"Permission denied" when running update_kernel.sh after flashing test image

153 views
Skip to first unread message

Harry Cutts

unread,
Sep 20, 2018, 5:53:37 PM9/20/18
to chromiu...@chromium.org
Hi,

I just flashed the latest canary test image (xbuddy://remote/samus/latest-canary/test) from xbuddy onto my Samus test device, and now I'm trying to install a kernel I've built. I've disabled rootfs verification (with make_dev_ssd.sh). When I run ./update_kernel.sh --remote $DEVICE_IP I get "Permission denied (13)" errors:
INFO    : Target reports arch is x86_64
INFO    : Target reports board is samus
INFO    : Target reports root device is /dev/sda
INFO    : System is not using verity: updating firmware and modules
copying kernel
rsync: symlink "/boot/.vmlinuz.3535" -> "vmlinuz-4.14.59" failed: Permission denied (13)
rsync: mkstemp "/boot/.System.map-3.14.0.LGhiZP" failed: Permission denied (13)
rsync: mkstemp "/boot/.System.map-4.14.59.4UXUTN" failed: Permission denied (13)
rsync: mkstemp "/boot/.config-3.14.0.dwU0TL" failed: Permission denied (13)
rsync: mkstemp "/boot/.config-4.14.59.tqYhUJ" failed: Permission denied (13)
rsync: mkstemp "/boot/.vmlinuz-3.14.0.xE64VH" failed: Permission denied (13)
rsync: mkstemp "/boot/.vmlinuz-4.14.59.VSVi1F" failed: Permission denied (13)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1189) [sender=3.1.3]
SSHing in as root and trying touch /boot/foo also results in permission denied. I haven't encountered this before when working on this device. Is there a new step I need to take to make /boot writable?

Thanks,

Harry Cutts
Chrome OS Touch/Input team

Evan Warren Pratten

unread,
Sep 20, 2018, 5:58:30 PM9/20/18
to Harry Cutts, chromiu...@chromium.org
This is probably a dumb question, but have you tried running with sudo?

--
--
Chromium OS Developers mailing list: chromiu...@chromium.org
View archives, change email options, or unsubscribe:
https://groups.google.com/a/chromium.org/group/chromium-os-dev
---
You received this message because you are subscribed to the Google Groups "Chromium OS Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-os-d...@chromium.org.

Harry Cutts

unread,
Sep 20, 2018, 7:14:17 PM9/20/18
to ewpr...@gmail.com, chromiu...@chromium.org
I just did, and the same thing happened. I believe the issue is the permissions on the device, and I get those errors even if I'm already root on the device.

Harry Cutts
Chrome OS Touch/Input team

Evan Warren Pratten

unread,
Sep 20, 2018, 7:25:47 PM9/20/18
to Harry Cutts, chromiu...@chromium.org
Have you tried removing the write protect screw (or flipping the switch, or shorting the jumper depending on your device)?

Also, have you tried a powerwash, or using the recovery tool first?

I had similar problems, and playing with some settings using Mr. Chromebox's scripts helped for me.

Harry Cutts

unread,
Sep 20, 2018, 7:27:24 PM9/20/18
to ewpr...@gmail.com, chromiu...@chromium.org
Samus devices don't have a write-protect screw, and the device has been freshly imaged. I've updated its kernel before using the same method.

Harry Cutts
Chrome OS Touch/Input team

Evan Warren Pratten

unread,
Sep 20, 2018, 7:29:25 PM9/20/18
to Harry Cutts, chromiu...@chromium.org
I am out of suggestions.

Good luck finding a solution!

I am curious what ends up fixing the problem.

Mike Frysinger

unread,
Sep 20, 2018, 8:07:45 PM9/20/18
to Evan Warren Pratten, Harry Cutts, chromium-os-dev
hold up. modifying the rootfs has no requirement to mess with the write protect settings in the firmware. please don't suggest people touch that.

have you disabled rootfs verification on your device? can you run:
mount -o remount,rw /
-mike

Harry Cutts

unread,
Sep 20, 2018, 8:21:38 PM9/20/18
to vap...@chromium.org, Evan Warren Pratten, chromiu...@chromium.org
Yes, I disabled rootfs verification with /usr/share/vboot/bin/make_dev_ssd.sh --remove_rootfs_verification --partitions 4. Running mount -o remount,rw / doesn't show any errors, but I still get the permission errors when running update_kernel.sh afterwards.

Harry Cutts
Chrome OS Touch/Input team

Mike Frysinger

unread,
Sep 20, 2018, 8:33:47 PM9/20/18
to Harry Cutts, Evan Warren Pratten, chromium-os-dev
do you see anything in `dmesg` ?

can you modify files in /etc ?
-mike

Harry Cutts

unread,
Sep 20, 2018, 9:26:58 PM9/20/18
to vap...@chromium.org, Evan Warren Pratten, chromiu...@chromium.org
The following appears in `dmesg` on the Samus when I run update_kernel.sh on my dev machine:

[14498.009494] EXT4-fs (sda5): re-mounted. Opts: 
[14498.150737] audit: type=1400 audit(1537492900.908:598): avc:  denied  { associate } for  pid=18247 comm="rsync" name=".vmlinuz.18247" scontext=u:object_r:rootfs:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
[14498.191327] audit: type=1400 audit(1537492900.949:599): avc:  denied  { associate } for  pid=18248 comm="rsync" name=".System.map-3.14.0.Ss29E6" scontext=u:object_r:rootfs:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
[14498.220222] audit: type=1400 audit(1537492900.978:600): avc:  denied  { associate } for  pid=18248 comm="rsync" name=".System.map-4.14.59.mv1FSY" scontext=u:object_r:rootfs:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
[14498.235488] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[14498.243356] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[14498.254363] audit: type=1400 audit(1537492901.012:601): avc:  denied  { associate } for  pid=18248 comm="rsync" name=".config-3.14.0.wyLIbR" scontext=u:object_r:rootfs:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
[14498.255457] audit: type=1400 audit(1537492901.013:602): avc:  denied  { associate } for  pid=18248 comm="rsync" name=".config-4.14.59.8xrWuJ" scontext=u:object_r:rootfs:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
[14498.262983] audit: type=1400 audit(1537492901.020:603): avc:  denied  { associate } for  pid=18248 comm="rsync" name=".vmlinuz-3.14.0.a7PnPB" scontext=u:object_r:rootfs:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
[14498.281175] audit: type=1400 audit(1537492901.038:604): avc:  denied  { associate } for  pid=18248 comm="rsync" name=".vmlinuz-4.14.59.CfBLcu" scontext=u:object_r:rootfs:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
[14498.610238] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[14498.616976] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[14498.962536] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[14498.968270] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[14499.316847] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[14499.324567] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[14499.672139] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[14499.677840] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[14500.019420] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[14500.026118] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs

I can't create new files in /etc, even as root, but I can modify them (I tried with /etc/profile).

Harry Cutts
Chrome OS Touch/Input team

Mike Frysinger

unread,
Sep 20, 2018, 9:48:15 PM9/20/18
to Harry Cutts, Evan Warren Pratten, chromium-os-dev
that shouldn't be happening.  i've updated crbug.com/874980 with your details.

i think you can workaround it by running `setenforce 0` on the system.
-mike

Harry Cutts

unread,
Sep 21, 2018, 1:24:34 PM9/21/18
to vap...@chromium.org, Evan Warren Pratten, chromiu...@chromium.org
Yep, `setenforce 0` fixes the errors, and I've verified that it's now running the new kernel. Thanks Mike!

Harry Cutts
Chrome OS Touch/Input team

Reply all
Reply to author
Forward
This conversation is locked
You cannot reply and perform actions on locked conversations.
0 new messages