diff --git a/.gitignore b/.gitignore
index 54a874f..9a0c058 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-68c5655.tar.gz
-SOURCES/selinux-policy-contrib-ff0abc8.tar.gz
+SOURCES/selinux-policy-contrib-20346b0.tar.gz
+SOURCES/selinux-policy-d76fcee.tar.gz
diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
index fc7eae0..6669515 100644
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@@ -1,3 +1,3 @@
-d062b78207b84dff3bc74f0c67c21943040723d5 SOURCES/container-selinux.tgz
-3a55719eee1f5aea3664adad331ed48c3f14f2eb SOURCES/selinux-policy-68c5655.tar.gz
-31cc8d555c60212a119855c4d385b4e619c0e044 SOURCES/selinux-policy-contrib-ff0abc8.tar.gz
+ebdfca6c003d85c7ef844b24ddcce74f6a00fb0d SOURCES/container-selinux.tgz
+6c9e28f9df02de9eab3afee49ed11a5231bcf860 SOURCES/selinux-policy-contrib-20346b0.tar.gz
+251b98b0076ddfe2dc4ffac49838c089cbe90be7 SOURCES/selinux-policy-d76fcee.tar.gz
diff --git a/SOURCES/macro-expander b/SOURCES/macro-expander
index 61bd347..2670b61 100644
--- a/SOURCES/macro-expander
+++ b/SOURCES/macro-expander
@@ -40,7 +40,7 @@ then
 fi
 
 TEMP_STORE="$(mktemp -d)"
-cd $TEMP_STORE
+cd $TEMP_STORE || exit 1
 
 IFS="("
 set $1
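Review bot: The new `|| exit 1` on `cd` does not catch a failed `mktemp -d` on the line above it. With `TEMP_STORE` empty, the unquoted `cd $TEMP_STORE` becomes a bare `cd`, which changes to `$HOME` and returns success, so the script would continue with its relative paths (`expander.tmp`, `tmp/all_interfaces.conf` in the next hunk) outside any private directory. I would check the allocation and quote the variable: `TEMP_STORE="$(mktemp -d)" || exit 1` followed by `cd "$TEMP_STORE" || exit 1`. The script starts before and continues after this hunk.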
@@ -67,7 +67,7 @@ if [ "x$GENCIL" = "x1" ]; then
     fi
 fi
 
-if [ "$GENTE" = "1" -o "x$GENCIL" != "x1" ]; then
+if [ "$GENTE" = "1" ] || [ "x$GENCIL" != "x1" ]; then
     m4 -D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -s /usr/share/selinux/devel/include/support/file_patterns.spt /usr/share/selinux/devel/include/support/ipc_patterns.spt /usr/share/selinux/devel/include/support/obj_perm_sets.spt /usr/share/selinux/devel/include/support/misc_patterns.spt /usr/share/selinux/devel/include/support/misc_macros.spt /usr/share/selinux/devel/include/support/all_perms.spt /usr/share/selinux/devel/include/support/mls_mcs_macros.spt /usr/share/selinux/devel/include/support/loadable_module.spt tmp/all_interfaces.conf expander.te > expander.tmp 2> /dev/null
     if [ "x$GENTEMODULE" = "x1" ]; then
        #    sed '/^#.*$/d;/^\s*$/d;/^\s*class .*/d;/^\s*category .*/d;s/^\s*//' expander.tmp
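Review bot: The `m4` call guarded by the rewritten condition sends stderr to `/dev/null`, and its exit status is lost because the next command is the `[ "x$GENTEMODULE" = "x1" ]` test. A failed or partial expansion would leave an empty or truncated `expander.tmp`, which the later steps presumably treat as valid output. I would test the status on that line, ending it with `> expander.tmp || exit 1`. If the m4 warnings are too noisy for the terminal, send stderr to a file in the temporary directory rather than discarding it. The `if` block continues past the end of this hunk.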
@@ -77,5 +77,5 @@ if [ "$GENTE" = "1" -o "x$GENCIL" != "x1" ]; then
     fi
 fi
 
-cd - > /dev/null
+cd - > /dev/null || exit 1
 cleanup
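Review bot: Both new `|| exit 1` exits (here and after `cd $TEMP_STORE` in the first hunk) leave the script without calling `cleanup`. Its definition is outside the diff, but as the last statement it is presumably what removes the `mktemp -d` directory, so a failure here would leave that directory and the expanded policy text behind. Registering it once, right after the directory is created, with `trap cleanup EXIT` covers every exit path, and the trailing explicit call can then be dropped. Failing that, use `cd - > /dev/null || { cleanup; exit 1; }` on this line.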
diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf
index 871e690..02c9839 100644
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@@ -292,6 +292,13 @@ cfengine = module
 # 
 cgroup = module
 
+# Layer: contrib
+# Module: cgdcbxd
+#
+# cgdcbxd policy
+#
+cgdcbxd = module
+
 # Layer: apps
 # Module: chrome
 #
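Review bot: The four modules enabled in this file (`cgdcbxd` here, and `timedatex`, `rrdcached` and `stratisd` in the next hunk) are added only to the targeted contrib list. The same commit edits `users-mls` and `users-minimum`, so other policy variants are built from this tree, and the diff does not show whether their module lists need the same entries. If the omission is deliberate, a line in the commit description saying so would help. The new description comments also only repeat the module name (`# timedatex`); a short phrase on what each daemon is would make the list easier to audit.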
@@ -2642,3 +2649,24 @@ boltd = module
 # kpatch
 #
 kpatch = module
+
+# Layer: contrib
+# Module: timedatex
+#
+# timedatex
+#
+timedatex = module
+
+# Layer: contrib
+# Module: rrdcached
+#
+# rrdcached
+#
+rrdcached = module
+
+# Layer: contrib
+# Module: stratisd
+#
+# stratisd
+#
+stratisd = module
diff --git a/SOURCES/users-minimum b/SOURCES/users-minimum
index 8207eed..977a838 100644
--- a/SOURCES/users-minimum
+++ b/SOURCES/users-minimum
@@ -25,7 +25,7 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(staff_u, user, staff_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
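Review bot: Nothing in the file records why `staff_u` no longer lists `system_r`, so the role could be re-added later without anyone noticing the regression; the same applies to the matching edits in `users-mls` and `users-targeted`. A comment above the line would do, for example `# staff_u must not be authorized for system_r (rhbz#1677052)`. In `users-minimum` and `users-targeted` the line still authorizes `unconfined_r`, so the change narrows the role set without limiting staff_u to confined roles. If that is intended, it is worth stating in the same comment. The file continues on both sides of this hunk.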
diff --git a/SOURCES/users-mls b/SOURCES/users-mls
index 05d2671..5469659 100644
--- a/SOURCES/users-mls
+++ b/SOURCES/users-mls
@@ -25,7 +25,7 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(staff_u, user, staff_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
diff --git a/SOURCES/users-targeted b/SOURCES/users-targeted
index 8207eed..977a838 100644
--- a/SOURCES/users-targeted
+++ b/SOURCES/users-targeted
@@ -25,7 +25,7 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(staff_u, user, staff_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 09ef214..b4c1356 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 68c5655db824d5bdd4876836d7f302df25bb09ae
+%global commit0 d76fceec695c24f195633137f40b5dacba5a8759
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 ff0abc8711cdbefbec47bcd9761b5524384bab3a
+%global commit1 20346b0f238e84d0ad58bc1a3c96f6ed3fb1da3d
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 9%{?dist}
+Release: 30%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -715,6 +715,438 @@ exit 0
 %endif
 
 %changelog
+* Fri Dec 13 2019 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-30
+- Allow userdomain dbus chat with systemd_resolved_t
+Resolves: rhbz#1773463
+- Allow init_t read and setattr on /var/lib/fprintd
+Resolves: rhbz#1781696
+- Allow sysadm_t dbus chat with colord_t
+Resolves: rhbz#1772669
+- Allow confined users run fwupdmgr
+Resolves: rhbz#1772619
+- Allow confined users run machinectl
+Resolves: rhbz#1772625
+- Allow systemd labeled as init_t domain to create dirs labeled as var_t
+Resolves: rhbz#1778126
+- Allow systemd labeled as init_t domain to manage faillog_t objects
+Resolves: rhbz#1671019
+- Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfaces
+Resolves: rhbz#1781696
+- Allow pulseaudio create .config and dgram sendto to unpriv_userdomain
+Resolves: rhbz#1703231
+- Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030)
+Resolves: rhbz#1777761
+- Change type in transition for /var/cache/{dnf,yum} directory
+Resolves: rhbz#1686833
+- Revert "Update zebra SELinux policy to make it work also with frr service"
+This reverts commit 73653250a252ad6eefcb3aae00749017e396ab8d.
+- Revert "Label only regular files inside /usr/lib/frr direcotry as zebra_exec_t"
+This reverts commit a19eb1021cbd6c637344954cead54caae081e07c.
+- Allow stratis_t domain to request load modules
+Resolves: rhbz#1726259
+- Allow stratisd to connect to dbus
+Resolves: rhbz#1726259
+- Run stratisd service as stratisd_t
+Resolves: rhbz#1726259
+- Add support for smart card authentication in cockpit BZ(1690444)
+Resolves: rhbz#1771414
+- cockpit: Support split-out TLS proxy
+Resolves: rhbz#1771414
+- cockpit: Allow cockpit-session to read cockpit-tls state
+Resolves: rhbz#1771414
+- Update cockpit policy
+Resolves: rhbz#1771414
+- cockpit: Support https instance factory
+Resolves: rhbz#1771414
+- cockpit: Allow cockpit-session to read cockpit-tls state directory
+Resolves: rhbz#1771414
+- Fix nonexisting types in rtas_errd_rw_lock interface
+Resolves: rhbz#1744234
+
+* Wed Nov 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-29
+- Allow timedatex_t domain to read relatime clock and adjtime_t files
+Resolves: rhbz#1771513
+
+* Fri Nov 22 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-28
+- Update timedatex policy to add macros
+Resolves: rhbz#1771513
+
+* Fri Nov 15 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-27
+- Allow timedatex_t domain dbus chat with both confined and unconfined users
+Resolves: rhbz#1771513
+- Fix typo bugs in rtas_errd_read_lock() interface
+Resolves: rhbz#1750096
+- Allow timedatex_t domain to systemctl chronyd domains
+Resolves: rhbz#1771513
+- Fix typo in dev_filetrans_all_named_dev()
+Resolves: rhbz#1750096
+
+* Mon Nov 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-26
+- New policy for rrdcached
+Resolves: rhbz#1726255
+- Update timedatex policy
+- Update timedatex SELinux policy to to sychronizate time with GNOME and add new macro chronyd_service_status to chronyd.if
+- Add new macro systemd_timedated_status to systemd.if to get timedated service status
+Resolves: rhbz#1730204
+- Update lldpad_t policy module
+Resolves: rhbz#1726246
+- Dontaudit sandbox web types to setattr lib_t dirs
+Resolves: rhbz#1739858
+- Fix typo in cachefiles device
+Resolves: rhbz#1750096
+
+* Thu Nov 07 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-25
+- Allow sssd_t domain to read gnome config and named cache files
+Resolves: rhbz#1743907
+- Allow httpd_t to signull mailman_cgi_t process
+Resolves: rhbz#1686462
+- Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files
+Resolves: rhbz#1758545
+- Allow cachefilesd_t domain to read/write cachefiles_device_t devices
+Resolves: rhbz#1750096
+- Remove setting label for /dev/cachefilesd char device from cachefilesd policy. This should be added in base policy
+Resolves: rhbz#1750096
+- Allow pcp_pmcd_t domain to bind on udp port labeled as statsd_port_t
+Resolves:rhbz#1746511
+- Label libvirt drivers as virtd_exec_t
+Resolves: rhbz#1745076
+- Update apache and pkcs policies to make active opencryptoki rules
+Resolves: rhbz#1744198
+- Introduce new bolean httpd_use_opencryptoki
+Resolves: rhbz#1744198
+- Allow gssproxy_t domain read state of all processes on system
+Resolves: rhbz#1752031
+- Dontaudit tmpreaper_t getting attributes from sysctl_type files
+Resolves: rhbz#1730204
+- Added macro for timedatex to chat over dbus.
+Resolves: rhbz#1730204
+- Run timedatex service as timedatex_t
+Resolves: rhbz#1730204
+- Run lldpd service as lldpad_t.
+Resolves: rhbz#1726246
+- Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald
+- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t
+Resolves: rhbz#1765065
+- Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files
+Resolves: rhbz#1744234
+- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command.
+Resolves: rhbz#1765065
+- Update tmpreaper_t policy due to fuser command
+Resolves: rhbz#1765065
+- Allow fail2ban_t domain to create netlink netfilter sockets.
+Resolves: rhbz#1766415
+- Label /dev/cachefilesd as cachefiles_device_t
+Resolves: rhbz#1750096
+- Label udp 8125 port as statsd_port_t
+Resolves: rhbz#1746511
+- Allow systemd(init_t) to load kernel modules
+Resolves: rhbz#1758255
+- Dontaudit sys_admin capability for auditd_t domains
+Resolves: rhbz#1669040
+- Allow x_userdomain to dbus_chat with timedatex.
+Resolves: rhbz#1730204
+
+* Fri Oct 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-24
+- Allow confined users to run newaliases
+Resolves:rhbz#1750405
+- Add interface mysql_dontaudit_rw_db()
+Resolves: rhbz#1747926
+- Label /var/lib/xfsdump/inventory as amanda_var_lib_t
+Resolves: rhbz#1739137
+- Allow tmpreaper_t domain to read all domains state
+Resolves: rhbz#1765065
+- Allow ipa_ods_exporter_t domain to read krb5_keytab files
+Resolves: rhbz#1759900
+- Allow rhsmcertd_t domain to read rtas_errd lock files
+Resolves: rhbz#1744234
+- Add new interface rtas_errd_read_lock()
+Resolves: rhbz#1744234
+- Donaudit ifconfig_t domain to read/write mysqld_db_t files
+Resolves: rhbz#1747926
+
+* Thu Oct 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-23
+- Label only regular files inside /usr/lib/frr direcotry as zebra_exec_t
+Resolves: rhbz#1714984
+- Dontaudit and disallow sys_admin capability for keepalived_t domain
+Resolves: rhbz#1729174
+- Allow processes labeled as keepalived_t domain to get process group
+Resolves: rhbz#1746955
+
+* Mon Oct 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-22
+- Allow ldconfig_t domain to manage initrc_tmp_t link files Allow netutils_t domain to write to initrc_tmp_t fifo files
+Resolves: rhbz#1756006
+- Allow user domains to manage user session services
+Resolves: rhbz#1727887
+- Allow staff and user users to get status of user systemd session
+Resolves: rhbz#1727887
+
+* Fri Oct 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-21
+- Allow user_mail_domain attribute to manage files labeled as etc_aliases_t.
+Resolves: rhbz#1750405
+- Allow dlm_controld_t domain to read random device
+Resolves: rhbz#1752943
+- Allow haproxy_t domain to read network state of system
+Resolves: rhbz#1746974
+- Allow avahi_t to send msg to lpr_t
+Resolves: rhbz#1752843
+- Create new type ipmievd_helper_t domain for loading kernel modules.
+Resolves: rhbz#1673804
+- networkmanager: allow NetworkManager_t to create bluetooth_socket
+Resolves: rhbz#1747768
+- Label /etc/named direcotory as named_conf_t
+Resolves: rhbz#1759505
+- Update aide_t domain to allow this tool to analyze also /dev filesystem
+Resolves: rhbz#1758265
+- Update zebra SELinux policy to make it work also with frr service
+Resolves: rhbz#1714984
+- Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects.
+Resolves: rhbz#1711909
+- Allow chronyc_t domain to append to all non_security files
+ Resolves: rhbz#1696252
+- Allow httpd_t domain to read/write named_cache_t files
+Resolves: rhbz#1690484
+- Add new interface bind_rw_cache()
+Resolves: rhbz#1690484
+- Label /var/run/mysql as mysqld_var_run_t
+Resolves: rhbz#1687867
+- Allow cupsd_t domain to create directory with name ppd in dirs labeled as cupsd_etc_t with label cupsd_rw_etc_t.
+Resolves: rhbz#1612552
+- Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types
+Resolves: rhbz#1647971
+- Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces
+Resolves: rhbz#1663874
+- Update gnome_dontaudit_read_config
+Resolves: rhbz#1663874
+- Update  tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports
+Resolves: rhbz#1687499
+- Update keepalived policy
+Resolves: rhbz#1728332
+- Add sys_admin capability for keepalived_t labeled processes
+Resolves: rhbz#1729174
+- Fix abrt_upload_watch_t in abrt policy
+Resolves: rhbz#1737419
+- Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label
+Resolves: rhbz#1737550
+- Allow amanda_t to manage its var lib files and read random_device_t
+Resolves: rhbz#1739137
+- Allow zebrat_t domain to read state of NetworkManager_t processes BZ(1739983)
+Resolves: rhbz#1743684
+- Allow pesign_t domain to read/write named cache files.
+Resolves: rhbz#1745429
+- Allow login user type to use systemd user session
+Resolves: rhbz#1727887
+- Allow avahi_t to send msg to xdm_t
+Resolves: rhbz#1755401
+- Allow ldconfig_t domain to manage initrc_tmp_t objects
+Resolves: rhbz#1756006
+- Add new interface init_write_initrc_tmp_pipes()
+- Add new interface init_manage_script_tmp_files()
+- Add new interface udev_getattr_rules_chr_files()
+- Run lvmdbusd service as lvm_t
+Resolves: rhbz#1726166
+- Label 2618/tcp and 2618/udp as priority_e_com_port_t
+- Label 2616/tcp and 2616/udp as appswitch_emp_port_t
+- Label 2615/tcp and 2615/udp as firepower_port_t
+- Label 2610/tcp and 2610/udp as versa_tek_port_t
+- Label 2613/tcp and 2613/udp as smntubootstrap_port_t
+- Label 3784/tcp and 3784/udp as bfd_control_port_t
+- Allow systemd labeled as init_t domain to remount rootfs filesystem
+Resolves: rhbz#1698197
+- Add interface files_remount_rootfs()
+- New interface files_append_non_security_files()
+- Allow domains systemd_networkd_t and systemd_logind_t to chat over dbus
+Resolves: rhbz#1612552
+- Update userdomains to pass correct parametes based on updates from cron_*_role interfaces
+ Resolves: rhbz#1647971
+- Dontaudit sys_admin capability for iptables_t SELinux domain
+Resolves: rhbz#1669040
+- Allow systemd labeled as init_t domain to read/write faillog_t. BZ(1723132)
+Resolves: rhbz#1671019
+- Allow userdomains to dbus chat with policykit daemon
+Resolves: rhbz#1727902
+- Allow ipsec_t domain to read/write named cache files
+Resolves: rhbz#1743777
+- Add sys_admin capability for ipsec_t domain
+Resolves: rhbz#1753662
+
+* Mon Sep 16 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-20
+- Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces.
+- Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label
+Resolves: rhbz#1720639
+
+* Fri Aug 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-19
+- Update cpucontrol_t SELinux policy
+Resolves: rhbz#1743930
+
+* Mon Aug 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-18
+- Allow dlm_controld_t domain to transition to the lvm_t
+Resolves: rhbz#1732956
+
+* Fri Aug 16 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-17
+- Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t
+Resolves: rhbz#1669485
+- Fix typo in networkmanager_append_log() interface
+Resolves: rhbz#1687460
+- Update gpg policy to make ti working with confined users
+Resolves: rhbz#1640296
+
+* Wed Aug 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-16
+- Allow audisp_remote_t domain to read kerberos keytab
+Resolves: rhbz#1740146
+
+* Mon Aug 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-15
+- Dontaudit abrt_t domain to read root_t files
+Resolves: rhbz#1734403
+- Allow ipa_dnskey_t domain to read kerberos keytab
+Resolves: rhbz#1730144
+- Update ibacm_t policy
+- Allow dlm_controld_t domain setgid capability
+Resolves: rhbz#1738608
+- Allow auditd_t domain to create auditd_tmp_t temporary files and dirs in /tmp or /var/tmp
+Resolves: rhbz#1740146
+- Update systemd_dontaudit_read_unit_files() interface to dontaudit alos listing dirs
+Resolves: rhbz#1670139
+
+* Wed Aug 07 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-14
+- Allow cgdcbxd_t domain to list cgroup dirs
+Resolves: rhbz#1651991
+
+* Mon Jul 29 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-13
+- Allow search krb5_keytab_t dirs for interfaces kerberos_read_keytab() and kerberos_rw_keytab
+Resolves: rhbz#1730144
+- Allow virtlockd process read virtlockd.conf file
+Resolves: rhbz#1733185
+- Relabel  /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t.
+Resolves: rhbz#1733185
+- Allow brltty to request to load kernel module
+Resolves: rhbz#1689955
+- Add svnserve_tmp_t label forl svnserve temp files to system private tmp
+Resolves: rhbz#1729955
+- Dontaudit svirt_tcg_t domain to read process state of libvirt
+Resolves: rhbz#1732500
+- Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool
+Resolves: rhbz#1732381
+- Allow cyrus work with PrivateTmp
+Resolves: rhbz#1725023
+- Make cgdcbxd_t domain working with SELinux enforcing.
+Resolves: rhbz#1651991
+- Remove system_r role from staff_u user.
+Resolves: rhbz#1677052
+- Add systemd_private_tmp_type attribute
+Resolves: rhbz#1725023
+- Allow systemd to load kernel modules during boot process.
+Resolves: rhbz#1644805
+
+* Fri Jul 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-12
+- Make working wireshark execute byt confined users staff_t and sysadm_t
+Resolves: rhbz#1712788
+- Label user cron spool file with user_cron_spool_t
+Resolves: rhbz#1727342
+- Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool
+Resolves: rhbz#1668667
+- Update svnserve_t policy to make working svnserve hooks
+Resolves: rhbz#1729955
+- Allow varnishlog_t domain to check for presence of varnishd_t domains
+Resolves: rhbz#1730270
+- Allow lsmd_t domain to execute /usr/bin/debuginfo-install
+Resolves: rhbz#1720648
+- Update sandboxX policy to make working firefox inside SELinux sandbox
+Resolves: rhbz#1663874
+- Remove allow rule from svirt_transition_svirt_sandbox interface to don't allow containers to connect to random services
+Resolves: rhbz#1695248
+- Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices
+Resolves: rhbz#1690484
+- Allow opafm_t domain to modify scheduling information of another process.
+Resolves: rhbz#1725874
+- Allow gssd_t domain to list tmpfs_t dirs
+Resolves: rhbz#1674470
+- Allow mdadm_t domain to read tmpfs_t files
+Resolves: rhbz#1669996
+- Allow sbd_t domain to check presence of processes labeled as cluster_t
+Resolves: rhbz#1669595
+- Dontaudit httpd_sys_script_t to read systemd unit files
+Resolves: rhbz#1670139
+- Allow blkmapd_t domain to read nvme devices
+Resolves: rhbz#1669985
+- Update cpucontrol_t domain to make working microcode service
+Resolves: rhbz#1669485
+- Allow domain transition from logwatch_t do postfix_postqueue_t
+Resolves: rhbz#1669162
+- Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file e.g: 'chronyc -n tracking > /var/lib/test'
+Resolves: rhbz#1696252
+- Allow httpd_sys_script_t domain to mmap httpdcontent
+Resolves: rhbz#1693137
+- Allow sbd_t to manage cgroups_t files
+Resolves: rhbz#1715134
+- Update wireshark policy to make working tshar labeled as wireshark_t
+Resolves: rhbz#1711005
+- Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files
+Resolves: rhbz#1719083
+- Allow sbd_t domain to use nsswitch
+Resolves: rhbz#1723498
+- Allow sysadm_t and staff_t domains to read wireshark shared memory
+Resolves: rhbz#1712788
+- Label /usr/libexec/utempter/utempter  as utemper_exec_t
+Resolves: rhbz#1729571
+- Allow unconfined_domain_type to setattr own process lnk files.
+Resolves: rhbz#1730500
+- Add interface files_write_generic_pid_sockets()
+- Dontaudit writing to user home dirs by gnome-keyring-daemon
+Resolves: rhbz#1689797
+- Allow staff and admin domains to setpcap in user namespace
+Resolves: rhbz#1673922
+- Allow staff and sysadm to use lockdev
+Resolves: rhbz#1673269
+- Allow staff and sysadm users to run iotop.
+Resolves: rhbz#1671241
+- Dontaudit traceroute_t domain require sys_admin capability
+Resolves: rhbz#1671672
+- Dontaudit dbus chat between kernel_t and init_t
+Resolves: rhbz#1669095
+- Allow systemd labeled as init_t to create mountpoints without any specific label as default_t
+Resolves: rhbz#1696144
+
+* Wed Jul 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-11
+- Fix minor changes to pass coverity scan
+Resolves: rhbz#1728578
+
+* Tue Jul 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-10
+- Allow qpidd_t domain to getattr all fs_t filesystem and mmap usr_t files
+- Label /var/kerberos/krb5 as krb5_keytab_t
+Resolves: rhbz#1669975
+- Allow sbd_t domain to manage cgroup dirs
+Resolves: rhbz#1715134
+- Allow wireshark_t domain to create netlink netfilter sockets
+Resolves: rhbz#1711005
+- Allow gpg_agent_t domain to use nsswitch
+Resolves: rhbz#1567073
+- Allow httpd script types to mmap httpd rw content
+Resolves: rhbz#1693137
+- Allow confined users to login via cockpit
+Resolves: rhbz#1718814
+- Replace "-" by "_" in speechdispatcher types names
+- Change condor_domain declaration in condor_systemctl
+- Update interface networkmanager_manage_pid_files() to allow manage also dirs
+Resolves: rhbz#1720070
+- Update virt_use_nfs() boolean to allow virt_t to mmap nfs_t files
+Resolves: rhbz#1719083
+- Fix all interfaces which cannot by compiled because of typos
+Resolves: rhbz#1687460
+- Allow auditd_t domain to send signals to audisp_remote_t domain
+Resolves: rhbz#1726659
+- Allow associate efivarfs_t on sysfs_t
+Resolves: rhbz#1709747
+- Allow userdomain attribute to manage cockpit_ws_t stream sockets
+Resolves: rhbz#1718814
+- Allow ssh_agent_type to read/write cockpit_session_t unnamed pipes
+- Add interface ssh_agent_signal()
+- Dontaudit unpriv_userdomain to manage boot_t files
+Resolves: rhbz#1723773
+- Allow crack_t domain read /et/passwd files
+Resolves: rhbz#1721132
+- Allow dhcpc_t domain to manage network manager pid files
+Resolves: rhbz#1720070
+
 * Mon Jun 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-9
 - Allow redis_t domain to read public sssd files
 Resolves: rhbz#1718200