diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index 5b464e7..8e69aa4 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -2527,3 +2527,11 @@ rhnsd = module
# gear policy
#
gear = module
+
+# Layer: contrib
+# Module: mongodb
+#
+# mongodb policy
+#
+
+mongodb = module
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index a3ec877..bb1bef1 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -8893,7 +8893,7 @@ index 2b9a3a1..f755e6b 100644
+/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+')
diff --git a/bind.if b/bind.if
-index 531a8f2..0df9341 100644
+index 531a8f2..67b6c3d 100644
--- a/bind.if
+++ b/bind.if
@@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',`
@@ -8988,28 +8988,54 @@ index 531a8f2..0df9341 100644
## Create, read, write, and delete
## bind zone files.
##
-@@ -364,11 +428,17 @@ interface(`bind_admin',`
+@@ -344,6 +408,25 @@ interface(`bind_udp_chat_named',`
+
+ ########################################
+ ##
++## Allow the domain to read bind state files in /proc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bind_read_state',`
++ gen_require(`
++ type named_t;
++ ')
++
++ kernel_search_proc($1)
++ ps_process_pattern($1, named_t)
++')
++
++########################################
++##
+ ## All of the rules required to
+ ## administrate an bind environment.
+ ##
+@@ -364,11 +447,17 @@ interface(`bind_admin',`
type named_t, named_tmp_t, named_log_t;
type named_cache_t, named_zone_t, named_initrc_exec_t;
type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
- type named_keytab_t;
+ type named_keytab_t, named_unit_file_t;
- ')
-
-- allow $1 { named_t ndc_t }:process { ptrace signal_perms };
-- ps_process_pattern($1, { named_t ndc_t })
++ ')
++
+ allow $1 named_t:process signal_perms;
+ ps_process_pattern($1, named_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 named_t:process ptrace;
-+ ')
-+
+ ')
+
+- allow $1 { named_t ndc_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { named_t ndc_t })
+ bind_run_ndc($1, $2)
init_labeled_script_domtrans($1, named_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -384,11 +454,15 @@ interface(`bind_admin',`
+@@ -384,11 +473,15 @@ interface(`bind_admin',`
files_list_etc($1)
admin_pattern($1, { named_keytab_t named_conf_t })
@@ -12704,10 +12730,10 @@ index 0000000..8ac848b
+')
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
-index 0000000..0e17a32
+index 0000000..99cab6e
--- /dev/null
+++ b/cloudform.te
-@@ -0,0 +1,298 @@
+@@ -0,0 +1,229 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -12718,7 +12744,6 @@ index 0000000..0e17a32
+
+cloudform_domain_template(deltacloudd)
+cloudform_domain_template(iwhd)
-+cloudform_domain_template(mongod)
+cloudform_domain_template(cloud_init)
+
+type cloud_init_tmp_t;
@@ -12751,21 +12776,6 @@ index 0000000..0e17a32
+type iwhd_var_run_t;
+files_pid_file(iwhd_var_run_t)
+
-+type mongod_initrc_exec_t;
-+init_script_file(mongod_initrc_exec_t)
-+
-+type mongod_log_t;
-+logging_log_file(mongod_log_t)
-+
-+type mongod_var_lib_t;
-+files_type(mongod_var_lib_t)
-+
-+type mongod_tmp_t;
-+files_tmp_file(mongod_tmp_t)
-+
-+type mongod_var_run_t;
-+files_pid_file(mongod_var_run_t)
-+
+type iwhd_log_t;
+logging_log_file(iwhd_log_t)
+
@@ -12953,59 +12963,6 @@ index 0000000..0e17a32
+
+userdom_home_manager(iwhd_t)
+
-+########################################
-+#
-+# mongod local policy
-+#
-+
-+allow mongod_t self:process { execmem setsched signal };
-+
-+allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
-+allow mongod_t self:unix_stream_socket create_stream_socket_perms;
-+allow mongod_t self:udp_socket create_socket_perms;
-+
-+manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
-+manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
-+logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log")
-+logging_log_filetrans(mongod_t, mongod_log_t, file, "mongod.log")
-+
-+manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
-+manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
-+
-+manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
-+manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
-+manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
-+files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })
-+
-+manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
-+manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
-+#needed by dbomatic
-+files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
-+
-+corecmd_exec_bin(mongod_t)
-+corecmd_exec_shell(mongod_t)
-+
-+corenet_tcp_bind_generic_node(mongod_t)
-+corenet_tcp_bind_mongod_port(mongod_t)
-+corenet_tcp_connect_mongod_port(mongod_t)
-+corenet_tcp_connect_postgresql_port(mongod_t)
-+
-+kernel_read_vm_sysctls(mongod_t)
-+kernel_read_system_state(mongod_t)
-+
-+fs_getattr_all_fs(mongod_t)
-+
-+optional_policy(`
-+ mysql_stream_connect(mongod_t)
-+')
-+
-+optional_policy(`
-+ postgresql_stream_connect(mongod_t)
-+')
-+
-+optional_policy(`
-+ sysnet_dns_name_resolve(mongod_t)
-+')
diff --git a/cmirrord.if b/cmirrord.if
index cc4e7cb..f348d27 100644
--- a/cmirrord.if
@@ -13257,6 +13214,312 @@ index 5f306dd..e01156f 100644
+ tftp_manage_config(cobblerd_t)
tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
')
+diff --git a/cockpit.fc b/cockpit.fc
+new file mode 100644
+index 0000000..ee6e817
+--- /dev/null
++++ b/cockpit.fc
+@@ -0,0 +1,9 @@
++/usr/lib/systemd/system/cockpit.service -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
++
++/usr/lib/systemd/system/cockpit.socket -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
++
++/usr/lib/systemd/system/cockpitd.service -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
++
++/usr/libexec/cockpitd -- gen_context(system_u:object_r:cockpit_exec_t,s0)
++
++/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0)
+diff --git a/cockpit.if b/cockpit.if
+new file mode 100644
+index 0000000..25e3237
+--- /dev/null
++++ b/cockpit.if
+@@ -0,0 +1,186 @@
++
++## policy for cockpit
++
++########################################
++##
++## Execute TEMPLATE in the cockpit domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cockpit_domtrans',`
++ gen_require(`
++ type cockpit_t, cockpit_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, cockpit_exec_t, cockpit_t)
++')
++
++########################################
++##
++## Search cockpit lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cockpit_search_lib',`
++ gen_require(`
++ type cockpit_var_lib_t;
++ ')
++
++ allow $1 cockpit_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read cockpit lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cockpit_read_lib_files',`
++ gen_require(`
++ type cockpit_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
++')
++
++########################################
++##
++## Manage cockpit lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cockpit_manage_lib_files',`
++ gen_require(`
++ type cockpit_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
++')
++
++########################################
++##
++## Manage cockpit lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cockpit_manage_lib_dirs',`
++ gen_require(`
++ type cockpit_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
++')
++
++########################################
++##
++## Execute cockpit server in the cockpit domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cockpit_systemctl',`
++ gen_require(`
++ type cockpit_t;
++ type cockpit_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 cockpit_unit_file_t:file read_file_perms;
++ allow $1 cockpit_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, cockpit_t)
++')
++
++
++########################################
++##
++## Send and receive messages from
++## cockpit over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cockpit_dbus_chat',`
++ gen_require(`
++ type cockpit_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 cockpit_t:dbus send_msg;
++ allow cockpit_t $1:dbus send_msg;
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an cockpit environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`cockpit_admin',`
++ gen_require(`
++ type cockpit_t;
++ type cockpit_var_lib_t;
++ type cockpit_unit_file_t;
++ ')
++
++ allow $1 cockpit_t:process { signal_perms };
++ ps_process_pattern($1, cockpit_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cockpit_t:process ptrace;
++ ')
++
++ files_search_var_lib($1)
++ admin_pattern($1, cockpit_var_lib_t)
++
++ cockpit_systemctl($1)
++ admin_pattern($1, cockpit_unit_file_t)
++ allow $1 cockpit_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/cockpit.te b/cockpit.te
+new file mode 100644
+index 0000000..ede96a7
+--- /dev/null
++++ b/cockpit.te
+@@ -0,0 +1,93 @@
++policy_module(cockpit, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type cockpit_t;
++type cockpit_exec_t;
++init_daemon_domain(cockpit_t, cockpit_exec_t)
++
++type cockpit_var_lib_t;
++files_type(cockpit_var_lib_t)
++
++type cockpit_unit_file_t;
++systemd_unit_file(cockpit_unit_file_t)
++
++########################################
++#
++# cockpit local policy
++#
++allow cockpit_t self:capability net_admin;
++allow cockpit_t self:fifo_file rw_fifo_file_perms;
++allow cockpit_t self:unix_stream_socket create_stream_socket_perms;
++allow cockpit_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow cockpit_t self:unix_dgram_socket create_socket_perms;
++
++manage_dirs_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t)
++manage_files_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t)
++manage_lnk_files_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t)
++files_var_lib_filetrans(cockpit_t, cockpit_var_lib_t, { dir file lnk_file })
++
++kernel_read_system_state(cockpit_t)
++kernel_read_network_state(cockpit_t)
++
++corecmd_exec_bin(cockpit_t)
++corecmd_exec_shell(cockpit_t)
++
++dev_read_sysfs(cockpit_t)
++
++domain_use_interactive_fds(cockpit_t)
++domain_read_all_domains_state(cockpit_t)
++
++files_read_etc_files(cockpit_t)
++files_list_tmp(cockpit_t)
++
++fs_read_tmpfs_symlinks(cockpit_t)
++fs_list_cgroup_dirs(cockpit_t)
++fs_read_cgroup_files(cockpit_t)
++fs_getattr_all_fs(cockpit_t)
++
++auth_use_nsswitch(cockpit_t)
++
++init_dbus_chat(cockpit_t)
++init_status(cockpit_t)
++init_read_state(cockpit_t)
++init_list_pid_dirs(cockpit_t)
++
++logging_send_syslog_msg(cockpit_t)
++
++miscfiles_read_localization(cockpit_t)
++
++systemd_status_all_unit_files(cockpit_t)
++systemd_read_logind_sessions_files(cockpit_t)
++
++udev_read_pid_files(cockpit_t)
++
++optional_policy(`
++ dbus_system_bus_client(cockpit_t)
++ dbus_connect_system_bus(cockpit_t)
++
++ optional_policy(`
++ accountsd_dbus_chat(cockpit_t)
++ ')
++
++ optional_policy(`
++ devicekit_dbus_chat_disk(cockpit_t)
++ devicekit_dbus_chat_power(cockpit_t)
++ ')
++
++ optional_policy(`
++ networkmanager_dbus_chat(cockpit_t)
++ networkmanager_stream_connect(cockpit_t)
++ ')
++
++ optional_policy(`
++ realmd_dbus_chat(cockpit_t)
++ ')
++')
++
++optional_policy(`
++ docker_stream_connect(cockpit_t)
++')
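Review bot: In cockpit.te the daemon domain gets `docker_stream_connect(cockpit_t)`, `corecmd_exec_shell(cockpit_t)` and `allow cockpit_t self:capability net_admin;` with no comment saying which cockpit feature needs each one, which makes the module hard to audit against least privilege; going by the interface name, the Docker grant lets the daemon talk to the Docker daemon's socket. I would put a one-line why-comment above each, e.g. `# <feature> needs this; see <bug reference>`, so a later reviewer can tell whether the rule can be dropped or moved behind a boolean. In cockpit.if the summaries still carry generator wording: `Execute TEMPLATE in the cockpit domin.` should read `Execute cockpit in the cockpit domain.`, and the `cockpit_systemctl` summary describes a domain transition although the body grants systemctl access to `cockpit_unit_file_t`. `cockpit_admin` also documents a role parameter, but its body only uses `$1`.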
diff --git a/collectd.fc b/collectd.fc
index 79a3abe..8d70290 100644
--- a/collectd.fc
@@ -23835,10 +24098,10 @@ index 0000000..1048292
+')
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..d5a606c
+index 0000000..acaabd3
--- /dev/null
+++ b/docker.te
-@@ -0,0 +1,266 @@
+@@ -0,0 +1,267 @@
+policy_module(docker, 1.0.0)
+
+########################################
@@ -24068,6 +24331,7 @@ index 0000000..d5a606c
+
+userdom_stream_connect(docker_t)
+userdom_search_user_home_content(docker_t)
++userdom_read_all_users_state(docker_t)
+
+optional_policy(`
+ dbus_system_bus_client(docker_t)
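Review bot: `userdom_read_all_users_state(docker_t)` looks broader than the stated need: the changelog entry for this change says `Allow docker to read unconfined_t process state`, while the interface name suggests read access to the process state of all user domains. If only unconfined_t is required, an interface scoped to that domain would be the tighter choice; otherwise a comment such as `# docker reads the process state of user domains` would record why the wider grant is intended. The rest of docker.te is outside this hunk, so I cannot see whether a narrower rule already exists.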
@@ -28272,10 +28536,10 @@ index 0000000..9e17d3e
+')
diff --git a/geoclue.te b/geoclue.te
new file mode 100644
-index 0000000..95c3a2b
+index 0000000..7106428
--- /dev/null
+++ b/geoclue.te
-@@ -0,0 +1,47 @@
+@@ -0,0 +1,51 @@
+policy_module(geoclue, 1.0.0)
+
+########################################
@@ -28322,6 +28586,10 @@ index 0000000..95c3a2b
+
+optional_policy(`
+ dbus_system_domain(geoclue_t, geoclue_exec_t)
++
++ optional_policy(`
++ networkmanager_dbus_chat(geoclue_t)
++ ')
+')
diff --git a/gift.te b/gift.te
index 8a820fa..996b30c 100644
@@ -43927,20 +44195,59 @@ index b94102e..25d1d33 100644
+ ')
+')
diff --git a/mongodb.te b/mongodb.te
-index 169f236..a9a3284 100644
+index 169f236..2184be0 100644
--- a/mongodb.te
+++ b/mongodb.te
-@@ -41,7 +41,8 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
+@@ -21,19 +21,27 @@ files_type(mongod_var_lib_t)
+ type mongod_var_run_t;
+ files_pid_file(mongod_var_run_t)
+
++type mongod_tmp_t;
++files_tmp_file(mongod_tmp_t)
++
+ ########################################
+ #
+ # Local policy
+ #
+
+-allow mongod_t self:process signal;
++
++allow mongod_t self:process { setsched signal };
+ allow mongod_t self:fifo_file rw_fifo_file_perms;
+
++allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
++allow mongod_t self:unix_stream_socket create_stream_socket_perms;
++allow mongod_t self:udp_socket create_socket_perms;
++
+ manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
+ append_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
+ create_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
+ setattr_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
+-logging_log_filetrans(mongod_t, mongod_log_t, dir)
++logging_log_filetrans(mongod_t, mongod_log_t, { dir file })
+
+ manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
+ manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
+@@ -41,21 +49,41 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
-files_pid_filetrans(mongod_t, mongod_var_run_t, dir)
+manage_sock_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
+files_pid_filetrans(mongod_t, mongod_var_run_t, { dir file sock_file })
++
++manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
++manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
++manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
++files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })
kernel_read_system_state(mongod_t)
++kernel_read_vm_sysctls(mongod_t)
++
++corecmd_exec_bin(mongod_t)
++corecmd_exec_shell(mongod_t)
-@@ -49,13 +50,11 @@ corenet_all_recvfrom_unlabeled(mongod_t)
+ corenet_all_recvfrom_unlabeled(mongod_t)
corenet_all_recvfrom_netlabel(mongod_t)
corenet_tcp_sendrecv_generic_if(mongod_t)
corenet_tcp_sendrecv_generic_node(mongod_t)
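Review bot: `corecmd_exec_shell(mongod_t)` and `corecmd_exec_bin(mongod_t)` now sit in the generic mongodb module, so they appear to apply to every mongod rather than only to the CloudForms policy they were removed from; the same goes for the `mysql_stream_connect(mongod_t)` and `postgresql_stream_connect(mongod_t)` blocks added in the following hunk (`@@ -43955,6 +44262,18 @@`). The removed cloudform.te copy at least carried `#needed by dbomatic` on its pid filetrans, and that rationale is lost in the move. I would add a comment above these rules, e.g. `# carried over from cloudform.te (dbomatic); review whether plain mongod needs this`, or keep them on the cloudform side if stock MongoDB does not need a shell or the SQL sockets. Dropping `execmem` from `self:process` during the move is a welcome tightening.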
@@ -43955,6 +44262,18 @@ index 169f236..a9a3284 100644
fs_getattr_all_fs(mongod_t)
-miscfiles_read_localization(mongod_t)
++optional_policy(`
++ mysql_stream_connect(mongod_t)
++')
++
++optional_policy(`
++ postgresql_stream_connect(mongod_t)
++')
++
++optional_policy(`
++ sysnet_dns_name_resolve(mongod_t)
++')
++
diff --git a/mono.te b/mono.te
index a6a8643..c0f6cf5 100644
--- a/mono.te
@@ -49397,7 +49716,7 @@ index 687af38..a77dc09 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
-index 7584bbe..ae0d53a 100644
+index 7584bbe..494cd37 100644
--- a/mysql.te
+++ b/mysql.te
@@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1)
@@ -49474,7 +49793,7 @@ index 7584bbe..ae0d53a 100644
manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
-@@ -95,50 +92,54 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+@@ -95,50 +92,56 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
@@ -49501,11 +49820,13 @@ index 7584bbe..ae0d53a 100644
-corenet_sendrecv_mysqld_server_packets(mysqld_t)
corenet_tcp_bind_mysqld_port(mysqld_t)
-corenet_sendrecv_mysqld_client_packets(mysqld_t)
++corenet_tcp_bind_tram_port(mysqld_t)
corenet_tcp_connect_mysqld_port(mysqld_t)
-corenet_tcp_sendrecv_mysqld_port(mysqld_t)
-
-corecmd_exec_bin(mysqld_t)
-corecmd_exec_shell(mysqld_t)
++corenet_tcp_connect_tram_port(mysqld_t)
+corenet_sendrecv_mysqld_client_packets(mysqld_t)
+corenet_sendrecv_mysqld_server_packets(mysqld_t)
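Review bot: The two tram-port rules, `corenet_tcp_bind_tram_port(mysqld_t)` and `corenet_tcp_connect_tram_port(mysqld_t)`, apply to every mysqld, and the reason for them is recorded only in the spec changelog. I would add a comment above them in mysql.te, e.g. `# Galera/MariaDB uses the tram port`, so the grant can be traced and re-evaluated later. The surrounding mysql.te rules start and end outside this hunk.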
@@ -49546,7 +49867,7 @@ index 7584bbe..ae0d53a 100644
')
optional_policy(`
-@@ -146,6 +147,10 @@ optional_policy(`
+@@ -146,6 +149,10 @@ optional_policy(`
')
optional_policy(`
@@ -49557,7 +49878,7 @@ index 7584bbe..ae0d53a 100644
seutil_sigchld_newrole(mysqld_t)
')
-@@ -155,21 +160,18 @@ optional_policy(`
+@@ -155,21 +162,18 @@ optional_policy(`
#######################################
#
@@ -49584,7 +49905,7 @@ index 7584bbe..ae0d53a 100644
list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
-@@ -177,9 +179,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+@@ -177,9 +181,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
@@ -49595,7 +49916,7 @@ index 7584bbe..ae0d53a 100644
kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,21 +187,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -187,21 +189,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
corecmd_exec_bin(mysqld_safe_t)
corecmd_exec_shell(mysqld_safe_t)
@@ -49631,7 +49952,7 @@ index 7584bbe..ae0d53a 100644
optional_policy(`
hostname_exec(mysqld_safe_t)
-@@ -209,7 +217,7 @@ optional_policy(`
+@@ -209,7 +219,7 @@ optional_policy(`
########################################
#
@@ -49640,7 +49961,7 @@ index 7584bbe..ae0d53a 100644
#
allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -218,11 +226,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -218,11 +228,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
@@ -49658,7 +49979,7 @@ index 7584bbe..ae0d53a 100644
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
-@@ -230,31 +239,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -230,31 +241,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
@@ -89876,16 +90197,18 @@ index cbfe369..6594af3 100644
files_search_var_lib($1)
diff --git a/snapper.fc b/snapper.fc
new file mode 100644
-index 0000000..ab5d7e7
+index 0000000..e43fdd8
--- /dev/null
+++ b/snapper.fc
-@@ -0,0 +1,6 @@
+@@ -0,0 +1,8 @@
+/usr/sbin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0)
+
+/etc/snapper(/.*)? gen_context(system_u:object_r:snapperd_conf_t,s0)
+/etc/sysconfig/snapper -- gen_context(system_u:object_r:snapperd_conf_t,s0)
+
+/var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0)
++
++/mnt/(.*/)?.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
diff --git a/snapper.if b/snapper.if
new file mode 100644
index 0000000..94105ee
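Review bot: In the added snapper.fc line `/mnt/(.*/)?.snapshots(/.*)?` the dot before `snapshots` is unescaped, so as a regular expression it matches any character there and would label paths other than `.snapshots` directories as `snapperd_data_t`; the log entry two lines above does escape its dot (`snapper\.log`). I would write the path as `/mnt/(.*/)?\.snapshots(/.*)?` and leave the `gen_context(...)` part unchanged. The declaration of `snapperd_data_t` is not in this hunk, so check that snapper.te defines it.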
diff --git a/selinux-policy.spec b/selinux-policy.spec
index dfaa269..dafc7a5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 46%{?dist}
+Release: 47%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -588,6 +588,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Apr 23 2014 Miroslav Grepl 3.13.1-47
+- mongod should not be a part of cloudforms.pp
+- Fix labeling in snapper.fc
+- Allow docker to read unconfined_t process state
+- geoclue dbus chats with NetworkManager
+- Add cockpit policy
+- Add interface to allow tools to check the processes state of bind/named
+- Allow myslqd to use the tram port for Galera/MariaDB
+
* Fri Apr 18 2014 Miroslav Grepl 3.13.1-46
- Allow init_t to setattr/relabelfrom dhcp state files
- Allow dmesg to read hwdata and memory dev