android11 Framework Selinux 添加设备节点问题修改及具体实现_could not load context file from

file_contexts文件修改时，最后一行必须要有一个空行，否则会编译不过。

========================================================
file_contexts 最后一行修改不是空行，怎么都编不过，搞了半天，气死了~~

FAILED: out/target/product/ums****/obj/ETC/file_contexts.bin_intermediates/file_contexts.bin
**
Error: could not load context file from out/target/product/ums*/obj/ETC/file_contexts.bin_intermediates/file_contexts.concat.tmp

========================================================

• 具体修改

project system/
diff --git a/core/rootdir/init.rc b/core/rootdir/init.rc
index ceb223f3..5c615823 100644
--- a/core/rootdir/init.rc
+++ b/core/rootdir/init.rc
@@ -142,6 +142,7 @@ on init
     chmod 0664 /dev/stune/background/tasks
     chmod 0664 /dev/stune/top-app/tasks
     chmod 0664 /dev/stune/rt/tasks
 +    chmod 0666 /dev/scaner
 
     # Create an stune group for NNAPI HAL processes
     mkdir /dev/stune/nnapi-hal
diff --git a/core/rootdir/ueventd.rc b/core/rootdir/ueventd.rc
index 9c2cdf27..3466f87b 100644
--- a/core/rootdir/ueventd.rc
+++ b/core/rootdir/ueventd.rc
@@ -38,6 +38,8 @@ subsystem sound
 /dev/hwbinder             0666   root       root
 /dev/vndbinder            0666   root       root
 
+/dev/scaner                0666   root       root
 +  /dev/pmsg0                0222   root       log
 
 # kms driver for drm based gpu
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

• 修改是android R，api 30 的修改必须跟默认完全一致。
  api 26,27,28,29 需同步修改。

diff --git a/sepolicy/prebuilts/api/30.0/private/file_contexts b/sepolicy/prebuilts/api/30.0/private/file_contexts
index 9620b751..3cc51fe6 100644
--- a/sepolicy/prebuilts/api/30.0/private/file_contexts
+++ b/sepolicy/prebuilts/api/30.0/private/file_contexts
@@ -736,3 +736,6 @@
 #############################
 # mount point for read-write product partitions
 /mnt/product(/.*)?          u:object_r:mnt_product_file:s0
+
+# add /dev/scaner
+/dev/scaner                 u:object_r:scaner_device:s0
diff --git a/sepolicy/prebuilts/api/30.0/private/system_server.te b/sepolicy/prebuilts/api/30.0/private/system_server.te
index d4b4f169..329dea83 100644
--- a/sepolicy/prebuilts/api/30.0/private/system_server.te
+++ b/sepolicy/prebuilts/api/30.0/private/system_server.te
@@ -1171,3 +1171,6 @@ neverallow system_server self:perf_event ~{ open write cpu kernel };
 
 # Do not allow any domain other than init or system server to set the property
 neverallow { domain -init -system_server } socket_hook_prop:property_service set;
+
+# /dev/scaner
+allow system_server scaner_device:chr_file rw_file_perms;
\ No newline at end of file
diff --git a/sepolicy/prebuilts/api/30.0/public/device.te b/sepolicy/prebuilts/api/30.0/public/device.te
index 32563d67..af2eb877 100644
--- a/sepolicy/prebuilts/api/30.0/public/device.te
+++ b/sepolicy/prebuilts/api/30.0/public/device.te
@@ -112,3 +112,6 @@ type super_block_device, super_block_device_type, dev_type;
 # separate device node. gsid, however, accesses the original devide node
 # created through uevents, so we use a separate label.
 type sdcard_block_device, dev_type;
+
+# /dev/scaner
+type scaner_device, dev_type;
\ No newline at end of file
diff --git a/sepolicy/prebuilts/api/30.0/public/init.te b/sepolicy/prebuilts/api/30.0/public/init.te
index 403b4c5e..1b53be17 100644
--- a/sepolicy/prebuilts/api/30.0/public/init.te
+++ b/sepolicy/prebuilts/api/30.0/public/init.te
@@ -71,6 +71,9 @@ allow init tmpfs:chr_file write;
 # Access /dev/console.
 allow init console_device:chr_file rw_file_perms;
 
+# Access /dev/scaner.
+allow init scaner_device:chr_file rw_file_perms;
+
 # Access /dev/tty0.
 allow init tty_device:chr_file rw_file_perms;
 
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts
index 9620b751..3cc51fe6 100644
--- a/sepolicy/private/file_contexts
+++ b/sepolicy/private/file_contexts
@@ -736,3 +736,6 @@
 #############################
 # mount point for read-write product partitions
 /mnt/product(/.*)?          u:object_r:mnt_product_file:s0
+
+# add /dev/scaner
+/dev/scaner                 u:object_r:scaner_device:s0
diff --git a/sepolicy/private/system_server.te b/sepolicy/private/system_server.te
index d4b4f169..329dea83 100644
--- a/sepolicy/private/system_server.te
+++ b/sepolicy/private/system_server.te
@@ -1171,3 +1171,6 @@ neverallow system_server self:perf_event ~{ open write cpu kernel };
 
 # Do not allow any domain other than init or system server to set the property
 neverallow { domain -init -system_server } socket_hook_prop:property_service set;
+
+# /dev/scaner
+allow system_server scaner_device:chr_file rw_file_perms;
\ No newline at end of file
diff --git a/sepolicy/public/device.te b/sepolicy/public/device.te
index 32563d67..af2eb877 100644
--- a/sepolicy/public/device.te
+++ b/sepolicy/public/device.te
@@ -112,3 +112,6 @@ type super_block_device, super_block_device_type, dev_type;
 # separate device node. gsid, however, accesses the original devide node
 # created through uevents, so we use a separate label.
 type sdcard_block_device, dev_type;
+
+# /dev/scaner
+type scaner_device, dev_type;
\ No newline at end of file
diff --git a/sepolicy/public/init.te b/sepolicy/public/init.te
index 403b4c5e..1b53be17 100644
--- a/sepolicy/public/init.te
+++ b/sepolicy/public/init.te
@@ -71,6 +71,9 @@ allow init tmpfs:chr_file write;
 # Access /dev/console.
 allow init console_device:chr_file rw_file_perms;
 
+# Access /dev/scaner.
+allow init scaner_device:chr_file rw_file_perms;
+
 # Access /dev/tty0.
 allow init tty_device:chr_file rw_file_perms;
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98

参考文档：

https://blog.csdn.net/Sqq_yj/article/details/122623193?spm=1001.2014.3001.5502
https://blog.csdn.net/solo_the_word/article/details/107624480