diff --git a/.gitignore b/.gitignore
index 8a83fe3..a6a3a7a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -336,3 +336,5 @@ serefpolicy*
 /selinux-policy-contrib-992defd.tar.gz
 /selinux-policy-contrib-b4944ea.tar.gz
 /selinux-policy-07bdaa4.tar.gz
+/selinux-policy-contrib-8b8ce9b.tar.gz
+/selinux-policy-8258bc1.tar.gz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e11dbd6..5841e4e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 07bdaa4e38ad031370335669a7df22fc8836dea0
+%global commit0 8258bc10ab4591c277398a872364355be7b15cd4
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 b4944ea2d50d41863dec6ba41d1cc815395da494
+%global commit1 8b8ce9b1a026b041163de4ab4ef29e9515dbf541
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -706,6 +706,24 @@ exit 0
 %endif
 
 %changelog
+* Tue Feb 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-21
+- Allow glusterd_t to write to automount unnamed pipe Resolves: rhbz#1674243
+- Allow ddclient_t to setcap Resolves: rhbz#1674298
+- Add dac_override capability to vpnc_t domain
+- Add dac_override capability to spamd_t domain
+- Allow ibacm_t domain to read system state and label all ibacm sockets and symlinks as ibacm_var_run_t in /var/run
+- Allow read network state of system for processes labeled as ibacm_t
+- Allow ibacm_t domain to send dgram sockets to kernel processes
+- Allow dovecot_t to connect to MySQL UNIX socket
+- Fix CI for use on forks
+- Fix typo bug in sensord policy
+- Update ibacm_t policy after testing lastest version of this component
+- Allow sensord_t domain to mmap own log files
+- Allow virt_doamin to read/write dev device
+- Add dac_override capability for ipa_helper_t
+- Update policy with multiple allow rules to make working installing VM in MLS policy
+- Allow syslogd_t domain to send null signal to all domains on system Resolves: rhbz#1673847 - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow systemd-logind daemon to remove shared memory during logout Resolves: rhbz#1674172 - Always label /home symlinks as home_root_t - Update mount_read_pid_files macro to allow also list mount_var_run_t dirs - Fix typo bug in userdomain SELinux policy - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow user domains to stop systemd user sessions during logout process - Fix CI for use on forks - Label /dev/sev char device as sev_device_t - Add s_manage_fusefs_named_sockets interface - Allow systemd-journald to receive messages including a memfd
+
 * Sat Feb 02 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-20
 - Allow sensord_t domain to use nsswitch and execute shell
 - Allow opafm_t domain to execute lib_t files
diff --git a/sources b/sources
index ee82a56..faebbe6 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (selinux-policy-contrib-b4944ea.tar.gz) = bc11049c77dd13e96a94e12a70e219d076c33c46aa2ba093a970661985dc3810d2b7702997b65fd6eaeecdbacd22524be2f707f1a951c9c84b35328d83b3f0f6
-SHA512 (selinux-policy-07bdaa4.tar.gz) = ae462e33c51e445f69551a0a327dcd5b63a38824d96205a69cebed43e0bdb1b37644e2faec4d4dcc6fea09de07793ea240926e2e8d1467be3f3c829f7c825899
-SHA512 (container-selinux.tgz) = 942c04ccf72c164442d0f7db96457cb7d1b2d1871312552e9da42757b3f60d4853e3ec30fc178d0cec69e294ffced74dcd0ecfcda1c6511531d2f170a6d82073
+SHA512 (selinux-policy-contrib-8b8ce9b.tar.gz) = 4f4903d5c0fe059c4478e7989c40bbb7513cc36cb1fcf6ec30de77d73d85954252116ab424dbda180ec73fd49ee7832967ca816e17177eb360e31d38509db5a1
+SHA512 (selinux-policy-8258bc1.tar.gz) = ab3d2a9fe55732e67a76323a1ed1556ff7d79738c95e3b9d411c71589d92478e3507468eb085a2e2a45bd5081317d00253b78cc47be0622cff40716cf046402c
+SHA512 (container-selinux.tgz) = 89579044b28cab6d41f830d591317bd8ff5db968bf698b68e69d5b36aca871e85a7c7155c38703e07be6c41e16b655b0747eb0a47aa04169da87fab0fcfe9d91