diff --git a/Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch b/Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch index 895b13126f985f13af4e6b57e41dd6fdafa2baa2..10800a5f0da10fafbdd849f670931f0fd65c6f69 100644 --- a/Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch +++ b/Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch @@ -1,4 +1,4 @@ -From 36a7559c14a33b8ae867acaf3a724529ef2aa7ea Mon Sep 17 00:00:00 2001 +From 2a1802c29f4629f06ebd2c8bf1491f98565bf5b1 Mon Sep 17 00:00:00 2001 From: "GONG, Ruiqi" Date: Mon, 20 Mar 2023 20:42:49 +0800 Subject: [PATCH] Revert "Don't allow kernel_t to execute bin_t/usr_t binaries @@ -7,14 +7,14 @@ Subject: [PATCH] Revert "Don't allow kernel_t to execute bin_t/usr_t binaries This reverts commit 18c5559222ea3ca3588c8d32c06cddc41b66f688. --- - policy/modules/kernel/kernel.te | 14 +++----------- - 1 file changed, 3 insertions(+), 11 deletions(-) + policy/modules/kernel/kernel.te | 17 +++-------------- + 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index fc6f5f8..daf0801 100644 +index 7dce828..0c1d125 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te -@@ -351,18 +351,10 @@ selinux_compute_create_context(kernel_t) +@@ -356,25 +356,14 @@ selinux_compute_create_context(kernel_t) term_use_all_terms(kernel_t) term_use_ptmx(kernel_t) @@ -34,8 +34,15 @@ index fc6f5f8..daf0801 100644 +# /proc/sys/kernel/modprobe is set to /bin/true if not using modules. +corecmd_exec_bin(kernel_t) + # Enable running `/usr/bin/env [u]mount ...` to support ZFS automounting. + # See the module/os/linux/zfs/zfs_ctldir.c file in + # https://github.com/openzfs/zfs/ for the usermode helper calls. +-optional_policy(` +- mount_domtrans(kernel_generic_helper_t) +-') + domain_use_all_fds(kernel_t) domain_signal_all_domains(kernel_t) -- -2.27.0 +2.33.0 
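Review bot: The rebased revert now also deletes the `optional_policy(\` mount_domtrans(kernel_generic_helper_t) ')` block but keeps the three ZFS comment lines above it as context, so kernel.te is left with a comment describing a `/usr/bin/env [u]mount` usermode helper for which no transition rule remains. With `corecmd_exec_bin(kernel_t)` restored, that helper would presumably execute in kernel_t itself unless kernel_t has its own transition to mount_t, which nothing in the hunk shows; either add `mount_domtrans(kernel_t)` inside the optional block or drop the orphaned comment so the policy source does not advertise behaviour it no longer implements. Re-granting bin_t/usr_t execution to kernel_t also undoes what appears to be upstream's move of usermode helpers into a dedicated kernel_generic_helper_t domain, yet the patch description still says only "This reverts commit 18c5559222ea…"; a sentence recording which helper or workload needs kernel_t to exec bin_t directly would let future rebases decide whether the revert is still required. The patch diffstat changed from 3+/11- to 3+/14-, which matches the three extra removed lines.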
diff --git a/add-qemu_exec_t-for-stratovirt.patch b/add-qemu_exec_t-for-stratovirt.patch index 91d45d29461dd08f86e43b547ce472219bd0f67a..3b27e8292cdf5c610469238fbfbd488c975c3ef9 100644 --- a/add-qemu_exec_t-for-stratovirt.patch +++ b/add-qemu_exec_t-for-stratovirt.patch 
@@ -1,25 +1,24 @@ -From 601ffc24a1d00f20833eb104913634dedb51b95d Mon Sep 17 00:00:00 2001 -From: root -Date: Fri, 20 Aug 2021 10:50:31 +0800 +From 3f9a66fb7bb35a101d8be50d8f2fa238af62d11f Mon Sep 17 00:00:00 2001 +From: jinlun +Date: Tue, 26 Dec 2023 17:18:00 +0800 Subject: [PATCH] add qemu_exec_t for stratovirt -Signed-off-by: root --- - policy/modules/contrib/virt.fc | 1 + + policy/modules/contrib/virt_supplementary.fc | 1 + 1 file changed, 1 insertion(+) -diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc -index d12dac0..c12f009 100644 ---- a/policy/modules/contrib/virt.fc -+++ b/policy/modules/contrib/virt.fc -@@ -100,6 +100,7 @@ HOME_DIR/\.local/share/libvirt/boot(/.*)? gen_context(system_u:object_r:svirt_ - /usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) - /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) - /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) -+/usr/bin/stratovirt -- gen_context(system_u:object_r:qemu_exec_t,s0) +diff --git a/policy/modules/contrib/virt_supplementary.fc b/policy/modules/contrib/virt_supplementary.fc +index d27441f..5563457 100644 +--- a/policy/modules/contrib/virt_supplementary.fc ++++ b/policy/modules/contrib/virt_supplementary.fc +@@ -62,6 +62,7 @@ HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:sv + /usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) + /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) + /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) ++/usr/bin/stratovirt -- gen_context(system_u:object_r:qemu_exec_t,s0) - /etc/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) - /usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) + # support for QEMU-GA + /etc/qemu-ga/fsfreeze-hook\.d(/.*)? 
gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) -- -2.30.0 +2.27.0 diff --git a/allow-init_t-create-fifo-file-in-net_conf-dir.patch b/allow-init_t-create-fifo-file-in-net_conf-dir.patch index 89a98962cba0c9866361a6a0e3866a0a52a2dcff..a41b6f34aceec28d2ac124fcfdee780983fc1e8d 100644 --- a/allow-init_t-create-fifo-file-in-net_conf-dir.patch +++ b/allow-init_t-create-fifo-file-in-net_conf-dir.patch @@ -1,6 +1,6 @@ -From b00033d4825cfc3ae9787c94ffa7e5408acf9a4b Mon Sep 17 00:00:00 2001 -From: Huaxin Lu -Date: Sun, 29 Jan 2023 00:36:01 +0800 +From ebfc55113be3be3a298a14e767712cc5e16a50c3 Mon Sep 17 00:00:00 2001 +From: jinlun +Date: Thu, 28 Dec 2023 19:17:52 +0800 Subject: [PATCH] allow init_t create fifo file in net_conf dir Signed-off-by: Huaxin Lu @@ -9,17 +9,17 @@ Signed-off-by: Huaxin Lu 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 8b84aa1..15b57a7 100644 +index 4f2ce88..5fc8fed 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te -@@ -872,6 +872,7 @@ optional_policy(` - +@@ -879,6 +879,7 @@ optional_policy(` optional_policy(` sysnet_filetrans_cloud_net_conf(init_t) + sysnet_manage_config_pipes(init_t) + manage_fifo_files_pattern(init_t, net_conf_t, net_conf_t) ') optional_policy(` -- -2.33.0 +2.27.0 diff --git a/fix-selinux-label-for-hostname-digest-list.patch b/fix-selinux-label-for-hostname-digest-list.patch index ca696723ebb197f869e9a1ca8c19d4986276e1ac..44afe43b11124f03965db676fe5cbfed5ed3d0ac 100644 --- a/fix-selinux-label-for-hostname-digest-list.patch +++ b/fix-selinux-label-for-hostname-digest-list.patch @@ -15,9 +15,9 @@ index cfafbfa..bb5e759 100644 
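Review bot: The rewritten stratovirt patch drops the `Signed-off-by:` trailer entirely (the previous version carried one and the neighbouring init_t patch still does), so the relabeled change now has no DCO attribution for its new author; add `Signed-off-by: jinlun <address>` under the subject line. The fc entry itself is a straight move from virt.fc to virt_supplementary.fc and matches the adjacent qemu entries; note it labels only `/usr/bin/stratovirt`, so any helper executables stratovirt might ship elsewhere would stay bin_t, which is worth a one-line comment above the entry if that is intended.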
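Review bot: The new line `manage_fifo_files_pattern(init_t, net_conf_t, net_conf_t)` references the sysnet module's type directly from init.te, whereas the line it replaces, `sysnet_manage_config_pipes(init_t)`, went through an interface; in refpolicy-style trees cross-module type access is kept behind the owning module's .if file so the `gen_require` lives in one place. If 40.7 no longer provides that interface, the cleaner rebase is to add one to sysnetwork.if, e.g. an interface body of `gen_require(\` type net_conf_t; ')` followed by `manage_fifo_files_pattern($1, net_conf_t, net_conf_t)`, and call it from this optional block. The pattern also grants the full manage set (create, write, unlink, rename, setattr) rather than just the "create fifo file" the subject line names, so the patch description should say that the wider set is intended. The header now reads `From: jinlun` while still carrying `Signed-off-by: Huaxin Lu`, so the trailer no longer attributes the rewritten change to its author.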
@@ -3,6 +3,7 @@ HOME_DIR/\.config/systemd/user(/.*)? gen_context(system_u:object_r:systemd_unit /root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) - /etc/.*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0) -+/etc/[^/]*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0) - /etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) + /etc/.*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0) ++/etc/[^/]*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0) + /etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) /etc/udev/.*hwdb.* -- gen_context(system_u:object_r:systemd_hwdb_etc_t,s0) -- diff --git a/selinux-policy.spec b/selinux-policy.spec index aa545d1ddff3488717973cc4d4a417bb1c0f4a04..51b10e0aae78d697b0888922bd4c367abbb9f25b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -11,12 +11,12 @@ Summary: SELinux policy configuration Name: selinux-policy -Version: 38.21 +Version: 40.7 Release: 1 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ -Source0: https://github.com/fedora-selinux/selinux-policy/archive/refs/tags/v38.21.tar.gz +Source0: https://github.com/fedora-selinux/selinux-policy/archive/refs/tags/v40.7.tar.gz # Tool helps during policy development, to expand system m4 macros to raw allow rules # Git repo: https://github.com/fedora-selinux/macro-expander.git 
@@ -742,6 +742,19 @@ exit 0 %endif %changelog +* Thu Dec 28 2023 jinlun - 40.7-1 +- update version to 40.7 + - Allow chronyd-restricted read chronyd key files + - Allow systemd-sleep set attributes of efivarfs files + - Make name_zone_t and named_var_run_t a part of the mountpoint attribute + - Update cifs interfaces to include fs_search_auto_mountpoints() + - Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on + - Add map_read map_write to kernel_prog_run_bpf + - Add policy for nvme-stas + - Make new virt drivers permissive + - Allow named and ndc use the io_uring api + - Allow sssd send SIGKILL to passket_child running in ipa_otpd_t + * Fri Jul 21 2023 jinlun - 38.21-1 - update version to 38.21 diff --git a/v38.21.tar.gz b/v38.21.tar.gz deleted file mode 100644 index 0badc87abdd5c6e9420693c44ea2dda74c2eb132..0000000000000000000000000000000000000000 Binary files a/v38.21.tar.gz and /dev/null differ diff --git a/v40.7.tar.gz b/v40.7.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..03b06ba3bd0f04e2ab48fdb76c8dc6b48c3c857d Binary files /dev/null and b/v40.7.tar.gz differ