"
 This manual page has been written by Guido Trentalancia <guido@trentalancia.com>
-
+.
 .SH "SEE ALSO"
 .BR selinux "(8), " security_disable "(3), " setenforce "(1)
-
diff --git a/libselinux/man/man3/security_policyvers.3 b/libselinux/man/man3/security_policyvers.3
index 9e5dfd23..041ff3a7 100644
--- a/libselinux/man/man3/security_policyvers.3
+++ b/libselinux/man/man3/security_policyvers.3
@@ -5,12 +5,11 @@ security_policyvers \- get the version of the SELinux policy
 .B #include <selinux/selinux.h>
 .sp
 .B int security_policyvers();
-
+.
 .SH "DESCRIPTION"
-.B security_policyvers
-returns the version of the policy (a positive integer) on success, or -1 on
+.BR security_policyvers ()
+returns the version of the policy (a positive integer) on success, or \-1 on
 error.
-
+.
 .SH "SEE ALSO"
 .BR selinux "(8)"
-
diff --git a/libselinux/man/man3/selabel_lookup.3 b/libselinux/man/man3/selabel_lookup.3
index ab792bba..08b31617 100644
--- a/libselinux/man/man3/selabel_lookup.3
+++ b/libselinux/man/man3/selabel_lookup.3
@@ -3,27 +3,29 @@
 .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
 .TH "selabel_lookup" "3" "18 Jun 2007" "" "SELinux API documentation"
 .SH "NAME"
-selabel_lookup \- obtain SELinux security context from a string label.
+selabel_lookup \- obtain SELinux security context from a string label
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
-
+.br
 .B #include <selinux/label.h>
 .sp
 .BI "int selabel_lookup(struct selabel_handle *" hnd ,
 .in +\w'int selabel_lookup('u
 .BI "security_context_t *" context ,
-
+.br
 .BI "const char *" key ", int " type ");"
 .in
 .sp
 .BI "int selabel_lookup_raw(struct selabel_handle *" hnd ,
 .in +\w'int selabel_lookup_raw('u
 .BI "security_context_t *" context ,
-
+.br
 .BI "const char *" key ", int " type ");"
-
+.in
+.
 .SH "DESCRIPTION"
-.B selabel_lookup
+.BR selabel_lookup ()
 performs a lookup operation on the handle 
 .IR hnd ,
 returning the result in the memory pointed to by 
@@ -38,16 +40,16 @@ parameters are the inputs to the lookup operation and are interpreted according
 .I handle
 is open on.
 
-.B selabel_lookup_raw
+.BR selabel_lookup_raw ()
 behaves identically to 
-.B selabel_lookup
+.BR selabel_lookup ()
 but does not perform context translation.
-
+.
 .SH "RETURN VALUE"
 On success, zero is returned.  On error, \-1 is returned and
 .I errno
 is set appropriately.
-
+.
 .SH "ERRORS"
 .TP
 .B ENOENT
@@ -66,13 +68,12 @@ inputs are invalid, or the context being returned failed validation.
 .TP
 .B ENOMEM
 An attempt to allocate memory failed.
-
+.
 .SH "AUTHOR"
 Eamon Walsh <ewalsh@tycho.nsa.gov>
-
+.
 .SH "SEE ALSO"
 .BR selabel_open (3),
 .BR selabel_stats (3),
 .BR selinux_set_callback (3),
 .BR selinux (8)
-
diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3
index 8674e377..00f28287 100644
--- a/libselinux/man/man3/selabel_open.3
+++ b/libselinux/man/man3/selabel_open.3
@@ -3,23 +3,24 @@
 .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
 .TH "selabel_open" "3" "18 Jun 2007" "" "SELinux API documentation"
 .SH "NAME"
-selabel_open, selabel_close \- userspace SELinux labeling interface.
+selabel_open, selabel_close \- userspace SELinux labeling interface
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
-
+.br
 .B #include <selinux/label.h>
 .sp
 .BI "struct selabel_handle *selabel_open(int " backend , 
 .in +\w'struct selabel_handle *selabel_open('u
 .BI "struct selinux_opt *" options ,
-
+.br
 .BI "unsigned " nopt ");"
 .in
 .sp
 .BI "void selabel_close(struct selabel_handle *" hnd ");"
-
+.
 .SH "DESCRIPTION"
-.B selabel_open
+.BR selabel_open ()
 is used to initialize a labeling handle to be used for lookup operations.  The 
 .I backend
 argument specifies which backend is to be opened; the list of current backends appears in 
@@ -48,14 +49,14 @@ The available option types are described in
 .B GLOBAL OPTIONS
 below as well as in the documentation for each individual backend.  The return value on success is a non-NULL value for use in subsequent label operations.
 
-.B selabel_close
+.BR selabel_close ()
 terminates use of a handle, freeing any internal resources associated with it.  After this call has been made, the handle must not be used again.
-
+.
 .SH "GLOBAL OPTIONS"
 Global options which may be passed to
-.B selabel_open
+.BR selabel_open ()
 include the following:
-
+.
 .TP
 .B SELABEL_OPT_UNUSED
 The option with a type code of zero is a no-op.  Thus an array of options may be initizalized to zero and any untouched elements will not cause an error.
@@ -66,9 +67,8 @@ A non-null value for this option enables context validation.  By default,
 is used; a custom validation function can be provided via
 .BR selinux_set_callback (3).
 Note that an invalid context may not be treated as an error unless it is actually encountered during a lookup operation.
-
+.
 .SH "BACKENDS"
-
 .TP
 .B SELABEL_CTX_FILE
 File contexts backend, described in 
@@ -85,18 +85,19 @@ X Windows contexts backend, described in
 .B SELABEL_CTX_DB
 Database objects contexts backend, described in
 .BR selabel_db (5).
-
+.
 .SH "RETURN VALUE"
 A non-NULL handle value is returned on success.  On error, NULL is returned and
 .I errno
 is set appropriately.
-
+.
 .SH "AUTHOR"
 Eamon Walsh <ewalsh@tycho.nsa.gov>
-
+.
 .SH "SEE ALSO"
+.ad l
+.nh
 .BR selabel_lookup (3),
 .BR selabel_stats (3),
 .BR selinux_set_callback (3),
 .BR selinux (8)
-
diff --git a/libselinux/man/man3/selabel_stats.3 b/libselinux/man/man3/selabel_stats.3
index d39accce..44e1a655 100644
--- a/libselinux/man/man3/selabel_stats.3
+++ b/libselinux/man/man3/selabel_stats.3
@@ -3,33 +3,33 @@
 .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
 .TH "selabel_stats" "3" "18 Jun 2007" "" "SELinux API documentation"
 .SH "NAME"
-selabel_stats \- obtain SELinux labeling statistics.
+selabel_stats \- obtain SELinux labeling statistics
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
-
+.br
 .B #include <selinux/label.h>
 .sp
 .BI "void selabel_stats(struct selabel_handle *" hnd ");"
-
+.
 .SH "DESCRIPTION"
-.B selabel_stats
+.BR selabel_stats ()
 causes zero or more messages to be printed containing backend-specific information about number of queries performed, number of unused entries, or other operational information.
 
 The messages are printed to standard error by default; a custom logging function can be provided via 
 .BR selinux_set_callback (3).
-
+.
 .SH "RETURN VALUE"
 None.
-
+.
 .SH "ERRORS"
 None.
-
+.
 .SH "AUTHOR"
 Eamon Walsh <ewalsh@tycho.nsa.gov>
-
+.
 .SH "SEE ALSO"
 .BR selabel_open (3),
 .BR selabel_lookup (3),
 .BR selinux_set_callback (3),
 .BR selinux (8)
-
diff --git a/libselinux/man/man3/selinux_binary_policy_path.3 b/libselinux/man/man3/selinux_binary_policy_path.3
index b4f6590f..ec97dcf8 100644
--- a/libselinux/man/man3/selinux_binary_policy_path.3
+++ b/libselinux/man/man3/selinux_binary_policy_path.3
@@ -5,89 +5,106 @@ selinux_failsafe_context_path, selinux_removable_context_path,
 selinux_default_context_path, selinux_user_contexts_path,
 selinux_file_context_path, selinux_media_context_path,
 selinux_contexts_path, selinux_booleans_path \- These functions return the paths to the active SELinux policy configuration
-directories and files.
-
+directories and files
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 
-const char *selinux_path(void);
-
-const char *selinux_policy_root(void);
-
-const char *selinux_binary_policy_path(void);
-
-const char *selinux_failsafe_context_path(void);
-
-const char *selinux_removable_context_path(void);
-
-const char *selinux_default_context_path(void);
-
-const char *selinux_user_contexts_path(void);
-
-const char *selinux_usersconf_path(void);
-
-const char *selinux_x_context_path(void);
-
-const char *selinux_sepgsql_context_path(void);
-
-const char *selinux_file_context_path(void);
-
-const char *selinux_media_context_path(void);
-
-const char *selinux_securetty_types_path(void);
-
-const char *selinux_contexts_path(void);
-
-const char *selinux_booleans_path(void);
-
-
+.B const char *selinux_path(void);
+.sp
+.B const char *selinux_policy_root(void);
+.sp
+.B const char *selinux_binary_policy_path(void);
+.sp
+.B const char *selinux_failsafe_context_path(void);
+.sp
+.B const char *selinux_removable_context_path(void);
+.sp
+.B const char *selinux_default_context_path(void);
+.sp
+.B const char *selinux_user_contexts_path(void);
+.sp
+.B const char *selinux_usersconf_path(void);
+.sp
+.B const char *selinux_x_context_path(void);
+.sp
+.B const char *selinux_sepgsql_context_path(void);
+.sp
+.B const char *selinux_file_context_path(void);
+.sp
+.B const char *selinux_media_context_path(void);
+.sp
+.B const char *selinux_securetty_types_path(void);
+.sp
+.B const char *selinux_contexts_path(void);
+.sp
+.B const char *selinux_booleans_path(void);
+.
 .SH "DESCRIPTION"
-
 These functions return the paths to the active policy configuration
-directories and files based on the settings in /etc/selinux/config.
-
+directories and files based on the settings in
+.IR /etc/selinux/config .
 .sp
-selinux_path() - top-level SELinux configuration directory
+.BR selinux_path ()
+returns the top-level SELinux configuration directory.
 .sp
-selinux_policy_root() - top-level policy directory 
+.BR selinux_policy_root ()
+returns the top-level policy directory.
 .sp
-selinux_binary_policy_path() - binary policy file loaded into kernel
+.BR selinux_binary_policy_path ()
+returns the binary policy file loaded into kernel.
 .sp
-selinux_default_type_path - context file mapping roles to default types.
+.BR selinux_default_type_path ()
+returns the context file mapping roles to default types.
 .sp
-selinux_failsafe_context_path() - failsafe context for emergency logins
+.BR selinux_failsafe_context_path ()
+returns the failsafe context for emergency logins.
 .sp
-selinux_removable_context_path() - filesystem context for removable media
+.BR selinux_removable_context_path ()
+returns the filesystem context for removable media.
 .sp
-selinux_default_context_path() - system-wide default contexts for user sessions
+.BR selinux_default_context_path ()
+returns the system-wide default contexts for user sessions.
 .sp
-selinux_user_contexts_path() - directory containing per-user default contexts
+.BR selinux_user_contexts_path ()
+returns the directory containing per-user default contexts.
 .sp
-selinux_usersconf_path() - file containing mapping between Linux Users and SELinux users
+.BR selinux_usersconf_path ()
+returns the file containing mapping between Linux Users and SELinux users.
 .sp
-selinux_x_context_path() - file containing configuration for XSELinux extension
+.BR selinux_x_context_path ()
+returns the file containing configuration for XSELinux extension.
 .sp
-selinux_sepgsql_context_path() - file containing configuration for SE-PostgreSQL
+.BR selinux_sepgsql_context_path ()
+returns the file containing configuration for SE-PostgreSQL.
 .sp
-selinux_netfilter_context_path - default netfilter context 
+.BR selinux_netfilter_context_path ()
+returns the default netfilter context.
 .sp
-selinux_file_context_path() - default system file contexts configuration
+.BR selinux_file_context_path ()
+returns the default system file contexts configuration.
 .sp
-selinux_file_context_local_path() - local customization file contexts configuration
+.BR selinux_file_context_local_path ()
+returns the local customization file contexts configuration.
 .sp
-selinux_file_context_homedir_path() - home directory file contexts configuration
+.BR selinux_file_context_homedir_path ()
+returns the home directory file contexts configuration.
 .sp
-selinux_media_context_path() - file contexts for media device nodes
+.BR selinux_media_context_path ()
+returns the file contexts for media device nodes.
 .sp
-selinux_contexts_path() - directory containing all of the context configuration files
+.BR selinux_contexts_path ()
+returns the directory containing all of the context configuration files.
 .sp
-selinux_securetty_types_path() - defines tty types for newrole securettys
+.BR selinux_securetty_types_path ()
+returns the defines tty types for newrole securettys.
 .sp
-selinux_booleans_path() - initial policy boolean settings
-
+.BR selinux_booleans_path ()
+returns the initial policy boolean settings.
+.
 .SH AUTHOR	
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-
+.
 .SH "SEE ALSO"
 .BR selinux "(8)"
diff --git a/libselinux/man/man3/selinux_boolean_sub.3 b/libselinux/man/man3/selinux_boolean_sub.3
index 8693d573..308c2684 100644
--- a/libselinux/man/man3/selinux_boolean_sub.3
+++ b/libselinux/man/man3/selinux_boolean_sub.3
@@ -1,25 +1,29 @@
 .TH "selinux_boolean_sub" "3" "11 June 2012" "dwalsh@redhat.com" "SELinux API documentation"
 .SH "NAME"
-selinux_boolean_sub
+selinux_boolean_sub \-
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
-.BI "char *selinux_boolean_sub(const char * " boolean_name ");"
+.BI "char *selinux_boolean_sub(const char *" boolean_name ");"
 .sp
 .SH "DESCRIPTION"
-.B selinux_boolean_sub
-searches the /etc/selinux/POLICYTYPE/booleans.subs_dist file
+.BR selinux_boolean_sub ()
+searches the
+.I \%/etc/selinux/{POLICYTYPE}/booleans.subs_dist
+file
 for a maching boolean_name record.  If the record exists the boolean substitution name is returned.  If not
-.B selinux_boolean_sub
-returns the original boolean_name.
+.BR \%selinux_boolean_sub ()
+returns the original
+.IR \%boolean_name .
 
 .SH "RETURN VALUE"
-.BR selinux_boolean_sub
+.BR selinux_boolean_sub ()
 returns the
 .I boolean_name
 or the substituted name on success.  The returned value must be freed with
 .BR free "(3)."
-.BR selinux_boolean_sub
+.BR selinux_boolean_sub ()
 returns NULL on error.
 .SH "SEE ALSO"
-security_get_boolean_names.3
+.BR security_get_boolean_names (3)
diff --git a/libselinux/man/man3/selinux_check_securetty_context.3 b/libselinux/man/man3/selinux_check_securetty_context.3
index 65a10d3d..22e8533a 100644
--- a/libselinux/man/man3/selinux_check_securetty_context.3
+++ b/libselinux/man/man3/selinux_check_securetty_context.3
@@ -1,16 +1,16 @@
 .TH "selinux_check_securetty_context" "3" "1 January 2007" "dwalsh@redhat.com" "SELinux API documentation"
 .SH "NAME"
 selinux_check_securetty_context \- check whether a SELinux tty security context is defined as a securetty context
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 .BI "int selinux_check_securetty_context(security_context_t "tty_context );
-
+.
 .SH "DESCRIPTION"
-.B selinux_check_securetty_context
-returns 0 if tty_context is a securetty context
+.BR selinux_check_securetty_context ()
+returns 0 if tty_context is a securetty context,
 returns < 0 otherwise. 
-
+.
 .SH "SEE ALSO"
 .BR selinux "(8)"
-
diff --git a/libselinux/man/man3/selinux_colors_path.3 b/libselinux/man/man3/selinux_colors_path.3
index 851d81dc..cc57e439 100644
--- a/libselinux/man/man3/selinux_colors_path.3
+++ b/libselinux/man/man3/selinux_colors_path.3
@@ -1,36 +1,37 @@
 .TH "selinux_colors_path" "3" "08 April 2011" "SELinux API documentation"
-
 .SH "NAME"
-selinux_colors_path \- Return a path to the active SELinux policy color configuration file.
+selinux_colors_path \- Return a path to the active SELinux policy color configuration file
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 .B const char *selinux_colors_path(void);
-
+.
 .SH "DESCRIPTION"
-.B selinux_colors_path
+.BR selinux_colors_path ()
 returns the path to the active policy color configuration file. 
 .sp
 The path is built from the path returned by 
 .BR selinux_policy_root "(3)"
 with 
-.B /secolor.conf
+.I /secolor.conf
 appended.
 .sp
 This optional configuration file whose format is shown in 
-.BR secolor.conf "(5),"
+.BR \%secolor.conf (5),
 controls the colors to be associated with the 
 .I raw
 context components of the
 .BR selinux_raw_context_to_color "(3)"
 function when information is to be displayed by an SELinux color-aware application.
-
+.
 .SH "RETURN VALUE"
 On success, the path to the active policy color configuration file is returned. If a path is not available NULL is returned.
-
+.
 .SH "ERRORS"
 None.
-
+.
 .SH "SEE ALSO"
+.ad l
+.nh
 .BR selinux "(8), " selinux_policy_root "(3), " selinux_config "(5), " selinux_raw_context_to_color "(3), " secolor.conf  "(5)"
-
diff --git a/libselinux/man/man3/selinux_file_context_cmp.3 b/libselinux/man/man3/selinux_file_context_cmp.3
index cd671888..30bbaa3e 100644
--- a/libselinux/man/man3/selinux_file_context_cmp.3
+++ b/libselinux/man/man3/selinux_file_context_cmp.3
@@ -1,8 +1,7 @@
 .TH "selinux_file_context_cmp" "3" "08 March 2011" "SELinux API documentation"
-
 .SH "NAME"
-selinux_file_context_cmp \- Compare two SELinux security contexts excluding the 'user' component.
-
+selinux_file_context_cmp \- Compare two SELinux security contexts excluding the 'user' component
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
@@ -10,20 +9,20 @@ selinux_file_context_cmp \- Compare two SELinux security contexts excluding the
 .RS
 .BI "const security_context_t " b ");"
 .RE
-
+.
 .SH "DESCRIPTION"
-.B selinux_file_context_cmp
+.BR selinux_file_context_cmp ()
 compares two context strings excluding the user component with
-.B strcmp(3)
+.BR strcmp (3)
 as shown in the
 .B EXAMPLE
 section.
 .sp
 This is useful as for most object contexts, the user component is not relevant.
-
+.
 .SH "RETURN VALUE"
 The return values follow the
-.B strcmp(3)
+.BR strcmp (3)
 function, where:
 .RS
 0  if they are equal.
@@ -40,13 +39,13 @@ is greater than
 is less than
 .I b
 .RE
-
+.
 .SH "ERRORS"
 None.
-
+.
 .SH "NOTES"
 The contexts being compared do not specifically need to be file contexts.
-
+.
 .SH "EXAMPLE"
 If context
 .I a
@@ -68,8 +67,8 @@ then the actual strings compared are:
 .RE
 .sp
 Therefore they will match and
-.B selinux_file_context_cmp
+.BR selinux_file_context_cmp ()
 will return zero.
-
+.
 .SH "SEE ALSO"
 .BR selinux "(8)"
diff --git a/libselinux/man/man3/selinux_file_context_verify.3 b/libselinux/man/man3/selinux_file_context_verify.3
index e22be706..893949f1 100644
--- a/libselinux/man/man3/selinux_file_context_verify.3
+++ b/libselinux/man/man3/selinux_file_context_verify.3
@@ -1,15 +1,14 @@
 .TH "selinux_file_context_verify" "3" "08 March 2011" "SELinux API documentation"
-
 .SH "NAME"
-selinux_file_context_verify \- Compare the SELinux security context on disk to the default security context required by the policy file contexts file.
-
+selinux_file_context_verify \- Compare the SELinux security context on disk to the default security context required by the policy file contexts file
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 .BI "int selinux_file_context_verify(const char *" path ", mode_t " mode ");"
-
+.
 .SH "DESCRIPTION"
-.B selinux_file_context_verify
+.BR selinux_file_context_verify ()
 compares the context of the specified
 .I path
 that is held on disk (in the extended attribute), to the system default entry held in the file contexts series of files.
@@ -21,7 +20,7 @@ may be zero.
 Note that the two contexts are compared for "significant" differences (i.e. the user component of the contexts are ignored) as shown in the
 .B EXAMPLE
 section.
-
+.
 .SH "RETURN VALUE"
 If the contexts significantly match, 1 (one) is returned.
 .sp
@@ -40,7 +39,7 @@ section, or if
 On failure \-1 is returned and
 .I errno
 set appropriately.
-
+.
 .SH "ERRORS"
 .TP
 .B ENOTSUP
@@ -58,22 +57,26 @@ are invalid, or the returned context fails validation.
 .TP
 .B ENOMEM
 if attempt to allocate memory failed.
-
+.
 .SH "FILES"
 The following configuration files (the file contexts series of files) supporting the active policy will be used (should they exist) to determine the
 .I path
 default context:
 .sp
 .RS
-contexts/files/file_contexts - This file must exist.
+.I contexts/files/file_contexts
+- This file must exist.
 .sp
-contexts/files/file_contexts.local - If exists has local customizations.
+.I contexts/files/file_contexts.local
+- If exists has local customizations.
 .sp
-contexts/files/file_contexts.homedirs - If exists has users home directory customizations.
+.I contexts/files/file_contexts.homedirs
+- If exists has users home directory customizations.
 .sp
-contexts/files/file_contexts.subs - If exists has substitutions that are then applied to the 'in memory' version of the file contexts files.
+.I contexts/files/file_contexts.subs
+- If exists has substitutions that are then applied to the 'in memory' version of the file contexts files.
 .RE
-
+.
 .SH "EXAMPLE"
 If the files context is:
 .RS
@@ -91,8 +94,8 @@ then the actual strings compared are:
 .RE
 .sp
 Therefore they will match and
-.B selinux_file_context_verify
+.BR selinux_file_context_verify ()
 will return 1.
-
+.
 .SH "SEE ALSO"
 .BR selinux "(8)"
diff --git a/libselinux/man/man3/selinux_getenforcemode.3 b/libselinux/man/man3/selinux_getenforcemode.3
index a6a753e9..7ed94c11 100644
--- a/libselinux/man/man3/selinux_getenforcemode.3
+++ b/libselinux/man/man3/selinux_getenforcemode.3
@@ -1,25 +1,31 @@
 .TH "selinux_getenforcemode" "3" "25 May 2004" "dwalsh@redhat.com" "SELinux API documentation"
 .SH "NAME"
 selinux_getenforcemode \- get the enforcing state of SELinux
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
-.B int selinux_getenforcemode(int *enforce);
-
-
+.BI "int selinux_getenforcemode(int *" enforce );
+.
 .SH "DESCRIPTION"
-.B selinux_getenforcemode
-Reads the contents of the /etc/selinux/config file to determine how the 
-system was setup to run SELinux.
+.BR selinux_getenforcemode ()
+Reads the contents of the
+.I /etc/selinux/config
+file to determine how the system was setup to run SELinux.
 
-Sets the value of enforce to 1 if SELinux should be run in enforcing mode.
-Sets the value of enforce to 0 if SELinux should be run in permissive mode.
-Sets the value of enforce to -1 if SELinux should be disabled.
+Sets the value of
+.I enforce
+to 1 if SELinux should be run in enforcing mode.
+Sets the value of
+.I enforce
+to 0 if SELinux should be run in permissive mode.
+Sets the value of
+.I enforce
+to \-1 if SELinux should be disabled.
+.
 .SH "RETURN VALUE"
 On success, zero is returned.
-On failure, -1 is returned.
-
+On failure, \-1 is returned.
+.
 .SH "SEE ALSO"
 .BR selinux "(8)"
-
-
diff --git a/libselinux/man/man3/selinux_getpolicytype.3 b/libselinux/man/man3/selinux_getpolicytype.3
index b93e66e6..c947e2cd 100644
--- a/libselinux/man/man3/selinux_getpolicytype.3
+++ b/libselinux/man/man3/selinux_getpolicytype.3
@@ -1,21 +1,23 @@
 .TH "selinux_getpolicytype" "3" "24 Sep 2008" "dwalsh@redhat.com" "SELinux API documentation"
 .SH "NAME"
 selinux_getpolicytype \- get the type of SELinux policy running on the system
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 .BI "int selinux_getpolicytype(char **" policytype );
-
-
+.
 .SH "DESCRIPTION"
-.B selinux_getpolicytype
-Reads the contents of the /etc/selinux/config file to determine the SELinux policy used on the system.
-
+.BR selinux_getpolicytype ()
+Reads the contents of the
+.I /etc/selinux/config
+file to determine the SELinux policy used on the system, and sets
+.I \%policytype
+accordinly.
+.
 .SH "RETURN VALUE"
 On success, zero is returned.
-On failure, -1 is returned.
-
+On failure, \-1 is returned.
+.
 .SH "SEE ALSO"
 .BR selinux "(8)"
-
-
diff --git a/libselinux/man/man3/selinux_lsetfilecon_default.3 b/libselinux/man/man3/selinux_lsetfilecon_default.3
index 0589c7a5..d4fc6583 100644
--- a/libselinux/man/man3/selinux_lsetfilecon_default.3
+++ b/libselinux/man/man3/selinux_lsetfilecon_default.3
@@ -1,20 +1,20 @@
 .TH "selinux_lsetfilecon_default" "3" "21 November 2009" "sds@tycho.nsa.gov" "SELinux API documentation"
 .SH "NAME"
-selinux_lsetfilecon_default \- set the file context to the system defaults.
-
+selinux_lsetfilecon_default \- set the file context to the system defaults
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
-
 .BI "int selinux_lsetfilecon_default(const char *" path ");"
-
+.
 .SH "DESCRIPTION"
-.B selinux_lsetfilecon_default
+.BR selinux_lsetfilecon_default ()
 sets the file context to the system defaults.
-.sp
-
+.
 .SH "RETURN VALUE"
 Returns zero on success or \-1 otherwise.
-
+.
 .SH "SEE ALSO"
+.ad l
+.nh
 .BR selinux "(8), " selinux_file_context_cmp "(3), " selinux_file_context_verify "(3), " matchpathcon "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
diff --git a/libselinux/man/man3/selinux_policy_root.3 b/libselinux/man/man3/selinux_policy_root.3
index c69e16ed..a6ccf866 100644
--- a/libselinux/man/man3/selinux_policy_root.3
+++ b/libselinux/man/man3/selinux_policy_root.3
@@ -1,20 +1,21 @@
 .TH "selinux_policy_root" "3" "25 May 2004" "dwalsh@redhat.com" "SELinux API documentation"
 .SH "NAME"
-selinux_policy_root \- return the path of the SELinux policy files for this machine.
+selinux_policy_root \- return the path of the SELinux policy files for this machine
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 .B const char *selinux_policy_root(void);
-
-
+.
 .SH "DESCRIPTION"
-.B selinux_policy_root
-Reads the contents of the /etc/selinux/config file to determine which policy files should be used for this machine.
+.BR selinux_policy_root ()
+reads the contents of the
+.I /etc/selinux/config
+file to determine which policy files should be used for this machine.
+.
 .SH "RETURN VALUE"
 On success, returns a directory path containing the SELinux policy files.
 On failure, NULL is returned.
-
+.
 .SH "SEE ALSO"
 .BR selinux "(8)"
-
-
diff --git a/libselinux/man/man3/selinux_raw_context_to_color.3 b/libselinux/man/man3/selinux_raw_context_to_color.3
index d3ca83b5..3737f60e 100644
--- a/libselinux/man/man3/selinux_raw_context_to_color.3
+++ b/libselinux/man/man3/selinux_raw_context_to_color.3
@@ -1,8 +1,7 @@
 .TH "selinux_raw_context_to_color" "3" "08 April 2011" "SELinux API documentation"
-
 .SH "NAME"
-selinux_raw_context_to_color \- Return RGB color string for an SELinux security context.
-
+selinux_raw_context_to_color \- Return RGB color string for an SELinux security context
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
@@ -10,9 +9,9 @@ selinux_raw_context_to_color \- Return RGB color string for an SELinux security
 .RS
 .BI "char **" color_str ");"
 .RE
-
+.
 .SH "DESCRIPTION"
-.B selinux_raw_context_to_color
+.BR selinux_raw_context_to_color ()
 returns a 
 .I color_str
 associated to the raw context 
@@ -20,7 +19,7 @@ associated to the raw context
 provided that the 
 .BR mcstransd "(8)"
 daemon is running, the policy is an MLS type policy (MCS or MLS) and there is a color configuration file
-.BR secolor.conf "(5)"
+.BR \%secolor.conf (5)
 (see the
 .B FILES
 section).
@@ -39,7 +38,7 @@ string must be freed with
 If a color has not been configured for a specific user, role, type and/or range component of context 
 .IR raw ","
 then
-.B selinux_raw_context_to_color
+.BR \%selinux_raw_context_to_color ()
 will select the color returned in 
 .I color_str
 in order of precedence as follows:
@@ -55,7 +54,7 @@ user, role, type
 .RE
 
 If there are no entries in the 
-.B secolor.conf
+.BR secolor.conf (5)
 file for any of the components of context 
 .I raw
 (or the file is not present), then the default string returned in 
@@ -68,32 +67,32 @@ is:
 #000000 #ffffff #000000 #ffffff #000000 #ffffff #000000 #ffffff
 .sp
 .RE
-
+.
 .SH "RETURN VALUE"
 On success, zero is returned.
 .br
 On failure, \-1 is returned with 
 .I errno
 set appropriately.
-
+.
 .SH "ERRORS"
 .B ENOENT
 If the 
 .BR mcstransd "(8)"
 daemon is not running. 
-
+.
 .SH "FILES"
-.B selinux_raw_context_to_color
+.BR selinux_raw_context_to_color ()
 obtains the translated entry from the active policy 
 .BR secolor.conf "(5)"
 file as returned by
-.BR selinux_colors_path "(3)."
+.BR \%selinux_colors_path (3).
 The file format is described in 
-.BR secolor.conf "(5)."
-
+.BR \%secolor.conf (5).
+.
 .SH "NOTES"
 1. The primary use of 
-.B selinux_raw_context_to_color
+.BR selinux_raw_context_to_color ()
 is to return a color that corresponds to a range, that can then be used to highlight information at different MLS levels.
 .sp
 2. The 
@@ -101,11 +100,11 @@ is to return a color that corresponds to a range, that can then be used to highl
 daemon process security level must dominate the 
 .I raw
 security level passed to it by the 
-.B selinux_raw_context_to_color
+.BR selinux_raw_context_to_color ()
 function. If not, the range color selected will be as defined by the order of precedence.
-
+.
 .SH "EXAMPLE"
-.B selinux_raw_context_to_color
+.BR selinux_raw_context_to_color ()
 returns the foreground and background colors of the context string components (user:role:type:range) as RGB triples as follows:
 .sp
 
@@ -117,8 +116,8 @@ returns the foreground and background colors of the context string components (u
 .br
  black   white :  white   black  : tan    orange  : black   green 
 .br
-
+.
 .SH "SEE ALSO"
+.ad l
+.nh
 .BR selinux "(8), " selinux_colors_path "(3), " mcstransd "(8), " secolor.conf "(5), " selinux_raw_to_trans_context "(3), " selinux_trans_to_raw_context "(3), " free "(3)"
-
-
diff --git a/libselinux/man/man3/selinux_set_callback.3 b/libselinux/man/man3/selinux_set_callback.3
index 4f8d74de..073e135e 100644
--- a/libselinux/man/man3/selinux_set_callback.3
+++ b/libselinux/man/man3/selinux_set_callback.3
@@ -3,14 +3,15 @@
 .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
 .TH "selinux_set_callback" "3" "20 Jun 2007" "" "SELinux API documentation"
 .SH "NAME"
-selinux_set_callback \- userspace SELinux callback facilities.
+selinux_set_callback \- userspace SELinux callback facilities
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 .BI "void selinux_set_callback(int " type ", union selinux_callback " callback ");"
-
+.
 .SH "DESCRIPTION"
-.B selinux_set_callback
+.BR selinux_set_callback ()
 sets the callback indicated by
 .I type
 to the value of
@@ -45,7 +46,7 @@ argument indicates the type of message and will be set to one of the following:
 .B SELINUX_INFO
 
 .B SELINUX_AVC
-
+.
 .TP
 .B SELINUX_CB_AUDIT
 .BI "int (*" func_audit ") (void *" auditdata ", security_class_t " cls ,
@@ -64,7 +65,7 @@ A human-readable interpretation should be printed to
 using no more than
 .I msgbufsize
 characters.
-
+.
 .TP
 .B SELINUX_CB_VALIDATE
 .BI "int (*" func_validate ") (security_context_t *" ctx ");"
@@ -78,7 +79,7 @@ The value of
 should be set to
 .B EINVAL
 to indicate an invalid context.
-
+.
 .TP
 .B SELINUX_CB_SETENFORCE
 .BI "int (*" func_setenforce ") (int " enforcing ");"
@@ -91,7 +92,7 @@ argument indicates the new value and is set to
 for enforcing mode, and
 .I 0
 for permissive mode.
-
+.
 .TP
 .B SELINUX_CB_POLICYLOAD
 .BI "int (*" func_policyload ") (int " seqno ");"
@@ -100,19 +101,18 @@ This callback is invoked when the system security policy is reloaded.
 The
 .I seqno
 argument is the current sequential number of the policy generation in the system.
-
+.
 .SH "RETURN VALUE"
 None.
-
+.
 .SH "ERRORS"
 None.
-
+.
 .SH "AUTHOR"
 Eamon Walsh <ewalsh@tycho.nsa.gov>
-
+.
 .SH "SEE ALSO"
 .BR selabel_open (3),
 .BR avc_init (3),
-.BR avc_netlink_open(3),
+.BR avc_netlink_open (3),
 .BR selinux (8)
-
diff --git a/libselinux/man/man3/selinux_set_mapping.3 b/libselinux/man/man3/selinux_set_mapping.3
index 7ac069ac..a93f7b29 100644
--- a/libselinux/man/man3/selinux_set_mapping.3
+++ b/libselinux/man/man3/selinux_set_mapping.3
@@ -3,7 +3,8 @@
 .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2008
 .TH "selinux_set_mapping" "3" "12 Jun 2008" "" "SELinux API documentation"
 .SH "NAME"
-selinux_set_mapping \- establish dynamic object class and permission mapping.
+selinux_set_mapping \- establish dynamic object class and permission mapping
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
@@ -15,9 +16,9 @@ struct security_class_mapping {
 .fi
 .sp
 .BI "int selinux_set_mapping(struct security_class_mapping *" map ");"
-
+.
 .SH "DESCRIPTION"
-.B selinux_set_mapping
+.BR selinux_set_mapping ()
 establishes a mapping from a user-provided ordering of object classes and permissions to the numbers actually used by the loaded system policy.  Use of this function is highly preferred over the generated constants in the libselinux header files, as this method allows the policy's class and permission values to change over time.
 
 After the mapping is established, all libselinux functions that operate on class and permission values take the user-provided numbers, which are determined as follows:
@@ -33,12 +34,12 @@ field should refer to the string name of an object class, and the corresponding
 field should refer to an array of permission bit names terminated by a NULL string.
 
 The object classes named in the mapping and the bit indexes of each set of permission bits named in the mapping are numbered in order starting from 1.  These numbers are the values that should be passed to subsequent libselinux calls.
-
+.
 .SH "RETURN VALUE"
-Zero is returned on success.  On error, -1 is returned and
+Zero is returned on success.  On error, \-1 is returned and
 .I errno
 is set appropriately.
-
+.
 .SH "ERRORS"
 .TP
 .B EINVAL
@@ -46,7 +47,7 @@ One of the class or permission names requested in the mapping is not present in
 .TP
 .B ENOMEM
 An attempt to allocate memory failed.
-
+.
 .SH "EXAMPLE"
 .RS
 .ta 4n 10n
@@ -78,10 +79,10 @@ and
 (for the 
 .B file
 class) will be identified by 1, 2, 4, and 8 respectively.  Classes and permissions not listed in the mapping cannot be used.
-
+.
 .SH "AUTHOR"
 Eamon Walsh <ewalsh@tycho.nsa.gov>
-
+.
 .SH "SEE ALSO"
 .BR avc_open (8),
 .BR selinux (8)
diff --git a/libselinux/man/man3/selinux_status_open.3 b/libselinux/man/man3/selinux_status_open.3
index 9cb9249b..014314ef 100644
--- a/libselinux/man/man3/selinux_status_open.3
+++ b/libselinux/man/man3/selinux_status_open.3
@@ -3,7 +3,8 @@
 selinux_status_open, selinux_status_close, selinux_status_updated,
 selinux_status_getenforce, selinux_status_policyload and
 selinux_status_deny_unknown \- reference the SELinux kernel status
-without invocation of system calls.
+without invocation of system calls
+.
 .SH "SYNOPSIS"
 .B #include <selinux/avc.h>
 .sp
@@ -18,7 +19,7 @@ without invocation of system calls.
 .BI "int selinux_status_policyload(void);"
 .sp
 .BI "int selinux_status_deny_unknown(void);"
-.sp
+.
 .SH "DESCRIPTION"
 Linux 2.6.37 or later provides a SELinux kernel status page; being mostly
 placed on
@@ -27,14 +28,14 @@ entry. It enables userspace applications to mmap this page with read-only
 mode, then it informs some status without system call invocations.
 .sp
 In some cases that a userspace application tries to apply heavy frequest
-access control; such as row\-level security in databases, it will face
+access control; such as row-level security in databases, it will face
 unignorable cost to communicate with kernel space to check invalidation
 of userspace avc.
 .sp
 These functions provides applications a way to know some kernel events
-without system\-call invocation or worker thread for monitoring.
+without system-call invocation or worker thread for monitoring.
 .sp
-.BR selinux_status_open
+.BR selinux_status_open ()
 tries to
 .BR open (2)
 .I /selinux/status
@@ -51,46 +52,49 @@ and overwrite corresponding callbacks ( setenforce and policyload).
 Thus, we need to pay attention to the interaction with these interfaces,
 when fallback mode is enabled.
 .sp
-.BR selinux_status_close
+.BR selinux_status_close ()
 unmap the kernel status page and close its file descriptor, or close the
 netlink socket if fallbacked.
 .sp
-.BR selinux_status_updated
+.BR selinux_status_updated ()
 informs us whether something has been updated since the last call.
 It returns 0 if nothing was happened, however, 1 if something has been
-updated in this duration, or -1 on error.
+updated in this duration, or \-1 on error.
 .sp
-.BR selinux_status_getenforce
+.BR selinux_status_getenforce ()
 returns 0 if SELinux is running in permissive mode, 1 if enforcing mode,
-or -1 on error.
+or \-1 on error.
 Same as
 .BR security_getenforce (3)
 except with or without system call invocation.
 .sp
-.BR selinux_status_policyload
-returns times of policy reloaded on the running system, or -1 on error.
+.BR selinux_status_policyload ()
+returns times of policy reloaded on the running system, or \-1 on error.
 Note that it is not a reliable value on fallback-mode until it receive
 the first event message via netlink socket.
 Thus, don't use this value to know actual times of policy reloaded.
 .sp
-.BR selinux_status_deny_unknown
+.BR selinux_status_deny_unknown ()
 returns 0 if SELinux treats policy queries on undefined object classes or
-permissions as being allowed, 1 if such queries are denied, or -1 on error.
+permissions as being allowed, 1 if such queries are denied, or \-1 on error.
 .sp
 Also note that these interfaces are not thread-safe, so you have to protect
 them from concurrent calls using exclusive locks when multiple threads are
 performing.
+.
 .SH "RETURN VALUE"
-.BR selinux_status_open
+.BR selinux_status_open ()
 returns 0 or 1 on success. 1 means we are ready to use these interfaces,
 but netlink socket was opened as fallback instead of the kernel status page.
-On error, -1 shall be returned.
+On error, \-1 shall be returned.
 .sp
 Any other functions with a return value shall return its characteristic
-value as described above, or -1 on errors.
-.sp
+value as described above, or \-1 on errors.
+.
 .SH "SEE ALSO"
-.BR mmap (2)
-.BR avc_netlink_open (3)
-.BR security_getenforce (3)
+.ad l
+.nh
+.BR mmap (2),
+.BR avc_netlink_open (3),
+.BR security_getenforce (3),
 .BR security_deny_unknown (3)
diff --git a/libselinux/man/man3/set_matchpathcon_flags.3 b/libselinux/man/man3/set_matchpathcon_flags.3
index 037fe05b..2841becc 100644
--- a/libselinux/man/man3/set_matchpathcon_flags.3
+++ b/libselinux/man/man3/set_matchpathcon_flags.3
@@ -1,42 +1,41 @@
 .TH "set_matchpathcon_flags" "3" "21 November 2009" "sds@tycho.nsa.gov" "SELinux API documentation"
 .SH "NAME"
-set_matchpathcon_flags, set_matchpathcon_invalidcon, set_matchpathcon_printf \- set flags controlling the operation of matchpathcon or matchpathcon_index and configure the behaviour of validity checking and error displaying.
-
+set_matchpathcon_flags, set_matchpathcon_invalidcon, set_matchpathcon_printf \- set flags controlling the operation of matchpathcon or matchpathcon_index and configure the behaviour of validity checking and error displaying
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
-
 .BI "void set_matchpathcon_flags(unsigned int " flags ");"
-
-.BI "void set_matchpathcon_invalidcon(int (*" f ")(const char *" path ", unsigned " lineno ", char * " context "));"
-
+.sp
+.BI "void set_matchpathcon_invalidcon(int (*" f ")(const char *" path ", unsigned " lineno ", char *" context "));"
+.sp
 .BI "void set_matchpathcon_printf(void (*" f ")(const char *" fmt ", ...));"
-
+.
 .SH "DESCRIPTION"
-.B set_matchpathcon_flags
+.BR set_matchpathcon_flags ()
 sets the flags controlling the operation of 
-.B matchpathcon_init
+.BR matchpathcon_init (3)
 and subsequently
-.B matchpathcon_index
+.BR matchpathcon_index (3)
 or
-.B matchpathcon.
+.BR matchpathcon (3).
 If the 
 .B MATCHPATHCON_BASEONLY
 flag is set, then only the base file contexts configuration file
 will be processed, not any dynamically generated entries or local customizations.
 .sp
 
-.B set_matchpathcon_invalidcon
+.BR set_matchpathcon_invalidcon ()
 sets the function used by 
-.B matchpathcon_init
+.BR matchpathcon_init (3)
 when checking the validity of a context in the file contexts
 configuration.  If not set, then this defaults to a test based 
 on 
-.B security_check_context(3),
+.BR security_check_context (3),
 which checks validity against the active policy on a SELinux system.
 This can be set to instead perform checking based on a binary policy file,
 e.g. using 
-.B sepol_check_context(3),
+.BR sepol_check_context (3),
 as is done by 
 .B setfiles \-c.
 The function is also responsible for reporting any such error, and
@@ -47,16 +46,17 @@ and
 in such error messages.
 .sp
 
-.B set_matchpathcon_printf
+.BR set_matchpathcon_printf ()
 sets the function used by 
-.B matchpathcon_init
+.BR matchpathcon_init (3)
 when displaying errors about the file contexts configuration.  If not set, 
 then this defaults to fprintf(stderr, fmt, ...).  This can be set to redirect
 error reporting to a different destination.
-.sp
-
+.
 .SH "RETURN VALUE"
 Returns zero on success or \-1 otherwise.
-
+.
 .SH "SEE ALSO"
+.ad l
+.nh
 .BR selinux "(8), " matchpathcon "(3), " matchpathcon_index "(3), " set_matchpathcon_invalidcon "(3), " set_matchpathcon_printf "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
diff --git a/libselinux/man/man3/setfilecon.3 b/libselinux/man/man3/setfilecon.3
index 18030cd2..7da024ba 100644
--- a/libselinux/man/man3/setfilecon.3
+++ b/libselinux/man/man3/setfilecon.3
@@ -1,41 +1,53 @@
 .TH "setfilecon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
 .SH "NAME"
 setfilecon, fsetfilecon, lsetfilecon \- set SELinux security context of a file
-
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 .BI "int setfilecon(const char *" path ", security_context_t "con );
-
+.sp
 .BI "int lsetfilecon(const char *" path ", security_context_t "con );
-
+.sp
 .BI "int fsetfilecon(int "fd ", security_context_t "con );
-
+.
 .SH "DESCRIPTION"
-.B setfilecon
+.BR setfilecon ()
 sets the security context of the file system object.
 
-.B lsetfilecon
+.BR lsetfilecon ()
 is identical to setfilecon, except in the case of a symbolic link, where the
 link itself has it's context set, not the file that it refers to.
 
-.B fsetfilecon
+.BR fsetfilecon ()
 is identical to setfilecon, only the open file pointed to by filedes (as
-returned by open(2)) has it's context set in place of path.
-
+returned by
+.BR open (2))
+has it's context set in place of path.
+.
 .SH "RETURN VALUE"
-On success, zero is returned. On failure, -1 is returned and errno is
-set appropriately.
-
+On success, zero is returned. On failure, \-1 is returned and
+.I errno
+is set appropriately.
+.
+.SH "ERRORS"
 If there is insufficient space remaining to store the extended
-attribute, errno is set to either ENOSPC, or EDQUOT if quota enforce-
-ment was the cause.
-
-If extended attributes are not supported by the filesystem, or are dis-
-abled, errno is set to ENOTSUP.
-
-The errors documented for the stat(2) system call are also applicable
-here.
-
+attribute,
+.I errno
+is set to either
+.BR ENOSPC ,
+or
+.B EDQUOT
+if quota enforcement was the cause.
+
+If extended attributes are not supported by the filesystem, or are disabled,
+.I errno
+is set to
+.BR ENOTSUP .
+
+The errors documented for the
+.BR stat (2)
+system call are also applicable here.
+.
 .SH "SEE ALSO"
 .BR selinux "(3), " freecon "(3), " getfilecon "(3), " setfscreatecon "(3)"