diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2b8f20f..d8eec8b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 2d39d24bc2473eac94a5ccdfa373e29db041d3fd
+%global commit0 a46eac200fe1261c59d4093721e3539139a1e45e
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 a69f9e63d83dd5f603147ddf7a349e075c80959d
+%global commit1 6c30b43e6935ef82dc07dc56f4cbcb220ec814aa
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
@@ -709,6 +709,28 @@ exit 0
 %endif
 
 %changelog
+* Sun Nov 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-11
+- Add nnp transition rule for vnstatd_t domain using NoNewPrivileges systemd feature BZ(1643063)
+- Allow l2tpd_t domain to mmap /etc/passwd file BZ(1638948)
+- Add dac_override capability to ftpd_t domain
+- Allow gpg_t to create own tmpfs dirs and sockets
+- Allow rhsmcertd_t domain to relabel cert_t files
+- Add SELinux policy for kpatch
+- Allow nova_t domain to use pam
+- sysstat: grant sysstat_t the search_dir_perms set
+- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)
+- Allow systemd_logind_t to read fixed dist device BZ(1645631)
+- Allow systemd_logind_t domain to read nvme devices BZ(1645567)
+- Allow systemd_rfkill_t domain to comunicate via dgram sockets with syslogd BZ(1638981)
+- kernel/files.fc: Label /run/motd.d(/.*)? as etc_t
+- Allow ipsec_mgmt_t process to send signals other than SIGKILL, SIGSTOP, or SIGCHLD to the ipsec_t domains BZ(1638949)
+- Allow X display manager to check status and reload services which are part of x_domain attribute
+- Add interface miscfiles_relabel_generic_cert()
+- Make kpatch policy active
+- Fix userdom_write_user_tmp_dirs() to allow caller domain also read/write user_tmp_t dirs
+- Dontaudit sys_admin capability for netutils_t domain
+- Label tcp and udp ports 2611 as qpasa_agent_port_t
+
 * Tue Oct 16 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-10
 - Allow boltd_t domain to dbus chat with fwupd_t domain BZ(1633786)
 
diff --git a/sources b/sources
index b670d9b..9bd4afc 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (selinux-policy-2d39d24.tar.gz) = 0b25543fa70599a6086336fa90edf69acda23d7c5df861a88b5733e7c14947e5f05a178e7f8fb5ebc8da9c90c1a45a746265c9ced677f4887c5267252d0e59b4
-SHA512 (selinux-policy-contrib-a69f9e6.tar.gz) = c62e676a671e7972ea21e29c2b63c773d52364abc578aea4a5d58d283311dcef8fa8ea5f835802e2672a8ee0ee182c7d3d548df9de09df400d7dddc4ad26efce
-SHA512 (container-selinux.tgz) = 4551b22581627050aa1e3bb3af025f22203d6d551d2e45e364bd702b4ca89253c6c47bb32fdf8e80727a8586defbfcd0d52e2a612d97a22d8f76217666c7f864
+SHA512 (selinux-policy-a46eac2.tar.gz) = 88cf4f6801637eed42327796358b74c5db660d2f029c44693149e7339c595736a957626d2302b582fa11a628c655425ee819fabdb21551f819a253edb550f1d4
+SHA512 (selinux-policy-contrib-6c30b43.tar.gz) = fb6cc12a4547a61daedb140f07a0858edc584124442d4010849cf7a5dd8b421ea35825c428b9f4ca7fe6d0ef2ec99cd0798112545911fe5c42cfa55139533347
+SHA512 (container-selinux.tgz) = 7efc8fce110a6ae7ecb4574d7c9a2929997e23e31484924c74b37275121cde680311e46ec44fbdef8a8de89fca46b0c29811ab1a497627330ccf4021ddc47ec7
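Review bot: The `container-selinux.tgz` entry on the last line gets a new SHA512 under the same unversioned file name, so nothing visible in this commit records which upstream revision the new archive corresponds to. The two `selinux-policy*` tarballs, by contrast, carry the short commit pinned by `commit0`/`commit1` in the spec, and their new digests can be traced to those bumps. The 3.14.3-11 changelog entry does not mention a container-selinux refresh either, and how this archive is produced is not shown in the visible hunks. Consider pinning it the same way, e.g. a `%global commit2 <container-selinux commit>` in the spec and an archive name such as `container-selinux-<shortcommit>.tgz`. Failing that, record the source revision in the changelog so the digest can be reproduced and audited later.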