diff --git a/selinux-policy.spec b/selinux-policy.spec
index 36b112b..81e947e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,6 +1,6 @@
 # github repo with selinux-policy sources
 %global giturl https://github.com/fedora-selinux/selinux-policy
-%global commit b1497c15f68bf0ceac2b19684582266e717bd079
+%global commit 84dd4309ad6d644edea2c3cf448f516f4e008c04
 %global shortcommit %(c=%{commit}; echo ${c:0:7})
 
 %define distro redhat
@@ -23,7 +23,7 @@
 %define CHECKPOLICYVER 3.2
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 35.8
+Version: 35.9
 Release: 1%{?dist}
 License: GPLv2+
 Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
@@ -808,6 +808,24 @@ exit 0
 %endif
 
 %changelog
+* Wed Jan 12 2022 Zdenek Pytela <zpytela@redhat.com> - 35.9-1
+- Allow sshd read filesystem sysctl files
+- Revert "Allow sshd read sysctl files"
+- Allow tlp read its systemd unit
+- Allow gssproxy access to various system files.
+- Allow gssproxy read, write, and map ica tmpfs files
+- Allow gssproxy read and write z90crypt device
+- Allow sssd_kcm read and write z90crypt device
+- Allow smbcontrol read the network state information
+- Allow virt_domain map vhost devices
+- Allow fcoemon request the kernel to load a module
+- Allow sshd read sysctl files
+- Ensure that `/run/systemd/*` are properly labeled
+- Allow admin userdomains use socketpair()
+- Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling
+- Allow lldpd connect to snmpd with a unix domain stream socket
+- Dontaudit pkcsslotd sys_admin capability
+
 * Thu Dec 23 2021 Zdenek Pytela <zpytela@redhat.com> - 35.8-1
 - Allow haproxy get attributes of filesystems with extended attributes
 - Allow haproxy get attributes of cgroup filesystems
diff --git a/sources b/sources
index f3ed5b2..7e2b686 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (selinux-policy-b1497c1.tar.gz) = c306e46b857ee1ebc3cce7a5afa6e60a4bb6b8b79825f26983191e52313c6bad96ed1506d9a10f0af0638159d9c9d845d697548e727ea5a37589bdc2752ef586
-SHA512 (container-selinux.tgz) = 6d93bb74cb9a1102b6aced9f19fd1bbe951aa945d9cc817016c19a9570994009db5f8cf908db8b2d4a9aa81eeb7fc280130f8f99d6ab2185ebaea948f773734c
+SHA512 (selinux-policy-84dd430.tar.gz) = 4ce18a6104ac28748f09bba2bb42e535a8a2a06e5e209cc076250acd47585f141428ffd7e82a407b93ce977275db21e9929beb96be1d9db9cbf2cd24f89092be
+SHA512 (container-selinux.tgz) = 3427c9b46b93207f5be8dd6bc0d984b18940936fa0f23bb32a2f2fc7bba3146c67373d5217998643add7ff3731d27c346ee7378c52044487350e25db9af86e60
 SHA512 (macro-expander) = 243ee49f1185b78ac47e56ca9a3f3592f8975fab1a2401c0fcc7f88217be614fe31805bacec602b728e7fcfc21dcc17d90e9a54ce87f3a0c97624d9ad885aea4