# Configuring an OpenHarmony SELinux Policy for a Process

## Native Process

**Scenario**

Configure a policy for a native process incubated by **init** or **chipset_init** through the configuration file, for example, **ueventd** and **installs**.

**Procedure**

1. In the configuration file of the process, add the **secon** field to configure the mapping between the process and the label. If the **secon** field is not configured, the process will be intercepted when SELinux is enabled.
    ```json
    {
        "services" : [{
                "name" : "demo",
                "path" : ["/system/bin/demo"],
                "uid" : "demo",
                "gid" : ["demo"],
                "secon" : "u:r:demo:s0"
            }
        ]
    }
    ```
2. In the **type.te** file, define the SELinux type **demo** that appears in the SELinux label **u:r:demo:s0** so that the label is valid.

    If **demo** is incubated by **init**, set it as follows:
    ```text
    type demo, native_system_domain, domain;
    ```
    If **demo** is incubated by **chipset_init**, set it as follows:
    ```text
    type demo, native_chipset_domain, domain;
    ```

## SA Process

**Scenario**

Configure a policy for an SA process incubated by **init** through the configuration file, for example, **accountmgr** and **foundation**.

**Procedure**

1. In the configuration file of the process, add the **secon** field to configure the mapping between the process and the label. If the **secon** field is not configured, the process will be intercepted when SELinux is enabled.
    ```json
    {
        "services" : [{
                "name" : "demo",
                "path" : ["/system/bin/sa_main", "/system/profile/demo.json"],
                "uid" : "demo",
                "gid" : ["demo"],
                "secon" : "u:r:demo:s0"
            }
        ]
    }
    ```
2. In the **type.te** file, define the SELinux type **demo** that appears in the SELinux label **u:r:demo:s0** so that the label is valid.
    ```text
    type demo, sadomain, domain;
    ```

## HDF Service Process

**Scenario**

Configure a policy for an HDF service process incubated by **init** or **chipset_init** through the configuration file, for example, **wifi_host** and **camera_host**.

**Procedure**

1. In the configuration file of the process, add the **secon** field to configure the mapping between the process and the label. If the **secon** field is not configured, the process will be intercepted when SELinux is enabled.
    ```json
    {
        "services" : [{
                "name" : "demo",
                "path" : ["/vendor/bin/hdf_devhost", "0", "demo"],
                "uid" : "demo",
                "gid" : ["demo"],
                "secon" : "u:r:demo:s0"
            }
        ]
    }
    ```

2. In the **type.te** file, define the SELinux type **demo** that appears in the SELinux label **u:r:demo:s0** so that the label is valid.
    ```text
    type demo, hdfdomain, domain;
    ```

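A consistency check for the native, SA and HDF service procedures above, added here as an example and not taken from the OpenHarmony documentation or code: it reads service configuration and **type.te** text and reports services with no **secon**, labels whose type is not declared, and types missing the attribute for their process kind. Choosing the process kind from the first **path** entry, the function names and the sample data are assumptions of this example.

```python
import json
import re

TYPE_RE = re.compile(r"^\s*type\s+(\w+)((?:\s*,\s*\w+)*)\s*;", re.M)
SECON_RE = re.compile(r"^u:r:(\w+):s0$")  # label form used on this page

def expected_attrs(path):
    """Attributes for the process kind. Inferring the kind from path[0] is an
    assumption of this example, based on the sample configs on this page."""
    if path[0].endswith("/sa_main"):
        return {"sadomain"}
    if path[0].endswith("/hdf_devhost"):
        return {"hdfdomain"}
    # Native process: init and chipset_init services use different attributes.
    return {"native_system_domain", "native_chipset_domain"}

def check_services(cfg_text, type_te_text):
    """Return findings; an empty list means the cfg and type.te agree."""
    types = {m.group(1): set(re.findall(r"\w+", m.group(2)))
             for m in TYPE_RE.finditer(type_te_text)}
    findings = []
    for svc in json.loads(cfg_text).get("services", []):
        name, secon = svc.get("name", "?"), svc.get("secon")
        m = SECON_RE.match(secon or "")
        if secon is None:
            findings.append(f"{name}: secon missing")
        elif not m:
            findings.append(f"{name}: secon {secon!r} is not u:r:<type>:s0")
        elif m.group(1) not in types:
            findings.append(f"{name}: type {m.group(1)} not declared")
        else:
            attrs, kind = types[m.group(1)], expected_attrs(svc["path"])
            if "domain" not in attrs or not attrs & kind:
                findings.append(f"{name}: type {m.group(1)} needs domain and "
                                f"one of {sorted(kind)}")
    return findings

# Constructed sample input; the service names are hypothetical.
SAMPLE_CFG = """{"services": [
 {"name": "demo", "path": ["/system/bin/demo"], "secon": "u:r:demo:s0"},
 {"name": "demo_sa", "path": ["/system/bin/sa_main", "/system/profile/demo_sa.json"],
  "secon": "u:r:demo_sa:s0"},
 {"name": "demo_host", "path": ["/vendor/bin/hdf_devhost", "0", "demo_host"],
  "secon": "u:r:demo_host:s0"},
 {"name": "nolabel", "path": ["/system/bin/nolabel"]}]}"""
SAMPLE_TE = "type demo, native_system_domain, domain;\ntype demo_sa, hdfdomain, domain;\n"

if __name__ == "__main__":
    print("\n".join(check_services(SAMPLE_CFG, SAMPLE_TE)))
```
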
## Application Process

**Scenario**

Configure a policy for a system application process incubated by **appspawn**, for example, **com.ohos.permissionmanager**, to make it run with an independent label.

**Procedure**

1. In the **sehap_contexts** file, map the application APL and bundle name to the application process label and the data directory label.

    For example, the application APL is **normal**, and the bundle name is **com.ohos.permissionmanager**. Then, the data directory label of the application is **u:object_r:permissionmanager_hap_data_file:s0**, and the label of the running application process is **u:r:permissionmanager_hap:s0**.

    ```text
    apl=normal name=com.ohos.permissionmanager domain=permissionmanager_hap type=permissionmanager_hap_data_file
    ```
    For details about the APL, see [Application APL](../../application-dev/security/AccessToken/app-permission-mgmt-overview.md#application-apl).

2. Define **permissionmanager_hap** and **permissionmanager_hap_data_file** in **type.te** to make **u:r:permissionmanager_hap:s0** and **u:object_r:permissionmanager_hap_data_file:s0** valid.
    ```text
    type permissionmanager_hap, normal_hap_attr, hap_domain, domain;
    type permissionmanager_hap_data_file, normal_hap_data_file_attr, hap_file_attr, data_file_attr, file_attr;
    ```
    In this example, the application APL is **normal**. The following table lists the reference configuration for applications of different APLs.

    **Table 1** Mappings between APLs and application attributes

    | APL | Application Process Attribute | Application Data Directory Attribute |
    | -------- | -------- | -------- |
    | normal | normal_hap_attr | normal_hap_data_file_attr |
    | system_basic | system_basic_hap_attr | system_basic_hap_data_file_attr |
    | system_core | system_core_hap_attr | system_core_hap_data_file_attr |

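
A consistency check for the application procedure above, added here as an example and not taken from the OpenHarmony documentation or code: it reads **sehap_contexts** and **type.te** text and reports entries whose **domain** or **type** is undeclared, lacks the Table 1 attribute for the entry's APL, or carries the attribute of a different APL. The function name and the `com.example.tool` entry are assumptions of this example.

```python
import re

# Table 1 on this page: APL -> (process attribute, data directory attribute).
APL_ATTRS = {apl: (f"{apl}_hap_attr", f"{apl}_hap_data_file_attr")
             for apl in ("normal", "system_basic", "system_core")}
TYPE_RE = re.compile(r"^\s*type\s+(\w+)((?:\s*,\s*\w+)*)\s*;", re.M)

def check_sehap(sehap_text, type_te_text):
    """Return findings for sehap_contexts entries that disagree with type.te."""
    types = {m.group(1): set(re.findall(r"\w+", m.group(2)))
             for m in TYPE_RE.finditer(type_te_text)}
    findings = []
    for lineno, line in enumerate(sehap_text.splitlines(), 1):
        entry = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if not entry:
            continue  # blank line
        where = f"line {lineno} ({entry.get('name', '?')})"
        apl = entry.get("apl")
        if apl not in APL_ATTRS:
            findings.append(f"{where}: unknown or missing apl {apl!r}")
            continue
        # Index 0 of each APL_ATTRS pair goes with domain=, index 1 with type=.
        for col, key in enumerate(("domain", "type")):
            sel_type = entry.get(key)
            if sel_type not in types:
                findings.append(f"{where}: {key}={sel_type} not declared")
                continue
            want = APL_ATTRS[apl][col]
            other = {a[col] for k, a in APL_ATTRS.items() if k != apl}
            if want not in types[sel_type]:
                findings.append(f"{where}: {sel_type} lacks {want}")
            for attr in sorted(other & types[sel_type]):
                findings.append(f"{where}: {sel_type} carries {attr}, apl is {apl}")
    return findings

# Constructed sample input; com.example.tool and its types are hypothetical.
SAMPLE_SEHAP = """\
apl=normal name=com.ohos.permissionmanager domain=permissionmanager_hap type=permissionmanager_hap_data_file
apl=normal name=com.example.tool domain=tool_hap type=tool_hap_data_file
"""
SAMPLE_TE = """\
type permissionmanager_hap, normal_hap_attr, hap_domain, domain;
type permissionmanager_hap_data_file, normal_hap_data_file_attr, hap_file_attr, data_file_attr, file_attr;
type tool_hap, system_core_hap_attr, hap_domain, domain;
"""

if __name__ == "__main__":
    print("\n".join(check_sehap(SAMPLE_SEHAP, SAMPLE_TE)))
```
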