diff --git a/sepolicy/base/public/parameter.te b/sepolicy/base/public/parameter.te
index e3f56fd797b8d037f2f714bf5127e02ddfc77f5f..93d985097c6cf55359e6606567c2bc31655f3b4c 100644
--- a/sepolicy/base/public/parameter.te
+++ b/sepolicy/base/public/parameter.te
@@ -69,6 +69,7 @@ type print_param, parameter_attr;
 type i18n_param, parameter_attr;
 type const_i18n_param, parameter_attr;
 type hichecker_writable_param, parameter_attr;
+type webengine_param, parameter_attr;
 # avc: denied { relabelfrom } for pid=1 comm="init" path="/dev/__paramerters__/u:object_r:hilog_private_param:s0" dev=""ino=218 scontext=u:r:init:s0 tcontext=u:object_r:hilog_private_param:s0 tclass=file permissive=0
 allow init parameter_attr:file { relabelto relabelfrom };
 allow parameter_attr tmpfs:filesystem associate;
diff --git a/sepolicy/base/public/parameter_contexts b/sepolicy/base/public/parameter_contexts
index ed891581804a8deb6f0eb41486fa31789ac8927d..d3fb87108730c35b20f8d180280856118ef63721 100644
--- a/sepolicy/base/public/parameter_contexts
+++ b/sepolicy/base/public/parameter_contexts
@@ -75,3 +75,4 @@ accesstoken.permission. u:object_r:accesstoken_perm_param:s0
 persist.bluetooth. u:object_r:bluetooth_param:s0
 persist.global. u:object_r:i18n_param:s0
 const.global. u:object_r:const_i18n_param:s0
+web.engine. u:object_r:webengine_param:s0
\ No newline at end of file
diff --git a/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te b/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te
index e4261689c3f400d6e73f148663b16c9d98a0266f..50ee43056564ca8a93c64a6b3219669e76591696 100644
--- a/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te
+++ b/sepolicy/ohos_policy/startup/appspawn/system/appspawn.te
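Review bot: The added `web.engine. u:object_r:webengine_param:s0` entry in parameter_contexts is written without a terminating newline (`\ No newline at end of file`), while the `const.global.` context line before it still had one, so the commit changes how the file ends. Any later entry appended to parameter_contexts without checking the last byte would run onto this line and corrupt the mapping; terminate the new entry with a newline so every prefix stays on its own line.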
@@ -260,3 +260,9 @@ allow appspawn dev_kmsg_file:chr_file { open write }; # for create hybridspawn socket allow appspawn init:unix_stream_socket { accept getattr getopt listen }; + +# avc: denied { set } for parameter=web.engine.default pid=10001 uid=0 gid=0 scontext=u:r:appspawn:s0 tcontext=u:object_r:default_param:s0 tclass=parameter_service permissive=0 +# avc: denied { set } for parameter=web.engine.enforce pid=10001 uid=0 gid=0 scontext=u:r:appspawn:s0 tcontext=u:object_r:default_param:s0 tclass=parameter_service permissive=0 +allow appspawn webengine_param:parameter_service { set }; +allow { hap_domain isolated_render appspawn init isolated_gpu } webengine_param:file { map open read }; +
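Review bot: The last added allow rule grants every domain carrying the `hap_domain` attribute, plus `isolated_render` and `isolated_gpu`, `map open read` on `webengine_param`, which after this commit's parameter_contexts change covers every parameter under the `web.engine.` prefix including any added later, yet nothing in the hunk records why all application domains need it; a one-line comment above the rule naming the consumers would help the next audit, e.g. `# web.engine.* is readable by every app process, so nothing sensitive may live under this prefix`. Likewise `allow appspawn webengine_param:parameter_service { set };` lets appspawn set the whole prefix, not only the `web.engine.default` and `web.engine.enforce` parameters named in the avc comments, which is acceptable only if appspawn is the intended owner of every `web.engine.*` parameter. The quoted denials show `tcontext=u:object_r:default_param:s0`, the label these parameters had before the parameter_contexts entry in this same commit; after it they are labeled `webengine_param`, so the comment could say so to avoid confusing a reader who reproduces the denial. As a point of style, the rule for `init`, `hap_domain` and the isolated domains sits in appspawn.te; if this policy tree keeps each domain's rules in its own .te file, that line may belong elsewhere.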