diff --git a/.gitignore b/.gitignore
index 90d8dba..b7d91da 100644
--- a/.gitignore
+++ b/.gitignore
@@ -84,3 +84,5 @@
 /snapd_2.54.2.only-vendor.tar.xz
 /snapd_2.54.3.no-vendor.tar.xz
 /snapd_2.54.3.only-vendor.tar.xz
+/snapd_2.54.4.no-vendor.tar.xz
+/snapd_2.54.4.only-vendor.tar.xz
diff --git a/0004-data-selinux-allow-the-snap-command-to-run-systemctl.patch b/0004-data-selinux-allow-the-snap-command-to-run-systemctl.patch
new file mode 100644
index 0000000..355417d
--- /dev/null
+++ b/0004-data-selinux-allow-the-snap-command-to-run-systemctl.patch
@@ -0,0 +1,32 @@
+From e995e0fafe55d0b73889b3995bbd982f4b362307 Mon Sep 17 00:00:00 2001
+Message-Id:
+From: Maciej Borzecki
+Date: Wed, 23 Feb 2022 07:32:45 +0100
+Subject: [PATCH] data/selinux: allow the snap command to run systemctl
+
+Which can happen when there is a system key mismatch. Caught in the wild on
+Fedora.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2057103
+
+Signed-off-by: Maciej Borzecki
+---
+ data/selinux/snappy.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/data/selinux/snappy.te b/data/selinux/snappy.te
+index cc6ba5b14b306977eaa555b35d803637c2f5aa3e..c79f789ab00d4bc7e996606d4d63db2ac78d7ebd 100644
+--- a/data/selinux/snappy.te
++++ b/data/selinux/snappy.te
+@@ -805,6 +805,8 @@ can_exec(snappy_cli_t, snappy_exec_t)
+ fs_getattr_tmpfs(snappy_cli_t)
+ fs_getattr_cgroup(snappy_cli_t)
+
++# execute systemctl is-system-running when system-key mismatch is detected
++systemd_exec_systemctl(snappy_cli_t)
+
+ ########################################
+ #
+--
+2.35.1
+
diff --git a/snapd.spec b/snapd.spec
index 3ca7f6c..a37844a 100644
--- a/snapd.spec
+++ b/snapd.spec
@@ -85,7 +85,7 @@
 %{!?_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
 Name: snapd
-Version: 2.54.3
+Version: 2.54.4
 Release: 1%{?dist}
 Summary: A transactional software package manager
 License: GPLv3
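Review bot: The comment added above `systemd_exec_systemctl(snappy_cli_t)` in the new 0004 patch (the data/selinux/snappy.te hunk) names a single use, `systemctl is-system-running`, but an SELinux execute permission cannot be scoped to a subcommand, so the rule lets snappy_cli_t run systemctl with any arguments. The interface is defined in the distribution policy, outside this diff, so whether systemctl then stays in snappy_cli_t or transitions, and which further permissions the macro expands to, should be confirmed against the selinux-policy version this package builds with. I would have the comment state the real scope, for example `# grants exec of systemctl (any subcommand); only is-system-running is expected, on system-key mismatch`. The policy section this rule sits in continues outside the hunk.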
@@ -95,6 +95,7 @@ Source1: https://%{provider_prefix}/releases/download/%{version}/%{name}_
 Patch0: 0001-data-selinux-update-the-policy-to-allow-creating-rem.patch
 Patch1: 0002-data-selinux-update-SELinux-policy-with-more-bpf-all.patch
 Patch2: 0003-data-selinux-snap-confine-may-getattr-device-nodes-w.patch
+Patch3: 0004-data-selinux-allow-the-snap-command-to-run-systemctl.patch
 %if 0%{?with_goarches}
 # e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
@@ -941,6 +942,47 @@ fi
 %changelog
+* Fri Mar 11 2022 Maciek Borzecki - 2.54.4-1
+- Release 2.54.4 to Fedora
+ - Includes a fix for RHBZ#2062678
+- Cherry pick a fix for RHBZ#2057103
+
+* Thu Mar 03 2022 Michael Vogt
+- New upstream release 2.54.4
+ - t/m/interfaces-network-manager: use different channel depending on
+ system
+ - many: backport attrer interface changes to 2.54
+ - tests: skip version check on lp-1871652 for sru validation
+ - i/builtin: allow modem-manager interface to access some files in
+ sysfs
+ - snapstate: make "remove vulnerable version" message more
+ friendly
+ - tests: fix "undo purging" step in snap-run-devmode-classic
+ - o/snapstate: deal with potentially invalid type of refresh.retain
+ value due to lax validation
+ - interfaces: custom-device
+ - packaging/ubuntu-16.04/control: adjust libfuse3 dependency
+ - data/env: fix fish env for all versions of fish
+ - packaging/ubuntu-16.04/snapd.postinst: start socket and service
+ first
+ - interfaces/u2f-devices: add U2F-TOKEN
+ - interfaces/seccomp: Add rseq to base seccomp template
+ - tests: remove disabled snaps before calling save_snapd_state
+ - overlord: skip manager tests on riscv for now
+ - interfaces/opengl: add support for ARM Mali
+ - devicestate: ensure permissions of /var/lib/snapd/void are
+ correct
+ - cmd/snap-update-ns: convert some unexpected decimal file mode
+ constants to octal.
+ - interfaces/shared-memory: support single wild-cards in the
+ read/write paths
+ - packaging: fix running autopkgtest
+ - i/builtin/xilinx-dma-host: add interface for Xilinx DMA driver
+ - tests: fix `tests/core/create-user` on testflinger pi3
+ - tests: fix parallel-install-basic on external UC16 devices
+ - tests: re-enable kernel-module-load tests on arm
+ - tests: do not run k8s smoke test on 32 bit systems
+
 * Thu Feb 17 2022 Maciek Borzecki - 2.54.3-1
 - Release 2.54.3 to Fedora
 - Cherry pick SELinux policy fixes for RHBZ#1944390, RHBZ#2043160, RHBZ#2043161,
diff --git a/sources b/sources
index 7b3840d..854c729 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (snapd_2.54.3.no-vendor.tar.xz) = 734616733b56623049b4385c4bfea37d1d9fc18966360c7e210c06e3e3716ea73a47fbeaa0924a8e1c9fcc92f5158bdc9255cbf1707d2ad2a2c49c0e4cae9a33
-SHA512 (snapd_2.54.3.only-vendor.tar.xz) = 7c8fdab1316844e3ab03349d549d710b543da74b2ad5acff1e8c8f217c530e6e24d10a7dc1a9511aa1ac6cb151ca465062271deea09739a7222a42ef26408f11
+SHA512 (snapd_2.54.4.no-vendor.tar.xz) = 3ee98017d30c18f4367bae224a85bdf9991b37b9240783dfda3ceeac8fdc8332fea5c464de886e33e1b8e390b2c3d2cea515407b5306aadcc0397abf718ebfa0
+SHA512 (snapd_2.54.4.only-vendor.tar.xz) = 481bd06322427f343ac426f2b9ea5ae94acfd91dcf4aa269d85969c9d5e88776f8bed2240f017908e50975d24917e301b1f81d5fe41d2c3793e5bb57fa834811