# Customize security services

Customization is supported for memory and SEPolicy. For a large-size trusted application, you can customize the memory regions.

## Customize memory

Memory customization is available only to licensed users with authorized access. If you have access, see [Qualcomm Linux Security Guide - Addendum → Customize memory for trusted application](https://docs.qualcomm.com/bundle/resource/topics/80-70017-11A/customize-fru.html).

## Customize SEPolicy

Qualcomm SEPolicy depends on the upstream SEPolicy. Therefore, the upstream SEPolicy’s make system is used for building and customizing the SEPolicy.

Any customization to upstream code must be stored in the [patches](https://github.com/quic-yocto/meta-qcom-hwe/tree/kirkstone/dynamic-layers/selinux/recipes-security/sepolicy/patches) directory as a patch to the upstream code. You can find the upstream code at [https://github.com/SELinuxProject/refpolicy/](https://github.com/SELinuxProject/refpolicy/).

The Qualcomm code is configured for the monolithic SEPolicy mode with the SELinux type set to targeted. To modify the SEPolicy mode and the SELinux type, do the following:

- To change the SELinux type and mode, edit the [Qualcomm base file](https://github.com/quic-yocto/meta-qcom-distro/blob/kirkstone/conf/distro/include/qcom-base.inc).
- To add SEPolicy patches, add them to the [patches folder](https://github.com/quic-yocto/meta-qcom-hwe/tree/kirkstone/dynamic-layers/selinux/recipes-security/sepolicy/patches) and update the respective `selinux_type` bbappend files (`refpolicy-targeted.bbappend` or `refpolicy-mls.bbappend`), which aren’t set by default. Add the SELinux enablement code in the distro and then edit `PREFERRED_PROVIDER_virtual/refpolicy`.

**Compile SEPolicy**

1. To compile the SEPolicy, run the following command:

   ```bash
   export SHELL=/bin/bash
   ```
2. Set up the build environment. For instructions, see [Qualcomm Linux Build Guide ➝ GitHub workflow for unregistered users.](https://docs.qualcomm.com/bundle/publicresource/topics/80-70017-254/github_workflow_unregistered_users.html)
3. Based on the SELinux type, compile only the SEPolicy with `bitbake refpolicy-mls` or `bitbake refpolicy-targeted`.

   ```bash
   bitbake <recipe_file_name>
   ```

**Modify and build**

You can also modify and build incrementally.

The audit2allow and sesearch tools on Ubuntu 18 or 20 don’t support policy version 33. Policy version 33 is supported from Ubuntu 23. If you aren’t using Ubuntu 23, you can use a Docker setup or a virtual machine to run audit2allow.

**Install docker**

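Use the following commands to set up a Docker container with the required tools on an earlier Ubuntu version.

```bash
# On the host: pull the Ubuntu 23.04 image and start an interactive container from it
sudo docker pull ubuntu:23.04
sudo docker run -ti --rm ubuntu:23.04 /bin/bash
# Inside the container: install the SELinux policy tools that provide audit2allow
apt-get update
apt-get -y install policycoreutils
apt-get install -y policycoreutils-python-utils
```

Then run audit2allow in this shell.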

Pull the version 33 policy from the target at `/etc/selinux/mls/policy/policy.33`. This policy is also available in the build tree. Use a bind mount or the `docker cp` command to share the policy with the Docker container.

**Capture denials**

If the command prompt doesn’t change when `policy.33` is pulled from the target or the build tree, and if `denials.txt` is a file capturing the denials, use the following command:

```bash
audit2allow -i denials.txt -p policy.33
```

**Command not found**

If this command isn’t found, then use the following command to install the required package:

```bash
sudo apt install policycoreutils-python-utils
```
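One way to review what `denials.txt` would turn into before generating rules with audit2allow, as an added example that is not part of the Qualcomm documentation: it groups AVC denials by source type, target type, and class, and renders them in allow-rule form. The sample records and the `sensord_t` type are constructed, and `summarize_denials` and `candidate_rules` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample of a denials.txt file (not taken from a real device).
SAMPLE_DENIALS = """\
type=AVC msg=audit(1712745600.123:45): avc:  denied  { read } for  pid=612 comm="sensord" name="cfg" dev="sda2" ino=77 scontext=system_u:system_r:sensord_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1712745600.130:46): avc:  denied  { open } for  pid=612 comm="sensord" path="/etc/cfg" dev="sda2" ino=77 scontext=system_u:system_r:sensord_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1712745601.002:47): avc:  denied  { net_admin } for  pid=612 comm="sensord" capability=12 scontext=system_u:system_r:sensord_t:s0 tcontext=system_u:system_r:sensord_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1712745602.500:48): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Fields of an AVC denial record that determine the resulting allow rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def summarize_denials(lines):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # granted records, unrelated log lines, truncated entries
        src, tgt = context_type(m["scon"]), context_type(m["tcon"])
        if src is None or tgt is None:
            continue  # malformed security context
        rules[(src, tgt, m["tclass"])].update(m["perms"].split())
    return rules

def candidate_rules(rules):
    """Render grouped denials in allow-rule syntax so each one can be reviewed."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        tgt_name = "self" if src == tgt else tgt
        ps = sorted(perms)
        perm_str = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        out.append(f"allow {src} {tgt_name}:{tclass} {perm_str};")
    return out

if __name__ == "__main__":
    for rule in candidate_rules(summarize_denials(SAMPLE_DENIALS.splitlines())):
        print(rule)
```

Each line of output corresponds to access a domain would gain, so a rule that looks broader than the service needs is a cue to fix labeling instead of adding the rule to a patch.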

## Next steps

- For common logging and debugging techniques, see [Debug Qualcomm TEE and secure devices](https://docs.qualcomm.com/doc/80-70018-11/topic/debug.html#debug).
- To configure Qualcomm TEE for securing devices that handle sensitive data and run trusted applications, see [Configure security services](https://docs.qualcomm.com/doc/80-70018-11/topic/configure.html#configure).

Last Published: Apr 10, 2025
