diff --git a/.gitignore b/.gitignore
index 4da3240..9ef9ae4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -325,3 +325,5 @@ serefpolicy*
 /selinux-policy-62d90da.tar.gz
 /selinux-policy-contrib-a01743f.tar.gz
 /selinux-policy-4cbc1ae.tar.gz
+/selinux-policy-contrib-a0e3869.tar.gz
+/selinux-policy-509e071.tar.gz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 274426e..138d794 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 4cbc1ae7dbe8f08edee55b33d1031f0ee0c6ff4e
+%global commit0 509e071fb3ded4e982bdf7fdcdc8bbc8f7779172
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 a01743f0cd8f3fd2aa99b32ff01697eeb0918b0c
+%global commit1 a0e386916f8bbd64918c3ab98267431e8a78bfe9
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
@@ -709,6 +709,37 @@ exit 0
 %endif
 
 %changelog
+* Fri Dec 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-14
+- Remove all ganesha bits from gluster and rpc policy
+- Label /usr/share/spamassassin/sa-update.cron as spamd_update_exec_t
+- Add dac_override capability to ssad_t domains
+- Allow pesign_t domain to read gnome home configs
+- Label /usr/libexec/lm_sensors/sensord-service-wrapper as lsmd_exec_t
+- Allow rngd_t domains read kernel state
+- Allow certmonger_t domains to read bind cache
+- Allow ypbind_t domain to stream connect to sssd
+- Allow rngd_t domain to setsched
+- Allow sanlock_t domain to read/write sysfs_t files
+- Add dac_override capability to postfix_local_t domain
+- Allow ypbind_t to search sssd_var_lib_t dirs
+- Allow virt_qemu_ga_t domain to write to user_tmp_t files
+- Allow systemd_logind_t to dbus chat with virt_qemu_ga_t
+- Update sssd_manage_lib_files() interface to allow also mmap sssd_var_lib_t files
+- Add new interface sssd_signal()
+- Update xserver_filetrans_home_content() and xserver_filetrans_admin_home_content() unterfaces to allow caller domain to create .vnc dir in users homedir labeled as xdm_home_t
+- Update logging_filetrans_named_content() to allow caller domains of this interface to create /var/log/journal/remote directory labeled as var_log_t
+- Add sys_resource capability to the systemd_passwd_agent_t domain
+- Allow ipsec_t domains to read bind cache
+- kernel/files.fc: Label /run/motd as etc_t
+- Allow systemd to stream connect to userdomain processes
+- Label /var/lib/private/systemd/ as init_var_lib_t
+- Allow initrc_t domain to create new socket labeled as init_T
+- Allow audisp_remote_t domain remote logging client to read local audit events from relevant socket.
+- Add tracefs_t type to mountpoint attribute
+- Allow useradd_t and groupadd_t domains to send signals to sssd_t
+- Allow systemd_logind_t domain to remove directories labeled as tmpfs_t BZ(1648636)
+- Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utils
+
 * Wed Nov 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-13
 - Update pesign policy to allow pesign_t domain to read bind cache files/dirs
 - Add dac_override capability to mdadm_t domain
diff --git a/sources b/sources
index e52dc2e..814e5e9 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (selinux-policy-contrib-a01743f.tar.gz) = 4f21db7f96599c85d4d16b275b693338f63c00083e0931e4658d93c23ee969f6670c7dcde67d54e3c55718577759bd14f7ee68c3e82896e0b6334077fbc98686
-SHA512 (selinux-policy-4cbc1ae.tar.gz) = 0d6a5f5df9dda62b72ad037f124eed91e06d7657d15c0d6155b6e5449b6fca034c6ac1759fb5cb42ab39ea9973a5149403267afc21f15f849e86bea1d6b61f62
-SHA512 (container-selinux.tgz) = d4cc25cfd87b9efd77424f3a799044a927488756e31bd157f59613acb0bb4da19013fc2e22ff9194b2ebfb6c57d33a98d7a1f76e9720f1ac8fa889b39807f0ac
+SHA512 (selinux-policy-contrib-a0e3869.tar.gz) = ba019a31f71790b65f07fad44ffcab0d50d1b4a4086ea7f3b756d67895aac1b6e0d01514f192bc07c9ede1f35fe7b2ab28b7d3a159255e305d8c08e65d393427
+SHA512 (selinux-policy-509e071.tar.gz) = cd4c1411aa74c43491d4482d537aa25b3dd670afef72e6da927e515cdb7ed66515f6d700c9bd02167f03faec3034733b6f61a82e58ba0a8ec2a85e14d33be3e2
+SHA512 (container-selinux.tgz) = 1e5c84f12624082b371cf56228ea17a39c4ba55689ca65d85498b51e5762129fe34099061ef42d052577a64ae89d8abd60e15bc81878db251155438202ee0165