AppArmor "DENIED" operation="capable" with capability="setgid" for snap

Hi Snapcraft community,

I’m experiencing an AppArmor denial issue with my snap, and I’m seeking advice on how to properly address it.

Time: May 22 10:03:01
Log: apparmor="DENIED" operation="capable" profile="snap.test-app.LogApp" pid=19548 comm="logrotate" capability=6  capname="setgid"
Capability: setgid
* adjust program to not require 'CAP_SETGID' (see 'man 7 capabilities')
* add one of 'ppp' to 'plugs'
* do nothing if program otherwise works properly

I would appreciate any insights or suggestions on how to proceed with resolving this denial.

You can do 2 things:

  1. Install your snap using --devmode flag
  2. Run snappy-debug

Here is nice doc about it: Debugging snaps | Snapcraft documentation

Which group ID is your application trying to use? Snapd cannot use arbitrary groups - only root or one of the special non-root vaules like _daemon_