diff --git a/.gitignore b/.gitignore
index 21596a8..9f37235 100644
--- a/.gitignore
+++ b/.gitignore
@@ -294,3 +294,5 @@ serefpolicy*
 /selinux-policy-61f6126.tar.gz
 /selinux-policy-b05b119.tar.gz
 /selinux-policy-contrib-2dd0063.tar.gz
+/selinux-policy-contrib-487de26.tar.gz
+/selinux-policy-b96e707.tar.gz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e3e9393..20b333a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 b05b119f976cb652f49bff5a6676eadd9dc01a5e
+%global commit0 b96e707c32e577cb118b5bed4a1963ffb30eee94
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 2dd0063de5360db3475c4d40fd8ceb91120a1f40
+%global commit1 487de26324135aff6ad7295d759be67e8c1f7318
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.1
-Release: 34%{?dist}
+Release: 35%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
@@ -718,6 +718,28 @@ exit 0
 %endif
 
 %changelog
+* Wed Jul 18 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-35
+- Allow cupsd_t domain to mmap cupsd_etc_t files
+- Allow kadmind_t domain to mmap krb5kdc_principal_t
+- Allow virtlogd_t domain to read virt_etc_t link files
+- Allow dirsrv_t domain to read crack db
+- Dontaudit pegasus_t to require sys_admin capability
+- Allow mysqld_t domain to exec mysqld_exec_t binary files
+- Allow abrt_t odmain to read rhsmcertd lib files
+- Allow winbind_t domain to request kernel module loads
+- Allow tomcat_domain to read cgroup_t files
+- Allow varnishlog_t domain to mmap varnishd_var_lib_t files
+- Allow innd_t domain to mmap news_spool_t files
+- Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t
+- Allow fenced_t domain to reboot
+- Allow amanda_t domain to read network system state
+- Allow abrt_t domain to read rhsmcertd logs
+- Dontaudit syslogd to watching top llevel dirs when imfile module is enabled
+- Revert "Allow unconfined and sysadm users to use bpftool BZ(1591440)"
+- Allow userdomain sudo domains to use generic ptys
+- Allow systemd labeled as init_t to get sysvipc info BZ(1600877)
+- Label /sbin/xtables-legacy-multi and /sbin/xtables-nft-multi as iptables_exec_t BZ(1600690)
+
 * Tue Jul 03 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-34
 - Add dac_read_search capability to thumb_t domain
 - Add dac_override capability to cups_pdf_t domain BZ(1594271)
diff --git a/sources b/sources
index c4a14cb..4290000 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (selinux-policy-b05b119.tar.gz) = bf1b58d01306a5ae8b79b02bb54bf8481bdba7edc736fe8ecf6abb0bd533bd7e25568466e2acd2167dd76a0ef3379eef4c920aeb8d9f0fb42f501f23afcd1f29
-SHA512 (selinux-policy-contrib-2dd0063.tar.gz) = 6be34ba2d21cc6efd286de80cf377600282a725f7416e39f595cf903aa16afac515351f217418b4429aa7972f6a4339a4da87f6bcb1688faf7fb238fcb08b7bd
-SHA512 (container-selinux.tgz) = 02efde2e9637eefa0e5a20104b0388a3a6a227401166a82e73c08b423cb8b798e3e9cc0ee036c8c6b17d09bcca5293886eee25cd6338c6284e8a7f2dcf722498
+SHA512 (selinux-policy-contrib-487de26.tar.gz) = 83ba573017a2bcf10079e47ca7b64e425f11416bfe37b9276458e70a5abe4c7bdca205d7045d75f740b9be56211a48971bdcb095a09f185eb479c9f2d10aaa81
+SHA512 (selinux-policy-b96e707.tar.gz) = d21db19820791879403bbe840f81ab2bc2c585c7b62009b2f0f96ad7667b537815f96a317bbef508e641fcedc0e76aec8f91b2e4bb691dbcca8ecaa1088afd1f
+SHA512 (container-selinux.tgz) = 7e7f8ced11c32aa6bfb1676b0bf3a9f3c4758be109af183bffcac168e41b9b0b509ba283a6989a0d6a21e941832357c7bbc7e2384e494d271fd3943de17ec2de