diff --git a/SOURCES/policy-rhel-7.4.z-contrib.patch b/SOURCES/policy-rhel-7.4.z-contrib.patch
index dc4e90c..a700ae7 100644
--- a/SOURCES/policy-rhel-7.4.z-contrib.patch
+++ b/SOURCES/policy-rhel-7.4.z-contrib.patch
@@ -1,3 +1,15 @@
+diff --git a/certmonger.te b/certmonger.te
+index 0803529e4..0585431e1 100644
+--- a/certmonger.te
++++ b/certmonger.te
+@@ -144,6 +144,7 @@ optional_policy(`
+ optional_policy(`
+ pki_rw_tomcat_cert(certmonger_t)
+ pki_read_tomcat_lib_files(certmonger_t)
++ pki_tomcat_systemctl(certmonger_t)
+ ')
+
+ optional_policy(`
diff --git a/lldpad.te b/lldpad.te
index 42e5578f2..3399d597a 100644
--- a/lldpad.te
@@ -10,6 +22,38 @@ index 42e5578f2..3399d597a 100644
+optional_policy(`
+ virt_dgram_send(lldpad_t)
+')
+diff --git a/pki.if b/pki.if
+index f18fcc68f..f69ae0298 100644
+--- a/pki.if
++++ b/pki.if
+@@ -477,3 +477,27 @@ interface(`pki_stream_connect',`
+ files_search_pids($1)
+ stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t)
+ ')
++
++########################################
++##
++## Execute pki in the pkit_tomcat_t domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`pki_tomcat_systemctl',`
++ gen_require(`
++ type pki_tomcat_t;
++ type pki_tomcat_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 pki_tomcat_unit_file_t:file read_file_perms;
++ allow $1 pki_tomcat_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, pki_tomcat_t)
++')
diff --git a/tomcat.te b/tomcat.te
index 97bdd60c9..386c4b7ac 100644
--- a/tomcat.te
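Review bot: The header comment on the new `pki_tomcat_systemctl` interface (`## Execute pki in the pkit_tomcat_t domain.`) does not match what the body grants — nothing in the interface performs a domain transition; it lets $1 exec systemctl, read and manage the pki_tomcat unit file and service, and read pki_tomcat_t process state via ps_process_pattern — and "pkit_tomcat_t" appears to be a typo for pki_tomcat_t. A summary such as `## Allow the caller to run systemctl on the pki-tomcat unit: read the unit file, manage the service, and read pki_tomcat_t process state.` would describe the actual access; the surrounding `##` lines look like refpolicy summary/param markup whose tags were lost in extraction, so that is presumably fine in the real file. On the access itself, `allow $1 pki_tomcat_unit_file_t:service manage_service_perms;` covers the full service permission set, which is broader than a restart-after-certificate-renewal caller like certmonger_t (the only user of this interface, added in the certmonger.te hunk above) would seem to need; if the use case is only start/stop/status, a narrower permission list on that line keeps the grant to least privilege — hedged, since the exact requirement is not visible here.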
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 2e37a69..60f6192 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 166%{?dist}.4
+Release: 166%{?dist}.5
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -655,6 +655,10 @@ fi
%endif
%changelog
+* Wed Aug 30 2017 Lukas Vrabec - 3.13.1-166.5
+- Allow certmonger using systemctl on pki_tomcat unit files
+Resolves: rhbz#1486552
+
* Sat Aug 26 2017 Lukas Vrabec - 3.13.1-166.4
- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc
Resolves: rhbz#1485308