diff --git a/container-selinux.tgz b/container-selinux.tgz
index e02fb41a18aba6090c3ffb5de6e22abd40b81a60..8d06bd44a5b95b3b3907df09014bede38921d12b 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/modules-mls-contrib.conf b/modules-mls-contrib.conf
index 49eb9c235612ed8af07e0d622cb0e66d6fac4236..f7e6ad84eb15e444d22537a1fcb72c67ba2a09fd 100644
--- a/modules-mls-contrib.conf
+++ b/modules-mls-contrib.conf
@@ -1004,8 +1004,6 @@ ppp = module
 #
 prelink = module
 
-unprivuser = module
-
 # Layer: services
 # Module: privoxy
 #
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index efed11fbf085b2cf3025d8598de3574780443b67..ba8dbf036701089d5165b23f0f9acb547dda84e7 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -342,13 +342,6 @@ cmirrord = module
 #
 cobbler = module
 
-# Layer: contrib
-# Module: cockpit
-#
-# cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines.
-#
-cockpit = module
-
 # Layer: services
 # Module: collectd
 #
@@ -2381,13 +2374,6 @@ minissdpd = module
 #
 freeipmi = module
 
-# Layer: contrib
-# Module: freeipmi
-#
-# ipa policy module contain SELinux policies for IPA services
-#
-ipa = module
-
 # Layer: contrib
 # Module: mirrormanager
 #
@@ -2677,3 +2663,24 @@ ica = module
 # fedoratp
 #
 fedoratp = module
+
+# Layer: contrib
+# Module: insights_client
+#
+# insights_client
+#
+insights_client = module
+
+# Layer: contrib
+# Module: stalld
+#
+# stalld
+#
+stalld = module
+
+# Layer: contrib
+# Module: rhcd
+#
+# rhcd
+#
+rhcd = module
diff --git a/selinux-policy.spec b/selinux-policy.spec
index fa79382114e612d3c7d15e6632b71fb51ef46192..75a31eb5d5c39e314af7743b61eda6e264d8de7d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,4 +1,4 @@
-
+%define anolis_release 1
 %define distro redhat
 %define polyinstatiate n
 %define monolithic n
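Review bot: The descriptions added for insights_client, stalld and rhcd in the last hunk of modules-targeted-contrib.conf just repeat the module name, whereas the surrounding entries state what each module confines; a one-line purpose on each `# <module>` line (for example `# rhcd - <one-line purpose>`) keeps the file self-describing. The same three modules are not added to modules-mls-contrib.conf, whose only change in this patch is dropping `unprivuser`, so the MLS build will not pick them up; if that is intended, a comment above the new blocks should say so. The two earlier hunks drop cockpit and ipa from the targeted list without a changelog entry — presumably because their policy now ships with those packages — and the removed ipa block was headed `# Module: freeipmi`, which is worth knowing if it is ever restored.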
@@ -15,14 +15,16 @@ %define BUILD_MLS 1 %endif %define POLICYVER 33 -%define POLICYCOREUTILSVER 3.3-1 +%define POLICYCOREUTILSVER 3.4 %define CHECKPOLICYVER 3.2 Summary: SELinux policy configuration Name: selinux-policy -Version: 36.4 -Release: 1%{?dist} +Version: 37.18 +Release: %{anolis_release}%{?dist} License: GPLv2+ +Url: https://github.com/fedora-selinux/selinux-policy + Source0: https://github.com/fedora-selinux/selinux-policy/archive/refs/tags/v%{version}.tar.gz Source1: modules-targeted-base.conf Source2: booleans-targeted.conf
@@ -36,6 +38,7 @@ Source8: setrans-mls.conf Source14: securetty_types-targeted Source15: securetty_types-mls +#Source16: modules-minimum.conf Source17: booleans-minimum.conf Source18: setrans-minimum.conf Source19: securetty_types-minimum
@@ -49,17 +52,22 @@ Source28: permissivedomains.cil Source30: booleans.subs_dist Source31: modules-targeted-contrib.conf Source32: modules-mls-contrib.conf + +# Tool helps during policy development, to expand system m4 macros to raw allow rules +# Git repo: https://github.com/fedora-selinux/macro-expander.git +#Source33: https://github.com/fedora-selinux/macro-expander/blob/master/macro-expander.sh Source33: macro-expander +# Include SELinux policy for container from separate container-selinux repo # Git repo: https://github.com/containers/container-selinux.git -#Source35: https://github.com/containers/container-selinux/archive/refs/tags/v2.180.0.tar.gz +#Source35: https://github.com/containers/container-selinux/archive/refs/tags/v2.180.0.tar.gz Source35: container-selinux.tgz Source36: selinux-check-proper-disable.service +# Provide rpm macros for packages installing SELinux modules Source102: rpm.macros -Url: https://github.com/fedora-selinux/selinux-policy BuildArch: noarch BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 BuildRequires: make
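Review bot: The commented-out upstream reference for Source35 in the third hunk still names v2.180.0 while container-selinux.tgz itself is replaced in this commit (the binary change at the top of the patch), so the version of the vendored container policy is no longer recorded anywhere in the spec; the `-#Source35`/`+#Source35` pair here differs only in whitespace. Update that line to the tag the new tarball was produced from, `#Source35: https://github.com/containers/container-selinux/archive/refs/tags/v<TAG>.tar.gz`, and ideally record the tarball's checksum next to it so the bundled policy can be audited against upstream. The `Url:` removal in the same hunk is only the move to the preamble made by the first hunk.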
@@ -69,11 +77,12 @@ Requires(post): /bin/awk /usr/bin/sha512sum Requires: rpm-plugin-selinux Requires: selinux-policy-any = %{version}-%{release} Provides: selinux-policy-base = %{version}-%{release} +Suggests: selinux-policy-targeted %description SELinux core policy package. Originally based off of reference policy, -the policy has been adjusted to provide support for Fedora. +the policy has been adjusted to provide support for Anolis. %files %{!?_licensedir:%global license %%doc}
@@ -133,7 +142,9 @@ This package contains:
 and some additional files.
 
 %files devel
+%dir %{abidir}
 %{_bindir}/macro-expander
+%{abidir}/macro-expander-option.list
 %dir %{_datadir}/selinux/devel
 %dir %{_datadir}/selinux/devel/include
 %{_datadir}/selinux/devel/include/*
@@ -143,7 +154,7 @@ and some additional files.
 %{_datadir}/selinux/devel/Makefile
 %{_datadir}/selinux/devel/example.*
 %{_datadir}/selinux/devel/policy.*
-%ghost %{_sharedstatedir}/sepolgen/interface_info
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info
 
 %post devel
 %{_sbindir}/selinuxenabled && %{_bindir}/sepolgen-ifgen 2>/dev/null
@@ -158,11 +169,6 @@ Requires: selinux-policy = %{version}-%{release} SELinux policy documentation package. This package contains manual pages and documentation of the policy modules. -#%files doc -#%{_mandir}/man*/* -#%{_mandir}/ru/*/* -#%doc %{_datadir}/doc/%{name} - %define common_params DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 %define makeCmds() \
@@ -267,6 +273,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \
 %nil
 
 %define relabel() \
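Review bot: `%dir %{abidir}` and `%{abidir}/macro-expander-option.list` are added to %files devel in the second hunk, but nothing in this patch defines `abidir` or installs that file — the %install hunks only copy %{SOURCE33} into %{_bindir} — so on a build host without whatever produces them rpmbuild stops with an undefined-macro or missing-file error. If both come from the `%generate_compatibility_deps` call added at the end of %install, a comment beside the entries should say so, e.g. `# created by %%generate_compatibility_deps at the end of %%install`; if not, the install step is missing. The %files devel list continues past the end of that hunk.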
@@ -278,7 +285,7 @@ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.p
 %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
 rm -f ${FILE_CONTEXT}.pre; \
 fi; \
-
+# rebuilding the rpm database still can sometimes result in an incorrect context \
 %{_sbindir}/restorecon -R /usr/lib/sysimage/rpm \
 if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
 continue; \
@@ -338,6 +345,18 @@ for i in $contrib_modules $base_modules; do \
 fi; \
 done;
 
+# Make sure the config is consistent with what packages are installed in the system
+# this covers cases when system is installed with selinux-policy-{mls,minimal}
+# or selinux-policy-{targeted,mls,minimal} where switched but the machine has not
+# been rebooted yet.
+# The macro should be called at the beginning of "post" (to make sure load_policy does not fail)
+# and in "posttrans" (to make sure that the store is consistent when all package transitions are done)
+# Parameter determines the policy type to be set in case of miss-configuration (if backup value is not usable)
+# Steps:
+# * load values from config and its backup
+# * check whether SELINUXTYPE from backup is usable and make sure that it's set in the config if so
+# * use "targeted" if it's being installed and BACKUP_SELINUXTYPE cannot be used
+# * check whether SELINUXTYPE in the config is usable and change it to newly installed policy if it isn't
 %define checkConfigConsistency() \
 if [ -f %{_sysconfdir}/selinux/.config_backup ]; then \
 . %{_sysconfdir}/selinux/.config_backup; \
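Review bot: The new comment line in the first hunk is part of the backslash-continued `relabel` macro body and must keep its trailing `\`: in rpm a line without the continuation ends the %define, and the empty line it replaces had none, so the old macro stopped at `fi;` and the restorecon lines below it were never part of it — presumably the defect this hunk fixes. Because rpm still expands `%` sequences inside comment lines of a macro body, keep `%` out of such comments or write `%%`. A one-line reminder at the head of the macro, `# every line of this body must end in a backslash`, would make the requirement explicit; the `%define relabel()` line itself is before this hunk.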
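Review bot: Two wording slips in the comment block added before `%define checkConfigConsistency()` in the second hunk: `where switched` should read `were switched`, and `miss-configuration` should be `misconfiguration`. The block is otherwise a useful contract for the macro; the macro body it describes continues past the end of the hunk.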
@@ -361,6 +380,10 @@ if [ -s %{_sysconfdir}/selinux/config ]; then \
 fi; \
 fi;
 
+# Create hidden backup of /etc/selinux/config and prepend BACKUP_ to names
+# of variables inside so that they are easy to use later
+# This should be done in "pretrans" because config content can change during RPM operations
+# The macro has to be used in a script slot with "-p "
 %define backupConfigLua() \
 local sysconfdir = rpm.expand("%{_sysconfdir}") \
 local config_file = sysconfdir .. "/selinux/config" \
@@ -388,6 +411,7 @@ for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOU
 done
 
 %install
+# Build targeted policy
 %{__rm} -fR %{buildroot}
 mkdir -p %{buildroot}%{_sysconfdir}/selinux
 mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
@@ -398,16 +422,21 @@ cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/ mkdir -p %{buildroot}%{_bindir} install -m 755 %{SOURCE33} %{buildroot}%{_bindir}/ +# Always create policy module package directories mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/ mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/ mkdir -p %{buildroot}%{_datadir}/selinux/packages +# Install devel make clean %if %{BUILD_TARGETED} +# Build targeted policy %makeCmds targeted mcs allow %makeModulesConf targeted base contrib %installCmds targeted mcs allow +# install permissivedomains.cil %{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i %{SOURCE28} +# recreate sandbox.pp rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox %make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp
@@ -416,6 +445,7 @@ mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp
 %endif
 
 %if %{BUILD_MINIMUM}
+# Build minimum policy
 %makeCmds minimum mcs allow
 %makeModulesConf targeted base contrib
 %installCmds minimum mcs allow
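Review bot: The `# Build targeted policy` comment placed directly under `%install` in the second hunk heads the buildroot clean-up and directory creation, not a policy build, and the same text is added again inside `%if %{BUILD_TARGETED}` in the third hunk where it is correct; likewise `# Install devel` in that hunk sits above `make clean`, which installs nothing. Suggest `# Prepare the buildroot layout` for the line under `%install` and `# Start from a clean tree before building each policy type` above `make clean`, or simply drop the two misplaced lines. The `-p ` in the backupConfigLua comment of the first hunk looks like a stripped `-p <lua>`; if so, restore the argument so the note is usable.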
@@ -425,6 +455,7 @@ rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
 %endif
 
 %if %{BUILD_MLS}
+# Build mls policy
 %makeCmds mls mls deny
 %makeModulesConf mls base contrib
 %installCmds mls mls deny
@@ -432,6 +463,7 @@ rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
 %nonBaseModulesList mls
 %endif
 
+# remove leftovers when save-previous=true (semanage.conf) is used
 rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous
 
 mkdir -p %{buildroot}%{_mandir}
@@ -458,10 +490,15 @@ install -m 644 %{SOURCE36} %{buildroot}%{_unitdir} rm -rf selinux_config +%generate_compatibility_deps + %post %systemd_post selinux-check-proper-disable.service if [ ! -s %{_sysconfdir}/selinux/config ]; then +# +# New install so we will default to targeted policy +# echo " # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values:
@@ -543,6 +580,7 @@ exit 0
 
 %posttrans targeted
 %checkConfigConsistency targeted
+%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
 
 %postun targeted
 if [ $1 = 0 ]; then
@@ -655,6 +693,7 @@ exit 0
 
 %posttrans minimum
 %checkConfigConsistency minimum
+%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
 
 %postun minimum
 if [ $1 = 0 ]; then
@@ -728,6 +767,7 @@ exit 0
 
 %posttrans mls
 %checkConfigConsistency mls
+%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
 
 %postun mls
 if [ $1 = 0 ]; then
@@ -776,5 +816,8 @@ exit 0 %changelog +* Tue Jan 31 2023 Guyu Wang - 37.18-1 +- Update to 37.18 + * Wed Mar 16 2022 forrest_ly - 36.4-1 - Init for Anolis OS 23
diff --git a/users-minimum b/users-minimum
index 8207eed482a0a21d7877bd22395646c7bae3ea35..66af86081a45eeebbb1b5f3e9141651e97ec3283 100644
--- a/users-minimum
+++ b/users-minimum
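Review bot: `%generate_compatibility_deps`, added at the end of %install in the third hunk, is invoked unconditionally but is not defined anywhere in this spec; where the macro is absent on the build host rpm leaves the token unexpanded and the %install shell script fails on it as an unknown command. Guarding it as `%{?generate_compatibility_deps}` keeps the spec buildable where the macro is missing, and a comment naming where it comes from (the distribution's rpm macro set, I assume) would help the next reviewer. The %install section continues past the end of the hunk.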
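Review bot: The `restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm` line added to %posttrans targeted runs unguarded, while the other scriptlet commands in this spec — the `relabel` macro's restorecon and the `%post devel` sepolgen-ifgen call — are wrapped in a `selinuxenabled` check and have stderr silenced; the identical line is added to %posttrans minimum and %posttrans mls in the two following hunks. On a host where SELinux is disabled or the store is not loadable, a failing restorecon may become the scriptlet's exit status. Suggest `%{_sbindir}/selinuxenabled && %{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm 2>/dev/null || :` in all three places, plus a one-line comment on why %posttrans relabels the rpmdb again when `relabel` already covers /usr/lib/sysimage/rpm (the database being rewritten at the end of the transaction, I presume).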
@@ -36,3 +36,4 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/users-mls b/users-mls
index 05d26712efe0bd41abcea6464ff5f2c4c31b005f..8fad9ea21e122378c02559a46335daa10dca890c 100644
--- a/users-mls
+++ b/users-mls
@@ -36,3 +36,5 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/users-targeted b/users-targeted
index 8207eed482a0a21d7877bd22395646c7bae3ea35..a875306f1258f02deacfcb82d3537c85f84988db 100644
--- a/users-targeted
+++ b/users-targeted
@@ -36,3 +36,6 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/v36.4.tar.gz b/v36.4.tar.gz
deleted file mode 100644
index 8de751fffa00b00b4ca83769523eb933e166ca8a..0000000000000000000000000000000000000000
Binary files a/v36.4.tar.gz and /dev/null differ
diff --git a/v37.18.tar.gz b/v37.18.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..ddc856aa1adf828caa642ece81105e3b4580c448
Binary files /dev/null and b/v37.18.tar.gz differ
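Review bot: users-minimum gains only `unconfined_u`, while users-targeted gains `unconfined_u`, `guest_u` and `xguest_u`, even though the minimum build uses the targeted module list (`%makeModulesConf targeted base contrib` under `%if %{BUILD_MINIMUM}` in the spec hunks); if guest and xguest are deliberately left out of minimum, a comment above the new line should say why. For users-mls, `guest_r` and `xguest_r` have to be declared by the guest and xguest modules in the MLS module list, which this patch does not extend (its only change to modules-mls-contrib.conf is removing unprivuser); I cannot see from the diff whether they are already enabled there, so the MLS policy build should be confirmed. The new unconfined_u carries the full MLS range and all categories, matching the existing root entry in the same files.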