I installed the 6.8-rc1 kernel in a Fedora Rawhide KDE Plasma installation. When I've shut down or rebooted with the 6.8-rc1 kernel, plymouthd denials were shown in the journal which didn't appear with the 6.7.0 kernel.

Jan 23 07:32:57 audit[27434]: AVC avc:  denied  { read write } for  pid=27434 comm="plymouthd" name="kmsg" dev="devtmpfs" ino=10 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0

Jan 23 07:32:57 audit[27434]: AVC avc:  denied  { checkpoint_restore } for  pid=27434 comm="plymouthd" capability=40  scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability2 permissive=0

Jan 23 07:32:58 audit[27434]: AVC avc:  denied  { read } for  pid=27434 comm="plymouthd" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=3196 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0

The denials of checkpoint_restore were sometimes shown several hundred times during shutdown or reboot. The denials were shown 4/5 times. The time the denials weren't shown was during a dnf offline upgrade where I had pressed Escape to see the details of the upgrade so the plymouth screen with the spinner wasn't shown during reboot. selinux-policy-40.9-1.fc40.noarch was used in enforcing mode. I have Secure Boot enabled which might be needed for the last denial. I'll attach the journal from a shutdown with the denials.

Reproducible: Sometimes

Steps to Reproduce:
1. Boot the 6.8.0-0.rc1.12.fc40 kernel in a Fedora Rawhide KDE Plasma installation
2. Log in to Plasma
3. Shut down or reboot
Actual Results:  
plymouthd denials when shutting down or rebooting with the 6.8-rc1 kernel

Expected Results:  
No denials should have been shown.