diff --git a/services/samgr/native/BUILD.gn b/services/samgr/native/BUILD.gn
index 26fdf8d503a9aed1b8f7b68619ab101524353203..49803cd7a7c3a2e33b92209b4803796abfc8c25f 100644
--- a/services/samgr/native/BUILD.gn
+++ b/services/samgr/native/BUILD.gn
@@ -82,6 +82,11 @@ ohos_executable("samgr") {
 "ipc:libdbinder",
 "utils_base:utils",
 ]
+
+ if (build_selinux) {
+ external_deps += [ "selinux:libservice_checker" ]
+ defines = [ "WITH_SELINUX" ]
+ }
 public_deps = [ "//third_party/libxml2:libxml2" ]
 part_name = "samgr_standard"
 }
diff --git a/services/samgr/native/samgr_standard.cfg b/services/samgr/native/samgr_standard.cfg
index 8a6256aa97d2dc5fe34a7a335605572b875cc493..3811f20801e53e9d5f7e3d665c9a73b4c8df19be 100644
--- a/services/samgr/native/samgr_standard.cfg
+++ b/services/samgr/native/samgr_standard.cfg
@@ -4,7 +4,7 @@
 "path" : ["/system/bin/samgr"],
 "critical" : [1, 1, 60],
 "uid" : "system",
- "gid" : ["system"],
+ "gid" : ["system", "readproc"],
 "start-mode" : "boot"
 }
 ]
diff --git a/services/samgr/native/samgr_standard_musl.cfg b/services/samgr/native/samgr_standard_musl.cfg
index 154574db92fbffb0445cdb119a6baf8a97851eaa..99d5e27ddac375d9c9fcea197a9249ed95fd4491 100644
--- a/services/samgr/native/samgr_standard_musl.cfg
+++ b/services/samgr/native/samgr_standard_musl.cfg
@@ -2,9 +2,8 @@
 "services" : [{
 "name" : "samgr",
 "path" : ["/system/bin/samgr"],
- "critical" : [1, 1, 60],
 "uid" : "samgr",
- "gid" : ["samgr"],
+ "gid" : ["samgr", "readproc"],
 "secon" : "u:r:samgr:s0",
 "start-mode" : "boot"
 }
diff --git a/services/samgr/native/source/system_ability_manager_stub.cpp b/services/samgr/native/source/system_ability_manager_stub.cpp
index 44dc4033c1795eb3bc047f58cbfd65cc1ff19bd1..1a62561fb38f83773922df80c231a3e718251a25 100644
--- a/services/samgr/native/source/system_ability_manager_stub.cpp
+++ b/services/samgr/native/source/system_ability_manager_stub.cpp
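Review bot: The `readproc` group is added to samgr's gid list in samgr_standard.cfg unconditionally, while the service checker that presumably needs it is only compiled in when `build_selinux` is set (this commit's BUILD.gn hunk), so builds without SELinux support run samgr with a supplementary group it never uses. The commit description should state what the checker reads that requires readproc, so the grant can later be reviewed against least privilege; the same applies to the gid change in the samgr_standard_musl.cfg hunk. The .cfg format has no comment syntax, so that explanation has to live in the description or next to the `build_selinux` block in BUILD.gn.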
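Review bot: The musl config drops `"critical" : [1, 1, 60]` while the non-musl samgr_standard.cfg keeps it, which changes how init handles a crashing samgr on musl builds (presumably its restart policy) and is unrelated to the SELinux checks the rest of the commit adds. If the removal is deliberate, the description should say why; otherwise restore `"critical" : [1, 1, 60],` between the `"path"` and `"uid"` entries so both configs stay in step.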
@@ -24,8 +24,57 @@ #include "system_ability_manager.h" #include "tools.h" -using namespace OHOS::Security; +#ifdef WITH_SELINUX +#include "service_checker.h" +#endif + +namespace { +#ifdef WITH_SELINUX + std::unique_ptr selinuxChecker_ = std::make_unique(false); +#endif + + bool CheckGetSAPermission(const int32_t said) + { +#ifdef WITH_SELINUX + auto callingPid = OHOS::IPCSkeleton::GetCallingPid(); + return selinuxChecker_->GetServiceCheck(callingPid, std::to_string(said)) == 0; +#else + return true; // if not support selinux, not check selinux permission +#endif + } + + bool CheckAddOrRemovePermission(const int32_t said) + { +#ifdef WITH_SELINUX + auto callingPid = OHOS::IPCSkeleton::GetCallingPid(); + return selinuxChecker_->AddServiceCheck(callingPid, std::to_string(said)) == 0; +#else + return true; // if not support selinux, not check selinux permission +#endif + } + + bool CheckGetRemoteSAPermission(const int32_t said) + { +#ifdef WITH_SELINUX + auto callingPid = OHOS::IPCSkeleton::GetCallingPid(); + return selinuxChecker_->GetRemoteServiceCheck(callingPid, std::to_string(said)) == 0; +#else + return true; // if not support selinux, not check selinux permission +#endif + } + + bool CheckListSAPermission() + { +#ifdef WITH_SELINUX + auto callingPid = OHOS::IPCSkeleton::GetCallingPid(); + return selinuxChecker_->ListServiceCheck(callingPid) == 0; +#else + return true; // if not support selinux, not check selinux permission +#endif + } +} +using namespace OHOS::Security; namespace OHOS { SystemAbilityManagerStub::SystemAbilityManagerStub() { @@ -54,6 +103,7 @@ SystemAbilityManagerStub::SystemAbilityManagerStub() memberFuncMap_[LOAD_SYSTEM_ABILITY_TRANSACTION] = &SystemAbilityManagerStub::LoadSystemAbilityInner; } + int32_t SystemAbilityManagerStub::OnRemoteRequest(uint32_t code, MessageParcel& data, MessageParcel& reply, MessageOption &option) { 
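Review bot: `selinuxChecker_` is a namespace-scope object built by `std::make_unique(false)` during static initialization, so any failure in the checker's constructor aborts samgr at process start rather than surfacing as a denied request, and all four helpers dereference it with `->` unconditionally; the template argument is not visible in this rendering, so I cannot confirm the concrete type. The `== 0` comparison makes a non-zero checker result fail closed, which is the right default but is undocumented — a comment above `CheckGetSAPermission` such as `// Any non-zero checker result, including an internal error, is treated as a denial.` would pin that contract for later edits. The four helpers differ only in the member function they call, so one shared helper taking that call as a parameter would remove three copies of the `#ifdef`/`#else` block. A trailing underscore is conventionally reserved for class members, so `selinuxChecker_` reads as a member; `g_selinuxChecker` or plain `selinuxChecker` would match its actual scope. The constructor hunk that follows on this line is whitespace-only, but since `memberFuncMap_` is filled there, verify that every transaction code which resolves or registers an SA routes through one of the handlers checked in this commit.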
@@ -86,6 +136,12 @@ int32_t SystemAbilityManagerStub::ListSystemAbilityInner(MessageParcel& data, Me HILOGE("ListSystemAbilityInner PERMISSION DENIED!"); return ERR_PERMISSION_DENIED; } + + if (!CheckListSAPermission()) { + HILOGE("ListSystemAbilityInner selinux permission denied!"); + return ERR_PERMISSION_DENIED; + } + int32_t dumpFlag = 0; bool ret = data.ReadInt32(dumpFlag); if (!ret) { @@ -189,6 +245,11 @@ int32_t SystemAbilityManagerStub::CheckRemtSystemAbilityInner(MessageParcel& dat return ERR_NULL_OBJECT; } + if (!CheckGetRemoteSAPermission(systemAbilityId)) { + HILOGE("CheckRemtSystemAbilityInner selinux permission denied!, SA : %{public}d", systemAbilityId); + return ERR_PERMISSION_DENIED; + } + std::string deviceId; bool ret = data.ReadString(deviceId); if (!ret) { @@ -216,6 +277,12 @@ int32_t SystemAbilityManagerStub::AddOndemandSystemAbilityInner(MessageParcel& d HILOGW("SystemAbilityManagerStub::AddOndemandSystemAbilityInner read systemAbilityId failed!"); return ERR_NULL_OBJECT; } + + if (!CheckAddOrRemovePermission(systemAbilityId)) { + HILOGE("AddOndemandSystemAbilityInner selinux permission denied! SA : %{public}d", systemAbilityId); + return ERR_PERMISSION_DENIED; + } + std::u16string localManagerName = data.ReadString16(); if (localManagerName.empty()) { HILOGW("SystemAbilityManagerStub::AddOndemandSystemAbilityInner read localName failed!"); @@ -240,6 +307,12 @@ int32_t SystemAbilityManagerStub::CheckSystemAbilityImmeInner(MessageParcel& dat HILOGW("SystemAbilityManagerStub::CheckSystemAbilityImmeInner read systemAbilityId failed!"); return ERR_NULL_OBJECT; } + + if (!CheckGetSAPermission(systemAbilityId)) { + HILOGE("CheckSystemAbilityImmeInner selinux permission denied! SA : %{public}d", systemAbilityId); + return ERR_PERMISSION_DENIED; + } + bool isExist = false; bool ret = data.ReadBool(isExist); if (!ret) { 
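Review bot: The denial messages are formatted three different ways — `denied!, SA : %{public}d` in CheckRemtSystemAbilityInner, `denied! SA : %{public}d` in AddOndemandSystemAbilityInner and CheckSystemAbilityImmeInner here, and `denied!SA : %{public}d` in RemoveSystemAbilityInner and LoadSystemAbilityInner on a later line; one form such as `selinux permission denied! SA : %{public}d` across all of them keeps a log-based detection rule from needing a pattern per handler. The ListSystemAbilityInner message carries no SA id, which is correct since that request has none. Each handler's remaining body lies outside its hunk.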
@@ -295,6 +368,12 @@ int32_t SystemAbilityManagerStub::AddSystemAbilityInner(MessageParcel& data, Mes HILOGW("SystemAbilityManagerStub::AddSystemAbilityExtraInner read systemAbilityId failed!"); return ERR_NULL_OBJECT; } + + if (!CheckAddOrRemovePermission(systemAbilityId)) { + HILOGE("AddSystemAbilityInner selinux permission denied! SA : %{public}d", systemAbilityId); + return ERR_PERMISSION_DENIED; + } + auto object = data.ReadRemoteObject(); if (object == nullptr) { HILOGW("SystemAbilityManagerStub::AddSystemAbilityExtraInner readParcelable failed!"); @@ -323,6 +402,12 @@ int32_t SystemAbilityManagerStub::GetSystemAbilityInner(MessageParcel& data, Mes HILOGW("SystemAbilityManagerStub::GetSystemAbilityInner read systemAbilityId failed!"); return ERR_NULL_OBJECT; } + + if (!CheckGetSAPermission(systemAbilityId)) { + HILOGE("GetSystemAbilityInner selinux permission denied! SA : %{public}d", systemAbilityId); + return ERR_PERMISSION_DENIED; + } + bool ret = reply.WriteRemoteObject(GetSystemAbility(systemAbilityId)); if (!ret) { HILOGW("SystemAbilityManagerStub:GetSystemAbilityInner write reply failed."); @@ -338,6 +423,12 @@ int32_t SystemAbilityManagerStub::CheckSystemAbilityInner(MessageParcel& data, M HILOGW("SystemAbilityManagerStub::CheckSystemAbilityInner read systemAbilityId failed!"); return ERR_NULL_OBJECT; } + + if (!CheckGetSAPermission(systemAbilityId)) { + HILOGE("CheckSystemAbilityInner selinux permission denied! SA : %{public}d", systemAbilityId); + return ERR_PERMISSION_DENIED; + } + bool ret = reply.WriteRemoteObject(CheckSystemAbility(systemAbilityId)); if (!ret) { return ERR_FLATTEN_OBJECT; 
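Review bot: The denial log in GetSystemAbilityInner records the requested SA id but nothing about the caller, so a denial cannot be attributed to a process from the log alone even though the helper already obtains the calling pid; the call site could log it as well, e.g. `HILOGE("GetSystemAbilityInner selinux permission denied! SA : %{public}d, pid : %{public}d", systemAbilityId, IPCSkeleton::GetCallingPid());`, and the same applies to the other denial logs in this commit. A pid can be reused once the caller exits, so it is useful for triage but should not be the only field used to correlate with audit records. GetSystemAbilityInner's body ends outside the hunk.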
@@ -356,6 +447,12 @@ int32_t SystemAbilityManagerStub::RemoveSystemAbilityInner(MessageParcel& data, HILOGW("SystemAbilityManagerStub::RemoveSystemAbilityInner read systemAbilityId failed!"); return ERR_NULL_OBJECT; } + + if (!CheckAddOrRemovePermission(systemAbilityId)) { + HILOGE("RemoveSystemAbilityInner selinux permission denied!SA : %{public}d", systemAbilityId); + return ERR_PERMISSION_DENIED; + } + int32_t result = RemoveSystemAbility(systemAbilityId); HILOGI("SystemAbilityManagerStub::RemoveSystemAbilityInner result is %{public}d", result); bool ret = reply.WriteInt32(result); @@ -402,6 +499,12 @@ int32_t SystemAbilityManagerStub::LoadSystemAbilityInner(MessageParcel& data, Me HILOGW("SystemAbilityManagerStub::LoadSystemAbilityInner read systemAbilityId failed!"); return ERR_INVALID_VALUE; } + + if (!CheckGetSAPermission(systemAbilityId)) { + HILOGE("LoadSystemAbilityInner selinux permission denied!SA : %{public}d", systemAbilityId); + return ERR_PERMISSION_DENIED; + } + sptr remoteObject = data.ReadRemoteObject(); if (remoteObject == nullptr) { HILOGW("SystemAbilityManagerStub::LoadSystemAbilityInner read callback failed!");