Aws-iot-greengrass on Debian Buster failed to exec onto a write-sealed clone: permission denied

# snap install aws-iot-greengrass
# snap set aws-iot-greengrass gg-certs=/path/to/cert.tar.gz
Jan 25 10:39:16 debian systemd[1]: Stopped Service for snap application aws-iot-greengrass.greengrassd.
Jan 25 10:39:16 debian systemd[1]: Starting Service for snap application aws-iot-greengrass.greengrassd...
Jan 25 10:39:17 debian aws-iot-greengrass.greengrassd[7533]: Setting up greengrass daemon
Jan 25 10:39:17 debian aws-iot-greengrass.greengrassd[7533]: Validating hardlink/softlink protection
Jan 25 10:39:17 debian aws-iot-greengrass.greengrassd[7533]: Waiting for up to 16m50s for Daemon to start
Jan 25 10:39:17 debian audit[7595]: AVC apparmor="DENIED" operation="exec" profile="snap.aws-iot-greengrass.greengrassd" name="/" pid=7595 comm="daemon" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jan 25 10:39:17 debian kernel: audit: type=1400 audit(1579977557.170:285): apparmor="DENIED" operation="exec" profile="snap.aws-iot-greengrass.greengrassd" name="/" pid=7595 comm="daemon" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jan 25 10:39:17 debian aws-iot-greengrass.greengrassd[7533]: panic: failed to exec onto a write-sealed clone: permission denied
Jan 25 10:39:17 debian aws-iot-greengrass.greengrassd[7533]: goroutine 1 [running]:
Jan 25 10:39:17 debian aws-iot-greengrass.greengrassd[7533]: amazonaws.com/iot/greengrass/system/cloneBinary.ensureSelfCloned(0xcedb5c, 0x13)
Jan 25 10:39:17 debian aws-iot-greengrass.greengrassd[7533]:         /opt/src/src/amazonaws.com/iot/greengrass/system/cloneBinary/cloneBinary.go:105 +0x20a
Jan 25 10:39:17 debian aws-iot-greengrass.greengrassd[7533]: The Greengrass daemon process with [pid = 7595] died
Jan 25 10:39:17 debian aws-iot-greengrass.greengrassd[7533]: Error running the command - exit status 1
Jan 25 10:39:17 debian aws-iot-greengrass.greengrassd[7533]: Error running the reexec.Command - exit status 1
Jan 25 10:39:17 debian systemd[1]: snap.aws-iot-greengrass.greengrassd.service: Control process exited, code=exited, status=1/FAILURE
Jan 25 10:39:17 debian systemd[1]: snap.aws-iot-greengrass.greengrassd.service: Failed with result 'exit-code'.
Jan 25 10:39:17 debian systemd[1]: Failed to start Service for snap application aws-iot-greengrass.greengrassd.
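To spot this failure mode in a journal, here is an added example (not from this thread, snapd or Greengrass) that parses AppArmor AVC lines into key/value fields and flags the exec denial with name="/" shown above, de-duplicating the audit[] and kernel: copies of the same event; the sample lines are constructed from the post.

```python
import re

# Constructed sample journal excerpt modelled on the lines in the post above.
SAMPLE_JOURNAL = """\
Jan 25 10:39:17 debian aws-iot-greengrass.greengrassd[7533]: Validating hardlink/softlink protection
Jan 25 10:39:17 debian audit[7595]: AVC apparmor="DENIED" operation="exec" profile="snap.aws-iot-greengrass.greengrassd" name="/" pid=7595 comm="daemon" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jan 25 10:39:17 debian kernel: audit: type=1400 audit(1579977557.170:285): apparmor="DENIED" operation="exec" profile="snap.aws-iot-greengrass.greengrassd" name="/" pid=7595 comm="daemon" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jan 25 10:39:18 debian audit[7601]: AVC apparmor="ALLOWED" operation="open" profile="snap.example.app" name="/etc/hosts" pid=7601 comm="app" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs, either quoted ("...") or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_event(line):
    """Return a dict of fields for a line carrying an AppArmor event, else None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def is_sealed_clone_exec_denial(ev):
    """Match the signature from the post: exec denied, name="/", mask "x".
    The daemon's re-exec of its sealed self-clone surfaces to AppArmor with
    name="/" rather than a filesystem path, so this is the field to key on."""
    return (ev.get('apparmor') == 'DENIED'
            and ev.get('operation') == 'exec'
            and ev.get('name') == '/'
            and 'x' in ev.get('denied_mask', ''))


def find_denials(journal_text):
    """Return one event per (profile, pid) matching the denial signature."""
    seen = set()
    hits = []
    for line in journal_text.splitlines():
        ev = parse_apparmor_event(line)
        if ev is None or not is_sealed_clone_exec_denial(ev):
            continue
        key = (ev.get('profile'), ev.get('pid'))  # audit and kernel lines repeat the same event
        if key in seen:
            continue
        seen.add(key)
        hits.append(ev)
    return hits


if __name__ == '__main__':
    for ev in find_denials(SAMPLE_JOURNAL):
        print(f"profile={ev['profile']} pid={ev['pid']} comm={ev['comm']}: exec on {ev['name']} denied")
```

On a live system the same function can be fed the output of `journalctl -k` or `journalctl _TRANSPORT=audit`.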

What is the output of snap version for you?

snap    2.42.5
snapd   2.42.5
series  16
debian  10
kernel  4.19.0-6-amd64

Well this access should be allowed by snapd 2.38+, as you can see here: https://github.com/snapcore/snapd/pull/6162/commits/aa6607e8e5a6a72b35feec7ba6ac5ba738716b5d.

It’s possible that the version of apparmor on debian buster is not sufficient to handle this rule. Have you tried on a different OS?

No I just have Debian buster.

I’m not able to reproduce this on Ubuntu desktop. Can you put the contents of /var/lib/snapd/apparmor/profiles/snap.aws-iot-greengrass.greengrassd into a pastebin link here to look at? While unlikely, it is possible that your snapd for whatever reason doesn’t contain those rules.