diff --git a/SOURCES/policy-rhel-7.6.z-base.patch b/SOURCES/policy-rhel-7.6.z-base.patch
index f63d0a4..ddd5e75 100644
--- a/SOURCES/policy-rhel-7.6.z-base.patch
+++ b/SOURCES/policy-rhel-7.6.z-base.patch
@@ -10,6 +10,53 @@ index b6debf340..329eb3922 100644
allow $1_sudo_t $3:key search;
# Enter this derived domain from the user domain
+diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
+index 5fa83a2fb..34fd0b0f1 100644
+--- a/policy/modules/kernel/domain.if
++++ b/policy/modules/kernel/domain.if
+@@ -602,6 +602,42 @@ interface(`domain_search_all_domains_state',`
+ allow $1 domain:dir search_dir_perms;
+ ')
+
++########################################
++##
++## Allow read and write of process kernel keyrings
++##
++##
++##
++## Domain to dontaudit.
++##
++##
++#
++interface(`domain_rw_all_domains_keyrings',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ allow $1 domain:key { read write};
++')
++
++########################################
++##
++## Allow manage of process kernel keyrings
++##
++##
++##
++## Domain to dontaudit.
++##
++##
++#
++interface(`domain_manage_all_domains_keyrings',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ allow $1 domain:key manage_key_perms;
++')
++
+ ########################################
+ ##
+ ## Do not audit attempts to search the process
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index c03a52c04..8569b19db 100644
--- a/policy/modules/roles/staff.te
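Review bot: The parameter description on both new interfaces reads `## Domain to dontaudit.`, but `domain_rw_all_domains_keyrings` and `domain_manage_all_domains_keyrings` each emit an `allow` rule on `domain:key`, so the text looks copied from a dontaudit interface and should read `## Domain allowed access.`. Because these interfaces grant key access across the whole `domain` attribute, the summary should say so explicitly, for example `## Allow read and write of the kernel keyrings of all domains.`, so that a caller sees the breadth of the grant. The `<summary>`/`<param>` markup seems to be missing from the bare `##` lines in this view; that may be an artifact of how the page was rendered and is worth confirming in the actual file. Minor style: `{ read write}` lacks the space before the closing brace.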
diff --git a/SOURCES/policy-rhel-7.6.z-contrib.patch b/SOURCES/policy-rhel-7.6.z-contrib.patch
index 4f47591..eed0798 100644
--- a/SOURCES/policy-rhel-7.6.z-contrib.patch
+++ b/SOURCES/policy-rhel-7.6.z-contrib.patch
@@ -459,7 +459,7 @@ index 2ee527f2a..79a2a9c48 100644
- allow nfsd_t $1:dbus send_msg;
-')
diff --git a/rpc.te b/rpc.te
-index f4df4fda2..f585a7fb5 100644
+index f4df4fda2..b9665f773 100644
--- a/rpc.te
+++ b/rpc.te
@@ -65,13 +65,6 @@ systemd_unit_file(nfsd_unit_file_t)
@@ -511,6 +511,61 @@ index f4df4fda2..f585a7fb5 100644
optional_policy(`
mount_exec(nfsd_t)
mount_manage_pid_files(nfsd_t)
+@@ -357,6 +331,8 @@ kernel_signal(gssd_t)
+
+ corecmd_exec_bin(gssd_t)
+
++domain_manage_all_domains_keyrings(gssd_t)
++
+ fs_list_rpc(gssd_t)
+ fs_rw_rpc_sockets(gssd_t)
+ fs_read_rpc_files(gssd_t)
+diff --git a/rpm.te b/rpm.te
+index 7394a0dfc..4402cbe09 100644
+--- a/rpm.te
++++ b/rpm.te
+@@ -34,6 +34,7 @@ logging_log_file(rpm_log_t)
+
+ type rpm_var_lib_t;
+ files_type(rpm_var_lib_t)
++files_mountpoint(rpm_var_lib_t)
+ typealias rpm_var_lib_t alias var_lib_rpm_t;
+
+ type rpm_var_cache_t;
+diff --git a/snapper.fc b/snapper.fc
+index 4f4bdb397..0a43846a8 100644
+--- a/snapper.fc
++++ b/snapper.fc
+@@ -7,6 +7,7 @@
+
+ /mnt/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
+ /\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
++
+ /usr/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
+ /var/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
+ /etc/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
+diff --git a/snapper.te b/snapper.te
+index 8c9e4a200..5be6d3542 100644
+--- a/snapper.te
++++ b/snapper.te
+@@ -22,7 +22,7 @@ files_type(snapperd_data_t)
+ #
+ # snapperd local policy
+ #
+-allow snapperd_t self:capability { dac_read_search fowner sys_admin };
++allow snapperd_t self:capability { dac_read_search dac_override fowner sys_admin };
+ allow snapperd_t self:process setsched;
+
+ allow snapperd_t self:fifo_file rw_fifo_file_perms;
+@@ -57,6 +57,8 @@ files_read_all_files(snapperd_t)
+ files_read_all_symlinks(snapperd_t)
+ files_list_all(snapperd_t)
+ files_manage_isid_type_dirs(snapperd_t)
++files_manage_non_security_dirs(snapperd_t)
++files_relabel_non_security_files(snapperd_t)
+
+ fs_getattr_all_fs(snapperd_t)
+ fs_mount_xattr_fs(snapperd_t)
diff --git a/sysstat.te b/sysstat.te
index a2690e315..efb2f855c 100644
--- a/sysstat.te
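Review bot: The added `domain_manage_all_domains_keyrings(gssd_t)` call gives gssd_t `manage_key_perms` on the keys of every type in the `domain` attribute, with no comment saying why it needs more than the read/write variant that the 229.8 changelog entry introduced. A comment above the call such as `# gssd_t manages the keyrings of all domains, see rhbz#1665815` would record the justification; if only a subset of key permissions is actually needed, `domain_rw_all_domains_keyrings` would be the least-privilege choice, though the hunk does not show which permissions were denied. The same concern applies to the snapperd lines further down: `dac_override` together with `files_manage_non_security_dirs` and `files_relabel_non_security_files` widens snapperd_t considerably and carries no rationale in the policy file. The blank line added in snapper.fc looks unintentional.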
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 40d3140..ec77df7 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 229%{?dist}.6
+Release: 229%{?dist}.9
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -657,6 +657,22 @@ fi
%endif
%changelog
+* Thu Jan 17 2019 Lukas Vrabec - 3.13.1-229.9
+- Allow gssd_t domain to manage kernel keyrings of every domain.
+Resolves: rhbz#1665815
+- Add new interface domain_manage_all_domains_keyrings()
+Resolves: rhbz#1665815
+
+* Mon Jan 14 2019 Lukas Vrabec - 3.13.1-229.8
+- Add interface domain_rw_all_domains_keyrings()
+Resolves: rhbz#1665815
+- Allow gssd_t domain to read/write kernel keyrings of every domain.
+Resolves: rhbz#1665815
+
+* Thu Dec 20 2018 Lukas Vrabec - 3.13.1-229.7
+- Update snapperd policy to allow snapperd manage all non security dirs.
+Resolves: rhbz#1661158
+
* Fri Nov 02 2018 Lukas Vrabec - 3.13.1-229.6
- Allow nova_t domain to use pam
Resolves: rhbz:#1645270