Allow sssd domain transition on passkey_child execution conditionally
Allow login_userdomain watch lnk_files in /usr
Allow login_userdomain watch video4linux devices
Change systemd-network-generator transition to include class file
Revert "Change file transition for systemd-network-generator"
Allow nm-dispatcher winbind plugin read/write samba var files
Allow systemd-networkd write to cgroup files
Allow kdump create and use its memfd: objects

Allow fedora-third-party get generic filesystem attributes
Allow sssd use usb devices conditionally
Update policy for qatlib
Allow ssh_agent_type manage generic cache home files
Update make-rhat-patches.sh file to use the f39 dist-git branch in F39

Change file transition for systemd-network-generator
Additional support for gnome-initial-setup
Update gnome-initial-setup policy for geoclue
Allow openconnect vpn open vhost net device
Allow cifs.upcall to connect to SSSD also through the /var/run socket
Grant cifs.upcall more required capabilities
Allow xenstored map xenfs files
Update policy for fdo
Allow keepalived watch var_run dirs
Allow svirt to rw /dev/udmabuf
Allow qatlib to modify hardware state information.
Allow key.dns_resolve connect to avahi over a unix stream socket
Allow key.dns_resolve create and use unix datagram socket
Use quay.io as the container image source for CI

ci: Move srpm/rpm build to packit
.copr: Avoid subshell and changing directory
Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
Make insights_client_t an unconfined domain
Allow insights-client manage user temporary files
Allow insights-client create all rpm logs with a correct label
Allow insights-client manage generic logs
Allow cloud_init create dhclient var files and init_t manage net_conf_t
Allow insights-client read and write cluster tmpfs files
Allow ipsec read nsfs files
Make tuned work with mls policy
Remove nsplugin_role from mozilla.if
allow mon_procd_t self:cap_userns sys_ptrace
Allow pdns name_bind and name_connect all ports
Set the MLS range of fsdaemon_t to s0 - mls_systemhigh
ci: Move to actions/checkout@v3 version
.copr: Replace chown call with standard workflow safe.directory setting
.copr: Enable `set -u` for robustness
.copr: Simplify root directory variable

Allow rhsmcertd dbus chat with policykit
Allow polkitd execute pkla-check-authorization with nnp transition
Allow user_u and staff_u get attributes of non-security dirs
Allow unconfined user filetrans chrome_sandbox_home_t
Allow svnserve execute postdrop with a transition
Do not make postfix_postdrop_t type an MTA executable file
Allow samba-dcerpc service manage samba tmp files
Add use_nfs_home_dirs boolean for mozilla_plugin
Fix labeling for no-stub-resolv.conf

Revert "Allow winbind-rpcd use its private tmp files"
Allow upsmon execute upsmon via a helper script
Allow openconnect vpn read/write inherited vhost net device
Allow winbind-rpcd use its private tmp files
Update samba-dcerpc policy for printing
Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
Allow nscd watch system db dirs
Allow qatlib to read sssd public files
Allow fedora-third-party read /sys and proc
Allow systemd-gpt-generator mount a tmpfs filesystem
Allow journald write to cgroup files
Allow rpc.mountd read network sysctls
Allow blueman read the contents of the sysfs filesystem
Allow logrotate_t to map generic files in /etc
Boolean: Allow virt_qemu_ga create ssh directory

Allow systemd-network-generator send system log messages
Dontaudit the execute permission on sock_file globally
Allow fsadm_t the file mounton permission
Allow named and ndc the io_uring sqpoll permission
Allow sssd io_uring sqpoll permission
Fix location for /run/nsd
Allow qemu-ga get fixed disk devices attributes
Update bitlbee policy
Label /usr/sbin/sos with sosreport_exec_t
Update policy for the sblim-sfcb service
Add the files_getattr_non_auth_dirs() interface
Fix the CI to work with DNF5

Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild

Make systemd_tmpfiles_t MLS trusted for lowering the level of files
Revert "Allow insights client map cache_home_t"
Allow nfsidmapd connect to systemd-machined over a unix socket
Allow snapperd connect to kernel over a unix domain stream socket
Allow virt_qemu_ga_t create .ssh dir with correct label
Allow targetd read network sysctls
Set the abrt_handle_event boolean to on
Permit kernel_t to change the user identity in object contexts
Allow insights client map cache_home_t
Label /usr/sbin/mariadbd with mysqld_exec_t
Trim changelog so that it starts at F37 time
Define equivalency for /run/systemd/generator.early

Allow httpd tcp connect to redis port conditionally
Label only /usr/sbin/ripd and ripngd with zebra_exec_t
Dontaudit aide the execmem permission
Remove permissive from fdo
Allow sa-update manage spamc home files
Allow sa-update connect to systemlog services
Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t
Allow bootupd search EFI directory

Change init_audit_control default value to true
Allow nfsidmapd connect to systemd-userdbd with a unix socket
Add the qatlib module
Add the fdo module
Add the bootupd module
Set default ports for keylime policy
Create policy for qatlib
Add policy for FIDO Device Onboard
Add policy for bootupd
Add the qatlib module
Add the fdo module
Add the bootupd module

Add support for kafs-dns requested by keyutils
Allow insights-client execmem
Add support for chronyd-restricted
Add init_explicit_domain() interface
Allow fsadm_t to get attributes of cgroup filesystems
Add list_dir_perms to kerberos_read_keytab
Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
Allow sendmail manage its runtime files
Allow keyutils_dns_resolver_exec_t be an entrypoint
Allow collectd_t read network state symlinks
Revert "Allow collectd_t read proc_net link files"
Allow nfsd_t to list exports_t dirs
Allow cupsd dbus chat with xdm
Allow haproxy read hardware state information
Add the kafs module

Label /dev/userfaultfd with userfaultfd_t
Allow blueman send general signals to unprivileged user domains
Allow dkim-milter domain transition to sendmail
Label /usr/sbin/cifs.idmap with cifs_helper_exec_t
Allow cifs-helper read sssd kerberos configuration files
Allow rpm_t sys_admin capability
Allow dovecot_deliver_t create/map dovecot_spool_t dir/file
Allow collectd_t read proc_net link files
Allow insights-client getsession process permission
Allow insights-client work with pipe and socket tmp files
Allow insights-client map generic log files
Update cyrus_stream_connect() to use sockets in /run
Allow keyutils-dns-resolver read/view kernel key ring
Label /var/log/kdump.log with kdump_log_t

Add support for the systemd-pstore service
Allow kdumpctl_t to execmem
Update sendmail policy module for opensmtpd
Allow nagios-mail-plugin exec postfix master
Allow subscription-manager execute ip
Allow ssh client connect with a user dbus instance
Add support for ksshaskpass
Allow rhsmcertd file transition in /run also for socket files
Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t
Allow plymouthd read/write X server miscellaneous devices
Allow systemd-sleep read udev pid files
Allow exim read network sysctls
Allow sendmail request load module
Allow named map its conf files
Allow squid map its cache files
Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition

Update policy for systemd-sleep
Remove permissive domain for rshim_t
Remove permissive domain for mptcpd_t
Allow systemd-bootchartd the sys_ptrace userns capability
Allow sysadm_t read nsfs files
Allow sysadm_t run kernel bpf programs
Update ssh_role_template for ssh-agent
Update ssh_role_template to allow read/write unallocated ttys
Add the booth module to modules.conf
Allow firewalld rw ica_tmpfs_t files

Remove permissive domain for cifs_helper_t
Update the cifs-helper policy
Replace cifsutils_helper_domtrans() with keyutils_request_domtrans_to()
Update pkcsslotd policy for sandboxing
Allow abrt_t read kernel persistent storage files
Dontaudit targetd search httpd config dirs
Allow init_t nnp domain transition to policykit_t
Allow rpcd_lsad setcap and use generic ptys
Allow samba-dcerpcd connect to systemd_machined over a unix socket
Allow wireguard to rw network sysctls
Add policy for boothd
Allow kernel to manage its own BPF objects