# Configuring an OpenHarmony SELinux Policy for a Process

## Native Process

**Scenario**

Configure a policy for a native process started by **init** or **chipset_init** through its service configuration file, for example, **ueventd** and **installs**.

**Procedure**

1. In the configuration file of the process, add the **secon** field to map the process to its SELinux label. If the **secon** field is not configured, the process will be blocked when SELinux is enabled.
    ```json
    {
        "services" : [{
                "name" : "demo",
                "path" : ["/system/bin/demo"],
                "uid" : "demo",
                "gid" : ["demo"],
                "secon" : "u:r:demo:s0"
            }
        ]
    }
    ```
2. In the **type.te** file, define the SELinux type **demo** used in the label **u:r:demo:s0** so that the label is valid.

    If **demo** is started by **init**, define it as follows:
    ```text
    type demo, native_system_domain, domain;
    ```
    If **demo** is started by **chipset_init**, define it as follows:
    ```text
    type demo, native_chipset_domain, domain;
    ```

## SA Process

**Scenario**

Configure a policy for an SA process started by **init** through its service configuration file, for example, **accountmgr** and **foundation**.

**Procedure**

1. In the configuration file of the process, add the **secon** field to map the process to its SELinux label. If the **secon** field is not configured, the process will be blocked when SELinux is enabled.
    ```json
    {
        "services" : [{
                "name" : "demo",
                "path" : ["/system/bin/sa_main", "/system/profile/demo.json"],
                "uid" : "demo",
                "gid" : ["demo"],
                "secon" : "u:r:demo:s0"
            }
        ]
    }
    ```
2. In the **type.te** file, define the SELinux type **demo** used in the label **u:r:demo:s0** so that the label is valid.
    ```text
    type demo, sadomain, domain;
    ```

## HDF Service Process

**Scenario**

Configure a policy for an HDF service process started by **init** or **chipset_init** through its service configuration file, for example, **wifi_host** and **camera_host**.

**Procedure**

1. In the configuration file of the process, add the **secon** field to map the process to its SELinux label. If the **secon** field is not configured, the process will be blocked when SELinux is enabled.
    ```json
    {
        "services" : [{
                "name" : "demo",
                "path" : ["/vendor/bin/hdf_devhost", "0", "demo"],
                "uid" : "demo",
                "gid" : ["demo"],
                "secon" : "u:r:demo:s0"
            }
        ]
    }
    ```

2. In the **type.te** file, define the SELinux type **demo** used in the label **u:r:demo:s0** so that the label is valid.
    ```text
    type demo, hdfdomain, domain;
    ```
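The native, SA and HDF procedures above all depend on two files agreeing: the `secon` label in the service configuration and a `type` line in **type.te** that carries the attribute for that process class (**native_system_domain** or **native_chipset_domain** for native processes, **sadomain** for SA processes, **hdfdomain** for HDF service processes). The following Python script is an added example, not part of the OpenHarmony documentation or code base. It parses a constructed service configuration and a constructed **type.te** fragment and reports every service that would be blocked at boot: a missing `secon`, a malformed label, a type that is never defined, or a type that lacks the expected attribute. The `expected_attr` parameter is an assumption of this example; the caller states which process class the configuration file belongs to, since the page does not describe a way to infer it from the file.

```python
import json
import re

# Constructed service configuration modelled on the page's examples. The second
# service deliberately omits "secon"; the third carries an HDF-style type so the
# attribute check has something to reject when checking native services.
SAMPLE_CFG = """
{
    "services" : [{
            "name" : "demo",
            "path" : ["/system/bin/demo"],
            "uid" : "demo",
            "gid" : ["demo"],
            "secon" : "u:r:demo:s0"
        }, {
            "name" : "demo_sa",
            "path" : ["/system/bin/sa_main", "/system/profile/demo_sa.json"],
            "uid" : "demo_sa",
            "gid" : ["demo_sa"]
        }, {
            "name" : "demo_hdf",
            "path" : ["/vendor/bin/hdf_devhost", "0", "demo_hdf"],
            "uid" : "demo_hdf",
            "gid" : ["demo_hdf"],
            "secon" : "u:r:demo_hdf:s0"
        }
    ]
}
"""

# Constructed type.te fragment in the form the page uses: type NAME, ATTR, ...;
SAMPLE_TYPE_TE = """
type demo, native_system_domain, domain;
type demo_hdf, hdfdomain, domain;
"""

TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*,\s*([^;]*);", re.MULTILINE)
# Labels on this page have the form u:r:<type>:s0; the type is what must exist.
SECON_RE = re.compile(r"^u:r:(\w+):s0$")


def parse_type_te(text):
    """Return {type_name: set(attributes)} from `type name, attr, ...;` lines."""
    types = {}
    for name, attrs in TYPE_RE.findall(text):
        types[name] = {a.strip() for a in attrs.split(",") if a.strip()}
    return types


def check_services(cfg_text, type_te_text, expected_attr):
    """Return a list of (service_name, problem) for services SELinux would block.

    expected_attr is the attribute the page prescribes for this configuration
    file's process class, e.g. "native_system_domain" or "hdfdomain".
    """
    cfg = json.loads(cfg_text)
    types = parse_type_te(type_te_text)
    problems = []
    for svc in cfg.get("services", []):
        name = svc.get("name", "<unnamed>")
        secon = svc.get("secon")
        if secon is None:
            problems.append((name, "missing secon field"))
            continue
        m = SECON_RE.match(secon)
        if not m:
            problems.append((name, f"malformed secon {secon!r}"))
            continue
        domain = m.group(1)
        attrs = types.get(domain)
        if attrs is None:
            problems.append((name, f"type {domain} not defined in type.te"))
            continue
        missing = {expected_attr, "domain"} - attrs
        if missing:
            problems.append((name, f"type {domain} lacks {', '.join(sorted(missing))}"))
    return problems


if __name__ == "__main__":
    for svc, problem in check_services(SAMPLE_CFG, SAMPLE_TYPE_TE, "native_system_domain"):
        print(f"{svc}: {problem}")
```

Running the check against a real tree means pointing it at the cfg file for one process class at a time with the matching attribute; a service that shows up here will show up as a denial in the audit log once SELinux is enabled, so it is cheaper to catch at build time.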

## Application Process

**Scenario**

Configure a policy for a system application process started by **appspawn**, for example, **com.ohos.permissionmanager**, so that it runs with its own label.

**Procedure**

1. In the **sehap_contexts** file, define the mapping from the application's APL and bundle name to its process label and data directory label.

    For example, if the application APL is **normal** and the bundle name is **com.ohos.permissionmanager**, the data directory label of the application is **u:object_r:permissionmanager_hap_data_file:s0**, and the label of the running application process is **u:r:permissionmanager_hap:s0**.

    ```text
    apl=normal name=com.ohos.permissionmanager domain=permissionmanager_hap type=permissionmanager_hap_data_file
    ```
    For details about the APL, see [Application APL](../../application-dev/security/AccessToken/app-permission-mgmt-overview.md#application-apl).

2. Define **permissionmanager_hap** and **permissionmanager_hap_data_file** in **type.te** so that **u:r:permissionmanager_hap:s0** and **u:object_r:permissionmanager_hap_data_file:s0** are valid.
    ```text
    type permissionmanager_hap, normal_hap_attr, hap_domain, domain;
    type permissionmanager_hap_data_file, normal_hap_data_file_attr, hap_file_attr, data_file_attr, file_attr;
    ```
    In this example, the application APL is **normal**. The following table lists the reference configuration for applications of each APL.

    **Table 1** Mappings between APLs and application attributes
    | APL | Application Process Attribute | Application Data Directory Attribute |
    | -------- | -------- | -------- |
    | normal | normal_hap_attr | normal_hap_data_file_attr |
    | system_basic | system_basic_hap_attr | system_basic_hap_data_file_attr |
    | system_core | system_core_hap_attr | system_core_hap_data_file_attr |

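The application procedure has a consistency requirement of its own: the `domain` and `type` named on a **sehap_contexts** line must be defined in **type.te** with the attributes Table 1 prescribes for that line's APL, otherwise the application either fails to start or runs with less restriction than its APL implies. The following Python script is an added example, not part of the OpenHarmony documentation or code base. It parses constructed **sehap_contexts** lines and a constructed **type.te** fragment, derives the process and data directory labels the page describes, and reports every entry whose types are missing or carry the wrong APL attribute. The base attributes it requires alongside the APL attribute (**hap_domain** and **domain** for the process type; **hap_file_attr**, **data_file_attr** and **file_attr** for the data type) are taken from the page's example definition.

```python
import re

# Table 1 from the page: APL -> (process attribute, data directory attribute)
APL_ATTRS = {
    "normal": ("normal_hap_attr", "normal_hap_data_file_attr"),
    "system_basic": ("system_basic_hap_attr", "system_basic_hap_data_file_attr"),
    "system_core": ("system_core_hap_attr", "system_core_hap_data_file_attr"),
}

# Constructed sehap_contexts lines. The second entry claims system_core but its
# types below only carry the normal attributes; the third names undefined types.
SAMPLE_SEHAP_CONTEXTS = """
apl=normal name=com.ohos.permissionmanager domain=permissionmanager_hap type=permissionmanager_hap_data_file
apl=system_core name=com.example.settings domain=settings_hap type=settings_hap_data_file
apl=normal name=com.example.nodef domain=nodef_hap type=nodef_hap_data_file
"""

# Constructed type.te fragment in the form the page uses.
SAMPLE_TYPE_TE = """
type permissionmanager_hap, normal_hap_attr, hap_domain, domain;
type permissionmanager_hap_data_file, normal_hap_data_file_attr, hap_file_attr, data_file_attr, file_attr;
type settings_hap, normal_hap_attr, hap_domain, domain;
type settings_hap_data_file, normal_hap_data_file_attr, hap_file_attr, data_file_attr, file_attr;
"""

TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*,\s*([^;]*);", re.MULTILINE)


def parse_type_te(text):
    """Return {type_name: set(attributes)} from `type name, attr, ...;` lines."""
    return {name: {a.strip() for a in attrs.split(",") if a.strip()}
            for name, attrs in TYPE_RE.findall(text)}


def parse_sehap_contexts(text):
    """Return one dict per non-empty line, from its key=value tokens."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entries.append(dict(tok.split("=", 1) for tok in line.split() if "=" in tok))
    return entries


def labels_for(entry):
    """Labels the page derives from an entry: process label and data directory label."""
    return (f"u:r:{entry['domain']}:s0", f"u:object_r:{entry['type']}:s0")


def check_sehap_contexts(contexts_text, type_te_text):
    """Return a list of (bundle_name, problem) for entries that disagree with type.te."""
    types = parse_type_te(type_te_text)
    problems = []
    for entry in parse_sehap_contexts(contexts_text):
        name = entry.get("name", "<unnamed>")
        apl = entry.get("apl")
        if apl not in APL_ATTRS:
            problems.append((name, f"unknown apl {apl!r}"))
            continue
        proc_attr, data_attr = APL_ATTRS[apl]
        requirements = (
            ("domain", {proc_attr, "hap_domain", "domain"}),
            ("type", {data_attr, "hap_file_attr", "data_file_attr", "file_attr"}),
        )
        for key, required in requirements:
            type_name = entry.get(key)
            attrs = types.get(type_name)
            if attrs is None:
                problems.append((name, f"{key} {type_name} not defined in type.te"))
                continue
            missing = required - attrs
            if missing:
                problems.append((name, f"{key} {type_name} lacks {', '.join(sorted(missing))}"))
    return problems


if __name__ == "__main__":
    for entry in parse_sehap_contexts(SAMPLE_SEHAP_CONTEXTS):
        print(entry["name"], *labels_for(entry))
    for bundle, problem in check_sehap_contexts(SAMPLE_SEHAP_CONTEXTS, SAMPLE_TYPE_TE):
        print(f"{bundle}: {problem}")
```

The APL mismatch case is the one worth watching in review: a **system_core** entry whose types only carry the **normal** attributes is not a syntax error anywhere, so nothing in the build flags it, yet the process would not receive the rules written for the **system_core_hap_attr** attribute.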