diff --git a/sepolicy/base/public/domain.te b/sepolicy/base/public/domain.te
index fbed8a72bdf043ffb7f3e1ff78f1593e5c06a535..cea2efdda187dc3de76710c18b65c7a1a6d8bb93 100644
--- a/sepolicy/base/public/domain.te
+++ b/sepolicy/base/public/domain.te
@@ -238,7 +238,7 @@ neverallow { domain -init } debugfs:{ file lnk_file } never_rw_file;
 neverallow { domain -init -appspawn -nwebspawn -normal_hap_attr } { system_file_attr vendor_file_attr }:dir_file_class_set mounton;
 neverallow { domain -kernel -hap_domain -locationhub
- -sh debug_only(`-hdcd') -audio_host } data_file:file never_write_file;
+ -sh debug_only(`-hdcd') -audio_host -netmanager } data_file:file never_write_file;
 neverallow { domain -hdcd -hap_domain -sh -hiprofilerd -native_daemon -hiprofiler_plugins -hiperf -bytrace -hitrace debug_only(`-hiprofiler_cmd -hiebpf') } data_local_tmp:file open;
diff --git a/sepolicy/base/public/hap_domain.te b/sepolicy/base/public/hap_domain.te
index 0b437956880d5424958b46b114bf888bcceb5309..fa706a2bc134ecad7992a8ee02f84b0323d0166f 100644
--- a/sepolicy/base/public/hap_domain.te
+++ b/sepolicy/base/public/hap_domain.te
@@ -72,7 +72,7 @@ neverallow hap_domain dev_attr:blk_file { read write };
 #limit hap access dev file.
 neverallow hap_domain { dev_attr -dev_ashmem_file -dev_at_file -dev_binder_file -dev_dri_file -dev_file -dev_null_file -dev_random_file -dev_zero_file
- -dev_unix_socket_file -dev_mali -tty_device -dev_fuse_file -dev_bbox }:chr_file { open ioctl read write};
+ -dev_unix_socket_file -dev_mali -tty_device -dev_fuse_file -dev_tun_file -dev_bbox }:chr_file { open ioctl read write};
 neverallow hap_domain dev_bbox:chr_file { read };
 neverallowxperm hap_domain dev_bbox:chr_file ioctl ~{ 0xab01 0xab04 0xab09 0xad01 0xaf04 0xaf06 };
 neverallow { hap_domain -dev_fuse_file_violator } dev_fuse_file:chr_file { open ioctl read write};
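Review bot: Exempting `netmanager` from the `data_file:file never_write_file` neverallow lifts the guard for every file carrying the generic `data_file` label, not just whatever VPN state this change needs; the companion `allow netmanager data_file:file { read write };` in netmanager.te, `allow netsysnative data_file:sock_file { write };` in netsysnative.te and the `data_file:dir` / `data_file:sock_file` rules in system_basic_hap.te all lean on the same broad type. A dedicated type for the VPN socket/config path, assigned in the file contexts and used in place of `data_file` in those allows, would let this neverallow stay untouched and keep the new access scoped to that path. If a dedicated label is not feasible right now, a comment on the exemption naming what needs it would at least record the widening, e.g. `# netmanager: writes VPN state under <path-placeholder>; TODO move to a dedicated type`. The neverallow being edited starts on a context line inside the hunk, so the whole statement is visible.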
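Review bot: Adding `-dev_tun_file` to the exclusion set removes the tun device from the hap neverallow altogether, so base policy no longer forbids any `hap_domain` member from `open` or `ioctl` on it, while the allow rules elsewhere in this change only give `system_basic_hap` `{ read write }` on a descriptor it receives from netsysnative. The last line of the hunk already shows the narrower pattern used for the fuse device; the same shape here would be `neverallow hap_domain dev_tun_file:chr_file { open ioctl };` plus `neverallow { hap_domain -system_basic_hap } dev_tun_file:chr_file { read write };`, which matches the access actually granted. A short comment above the exclusion, e.g. `# dev_tun_file: system_basic_hap may read/write a tun fd handed over by netsysnative`, would document why the device left the set.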
diff --git a/sepolicy/ohos_policy/communication/netmanager/system/netmanager.te b/sepolicy/ohos_policy/communication/netmanager/system/netmanager.te
index 41f0f8bc3e025eec0fa99623c488ebbf30254db4..967caa3f2298a95a6ea0f3eac8283886cd2d2f32 100644
--- a/sepolicy/ohos_policy/communication/netmanager/system/netmanager.te
+++ b/sepolicy/ohos_policy/communication/netmanager/system/netmanager.te
@@ -53,6 +53,9 @@ allow netmanager telephony_sa:binder { call };
 allow netmanager time_service:binder { call };
 allow netmanager wifi_manager_service:binder { call transfer };
 allow netmanager sa_comm_net_tethering_manager_service:samgr_class { add };
+allow netmanager sa_comm_vpn_manager_service:samgr_class { add };
+allow netmanager sa_accountmgr:samgr_class { get };
+allow netmanager sa_foundation_bms:samgr_class { get };
 allow netmanager sa_net_conn_manager:samgr_class { get };
 allow netmanager sa_wifi_hotspot_ability:samgr_class { get };
 allow netmanager sa_wifi_p2p_ability:samgr_class { get };
@@ -60,7 +63,10 @@ allow netmanager sa_wifi_scan_ability:samgr_class { get };
 allow netmanager sa_wifi_device_ability:samgr_class { get };
 allow netmanager sa_bluetooth_server:samgr_class { get };
 allow netmanager bluetooth_service:binder { call transfer };
+allow netmanager data_file:file { read write };
+allow netmanager accountmgr:binder { call };
 allow system_core_hap sa_comm_net_tethering_manager_service:samgr_class { get };
+allow sh sa_comm_vpn_manager_service:samgr_class { get };
 allow sh sa_comm_net_tethering_manager_service:samgr_class { get };
 allow sh netmanager:binder { call transfer };
 allow netmanager kernel:system { module_request };
@@ -68,6 +74,7 @@ allow netmanager accessibility_param:file { read open map };
 allow netmanager fwmark_service:sock_file { write };
 allow netmanager dnsproxy_service:sock_file { write };
 allow netmanager netmanager:process { setfscreate };
+allow accountmgr netmanager:binder { transfer };
 allow netmanager usb_service:binder { call };
 allow netmanager sa_usb_service:samgr_class { get };
 allow init configfs:dir { rmdir };
diff --git a/sepolicy/ohos_policy/communication/netmanager/system/netsysnative.te b/sepolicy/ohos_policy/communication/netmanager/system/netsysnative.te
index 39e1ffab55b019f7adc8599dfeea7fa0edc42875..4f22408111a9b1661e68b82aececa794cc395e36 100644
--- a/sepolicy/ohos_policy/communication/netmanager/system/netsysnative.te
+++ b/sepolicy/ohos_policy/communication/netmanager/system/netsysnative.te
@@ -50,6 +50,20 @@ allow netsysnative normal_hap_attr:udp_socket { read write getopt setopt };
 allow netsysnative normal_hap_attr:unix_stream_socket { read write getopt setopt };
 allow init dev_unix_file:sock_file { unlink };
 allowxperm netsysnative netsysnative:unix_dgram_socket ioctl { 0x8933 };
+allow netsysnative sh:fd { use };
+allow netsysnative sh:tcp_socket { read write getopt setopt };
+allow netsysnative sh:unix_stream_socket { connectto };
+allow netsysnative dev_tun_file:chr_file {open read write ioctl};
+allow netsysnative fwmark_service:sock_file { write };
+allow netsysnative netsysnative:tun_socket { create relabelfrom relabelto };
+allow netsysnative data_file:sock_file { write };
+allow netsysnative system_basic_hap:unix_stream_socket { connectto };
+allow netsysnative system_basic_hap:fd { use };
+allow netsysnative system_basic_hap:tcp_socket { read write getopt setopt };
+allow sh musl_param:file { open map };
+allow sh data_file:sock_file { setattr };
+allow sh netsysnative:fd { use };
+allow sh dev_tun_file:chr_file { read write };
 allowxperm netsysnative netsysnative:unix_dgram_socket ioctl { 0x8927 0x8954 };
 debug_only(`
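Review bot: The four `allow sh …` rules (from `allow sh musl_param:file { open map };` through `allow sh dev_tun_file:chr_file { read write };`) and the three `allow netsysnative sh:…` rules are added to release policy even though the file's debug_only( block opens on the very next context line; if the shell only needs to reach netsysnative and the tun device during testing, they belong inside that block rather than above it. `allow sh dev_tun_file:chr_file { read write };` in particular gives the shell domain tunnel traffic access on non-debug builds, which the existing rules in this hunk do not grant to any non-service domain. As a point of style, `{open read write ioctl}` on the `dev_tun_file` line drops the spaces inside the braces that every other rule in the file uses. The debug_only( block itself continues past the end of the hunk, so its contents are not visible here.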
diff --git a/sepolicy/ohos_policy/communication/netmanager/system/normal_hap.te b/sepolicy/ohos_policy/communication/netmanager/system/normal_hap.te
index e8b7c7d683ed5765e66dc13853fc60997cfc685e..f5d7cfbe368ea604657611f2e7968e6d941f37c6 100644
--- a/sepolicy/ohos_policy/communication/netmanager/system/normal_hap.te
+++ b/sepolicy/ohos_policy/communication/netmanager/system/normal_hap.te
@@ -11,6 +11,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+allow normal_hap normal_hap:udp_socket { getopt };
+allow normal_hap sa_comm_vpn_manager_service:samgr_class { get };
+allow normal_hap fwmark_service:sock_file { write };
 allow normal_hap_attr normal_hap_attr:udp_socket { getopt };
 allow normal_hap_attr fwmark_service:sock_file { write };
 allow normal_hap_attr netmanager:binder { call transfer };
diff --git a/sepolicy/ohos_policy/communication/netmanager/system/system_basic_hap.te b/sepolicy/ohos_policy/communication/netmanager/system/system_basic_hap.te
index c857d2b5bd437ec5c748f1c91eb60473a37db6c2..a1fc67d516b5f619d472b58f2437d4dc56dad95a 100644
--- a/sepolicy/ohos_policy/communication/netmanager/system/system_basic_hap.te
+++ b/sepolicy/ohos_policy/communication/netmanager/system/system_basic_hap.te
@@ -11,6 +11,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+allow system_basic_hap arkcompiler_param:file { open read map };
+allow system_basic_hap sa_comm_vpn_manager_service:samgr_class { get };
+allow system_basic_hap data_file:dir { write add_name remove_name };
+allow system_basic_hap data_file:sock_file { create setattr unlink };
+allow system_basic_hap netsysnative:fd { use };
+allow system_basic_hap dev_tun_file:chr_file { read write };
+allow system_basic_hap fwmark_service:sock_file { write };
 allow system_basic_hap sa_comm_net_tethering_manager_service:samgr_class { get };
 allow system_basic_hap fwmark_service:sock_file { write };
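Review bot: `allow normal_hap normal_hap:udp_socket { getopt };` and `allow normal_hap fwmark_service:sock_file { write };` appear redundant with the `normal_hap_attr` rules two lines below, provided `normal_hap` carries `normal_hap_attr` (the attribute name and the `-normal_hap_attr` exclusions in domain.te suggest it does); if so, drop those two and keep only the samgr rule. `allow normal_hap sa_comm_vpn_manager_service:samgr_class { get };` makes the VPN manager SA discoverable to ordinary apps, whereas the other new lookups in this change are granted to system_basic_hap and system_core_hap; confirm that is intended and record it with a comment such as `# VPN manager SA is intentionally discoverable by normal haps`.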
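Review bot: The added `allow system_basic_hap fwmark_service:sock_file { write };` duplicates the identical rule that is already present two lines below as context, so one of the two copies should be removed. `allow system_basic_hap dev_tun_file:chr_file { read write };` grants no `open`, which together with `allow system_basic_hap netsysnative:fd { use };` suggests the tun descriptor is handed over by netsysnative; if that is the design, a comment saying so, e.g. `# tun fd is received from netsysnative; open/ioctl stay with netsysnative`, would explain the deliberately narrow permission set. `allow system_basic_hap arkcompiler_param:file { open read map };` looks unrelated to the VPN work in the rest of the change and may be worth a separate commit or a one-line comment on why it is needed here.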
diff --git a/sepolicy/ohos_policy/communication/netmanager/system/system_core_hap.te b/sepolicy/ohos_policy/communication/netmanager/system/system_core_hap.te
index 8a727a4fde0619972e40884d4b3d8aa9ef17daf5..4c59afc741282d0787184d1d30443213dc9be626 100644
--- a/sepolicy/ohos_policy/communication/netmanager/system/system_core_hap.te
+++ b/sepolicy/ohos_policy/communication/netmanager/system/system_core_hap.te
@@ -13,6 +13,7 @@
 allow system_core_hap netmanager:binder { call };
 allow system_core_hap netmanager:binder { transfer };
+allow system_core_hap sa_comm_vpn_manager_service:samgr_class { get };
 allow system_core_hap netsysnative:unix_stream_socket { connectto read write };
 allow system_core_hap system_core_hap:tcp_socket { getattr create setopt bind connect getopt read write };
diff --git a/sepolicy/ohos_policy/hiviewdfx/hidumper/system/hidumper_service.te b/sepolicy/ohos_policy/hiviewdfx/hidumper/system/hidumper_service.te
index bd92f233ee654b4f1eaef2c30729e47d9710b2a1..749c18de37428fdf51799ff80eb37fe98012159f 100644
--- a/sepolicy/ohos_policy/hiviewdfx/hidumper/system/hidumper_service.te
+++ b/sepolicy/ohos_policy/hiviewdfx/hidumper/system/hidumper_service.te
@@ -188,6 +188,7 @@ allow hidumper_service sa_bgtaskmgr:samgr_class get;
 allow hidumper_service sa_bluetooth_server:samgr_class get;
 allow hidumper_service sa_comm_dns_manager_service:samgr_class get;
 allow hidumper_service sa_comm_ethernet_manager_service:samgr_class get;
+allow hidumper_service sa_comm_vpn_manager_service:samgr_class get;
 allow hidumper_service sa_comm_mdns_manager_service:samgr_class get;
 allow hidumper_service sa_comm_net_stats_manager_service:samgr_class get;
 allow hidumper_service sa_dataobs_mgr_service_service:samgr_class get;