diff --git a/.gitignore b/.gitignore
index 656c76a..4bb0911 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-33fd484.tar.gz
-SOURCES/selinux-policy-contrib-4beb213.tar.gz
+SOURCES/selinux-policy-contrib-5a34aed.tar.gz
+SOURCES/selinux-policy-f03e96b.tar.gz
diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
index 36c1b3a..41241d4 100644
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@@ -1,3 +1,3 @@
-99c5dc0dbb5f824b2cc29d18e8911401677e0bb1 SOURCES/container-selinux.tgz
-4da13e377b1e178962423475a04832ed39581394 SOURCES/selinux-policy-33fd484.tar.gz
-45d3dbd0265f43953376baacdbc070a566eb429b SOURCES/selinux-policy-contrib-4beb213.tar.gz
+cb067707a9936c8284f209ddb8f4a3011a302730 SOURCES/container-selinux.tgz
+00ac11cfcd23af70f64c6e2b80cd729e1b86036b SOURCES/selinux-policy-contrib-5a34aed.tar.gz
+ee9152107300c1098258d3228ca6322f92cd64da SOURCES/selinux-policy-f03e96b.tar.gz
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index fc9caf0..8876df1 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 33fd4847deb2522105cfba82da5efb707025934c
+%global commit0 f03e96be44ed92351de89ee0fa275391dbeaf3ea
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 4beb213356f6020d4ea6635dda6842cef88fb357
+%global commit1 5a34aedf6563624d8543cbc708ba2a29be508872
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 65%{?dist}
+Release: 66%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -715,6 +715,10 @@ exit 0
 %endif
 
 %changelog
+* Thu Mar 04 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-66
+- Disallow user_t run su/sudo and staff_t run su
+Resolves: rhbz#1907517
+
 * Mon Feb 22 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-65
 - Relabel /usr/sbin/charon-systemd as ipsec_exec_t
 Resolves: rhbz#1889542