diff --git a/sepolicy/base/public/domain.te b/sepolicy/base/public/domain.te index 4fc2fa1ed7cf407f5e963ca1404fb68f5976e180..be16cd358dd492a5dbdc0d5b7714a90903274595 100644 --- a/sepolicy/base/public/domain.te +++ b/sepolicy/base/public/domain.te @@ -101,7 +101,7 @@ neverallow { domain -init -appspawn -nwebspawn -cjappspawn -nativespawn -rgm_vio # /data/local/tmp dir using for debug. neverallow { domain -data_local_tmp_violator_dir developer_only(`-wukong -atm -snapshot_display -bm -mediatool -perftest') -hdcd -SP_daemon -installs -init -hiprofilerd -hiprofiler_plugins -native_daemon -hiperf -bytrace -hitrace debug_only(`-hiprofiler_cmd -hiebpf -camera_host -snapshot_display -aa -bm') -sh -uitest updater_only(`-updater') } data_local_tmp:dir never_write_dir; -neverallow { domain developer_only(`-wukong -atm -lldb_server -appspawn -snapshot_display -hiprofiler_cmd -bm -processdump -data_local_tmp_violator_dir -mediatool -perftest') -hdcd -SP_daemon -hap_domain -init -installs -foundation -sh -hiprofilerd -hiprofiler_plugins -hiperf -native_daemon -bytrace -hitrace debug_only(`-hiprofiler_cmd -hiebpf -camera_host -snapshot_display -aa -bm') -uitest updater_only(`-updater') -violator_sa_domain_data_local_tmp -violator_lldb_data_local_tmp } data_local_tmp:dir { open search }; +neverallow { domain -storage_daemon developer_only(`-wukong -atm -lldb_server -appspawn -snapshot_display -hiprofiler_cmd -bm -processdump -data_local_tmp_violator_dir -mediatool -perftest') -hdcd -SP_daemon -hap_domain -init -installs -foundation -sh -hiprofilerd -hiprofiler_plugins -hiperf -native_daemon -bytrace -hitrace debug_only(`-hiprofiler_cmd -hiebpf -camera_host -snapshot_display -aa -bm') -uitest updater_only(`-updater') -violator_sa_domain_data_local_tmp -violator_lldb_data_local_tmp } data_local_tmp:dir { open search }; # only samgr can be binder manager. neverallow { domain -samgr } *:binder set_context_mgr; 
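Review bot: The `-storage_daemon` exemption added to the `data_local_tmp:dir { open search }` neverallow has no companion rule bounding what storage_daemon may do on that type. The hilogd, hitrace, access_token and module_update files in this same commit each pair their exemption with a `~{ ... }` neverallow. The exemption also sits outside the `developer_only`/`debug_only` groups, so it holds on every build type. The `never_write_dir` rule on the line above still applies to storage_daemon, but for consistency consider adding `neverallow storage_daemon data_local_tmp:dir ~{ getattr read open search };` directly after the changed line, provided no existing allow for storage_daemon conflicts with it.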
diff --git a/sepolicy/ohos_policy/filemanagement/storage_service/system/storage_daemon.te b/sepolicy/ohos_policy/filemanagement/storage_service/system/storage_daemon.te index 959db241eb40c09543d9b3e33b6aded8dfbf5a78..7950e0ec22524d03cc29d3c51a07c2fc5c796204 100644 --- a/sepolicy/ohos_policy/filemanagement/storage_service/system/storage_daemon.te +++ b/sepolicy/ohos_policy/filemanagement/storage_service/system/storage_daemon.te @@ -43,6 +43,12 @@ allow storage_daemon domain:dir { search read open }; allow storage_daemon domain:lnk_file { read }; allow storage_daemon domain:process { sigkill }; +allow storage_daemon data_file_attr:dir { getattr read open search }; +allow storage_daemon data_file_attr:file { getattr }; +allow storage_daemon data_file_attr:lnk_file { getattr }; +allow storage_daemon data_file_attr:fifo_file { getattr }; +allow storage_daemon data_file_attr:sock_file { getattr }; + #avc: denied { call } for pid=255 comm="storage_daemon" scontext=u:r:storage_daemon:s0 tcontext=u:r:accesstoken_service:s0 tclass=binder permissive=1 allow storage_daemon accesstoken_service:binder { call }; diff --git a/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te b/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te index 035115ca077dd88a0627e2746a2880286864492a..e0ab495f03781c42852a36084b3368e7ac140053 100644 --- a/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te +++ b/sepolicy/ohos_policy/hiviewdfx/hilog/system/hilogd.te @@ -92,6 +92,7 @@ neverallow * hilogd:process dyntransition; # protect persist tmp file and info file neverallow { domain + -storage_daemon -installs developer_only(`-wukong') developer_only(`-hiprofiler_plugins') @@ -104,6 +105,8 @@ neverallow { updater_only(`-hiview_light') } data_hilogd_file:file { rw_file_perms }; +neverallow storage_daemon data_hilogd_file:file ~{ getattr }; + # shell can read but cannot write hilogd files neverallow { domain -hilogd -installs } data_hilogd_file:file { append create rename setattr write }; 
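Review bot: The five new `allow` rules in the storage_daemon.te hunk target the attribute `data_file_attr`, so storage_daemon gains directory listing (`read open search`) and `getattr` on every type that carries the attribute now or is given it later. Only the types touched elsewhere in this commit (hilogd, hitrace, access token, module update) get a bounding neverallow. The block also has no comment, whereas the rule right after it records the avc denial that motivated it. Add a comment above the block saying why storage_daemon needs metadata access across all data types and that content access is deliberately excluded, for example `# storage_daemon: directory traversal and getattr only on data_file_attr types, no file content access` (wording for the author to confirm, since the purpose is not visible in the diff). Directory `read` exposes entry names in every such directory, which that comment should state as an accepted trade-off.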
diff --git a/sepolicy/ohos_policy/hiviewdfx/hitrace/public/hitrace.te b/sepolicy/ohos_policy/hiviewdfx/hitrace/public/hitrace.te index 4400fa06be7242aa9d770ef4ef289132f97d698e..f6fc2a3ad0144312bac5fbf18c8d6068c285627a 100644 --- a/sepolicy/ohos_policy/hiviewdfx/hitrace/public/hitrace.te +++ b/sepolicy/ohos_policy/hiviewdfx/hitrace/public/hitrace.te @@ -13,8 +13,10 @@ neverallow { domain -hitrace -bytrace -hiview -hiprofiler_plugins } hitrace_param:parameter_service set; -neverallow { domain -hitrace -bytrace -hiview -updater -init } data_log_hitrace:dir { add_name open read search watch write create remove_name getattr }; -neverallow { domain -hitrace -bytrace -hiview -updater -init } data_log_hitrace:file { create getattr lock map open read write unlink rename append ioctl }; +neverallow { domain -storage_daemon -hitrace -bytrace -hiview -updater -init } data_log_hitrace:dir { add_name open read search watch write create remove_name getattr }; +neverallow storage_daemon data_log_hitrace:dir ~{ getattr read open search }; +neverallow { domain -storage_daemon -hitrace -bytrace -hiview -updater -init } data_log_hitrace:file { create getattr lock map open read write unlink rename append ioctl }; +neverallow storage_daemon data_log_hitrace:file ~{ getattr }; neverallow { domain -hiview -updater } data_log_hitrace:fifo_file { create read write open unlink }; allow hitrace_param tmpfs:filesystem { associate }; diff --git a/sepolicy/ohos_policy/security/access_token/system/neverallow.te b/sepolicy/ohos_policy/security/access_token/system/neverallow.te index 8be5be8727259221d431b9af896ab4df9d2d2541..3ebce8c0ba5b0321301071d441dbb052fcc13ca2 100644 --- a/sepolicy/ohos_policy/security/access_token/system/neverallow.te +++ b/sepolicy/ohos_policy/security/access_token/system/neverallow.te 
@@ -11,8 +11,10 @@ # See the License for the specific language governing permissions and # limitations under the License. -neverallow { domain -accesstoken_service -init -privacy_service -accesstoken_data_file_violator_dir updater_only(`-updater') } accesstoken_data_file:dir *; -neverallow { domain -accesstoken_service -init -privacy_service -accesstoken_data_file_violator_file updater_only(`-updater') } accesstoken_data_file:file *; +neverallow { domain -storage_daemon -accesstoken_service -init -privacy_service -accesstoken_data_file_violator_dir updater_only(`-updater') } accesstoken_data_file:dir *; +neverallow storage_daemon accesstoken_data_file:dir ~{ getattr read open search }; +neverallow { domain -storage_daemon -accesstoken_service -init -privacy_service -accesstoken_data_file_violator_file updater_only(`-updater') } accesstoken_data_file:file *; +neverallow storage_daemon accesstoken_data_file:file ~{ getattr }; neverallow accesstoken_service accesstoken_data_file:dir ~{ create search add_name open read write remove_name ioctl }; neverallow accesstoken_service accesstoken_data_file:file ~{ open read getattr ioctl lock write create unlink map setattr }; diff --git a/sepolicy/ohos_policy/update/module_update/system/domain.te b/sepolicy/ohos_policy/update/module_update/system/domain.te index 44ebb53ab17b15d55040730c66bf81269196bde8..13d63d8a150b95472efa19a7b5c2c3e7e545befb 100644 --- a/sepolicy/ohos_policy/update/module_update/system/domain.te +++ b/sepolicy/ohos_policy/update/module_update/system/domain.te 
@@ -11,8 +11,10 @@ # See the License for the specific language governing permissions and # limitations under the License. -neverallow { domain -init -module_update_service -module_update_file_violator_file_dir updater_only(`-updater') } { data_module_update +neverallow { domain -storage_daemon -init -module_update_service -module_update_file_violator_file_dir updater_only(`-updater') } { data_module_update data_module_update_package system_module_update_file }:{ file dir } *; +neverallow storage_daemon { data_module_update data_module_update_package system_module_update_file }:file ~{ getattr }; +neverallow storage_daemon { data_module_update data_module_update_package system_module_update_file }:dir ~{ getattr read open search }; # sa process which support module update should add itself here neverallow { domain -init -module_update_service -foundation -module_update_binary_file_violator_file_dir } { module_update_file
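Review bot: The `-storage_daemon` exemption and the two new bounding rules cover `system_module_update_file` together with the two `data_module_update*` types, while the grant this commit adds in storage_daemon.te is on `data_file_attr` only. Whether `system_module_update_file` carries that attribute is not visible here; if it does not, storage_daemon has no allow on it and the exemption only weakens the original `*` neverallow for that type. In that case keep `system_module_update_file` in a separate rule whose source set does not exclude storage_daemon, and limit the exemption and the two `~{ ... }` rules to `data_module_update` and `data_module_update_package`. The last neverallow shown continues past the end of the hunk.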