See spec file

modules-targeted-contrib.conf

@@ -2457,3 +2457,17 @@ ipa = module
 # mirrormanager policy
 #
 mirrormanager = module
+
+# Layer: contrib
+# Module: snapper 
+# 
+# snapper policy
+#
+snapper = module
+
+# Layer: contrib
+# Module: pcp
+# 
+# pcp policy
+#
+pcp = module

selinux-policy.spec

@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -576,6 +576,61 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Jan 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-14
+- Make rpm_transition_script accept a role
+- Clean up pcp.te
+- Added new policy for pcp
+- Allow bumbleed to connect to xserver port
+- Added support for named-sdb in bind policy
+- Allow NetworkManager to signal and sigkill init scripts
+- Allow pegasus_openlmi_storage_t to read hwdata
+- Fix rhcs_rw_cluster_tmpfs()
+- Allow fenced_t to bind on zented udp port
+- Fix mirrormanager_read_lib_files()
+- Allow mirromanager scripts running as httpd_t to manage mirrormanager pid files
+- Dontaudit read/write to init stream socket for lsmd_plugin_t
+- Allow automount to read nfs link files
+- Allow lsm plugins to read/write lsmd stream socket
+- Allow svirt_lxc domains to umount dockersocket filesytem
+- Allow gnome keyring domains to create gnome config dirs
+- Allow rpm scritplets to create /run/gather with correct labeling
+- Add sblim_filetrans_named_content() interface
+- Allow ctdb to create sock files in /var/run/ctdb
+- Add also labeling for /var/run/ctdb
+- Add missing labeling for /var/lib/ctdb
+- ALlow tuned to manage syslog.conf. Should be fixed in tuned. #1030446
+- Dontaudit hypervkvp to search homedirs
+- Dontaudit hypervkvp to search admin homedirs
+- Allow hypervkvp to execute bin_t and ifconfig in the caller domain
+- Dontaudit xguest_t to read ABRT conf files
+- Add abrt_dontaudit_read_config()
+- Allow namespace-init to getattr on fs
+- Add thumb_role() also for xguest
+- Add filename transitions to create .spamassassin with correct labeling
+- Allow apache domain to read mirrormanager pid files
+- Allow domains to read/write shm and sem owned by mozilla_plugin_t
+- Allow alsactl to send a generic signal to kernel_t
+- Allow plymouthd to read run/udev/queue.bin
+- Allow sys_chroot for NM required by iodine service
+- Change glusterd to allow mounton all non security
+- Labeled ~/.nv/GLCache as being gstreamer output
+- Restrict the ability to set usermodehelpers and proc security settings.
+- Limit the ability to write to the files that configure kernel i
+- usermodehelpers and security-sensitive proc settings to the init domain. i
+- Permissive domains can also continue to set these values.
+- The current list is not exhaustive, just an initial set.
+- Not all of these files will exist on all kernels/devices.
+- Controlling access to certain kernel usermodehelpers, e.g. cgroup
+- release_agent, will require kernel changes to support and cannot be
+- addressed here.
+- Ideas come from Stephen Smalley and seandroid
+- Make rpm_transition_script accept a role
+- Make rpm_transition_script accept a role
+- Allow NetworkManager to signal and sigkill init scripts
+- Allow init_t to work on transitient and snapshot unit files
+- Add logging_manage_syslog_config()
+- Update sysnet_dns_name_resolve() to allow connect to dnssec port
+
 * Mon Jan 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-13
 - Remove file_t from the system and realias it with unlabeled_t