diff --git a/syscare.spec b/syscare.spec index 08086fd..d9fde01 100644 --- a/syscare.spec +++ b/syscare.spec @@ -2,19 +2,19 @@ Name: syscare Version: 1.0.0 -Release: 2 +Release: 3 Summary: system hot-fix service License: MulanPSL-2.0 GPL-2.0-only URL: https://gitee.com/openeuler/syscare Source0: %{name}-%{version}.tar.gz -Patch1: v1.0.0-2.patch +Patch1: v1.0.0-3.patch BuildRequires: rust cargo gcc gcc-g++ cmake make BuildRequires: elfutils-libelf-devel BuildRequires: kernel-devel -Requires: kpatch-runtime +Requires: kpatch-runtime coreutils %description SysCare is a system-level hot-fix software that provides single-machine-level and cluster-level security patches and system error hot-fixes for the operating system. @@ -107,6 +107,8 @@ depmod -a > /dev/null 2>&1 || true %endif %changelog +* Thu Dec 15 2022 snoweay - 1.0.0-3 +- Change kernel patches' scontext before apply not at rpm-post. * Wed Dec 14 2022 snoweay - 1.0.0-2 - Fix some issues: - manager: Allow apply to actived kernel patch diff --git a/v1.0.0-2.patch b/v1.0.0-3.patch similarity index 73% rename from v1.0.0-2.patch rename to v1.0.0-3.patch index 3c9c909..e72d9b1 100644 --- a/v1.0.0-2.patch +++ b/v1.0.0-3.patch @@ -1,7 +1,7 @@ From 81008c77dba79eb311ad537051086f10ba1ccd22 Mon Sep 17 00:00:00 2001 From: Longjun Luo Date: Tue, 13 Dec 2022 16:08:45 +0800 -Subject: [PATCH 1/6] kmod: make it normal when using hack-gcc without env +Subject: [PATCH 1/8] kmod: make it normal when using hack-gcc without env Signed-off-by: Longjun Luo --- @@ -30,7 +30,7 @@ index 87cdc3e..9f45cb7 100755 From 024e9cd683055ca1702710a60d9c8abebfdbcbb3 Mon Sep 17 00:00:00 2001 From: snoweay Date: Wed, 14 Dec 2022 01:37:26 +0000 -Subject: [PATCH 2/6] manager: Allow apply to actived kernel patch +Subject: [PATCH 2/8] manager: Allow apply to actived kernel patch Signed-off-by: snoweay --- @@ -57,7 +57,7 @@ index 6e6c86a..8ee3bd0 100755 From 5874b79701fe7854575f710277f241a63a50afeb Mon Sep 17 00:00:00 2001 
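Review bot: The new `Requires: kpatch-runtime coreutils` only covers `chcon`; the `set_kpatch_scontext` helper introduced by the renamed patch also calls `which` and `getenforce`, which on RPM-based systems typically come from the `which` and `libselinux-utils` packages, neither of which is declared here. Because that helper returns 0 when either tool is missing, an Enforcing host without them silently skips the relabel and then fails at `insmod`. Either extend the line to `Requires: kpatch-runtime coreutils libselinux-utils` (and drop the `which` dependency in the script) or document in the changelog that the relabel is best-effort.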
From: renoseven Date: Wed, 14 Dec 2022 03:34:01 +0800 -Subject: [PATCH 3/6] build: only 'NOT-APPLIED' patch package can be removed +Subject: [PATCH 3/8] build: only 'NOT-APPLIED' patch package can be removed Signed-off-by: renoseven --- @@ -86,7 +86,7 @@ index 9781eb1..917e12e 100644 From 1506b703935004b04fbf73f8875f33b5a8b8fe87 Mon Sep 17 00:00:00 2001 From: renoseven Date: Wed, 14 Dec 2022 23:50:03 +0800 -Subject: [PATCH 4/6] build: fix 'kernel patch cannot be insmod during system +Subject: [PATCH 4/8] build: fix 'kernel patch cannot be insmod during system start' issue 1. change ko file(s) security context type to 'modules_object_t' after @@ -119,7 +119,7 @@ index 917e12e..f76e109 100644 From dc73e5833888096518321e6ba15503d9806199fb Mon Sep 17 00:00:00 2001 From: Longjun Luo Date: Wed, 14 Dec 2022 12:43:46 +0800 -Subject: [PATCH 5/6] kmod: adjust order of the misc device (un)register +Subject: [PATCH 5/8] kmod: adjust order of the misc device (un)register After all init finished, then provides the device for users. @@ -186,7 +186,7 @@ index c96836b..d1328aa 100644 From d54264a83c2cc997ebaba0be8c32fc90682a9c04 Mon Sep 17 00:00:00 2001 From: lzwycc Date: Wed, 14 Dec 2022 19:44:23 +0800 -Subject: [PATCH 6/6] kmod: unregister when rmmod upatch +Subject: [PATCH 6/8] kmod: unregister when rmmod upatch unregister compiler and assembler when rmmod upatch 
@@ -323,3 +323,101 @@ index 9f45cb7..899b83f 100755 -- 2.33.0 + +From 8b8a62377a425c273c2a584ff9f299f88b70f0e5 Mon Sep 17 00:00:00 2001 +From: snoweay +Date: Thu, 15 Dec 2022 18:34:53 +0800 +Subject: [PATCH 7/8] Revert "build: fix 'kernel patch cannot be insmod during + system start' issue" + +This reverts commit 1506b703935004b04fbf73f8875f33b5a8b8fe87. +--- + build/src/package/rpm_spec_generator.rs | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/build/src/package/rpm_spec_generator.rs b/build/src/package/rpm_spec_generator.rs +index f76e109..917e12e 100644 +--- a/build/src/package/rpm_spec_generator.rs ++++ b/build/src/package/rpm_spec_generator.rs +@@ -114,10 +114,6 @@ impl RpmSpecGenerator { + writeln!(writer, "%{{patch_root}}")?; + writeln!(writer)?; + +- writeln!(writer, "%post")?; +- writeln!(writer, "readonly KO_LIST=\"$(find %{{patch_root}} -name *.ko)\"")?; +- writeln!(writer, "chcon -t modules_object_t \"${{KO_LIST}}\"")?; +- + writeln!(writer, "%preun")?; + writeln!(writer, "if [ \"$(syscare status %{{patch_name}})\" != \"NOT-APPLIED\" ]; then")?; + writeln!(writer, " echo \"error: cannot remove applied patch \'%{{patch_name}}\'\" >&2")?; +-- +2.33.0 + + +From 5171debddcbd632cb25c30d2325f0a655945c0f2 Mon Sep 17 00:00:00 2001 +From: snoweay +Date: Thu, 15 Dec 2022 18:37:42 +0800 +Subject: [PATCH 8/8] manager: Set kpatch's scontext to modules_object_t + +Signed-off-by: snoweay +--- + manager/cli/main.sh | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/manager/cli/main.sh b/manager/cli/main.sh +index 8ee3bd0..c056f62 100755 +--- a/manager/cli/main.sh ++++ b/manager/cli/main.sh +@@ -130,7 +130,7 @@ function get_patch_type() { + } + + function get_patch_elf_path() { +- [ "${PATCH_TYPE}" == "kernel" ] && return ++ [ "${PATCH_TYPE}" == "kernel" ] && return 0 + + local patch_name="$1" + local patch_root=$(get_patch_root_by_patch_name "${patch_name}") +@@ -164,12 +164,21 @@ function do_build() { + 
"${SYSCARE_PATCH_BUILD}" "$@" + } + ++function set_kpatch_scontext() { ++ local getenforce_bin=$(which getenforce 2> /dev/null) ++ [ -n "${getenforce_bin}" ] || return 0 ++ ++ "${getenforce_bin}" | grep -q "Enforcing" 2> /dev/null || return 0 ++ chcon -t modules_object_t "${PATCH_ROOT}/${PATCH_NAME}.ko" ++} ++ + function apply_patch() { + if [ "${PATCH_TYPE}" == "kernel" ] ; then + check_kversion || return 1 +- [ "${PATCH_STATUS}" == "ACTIVED" ] && return ++ [ "${PATCH_STATUS}" == "ACTIVED" ] && return 0 + + if [ "${PATCH_STATUS}" == "NOT-APPLIED" ]; then ++ set_kpatch_scontext + insmod "${PATCH_ROOT}/${PATCH_NAME}.ko" || return 1 + fi + PATCH_STATUS="DEACTIVED" +@@ -191,7 +200,7 @@ function apply_patch() { + + function remove_patch() { + if [ "${PATCH_TYPE}" == "kernel" ] ; then +- [ "${PATCH_STATUS}" == "NOT-APPLIED" ] && return ++ [ "${PATCH_STATUS}" == "NOT-APPLIED" ] && return 0 + [ "${PATCH_STATUS}" == "ACTIVED" ] && deactive_patch + rmmod "${PATCH_NAME}" || return 1 + else +@@ -306,7 +315,7 @@ function initialize_patch_info() { + if [ "${PATCH_TYPE}" == "kernel" ]; then + if [ ! -f "${KPATCH_STATE_FILE}" ]; then + PATCH_STATUS="NOT-APPLIED" +- return ++ return 0 + fi + + if [ $(cat "${KPATCH_STATE_FILE}") -eq 1 ]; then +-- +2.33.0 +
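Review bot: In `set_kpatch_scontext` a failing `chcon` is not propagated: `apply_patch` calls `set_kpatch_scontext` without checking its status and proceeds straight to `insmod`, so a relabel failure on an Enforcing host surfaces only as an opaque module-load error. The SELinux detection also depends on the external `which` binary and returns 0 silently when `which` or `getenforce` is absent; the bash builtin `command -v` removes that dependency. Checking the helper's status with `set_kpatch_scontext || return 1` in the NOT-APPLIED branch makes the failure visible before the load is attempted (chcon already reports the reason on stderr). `apply_patch` continues past the end of this hunk.
```shell
function set_kpatch_scontext() {
    command -v getenforce > /dev/null 2>&1 || return 0
    [ "$(getenforce 2> /dev/null)" == "Enforcing" ] || return 0
    chcon -t modules_object_t "${PATCH_ROOT}/${PATCH_NAME}.ko"
}

# … unchanged: apply_patch() up to the NOT-APPLIED branch …
            set_kpatch_scontext || return 1
            insmod "${PATCH_ROOT}/${PATCH_NAME}.ko" || return 1
```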