826337 * Tue Dec 06 2022 Zdenek Pytela <zpytela@redhat.com> - 38.2-1

Authored and Committed by Zdenek Pytela 2 years ago
    * Tue Dec 06 2022 Zdenek Pytela <zpytela@redhat.com> - 38.2-1
    - Don't make kernel_t an unconfined domain
    - Don't allow kernel_t to execute bin_t/usr_t binaries without a transition
    - Allow kernel_t to execute systemctl to do a poweroff/reboot
    - Grant basic permissions to the domain created by systemd_systemctl_domain()
    - Allow kernel_t to request module loading
    - Allow kernel_t to do compute_create
    - Allow kernel_t to manage perf events
    - Grant almost all capabilities to kernel_t
    - Allow kernel_t to fully manage all devices
    - Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue"
    - Allow pulseaudio to write to session_dbusd tmp socket files
    - Allow systemd and unconfined_domain_type create user_namespace
    - Add the user_namespace security class
    - Reuse tmpfs_t also for the ramfs filesystem
    - Label udf tools with fsadm_exec_t
    - Allow networkmanager_dispatcher_plugin to work with nscd
    - Watch_sb all file type directories
    - Allow spamc to read hardware state information files
    - Allow sysadm to read ipmi devices
    - Allow insights client to communicate with cupsd, mysqld, openvswitch, redis
    - Allow insights client to read raw memory devices
    - Allow the spamd_update_t domain to get generic filesystem attributes
    - Dontaudit systemd-gpt-generator the sys_admin capability
    - Allow ipsec_t to only read tpm devices
    - Allow cups-pdf to connect to the system log service
    - Allow postfix/smtpd to read kerberos key table
    - Allow syslogd to read network sysctls
    - Allow cdcc to mmap dcc-client-map files
    - Add watch and watch_sb dosfs interface