diff --git a/Changelog b/Changelog index 617f49ec3..d00f2cfaa 100644 --- a/Changelog +++ b/Changelog 
@@ -1,3 +1,237 @@ +* Sun Oct 23 2016 Chris PeBenito - 2.20161023 +Chris PeBenito (94): + Module version bump for systemd-user-sessions fc entry from Dominick Grift + Module version bumps for 2 patches from Dominick Grift. + Module version bump for vm overcommit sysctl interfaces from Laurent + Bigonville. + Update contrib. + Module version bump for Xorg and SSH patches from Nicolas Iooss. + Add neverallow for mac_override capability. It is not used by SELinux. + Merge branch 'overcommit-1' of git://github.com/bigon/refpolicy into + bigon-overcommit-1 + Merge branch 'bigon-overcommit-1' + Merge branch 'systemd-1' of git://github.com/bigon/refpolicy into + bigon-systemd-1 + Merge branch 'bigon-systemd-1' + Module version bump for syslog and systemd changes from Laurent Bigonville + Merge pull request #19 from shootingatshadow/fc_sort + Merge branch 'xorg-1' of git://github.com/bigon/refpolicy into + bigon-xorg-1 + Merge branch 'bigon-xorg-1' + Module version bump for Debian Xorg fc fixes from Laurent Bigonville + Add a type and genfscon for nsfs. + Module version bump for systemd PrivateNetwork patch from Nicolas Iooss + Module version bump for systemd audit_read capability from Laurent + Bigonville + Merge pull request #21 from fishilico/typos + Module version bump for patches from Nicolas Iooss and Grant Ridder. + Update contrib. + Module version bump for efivarfs patches from Dan Walsh, Vit Mojzis, and + Laurent Bigonville + Module version bump for ipset fc entry from Laurent Bigonville. + Update contrib. + Whitespace fix in iptables.fc. + Module version bump for iptables fc entries from Laurent Bigonville and + Lukas Vrabec. + Update contrib. + Module version bump for iptables/firewalld patch from Laurent Bigonville. + Merge pull request #29 from bigon/appconfig-lxc + Module version bump for getty patch from Luis Ressel. + Module version bump for tboot utils from Luis Ressel and systemd fix from + Jason Zaman. 
+ Merge branch 'corecommands-archlinux' of + https://github.com/fishilico/selinux-refpolicy-patched + Merge branch 'dev_setattr_dlm_control-typo' of + https://github.com/fishilico/selinux-refpolicy-patched + Merge branch 'kdevtmpfs-unlink' of + https://github.com/fishilico/selinux-refpolicy-patched + Module version bump for several Arch fixes from Nicolas Iooss. + Update contrib. + Reduce broad entrypoints for unconfined domains. + Update Travis-CI build to newest SELinux userspace release. + Update su for libselinux-2.5 changes. + Merge branch 'selinux-1' of https://github.com/bigon/refpolicy + Module version bump for Debian fc entries from Laurent Bigonville. + Module version bump for patches from Dominick Grift and Lukas Vrabec. + Add user namespace capability object classes. + Module version bump for hwloc-dump-hwdata from Dominick Grift and Grzegorz + Andrejczuk. + Module version bump for nftables fc entry from Jason Zaman. + Update contrib. + Module version bump for LMNR port from Laurent Bigonville. + Module version bump for systemd-resolved patch from Laurent BIgonville. + Merge branch 'master' of https://github.com/qqo/refpolicy into qqo-master + Merge branch 'qqo-master' + Module version bump for mlstrustedsocket from qqo. + Module version bumps + contrib update for user_runtime from Jason Zaman. + Update contrib. + Module version bump for corecommands update from Garrett Holmstrom. + Module version bump for MLS relabeling patch from Lukas Vrabec. + Get attributes of generic ptys, from Russell Coker. + Module version bump for user_udp_server tunable from Russell Coker. + libraries: Move libsystemd fc entry. + libraries: Module version bump for libsystemd fc entry from Lukas Vrabec. + Update contrib. + Systemd units from Russell Coker. + corenetwork: Add port labeling for Global Catalog over LDAPS. + corenetwork: Missed version bump for previous commit. + Update contrib. + Allow the system user domains to chat over dbus with a few other domains + (e.g. 
gnome session). + Update alsa module use from Guido Trentalancia. + Update the sysnetwork module to add some permissions needed by the dhcp + client (another separate patch makes changes to the ifconfig part). + Ifconfig should be able to read firmware files in /lib (i.e. some network + cards need to load their firmware) and it should not audit attempts to + load kernel modules directly. + Remove redundant libs_read_lib_files() for ifconfig_t. + Module version bump for various patches from Guido Trentalancia. + Update contrib. + Update for the xserver module: + userdomain: Fix compile errors. + Update contrib. + Merge pull request #38 from fishilico/travis-nosudo + Module version bump for module_load perm use from Guido Trentalancia. + Update contrib. + Merge pull request #39 from rfkrocktk/feature/vagrant + Merge pull request #40 from jer-gentoo/patch-1 + userdomain: Move enable_mls block in userdom_common_user_template(). + Module version bumps for LVM and useromain patches from Guido + Trentalancia. + Update contrib. + Additional change from Guido Trentalancia related to evolution. + Module version bump for selinuxutil fix from Jason Zaman. + Update contrib. + Update contrib. + Merge branch 'feature/syncthing' of https://github.com/rfkrocktk/refpolicy + into rfkrocktk-feature/syncthing + Merge branch 'rfkrocktk-feature/syncthing' + Module version bumps for syncthing from Naftuli Tzvi Kay. + Merge pull request #41 from SeanPlacchetti/patch-1 + Merge pull request #42 from SeanPlacchetti/patch-1 + Merge pull request #43 from williamcroberts/google-patch + Update contrib. + Bump module versions for release. 
+ +Dan Walsh (1): + Add label for efivarfs + +Dominick Grift (5): + systemd: add missing file context spec for systemd-user-sessions + executable file + authlogin: remove duplicate files_list_var_lib(nsswitch_domain) + kernel: implement sysctl_vm_overcommit_t for + /proc/sys/vm/overcommit_memory + systemd: Add support for --log-target + Update refpolicy to handle hwloc + +Garrett Holmstrom (1): + corecmd: Remove fcontext for /etc/sysconfig/libvirtd + +Grant Ridder (1): + Add redis-sentinel port to redis network_port def + +Guido Trentalancia (6): + Add module_load permission to class system + Add module_load permission to can_load_kernmodule + Remove deprecated semodule options from Makefile + Update the lvm module + Improve tunable support for rw operations on noxattr fs / removable media + userdomain: introduce the user certificate file context (was miscfiles: + introduce the user certificate file context) + +Jason Zaman (6): + system/init: move systemd_ interfaces into optional_policy + iptables: add fcontext for nftables + authlogin: remove fcontext for /var/run/user + userdomain: Introduce types for /run/user + userdomain: user_tmp requires searching /run/user + userdomain: introduce interfaces for user runtime + +Jason Zaman via refpolicy (1): + selinuxutil: allow setfiles to read semanage store + +Jeroen Roovers (1): + Use $(AWK) not plain awk + +Laurent Bigonville (15): + Add interfaces to read/write /proc/sys/vm/overcommit_memory + Give some systemd domain access to /proc/sys/kernel/random/boot_id + On Debian, systemd binaries are installed in / not /usr + Allow syslogd_t to read sysctl_vm_overcommit_t + Label Xorg server binary correctly on Debian + Allow systemd the audit_read capability + Allow logind to read efivarfs files + Add label for /sbin/ipset + Label /var/run/ebtables.lock as iptables_var_run_t. 
+ Allow {eb,ip,ip6}tables-restore to read files in /run/firewalld + Add lxc_contexts config file + Add some labels for SELinux tools path in Debian + Add the validate_trans access vector to the security class + Add llmnr/5355 (Link-local Multicast Name Resolution) + Add policy for systemd-resolved + +Luis Ressel (2): + Allow getty the sys_admin capability + Allow sysadm to run txt-stat. + +Lukas Vrabec (4): + Label /var/run/xtables.lock as iptables_var_run_t. + SELinux support for cgroup2 filesystem. + Add new MLS attribute to allow relabeling objects higher than system low. + This exception is needed for package managers when processing sensitive + data. + Systemd by version 231 starts using shared library and systemd daemons + execute it. For this reason lib_t type is needed. + +Mike Palmiotto (1): + Add mls support for some db classes + +Naftuli Tzvi Kay (2): + Add Syncthing Support to Policy + Add Vagrant box for development. + +Nicolas Iooss (18): + Label Xorg server binary correctly on Arch Linux + Label OpenSSH files correctly on Arch Linux + Label OpenSSH systemd unit files + Allow systemd services to use PrivateNetwork feature + Fix typo in init_dbus_chat requirements + Fix typos in comments from corenetwork module + man: Spelling fixes + Fix interface descriptions when duplicate ones are found + Label /sys/kernel/debug/tracing filesystem + Label TexLive scripts bin_t + Label system-config-printer applet properly on Arch Linux + Label gedit plugins properly on Arch Linux + Label some user session DBus services as bin_t + Do not label /usr/lib/gvfs/libgvfscommon.so as bin_t + Fix typo in dev_setattr_dlm_control interface requirements + Allow kdevtmpfs to unlink fixed disk devices + Fix typo in module compilation message + Make Travis-CI build without using sudo + +Rahul Chaudhry (1): + fc_sort: cleanup warnings caught by clang tidy / static analyzer. 
+ +Russell Coker (2): + user_udp_server tunable + getattr on unlabeled blk devs + +Sean Placchetti (2): + Update to refpolicy spec file + Update specfile + +Vit Mojzis (1): + Add interface to allow reading files in efivarfs - contains Linux Kernel + configuration options for UEFI systems (UEFI Runtime Variables) + +William Roberts (1): + fc_sort: strip whitespace errors + +qqo (1): + Adds attribute mlstrustedsocket, along with the interface. + * Tue Dec 08 2015 Chris PeBenito - 2.20151208 Alexander Wetzel (1): adds vfio device support to base policy diff --git a/VERSION b/VERSION index 382483ec9..f0110194e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.20151208 +2.20161023 diff --git a/policy/modules/contrib b/policy/modules/contrib index f86706a14..082f271d9 160000 --- a/policy/modules/contrib +++ b/policy/modules/contrib @@ -1 +1 @@ -Subproject commit f86706a14b661be798c4929d533b99d0bf4449e7 +Subproject commit 082f271d9304aaa8e7d8107d94ba47b71b875a8d
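Review bot: Three entries in the Changelog hunk, all under "Chris PeBenito (94)", carry typos that will ship in the release notes: "LMNR port" (Laurent Bigonville's own entry reads "llmnr/5355"), "Laurent BIgonville" in the systemd-resolved line, and "useromain patches" in the LVM line. "Update for the xserver module:" also ends in a colon with nothing after it. If the list is generated from commit subjects, the entries may have to stay as they are. In that case, consider a short hand-written summary above the shortlog that calls out the entries that change policy behaviour, such as "Reduce broad entrypoints for unconfined domains", "Add module_load permission to class system" and "Add user namespace capability object classes". These are currently buried among the merge, "Update contrib." and version-bump lines, where downstream policy maintainers can easily miss them.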
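Review bot: The policy/modules/contrib hunk moves the subproject pointer from f86706a14 to 082f271d9, but nothing in the patch says what that contrib commit contains; the Changelog only repeats "Update contrib." Suggest naming the contrib tag or commit subject that 082f271d9 corresponds to in the commit message, so the pinned revision can be checked against the 2.20161023 release set in VERSION.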