diff --git a/services/etc/param/ohos.para.dac b/services/etc/param/ohos.para.dac
index 29754afd5e64f221d6e55bac3c6cbf3c14bdf4c2..d58ba849c5a0e3f2dc7155ef7d828eeb3d76c0f1 100755
--- a/services/etc/param/ohos.para.dac
+++ b/services/etc/param/ohos.para.dac
@@ -31,3 +31,5 @@ persist.window.boot. = root:system:0775
 debug.bytrace. = root:system:0775
 persist.distributed_hardware.device_manager. = system:system:0775
+bootevent. = samgr:samgr:0777
+hw_sc. = root:root:0777
diff --git a/services/param/adapter/param_dac.c b/services/param/adapter/param_dac.c
index 8a81c601e32233215c1437c614c9127dd70a4b4b..b488940fa041f20e93e3b7d44a90e707dbb38dbb 100644
--- a/services/param/adapter/param_dac.c
+++ b/services/param/adapter/param_dac.c
@@ -237,8 +237,13 @@ static int DacCheckParamPermission(const ParamSecurityLabel *srcLabel, const cha
 if ((node->mode & localMode) != 0) {
 ret = DAC_RESULT_PERMISSION;
 }
- PARAM_LOGV("Param '%s' label gid:%d uid:%d mode 0%o", name, srcLabel->cred.gid, srcLabel->cred.uid, localMode);
- PARAM_LOGV("Cfg label %d gid:%d uid:%d mode 0%o result %d", labelIndex, node->gid, node->uid, node->mode, ret);
+ if (ret != DAC_RESULT_PERMISSION) {
+ PARAM_LOGW("Param '%s' label gid:%d uid:%d mode 0%o", name, srcLabel->cred.gid, srcLabel->cred.uid, localMode);
+ PARAM_LOGW("Cfg label %d gid:%d uid:%d mode 0%o ", labelIndex, node->gid, node->uid, node->mode);
+#ifndef STARTUP_INIT_TEST
+ ret = DAC_RESULT_PERMISSION;
+#endif
+ }
 return ret;
 }
diff --git a/services/param/adapter/param_selinux.c b/services/param/adapter/param_selinux.c
index 9ee8fb23e650c63b519bbdbf40202fe8d9a7af8d..12c6b3af13244e2bd459269152afb144c81d257b 100644
--- a/services/param/adapter/param_selinux.c
+++ b/services/param/adapter/param_selinux.c
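Review bot: In services/etc/param/ohos.para.dac the two new prefixes `bootevent.` and `hw_sc.` are given mode 0777, while every neighbouring entry visible in the hunk uses 0775. If the low three bits follow the usual owner/group/other layout, this lets callers outside samgr or root write these parameters, which looks wider than needed for boot events and a root-owned `hw_sc.` prefix. Unless an unprivileged writer is really required, consider `bootevent. = samgr:samgr:0775` and `hw_sc. = root:root:0775`, or add a comment naming the processes that must write them.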
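Review bot: In DacCheckParamPermission (param_dac.c) the added `#ifndef STARTUP_INIT_TEST` branch overwrites a failed result with `DAC_RESULT_PERMISSION`, so in non-test builds the DAC check only logs a warning and never denies. As far as this diff shows, that makes the ohos.para.dac modes advisory and leaves the SELinux module as the only one able to return a denial. If this is meant as a temporary audit mode, gate it behind an explicit, named option with a comment stating when it is removed, rather than on the absence of the test macro; otherwise drop the override so `ret` keeps the denial. Because the override is compiled out under STARTUP_INIT_TEST, the unit tests exercise the enforcing path rather than the one that ships. The `PARAM_LOGW` lines are worth keeping either way as a record of denied requests; the function starts outside the hunk.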
@@ -193,7 +193,10 @@ static int SelinuxCheckParamPermission(const ParamSecurityLabel *srcLabel, const
 #endif
 }
 if (ret != 0) {
- PARAM_LOGI("Selinux check name %s pid %d uid %d %d result %d", name, uc.pid, uc.uid, uc.gid, ret);
+ PARAM_LOGW("Selinux check name %s pid %d uid %d %d result %d", name, uc.pid, uc.uid, uc.gid, ret);
+ ret = DAC_RESULT_FORBIDED;
+ } else {
+ ret = DAC_RESULT_PERMISSION;
 }
 return ret;
 }
diff --git a/services/param/base/param_base.c b/services/param/base/param_base.c
index fa3ac0843d101df318069c7d94b243cc4f748bb6..7e9d6d7ee075ef2d3bbdbcaf3c83251b84b49363 100644
--- a/services/param/base/param_base.c
+++ b/services/param/base/param_base.c
@@ -299,12 +299,11 @@ INIT_INNER_API int CheckParamPermission(const ParamSecurityLabel *srcLabel, cons
 continue;
 }
 if (ops->securityCheckParamPermission == NULL) {
- ret = DAC_RESULT_FORBIDED;
 continue;
 }
 ret = ops->securityCheckParamPermission(srcLabel, name, mode);
- PARAM_LOGV("CheckParamPermission %s %s ret %d", ops->name, name, ret);
- if (ret == DAC_RESULT_PERMISSION) {
+ if (ret == DAC_RESULT_FORBIDED) {
+ PARAM_LOGW("CheckParamPermission %s %s FORBID", ops->name, name);
 break;
 }
 }
diff --git a/services/param/include/param_utils.h b/services/param/include/param_utils.h
index e2fbecdb3d409e713a202d784d3eb0d051570474..4585cd74731a4dcb1ce8fe9cdb02e498d54d5d7d 100644
--- a/services/param/include/param_utils.h
+++ b/services/param/include/param_utils.h
@@ -101,6 +101,7 @@ typedef struct cmdLineInfo {
 #define PARAM_LOGI(fmt, ...) STARTUP_LOGI(PARAN_DOMAIN, PARAN_LABEL, fmt, ##__VA_ARGS__)
 #define PARAM_LOGE(fmt, ...) STARTUP_LOGE(PARAN_DOMAIN, PARAN_LABEL, fmt, ##__VA_ARGS__)
 #define PARAM_LOGV(fmt, ...) STARTUP_LOGV(PARAN_DOMAIN, PARAN_LABEL, fmt, ##__VA_ARGS__)
+#define PARAM_LOGW(fmt, ...) STARTUP_LOGW(PARAN_DOMAIN, PARAN_LABEL, fmt, ##__VA_ARGS__)
 #define PARAM_CHECK(retCode, exper, ...) \
 if (!(retCode)) { \
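Review bot: In CheckParamPermission (param_base.c) a module whose `securityCheckParamPermission` is NULL is now skipped without setting `ret`, and the loop stops only on `DAC_RESULT_FORBIDED`. The returned value is therefore whatever the last module with a callback produced, or the initial value of `ret` (set outside the hunk) when none has one. Please confirm that the initializer is a deny value so a build with no registered checker fails closed, and consider stopping on any result other than allow, e.g. `if (ret != DAC_RESULT_PERMISSION) {`. A short comment above the loop stating the new rule, that every registered module must allow, would help the next reader.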
diff --git a/test/unittest/param/client_unittest.cpp b/test/unittest/param/client_unittest.cpp
index 9944c14ffabac36993b34541969792baf607ea26..91794cf76dec9208b507ae849083f3aa455af847 100644
--- a/test/unittest/param/client_unittest.cpp
+++ b/test/unittest/param/client_unittest.cpp
@@ -135,8 +135,9 @@ static void TestPermission()
 EXPECT_EQ(ret, testResult);
 #endif
 u_int32_t len = sizeof(tmp);
+ SetTestPermissionResult(DAC_RESULT_FORBIDED);
 ret = SystemGetParameter(testName, tmp, &len);
- EXPECT_EQ(ret, testResult);
+ EXPECT_EQ(ret, DAC_RESULT_FORBIDED);
 RegisterSecurityOps(0);
 SetTestPermissionResult(0); // recover testpermission result
 }
diff --git a/test/unittest/param/watcher_agent_unittest.cpp b/test/unittest/param/watcher_agent_unittest.cpp
index 394fcc8126b8b3a3cf3fcd3cbb7300458cf7b474..c8aca076fd0614ff3d220fdcb91009268f80f73e 100644
--- a/test/unittest/param/watcher_agent_unittest.cpp
+++ b/test/unittest/param/watcher_agent_unittest.cpp
@@ -61,7 +61,7 @@ public:
 ret = SystemWatchParameter("test.permission.watcher.tes^^^^t1*", TestParameterChange, nullptr);
 EXPECT_NE(ret, 0);
 ret = SystemWatchParameter("test.permission.read.test1*", TestParameterChange, nullptr);
- EXPECT_EQ(ret, 0);
+ EXPECT_EQ(ret, DAC_RESULT_FORBIDED);
 return 0;
 }
@@ -78,7 +78,7 @@ public:
 ret = SystemWatchParameter("test.permission.watcher.tes^^^^t1*", nullptr, nullptr);
 EXPECT_NE(ret, 0);
 ret = SystemWatchParameter("test.permission.read.test1*", nullptr, nullptr);
- EXPECT_EQ(ret, 0);
+ EXPECT_EQ(ret, DAC_RESULT_FORBIDED);
 return 0;
 }
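Review bot: In TestPermission (client_unittest.cpp) the read check now runs only with the result forced to `DAC_RESULT_FORBIDED`, so the allowed path of `SystemGetParameter` under a registered security op is no longer asserted at this point. Consider adding a second call with the permission result set to allow and asserting that it succeeds, so a regression that denies every read would be caught. The function starts outside the hunk, so an earlier assertion may already cover this.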