Create .te file under sepolicy Edge-V


Can anyone suggest how to create .te file for any service?
And where do I add that .te file? In public or private?

You can refer to the following, there are many examples.


commit 589c40516dde95fc7c89edae35420b65554216d1
Author: goenjoy <>
Date:   Thu Aug 15 17:37:01 2019 +0800

    PCIE: add PCIE auto mount support

diff --git a/init.rk30board.rc b/init.rk30board.rc
index 14651b1..79a2b4d 100755
--- a/init.rk30board.rc
+++ b/init.rk30board.rc
@@ -355,6 +355,10 @@ service rk_store_keybox /vendor/bin/rk_store_keybox
     class main
+service fuse_pcie0 /system/bin/sdcard -u 1023 -g 1023 /mnt/media_rw/pcie0 /storage/pcie0
+    class late_start
+    disabled
 #vts audio property
 on property:vts.native_server.on=1
     setprop vendor.vts_test true
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
index bfc7713..be9fe31 100755
--- a/sepolicy/vendor/device.te
+++ b/sepolicy/vendor/device.te
@@ -32,3 +32,6 @@ type cec_device, dev_type;
 #for hid audio
 type hidraw_device, dev_type;
+#for pcie
+type sda_block_device, dev_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
old mode 100644
new mode 100755
index d767577..0879a03
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -65,7 +65,8 @@
 /dev/block/by-name/misc                         u:object_r:misc_block_device:s0
 /dev/block/by-name/security                     u:object_r:security_block_device:s0
 /dev/block/by-name/baseparameter                u:object_r:baseparameter_block_device:s0
+/dev/block/nvme0n1                              u:object_r:sda_block_device:s0
+/dev/block/nvme0n1p(.*)                         u:object_r:sda_block_device:s0
 /sys/devices/platform/fb/graphics/fb[0-9]/cabc                u:object_r:sysfs_fb:s0
 /sys/kernel/debug/mali/gpu_memory                u:object_r:sys_mali:s0
diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te
old mode 100644
new mode 100755
index 3cbdc97..f447506
--- a/sepolicy/vendor/tee.te
+++ b/sepolicy/vendor/tee.te
@@ -12,4 +12,4 @@ allow tee block_device:dir { getattr search };
 allow tee security_block_device:blk_file { ioctl open read write };
 allow tee uboot_block_device:blk_file { ioctl open read write };
 allow tee rpmb_block_device:blk_file { ioctl open read write };
+allow tee sda_block_device:blk_file { read open write ioctl };

Yes, I have seen few examples and I have tried to run the script on android boot but it does not get started.

My shell script is in system/bin (
I have defined my service in “system/core/bootstat/bootstat.rc” file.

service xxx /system/bin/sh /system/bin/
class main
seclabel u:r:displaysize:s0

My xxx.te file is located at system/sepolicy/xxx.te.

type xxx, domain;
type xxx__exec, exec_type, file_type;

I have added my .te file in file located at system/sepolicy/

Just for your information, my shell script works okay when I execute it from adb shell.

So, what could be wrong here? Why my script does’t get executed on android boot?

I check the dmesg and I got following logs regarding my service

init: starting service ‘xxx’…
init: cannot setexeccon(‘u:r:xxx:s0’) for xxx: Invalid argument
init: Service ‘xxx’ (pid 1076) exited with status 6