1# Parameter Management 2 3## Overview 4 5### Function Introduction 6 7The parameter management module, namely, sysparam, provides an easy-to-use key-value pair access interface for system services to configure service functions based on their own system parameters. 8 9### System Parameter Definition 10 11Each subsystem defines the system parameters of its own modules, including the system parameter name, default value, and access permission information. 12#### System Parameter Definition File 13 14- The system parameter definition file ends with the **.para** extension. An example of the file format is as follows: 15 16 ``` 17 const.product.name=OHOS-PRODUCT 18 const.os.version.api=26 19 const.telephony.enable=false|true 20 ``` 21 22#### System Parameter Name (Key) 23 24- Naming format 25 26 A system parameter name consists of multiple segments in dotted notation. Each segment can be a string that consists of letters, digits, and underscores (_). The total length cannot exceed 96 bytes. System parameter names are categorized into the following two types. 27 28 Naming of system parameters 29 30 | Category| Name| Example| Description| 31 | -------- | -------- | -------- | -------- | 32 | Parameter| Parameter Name | const.product.name | Complete system parameter name. It does not end with a period (.).| 33 | Directory| Parameter Directory | const.**.| Name of the directory storing system parameters with the same prefix. It ends with a period (.).| 34 35- Type 36 37 System parameters are categorized into three types. 38 39 System parameter types 40 41 | Category| Prefix| Description| 42 | -------- | -------- | -------- | 43 | Constant| const. | Constant parameter, which will not be changed once a value is assigned. The value can contain a maximum of 4,096 bytes (including the terminator).| 44 | Writable| Others| Writable parameter, which will be lost after system restart. The value can contain a maximum of 96 bytes (including the terminator).| 45 | Persistent| persist. | Writable and persistent parameter, which will not be lost after system restart. The value can contain a maximum of 96 bytes (including the terminator).| 46 47 The general naming format is as follows: 48 49 ```java 50 [ const | persist ].$sub_system.$desc 51 ``` 52 **$sub_system** is the name of the subsystem or module. 53 54 **$desc** indicates the description of a system parameter. The description can contain multiple segments in dotted notation. 55 56#### System Parameter Value 57 58- Types 59 60Types of system parameter values 61 62| Category| Example| Description| 63| -------- | -------- | -------- | 64| String | const.product.name=OHOS-PRODUCT | A multi-line string must be enclosed in double quotation marks ("").| 65| Number | const.os.version.api=26 | Numbers do not need to be enclosed in quotation marks.| 66| Boolean | const.telephony.enable=false | A Boolean value can be **0**, **1**, **false**, or **true**.| 67 68### System Parameter Permission Configuration 69 70DAC and MAC are supported. 71 72#### Default Permission 73 74If no DAC or MAC permission has been defined for a system parameter, the default permission is as follows: 75 76| [DAC] User | [DAC] Group | [DAC] UGO | [MAC] SELinux Label | 77| ---------- | ----------- | --------- | ------------------- | 78| root | root | 775 | default_param | 79 80Other processes access system parameters with the default permission as follows: 81 82| Operation | System Native Process| System Application Process| Third-party Application Process| 83| ----- | -------------- | ------------ | ------------ | 84| get | Allowed | Allowed | Allowed | 85| watch | Allowed | Allowed | Allowed | 86| set | Not allowed | Not allowed | Not allowed | 87 88#### DAC Permission Configuration 89 90- DAC definition file 91 92 Currently, the control of system parameter access permissions is implemented in discretionary access control (DAC) mode. The access permission definition file ends with the **.para.dac** extension. It is available in the **/base/startup/init/services/etc/param/ohos.para.dac** directory of the init module. The following is an example of the file content: 93 94 ``` 95 const.product. = root:root:0775 96 persist.init. = root:root:0775 97 startup.appspawn. = root:root:0750 98 startup.uevent. = ueventd:ueventd:0775 99 ``` 100 101 As shown above, we can use **parameter directory** to define the same access permission for system parameters with the same prefix. The DAC information is divided into three segments, user, group, and UGO rule, which are separated using a semicolon (:). 102 103 The following figure shows the structure of the UGO rule. 104 105 **Figure 1** UGO rule structure 106 107  108 109#### MAC Permission Configuration 110 111- SELinux tag 112 113 To add a SELinux tag to system parameters, you first need to define the tag in the **/base/security/selinux_adapter/sepolicy/base/public/parameter.te** file. For example: 114 115 ```java 116 type servicectrl_param, parameter_attr 117 ``` 118 119 After the tag is defined, add the system parameter prefix associated with the tag to **/base/security/selinux_adapter/sepolicy/base/public/parameter_contexts**. The following uses the prefix **ohos.servicectrl** as an example: 120 121 ```java 122 ohos.servicectrl. u:object_r:servicectrl_param:s0 123 ``` 124 125- Grant operation permissions. For example, to grant operation permissions such as map for the init process, add the following content to the **/base/security/selinux/sepolicy/ohos_policy/startup/init/public/init.te** file: 126 127 ```java 128 allow servicectrl_param tmpfs:filesystem associate; 129 allow init servicectrl_param:file { map open read relabelto relabelfrom }; 130 ``` 131 132- Set the write permission. For example, grant the system parameter write permission for services such as **init**, **samgr**, and **hdf_devmgr**. 133 134 ```java 135 allow { init samgr hdf_devmgr } servicectrl_param:parameter_service { set }; 136 ``` 137 138- Set the read permission. If you want to grant the permission only for certain services, replace **xxx** with the services in the following code: 139 140 ```java 141 allow { xxx } servicectrl_param:file { map open read }; 142 ``` 143 144- If you want to grant the permission for all services, use the following code: 145 146 ```java 147 allow { domain -limit_domain } servicectrl_param:file { map open read }; 148 ``` 149 150#### Basic Requirements for System Parameter Permissions 151 152The system parameters mapping to a SELinux tag take up an independent shared memory area. It is recommended that system parameters of the same type share a SELinux tag to reduce the overhead of the system shared memory. 153 154Take the sample component as an example. You are advised to add the following types of tags for access control: 155 156a) For open read-only system parameters, use **default_param** instead of defining new tags. . 157 158b) For writable system parameters, add the **{component}_writable_param** tag. 159 160c) For readable system parameters (privacy data) within a component, add the **[optional]{component}_private_param** tag. 161 162### System Parameter Tag Configuration 163 164#### Configuring the Size of the System Parameter Tag File 165 166By default, 1 KB memory is allocated to each tag, which can store about five system parameters. If a large number of system parameters are supported under a tag, expand the memory size for the tag in the **ohso.para.size** file. 167 168This can be done through either **/system/etc/param/ohos.para.size** or **/sys_prod/etc/param/ohos.para.size**. 169 170The configuration rule is as follows: 171 172System parameter tag = Size 173 174Example: 175 176``` 177devinfo_public_param=30720 178hilog_param=40960 179``` 180 181Default shared memory size of system parameters: 80 KB 182 183#### Description of System Parameter Tags 184 185The init process creates the corresponding shared memory mapping file in the **/dev/__parameters__/** directory based on the system parameter tag. The shared memory is used to store the system parameters bound to the tag. 186 187Example of a shared memory file: 188 189``` 190-rwxr-xr-- 1 root root 30720 2017-08-10 16:22 u:object_r:default_param:s0 191-rwxr-xr-- 1 root root 1024 2017-08-10 16:22 u:object_r:devinfo_private_param:s0 192-rwxr-xr-- 1 root root 30720 2017-08-10 16:22 u:object_r:devinfo_public_param:s0 193-rwxr-xr-- 1 root root 40960 2017-08-10 16:22 u:object_r:hilog_param:s0 194``` 195 196The system parameter tags are defined in the **/base/security/selinux_adapter/sepolicy/base/public/parameter.te** file. 197 198System parameter tag definition: 199 200``` 201type default_param, parameter_attr; 202type devinfo_private_param, parameter_attr; 203type devinfo_public_param, parameter_attr; 204type hilog_param, parameter_attr; 205``` 206 207The mappings between system parameter tags and system parameters are defined in the **/base/security/selinux_adapter/sepolicy/base/public/parameter_contexts** file. 208 209The following uses the **hilog_param** tag as an example: 210 211``` 212hilog. u:object_r:hilog_param:s0 # System parameters with the hilog. prefix are stored in the shared memory corresponding to the hilog_param tag. 213persist.sys.hilog. u:object_r:hilog_param:s0 # System parameters with the persist.sys.hilog. prefix are also stored in the shared memory corresponding to the hilog_param tag. 214``` 215 216### Checking Shared Memory Usage of System Parameters 217 218You can run the **param dump [verbose]** command to query the shared memory usage of system parameters. 219 220The following is an example of the query result: 221 222``` 223Dump all parameters begin ... 224Local security information 225pid: 1612 uid: 0 gid: 0 226map file: u:object_r:default_param:s0 // Name of the system parameter tag (name of the shared memory mapping file) 227total size: 10485720 // Size of the system parameter tag file (size of the shared memory mapped to the tag) 228first offset: 0 // Offset of the first parameter node 229current offset: 15948 // Offset of the current parameter node 230total node: 242 // Total number of nodes in the tag 231total param node: 219 // Total number of parameter nodes 232total security node: 0 // Number of SELinux nodes 233commitId : 26 // 234commitPersistId : 0 // 235node info: // Information about all nodes under the tag 236... ... 237``` 238 239### System Parameter Loading 240 241The following table describes the sequence of loading system parameters. 242 243| Category| Path| Description| 244| -------- | -------- | -------- | 245| Kernel parameters | /proc/cmdline | Convert some values of kernel parameters into system parameters. Specifically, convert all **ohospara.xxx=valXXX** parameters to **ohos.boot.xxx=valXXX** parameters.| 246| OS system parameters| /system/etc/param/ohos_const/*.para | Load the definition file containing OS constants preferentially. | 247| Vendor parameters| /vendor/etc/param/*.para | Load the system parameters defined by vendors with the secondary priority. | 248| System parameters| /system/etc/param/*.para | Load the parameters defined by each subsystem. If a system parameter already exists, ignore it.| 249| Persistent parameters| /data/parameters/ | If persistent parameters exist, load them at last. Persistent parameters will overwrite the default system parameters that have been loaded.| 250 251### Parameter and Tag Viewing 252 253Currently, parameter and tag statistics are recorded in the database by subsystem and component. You can set up the [OpenHarmony real-time architecture information collection and analysis system](https://gitee.com/handyohos/ohos_archinfo/tree/master) to view the statistics. 254 255For details about how to set up the system, see the [Analyser Module](https://gitee.com/handyohos/ohos_archinfo/blob/master/analyser/README.md) for OpenHarmony real-time architecture information analysis. 256 257For details about how to collect database information, see the [Collector Module](https://gitee.com/handyohos/ohos_archinfo/tree/master#/handyohos/ohos_archinfo/blob/master/collector/README.md) for OpenHarmony real-time architecture information collection. 258 259You can also obtain the database from the daily dayu200-db build. 260 261### Basic System Parameter Operations 262 263Operation primitives for system parameters 264 265 266 267Description of operation primitives 268 269| Function| Description| 270| -------- | -------- | 271| get | Obtains the value of a system parameter. | 272| set | Sets the value of a system parameter. | 273| wait | Waits for value change of a system parameter synchronously.| 274| watch | Observes value change of a system parameter asynchronously.| 275 276### Constraints 277 278The service management module is available only for the mini system and standard system. 279 280## How to Develop 281 282### Overview 283 284You can set specific system parameters as needed to meet your service demand. 285 286### APIs 287 288- Shell commands 289 290 You can manage system parameters by using shell commands. This operation mode is available only for the standard system. The following table lists the shell commands. 291 292 **Table 6** Description of shell commands 293 294 | Function| Description| 295 | -------- | -------- | 296 | param get [**key**] | Obtains the system parameter value of the specified key. If no key name is specified, all system parameter values will be returned.| 297 | param set **key value** | Sets the specified value for the specified key.| 298 | param wait **key** **value** | Waits for the system parameter value of the specified key to match the specified value. Fuzzy match is supported. For example, <strong>*</strong> indicates any value, and <strong>val*</strong> indicates matching of only the first three val characters.| 299 300- syspara APIs 301 302 The following table lists the APIs used to obtain system parameter values. The return result is a const string and the free operation is not supported. 303 304 **Table 7** Description of syspara APIs 305 306 | API| Description| 307 | -------- | -------- | 308 | int GetParameter(const char\* key, const char\* def, char\* value, unsigned int len) | Obtains system parameters.| 309 | int SetParameter(const char\* key, const char\* value) | Sets or updates system parameters.| 310 | const char\* GetDeviceType(void) | Obtains the device type.| 311 | const char\* GetManufacture(void) | Obtains the device manufacturer.| 312 | const char\* GetBrand(void) | Obtains the device brand.| 313 | const char\* GetMarketName(void) | Obtains the device marketing name.| 314 | const char\* GetProductSeries(void) | Obtains the device series name.| 315 | const char\* GetProductModel(void) | Obtains the device authentication model.| 316 | const char\* GetSoftwareModel(void) | Obtains the device software model.| 317 | const char\* GetHardwareModel(void) | Obtains the device hardware model.| 318 | const char\* GetHardwareProfile(void) | Obtains the device hardware profile.| 319 | const char\* GetSerial(void) | Obtains the device serial number (SN).| 320 | const char\* GetOSFullName(void) | Obtains the operating system name.| 321 | const char\* GetDisplayVersion(void) | Obtains the software version visible to users.| 322 | const char\* GetBootloaderVersion(void) | Obtains the bootloader version of this device.| 323 | const char\* GetSecurityPatchTag(void) | Obtains the security patch tag.| 324 | const char\* GetAbiList(void) | Obtains the list of application binary interfaces (ABIs) supported on this device.| 325 | int GetSdkApiVersion(void) | Obtains the SDK API level that matches the current system software.| 326 | int GetFirstApiVersion(void) | Obtains the first SDK API level of the system software.| 327 | const char\* GetIncrementalVersion(void) | Obtains the incremental version.| 328 | const char\* GetVersionId(void) | Obtains the version ID.| 329 | const char\* GetBuildType(void) | Obtains the build type.| 330 | const char\* GetBuildUser(void) | Obtains the build account user name.| 331 | const char\* GetBuildHost(void) | Obtains the build host name.| 332 | const char\* GetBuildTime(void) | Obtains the build time.| 333 | const char\* GetBuildRootHash(void) | Obtains the buildroot hash value of this version.| 334 | const char\* GetOsReleaseType(void) | Obtains the system release type.| 335 | int GetDevUdid(char \*udid, int size) | Obtains the device identifier (UDID).| 336 | const char *AclGetSerial(void) | Obtains the device SN (with ACL check).| 337 | int AclGetDevUdid(char *udid, int size) | Obtains the UDID (with ACL check).| 338 339### Procedure 340 3411. System parameter definition 342 343 You can define default system parameters and implement permission control on them by configuring the subsystem or product **.para** and **.para.dac** files. 344 345 On a standard system, use the **ohos_prebuilt_para** template to install the configuration file to the **/etc/param/** directory. The following is an example of the GN script: 346 347 ```go 348 import("//base/startup/init/services/etc/param/param_fixer.gni") 349 350 ohos_prebuilt_para("ohos.para") { 351 source = "//base/startup/init/services/etc/ohos.para" 352 part_name = "init" 353 module_install_dir = "etc/param" 354 } 355 356 ohos_prebuilt_para("ohos.para.dac") { 357 source = "//base/startup/init/services/etc/ohos.para.dac" 358 part_name = "init" 359 module_install_dir = "etc/param" 360 } 361 ``` 362 363 On a small system, run the **copy** command to copy the corresponding system parameter definition file to the **system/etc/param** directory. 364 ```go 365 copy("ohos.para") { 366 sources = [ "//base/startup/init/services/etc/param/ohos.para" ] 367 outputs = [ "$root_out_dir/system/etc/param/ohos.para" ] 368 } 369 copy("ohos.para.dac") { 370 sources = [ "//base/startup/init/services/etc/param/ohos.para.dac" ] 371 outputs = [ "$root_out_dir/system/etc/param/ohos.para.dac" ] 372 } 373 ``` 374 On a mini system, convert all defined default system parameters into header files through **action** and compile them into the system. 375 ```go 376 action("lite_const_param_to") { 377 script = "//base/startup/init/scripts/param_cfg_to_code.py" 378 args = [ 379 "--source", 380 rebase_path( 381 "//base/startup/init/services/etc_lite/param/ohos_const/ohospara"), 382 "--dest_dir", 383 rebase_path("$root_out_dir/gen/init/"), 384 "--priority", 385 "0", 386 ] 387 outputs = [ "$target_gen_dir/${target_name}_param_cfg_to_code.log" ] 388 } 389 ``` 3902. Development example 391 392 ``` 393 // set && get 394 char key1[] = "rw.sys.version"; 395 char value1[] = "10.1.0"; 396 int ret = SetParameter(key1, value1); 397 char valueGet1[128] = {0}; 398 ret = GetParameter(key1, "version=10.1.0", valueGet1, 128); 399 400 // get sysparm 401 char* value1 = GetDeviceType(); 402 printf("Product type =%s\n", value1); 403 404 char* value2 = GetManufacture(); 405 printf("Manufacture =%s\n", value2); 406 407 char* value3 = GetBrand(); 408 printf("GetBrand =%s\n", value3); 409 410 char* value4 = GetMarketName(); 411 printf("MarketName =%s\n", value4); 412 413 char* value5 = GetProductSeries(); 414 printf("ProductSeries =%s\n", value5); 415 416 char* value6 = GetProductModel(); 417 printf("ProductModel =%s\n", value6); 418 419 char* value7 = GetSoftwareModel(); 420 printf("SoftwareModel =%s\n", value7); 421 422 char* value8 = GetHardwareModel(); 423 printf("HardwareModel =%s\n", value8); 424 425 char* value9 = GetHardwareProfile(); 426 printf("Software profile =%s\n", value9); 427 428 char* value10 = GetSerial(); 429 printf("Serial =%s\n", value10); 430 431 char* value11 = GetOSFullName(); 432 printf("OS name =%s\n", value11); 433 434 char* value12 = GetDisplayVersion(); 435 printf("Display version =%s\n", value12); 436 437 char* value13 = GetBootloaderVersion(); 438 printf("bootloader version =%s\n", value13); 439 440 char* value14 = GetSecurityPatchTag(); 441 printf("secure patch level =%s\n", value14); 442 443 char* value15 = GetAbiList(); 444 printf("abi list =%s\n", value15); 445 446 int value16 = GetFirstApiVersion(); 447 printf("first api level =%d\n", value16); 448 449 char* value17 = GetIncrementalVersion(); 450 printf("Incremental version = %s\n", value17); 451 452 char* value18 = GetVersionId(); 453 printf("formal id =%s\n", value18); 454 455 char* value19 = GetBuildType(); 456 printf("build type =%s\n", value19); 457 458 char* value20 = GetBuildUser(); 459 printf("build user =%s\n", value20); 460 461 char* value21 = GetBuildHost(); 462 printf("Build host = %s\n", value21); 463 464 char* value22 = GetBuildTime(); 465 printf("build time =%s\n", value22); 466 467 char* value23 = GetBuildRootHash(); 468 printf("build root later..., %s\n", value23); 469 470 char* value24 = GetOsReleaseType(); 471 printf("OS release type =%s\n", value24); 472 473 char* value25 = GetOsReleaseType(); 474 printf("OS release type =%s\n", value25); 475 476 char value26[65] = {0}; 477 GetDevUdid(value26, 65); 478 printf("device udid =%s\n", value26); 479 ``` 480### System Parameter Error Codes 481 482**Description of system parameter error codes** 483 484| Enum | Value| Description | 485| -------------------------------- | ------ | ----------------------------------------- | 486| PARAM_CODE_ERROR | -1 | System error. | 487| PARAM_CODE_SUCCESS | 0 | Operation success. | 488| PARAM_CODE_INVALID_PARAM | 100 | Empty input parameter of the system parameter API. | 489| PARAM_CODE_INVALID_NAME | 101 | Invalid length or invalid characters in the system parameter key. | 490| PARAM_CODE_INVALID_VALUE | 102 | Invalid length or invalid characters in the system parameter value. | 491| PARAM_CODE_REACHED_MAX | 103 | Number of tree nodes reaching the maximum. | 492| PARAM_CODE_NOT_SUPPORT | 104 | API not supported. | 493| PARAM_CODE_TIMEOUT | 105 | Server access timed out. | 494| PARAM_CODE_NOT_FOUND | 106 | Parameter not found. | 495| PARAM_CODE_READ_ONLY | 107 | System parameter read-only. | 496| PARAM_CODE_IPC_ERROR | 108 | IPC communication error. | 497| PARAM_CODE_NODE_EXIST | 109 | System parameter node already exists. | 498| PARAM_WATCHER_CALLBACK_EXIST | 110 | Watcher callback repeatedly added. | 499| PARAM_WATCHER_GET_SERVICE_FAILED | 111 | Failed to obtain the service for watcher. | 500| PARAM_CODE_MEMORY_MAP_FAILED | 112 | Failed to create the shared memory mapping for a file. | 501| PARAM_WORKSPACE_NOT_INIT | 113 | Workspace not initialized. | 502| PARAM_CODE_FAIL_CONNECT | 114 | Failed to connect to paramServer. | 503| PARAM_CODE_MEMORY_NOT_ENOUGH | 115 | Insufficient system parameter space. | 504| DAC_RESULT_INVALID_PARAM | 1000 | Unused code, which defines the start value of permission errors. | 505| DAC_RESULT_FORBIDED | 1001 | DAC permission disabled. | 506| SELINUX_RESULT_FORBIDED | 1002 | SELinux permission disabled. | 507| PARAM_CODE_MAX | 1003 | Maximum enum value. | 508 509**Key Logs for Locating Errors** 510 511- system parameter set: 512 513 SetParameter failed! the errNum is: xx! 514 515 SystemSetParameter failed! name is : xxx, errNum is: xx! 516 517- system parameter get: 518 519 GetParameter_ failed! the errNum is: xx! 520 521 SystemReadParam failed! name is: xxxx, errNum is: xx! 522 523- system parameter wait: 524 525 WaitParameter failed! the errNum is: xx! 526 527 SystemWaitParameter failed! name is: xxx, errNum is: xx! 528 529- system parameter Watcher: 530 531 WatchParameter failed! the errNum is xx! 532 533 SystemWatchParameter is failed! keyPrefix is:xxx, errNum is:xx! 534 535## FAQs 536 537### How to Set a System Parameter 538 5391. On the shell side, run **hdc shell** to launch the shell CLI of the device, and then run **param set param.key.***system parameter key* param.value.*system parameter value* to set the system parameter. If the operation is successful, no further processing is required. 540 5412. On the application side, call **SetParameter** to set the system parameter. For details, see [APIs](#apis). 542 5433. If **param set** fails, locate the fault based on the log. 544 545 - If the fault is due to insufficient DAC permissions, declare the required permissions by referring to [DAC Permission Configuration](#dac-permission-configuration). 546 547 - If the fault is due to insufficient SELinux permissions, grant the required permissions by referring to the **avc: denied** alarm information. 548 549 - If the fault is due to insufficient memory, expand the memory by referring to [System Parameter Tag Configuration](#system-parameter-tag-configuration). 550 551### How to Read a System Parameter 552 5531. On the shell side, run **hdc shell** to launch the shell CLI of the device, and then run **param get param.key.***system parameter key* to obtain the system parameter. If the operation is successful, no further processing is required. 554 5552. On the application side, call **GetParameter** to obtain the system parameter. For details, see [APIs](#apis). 556 5573. If **param get** fails, locate the fault based on the log. 558 559 Check whether the parameter has been set. If yes, go to the next step. If no, set the system parameter. 560 561 If the fault is due to insufficient DAC permissions, declare the required permissions by referring to [DAC Permission Configuration](#dac-permission-configuration). 562 563 If the fault is due to insufficient SELinux permissions, grant the required permissions by referring to the **avc: denied** alarm information. 564 565### How to Subscribe to System Parameter Changes 566 5671. On the shell side, run **hdc shell** to launch the shell CLI of the device, and then run **param shell** to switch to the parameter shell CLI. Run **watcher parameter param.key.***system parameter key* to subscribe to changes of the system parameter. If there is a change in the system parameter, a message similar to "Receive parameter commit 691 change aaa.aaa 11111" is received. 568 5692. On the application side, call **WatchParameter** to subscribe to changes of the system parameter. For details, see [APIs](#apis). 570 5713. If **watcher parameter** fails, locate the fault based on the log. 572 573 If the fault is due to insufficient DAC permissions, declare the required permissions by referring to [DAC Permission Configuration](#dac-permission-configuration). 574 575 If the fault is due to insufficient SELinux permissions, grant the required permissions by referring to the **avc: denied** alarm information. 576 577### How to Enable Third-Party Applications to Access System Parameters 578 579The default DAC rules grant only the **get** and **watch** permissions for third-party applications. If a third-party application requires the **set** permission, you need to reset DAC rules. In addition, SELinux permissions of third-party applications are left unspecified by default. If needed, set the SELinux permissions by referring to the [MAC Permission Configuration](#mac-permission-configuration). 580 581<!--no_check-->
