diff --git a/.gitignore b/.gitignore
index 2ee29b6..267186c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,3 @@
-SOURCES/config.tgz
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-49222dd.tar.gz
-SOURCES/selinux-policy-contrib-a81a28a.tar.gz
+SOURCES/selinux-policy-9c02e99.tar.gz
+SOURCES/selinux-policy-contrib-c8ebb9f.tar.gz
diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
index fac645b..3b74b98 100644
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@@ -1,4 +1,3 @@
-260c8b8f890ddf2aba881acc0650cc3b5b0252d1 SOURCES/config.tgz
-ef119406ac3c18205334707d428aa92902e78830 SOURCES/container-selinux.tgz
-c00ffb50bdd7ad1c165a991710251d84ddba88f8 SOURCES/selinux-policy-49222dd.tar.gz
-311efebcca058e89ec9b4a96a7f99a441eed8f77 SOURCES/selinux-policy-contrib-a81a28a.tar.gz
+53ade5f3e668c078acfccdf1ec8094ac58f4847a SOURCES/container-selinux.tgz
+a39a2f69b1b5871767129babffd3fd3d7f1aca4f SOURCES/selinux-policy-9c02e99.tar.gz
+a357a9d089222708f0da5084425992182873bdfe SOURCES/selinux-policy-contrib-c8ebb9f.tar.gz
diff --git a/SOURCES/file_contexts.subs_dist b/SOURCES/file_contexts.subs_dist
index cde00a1..f64b231 100644
--- a/SOURCES/file_contexts.subs_dist
+++ b/SOURCES/file_contexts.subs_dist
@@ -12,7 +12,8 @@
 /var/lib/xguest/home /home
 /var/named/chroot/usr/lib64 /usr/lib
 /var/named/chroot/lib64 /usr/lib
-/var/home            /home
+/home-inst            /home
+/home/home-inst            /home
 /var/roothome        /root
 /sbin                /usr/sbin
 /sysroot/tmp         /tmp
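Review bot: The `/var/home /home` equivalence is removed, not kept alongside the two new `home-inst` entries, so paths under /var/home would presumably stop getting home-directory labels from this file. If any supported layout still keeps home directories there (for example with /home as a symlink into /var), those files would be labeled by the generic /var rules after a relabel. It is worth confirming that this is intended and recording in the changelog what `/home-inst` and `/home/home-inst` are used for. The two added lines also use a different column alignment from the entries around them.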
diff --git a/SOURCES/macro-expander b/SOURCES/macro-expander
new file mode 100644
index 0000000..2670b61
--- /dev/null
+++ b/SOURCES/macro-expander
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+function usage {
+    echo "Usage: $0 [ -c | -t [ -M ] ] <macro>"
+    echo "Options:
+  -c     generate CIL output
+  -t     generate standard policy source format (.te) allow rules - this is default
+  -M     generate complete module .te output
+"
+}
+
+function cleanup {
+    rm -rf $TEMP_STORE
+}
+
+while getopts "chMt" opt; do
+    case $opt in
+        c) GENCIL=1
+           ;;
+        t) GENTE=1
+           ;;
+        M) GENTEMODULE=1
+           ;;
+        h) usage
+           exit 0
+           ;;
+        \?) usage
+           exit 1
+           ;;
+    esac
+done
+
+shift $((OPTIND-1))
+
+SELINUX_MACRO=$1
+
+if [ -z "$SELINUX_MACRO" ]
+then
+    exit 1
+fi
+
+TEMP_STORE="$(mktemp -d)"
+cd $TEMP_STORE || exit 1
+
+IFS="("
+set $1
+SELINUX_DOMAIN="${2::-1}"
+
+echo -e "policy_module(expander, 1.0.0) \n" \
+     "gen_require(\`\n" \
+     "type $SELINUX_DOMAIN ; \n" \
+     "')" > expander.te
+
+echo "$SELINUX_MACRO" >> expander.te
+
+make -f /usr/share/selinux/devel/Makefile tmp/all_interfaces.conf &> /dev/null
+
+if [ "x$GENCIL" = "x1" ]; then
+
+    make -f /usr/share/selinux/devel/Makefile expander.pp &> /dev/null
+    MAKE_RESULT=$?
+
+    if [ $MAKE_RESULT -ne 2 ]
+    then
+        /usr/libexec/selinux/hll/pp < $TEMP_STORE/expander.pp > $TEMP_STORE/expander.cil 2> /dev/null
+        grep -v "cil_gen_require" $TEMP_STORE/expander.cil | sort -u
+    fi
+fi
+
+if [ "$GENTE" = "1" ] || [ "x$GENCIL" != "x1" ]; then
+    m4 -D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -s /usr/share/selinux/devel/include/support/file_patterns.spt /usr/share/selinux/devel/include/support/ipc_patterns.spt /usr/share/selinux/devel/include/support/obj_perm_sets.spt /usr/share/selinux/devel/include/support/misc_patterns.spt /usr/share/selinux/devel/include/support/misc_macros.spt /usr/share/selinux/devel/include/support/all_perms.spt /usr/share/selinux/devel/include/support/mls_mcs_macros.spt /usr/share/selinux/devel/include/support/loadable_module.spt tmp/all_interfaces.conf expander.te > expander.tmp 2> /dev/null
+    if [ "x$GENTEMODULE" = "x1" ]; then
+       #    sed '/^#.*$/d;/^\s*$/d;/^\s*class .*/d;/^\s*category .*/d;s/^\s*//' expander.tmp
+        sed '/^#.*$/d;/^\s*$/d;/^\s*category .*/d;s/^\s*//' expander.tmp
+    else
+        grep  '^\s*allow' expander.tmp | sed 's/^\s*//'
+    fi
+fi
+
+cd - > /dev/null || exit 1
+cleanup
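Review bot: The temp-directory setup after `mktemp -d` can misfire: the result is unchecked and `cd $TEMP_STORE` is unquoted, so if mktemp fails the empty expansion makes `cd` succeed in $HOME and expander.te plus the make output land there. `cleanup` is only reached on the last line, so an interrupt leaves the directory behind; a `trap cleanup EXIT` set right after creation covers every exit path. `IFS="("` stays changed for the rest of the script and `set $1` has no `--`, so a macro argument starting with `-` is parsed as shell options; plain parameter expansion extracts the argument list without touching IFS. The empty-argument branch would also be friendlier with `usage >&2` before its `exit 1`, and the later `$TEMP_STORE` and `$MAKE_RESULT` expansions should be quoted as well.

```shell
function cleanup {
    # :? aborts instead of running rm -rf with an empty path
    rm -rf -- "${TEMP_STORE:?}"
}

# … unchanged: option parsing and the empty-argument check …

TEMP_STORE="$(mktemp -d)" || exit 1
trap cleanup EXIT
cd "$TEMP_STORE" || exit 1

# Text between the first "(" and the trailing ")", without changing IFS
SELINUX_DOMAIN="${SELINUX_MACRO#*\(}"
SELINUX_DOMAIN="${SELINUX_DOMAIN%\)}"

# … unchanged: expander.te generation, make and m4 invocations …
```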
diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf
index 2c90709..ebff470 100644
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@@ -292,6 +292,13 @@ cfengine = module
 # 
 cgroup = module
 
+# Layer: contrib
+# Module: cgdcbxd
+#
+# cgdcbxd policy
+#
+cgdcbxd = module
+
 # Layer: apps
 # Module: chrome
 #
@@ -2602,13 +2609,6 @@ sbd = module
 tlp = module
 
 # Layer: contrib
-# Module: ejabberd
-#
-# ejabberd
-#
-ejabberd = module
-
-# Layer: contrib
 # Module: conntrackd
 #
 # conntrackd
@@ -2637,6 +2637,13 @@ ibacm = module
 opafm = module
 
 # Layer: contrib
+# Module: boltd
+#
+# boltd
+#
+boltd = module
+
+# Layer: contrib
 # Module: kpatch
 #
 # kpatch
diff --git a/SOURCES/rpm.macros b/SOURCES/rpm.macros
index a6e8e7c..3eadcbf 100644
--- a/SOURCES/rpm.macros
+++ b/SOURCES/rpm.macros
@@ -55,7 +55,7 @@ if [ -z "${_policytype}" ]; then \
 fi \
 if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
   %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* \
-  %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy \
+  %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
 fi \
 %{nil}
 
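Review bot: Appending `|| :` to `selinuxenabled && load_policy` hides two different outcomes behind one success status: SELinux being disabled, which is fine to ignore, and `load_policy` itself failing. The preceding `semodule -n` installs the module without reloading, so a failed reload would leave the kernel on the old policy while the scriptlet reports success and prints nothing. Separating the cases keeps the scriptlet non-fatal but leaves a trace, e.g. `if %{_sbindir}/selinuxenabled; then %{_sbindir}/load_policy || echo "load_policy failed" >&2; fi \`. The same applies to the identical line in the removal macro in the next hunk; both macro bodies start outside their hunks.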
@@ -69,7 +69,7 @@ fi \
 if [ $1 -eq 0 ]; then \
   if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
     %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
-    %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy \
+    %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
   fi \
 fi \
 %{nil}
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 941bfef..32bcd7d 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 49222dd20c1712a7a9aba791f0627025845a24c3
+%global commit0 9c02e9977eedf96c45a26ed4a1d0c5e6c3f2c8d9
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 a81a28a49561ca0890dfb4b79aff47fe2b2568b7
+%global commit1 c8ebb9fb34b06455a41e1ff59626c186d8602452
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -24,14 +24,13 @@
 %define BUILD_MLS 1
 %endif
 %define POLICYVER 31
-%define POLICYCOREUTILSVER 2.7-19
-%define CHECKPOLICYVER 2.7-7
+%define POLICYCOREUTILSVER 2.9
+%define CHECKPOLICYVER 2.9
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.14.1
-Release: 61%{?dist}.2
+Version: 3.14.3
+Release: 20%{?dist}
 License: GPLv2+
-Group: System Environment/Base
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
 Source1: modules-targeted-base.conf
@@ -50,7 +49,6 @@ Source17: booleans-minimum.conf
 Source18: setrans-minimum.conf
 Source19: securetty_types-minimum
 Source20: customizable_types
-Source21: config.tgz
 Source22: users-mls
 Source23: users-targeted
 Source25: users-minimum
@@ -59,6 +57,12 @@ Source27: selinux-policy.conf
 Source28: permissivedomains.cil
 Source30: booleans.subs_dist
 
+# Tool helps during policy development, to expand system m4 macros to raw allow rules
+# Git repo: https://gitlab.cee.redhat.com/SELinux/macro-expander
+Source33: macro-expander
+
+# Include SELinux policy for container from separate container-selinux repo
+# Git repo: https://github.com/containers/container-selinux.git
 Source35: container-selinux.tgz
 
 # Do a factory reset when there's no policy.kern file in a store
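Review bot: The `Git repo:` comment for Source33 points at a host that looks internal (gitlab.cee.redhat.com), so anyone rebuilding the package outside that network cannot compare the bundled script with its origin. Recording the revision the copy was taken from would make it auditable, e.g. `# Taken from macro-expander commit <COMMIT_ID>`. The same goes for the container-selinux.tgz comment, which names the repository but not the commit or tag that was archived. The first comment line would read more clearly as `# Tool used during policy development to expand SELinux m4 macros into raw allow rules`.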
@@ -68,7 +72,7 @@ Source35: container-selinux.tgz
 # Provide rpm macros for packages installing SELinux modules
 Source102: rpm.macros
 
-Url: %{git0-base}
+Url: %{git0}
 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2
 BuildRequires: gcc
@@ -82,7 +86,6 @@ Based off of reference policy: Checked out revision  2.20091117
 
 
 %files 
-%defattr(-,root,root,-)
 %{!?_licensedir:%global license %%doc}
 %license COPYING
 %dir %{_usr}/share/selinux
@@ -95,7 +98,6 @@ Based off of reference policy: Checked out revision  2.20091117
 
 %package sandbox
 Summary: SELinux policy sandbox
-Group: System Environment/Base
 Requires(pre): selinux-policy-base = %{version}-%{release}
 Requires(pre): selinux-policy-targeted = %{version}-%{release}
 
@@ -103,7 +105,6 @@ Requires(pre): selinux-policy-targeted = %{version}-%{release}
 SELinux sandbox policy used for the policycoreutils-sandbox package
 
 %files sandbox
-%defattr(-,root,root,-)
 %verify(not md5 size mtime) /usr/share/selinux/packages/sandbox.pp
 
 %post sandbox
@@ -126,7 +127,6 @@ exit 0
 
 %package devel
 Summary: SELinux policy devel
-Group: System Environment/Base
 Requires(pre): selinux-policy = %{version}-%{release}
 Requires: selinux-policy = %{version}-%{release}
 Requires: m4 checkpolicy >= %{CHECKPOLICYVER}
@@ -137,7 +137,7 @@ Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER}
 SELinux policy development and man page package
 
 %files devel
-%defattr(-,root,root,-)
+%{_bindir}/macro-expander
 %dir %{_usr}/share/selinux/devel
 %dir %{_usr}/share/selinux/devel/include
 %{_usr}/share/selinux/devel/include/*
@@ -155,7 +155,6 @@ exit 0
 
 %package doc
 Summary: SELinux policy documentation
-Group: System Environment/Base
 Requires(pre): selinux-policy = %{version}-%{release}
 Requires: selinux-policy = %{version}-%{release}
 
@@ -163,7 +162,6 @@ Requires: selinux-policy = %{version}-%{release}
 SELinux policy documentation package
 
 %files doc
-%defattr(-,root,root,-)
 %{_mandir}/man*/*
 %{_mandir}/ru/*/*
 %doc %{_usr}/share/doc/%{name}
@@ -276,7 +274,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
 /usr/sbin/selinuxenabled; \
 if [ $? = 0  -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
-     /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null > /dev/null; \
+     /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
      rm -f ${FILE_CONTEXT}.pre; \
 fi; \
 if /sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
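Review bot: `&> /dev/null > /dev/null` on the fixfiles line is a bash-only redirection followed by a redundant second one. Under a POSIX /bin/sh, `&>` parses as a background `&` plus `> /dev/null`, which would start fixfiles asynchronously and let the `rm -f ${FILE_CONTEXT}.pre` on the next line race with it. The portable spelling is `/sbin/fixfiles -C ${FILE_CONTEXT}.pre restore > /dev/null 2>&1; \`. Discarding stderr entirely also hides a failed relabel, so keeping stderr or checking the exit status may be worth considering. The macro body starts before this hunk and continues after it.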
@@ -355,10 +353,9 @@ refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib
 
 mkdir selinux_config
-for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do
+for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do
  cp $i selinux_config
 done
-tar zxvf selinux_config/config.tgz
 
 %install
 export PYTHON=%{__python3}
@@ -370,6 +367,8 @@ touch %{buildroot}%{_sysconfdir}/selinux/config
 touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
 mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
 cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/
+mkdir -p %{buildroot}%{_bindir}
+cp %{SOURCE33} %{buildroot}%{_bindir}/
 
 # Always create policy module package directories
 mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/
@@ -422,6 +421,9 @@ rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
 %installFactoryResetFiles mls
 %endif
 
+# remove leftovers when save-previous=true (semanage.conf) is used
+rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous
+
 mkdir -p %{buildroot}%{_mandir}
 cp -R  man/* %{buildroot}%{_mandir}
 make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name} MLS_CATS=1024 MCS_CATS=1024 install-docs
@@ -485,7 +487,6 @@ exit 0
 %package targeted
 Summary: SELinux targeted base policy
 Provides: selinux-policy-base = %{version}-%{release}
-Group: System Environment/Base
 Obsoletes: selinux-policy-targeted-sources < 2
 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
 Requires(pre): coreutils
@@ -553,7 +554,6 @@ fi
 exit 0
 
 %files targeted -f %{buildroot}/%{_usr}/share/selinux/targeted/nonbasemodules.lst
-%defattr(-,root,root,-)
 %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
 %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u 
 %fileList targeted
@@ -564,7 +564,6 @@ exit 0
 %package minimum
 Summary: SELinux minimum base policy
 Provides: selinux-policy-base = %{version}-%{release}
-Group: System Environment/Base
 Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER}
 Requires(pre): coreutils
 Requires(pre): selinux-policy = %{version}-%{release}
@@ -649,7 +648,6 @@ fi
 exit 0
 
 %files minimum -f %{buildroot}/%{_usr}/share/selinux/minimum/nonbasemodules.lst
-%defattr(-,root,root,-)
 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u 
 %fileList minimum
@@ -658,7 +656,6 @@ exit 0
 %if %{BUILD_MLS}
 %package mls 
 Summary: SELinux mls base policy
-Group: System Environment/Base
 Provides: selinux-policy-base = %{version}-%{release}
 Obsoletes: selinux-policy-mls-sources < 2
 Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
@@ -713,19 +710,285 @@ exit 0
 
 
 %files mls -f %{buildroot}/%{_usr}/share/selinux/mls/nonbasemodules.lst
-%defattr(-,root,root,-)
 %config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
 %fileList mls
 %endif
 
 %changelog
-* Mon Aug 05 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-61.2
+* Mon Sep 16 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-20
+- Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces.
+- Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label
+Resolves: rhbz#1720639
+
+* Fri Aug 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-19
+- Update cpucontrol_t SELinux policy
+Resolves: rhbz#1743930
+
+* Mon Aug 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-18
+- Allow dlm_controld_t domain to transition to the lvm_t
+Resolves: rhbz#1732956
+
+* Fri Aug 16 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-17
+- Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t
+Resolves: rhbz#1669485
+- Fix typo in networkmanager_append_log() interface
+Resolves: rhbz#1687460
+- Update gpg policy to make ti working with confined users
+Resolves: rhbz#1640296
+
+* Wed Aug 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-16
+- Allow audisp_remote_t domain to read kerberos keytab
+Resolves: rhbz#1740146
+
+* Mon Aug 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-15
+- Dontaudit abrt_t domain to read root_t files
+Resolves: rhbz#1734403
+- Allow ipa_dnskey_t domain to read kerberos keytab
+Resolves: rhbz#1730144
+- Update ibacm_t policy
+- Allow dlm_controld_t domain setgid capability
+Resolves: rhbz#1738608
+- Allow auditd_t domain to create auditd_tmp_t temporary files and dirs in /tmp or /var/tmp
+Resolves: rhbz#1740146
+- Update systemd_dontaudit_read_unit_files() interface to dontaudit alos listing dirs
+Resolves: rhbz#1670139
+
+* Wed Aug 07 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-14
+- Allow cgdcbxd_t domain to list cgroup dirs
+Resolves: rhbz#1651991
+
+* Mon Jul 29 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-13
+- Allow search krb5_keytab_t dirs for interfaces kerberos_read_keytab() and kerberos_rw_keytab
+Resolves: rhbz#1730144
+- Allow virtlockd process read virtlockd.conf file
+Resolves: rhbz#1733185
+- Relabel  /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t.
+Resolves: rhbz#1733185
+- Allow brltty to request to load kernel module
+Resolves: rhbz#1689955
+- Add svnserve_tmp_t label forl svnserve temp files to system private tmp
+Resolves: rhbz#1729955
+- Dontaudit svirt_tcg_t domain to read process state of libvirt
+Resolves: rhbz#1732500
+- Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool
+Resolves: rhbz#1732381
+- Allow cyrus work with PrivateTmp
+Resolves: rhbz#1725023
+- Make cgdcbxd_t domain working with SELinux enforcing.
+Resolves: rhbz#1651991
+- Remove system_r role from staff_u user.
+Resolves: rhbz#1677052
+- Add systemd_private_tmp_type attribute
+Resolves: rhbz#1725023
+- Allow systemd to load kernel modules during boot process.
+Resolves: rhbz#1644805
+
+* Fri Jul 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-12
+- Make working wireshark execute byt confined users staff_t and sysadm_t
+Resolves: rhbz#1712788
+- Label user cron spool file with user_cron_spool_t
+Resolves: rhbz#1727342
+- Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool
+Resolves: rhbz#1668667
+- Update svnserve_t policy to make working svnserve hooks
+Resolves: rhbz#1729955
+- Allow varnishlog_t domain to check for presence of varnishd_t domains
+Resolves: rhbz#1730270
+- Allow lsmd_t domain to execute /usr/bin/debuginfo-install
+Resolves: rhbz#1720648
+- Update sandboxX policy to make working firefox inside SELinux sandbox
+Resolves: rhbz#1663874
+- Remove allow rule from svirt_transition_svirt_sandbox interface to don't allow containers to connect to random services
+Resolves: rhbz#1695248
+- Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices
+Resolves: rhbz#1690484
+- Allow opafm_t domain to modify scheduling information of another process.
+Resolves: rhbz#1725874
+- Allow gssd_t domain to list tmpfs_t dirs
+Resolves: rhbz#1674470
+- Allow mdadm_t domain to read tmpfs_t files
+Resolves: rhbz#1669996
+- Allow sbd_t domain to check presence of processes labeled as cluster_t
+Resolves: rhbz#1669595
+- Dontaudit httpd_sys_script_t to read systemd unit files
+Resolves: rhbz#1670139
+- Allow blkmapd_t domain to read nvme devices
+Resolves: rhbz#1669985
+- Update cpucontrol_t domain to make working microcode service
+Resolves: rhbz#1669485
+- Allow domain transition from logwatch_t do postfix_postqueue_t
+Resolves: rhbz#1669162
+- Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file e.g: 'chronyc -n tracking > /var/lib/test'
+Resolves: rhbz#1696252
+- Allow httpd_sys_script_t domain to mmap httpdcontent
+Resolves: rhbz#1693137
+- Allow sbd_t to manage cgroups_t files
+Resolves: rhbz#1715134
+- Update wireshark policy to make working tshar labeled as wireshark_t
+Resolves: rhbz#1711005
+- Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files
+Resolves: rhbz#1719083
 - Allow sbd_t domain to use nsswitch
-Resolves: rhbz#1733905
-
-* Fri May 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-61.1
-- Allow unconfined users to use smc unlabeled sockets
-Resolves: rhbz#1708098
+Resolves: rhbz#1723498
+- Allow sysadm_t and staff_t domains to read wireshark shared memory
+Resolves: rhbz#1712788
+- Label /usr/libexec/utempter/utempter  as utemper_exec_t
+Resolves: rhbz#1729571
+- Allow unconfined_domain_type to setattr own process lnk files.
+Resolves: rhbz#1730500
+- Add interface files_write_generic_pid_sockets()
+- Dontaudit writing to user home dirs by gnome-keyring-daemon
+Resolves: rhbz#1689797
+- Allow staff and admin domains to setpcap in user namespace
+Resolves: rhbz#1673922
+- Allow staff and sysadm to use lockdev
+Resolves: rhbz#1673269
+- Allow staff and sysadm users to run iotop.
+Resolves: rhbz#1671241
+- Dontaudit traceroute_t domain require sys_admin capability
+Resolves: rhbz#1671672
+- Dontaudit dbus chat between kernel_t and init_t
+Resolves: rhbz#1669095
+- Allow systemd labeled as init_t to create mountpoints without any specific label as default_t
+Resolves: rhbz#1696144
+
+* Tue Jul 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-11
+- Fix minor changes to pass coverity scan
+Resolves: rhbz#1728578
+
+* Tue Jul 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-10
+- Allow qpidd_t domain to getattr all fs_t filesystem and mmap usr_t files
+- Label /var/kerberos/krb5 as krb5_keytab_t
+Resolves: rhbz#1669975
+- Allow sbd_t domain to manage cgroup dirs
+Resolves: rhbz#1715134
+- Allow wireshark_t domain to create netlink netfilter sockets
+Resolves: rhbz#1711005
+- Allow gpg_agent_t domain to use nsswitch
+Resolves: rhbz#1567073
+- Allow httpd script types to mmap httpd rw content
+Resolves: rhbz#1693137
+- Allow confined users to login via cockpit
+Resolves: rhbz#1718814
+- Replace "-" by "_" in speechdispatcher types names
+- Change condor_domain declaration in condor_systemctl
+- Update interface networkmanager_manage_pid_files() to allow manage also dirs
+Resolves: rhbz#1720070
+- Update virt_use_nfs() boolean to allow virt_t to mmap nfs_t files
+Resolves: rhbz#1719083
+- Fix all interfaces which cannot by compiled because of typos
+Resolves: rhbz#1687460
+- Allow auditd_t domain to send signals to audisp_remote_t domain
+Resolves: rhbz#1726659
+- Allow associate efivarfs_t on sysfs_t
+Resolves: rhbz#1709747
+- Allow userdomain attribute to manage cockpit_ws_t stream sockets
+Resolves: rhbz#1718814
+- Allow ssh_agent_type to read/write cockpit_session_t unnamed pipes
+- Add interface ssh_agent_signal()
+- Dontaudit unpriv_userdomain to manage boot_t files
+Resolves: rhbz#1723773
+- Allow crack_t domain read /et/passwd files
+Resolves: rhbz#1721132
+- Allow dhcpc_t domain to manage network manager pid files
+Resolves: rhbz#1720070
+
+* Mon Jun 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-9
+- Allow redis_t domain to read public sssd files
+Resolves: rhbz#1718200
+- Label /usr/sbin/nft as iptables_exec_t
+Resolves: rhbz#1656891
+
+* Wed Jun 05 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-8
+- Allow sbd_t domain to read tmpfs_t symlinks
+Resolves: rhbz#1715134
+
+* Mon Jun 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-7
+- Allow kadmind_t domain to read home config data
+Resolves: rhbz#1664983
+- Allow sbd_t domain to readwrite cgroups
+Resolves: rhbz#1715134
+- Label /var/log/pacemaker/pacemaker as cluster_var_log_t
+Resolves: rhbz#1712058
+- Allow certmonger_t domain to manage named cache files/dirs
+
+* Mon May 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-6
+- Allow kadmind_t domain to read pkcs11 module configs
+Resolves: rhbz#1664983
+- Allow kadmind_t domain to read named_cache_t files
+Resolves: rhbz#1703241
+- Fix bind_read_cache() interface to allow only read perms to caller domains
+- Allow chronyc_t domain to create own tmpfiles and allow communicate send data over unix dgram sockets
+Resolves: rhbz#1711909
+- Allow wireshark_t domain to create fifo temp files
+Resolves: rhbz#1711005
+- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
+Resolves :rhbz#1656837
+- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
+Resolves: rhbz#1648854
+- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
+Resolves:rhbz#1688671
+- Add dac_override capability to namespace_init_t domain
+Resolves: rhbz#1557420
+- Label /usr/sbin/corosync-qdevice as cluster_exec_t
+Resolves: rhbz#1690925
+- Label /usr/libexec/dnf-utils as debuginfo_exec_t
+Resolves: rhbz#1711183
+- Allow rtkit_scheduled for sysadm
+Resolves: rhbz#1703241
+- Fix find commands in Makefiles
+- Allow associate all filesystem_types with fs_t
+Resolves: rhbz#1614209
+- Allow init_t to manage session_dbusd_tmp_t dirs
+Resolves: rhbz#1688671
+- Allow systemd_gpt_generator_t to read/write to clearance
+Resolves: rhbz#1558573
+- Allow su_domain_type to getattr to /dev/gpmctl
+Resolves: rhbz#1593667
+
+* Fri May 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-5
+- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
+Resolves :rhbz#1656837
+- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
+Resolves: rhbz#1648854
+- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
+Resolves:rhbz#1688671
+- Add dac_override capability to namespace_init_t domain
+Resolves: rhbz#1557420
+- Label /usr/sbin/corosync-qdevice as cluster_exec_t
+Resolves: rhbz#1690925
+- Label /usr/libexec/dnf-utils as debuginfo_exec_t
+Resolves: rhbz#1711183
+- Label /usr/bin/tshark as wireshark_exec_t
+Resolves: rhbz#1710962
+- Allow rhsmcertd_t domain to read rpm cache files
+Resolves: rhbz#1641648
+- Allow associate all filesystem_types with fs_t
+Resolves: rhbz#1614209
+- Allow init_t to manage session_dbusd_tmp_t dirs
+Resolves: rhbz#1688671
+- Allow systemd_gpt_generator_t to read/write to clearance
+Resolves: rhbz#1558573
+- Allow su_domain_type to getattr to /dev/gpmctl
+Resolves: rhbz#1593667
+- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users
+Resolves: rhbz#1709372
+
+* Thu May 02 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-4
+- Rebase with Fedora 30 package selinux-policy-3.14.3-34.fc30
+Resolves: rhbz#1673107
+
+* Tue Apr 23 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-3
+- Rebase with Fedora 30 package selinux-policy-3.14.3-31.fc30
+Resolves: rhbz#1673107
+
+* Tue Apr 16 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-2
+- Fix interface kernel_mounton_kernel_sysctl()
+Resolves: rhbz#1700222
+
+* Wed Apr 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-1
+- Rebase with Fedora 30 package selinux-policy-3.14.3-28.fc30
+Resolves: rhbz#1673107
 
 * Fri Feb 22 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-61
 - Add dac_override capability for sbd_t SELinux domain