diff --git a/SOURCES/policy-rhel-7.6.z-base.patch b/SOURCES/policy-rhel-7.6.z-base.patch
index f63d0a4..ddd5e75 100644
--- a/SOURCES/policy-rhel-7.6.z-base.patch
+++ b/SOURCES/policy-rhel-7.6.z-base.patch
@@ -10,6 +10,53 @@ index b6debf340..329eb3922 100644
  	allow $1_sudo_t $3:key search;
  
  	# Enter this derived domain from the user domain
+diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
+index 5fa83a2fb..34fd0b0f1 100644
+--- a/policy/modules/kernel/domain.if
++++ b/policy/modules/kernel/domain.if
+@@ -602,6 +602,42 @@ interface(`domain_search_all_domains_state',`
+ 	allow $1 domain:dir search_dir_perms;
+ ')
+ 
++########################################
++## <summary>
++##	Allow read and write  of process kernel keyrings
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to dontaudit.
++##	</summary>
++## </param>
++#
++interface(`domain_rw_all_domains_keyrings',`
++	gen_require(`
++		attribute domain;
++	')
++
++	allow $1 domain:key { read write};
++')
++
++########################################
++## <summary>
++##	Allow manage of process kernel keyrings
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to dontaudit.
++##	</summary>
++## </param>
++#
++interface(`domain_manage_all_domains_keyrings',`
++	gen_require(`
++		attribute domain;
++	')
++
++	allow $1 domain:key manage_key_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Do not audit attempts to search the process
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
 index c03a52c04..8569b19db 100644
 --- a/policy/modules/roles/staff.te
diff --git a/SOURCES/policy-rhel-7.6.z-contrib.patch b/SOURCES/policy-rhel-7.6.z-contrib.patch
index 4f47591..eed0798 100644
--- a/SOURCES/policy-rhel-7.6.z-contrib.patch
+++ b/SOURCES/policy-rhel-7.6.z-contrib.patch
@@ -459,7 +459,7 @@ index 2ee527f2a..79a2a9c48 100644
 -	allow nfsd_t $1:dbus send_msg;
 -')
 diff --git a/rpc.te b/rpc.te
-index f4df4fda2..f585a7fb5 100644
+index f4df4fda2..b9665f773 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -65,13 +65,6 @@ systemd_unit_file(nfsd_unit_file_t)
@@ -511,6 +511,61 @@ index f4df4fda2..f585a7fb5 100644
  optional_policy(`
  	mount_exec(nfsd_t)
  	mount_manage_pid_files(nfsd_t)
+@@ -357,6 +331,8 @@ kernel_signal(gssd_t)
+ 
+ corecmd_exec_bin(gssd_t)
+ 
++domain_manage_all_domains_keyrings(gssd_t)
++
+ fs_list_rpc(gssd_t)
+ fs_rw_rpc_sockets(gssd_t)
+ fs_read_rpc_files(gssd_t)
+diff --git a/rpm.te b/rpm.te
+index 7394a0dfc..4402cbe09 100644
+--- a/rpm.te
++++ b/rpm.te
+@@ -34,6 +34,7 @@ logging_log_file(rpm_log_t)
+ 
+ type rpm_var_lib_t;
+ files_type(rpm_var_lib_t)
++files_mountpoint(rpm_var_lib_t)
+ typealias rpm_var_lib_t alias var_lib_rpm_t;
+ 
+ type rpm_var_cache_t;
+diff --git a/snapper.fc b/snapper.fc
+index 4f4bdb397..0a43846a8 100644
+--- a/snapper.fc
++++ b/snapper.fc
+@@ -7,6 +7,7 @@
+ 
+ /mnt/(.*/)?\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
+ /\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
++
+ /usr/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
+ /var/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
+ /etc/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
+diff --git a/snapper.te b/snapper.te
+index 8c9e4a200..5be6d3542 100644
+--- a/snapper.te
++++ b/snapper.te
+@@ -22,7 +22,7 @@ files_type(snapperd_data_t)
+ #
+ # snapperd local policy
+ #
+-allow snapperd_t self:capability { dac_read_search fowner sys_admin };
++allow snapperd_t self:capability { dac_read_search dac_override fowner sys_admin };
+ allow snapperd_t self:process setsched;
+ 
+ allow snapperd_t self:fifo_file rw_fifo_file_perms;
+@@ -57,6 +57,8 @@ files_read_all_files(snapperd_t)
+ files_read_all_symlinks(snapperd_t)
+ files_list_all(snapperd_t)
+ files_manage_isid_type_dirs(snapperd_t)
++files_manage_non_security_dirs(snapperd_t)
++files_relabel_non_security_files(snapperd_t)
+ 
+ fs_getattr_all_fs(snapperd_t)
+ fs_mount_xattr_fs(snapperd_t)
 diff --git a/sysstat.te b/sysstat.te
 index a2690e315..efb2f855c 100644
 --- a/sysstat.te
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 40d3140..ec77df7 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 229%{?dist}.6
+Release: 229%{?dist}.9
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -657,6 +657,22 @@ fi
 %endif
 
 %changelog
+* Thu Jan 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229.9
+- Allow gssd_t domain to manage kernel keyrings of every domain.
+Resolves: rhbz#1665815
+- Add new interface domain_manage_all_domains_keyrings()
+Resolves: rhbz#1665815
+
+* Mon Jan 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229.8
+- Add interface domain_rw_all_domains_keyrings()
+Resolves: rhbz#1665815
+- Allow gssd_t domain to read/write kernel keyrings of every domain.
+Resolves: rhbz#1665815
+
+* Thu Dec 20 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229.7
+- Update snapperd policy to allow snapperd manage all non security dirs.
+Resolves: rhbz#1661158
+
 * Fri Nov 02 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229.6
 - Allow nova_t domain to use pam
 Resolves: rhbz:#1645270