diff --git a/SOURCES/policy-rhel-7.6.z-base.patch b/SOURCES/policy-rhel-7.6.z-base.patch
index a687990..cde33e8 100644
--- a/SOURCES/policy-rhel-7.6.z-base.patch
+++ b/SOURCES/policy-rhel-7.6.z-base.patch
@@ -84,6 +84,37 @@ index c03a52c04..8569b19db 100644
auth_domtrans_pam_console(staff_t)
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 8f75416ce..d5f2f5b4a 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -351,6 +351,26 @@ interface(`systemd_use_fds_logind',`
+ allow $1 systemd_logind_t:fd use;
+ ')
+
++########################################
++##
++## Read the process state (/proc/pid) of systemd_logind_t.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_logind_read_state',`
++ gen_require(`
++ type systemd_logind_t;
++ ')
++
++ allow $1 systemd_logind_t:dir search_dir_perms;
++ allow $1 systemd_logind_t:file read_file_perms;
++ allow $1 systemd_logind_t:lnk_file read_lnk_file_perms;
++')
++
+ ######################################
+ ##
+ ## Read logind sessions files.
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index cceb511fc..f5139efd2 100644
--- a/policy/modules/system/userdomain.te
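Review bot: The description of `systemd_logind_read_state` says "Read the process state", but the three rules grant only `search_dir_perms`, `read_file_perms` and `read_lnk_file_perms`, with no directory listing and no `process getattr`. That is narrower than what the `ps_process_pattern` macro used by many other read_state interfaces gives, and it is a sensible least-privilege choice. I would record it in the description so a later cleanup does not swap in the broader macro, for example `## Grants search/read on the /proc/pid entries only; no directory listing or process getattr.`. The interface also does not call `kernel_search_proc($1)`, so it relies on the caller already being able to search /proc; that is presumably true for nrpe_t but worth stating.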
diff --git a/SOURCES/policy-rhel-7.6.z-contrib.patch b/SOURCES/policy-rhel-7.6.z-contrib.patch
index 1fe9199..61f121d 100644
--- a/SOURCES/policy-rhel-7.6.z-contrib.patch
+++ b/SOURCES/policy-rhel-7.6.z-contrib.patch
@@ -372,9 +372,27 @@ index 5a177cd5a..c7fd00ea0 100644
dev_rw_modem(modemmanager_t)
diff --git a/nagios.te b/nagios.te
-index a5e1cfda8..4141c6374 100644
+index a5e1cfda8..02b65a000 100644
--- a/nagios.te
+++ b/nagios.te
+@@ -115,7 +115,7 @@ userdom_use_inherited_user_ttys(nagios_plugin_domain)
+ # Nagios local policy
+ #
+
+-allow nagios_t self:capability { dac_read_search dac_override setgid setuid };
++allow nagios_t self:capability { chown dac_read_search dac_override setgid setuid };
+ dontaudit nagios_t self:capability sys_tty_config;
+ allow nagios_t self:process { setpgid signal_perms };
+ allow nagios_t self:fifo_file rw_fifo_file_perms;
+@@ -203,7 +203,7 @@ mta_kill_system_mail(nagios_t)
+ systemd_exec_systemctl(nagios_t)
+
+ tunable_policy(`nagios_run_sudo',`
+- allow nagios_t self:capability { setuid setgid sys_resource sys_ptrace };
++ allow nagios_t self:capability { chown setuid setgid sys_resource sys_ptrace };
+ allow nagios_t self:process { setrlimit setsched };
+
+ allow nagios_t self:key write;
@@ -217,6 +217,9 @@ tunable_policy(`nagios_run_sudo',`
selinux_compute_access_vector(nagios_t)
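Review bot: `chown` is added to the unconditional `allow nagios_t self:capability` rule in the `@@ -115,7 +115,7 @@` hunk, so the second addition inside the nagios_run_sudo tunable block in the `@@ -203,7 +203,7 @@` hunk grants nothing new. If CAP_CHOWN is only needed when Nagios runs sudo (the changelog files it under the sudo bug but does not say so), keep it only in the boolean-gated rule and leave the base rule as `allow nagios_t self:capability { dac_read_search dac_override setgid setuid };`. nagios_t already holds dac_override, setuid and setgid unconditionally, so every extra capability in the base rule widens what the domain can do with the boolean off. Either way, a one-line comment naming the operation that needs chown would make the grant auditable.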
@@ -385,17 +403,42 @@ index a5e1cfda8..4141c6374 100644
logging_send_audit_msgs(nagios_t)
')
-@@ -365,6 +368,9 @@ tunable_policy(`nagios_run_sudo',`
+@@ -224,6 +227,10 @@ optional_policy(`
+ apache_systemctl(nagios_t)
+ ')
+
++optional_policy(`
++ dbus_system_bus_client(nagios_t)
++')
++
+ optional_policy(`
+ tunable_policy(`nagios_run_sudo',`
+ sudo_exec(nagios_t)
+@@ -231,6 +238,12 @@ optional_policy(`
+ ')
+ ')
+
++optional_policy(`
++ tunable_policy(`nagios_run_sudo',`
++ init_read_utmp(nagios_t)
++ ')
++')
++
+ tunable_policy(`nagios_run_pnp4nagios',`
+ allow nagios_t nagios_log_t:file execute;
+ ')
+@@ -365,6 +378,10 @@ tunable_policy(`nagios_run_sudo',`
selinux_compute_access_vector(nrpe_t)
+ systemd_write_inherited_logind_sessions_pipes(nrpe_t)
+ systemd_dbus_chat_logind(nrpe_t)
++ systemd_logind_read_state(nrpe_t)
+
logging_send_audit_msgs(nrpe_t)
')
-@@ -375,6 +381,13 @@ optional_policy(`
+@@ -375,6 +392,14 @@ optional_policy(`
')
')
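Review bot: `dbus_system_bus_client(nagios_t)` is added in a bare `optional_policy` block, not under the nagios_run_sudo boolean, and the next hunk does the same with `dbus_system_bus_client(nrpe_t)`. The logind rules added next to them for nrpe_t (`systemd_logind_read_state(nrpe_t)`) appear to sit inside the boolean, so both domains can connect to the system bus even when the boolean is off. If bus access is only needed for the sudo/logind path, which is an inference from the changelog, gate it on the boolean. If the interface cannot be used inside a conditional, add a comment such as `# system bus access needed for sudo session setup; cannot be made conditional` so the unconditional grant reads as deliberate.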
@@ -404,12 +447,24 @@ index a5e1cfda8..4141c6374 100644
+ sssd_read_config(nrpe_t)
+ sssd_manage_lib_files(nrpe_t)
+ sssd_read_pid_files(nrpe_t)
++ sssd_signull(nrpe_t)
+ ')
+')
tunable_policy(`nagios_use_nfs',`
fs_manage_nfs_files(nrpe_t)
-@@ -616,3 +629,7 @@ optional_policy(`
+@@ -382,6 +407,10 @@ tunable_policy(`nagios_use_nfs',`
+ fs_manage_nfs_symlinks(nrpe_t)
+ ')
+
++optional_policy(`
++ dbus_system_bus_client(nrpe_t)
++')
++
+ optional_policy(`
+ inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
+ ')
+@@ -616,3 +645,7 @@ optional_policy(`
optional_policy(`
unconfined_domain(nagios_unconfined_plugin_t)
')
@@ -591,6 +646,19 @@ index 7394a0dfc..4402cbe09 100644
typealias rpm_var_lib_t alias var_lib_rpm_t;
type rpm_var_cache_t;
+diff --git a/sbd.te b/sbd.te
+index 202904c19..d415d2c8a 100644
+--- a/sbd.te
++++ b/sbd.te
+@@ -37,6 +37,8 @@ manage_files_pattern(sbd_t, sbd_tmpfs_t, sbd_tmpfs_t)
+ manage_dirs_pattern(sbd_t, sbd_tmpfs_t, sbd_tmpfs_t)
+ fs_tmpfs_filetrans(sbd_t, sbd_tmpfs_t, { file dir })
+
++auth_use_nsswitch(sbd_t)
++
+ kernel_read_system_state(sbd_t)
+ kernel_dgram_send(sbd_t)
+ kernel_rw_kernel_sysctl(sbd_t)
diff --git a/snapper.fc b/snapper.fc
index 4f4bdb397..0a43846a8 100644
--- a/snapper.fc
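Review bot: `auth_use_nsswitch(sbd_t)` is a broad interface: besides reading the local passwd and group databases, it lets the domain reach whatever name-service backends are configured (DNS, LDAP, sssd and similar). The hunk does not show which lookup sbd performs. If it only resolves local users or groups, a narrower interface such as `auth_read_passwd(sbd_t)` may be enough; confirm against the AVC denials in the referenced bug. If the full nsswitch set is really needed, a short comment above the call saying which lookup requires it would help later policy audits.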
@@ -625,6 +693,35 @@ index 8c9e4a200..5be6d3542 100644
fs_getattr_all_fs(snapperd_t)
fs_mount_xattr_fs(snapperd_t)
+diff --git a/sssd.if b/sssd.if
+index 47530e258..2d4b9b2fa 100644
+--- a/sssd.if
++++ b/sssd.if
+@@ -502,6 +502,24 @@ interface(`sssd_rw_inherited_pipes',`
+ allow $1 sssd_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
++########################################
++##
++## Allow caller to signull sssd.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sssd_signull',`
++ gen_require(`
++ type sssd_t;
++ ')
++
++ allow $1 sssd_t:process signull;
++')
++
+ ########################################
+ ##
+ ## Transition to sssd named content
diff --git a/sysstat.te b/sysstat.te
index a2690e315..efb2f855c 100644
--- a/sysstat.te
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index a07d48e..a47e230 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 229%{?dist}.12
+Release: 229%{?dist}.15
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -657,6 +657,21 @@ fi
%endif
%changelog
+* Wed Jul 10 2019 Lukas Vrabec - 3.13.1-229.15
+- Allow sbd_t domain to use nsswitch
+Resolves: rhbz#1728592
+
+* Mon May 27 2019 Lukas Vrabec - 3.13.1-229.14
+- Allow nrpe_t domain to read process state of systemd_logind_t
+- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
+- Allow nrpe_t domain to be dbus cliennt
+- Allow ngaios to use chown capability
+Resolves: rhbz#1692893
+
+* Tue Apr 23 2019 Lukas Vrabec - 3.13.1-229.13
+- Update Nagios policy when sudo is used
+Resolves: rhbz#1692893
+
* Tue Apr 09 2019 Lukas Vrabec - 3.13.1-229.12
- Allow modemmanager_t domain to write to raw_ip file labeled as sysfs_t
Resolves: rhbz#1697868