diff --git a/0001-libsemanage-include-more-parameters-in-the-module-ch.patch b/0001-libsemanage-include-more-parameters-in-the-module-ch.patch
new file mode 100644
index 0000000..88218d7
--- /dev/null
+++ b/0001-libsemanage-include-more-parameters-in-the-module-ch.patch
@@ -0,0 +1,103 @@
+From a6b472835502d5fc9fc263db07de69527943ac91 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Wed, 8 Mar 2023 10:46:42 +0100
+Subject: [PATCH] libsemanage: include more parameters in the module checksum
+Content-type: text/plain
+
+The check_ext_changes option currently assumes that as long as the
+module content is unchanged, it is safe to assume that the policy.linked
+file doesn't need to be rebuilt. However, there are some additional
+parameters that can affect the content of this policy file, namely:
+* the disable_dontaudit and preserve_tunables flags
+* the target_platform and policyvers configuration values
+
+Include these in the checksum so that the option works correctly when
+only some of these input values are changed versus the current state.
+
+Fixes: 286a679fadc4 ("libsemanage: optionally rebuild policy when modules are changed externally")
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libsemanage/src/direct_api.c | 31 +++++++++++++++++++++++++++++--
+ 1 file changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
+index 7aa081abb3b7..d740070d538e 100644
+--- a/libsemanage/src/direct_api.c
++++ b/libsemanage/src/direct_api.c
+@@ -863,6 +863,14 @@ static void update_checksum_with_len(Sha256Context *context, size_t s)
+ 	Sha256Update(context, buffer, 8);
+ }
+ 
++static void update_checksum_with_bool(Sha256Context *context, bool b)
++{
++	uint8_t byte;
++
++	byte = b ? UINT8_C(1) : UINT8_C(0);
++	Sha256Update(context, &byte, 1);
++}
++
+ static int semanage_compile_module(semanage_handle_t *sh,
+ 				   semanage_module_info_t *modinfo,
+ 				   Sha256Context *context)
+@@ -977,13 +985,21 @@ static int modinfo_cmp(const void *a, const void *b)
+ 	return strcmp(ma->name, mb->name);
+ }
+ 
++struct extra_checksum_params {
++	int disable_dontaudit;
++	int preserve_tunables;
++	int target_platform;
++	int policyvers;
++};
++
+ static int semanage_compile_hll_modules(semanage_handle_t *sh,
+ 					semanage_module_info_t *modinfos,
+ 					int num_modinfos,
++					const struct extra_checksum_params *extra,
+ 					char *cil_checksum)
+ {
+ 	/* to be incremented when checksum input data format changes */
+-	static const size_t CHECKSUM_EPOCH = 1;
++	static const size_t CHECKSUM_EPOCH = 2;
+ 
+ 	int i, status = 0;
+ 	char cil_path[PATH_MAX];
+@@ -1000,6 +1016,10 @@ static int semanage_compile_hll_modules(semanage_handle_t *sh,
+ 
+ 	Sha256Initialise(&context);
+ 	update_checksum_with_len(&context, CHECKSUM_EPOCH);
++	update_checksum_with_bool(&context, !!extra->disable_dontaudit);
++	update_checksum_with_bool(&context, !!extra->preserve_tunables);
++	update_checksum_with_len(&context, (size_t)extra->target_platform);
++	update_checksum_with_len(&context, (size_t)extra->policyvers);
+ 
+ 	/* prefix with module count to avoid collisions */
+ 	update_checksum_with_len(&context, num_modinfos);
+@@ -1134,6 +1154,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ 	mode_t mask = umask(0077);
+ 	struct stat sb;
+ 	char modules_checksum[CHECKSUM_CONTENT_SIZE + 1 /* '\0' */];
++	struct extra_checksum_params extra;
+ 
+ 	int do_rebuild, do_write_kernel, do_install;
+ 	int fcontexts_modified, ports_modified, seusers_modified,
+@@ -1274,8 +1295,14 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ 			goto cleanup;
+ 		}
+ 
++		extra = (struct extra_checksum_params){
++			.disable_dontaudit = sepol_get_disable_dontaudit(sh->sepolh),
++			.preserve_tunables = sepol_get_preserve_tunables(sh->sepolh),
++			.target_platform = sh->conf->target_platform,
++			.policyvers = sh->conf->policyvers,
++		};
+ 		retval = semanage_compile_hll_modules(sh, modinfos, num_modinfos,
+-						      modules_checksum);
++						      &extra, modules_checksum);
+ 		if (retval < 0) {
+ 			ERR(sh, "Failed to compile hll files into cil files.\n");
+ 			goto cleanup;
+-- 
+2.40.0
+
diff --git a/libsemanage.spec b/libsemanage.spec
index 0815909..f5ad9b9 100644
--- a/libsemanage.spec
+++ b/libsemanage.spec
@@ -4,12 +4,13 @@
 Summary: SELinux binary policy manipulation library
 Name: libsemanage
 Version: 3.5
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: LGPL-2.1-or-later
 Source0: https://github.com/SELinuxProject/selinux/releases/download/3.5/libsemanage-3.5.tar.gz
 # git format-patch -N 3.5 -- libsemanage
 # i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
+Patch0001: 0001-libsemanage-include-more-parameters-in-the-module-ch.patch
 # Patch list end
 URL: https://github.com/SELinuxProject/selinux/wiki
 Source1: semanage.conf
@@ -154,6 +155,9 @@ cp %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/semanage.conf
 %{_libexecdir}/selinux/semanage_migrate_store
 
 %changelog
+* Fri Mar 24 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-2
+- Include more parameters in the module checksum (#2173959)
+
 * Fri Feb 24 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-1
 - SELinux userspace 3.5 release