Allow init create and use vsock sockets
Allow ddclient send e-mail notifications
Allow postfix_master_t map postfix data files
Allow thumb_t append to init unix domain stream sockets
Allow spamd_update_t read hardware state information
Allow systemd-sleep create efivarfs files

Allow graphical applications work in Wayland
Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
Allow kdump work with PrivateTmp
Allow dovecot-auth work with PrivateTmp
Allow nfsd get attributes of all filesystems
Allow fido-device-onboard (FDO) read the crack database
Allow ntp to bind and connect to ntske port.
Allow apcupsd cgi scripts read /sys
Allow rpcbind read network sysctls

Support using systemd containers
Allow kernel_t to manage and relabel all files
Add missing optional_policy() to files_relabel_all_files()
Improve default file context(None) of /var/lib/authselect/backups
Allow targetd write to the syslog pid sock_file
Add ipa_pki_retrieve_key_exec() interface
Allow kdumpctl_t to list all directories with a filesystem type
Allow udev additional permissions
Allow udev load kernel module
Allow sysadm_t to mmap modules_object_t files
Add the unconfined_read_files() and unconfined_list_dirs() interfaces
Allow kernel_generic_helper_t to execute mount(1)

Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t
Allow systemd-localed create Xserver config dirs
Allow sssd read symlinks in /etc/sssd
Label /dev/gnss[0-9] with gnss_device_t
Allow systemd-sleep read/write efivarfs variables
ci: Fix version number of packit generated srpms
Dontaudit rhsmcertd write memory device
Allow ssh_agent_type create a sockfile in /run/user/USERID
Set default file context of /var/lib/authselect/backups to <<none>>
Allow prosody read network sysctls
Allow cupsd_t to use bpf capability

Allow sssd domain transition on passkey_child execution conditionally
Allow login_userdomain watch lnk_files in /usr
Allow login_userdomain watch video4linux devices
Change systemd-network-generator transition to include class file
Revert "Change file transition for systemd-network-generator"
Allow nm-dispatcher winbind plugin read/write samba var files
Allow systemd-networkd write to cgroup files
Allow kdump create and use its memfd: objects

Allow fedora-third-party get generic filesystem attributes
Allow sssd use usb devices conditionally
Update policy for qatlib
Allow ssh_agent_type manage generic cache home files
Update make-rhat-patches.sh file to use the f39 dist-git branch in F39

Change file transition for systemd-network-generator
Additional support for gnome-initial-setup
Update gnome-initial-setup policy for geoclue
Allow openconnect vpn open vhost net device
Allow cifs.upcall to connect to SSSD also through the /var/run socket
Grant cifs.upcall more required capabilities
Allow xenstored map xenfs files
Update policy for fdo
Allow keepalived watch var_run dirs
Allow svirt to rw /dev/udmabuf
Allow qatlib to modify hardware state information.
Allow key.dns_resolve connect to avahi over a unix stream socket
Allow key.dns_resolve create and use unix datagram socket
Use quay.io as the container image source for CI

ci: Move srpm/rpm build to packit
.copr: Avoid subshell and changing directory
Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
Make insights_client_t an unconfined domain
Allow insights-client manage user temporary files
Allow insights-client create all rpm logs with a correct label
Allow insights-client manage generic logs
Allow cloud_init create dhclient var files and init_t manage net_conf_t
Allow insights-client read and write cluster tmpfs files
Allow ipsec read nsfs files
Make tuned work with mls policy
Remove nsplugin_role from mozilla.if
allow mon_procd_t self:cap_userns sys_ptrace
Allow pdns name_bind and name_connect all ports
Set the MLS range of fsdaemon_t to s0 - mls_systemhigh
ci: Move to actions/checkout@v3 version
.copr: Replace chown call with standard workflow safe.directory setting
.copr: Enable `set -u` for robustness
.copr: Simplify root directory variable

Allow rhsmcertd dbus chat with policykit
Allow polkitd execute pkla-check-authorization with nnp transition
Allow user_u and staff_u get attributes of non-security dirs
Allow unconfined user filetrans chrome_sandbox_home_t
Allow svnserve execute postdrop with a transition
Do not make postfix_postdrop_t type an MTA executable file
Allow samba-dcerpc service manage samba tmp files
Add use_nfs_home_dirs boolean for mozilla_plugin
Fix labeling for no-stub-resolv.conf

Revert "Allow winbind-rpcd use its private tmp files"
Allow upsmon execute upsmon via a helper script
Allow openconnect vpn read/write inherited vhost net device
Allow winbind-rpcd use its private tmp files
Update samba-dcerpc policy for printing
Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty
Allow nscd watch system db dirs
Allow qatlib to read sssd public files
Allow fedora-third-party read /sys and proc
Allow systemd-gpt-generator mount a tmpfs filesystem
Allow journald write to cgroup files
Allow rpc.mountd read network sysctls
Allow blueman read the contents of the sysfs filesystem
Allow logrotate_t to map generic files in /etc
Boolean: Allow virt_qemu_ga create ssh directory

Allow systemd-network-generator send system log messages
Dontaudit the execute permission on sock_file globally
Allow fsadm_t the file mounton permission
Allow named and ndc the io_uring sqpoll permission
Allow sssd io_uring sqpoll permission
Fix location for /run/nsd
Allow qemu-ga get fixed disk devices attributes
Update bitlbee policy
Label /usr/sbin/sos with sosreport_exec_t
Update policy for the sblim-sfcb service
Add the files_getattr_non_auth_dirs() interface
Fix the CI to work with DNF5

Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild

Make systemd_tmpfiles_t MLS trusted for lowering the level of files
Revert "Allow insights client map cache_home_t"
Allow nfsidmapd connect to systemd-machined over a unix socket
Allow snapperd connect to kernel over a unix domain stream socket
Allow virt_qemu_ga_t create .ssh dir with correct label
Allow targetd read network sysctls
Set the abrt_handle_event boolean to on
Permit kernel_t to change the user identity in object contexts
Allow insights client map cache_home_t
Label /usr/sbin/mariadbd with mysqld_exec_t
Trim changelog so that it starts at F37 time
Define equivalency for /run/systemd/generator.early

Allow httpd tcp connect to redis port conditionally
Label only /usr/sbin/ripd and ripngd with zebra_exec_t
Dontaudit aide the execmem permission
Remove permissive from fdo
Allow sa-update manage spamc home files
Allow sa-update connect to systemlog services
Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t
Allow bootupd search EFI directory

Change init_audit_control default value to true
Allow nfsidmapd connect to systemd-userdbd with a unix socket
Add the qatlib module
Add the fdo module
Add the bootupd module
Set default ports for keylime policy
Create policy for qatlib
Add policy for FIDO Device Onboard
Add policy for bootupd
Add the qatlib module
Add the fdo module
Add the bootupd module

Add support for kafs-dns requested by keyutils
Allow insights-client execmem
Add support for chronyd-restricted
Add init_explicit_domain() interface
Allow fsadm_t to get attributes of cgroup filesystems
Add list_dir_perms to kerberos_read_keytab
Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
Allow sendmail manage its runtime files
Allow keyutils_dns_resolver_exec_t be an entrypoint
Allow collectd_t read network state symlinks
Revert "Allow collectd_t read proc_net link files"
Allow nfsd_t to list exports_t dirs
Allow cupsd dbus chat with xdm
Allow haproxy read hardware state information
Add the kafs module