1# Parameter Management 2## Overview 3### Function Introduction 4 5The parameter management module, namely, sysparam, provides an easy-to-use key-value pair access interface for system services to configure service functions based on their own system parameters. 6 7### System Parameter Definition 8 9Each subsystem defines the system parameters of its own modules, including the system parameter name, default value, and access permission information. 10#### System Parameter Definition File 11 12- The system parameter definition file ends with the **.para** extension. An example of the file format is as follows: 13 14 ``` 15 const.product.name=OHOS-PRODUCT 16 const.os.version.api=26 17 const.telephony.enable=false|true 18 ``` 19#### System Parameter Name (Key) 20 21- Naming format 22 23 A system parameter name consists of multiple segments in dotted notation. Each segment can be a string that consists of letters, digits, and underscores (_). The total length cannot exceed 96 bytes. System parameter names are categorized into the following two types. 24 25 Naming of system parameters 26 27 | Category| Name| Example| Description| 28 | -------- | -------- | -------- | -------- | 29 | Parameter| Parameter Name | const.product.**name** | Complete system parameter name. It does not end with a period (.).| 30 | Directory| Parameter Directory | const.**. | Name of the directory storing system parameters with the same prefix. It ends with a period (.).| 31 32- Type 33 34 System parameters are categorized into three types. 35 36 System parameter types 37 38 | Category| Prefix| Description| 39 | -------- | -------- | -------- | 40 | Constant| const. | Constant parameter, which will not be changed once a value is assigned. The value can contain a maximum of 4,096 bytes (including the terminator).| 41 | Writable| Others| Writable parameter, which will be lost after system restart. The value can contain a maximum of 96 bytes (including the terminator).| 42 | Persistent| persist. | Writable and persistent parameter, which will not be lost after system restart. The value can contain a maximum of 96 bytes (including the terminator).| 43 44 The general naming format is as follows: 45 46 ```java 47 [ const | persist ].$sub_system.$desc 48 ``` 49 **$sub_system** is the name of the subsystem or module. 50 51 **$desc** indicates the description of a system parameter. The description can contain multiple segments in dotted notation. 52 53#### System Parameter Value 54 55- Types 56 57Types of system parameter values 58 59| Category| Example| Description| 60| -------- | -------- | -------- | 61| String | const.product.name=OHOS-PRODUCT | A multi-line string must be enclosed in double quotation marks ("").| 62| Number | const.os.version.api=26 | Numbers do not need to be enclosed in quotation marks.| 63| Boolean | const.telephony.enable=false | A Boolean value can be **0**, **1**, **false**, or **true**.| 64 65### System Parameter Permission Configuration 66 67DAC and MAC are supported. 68#### Default Permission 69 70If no DAC or MAC permission has been defined for a system parameter, the default permission is as follows: 71 72| [DAC] User | [DAC] Group | [DAC] UGO | [MAC] SELinux Label | 73| ---------- | ----------- | --------- | ------------------- | 74| root | root | 775 | default_param | 75 76Other processes access system parameters with the default permission as follows: 77 78| Operation | System Native Process| System Application Process| Third-party Application Process| 79| ----- | -------------- | ------------ | ------------ | 80| get | Allowed | Allowed | Allowed | 81| watch | Allowed | Allowed | Allowed | 82| set | Not allowed | Not allowed | Not allowed | 83 84#### DAC Permission Configuration 85 86- DAC definition file 87 88 Currently, the control of system parameter access permissions is implemented in discretionary access control (DAC) mode. The access permission definition file ends with the **.para.dac** extension. It is available in the **/base/startup/init/services/etc/param/ohos.para.dac** directory of the init module. The following is an example of the file content: 89 90 ``` 91 const.product. = root:root:0775 92 persist.init. = root:root:0775 93 startup.appspawn. = root:root:0750 94 startup.uevent. = ueventd:ueventd:0775 95 ``` 96 97 As shown above, we can use **parameter directory** to define the same access permission for system parameters with the same prefix. The DAC information is divided into three segments, user, group, and UGO rule, which are separated using a semicolon (:). 98 99 The following figure shows the structure of the UGO rule. 100 101 **Figure 1** UGO rule structure 102 103  104 105#### MAC Permission Configuration 106 107 - SELinux tag 108 109 To add a SELinux tag to system parameters, you first need to define the tag in the **/base/security/selinux_adapter/sepolicy/base/public/parameter.te** file. For example: 110 111 ```java 112 type servicectrl_param, parameter_attr 113 ``` 114 115 After the tag is defined, add the system parameter prefix associated with the tag to **/base/security/selinux_adapter/sepolicy/base/public/parameter_contexts**. The following uses the prefix **ohos.servicectrl** as an example: 116 117 ```java 118 ohos.servicectrl. u:object_r:servicectrl_param:s0 119 ``` 120 121 - Grant operation permissions. For example, to grant operation permissions such as map for the init process, add the following content to the **/base/security/selinux/sepolicy/ohos_policy/startup/init/public/init.te** file: 122 123 ```java 124 allow servicectrl_param tmpfs:filesystem associate; 125 allow init servicectrl_param:file { map open read relabelto relabelfrom }; 126 ``` 127 128 - Set the write permission. For example, grant the system parameter write permission for services such as **init**, **samgr**, and **hdf_devmgr**. 129 130 ```java 131 allow { init samgr hdf_devmgr } servicectrl_param:parameter_service { set }; 132 ``` 133 134 - Set the read permission. If you want to grant the permission only for certain services, replace **xxx** with the services in the following code: 135 136 ```java 137 allow { xxx } servicectrl_param:file { map open read }; 138 ``` 139 140 - If you want to grant the permission for all services, use the following code: 141 142 ```java 143 allow { domain -limit_domain } servicectrl_param:file { map open read }; 144 ``` 145 146#### Basic Requirements for System Parameter Permissions 147 148 The system parameters mapping to a SELinux tag take up an independent shared memory area. It is recommended that system parameters of the same type share a SELinux tag to reduce the overhead of the system shared memory. 149 150 Take the sample component as an example. You are advised to add the following types of tags for access control: 151 152 a) For open read-only system parameters, use **default_param** instead of defining new tags. . 153 154 b) For writable system parameters, add the **{component}_writable_param** tag. 155 156 c) For readable system parameters (privacy data) within a component, add the **[optional]{component}_private_param** tag. 157 158### System Parameter Tag Configuration 159 160#### Configuring the Size of the System Parameter Tag File 161 162By default, 1 KB memory is allocated to each tag, which can store about five system parameters. If a large number of system parameters are supported under a tag, expand the memory size for the tag in the **ohso.para.size** file. 163 164This can be done through either **/system/etc/param/ohos.para.size** or **/sys_prod/etc/param/ohos.para.size**. 165 166The configuration rule is as follows: 167 168System parameter tag = Size 169 170Example: 171 172``` 173devinfo_public_param=30720 174hilog_param=40960 175``` 176 177Default shared memory size of system parameters: 80 KB 178 179#### Description of System Parameter Tags 180 181 The init process creates the corresponding shared memory mapping file in the **/dev/__parameters__/** directory based on the system parameter tag. The shared memory is used to store the system parameters bound to the tag. 182 183 Example of a shared memory file: 184 185 ``` 186 -rwxr-xr-- 1 root root 30720 2017-08-10 16:22 u:object_r:default_param:s0 187 -rwxr-xr-- 1 root root 1024 2017-08-10 16:22 u:object_r:devinfo_private_param:s0 188 -rwxr-xr-- 1 root root 30720 2017-08-10 16:22 u:object_r:devinfo_public_param:s0 189 -rwxr-xr-- 1 root root 40960 2017-08-10 16:22 u:object_r:hilog_param:s0 190 ``` 191 192 The system parameter tags are defined in the **/base/security/selinux_adapter/sepolicy/base/public/parameter.te** file. 193 194 System parameter tag definition: 195 196 ``` 197 type default_param, parameter_attr; 198 type devinfo_private_param, parameter_attr; 199 type devinfo_public_param, parameter_attr; 200 type hilog_param, parameter_attr; 201 ``` 202 203 The mappings between system parameter tags and system parameters are defined in the **/base/security/selinux_adapter/sepolicy/base/public/parameter_contexts** file. 204 205 The following uses the **hilog_param** tag as an example: 206 207 ``` 208 hilog. u:object_r:hilog_param:s0 # System parameters with the hilog. prefix are stored in the shared memory corresponding to the hilog_param tag. 209 persist.sys.hilog. u:object_r:hilog_param:s0 # System parameters with the persist.sys.hilog. prefix are also stored in the shared memory corresponding to the hilog_param tag. 210 ``` 211### Checking Shared Memory Usage of System Parameters 212 213 You can run the **param dump [verbose]** command to query the shared memory usage of system parameters. 214 215 The following is an example of the query result: 216 217 ``` 218 Dump all parameters begin ... 219 Local security information 220 pid: 1612 uid: 0 gid: 0 221 map file: u:object_r:default_param:s0 // Name of the system parameter tag (name of the shared memory mapping file) 222 total size: 10485720 // Size of the system parameter tag file (size of the shared memory mapped to the tag) 223 first offset: 0 // Offset of the first parameter node 224 current offset: 15948 // Offset of the current parameter node 225 total node: 242 // Total number of nodes in the tag 226 total param node: 219 // Total number of parameter nodes 227 total security node: 0 // Number of SELinux nodes 228 commitId : 26 // 229 commitPersistId : 0 // 230 node info: // Information about all nodes under the tag 231 ... ... 232 ``` 233### System Parameter Loading 234 235The following table describes the sequence of loading system parameters. 236| Category| Directory| Description| 237| -------- | -------- | -------- | 238| Kernel parameters | /proc/cmdline | Convert some values of kernel parameters into system parameters. Specifically, convert all **ohospara.xxx=valXXX** parameters to **ohos.boot.xxx=valXXX** parameters.| 239| OS system parameters| /system/etc/param/ohos_const/*.para | Load the definition file containing OS constants preferentially. | 240| Vendor parameters| /vendor/etc/param/*.para | Load the system parameters defined by vendors with the secondary priority. | 241| System parameters| /system/etc/param/*.para | Load the parameters defined by each subsystem. If a system parameter already exists, ignore it.| 242| Persistent parameters| /data/parameters/ | If persistent parameters exist, load them at last. Persistent parameters will overwrite the default system parameters that have been loaded.| 243 244### Parameter and Tag Viewing 245 246 Currently, parameter and tag statistics are recorded in the database by subsystem and component. You can set up the [OpenHarmony real-time architecture information collection and analysis system](https://gitee.com/handyohos/ohos_archinfo/tree/master) to view the statistics. 247 248 For details about how to set up the system, see the [Analyser Module](https://gitee.com/handyohos/ohos_archinfo/blob/master/analyser/README.md) for OpenHarmony real-time architecture information analysis. 249 250 For details about how to collect database information, see the [Collector Module](https://gitee.com/handyohos/ohos_archinfo/tree/master#/handyohos/ohos_archinfo/blob/master/collector/README.md) for OpenHarmony real-time architecture information collection. 251 252 You can also obtain the database from the daily dayu200-db build. 253### Basic System Parameter Operations 254 255Operation primitives for system parameters 256 257 258 259Description of operation primitives 260| Function| Description| 261| -------- | -------- | 262| get | Obtains the value of a system parameter. | 263| set | Sets the value of a system parameter. | 264| wait | Waits for value change of a system parameter synchronously.| 265| watch | Observes value change of a system parameter asynchronously.| 266 267### Constraints 268 269The service management module is available only for the mini system and standard system. 270 271## How to Develop 272 273### Overview 274You can set specific system parameters as needed to meet your service demand. 275 276### APIs 277 278 - Shell commands 279 280 You can manage system parameters by using shell commands. This operation mode is available only for the standard system. The following table lists the shell commands. 281 282 **Table 6** Description of shell commands 283 284 | Function| Description| 285 | -------- | -------- | 286 | param get [**key**] | Obtains the system parameter value of the specified key. If no key name is specified, all system parameter values will be returned.| 287 | param set **key value** | Sets the specified value for the specified key.| 288 | param wait **key** **value** | Waits for the system parameter value of the specified key to match the specified value. Fuzzy match is supported. For example, <strong>*</strong> indicates any value, and <strong>val*</strong> indicates matching of only the first three val characters.| 289 290 - syspara APIs 291 292 The following table lists the APIs used to obtain system parameter values. The return result is a const string and the free operation is not supported. 293 294 **Table 7** Description of syspara APIs 295 | API| Description| 296 | -------- | -------- | 297 | int GetParameter(const char\* key, const char\* def, char\* value, unsigned int len) | Obtains system parameters.| 298 | int SetParameter(const char\* key, const char\* value) | Sets or updates system parameters.| 299 | const char\* GetDeviceType(void) | Obtains the device type.| 300 | const char\* GetManufacture(void) | Obtains the device manufacturer.| 301 | const char\* GetBrand(void) | Obtains the device brand.| 302 | const char\* GetMarketName(void) | Obtains the device marketing name.| 303 | const char\* GetProductSeries(void) | Obtains the device series name.| 304 | const char\* GetProductModel(void) | Obtains the device authentication model.| 305 | const char\* GetSoftwareModel(void) | Obtains the device software model.| 306 | const char\* GetHardwareModel(void) | Obtains the device hardware model.| 307 | const char\* GetHardwareProfile(void) | Obtains the device hardware profile.| 308 | const char\* GetSerial(void) | Obtains the device serial number (SN).| 309 | const char\* GetOSFullName(void) | Obtains the operating system name.| 310 | const char\* GetDisplayVersion(void) | Obtains the software version visible to users.| 311 | const char\* GetBootloaderVersion(void) | Obtains the bootloader version of this device.| 312 | const char\* GetSecurityPatchTag(void) | Obtains the security patch tag.| 313 | const char\* GetAbiList(void) | Obtains the list of application binary interfaces (ABIs) supported on this device.| 314 | int GetSdkApiVersion(void) | Obtains the SDK API level that matches the current system software.| 315 | int GetFirstApiVersion(void) | Obtains the first SDK API level of the system software.| 316 | const char\* GetIncrementalVersion(void) | Obtains the incremental version.| 317 | const char\* GetVersionId(void) | Obtains the version ID.| 318 | const char\* GetBuildType(void) | Obtains the build type.| 319 | const char\* GetBuildUser(void) | Obtains the build account user name.| 320 | const char\* GetBuildHost(void) | Obtains the build host name.| 321 | const char\* GetBuildTime(void) | Obtains the build time.| 322 | const char\* GetBuildRootHash(void) | Obtains the buildroot hash value of this version.| 323 | const char\* GetOsReleaseType(void) | Obtains the system release type.| 324 | int GetDevUdid(char \*udid, int size) | Obtains the device identifier (UDID).| 325 | const char *AclGetSerial(void); | Obtains the device SN (with ACL check).| 326 | int AclGetDevUdid(char *udid, int size); | Obtains the UDID (with ACL check).| 327 328### Procedure 329 3301. System parameter definition 331 332 You can define default system parameters and implement permission control on them by configuring the subsystem or product **.para** and **.para.dac** files. 333 334 On a standard system, use the **ohos_prebuilt_para** template to install the configuration file to the **/etc/param/** directory. The following is an example of the GN script: 335 336 ```go 337 import("//base/startup/init/services/etc/param/param_fixer.gni") 338 339 ohos_prebuilt_para("ohos.para") { 340 source = "//base/startup/init/services/etc/ohos.para" 341 part_name = "init" 342 module_install_dir = "etc/param" 343 } 344 345 ohos_prebuilt_para("ohos.para.dac") { 346 source = "//base/startup/init/services/etc/ohos.para.dac" 347 part_name = "init" 348 module_install_dir = "etc/param" 349 } 350 ``` 351 352 On a small system, run the **copy** command to copy the corresponding system parameter definition file to the **system/etc/param** directory. 353 ```go 354 copy("ohos.para") { 355 sources = [ "//base/startup/init/services/etc/param/ohos.para" ] 356 outputs = [ "$root_out_dir/system/etc/param/ohos.para" ] 357 } 358 copy("ohos.para.dac") { 359 sources = [ "//base/startup/init/services/etc/param/ohos.para.dac" ] 360 outputs = [ "$root_out_dir/system/etc/param/ohos.para.dac" ] 361 } 362 ``` 363 On a mini system, convert all defined default system parameters into header files through **action** and compile them into the system. 364 ```go 365 action("lite_const_param_to") { 366 script = "//base/startup/init/scripts/param_cfg_to_code.py" 367 args = [ 368 "--source", 369 rebase_path( 370 "//base/startup/init/services/etc_lite/param/ohos_const/ohospara"), 371 "--dest_dir", 372 rebase_path("$root_out_dir/gen/init/"), 373 "--priority", 374 "0", 375 ] 376 outputs = [ "$target_gen_dir/${target_name}_param_cfg_to_code.log" ] 377 } 378 ``` 3792. Development example 380 ``` 381 // set && get 382 char key1[] = "rw.sys.version"; 383 char value1[] = "10.1.0"; 384 int ret = SetParameter(key1, value1); 385 char valueGet1[128] = {0}; 386 ret = GetParameter(key1, "version=10.1.0", valueGet1, 128); 387 388 // get sysparm 389 char* value1 = GetDeviceType(); 390 printf("Product type =%s\n", value1); 391 392 char* value2 = GetManufacture(); 393 printf("Manufacture =%s\n", value2); 394 395 char* value3 = GetBrand(); 396 printf("GetBrand =%s\n", value3); 397 398 char* value4 = GetMarketName(); 399 printf("MarketName =%s\n", value4); 400 401 char* value5 = GetProductSeries(); 402 printf("ProductSeries =%s\n", value5); 403 404 char* value6 = GetProductModel(); 405 printf("ProductModel =%s\n", value6); 406 407 char* value7 = GetSoftwareModel(); 408 printf("SoftwareModel =%s\n", value7); 409 410 char* value8 = GetHardwareModel(); 411 printf("HardwareModel =%s\n", value8); 412 413 char* value9 = GetHardwareProfile(); 414 printf("Software profile =%s\n", value9); 415 416 char* value10 = GetSerial(); 417 printf("Serial =%s\n", value10); 418 419 char* value11 = GetOSFullName(); 420 printf("OS name =%s\n", value11); 421 422 char* value12 = GetDisplayVersion(); 423 printf("Display version =%s\n", value12); 424 425 char* value13 = GetBootloaderVersion(); 426 printf("bootloader version =%s\n", value13); 427 428 char* value14 = GetSecurityPatchTag(); 429 printf("secure patch level =%s\n", value14); 430 431 char* value15 = GetAbiList(); 432 printf("abi list =%s\n", value15); 433 434 int value16 = GetFirstApiVersion(); 435 printf("first api level =%d\n", value16); 436 437 char* value17 = GetIncrementalVersion(); 438 printf("Incremental version = %s\n", value17); 439 440 char* value18 = GetVersionId(); 441 printf("formal id =%s\n", value18); 442 443 char* value19 = GetBuildType(); 444 printf("build type =%s\n", value19); 445 446 char* value20 = GetBuildUser(); 447 printf("build user =%s\n", value20); 448 449 char* value21 = GetBuildHost(); 450 printf("Build host = %s\n", value21); 451 452 char* value22 = GetBuildTime(); 453 printf("build time =%s\n", value22); 454 455 char* value23 = GetBuildRootHash(); 456 printf("build root later..., %s\n", value23); 457 458 char* value24 = GetOsReleaseType(); 459 printf("OS release type =%s\n", value24); 460 461 char* value25 = GetOsReleaseType(); 462 printf("OS release type =%s\n", value25); 463 464 char value26[65] = {0}; 465 GetDevUdid(value26, 65); 466 printf("device udid =%s\n", value26); 467 ``` 468### System Parameter Error Codes 469 470**Description of system parameter error codes** 471 472| Enum | Value| Description | 473| -------------------------------- | ------ | ----------------------------------------- | 474| PARAM_CODE_ERROR | -1 | System error. | 475| PARAM_CODE_SUCCESS | 0 | Operation success. | 476| PARAM_CODE_INVALID_PARAM | 100 | Empty input parameter of the system parameter API. | 477| PARAM_CODE_INVALID_NAME | 101 | Invalid length or invalid characters in the system parameter key. | 478| PARAM_CODE_INVALID_VALUE | 102 | Invalid length or invalid characters in the system parameter value. | 479| PARAM_CODE_REACHED_MAX | 103 | Number of tree nodes reaching the maximum. | 480| PARAM_CODE_NOT_SUPPORT | 104 | API not supported. | 481| PARAM_CODE_TIMEOUT | 105 | Server access timed out. | 482| PARAM_CODE_NOT_FOUND | 106 | Parameter not found. | 483| PARAM_CODE_READ_ONLY | 107 | System parameter read-only. | 484| PARAM_CODE_IPC_ERROR | 108 | IPC communication error. | 485| PARAM_CODE_NODE_EXIST | 109 | System parameter node already exists. | 486| PARAM_WATCHER_CALLBACK_EXIST | 110 | Watcher callback repeatedly added. | 487| PARAM_WATCHER_GET_SERVICE_FAILED | 111 | Failed to obtain the service for watcher. | 488| PARAM_CODE_MEMORY_MAP_FAILED | 112 | Failed to create the shared memory mapping for a file. | 489| PARAM_WORKSPACE_NOT_INIT | 113 | Workspace not initialized. | 490| PARAM_CODE_FAIL_CONNECT | 114 | Failed to connect to paramServer. | 491| PARAM_CODE_MEMORY_NOT_ENOUGH | 115 | Insufficient system parameter space. | 492| DAC_RESULT_INVALID_PARAM | 1000 | Unused code, which defines the start value of permission errors. | 493| DAC_RESULT_FORBIDED | 1001 | DAC permission disabled. | 494| SELINUX_RESULT_FORBIDED | 1002 | SELinux permission disabled. | 495| PARAM_CODE_MAX | 1003 | Maximum enum value. | 496 497**Key Logs for Locating Errors** 498 499- system parameter set: 500 501 SetParameter failed! the errNum is: xx! 502 503 SystemSetParameter failed! name is : xxx, errNum is: xx! 504 505- system parameter get: 506 507 GetParameter_ failed! the errNum is: xx! 508 509 SystemReadParam failed! name is: xxxx, errNum is: xx! 510 511- system parameter wait: 512 513 WaitParameter failed! the errNum is: xx! 514 515 SystemWaitParameter failed! name is: xxx, errNum is: xx! 516 517- system parameter Watcher: 518 519 WatchParameter failed! the errNum is xx! 520 521 SystemWatchParameter is failed! keyPrefix is:xxx, errNum is:xx! 522## FAQs 523 524### How to Set a System Parameter 525 526 1. On the shell side, run **hdc shell** to launch the shell CLI of the device, and then run **param set param.key.***system parameter key* param.value.*system parameter value* to set the system parameter. If the operation is successful, no further processing is required. 527 528 2. On the application side, call **SetParameter** to set the system parameter. For details, see [APIs](#apis). 529 530 3. If **param set** fails, locate the fault based on the log. 531 532 If the fault is due to insufficient DAC permissions, declare the required permissions by referring to [DAC Permission Configuration](#dac-permission-configuration). 533 534 If the fault is due to insufficient SELinux permissions, grant the required permissions by referring to the **avc: denied** alarm information. 535 536 If the fault is due to insufficient memory, expand the memory by referring to [System Parameter Tag Configuration](#system-parameter-tag-configuration). 537 538### How to Read a System Parameter 539 540 1. On the shell side, run **hdc shell** to launch the shell CLI of the device, and then run **param get param.key.***system parameter key* to obtain the system parameter. If the operation is successful, no further processing is required. 541 542 2. On the application side, call **GetParameter** to obtain the system parameter. For details, see [APIs](#apis). 543 544 3. If **param get** fails, locate the fault based on the log. 545 546 Check whether the parameter has been set. If yes, go to the next step. If no, set the system parameter. 547 548 If the fault is due to insufficient DAC permissions, declare the required permissions by referring to [DAC Permission Configuration](#dac-permission-configuration). 549 550 If the fault is due to insufficient SELinux permissions, grant the required permissions by referring to the **avc: denied** alarm information. 551 552### How to Subscribe to System Parameter Changes 553 554 1. On the shell side, run **hdc shell** to launch the shell CLI of the device, and then run **param shell** to switch to the parameter shell CLI. Run **watcher parameter param.key.***system parameter key* to subscribe to changes of the system parameter. If there is a change in the system parameter, a message similar to "Receive parameter commit 691 change aaa.aaa 11111" is received. 555 556 2. On the application side, call **WatchParameter** to subscribe to changes of the system parameter. For details, see [APIs](#apis). 557 558 3. If **watcher parameter** fails, locate the fault based on the log. 559 560 If the fault is due to insufficient DAC permissions, declare the required permissions by referring to [DAC Permission Configuration](#dac-permission-configuration). 561 562 If the fault is due to insufficient SELinux permissions, grant the required permissions by referring to the **avc: denied** alarm information. 563 564### How to Enable Third-Party Applications to Access System Parameters 565 566The default DAC rules grant only the **get** and **watch** permissions for third-party applications. If a third-party application requires the **set** permission, you need to reset DAC rules. In addition, SELinux permissions of third-party applications are left unspecified by default. If needed, set the SELinux permissions by referring to the [MAC Permission Configuration](#mac-permission-configuration). 567
