diff --git a/.gitignore b/.gitignore
index 27b0d2d..8c4174a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-13935d5.tar.gz
-SOURCES/selinux-policy-contrib-78ae674.tar.gz
+SOURCES/selinux-policy-contrib-fd10e7c.tar.gz
+SOURCES/selinux-policy-db25c0e.tar.gz
diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
index f93ee2c..f9fba18 100644
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@@ -1,3 +1,3 @@
-b74e206ce51098e33143b874e40c27464e27b49d SOURCES/container-selinux.tgz
-8152bb1e073bb4ed468929d2425d542bbb40e6b6 SOURCES/selinux-policy-13935d5.tar.gz
-70e0f19da48e9cbbeb6a96e3d27d0dcb8d32dc55 SOURCES/selinux-policy-contrib-78ae674.tar.gz
+96c4e7788edd3c312cf691480a58bb403d0a13ef SOURCES/container-selinux.tgz
+b3cd1635dfa8d9c1e2a207cad5df4682771d85b6 SOURCES/selinux-policy-contrib-fd10e7c.tar.gz
+4ddf11da780b6eaa124536869c85baec229640c1 SOURCES/selinux-policy-db25c0e.tar.gz
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 82e8d6a..59e5256 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 13935d5ca9a5c6d6a7d4a9688af0cc552c2b492d
+%global commit0 db25c0eff1c59aff96dd7d14e5d3043dae2aee9e
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 78ae6747c0330040bda2829aac2e5be4bf921670
+%global commit1 fd10e7cb92ddfd82248e1c8f5f68eadfbd74b4f7
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 41%{?dist}.8
+Release: 54%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -715,42 +715,234 @@ exit 0
 %endif
 
 %changelog
-* Fri Oct 02 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-41.8
-- Allow ptp4l_t sys_admin capability to run bpf programs
-Resolves: rhbz#1884267
-
-* Thu Oct 01 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-41.7
-- Allow ptp4l_t create and use packet_socket sockets
-Resolves: rhbz#1884267
-
-* Thu Aug 06 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-41.6
-- Label systemd-growfs and systemd-makefs as fsadm_exec_t
-Resolves: rhbz#1859162
+* Thu Sep 17 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-54
+- Allow plymouth sys_chroot capability
+Resolves: rhbz#1869814
+
+* Sun Aug 23 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-53
+- Allow certmonger fowner capability
+Resolves: rhbz#1870596
+- Define named file transition for saslauthd on /tmp/krb5_0.rcache2
+Resolves: rhbz#1870300
+- Label /usr/libexec/qemu-pr-helper with virtd_exec_t
+Resolves: rhbz#1867115
+
+* Thu Aug 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-52
+- Add ipa_helper_noatsecure() interface unconditionally
+Resolves: rhbz#1853432
+- Conditionally allow nagios_plugin_domain dbus chat with init
+Resolves: rhbz#1750821
+- Revert "Update allow rules set for nrpe_t domain"
+Resolves: rhbz#1750821
+- Add ipa_helper_noatsecure() interface to ipa.if
+Resolves: rhbz#1853432
+- Allow tomcat map user temporary files
+Resolves: rhbz#1857675
+- Allow tomcat manage user temporary files
+Resolves: rhbz#1857675
+- Add file context for /sys/kernel/tracing
+Resolves: rhbz#1847331
+- Define named file transition for sshd on /tmp/krb5_0.rcache2
+Resolves: rhbz#1848953
+
+* Mon Aug 03 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-51
+- Allow kadmind manage kerberos host rcache
+Resolves: rhbz#1863043
+- Allow virtlockd only getattr and lock block devices
+Resolves: rhbz#1832756
+- Allow qemu-ga read all non security file types conditionally
+Resolves: rhbz#1747960
+- Allow virtlockd manage VMs posix file locks
+Resolves: rhbz#1832756
+- Add dev_lock_all_blk_files() interface
+Resolves: rhbz#1832756
+- Allow systemd-logind dbus chat with fwupd
+Resolves: rhbz#1851932
 - Update xserver_rw_session macro
-Resolves: rhbz#1866362
-
-* Mon Jun 29 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-41.5
+Resolves: rhbz#1851448
+
+* Wed Jul 29 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-50
+- Revert "Allow qemu-kvm read and write /dev/mapper/control"
+This reverts commit f948eaf3d010215fc912e42013e4f88870279093.
+- Allow smbd get attributes of device files labeled samba_share_t
+Resolves: rhbz#1851816
+- Allow tomcat read user temporary files
+Resolves: rhbz#1857675
+- Revert "Dontaudit and disallow sys_admin capability for keepalived_t domain"
+Resolves: rhbz#1815281
+- Label /tmp/krb5_0.rcache2 with krb5_host_rcache_t
+Resolves: rhbz#1848953
+- Allow auditd manage kerberos host rcache files
+Resolves: rhbz#1855770
+
+* Thu Jul 09 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-49
+- Additional support for keepalived running in a namespace
+Resolves: rhbz#1815281
+- Allow keepalived manage its private type runtime directories
+Resolves: rhbz#1815281
+- Run ipa_helper_noatsecure(oddjob_t) only if the interface exists
+Resolves: rhbz#1853432
+- Allow oddjob_t process noatsecure permission for ipa_helper_t
+Resolves: rhbz#1853432
+- Allow domain dbus chat with systemd-resolved
+Resolves: rhbz#1852378
+- Define file context for /var/run/netns directory only
+Related: rhbz#1815281
+
+* Mon Jun 29 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-48
+- Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t
+Resolves: rhbz#1836820
+
+* Mon Jun 29 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-47
+- Allow virtlogd_t manage virt lib files
+Resolves: rhbz#1832756
+- Allow pdns server to read system state
+Resolves: rhbz#1801214
+- Support systemctl --user in machinectl
+Resolves: rhbz#1788616
+- Allow chkpwd_t read and write systemd-machined devpts character nodes
+Resolves: rhbz#1788616
+- Allow init_t write to inherited systemd-logind sessions pipes
+Resolves: rhbz#1788616
+- Label systemd-growfs and systemd-makefs as fsadm_exec_t
+Resolves: rhbz#1820798
+- Allow staff_u and user_u setattr generic usb devices
+Resolves: rhbz#1783325
+- Allow sysadm_t dbus chat with accountsd
+Resolves: rhbz#1828809
+
+* Tue Jun 23 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-46
+- Fix description tag for the sssd_connect_all_unreserved_ports tunable
+Related: rhbz#1826748
+- Allow journalctl process set its resource limits
+Resolves: rhbz#1825894
+- Add sssd_access_kernel_keys tunable to conditionally access kernel keys
+Resolves: rhbz#1802062
+- Make keepalived work with network namespaces
+Resolves: rhbz#1815281
+- Create sssd_connect_all_unreserved_ports boolean
+Resolves: rhbz#1826748
+- Allow hypervkvpd to request kernel to load a module
+Resolves: rhbz#1842414
+- Allow systemd_private_tmp(dirsrv_tmp_t)
+Resolves: rhbz#1836820
+- Allow radiusd connect to gssproxy over unix domain stream socket
+Resolves: rhbz#1813572
+- Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?'
+Resolves: rhbz#1832231
+- Modify kernel_rw_key() not to include append permission
+Related: rhbz#1802062
+- Add kernel_rw_key() interface to access to kernel keyrings
+Related: rhbz#1802062
+- Modify systemd_delete_private_tmp() to use delete_*_pattern macros
+Resolves: rhbz#1836820
 - Allow systemd-modules to load kernel modules
-Resolves: rhbz#1850953
-
-* Thu May 14 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-41.4
+Resolves: rhbz#1823246
+- Add cachefiles_dev_t as a typealias to cachefiles_device_t
+Resolves: rhbz#1814796
+
+* Mon Jun 15 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-45
+- Remove files_mmap_usr_files() call for particular domains
+Related: rhbz#1801214
+- Allow dirsrv_t list cgroup directories
+Resolves: rhbz#1836795
+- Create the kerberos_write_kadmind_tmp_files() interface
+Related: rhbz#1841488
+- Allow realmd_t dbus chat with accountsd_t
+Resolves: rhbz#1792895
+- Allow nagios_plugin_domain execute programs in bin directories
+Resolves: rhbz#1815621
+- Update allow rules set for nrpe_t domain
+Resolves: rhbz#1750821
+- Allow Gluster mount client to mount files_type
+Resolves: rhbz#1753626
+- Allow qemu-kvm read and write /dev/mapper/control
+Resolves: rhbz#1835909
+- Introduce logrotate_use_cifs boolean
+Resolves: rhbz#1795923
+- Allow ptp4l_t sys_admin capability to run bpf programs
+Resolves: rhbz#1759214
+- Allow rhsmd mmap /etc/passwd
+Resolves: rhbz#1814644
+- Remove files_mmap_usr_files() call for systemd_localed_t
+Related: rhbz#1801214
+- Allow domain mmap usr_t files
+Resolves: rhbz#1801214
+- Allow libkrb5 lib read client keytabs
+Resolves: rhbz#1831769
+- Add files_dontaudit_manage_boot_dirs() interface
+Related: rhbz#1803868
+- Create files_create_non_security_dirs() interface
+Related: rhbz#1840265
+- Add new interface dev_mounton_all_device_nodes()
+Related: rhbz#1840265
+- Add new interface dev_create_all_files()
+Related: rhbz#1840265
+- Allow sshd write to kadmind temporary files
+Resolves: rhbz#1841488
+- Create init_create_dirs boolean to allow init create directories
+Resolves: rhbz#1832231
+- Do not audit staff_t and user_t attempts to manage boot_t entries
+Resolves: rhbz#1803868
+- Allow systemd to relabel all files on system.
+Resolves: rhbz#1818981
+- Make dbus-broker service working on s390x arch
+Resolves: rhbz#1840265
+
+* Wed May 20 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-44
+- Make boinc_var_lib_t label system mountdir attribute
+Resolves: rhbz#1779070
+- Allow aide to be executed by systemd with correct (aide_t) domain
+Resolves: rhbz#1814809
+- Allow chronyc_t domain to use nsswitch
+Resolves: rhbz#1772852
+- Allow nscd_socket_use() for domains in nscd_use() unconditionally
+Resolves: rhbz#1772852
 - Allow gluster geo-replication in rsync mode
 Resolves: rhbz#1831109
-
-* Mon Apr 27 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-41.3
-- Allow init_t set the nice level of all domains
-Resolves: rhbz#1827637
-
-* Thu Apr 16 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-41.2
+- Update networkmanager_read_pid_files() to allow also list_dir_perms
+Resolves: rhbz#1781818
+- Allow associating all labels with CephFS
+Resolves: bz#1814689
+- Allow tcpdump sniffing offloaded (RDMA) traffic
+Resolves: rhbz#1834773
+
+* Fri Apr 17 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-43
+- Update radiusd policy
+Resolves: rhbz#1803407
+- Allow sssd read NetworkManager's runtime directory
+Resolves: rhbz#1781818
+- Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_t
+Resolves: rhbz#1777506
+- Allow ipa_helper_t to read kr5_keytab_t files
+Resolves: rhbz#1769423
+- Add ibacm_t ipc_lock capability
+Resolves: rhbz#1754719
+- Allow opafm_t to create and use netlink rdma sockets.
+Resolves: rhbz#1786670
+- Allow ptp4l_t create and use packet_socket sockets
+Resolves: rhbz#1759214
+- Update ctdbd_t policy
+Resolves: rhbz#1735748
 - Allow glusterd synchronize between master and slave
 Resolves: rhbz#1824662
+- Allow auditd poweroff or switch to single mode
+Resolves: rhbz#1826788
+- Allow init_t set the nice level of all domains
+Resolves: rhbz#1819121
+- Label /etc/sysconfig/ip6?tables\.save as system_conf_t
+Resolves: rhbz#1776873
+- Add file context entry and file transition for /var/run/pam_timestamp
+Resolves: rhbz#1791957
 
-* Mon Apr 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-41.1
+* Wed Apr 08 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-42
 - Allow ssh-keygen create file in /var/lib/glusterd
-Resolves: rhbz#1821759
+Resolves: rhbz#1816663
 - Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t files
-Resolves: rhbz#1821226
+Resolves: rhbz#1819243
 - Remove container interface calling by named_filetrans_domain.
+- Makefile: fix tmp/%.mod.fc target
+Resolves: rhbz#1821191
 
 * Mon Mar 16 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-41
 - Allow NetworkManager read its unit files and manage services