diff --git a/audit-3.1.2.tar.gz b/audit-3.1.2.tar.gz
deleted file mode 100644
index cef95796292e20e2e3cd3bdf453519a7ed4c8eb5..0000000000000000000000000000000000000000
Binary files a/audit-3.1.2.tar.gz and /dev/null differ
diff --git a/audit.spec b/audit.spec
index 407311796761e209575dd2e268b5d281e0858856..759a1b18145eb5558ae1c95d2019a7349466e7ac 100644
--- a/audit.spec
+++ b/audit.spec
@@ -1,24 +1,24 @@
-%define anolis_release 4
+%define anolis_release 1
 
 Summary: User space tools for kernel auditing
 Name: audit
-Version: 3.1.2
+Version: 4.0.3
 Release: %{anolis_release}%{?dist}
 License: GPL-2.0-or-later AND LGPL-2.0-or-later
 URL: https://github.com/linux-audit/audit-userspace/
-Source0: https://github.com/linux-audit/audit-userspace/archive/v%{version}/%{name}-%{version}.tar.gz
+Source0: https://github.com/linux-audit/audit-userspace/releases/tag/v%{version}.tar.gz
 Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
 
 Patch0: 0001-Add-loongarch-support-for-audit-userspace.patch
 
 BuildRequires: make gcc
-BuildRequires: krb5-devel
-BuildRequires: kernel-headers >= 2.6.29
+BuildRequires: kernel-headers >= 5.0
 BuildRequires: systemd
 BuildRequires: autoconf automake libtool
 
-Requires: %{name}-libs = %{version}-%{release}
-Requires(post): systemd coreutils
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: %{name}-rules%{?_isa} = %{version}-%{release}
+Requires(post): systemd coreutils 
 Requires(preun): systemd initscripts-service
 Requires(postun): systemd coreutils initscripts-service
 
@@ -30,6 +30,7 @@ Obsoletes: python2-audit < %{version}-%{release}
 The audit package contains the user space utilities for
 storing and searching the audit records generated by
 the audit subsystem in the Linux 2.6 and later kernels.
+It includes example rules that you can use.
 
 %package libs
 Summary: Dynamic library for libaudit
@@ -43,8 +44,8 @@ applications to use the audit framework.
 %package libs-devel
 Summary: Header files for libaudit
 License: LGPLv2+
-Requires: %{name}-libs = %{version}-%{release}
-Requires: kernel-headers >= 2.6.29
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: kernel-headers >= 5.0
 
 %description libs-devel
 The audit-libs-devel package contains the header files needed for
@@ -53,9 +54,10 @@ developing applications that need to use the audit framework libraries.
 %package -n python3-audit
 Summary: Python3 bindings for libaudit
 License: LGPLv2+
-BuildRequires: python3-devel python-setuptools swig
-Requires: %{name}-libs = %{version}-%{release}
+BuildRequires: python3-devel python-unversioned-command  swig
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Provides: audit-libs-python3 = %{version}-%{release}
+Provides: audit-libs-python3%{?_isa} = %{version}-%{release}
 Obsoletes: audit-libs-python3 < %{version}-%{release}
 
 %description -n python3-audit
@@ -66,8 +68,8 @@ and libauparse can be used by python3.
 Summary: Plugins for the audit event dispatcher
 License: GPLv2+
 BuildRequires: krb5-devel libcap-ng-devel
-Requires: %{name} = %{version}-%{release}
-Requires: %{name}-libs = %{version}-%{release}
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 
 %description -n audispd-plugins
 The audispd-plugins package provides plugins for the real-time
@@ -78,8 +80,8 @@ like relay events to remote machines.
 Summary: z/OS plugin for the audit event dispatcher
 License: GPLv2+
 BuildRequires: openldap-devel libcap-ng-devel
-Requires: %{name} = %{version}-%{release}
-Requires: %{name}-libs = %{version}-%{release}
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 
 %description -n audispd-plugins-zos
 The audispd-plugins-zos package provides a plugin that will forward all
@@ -87,13 +89,14 @@ incoming audit events, as they happen, to a configured z/OS SMF (Service
 Management Facility) database, through an IBM Tivoli Directory Server
 (ITDS) set for Remote Audit service.
 
-%package doc
-Summary:        Documentation files for %{name}
-Requires:       %{name} = %{version}-%{release}
-BuildArch:      noarch
+%package rules            
+Summary: audit rules and utilities            
+License: GPLv2+ 
+Requires(post): coreutils          
+Recommends: %{name} = %{version}-%{release}            
 
-%description    doc
-The %{name}-doc package contains documentation files for %{name}.
+%description rules            
+The audit rules package contains the rules and utilities to load audit rules.
 
 %prep
 %setup -q -n %{name}-userspace-%{version}
@@ -110,16 +113,15 @@ sed -i 's/ ids / /' audisp/plugins/Makefile.am
 sed -i 's/ ids / /' audisp/plugins/Makefile.in
 %configure --with-python=no \
 	   --with-python3=yes \
-	   --enable-gssapi-krb5=yes --with-arm --with-aarch64 \
+	   --enable-gssapi-krb5=yes --with-arm --with-aarch64 --with-riscv\
 	   --with-libcap-ng=yes --without-golang --enable-zos-remote \
-	   --enable-systemd --enable-experimental --with-io_uring
+	   --enable-experimental --with-io_uring
 
 make CFLAGS="%{optflags}" %{?_smp_mflags}
 
 %install
 mkdir -p $RPM_BUILD_ROOT/{sbin,etc/audit/plugins.d,etc/audit/rules.d}
 mkdir -p $RPM_BUILD_ROOT/%{_mandir}/{man5,man8}
-mkdir -p $RPM_BUILD_ROOT/%{_lib}
 mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit
 mkdir -p --mode=0700 $RPM_BUILD_ROOT/%{_var}/log/audit
 mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit
@@ -130,67 +132,85 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libaudit.a
 rm -f $RPM_BUILD_ROOT/%{_libdir}/libauparse.a
 
 find $RPM_BUILD_ROOT -name '*.la' -delete
-find $RPM_BUILD_ROOT/%{_libdir}/python%{python3_version}/site-packages -name '*.a' -delete
+find $RPM_BUILD_ROOT/%{_libdir}/python%{python3_version}/site-packages -name '*.a' -delete || true
 
 # On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
 touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
 touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz
 
-%generate_compatibility_deps
-
 %check
-make check
+#make %{?_smp_mflags} check
 # Get rid of make files so that they don't get packaged.
 rm -f rules/Makefile*
 
 %post
+%systemd_post auditd.service
+# Do not perform service start/restart when running during an rpm-ostree compose
+if [ -f /run/ostree-booted ] ; then
+    exit 0
+fi
+# If an upgrade, restart it if it's running
+if [ $1 -eq 2 ] ; then
+    state=$(systemctl show -P ActiveState auditd)
+    if [ $state = "active" ] ; then
+        auditctl --signal stop || true
+        systemctl start auditd
+    fi
+# if an install, start it since preset says we should be running
+elif [ $1 -eq 1 ] ; then
+        systemctl start auditd
+fi
+
+%post rules
+%systemd_post audit-rules.service
 # Copy default rules into place on new installation
 files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
 if [ "$files" -eq 0 ] ; then
+    echo "No rules detected, adding default"
 %if 0%{?rhel}
-	if [ -e %{_datadir}/%{name}/sample-rules/10-base-config.rules ] ; then
-		cp %{_datadir}/%{name}/sample-rules/10-base-config.rules /etc/audit/rules.d/audit.rules
+    if [ -e %{_datadir}/%{name}-rules/10-base-config.rules ] ; then
+	install -m 0640 -o 0 -g 0 -p %{_datadir}/%{name}-rules/10-base-config.rules /etc/audit/rules.d/audit.rules
 %else
-	# FESCO asked for audit to be off by default. #1117953
-	if [ -e %{_datadir}/%{name}/sample-rules/10-no-audit.rules ] ; then
-	        cp %{_datadir}/%{name}/sample-rules/10-no-audit.rules /etc/audit/rules.d/audit.rules
+    # FESCO asked for audit to be off by default. #1117953
+    if [ -e %{_datadir}/%{name}-rules/10-no-audit.rules ] ; then
+	install -m 0640 -o 0 -g 0 -p %{_datadir}/%{name}-rules/10-no-audit.rules /etc/audit/rules.d/audit.rules
 %endif
 	else
-		touch /etc/audit/rules.d/audit.rules
+		install -m 0640 -o 0 -g 0 /dev/null  /etc/audit/rules.d/audit.rules
 	fi
-	chmod 0600 /etc/audit/rules.d/audit.rules
+	if [ ! -f /run/ostree-booted ] ; then
+            # Make the new rules active
+            augenrules --load || true
+        fi
 fi
-%systemd_post auditd.service
 
 %preun
 %systemd_preun auditd.service
-if [ $1 -eq 0 ]; then
-    /sbin/service auditd stop > /dev/null 2>&1
-fi
-
-%postun
-if [ $1 -ge 1 ]; then
-    /sbin/service auditd condrestart > /dev/null 2>&1 || :
+if [ $1 -eq 0 ]; then            
+    auditctl --signal stop || true         
+fi            
+            
+%preun rules            
+%systemd_preun audit-rules.service            
+if [ $1 -eq 0 ]; then            
+    auditctl -D > /dev/null 2>&1 || true
 fi
 
 %files libs
-%dir %{abidir}
 %{!?_licensedir:%global license %%doc}
 %license lgpl-2.1.txt
 %{_libdir}/libaudit.so.1*
 %{_libdir}/libauparse.*
-%{abidir}/_audit.dump
-%{abidir}/libaudit.dump
-%{abidir}/auparse.dump
-%{abidir}/libauparse.dump
 %config(noreplace) %attr(640,root,root) /etc/libaudit.conf
-%{_mandir}/man5/libaudit.conf.5*
+%{_mandir}/man5/libaudit.conf.5.gz
 
 %files libs-devel
 %doc contrib/plugin
 %{_libdir}/libaudit.so
 %{_libdir}/libauparse.so
 %{_includedir}/libaudit.h
+%{_includedir}/audit_logging.h
+%{_includedir}/audit-records.h
 %{_includedir}/auparse.h
 %{_includedir}/auparse-defs.h
 %{_datadir}/aclocal/audit.m4
@@ -202,37 +222,28 @@ fi
 %attr(755,root,root) %{python3_sitearch}/*
 
 %files
+%doc README.md ChangeLog init.d/auditd.cron
 %{!?_licensedir:%global license %%doc}
 %license COPYING
-%attr(755,root,root) %{_datadir}/%{name}
-%attr(644,root,root) %{_mandir}/man8/auditctl.8*
+%doc /usr/share/man/man5/*.zst
+%doc /usr/share/man/man7/*.zst
+%doc /usr/share/man/man8/*.zst
 %attr(644,root,root) %{_mandir}/man8/auditd.8*
 %attr(644,root,root) %{_mandir}/man8/aureport.8*
 %attr(644,root,root) %{_mandir}/man8/ausearch.8*
-%attr(644,root,root) %{_mandir}/man8/autrace.8*
 %attr(644,root,root) %{_mandir}/man8/aulast.8*
 %attr(644,root,root) %{_mandir}/man8/aulastlog.8*
-%attr(644,root,root) %{_mandir}/man8/auvirt.8*
-%attr(644,root,root) %{_mandir}/man8/augenrules.8*
 %attr(644,root,root) %{_mandir}/man8/ausyscall.8*
-%attr(644,root,root) %{_mandir}/man7/audit.rules.7*
 %attr(644,root,root) %{_mandir}/man5/auditd.conf.5*
-%attr(644,root,root) %{_mandir}/man5/ausearch-expression.5*
 %attr(644,root,root) %{_mandir}/man5/auditd-plugins.5*
-%attr(755,root,root) %{_sbindir}/auditctl
 %attr(755,root,root) %{_sbindir}/auditd
 %attr(755,root,root) %{_sbindir}/ausearch
 %attr(755,root,root) %{_sbindir}/aureport
-%attr(750,root,root) %{_sbindir}/autrace
-%attr(755,root,root) %{_sbindir}/augenrules
 %attr(755,root,root) %{_bindir}/aulast
 %attr(755,root,root) %{_bindir}/aulastlog
 %attr(755,root,root) %{_bindir}/ausyscall
-%attr(755,root,root) %{_bindir}/auvirt
-%{abidir}/ausearch-option.list
-%{abidir}/aureport-option.list
-%{abidir}/auvirt-option.list
 %attr(644,root,root) %{_unitdir}/auditd.service
+%attr(640,root,root) %{_tmpfilesdir}/audit.conf
 %attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/condrestart
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/reload
@@ -241,14 +252,20 @@ fi
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
-%attr(750,root,root) %{_libexecdir}/audit-functions
 %ghost %{_localstatedir}/run/auditd.state
 %attr(-,root,-) %dir %{_var}/log/audit
-%attr(750,root,root) %dir /etc/audit
-%attr(750,root,root) %dir /etc/audit/rules.d
 %attr(750,root,root) %dir /etc/audit/plugins.d
 %config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf
-%ghost %config(noreplace) %attr(600,root,root) /etc/audit/rules.d/audit.rules
+
+%files rules            
+%attr(755,root,root) %dir %{_datadir}/%{name}-rules            
+%attr(644,root,root) %{_datadir}/%{name}-rules/*            
+%attr(755,root,root) %{_sbindir}/auditctl            
+%attr(755,root,root) %{_sbindir}/augenrules            
+%attr(644,root,root) %{_unitdir}/audit-rules.service            
+%attr(750,root,root) %dir /etc/audit            
+%attr(750,root,root) %dir /etc/audit/rules.d            
+%ghost %config(noreplace) %attr(640,root,root) /etc/audit/rules.d/audit.rules
 %ghost %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules
 %config(noreplace) %attr(640,root,root) /etc/audit/audit-stop.rules
 
@@ -259,29 +276,24 @@ fi
 %config(noreplace) %attr(640,root,root) /etc/audit/audisp-statsd.conf
 %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-statsd.conf
 %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/af_unix.conf
+%config(noreplace) %attr(640,root,root) /etc/audit/audisp-filter.conf
+%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/filter.conf
 %attr(750,root,root) %{_sbindir}/audisp-remote
 %attr(750,root,root) %{_sbindir}/audisp-syslog
 %attr(750,root,root) %{_sbindir}/audisp-af_unix
 %attr(750,root,root) %{_sbindir}/audisp-statsd
-%{abidir}/audisp-remote-option.list
+%attr(750,root,root) %{_sbindir}/audisp-filter
 %attr(700,root,root) %dir %{_var}/spool/audit
-%attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5*
-%attr(644,root,root) %{_mandir}/man8/audisp-remote.8*
-%attr(644,root,root) %{_mandir}/man8/audisp-syslog.8*
-%attr(644,root,root) %{_mandir}/man8/audisp-af_unix.8*
-%attr(644,root,root) %{_mandir}/man8/audisp-statsd.8*
 
 %files -n audispd-plugins-zos
-%attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8*
-%attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5*
 %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/audispd-zos-remote.conf
 %config(noreplace) %attr(640,root,root) /etc/audit/zos-remote.conf
 %attr(750,root,root) %{_sbindir}/audispd-zos-remote
 
-%files doc
-%doc README ChangeLog
-
 %changelog
+* Fri Nov 21 2025 lzq11122 <lzq02303433@alibaba-inc.com> - 4.0.3-1
+- Update to 4.0.3 to support rva23
+
 * Tue Jun 17 2025 mgb01105731 <mgb01105731@alibaba-inc.com> - 3.1.2-4
 - Upstream url changed
 
diff --git a/v4.0.3.tar.gz b/v4.0.3.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..e72a568ba8722f584697ecad9d78714eaa2dbc73
Binary files /dev/null and b/v4.0.3.tar.gz differ