AppArmor "DENIED" operation="capable" with capability="setgid" for snap

nayan · May 22, 2024, 10:43am

Hi Snapcraft community,

I’m experiencing an AppArmor denial issue with my snap, and I’m seeking advice on how to properly address it.

Time: May 22 10:03:01
Log: apparmor="DENIED" operation="capable" profile="snap.test-app.LogApp" pid=19548 comm="logrotate" capability=6  capname="setgid"
Capability: setgid
Suggestions:
* adjust program to not require 'CAP_SETGID' (see 'man 7 capabilities')
* add one of 'ppp' to 'plugs'
* do nothing if program otherwise works properly

I would appreciate any insights or suggestions on how to proceed with resolving this denial.

KhazAkar · May 24, 2024, 8:27am

You can do 2 things:

Install your snap using --devmode flag
Run snappy-debug

Here is nice doc about it: Debugging snaps | Snapcraft documentation

zyga · May 24, 2024, 10:18am

Which group ID is your application trying to use? Snapd cannot use arbitrary groups - only root or one of the special non-root vaules like _daemon_