diff --git a/.github/workflows/lint-policy.yml b/.github/workflows/lint-policy.yml index f7004ce631..69aceadea0 100644 --- a/.github/workflows/lint-policy.yml +++ b/.github/workflows/lint-policy.yml @@ -71,3 +71,17 @@ jobs: - name: Run file context checker run: python${{ inputs.python-version }} -t -t -E -W error testing/check_fc_files.py + + codespell: + runs-on: ubuntu-22.04 + + steps: + - uses: actions/checkout@v4 + + - name: Install dependencies + run: | + sudo apt-get update -q + sudo apt-get install -qy codespell + + - name: Run codespell + run: codespell --skip Changelog,Changelog.contrib,Changelog.old --ignore-words-list busses,chage,doesnt,lik,msdos,nd,racoon,shouldnt,startd,te,thats,xwindows --context 1 . diff --git a/policy/mls b/policy/mls index 3cf4110d67..6a4e78cc29 100644 --- a/policy/mls +++ b/policy/mls @@ -2,7 +2,7 @@ ifdef(`enable_mls',` # # Define sensitivities # -# Domination of sensitivities is in increasin +# Domination of sensitivities is in increasing # numerical order, with s0 being the lowest gen_sens(mls_num_sens) diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 875c5df819..56d35ded47 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -43,7 +43,7 @@ dev_node(bootloader_tmp_t) allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio }; dontaudit bootloader_t self:capability { net_admin sys_resource }; -allow bootloader_t self:process { execmem signal_perms }; +allow bootloader_t self:process { execmem getsched signal_perms }; allow bootloader_t self:fifo_file rw_fifo_file_perms; allow bootloader_t bootloader_etc_t:file read_file_perms; diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te index d48d60279e..52c043df5e 100644 --- a/policy/modules/apps/uml.te +++ b/policy/modules/apps/uml.te 
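Review bot: The new codespell job checks out the tree with `actions/checkout@v4`, a mutable tag, so what runs in CI depends on whoever can move that tag rather than on a fixed revision; pinning to a full commit SHA with the tag kept as a trailing comment, e.g. `- uses: actions/checkout@<commit-sha> # v4`, is the usual hardening. The job also declares no `permissions:` block; unless the workflow sets a restrictive default outside this hunk, `permissions: contents: read` on the job keeps the default token minimal for a step that only reads the tree. Both points apply to the added `codespell:` job only; the existing steps above it are context.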
@@ -32,7 +32,7 @@ type uml_switch_t; type uml_switch_exec_t; init_daemon_domain(uml_switch_t, uml_switch_exec_t) -type uml_switch_runtime_t alias uml_swich_var_run_t; +type uml_switch_runtime_t alias uml_switch_var_run_t; files_runtime_file(uml_switch_runtime_t) ######################################## diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in index d2f346efa0..857844ba0a 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -1612,7 +1612,7 @@ interface(`corenet_tcp_bind_all_ports',` ######################################## ## -## Do not audit attepts to bind TCP sockets to any ports. +## Do not audit attempts to bind TCP sockets to any ports. ## ## ## @@ -1667,7 +1667,7 @@ interface(`corenet_sctp_connect_generic_port',` ######################################## ## -## Do not audit attepts to bind UDP sockets to any ports. +## Do not audit attempts to bind UDP sockets to any ports. ## ## ## @@ -1881,7 +1881,7 @@ interface(`corenet_tcp_connect_reserved_port',` ######################################## ## -## Do not audit attepts to bind SCTP sockets to any ports. +## Do not audit attempts to bind SCTP sockets to any ports. ## ## ## @@ -2474,7 +2474,7 @@ interface(`corenet_tcp_recvfrom_netlabel',` ######################################## ## -## Receive TCP packets from an unlabled connection. +## Receive TCP packets from an unlabeled connection. ## ## ## @@ -3325,7 +3325,7 @@ interface(`corenet_relabelto_all_server_packets',` ######################################## ## -## Receive SCTP packets from an unlabled connection. +## Receive SCTP packets from an unlabeled connection. ## ## ## diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4 index e512750a28..5c1d69f7b8 100644 --- a/policy/modules/kernel/corenetwork.te.m4 +++ b/policy/modules/kernel/corenetwork.te.m4 
@@ -125,7 +125,7 @@ ifelse(`$5',`',`',`declare_ibpkeycons($1,shiftn(4,$*))')dnl ') # -# ib_pkey(nam, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]]) +# ib_pkey(name, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]]) # define(`ib_pkey',` type $1_ibpkey_t, ibpkey_type; diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 24c480290a..199d6479a6 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -5628,6 +5628,25 @@ interface(`dev_rw_vsock',` rw_chr_files_pattern($1, device_t, vsock_device_t) ') +######################################## +## +## Automatic type transition to the type +## for the vsock device nodes when created in /dev. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_filetrans_vsock_dev',` + gen_require(` + type device_t, vsock_device_t; + ') + + filetrans_pattern($1, device_t, vsock_device_t, chr_file, "vsock") +') + ######################################## ## ## Read from watchdog devices. diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index a3eeba4afc..84c0069abb 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -86,7 +86,7 @@ genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_onli type crash_device_t; dev_node(crash_device_t) -# for the IBM zSeries z90crypt hardware ssl accelorator +# for the IBM zSeries z90crypt hardware ssl accelerator type crypt_device_t; dev_node(crypt_device_t) diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index 944d6d3b30..fca31ffb0a 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if 
@@ -417,7 +417,7 @@ interface(`domain_dontaudit_use_interactive_fds',` ######################################## ## ## Send a SIGCHLD signal to domains whose file -## discriptors are widely inheritable. +## descriptors are widely inheritable. ## ## ## diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 811efef945..e1fafd4abd 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -3838,7 +3838,7 @@ interface(`files_dontaudit_read_etc_runtime_files',` ######################################## ## -## Do not audit attempts to execuite files +## Do not audit attempts to execute files ## in /etc that are dynamically ## created on boot, such as mtab. ## @@ -3848,7 +3848,7 @@ interface(`files_dontaudit_read_etc_runtime_files',` ## ## # -interface(`files_dontaudit_execuite_etc_runtime_files',` +interface(`files_dontaudit_exec_etc_runtime_files',` gen_require(` type etc_runtime_t; ') @@ -3856,6 +3856,23 @@ interface(`files_dontaudit_execuite_etc_runtime_files',` dontaudit $1 etc_runtime_t:file execute; ') +######################################## +## +## Do not audit attempts to execute files +## in /etc that are dynamically +## created on boot, such as mtab. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_execuite_etc_runtime_files',` + refpolicywarn(`$0($*) has been deprecated, please use files_dontaudit_exec_etc_runtime_files() instead.') + files_dontaudit_exec_etc_runtime_files($1) +') + ######################################## ## ## Do not audit attempts to read files diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 8cad5ed326..65c814a97e 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -388,6 +388,7 @@ ifdef(`init_systemd',` optional_policy(` dev_manage_input_dev(kernel_t) dev_filetrans_input_dev(kernel_t) + dev_filetrans_vsock_dev(kernel_t) ') optional_policy(` 
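Review bot: The summary of the new compatibility interface `files_dontaudit_execuite_etc_runtime_files` repeats the wording of `files_dontaudit_exec_etc_runtime_files` verbatim, so generated interface documentation will present both as equivalent, current interfaces. Stating the deprecation in the summary, e.g. `## Deprecated, use files_dontaudit_exec_etc_runtime_files() instead.`, makes the replacement visible before a reader reaches the `refpolicywarn` body. The rename in the `@@ -3848` hunk and the cockpit.if caller update are consistent with each other, so only the documentation of the wrapper needs attention.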
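Review bot: `dev_filetrans_vsock_dev(kernel_t)` is added beside the `dev_manage_input_dev`/`dev_filetrans_input_dev` pair, but a type transition alone does not permit creating the node; kernel_t also needs create permission on `vsock_device_t` chr_file objects, which this hunk does not grant. If that permission already comes from a rule outside the hunk, a short comment naming it would keep the two device entries readable side by side; if not, the vsock line likely needs a manage counterpart as the input_dev entry has. The enclosing `ifdef(\`init_systemd'` block starts before this hunk.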
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te index 97b236aa9a..d2ccfd0ed0 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te @@ -15,7 +15,7 @@ gen_bool(secure_mode_policyload,false) ## ##

-## Boolean to determine whether the system permits setting Booelan values. +## Boolean to determine whether the system permits setting Boolean values. ##

##
gen_bool(secure_mode_setbool,false) diff --git a/policy/modules/services/cockpit.if b/policy/modules/services/cockpit.if index b79854374c..325672d2f5 100644 --- a/policy/modules/services/cockpit.if +++ b/policy/modules/services/cockpit.if @@ -54,7 +54,7 @@ template(`cockpit_role_template',` dev_dontaudit_execute_dev_nodes($2) files_dontaudit_execute_default_files($2) - files_dontaudit_execuite_etc_runtime_files($2) + files_dontaudit_exec_etc_runtime_files($2) files_dontaudit_exec_runtime($2) files_watch_etc_files($2) files_watch_root_dirs($2) diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index 1c88308369..c71ae54f47 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -1009,7 +1009,7 @@ allow spc_t self:process { getcap setexec setrlimit }; # Normally triggered when rook-ceph executes lvm tools which creates noise. # This can be allowed if actually needed. dontaudit spc_t self:process setfscreate; -allow spc_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setuid setpcap sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource }; +allow spc_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource }; allow spc_t self:capability2 { bpf perfmon }; allow spc_t self:bpf { map_create map_read map_write prog_load prog_run }; allow spc_t self:key manage_key_perms; diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te index 3ed8ef4390..3e0a8014f3 100644 --- a/policy/modules/services/corosync.te +++ b/policy/modules/services/corosync.te 
@@ -37,7 +37,7 @@ logging_log_file(corosync_var_log_t) # allow corosync_t self:capability { dac_override fowner ipc_lock setgid setuid sys_admin sys_nice sys_resource }; -# for hearbeat +# for heartbeat allow corosync_t self:capability { chown net_raw }; allow corosync_t self:process { setpgid setrlimit setsched signal signull }; allow corosync_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/services/gssproxy.if b/policy/modules/services/gssproxy.if index 693d5228e3..34c9631bec 100644 --- a/policy/modules/services/gssproxy.if +++ b/policy/modules/services/gssproxy.if @@ -2,7 +2,7 @@ ######################################## ## -## Execute gssproxy in the gssproxy domin. +## Execute gssproxy in the gssproxy domain. ## ## ## diff --git a/policy/modules/services/haproxy.te b/policy/modules/services/haproxy.te index e4046dd2dd..d302820ed9 100644 --- a/policy/modules/services/haproxy.te +++ b/policy/modules/services/haproxy.te @@ -62,7 +62,7 @@ files_tmpfs_file(haproxy_tmpfs_t) # allow haproxy_t self:process { getsched setrlimit signal }; -allow haproxy_t self:capability { kill setuid setgid }; +allow haproxy_t self:capability { kill setgid setuid }; dontaudit haproxy_t self:capability net_admin; allow haproxy_t self:fifo_file rw_fifo_file_perms; allow haproxy_t self:tcp_socket create_stream_socket_perms; diff --git a/policy/modules/services/iiosensorproxy.if b/policy/modules/services/iiosensorproxy.if index 0dc70034c8..f991edf018 100644 --- a/policy/modules/services/iiosensorproxy.if +++ b/policy/modules/services/iiosensorproxy.if @@ -2,7 +2,7 @@ ## ## ## Industrial I/O subsystem is intended to provide support for devices -## that in some sense are analog to digital or digital to analog convertors +## that in some sense are analog to digital or digital to analog converters ## . ## Devices that fall into this category are: ## * ADCs 
diff --git a/policy/modules/services/iiosensorproxy.te b/policy/modules/services/iiosensorproxy.te index a820877fad..348c2839ba 100644 --- a/policy/modules/services/iiosensorproxy.te +++ b/policy/modules/services/iiosensorproxy.te @@ -5,7 +5,7 @@ policy_module(iiosensorproxy) # iio-sensor-proxy (Debian package iio-sensor-proxy) # IIO sensors to D-Bus proxy # Industrial I/O subsystem is intended to provide support for devices -# that in some sense are analog to digital or digital to analog convertors +# that in some sense are analog to digital or digital to analog converters # . # Devices that fall into this category are: # * ADCs diff --git a/policy/modules/services/lircd.if b/policy/modules/services/lircd.if index d7cbf4ddbf..4394dd3f2b 100644 --- a/policy/modules/services/lircd.if +++ b/policy/modules/services/lircd.if @@ -1,4 +1,4 @@ -## Linux infared remote control daemon. +## Linux infrared remote control daemon. ######################################## ## diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if index cf7f567db8..610e4bff33 100644 --- a/policy/modules/services/ppp.if +++ b/policy/modules/services/ppp.if @@ -90,7 +90,7 @@ interface(`ppp_home_filetrans_ppp_home',` ######################################## ## -## Inherit and use ppp file discriptors. +## Inherit and use ppp file descriptors. ## ## ## @@ -109,7 +109,7 @@ interface(`ppp_use_fds',` ######################################## ## ## Do not audit attempts to inherit -## and use ppp file discriptors. +## and use ppp file descriptors. ## ## ## diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc index a30d01afc0..93bfa8d26f 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc 
@@ -10,6 +10,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) /usr/lib/misc/sshd-session -- gen_context(system_u:object_r:sshd_exec_t,s0) /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) +/usr/lib/openssh/sshd-session -- gen_context(system_u:object_r:sshd_exec_t,s0) /usr/lib/ssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) /usr/lib/systemd/system/ssh.* -- gen_context(system_u:object_r:sshd_unit_t,s0) diff --git a/policy/modules/services/tgtd.if b/policy/modules/services/tgtd.if index 3fb94581db..998e5ee073 100644 --- a/policy/modules/services/tgtd.if +++ b/policy/modules/services/tgtd.if @@ -21,7 +21,7 @@ interface(`tgtd_rw_semaphores',` ###################################### ## ## Create, read, write, and delete -## tgtd sempaphores. +## tgtd semaphores. ## ## ## diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if index 01e8a125d8..9b28d670e0 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -1083,7 +1083,7 @@ interface(`virt_lxc_sigchld',` ######################################## ## -## Read and write virtd lxc unamed pipes. +## Read and write virtd lxc unnamed pipes. ## ## ## @@ -1195,7 +1195,7 @@ interface(`virt_virsh_sigchld',` ######################################## ## -## Read and write virsh unamed pipes. +## Read and write virsh unnamed pipes. ## ## ## diff --git a/policy/modules/system/iscsi.if b/policy/modules/system/iscsi.if index 8268483eb2..971a36edb0 100644 --- a/policy/modules/system/iscsi.if +++ b/policy/modules/system/iscsi.if @@ -22,7 +22,7 @@ interface(`iscsid_domtrans',` ######################################## ## ## Create, read, write, and delete -## iscsid sempaphores. +## iscsid semaphores. ## ## ## diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index 4ba131d292..4b7d926b71 100644 --- a/policy/modules/system/locallogin.te 
+++ b/policy/modules/system/locallogin.te @@ -34,7 +34,7 @@ role system_r types sulogin_t; allow local_login_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; dontaudit local_login_t self:capability net_admin; -allow local_login_t self:process { getcap setcap setexec setrlimit setsched }; +allow local_login_t self:process { getcap setcap setexec setrlimit setsched signal }; allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_fifo_file_perms; allow local_login_t self:sock_file read_sock_file_perms; diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index d58aba30b2..5fe522163d 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -585,8 +585,10 @@ kernel_use_fds(systemd_generator_t) kernel_read_system_state(systemd_generator_t) kernel_read_kernel_sysctls(systemd_generator_t) kernel_dontaudit_getattr_proc(systemd_generator_t) -# Where an unlabeled mountpoint is encounted: +# Where an unlabeled mountpoint is encountered: kernel_dontaudit_search_unlabeled(systemd_generator_t) +# vmware_vsock +kernel_request_load_module(systemd_generator_t) modutils_domtrans(systemd_generator_t) diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if index c870bcc009..fff809d3d5 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -50,6 +50,9 @@ interface(`unconfined_domain_noaudit',` # Write access is for setting attributes under /proc/self/attr. allow $1 self:file rw_file_perms; + # io_uring + allow $1 self:anon_inode { create map read write }; + # Userland object managers allow $1 self:nscd { admin getgrp gethost getpwd getserv getstat shmemgrp shmemhost shmempwd shmemserv }; allow $1 self:dbus { acquire_svc send_msg }; diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 73bb7c4106..aa389da0f6 100644 
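Review bot: `kernel_request_load_module(systemd_generator_t)` lets every systemd generator trigger kernel module autoloading, which is broader than the single case the `# vmware_vsock` comment names, and that comment does not say which generator makes the request or what it probes. Expanding it, e.g. `# <generator name> triggers autoload of vmware_vsock when probing vsock` with the generator filled in, lets a later reviewer judge whether the grant can be narrowed or should become a dontaudit if the module is normally already loaded. The vsock motivation appears connected to the devices.if and kernel.te changes in this series, but that link is inferred, not stated in the hunk.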
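Review bot: The new `allow $1 self:anon_inode { create map read write };` in `unconfined_domain_noaudit` is commented as `# io_uring`, but the anon_inode class covers every anonymous inode the domain creates, not io_uring alone, and the io_uring object class itself (`override_creds`, `sqpoll`) is not touched here. If those io_uring permissions are granted elsewhere in the interface, a pointer in the comment would help; otherwise a comment such as `# anonymous inodes (io_uring rings and other anonymous fds)` describes the rule more accurately. The interface header and its `gen_require` precede this hunk.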
--- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -109,7 +109,7 @@ template(`userdom_base_user_template',` files_read_world_readable_symlinks($1_t) files_read_world_readable_pipes($1_t) files_read_world_readable_sockets($1_t) - # old broswer_domain(): + # old browser_domain(): files_dontaudit_list_non_security($1_t) files_dontaudit_getattr_non_security_files($1_t) files_dontaudit_getattr_non_security_symlinks($1_t) @@ -2531,7 +2531,7 @@ interface(`userdom_manage_user_home_content_files',` type user_home_dir_t, user_home_t; ') - manage_files_pattern($1, user_home_t, user_home_t) + mmap_manage_files_pattern($1, user_home_t, user_home_t) allow $1 user_home_dir_t:dir search_dir_perms; files_search_home($1) ') @@ -4453,7 +4453,7 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` ####################################### ## -## Read and write unpriviledged user SysV sempaphores. +## Read and write unprivileged user SysV semaphores. ## ## ## @@ -4471,7 +4471,7 @@ interface(`userdom_rw_unpriv_user_semaphores',` ######################################## ## -## Manage unpriviledged user SysV sempaphores. +## Manage unprivileged user SysV semaphores. ## ## ## @@ -4489,7 +4489,7 @@ interface(`userdom_manage_unpriv_user_semaphores',` ####################################### ## -## Read and write unpriviledged user SysV shared +## Read and write unprivileged user SysV shared ## memory segments. ## ## @@ -4508,7 +4508,7 @@ interface(`userdom_rw_unpriv_user_shared_mem',` ######################################## ## -## Manage unpriviledged user SysV shared +## Manage unprivileged user SysV shared ## memory segments. ## ## diff --git a/policy/policy_capabilities b/policy/policy_capabilities index 2faabdfa9f..73b52998d1 100644 --- a/policy/policy_capabilities +++ b/policy/policy_capabilities 
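Review bot: Replacing `manage_files_pattern` with `mmap_manage_files_pattern` in `userdom_manage_user_home_content_files` adds `map` on `user_home_t` files for every existing caller of the interface, a permission widening rather than the spelling fix the surrounding hunks make. The interface's summary lies outside this hunk and presumably still describes create/read/write/delete only; it should say the files may also be memory-mapped, e.g. `## Create, read, write, memory map, and delete user home content files.`, and the commit description should call the widening out so downstream policies carrying callers can review it. The interface header and `gen_require` start before the hunk.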
@@ -115,6 +115,14 @@ policycap nnp_nosuid_transition; # #policycap ioctl_skip_cloexec; +# Enable separate user space context for processes started before first +# policy load. +# Requires libsepol 3.7 and kernel 6.8. +# +# Added checks: +# (none) +#policycap userspace_initial_context; + # Enable netlink xperms support. Requires libsepol 3.8+ # and kernel 6.13. # diff --git a/support/gennetfilter.py b/support/gennetfilter.py index 83b27f352e..7376f45062 100644 --- a/support/gennetfilter.py +++ b/support/gennetfilter.py @@ -171,15 +171,15 @@ def parse_corenet(file_name): # parse out the parameters openparen = corenet_line.find('(')+1 closeparen = corenet_line.find(')',openparen) - parms = re.split(r'[^-a-zA-Z0-9_]+',corenet_line[openparen:closeparen]) - name = parms[0] - del parms[0] + params = re.split(r'[^-a-zA-Z0-9_]+',corenet_line[openparen:closeparen]) + name = params[0] + del params[0] ports = [] - while len(parms) > 0: + while len(params) > 0: # add a port combination. - ports.append(Port(parms[0],parms[1],parms[2])) - del parms[:3] + ports.append(Port(params[0],params[1],params[2])) + del params[:3] packets.append(Packet(name,ports)) diff --git a/support/validate-appconfig.py b/support/validate-appconfig.py index 1f4ed727aa..9a92c13557 100755 --- a/support/validate-appconfig.py +++ b/support/validate-appconfig.py @@ -1,6 +1,6 @@ #!/usr/bin/python3 # SPDX-License-Identifier: GPL-2.0-only -"""Validate refpolicy userpace configuration files (appconfig) have valid contexts.""" +"""Validate refpolicy userspace configuration files (appconfig) have valid contexts.""" import argparse from contextlib import suppress @@ -183,7 +183,7 @@ def validate_domain_transition(self, source_domain: str, target_domain: str, /) valid = False # - # Vaidate domain (TE) transition + # Validate domain (TE) transition # if source_type == target_type: # unlikely 
@@ -395,7 +395,7 @@ def validate_single_line_context_files(validator: ContextValidator, filenames: list[Path], /) -> bool: """ Validate the contexts in the files with single context per line. This - is primarily for files tha have a single context, such as initrc_context, + is primarily for files that have a single context, such as initrc_context, but can also be used for virtual_image_context, which can have multiple lines of a single context. """ @@ -688,7 +688,7 @@ def format(self, record: logging.LogRecord) -> str: try: # Validate the elements under sys.exit(0 if validate_appconfig_files(args.APPCONFIG_DIR, - policy_path=args.POLICY_PATH, + policy_path=args.POLICY_PATH, chkcon_path=args.chkcon, lxc=args.lxc, sepgsql=args.sepgsql, diff --git a/testing/check_fc_files.py b/testing/check_fc_files.py index 1d41a3b7a1..9849b2b5df 100755 --- a/testing/check_fc_files.py +++ b/testing/check_fc_files.py @@ -55,6 +55,7 @@ ('[0-9]+', '0'), # Match at least one digit ('(\\.bin)?', ''), # Match an optional extension ('(-.*)?', ''), # Match an optional suffix with a minus sign + ('(-[0-9\\.]+)?', ''), # Match an optional version suffix ) # File types in a .fc file