For one snap app, it is not possible to select a network share mounted at a sub-directory of /media as the storage location for user project files. The snap app's permissions were checked using the Snap Store app, and it was ensured that “Read/write files on removable storage devices” is enabled. This is not sufficient for the snap app user to get access to /media from the app. Possibly “Read/write files on removable storage devices” refers to /mnt but not to /media. A long series of apparmor="DENIED" entries was identified in the journal for that app:
audit: type=1400 audit(1693816489.397:158): apparmor="DENIED" operation="capable" profile="snap.zotero-snap.zotero-snap" pid=2223 comm="zotero-bin" capability=21 capname="sys_admin"
audit: type=1400 audit(1693816489.917:159): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/proc/2223/net/arp" pid=2223 comm=4C696E6B204D6F6E69746F72 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693816602.101:187): apparmor="DENIED" operation="capable" profile="snap.zotero-snap.zotero-snap" pid=2702 comm="zotero-bin" capability=21 capname="sys_admin"
audit: type=1400 audit(1693816602.297:189): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/proc/2702/net/arp" pid=2702 comm=4C696E6B204D6F6E69746F72 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693816723.924:206): apparmor="DENIED" operation="capable" profile="snap.zotero-snap.zotero-snap" pid=3054 comm="zotero-bin" capability=21 capname="sys_admin"
audit: type=1400 audit(1693816875.871:210): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/proc/3269/net/arp" pid=3269 comm=4C696E6B204D6F6E69746F72 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693817050.454:221): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/etc/fstab" pid=3269 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693817050.454:222): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/run/mount/utab" pid=3269 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693817050.644:223): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/run/mount/utab" pid=3269 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693817053.647:224): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/media/" pid=3269 comm="pool-zotero" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693817125.681:226): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/etc/fstab" pid=3269 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693817125.711:227): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/run/mount/utab" pid=3269 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693817125.717:228): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/etc/fstab" pid=3269 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693817125.721:229): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/run/mount/utab" pid=3269 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693817173.447:241): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/run/mount/utab" pid=3269 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693817181.871:242): apparmor="DENIED" operation="capable" profile="snap.zotero-snap.zotero-snap" pid=3768 comm="zotero-bin" capability=21 capname="sys_admin"
audit: type=1400 audit(1693817182.061:244): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/proc/3768/net/arp" pid=3768 comm=4C696E6B204D6F6E69746F72 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693817191.894:254): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/etc/fstab" pid=3768 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693817191.897:255): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/run/mount/utab" pid=3768 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693817192.031:256): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/run/mount/utab" pid=3768 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693817243.527:258): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/run/mount/utab" pid=3768 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693818158.817:272): apparmor="DENIED" operation="capable" profile="snap.zotero-snap.zotero-snap" pid=4966 comm="zotero-bin" capability=21 capname="sys_admin"
audit: type=1400 audit(1693818159.027:274): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/proc/4966/net/arp" pid=4966 comm=4C696E6B204D6F6E69746F72 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693818167.311:284): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/etc/fstab" pid=4966 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693818167.314:285): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/run/mount/utab" pid=4966 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693818167.437:286): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/run/mount/utab" pid=4966 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693818194.954:289): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/run/mount/utab" pid=4966 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693818225.921:291): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/etc/fstab" pid=4966 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693818225.924:292): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/run/mount/utab" pid=4966 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693818226.137:293): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/run/mount/utab" pid=4966 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693818226.167:294): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/run/mount/utab" pid=4966 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693818227.774:295): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/run/mount/utab" pid=4966 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693818228.911:296): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/run/mount/utab" pid=4966 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Next, the AppArmor profile files for that app were checked. The following line was found in one of the three profile files:
# Don't allow bind mounts to /media which has special
# sharing and propagates mount events outside of the snap namespace.
audit deny mount -> /media,
It is hard to understand the rationale behind this line, as we are no experts in snap technology. What should the optimal modification of the AppArmor profile look like in order to enable read/write access to one subfolder of /media?
Snap app maintainer: https://github.com/zotero/zotero
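
An added example, not part of the original post: a small Python triage script that groups AppArmor denials like those in the journal excerpt above by profile, operation and target, and decodes the hex-encoded `comm` field. The function names are illustrative, and the sample input is six lines taken verbatim from the excerpt.

```python
import re
from collections import Counter

# Sample input: six lines taken verbatim from the journal excerpt in the post.
SAMPLE = """\
audit: type=1400 audit(1693816489.397:158): apparmor="DENIED" operation="capable" profile="snap.zotero-snap.zotero-snap" pid=2223 comm="zotero-bin" capability=21 capname="sys_admin"
audit: type=1400 audit(1693816489.917:159): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/proc/2223/net/arp" pid=2223 comm=4C696E6B204D6F6E69746F72 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693817050.454:221): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/etc/fstab" pid=3269 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693817050.454:222): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/run/mount/utab" pid=3269 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693817050.644:223): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/run/mount/utab" pid=3269 comm="zotero-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1693817053.647:224): apparmor="DENIED" operation="open" profile="snap.zotero-snap.zotero-snap" name="/media/" pid=3269 comm="pool-zotero" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Parse one AppArmor audit record into a dict; None if not a denial."""
    if 'apparmor="DENIED"' not in line:
        return None
    rec = {}
    for key, raw, quoted in FIELD.findall(line):
        value = quoted if raw.startswith('"') else raw
        # The audit subsystem hex-encodes comm/name values that contain
        # spaces or other special characters and leaves them unquoted.
        if key in ("comm", "name") and not raw.startswith('"'):
            try:
                value = bytes.fromhex(raw).decode("utf-8", "replace")
            except ValueError:
                pass  # not hex after all: keep the raw token
        rec[key] = value
    return rec

def summarize(text):
    """Count denials per (profile, operation, target)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            target = rec.get("name") or rec.get("capname", "?")
            counts[(rec["profile"], rec["operation"], target)] += 1
    return counts

def targets_under(counts, prefix):
    """Denied paths at or below a directory prefix such as /media."""
    root = prefix.rstrip("/") + "/"
    return sorted({t for _, _, t in counts if t.startswith(root)})

if __name__ == "__main__":
    for (profile, op, target), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {op:8s} {target}  [{profile}]")
```

Run over the full journal, this separates the single denial on `/media/` from the repeated `/etc/fstab`, `/run/mount/utab` and `sys_admin` entries, which makes it easier to see which denial corresponds to the storage selection step.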