diff --git a/policy/modules.conf b/policy/modules.conf
index 5c6fd8a305..afc1b36950 100644
--- a/policy/modules.conf
+++ b/policy/modules.conf
@@ -3155,3 +3155,10 @@ nvme_stas = module
 # coreos_installer
 #
 coreos_installer = module
+
+# Layer: contrib
+# Module: hg
+#
+#  hg - Mercurial source control management
+#
+hg = module
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index 29ce498848..08eb5f2e62 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -1496,6 +1496,24 @@ interface(`apache_search_sys_scripts',`
 	search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
 ')
 
+########################################
+## <summary>
+##	List apache system CGI directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_list_sys_scripts',`
+	gen_require(`
+		type httpd_sys_content_t, httpd_sys_script_exec_t;
+	')
+
+	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete all user web content.
diff --git a/policy/modules/contrib/hg.fc b/policy/modules/contrib/hg.fc
new file mode 100644
index 0000000000..380ca09b97
--- /dev/null
+++ b/policy/modules/contrib/hg.fc
@@ -0,0 +1,4 @@
+/var/lib/hg(/.*)?	gen_context(system_u:object_r:hg_content_t,s0)
+/var/www/hg(/.*)?	gen_context(system_u:object_r:hg_content_t,s0)
+
+/var/www/cgi-bin/hgweb.*	--	gen_context(system_u:object_r:hg_script_exec_t,s0)
diff --git a/policy/modules/contrib/hg.if b/policy/modules/contrib/hg.if
new file mode 100644
index 0000000000..889987bdbd
--- /dev/null
+++ b/policy/modules/contrib/hg.if
@@ -0,0 +1 @@
+## <summary>Mercurial source control management</summary>
diff --git a/policy/modules/contrib/hg.te b/policy/modules/contrib/hg.te
new file mode 100644
index 0000000000..8af5b5a73b
--- /dev/null
+++ b/policy/modules/contrib/hg.te
@@ -0,0 +1,62 @@
+policy_module(hg, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether Mercurial CGI
+##	can access cifs file systems.
+##	</p>
+## </desc>
+gen_tunable(hg_cgi_use_cifs, false)
+
+## <desc>
+##	<p>
+##	Determine whether Mercurial CGI
+##	can access nfs file systems.
+##	</p>
+## </desc>
+gen_tunable(hg_cgi_use_nfs, false)
+
+########################################
+#
+# CGI policy
+#
+
+optional_policy(`
+	apache_content_template(hg)
+	apache_content_alias_template(hg, hg)
+
+	list_dirs_pattern(hg_script_t, hg_content_t, hg_content_t)
+	read_files_pattern(hg_script_t, hg_content_t, hg_content_t)
+
+	auth_use_nsswitch(hg_script_t)
+
+	dev_read_sysfs(hg_script_t)
+
+	apache_search_config(hg_script_t)
+	apache_list_sys_scripts(hg_script_t)
+
+	kernel_dgram_send(hg_script_t)
+	optional_policy(`
+		abrt_stream_connect(hg_script_t)
+		logging_write_syslog_pid_socket(hg_script_t)
+	')
+
+	tunable_policy(`hg_cgi_use_cifs',`
+		fs_getattr_cifs(hg_script_t)
+		fs_read_cifs_files(hg_script_t)
+	',`
+		fs_dontaudit_read_cifs_files(hg_script_t)
+	')
+
+	tunable_policy(`hg_cgi_use_nfs',`
+		fs_getattr_nfs(hg_script_t)
+		fs_read_nfs_files(hg_script_t)
+	',`
+		fs_dontaudit_read_nfs_files(hg_script_t)
+	')
+')