diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index 5b464e7..8e69aa4 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -2527,3 +2527,11 @@ rhnsd = module
 # gear policy
 #
 gear = module
+
+# Layer: contrib
+# Module: mongodb
+#
+# mongodb policy
+#
+
+mongodb = module
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index a3ec877..bb1bef1 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -8893,7 +8893,7 @@ index 2b9a3a1..f755e6b 100644
 +/var/named/dynamic(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
 +')
 diff --git a/bind.if b/bind.if
-index 531a8f2..0df9341 100644
+index 531a8f2..67b6c3d 100644
 --- a/bind.if
 +++ b/bind.if
 @@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',`
@@ -8988,28 +8988,54 @@ index 531a8f2..0df9341 100644
  ##	Create, read, write, and delete
  ##	bind zone files.
  ## </summary>
-@@ -364,11 +428,17 @@ interface(`bind_admin',`
+@@ -344,6 +408,25 @@ interface(`bind_udp_chat_named',`
+ 
+ ########################################
+ ## <summary>
++##	Allow the domain to read bind state files in /proc.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`bind_read_state',`
++	gen_require(`
++		type named_t;
++	')
++
++	kernel_search_proc($1)
++	ps_process_pattern($1, named_t)
++')
++
++########################################
++## <summary>
+ ##	All of the rules required to
+ ##	administrate an bind environment.
+ ## </summary>
+@@ -364,11 +447,17 @@ interface(`bind_admin',`
  		type named_t, named_tmp_t, named_log_t;
  		type named_cache_t, named_zone_t, named_initrc_exec_t;
  		type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
 -		type named_keytab_t;
 +		type named_keytab_t, named_unit_file_t;
- 	')
- 
--	allow $1 { named_t ndc_t }:process { ptrace signal_perms };
--	ps_process_pattern($1, { named_t ndc_t })
++	')
++
 +	allow $1 named_t:process signal_perms;
 +	ps_process_pattern($1, named_t)
 +
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $1 named_t:process ptrace;
-+	')
-+
+ 	')
+ 
+-	allow $1 { named_t ndc_t }:process { ptrace signal_perms };
+-	ps_process_pattern($1, { named_t ndc_t })
 +	bind_run_ndc($1, $2)
  
  	init_labeled_script_domtrans($1, named_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -384,11 +454,15 @@ interface(`bind_admin',`
+@@ -384,11 +473,15 @@ interface(`bind_admin',`
  	files_list_etc($1)
  	admin_pattern($1, { named_keytab_t named_conf_t })
  
@@ -12704,10 +12730,10 @@ index 0000000..8ac848b
 +')
 diff --git a/cloudform.te b/cloudform.te
 new file mode 100644
-index 0000000..0e17a32
+index 0000000..99cab6e
 --- /dev/null
 +++ b/cloudform.te
-@@ -0,0 +1,298 @@
+@@ -0,0 +1,229 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@@ -12718,7 +12744,6 @@ index 0000000..0e17a32
 +
 +cloudform_domain_template(deltacloudd)
 +cloudform_domain_template(iwhd)
-+cloudform_domain_template(mongod)
 +cloudform_domain_template(cloud_init)
 +
 +type cloud_init_tmp_t;
@@ -12751,21 +12776,6 @@ index 0000000..0e17a32
 +type iwhd_var_run_t;
 +files_pid_file(iwhd_var_run_t)
 +
-+type mongod_initrc_exec_t;
-+init_script_file(mongod_initrc_exec_t)
-+
-+type mongod_log_t;
-+logging_log_file(mongod_log_t)
-+
-+type mongod_var_lib_t;
-+files_type(mongod_var_lib_t)
-+
-+type mongod_tmp_t;
-+files_tmp_file(mongod_tmp_t)
-+
-+type mongod_var_run_t;
-+files_pid_file(mongod_var_run_t)
-+
 +type iwhd_log_t;
 +logging_log_file(iwhd_log_t)
 +
@@ -12953,59 +12963,6 @@ index 0000000..0e17a32
 +
 +userdom_home_manager(iwhd_t)
 +
-+########################################
-+#
-+# mongod local policy
-+#
-+
-+allow mongod_t self:process { execmem setsched signal };
-+
-+allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
-+allow mongod_t self:unix_stream_socket create_stream_socket_perms;
-+allow mongod_t self:udp_socket create_socket_perms;
-+
-+manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
-+manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
-+logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log")
-+logging_log_filetrans(mongod_t, mongod_log_t, file, "mongod.log")
-+
-+manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
-+manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
-+
-+manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
-+manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
-+manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
-+files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })
-+
-+manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
-+manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
-+#needed by dbomatic
-+files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
-+
-+corecmd_exec_bin(mongod_t)
-+corecmd_exec_shell(mongod_t)
-+
-+corenet_tcp_bind_generic_node(mongod_t)
-+corenet_tcp_bind_mongod_port(mongod_t)
-+corenet_tcp_connect_mongod_port(mongod_t)
-+corenet_tcp_connect_postgresql_port(mongod_t)
-+
-+kernel_read_vm_sysctls(mongod_t)
-+kernel_read_system_state(mongod_t)
-+
-+fs_getattr_all_fs(mongod_t)
-+
-+optional_policy(`
-+	mysql_stream_connect(mongod_t)
-+')
-+
-+optional_policy(`
-+	postgresql_stream_connect(mongod_t)
-+')
-+
-+optional_policy(`
-+	sysnet_dns_name_resolve(mongod_t)
-+')
 diff --git a/cmirrord.if b/cmirrord.if
 index cc4e7cb..f348d27 100644
 --- a/cmirrord.if
@@ -13257,6 +13214,312 @@ index 5f306dd..e01156f 100644
 +	tftp_manage_config(cobblerd_t)
  	tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
  ')
+diff --git a/cockpit.fc b/cockpit.fc
+new file mode 100644
+index 0000000..ee6e817
+--- /dev/null
++++ b/cockpit.fc
+@@ -0,0 +1,9 @@
++/usr/lib/systemd/system/cockpit.service		--	gen_context(system_u:object_r:cockpit_unit_file_t,s0)
++
++/usr/lib/systemd/system/cockpit.socket		--	gen_context(system_u:object_r:cockpit_unit_file_t,s0)
++
++/usr/lib/systemd/system/cockpitd.service		--	gen_context(system_u:object_r:cockpit_unit_file_t,s0)
++
++/usr/libexec/cockpitd		--	gen_context(system_u:object_r:cockpit_exec_t,s0)
++
++/var/lib/cockpit(/.*)?		gen_context(system_u:object_r:cockpit_var_lib_t,s0)
+diff --git a/cockpit.if b/cockpit.if
+new file mode 100644
+index 0000000..25e3237
+--- /dev/null
++++ b/cockpit.if
+@@ -0,0 +1,186 @@
++
++## <summary>policy for cockpit</summary>
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the cockpit domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`cockpit_domtrans',`
++	gen_require(`
++		type cockpit_t, cockpit_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, cockpit_exec_t, cockpit_t)
++')
++
++########################################
++## <summary>
++##	Search cockpit lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cockpit_search_lib',`
++	gen_require(`
++		type cockpit_var_lib_t;
++	')
++
++	allow $1 cockpit_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read cockpit lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cockpit_read_lib_files',`
++	gen_require(`
++		type cockpit_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage cockpit lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cockpit_manage_lib_files',`
++	gen_require(`
++		type cockpit_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage cockpit lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cockpit_manage_lib_dirs',`
++	gen_require(`
++		type cockpit_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Execute cockpit server in the cockpit domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`cockpit_systemctl',`
++	gen_require(`
++		type cockpit_t;
++		type cockpit_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++        systemd_read_fifo_file_passwd_run($1)
++	allow $1 cockpit_unit_file_t:file read_file_perms;
++	allow $1 cockpit_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, cockpit_t)
++')
++
++
++########################################
++## <summary>
++##	Send and receive messages from
++##	cockpit over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cockpit_dbus_chat',`
++	gen_require(`
++		type cockpit_t;
++		class dbus send_msg;
++	')
++
++	allow $1 cockpit_t:dbus send_msg;
++	allow cockpit_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an cockpit environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`cockpit_admin',`
++	gen_require(`
++		type cockpit_t;
++		type cockpit_var_lib_t;
++	type cockpit_unit_file_t;
++	')
++
++	allow $1 cockpit_t:process { signal_perms };
++	ps_process_pattern($1, cockpit_t)
++
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 cockpit_t:process ptrace;
++    ')
++
++	files_search_var_lib($1)
++	admin_pattern($1, cockpit_var_lib_t)
++
++	cockpit_systemctl($1)
++	admin_pattern($1, cockpit_unit_file_t)
++	allow $1 cockpit_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/cockpit.te b/cockpit.te
+new file mode 100644
+index 0000000..ede96a7
+--- /dev/null
++++ b/cockpit.te
+@@ -0,0 +1,93 @@
++policy_module(cockpit, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type cockpit_t;
++type cockpit_exec_t;
++init_daemon_domain(cockpit_t, cockpit_exec_t)
++
++type cockpit_var_lib_t;
++files_type(cockpit_var_lib_t)
++
++type cockpit_unit_file_t;
++systemd_unit_file(cockpit_unit_file_t)
++
++########################################
++#
++# cockpit local policy
++#
++allow cockpit_t self:capability net_admin;
++allow cockpit_t self:fifo_file rw_fifo_file_perms;
++allow cockpit_t self:unix_stream_socket create_stream_socket_perms;
++allow cockpit_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow cockpit_t self:unix_dgram_socket create_socket_perms;
++
++manage_dirs_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t)
++manage_files_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t)
++manage_lnk_files_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t)
++files_var_lib_filetrans(cockpit_t, cockpit_var_lib_t, { dir file lnk_file })
++
++kernel_read_system_state(cockpit_t)
++kernel_read_network_state(cockpit_t)
++
++corecmd_exec_bin(cockpit_t)
++corecmd_exec_shell(cockpit_t)
++
++dev_read_sysfs(cockpit_t)
++
++domain_use_interactive_fds(cockpit_t)
++domain_read_all_domains_state(cockpit_t)
++
++files_read_etc_files(cockpit_t)
++files_list_tmp(cockpit_t)
++
++fs_read_tmpfs_symlinks(cockpit_t)
++fs_list_cgroup_dirs(cockpit_t)
++fs_read_cgroup_files(cockpit_t)
++fs_getattr_all_fs(cockpit_t)
++
++auth_use_nsswitch(cockpit_t)
++
++init_dbus_chat(cockpit_t)
++init_status(cockpit_t)
++init_read_state(cockpit_t)
++init_list_pid_dirs(cockpit_t)
++
++logging_send_syslog_msg(cockpit_t)
++
++miscfiles_read_localization(cockpit_t)
++
++systemd_status_all_unit_files(cockpit_t)
++systemd_read_logind_sessions_files(cockpit_t)
++
++udev_read_pid_files(cockpit_t)
++
++optional_policy(`
++	dbus_system_bus_client(cockpit_t)
++	dbus_connect_system_bus(cockpit_t)
++
++	optional_policy(`
++		accountsd_dbus_chat(cockpit_t)
++	')
++
++	optional_policy(`
++		devicekit_dbus_chat_disk(cockpit_t)
++		devicekit_dbus_chat_power(cockpit_t)
++	')
++
++	optional_policy(`
++		networkmanager_dbus_chat(cockpit_t)
++		networkmanager_stream_connect(cockpit_t)
++	')
++
++	optional_policy(`
++		realmd_dbus_chat(cockpit_t)
++	')
++')
++
++optional_policy(`
++	docker_stream_connect(cockpit_t)
++')
 diff --git a/collectd.fc b/collectd.fc
 index 79a3abe..8d70290 100644
 --- a/collectd.fc
@@ -23835,10 +24098,10 @@ index 0000000..1048292
 +')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..d5a606c
+index 0000000..acaabd3
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,266 @@
+@@ -0,0 +1,267 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@@ -24068,6 +24331,7 @@ index 0000000..d5a606c
 +
 +userdom_stream_connect(docker_t)
 +userdom_search_user_home_content(docker_t)
++userdom_read_all_users_state(docker_t)
 +
 +optional_policy(`
 +	dbus_system_bus_client(docker_t)
@@ -28272,10 +28536,10 @@ index 0000000..9e17d3e
 +')
 diff --git a/geoclue.te b/geoclue.te
 new file mode 100644
-index 0000000..95c3a2b
+index 0000000..7106428
 --- /dev/null
 +++ b/geoclue.te
-@@ -0,0 +1,47 @@
+@@ -0,0 +1,51 @@
 +policy_module(geoclue, 1.0.0)
 +
 +########################################
@@ -28322,6 +28586,10 @@ index 0000000..95c3a2b
 +
 +optional_policy(`
 +	dbus_system_domain(geoclue_t, geoclue_exec_t)
++
++	optional_policy(`
++		networkmanager_dbus_chat(geoclue_t)
++	')
 +')
 diff --git a/gift.te b/gift.te
 index 8a820fa..996b30c 100644
@@ -43927,20 +44195,59 @@ index b94102e..25d1d33 100644
 +	')
 +')
 diff --git a/mongodb.te b/mongodb.te
-index 169f236..a9a3284 100644
+index 169f236..2184be0 100644
 --- a/mongodb.te
 +++ b/mongodb.te
-@@ -41,7 +41,8 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
+@@ -21,19 +21,27 @@ files_type(mongod_var_lib_t)
+ type mongod_var_run_t;
+ files_pid_file(mongod_var_run_t)
+ 
++type mongod_tmp_t;
++files_tmp_file(mongod_tmp_t)
++
+ ########################################
+ #
+ # Local policy
+ #
+ 
+-allow mongod_t self:process signal;
++
++allow mongod_t self:process { setsched signal };
+ allow mongod_t self:fifo_file rw_fifo_file_perms;
+ 
++allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
++allow mongod_t self:unix_stream_socket create_stream_socket_perms;
++allow mongod_t self:udp_socket create_socket_perms;
++
+ manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
+ append_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
+ create_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
+ setattr_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
+-logging_log_filetrans(mongod_t, mongod_log_t, dir)
++logging_log_filetrans(mongod_t, mongod_log_t, { dir file })
+ 
+ manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
+ manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
+@@ -41,21 +49,41 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
  
  manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
  manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
 -files_pid_filetrans(mongod_t, mongod_var_run_t, dir)
 +manage_sock_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
 +files_pid_filetrans(mongod_t, mongod_var_run_t, { dir file sock_file })
++
++manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
++manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
++manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
++files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })
  
  kernel_read_system_state(mongod_t)
++kernel_read_vm_sysctls(mongod_t)
++
++corecmd_exec_bin(mongod_t)
++corecmd_exec_shell(mongod_t)
  
-@@ -49,13 +50,11 @@ corenet_all_recvfrom_unlabeled(mongod_t)
+ corenet_all_recvfrom_unlabeled(mongod_t)
  corenet_all_recvfrom_netlabel(mongod_t)
  corenet_tcp_sendrecv_generic_if(mongod_t)
  corenet_tcp_sendrecv_generic_node(mongod_t)
@@ -43955,6 +44262,18 @@ index 169f236..a9a3284 100644
  fs_getattr_all_fs(mongod_t)
  
 -miscfiles_read_localization(mongod_t)
++optional_policy(`
++	mysql_stream_connect(mongod_t)
++')
++
++optional_policy(`
++	postgresql_stream_connect(mongod_t)
++')
++
++optional_policy(`
++	sysnet_dns_name_resolve(mongod_t)
++')
++
 diff --git a/mono.te b/mono.te
 index a6a8643..c0f6cf5 100644
 --- a/mono.te
@@ -49397,7 +49716,7 @@ index 687af38..a77dc09 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/mysql.te b/mysql.te
-index 7584bbe..ae0d53a 100644
+index 7584bbe..494cd37 100644
 --- a/mysql.te
 +++ b/mysql.te
 @@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1)
@@ -49474,7 +49793,7 @@ index 7584bbe..ae0d53a 100644
  
  manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
  manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
-@@ -95,50 +92,54 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+@@ -95,50 +92,56 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
  manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
  files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
  
@@ -49501,11 +49820,13 @@ index 7584bbe..ae0d53a 100644
 -corenet_sendrecv_mysqld_server_packets(mysqld_t)
  corenet_tcp_bind_mysqld_port(mysqld_t)
 -corenet_sendrecv_mysqld_client_packets(mysqld_t)
++corenet_tcp_bind_tram_port(mysqld_t)
  corenet_tcp_connect_mysqld_port(mysqld_t)
 -corenet_tcp_sendrecv_mysqld_port(mysqld_t)
 -
 -corecmd_exec_bin(mysqld_t)
 -corecmd_exec_shell(mysqld_t)
++corenet_tcp_connect_tram_port(mysqld_t)
 +corenet_sendrecv_mysqld_client_packets(mysqld_t)
 +corenet_sendrecv_mysqld_server_packets(mysqld_t)
  
@@ -49546,7 +49867,7 @@ index 7584bbe..ae0d53a 100644
  ')
  
  optional_policy(`
-@@ -146,6 +147,10 @@ optional_policy(`
+@@ -146,6 +149,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49557,7 +49878,7 @@ index 7584bbe..ae0d53a 100644
  	seutil_sigchld_newrole(mysqld_t)
  ')
  
-@@ -155,21 +160,18 @@ optional_policy(`
+@@ -155,21 +162,18 @@ optional_policy(`
  
  #######################################
  #
@@ -49584,7 +49905,7 @@ index 7584bbe..ae0d53a 100644
  
  list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
  manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
-@@ -177,9 +179,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+@@ -177,9 +181,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
  logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
  
  manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
@@ -49595,7 +49916,7 @@ index 7584bbe..ae0d53a 100644
  
  kernel_read_system_state(mysqld_safe_t)
  kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,21 +187,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -187,21 +189,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
  corecmd_exec_bin(mysqld_safe_t)
  corecmd_exec_shell(mysqld_safe_t)
  
@@ -49631,7 +49952,7 @@ index 7584bbe..ae0d53a 100644
  
  optional_policy(`
  	hostname_exec(mysqld_safe_t)
-@@ -209,7 +217,7 @@ optional_policy(`
+@@ -209,7 +219,7 @@ optional_policy(`
  
  ########################################
  #
@@ -49640,7 +49961,7 @@ index 7584bbe..ae0d53a 100644
  #
  
  allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -218,11 +226,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -218,11 +228,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
  allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
  allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -49658,7 +49979,7 @@ index 7584bbe..ae0d53a 100644
  
  domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
  
-@@ -230,31 +239,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -230,31 +241,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
  
@@ -89876,16 +90197,18 @@ index cbfe369..6594af3 100644
  	files_search_var_lib($1)
 diff --git a/snapper.fc b/snapper.fc
 new file mode 100644
-index 0000000..ab5d7e7
+index 0000000..e43fdd8
 --- /dev/null
 +++ b/snapper.fc
-@@ -0,0 +1,6 @@
+@@ -0,0 +1,8 @@
 +/usr/sbin/snapperd		--	gen_context(system_u:object_r:snapperd_exec_t,s0)
 +
 +/etc/snapper(/.*)?          gen_context(system_u:object_r:snapperd_conf_t,s0)
 +/etc/sysconfig/snapper  --  gen_context(system_u:object_r:snapperd_conf_t,s0)
 +
 +/var/log/snapper\.log.* --  gen_context(system_u:object_r:snapperd_log_t,s0)
++
++/mnt/(.*/)?.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
 diff --git a/snapper.if b/snapper.if
 new file mode 100644
 index 0000000..94105ee
diff --git a/selinux-policy.spec b/selinux-policy.spec
index dfaa269..dafc7a5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 46%{?dist}
+Release: 47%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -588,6 +588,15 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Apr 23 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-47
+- mongod should not be a part of cloudforms.pp
+- Fix labeling in snapper.fc
+- Allow docker to read unconfined_t process state
+- geoclue dbus chats with NetworkManager
+- Add cockpit policy
+- Add interface to allow tools to check the processes state of bind/named
+- Allow myslqd to use the tram port for Galera/MariaDB
+
 * Fri Apr 18 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-46
 - Allow init_t to setattr/relabelfrom dhcp state files
 - Allow dmesg to read hwdata and memory dev