diff --git a/SOURCES/policy-rhel-7.4.z-contrib.patch b/SOURCES/policy-rhel-7.4.z-contrib.patch
index dc4e90c..a700ae7 100644
--- a/SOURCES/policy-rhel-7.4.z-contrib.patch
+++ b/SOURCES/policy-rhel-7.4.z-contrib.patch
@@ -1,3 +1,15 @@
+diff --git a/certmonger.te b/certmonger.te
+index 0803529e4..0585431e1 100644
+--- a/certmonger.te
++++ b/certmonger.te
+@@ -144,6 +144,7 @@ optional_policy(`
+ optional_policy(`
+ 	pki_rw_tomcat_cert(certmonger_t)
+ 	pki_read_tomcat_lib_files(certmonger_t)
++    pki_tomcat_systemctl(certmonger_t)
+ ')
+ 
+ optional_policy(`
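Review bot: The added `pki_tomcat_systemctl(certmonger_t)` line is indented with four spaces while the neighbouring `pki_rw_tomcat_cert(certmonger_t)` and `pki_read_tomcat_lib_files(certmonger_t)` calls in the same optional_policy block use a tab; the same space-versus-tab mix appears on the `systemd_read_fifo_file_passwd_run($1)` line in the pki.if hunk below. Replacing it with `	pki_tomcat_systemctl(certmonger_t)` keeps the block uniform and avoids noisy diffs later. The enclosing optional_policy block is fully inside the hunk and the nested header `@@ -144,6 +144,7 @@` matches the six old and seven new lines, so the patch-in-a-patch bookkeeping looks consistent.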
 diff --git a/lldpad.te b/lldpad.te
 index 42e5578f2..3399d597a 100644
 --- a/lldpad.te
@@ -10,6 +22,38 @@ index 42e5578f2..3399d597a 100644
 +optional_policy(`
 +    virt_dgram_send(lldpad_t)
 +')
+diff --git a/pki.if b/pki.if
+index f18fcc68f..f69ae0298 100644
+--- a/pki.if
++++ b/pki.if
+@@ -477,3 +477,27 @@ interface(`pki_stream_connect',`
+ 	files_search_pids($1)
+ 	stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t)
+ ')
++
++########################################
++## <summary>
++##	Execute pki in the pkit_tomcat_t domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`pki_tomcat_systemctl',`
++	gen_require(`
++		type pki_tomcat_t;
++		type pki_tomcat_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++    systemd_read_fifo_file_passwd_run($1)
++	allow $1 pki_tomcat_unit_file_t:file read_file_perms;
++	allow $1 pki_tomcat_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, pki_tomcat_t)
++')
 diff --git a/tomcat.te b/tomcat.te
 index 97bdd60c9..386c4b7ac 100644
 --- a/tomcat.te
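Review bot: The XML doc block on the new `pki_tomcat_systemctl` interface does not describe what it grants: the summary reads "Execute pki in the pkit_tomcat_t domain" (the type is also misspelled, it is `pki_tomcat_t`) and the parameter is documented as "Domain allowed to transition", yet the body performs no domain transition — it calls `systemd_exec_systemctl($1)`, allows `read_file_perms` on `pki_tomcat_unit_file_t`, grants `manage_service_perms` on that unit's service class, and adds `ps_process_pattern($1, pki_tomcat_t)`. Because `manage_service_perms` is the full service-management set, a future caller reading the current text would under-estimate what this interface hands out. Suggested summary: `##	Allow the specified domain to manage the pki-tomcat systemd service (start/stop/status/enable) via systemctl and to read its unit file.` with the parameter summary changed to `##	Domain allowed access.`. It would also help to note in the comment that the interface includes `systemd_read_fifo_file_passwd_run`, since that is not implied by the name.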
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 2e37a69..60f6192 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 166%{?dist}.4
+Release: 166%{?dist}.5
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -655,6 +655,10 @@ fi
 %endif
 
 %changelog
+* Wed Aug 30 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-166.5
+- Allow certmonger using systemctl on pki_tomcat unit files
+Resolves: rhbz#1486552
+
 * Sat Aug 26 2017 Lukas Vrabec  <lvrabec@redhat.com> - 3.13.1-166.4
 - Allow tomcat_t domain couple capabilities to make working tomcat-jsvc
 Resolves: rhbz#1485308