The error output actually comes from snappy-debug.security scanlog – but unfortunately, no suggestions are provided. I also thought it would be unrelated to NM at first, but the error pops up each time my backend application tries to interact with NM.
What’s more problematic is that running any nmcli command from within my strict confined snap (e. g. sudo my-snap.app) results in this error when called directly:
Error: Could not create NMClient object: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.1910" (uid=0 pid=24265 comm="/snap/my-snap/x1/bin/nmcli -f NAME c show -" label="snap.my-snap.nmcli-cmd (enforce)") interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" error name="(unset)" requested_reply="0" destination=":1.13" (uid=0 pid=1556 comm="/usr/sbin/NetworkManager --no-daemon " label="unconfined").
As you can see, my nmcli-cmd app runs as root and calls the bundled nmcli.
The nmcli-cmd app is a shell script:
#!/bin/sh
$SNAP/bin/nmcli -f NAME c show --active
I’ve also dis- and reconnected the network-manager:service interface multiple times, to no avail.
Could it in fact be the nmcli version mismatch? Would sending DBus calls directly work around this problem? I’ve ran some quick tests with dbus-send and they do not seem to throw errors, but I’m completely new to DBus calls.