Cannot create directory /tmp/snap.rootfs_*/var/lib/snapd/lib/gl32: Permission denied

snap 2.32.1
snapd 2.32.1
series 16
ubuntu 17.10
kernel 4.13.0-38-generic

I’ve installed termius-app with “snap install termius-app”. When I try to run termius-app from the launcher, it does not launch. When I try to run either “termius-app” or “snap run termius-app” from the terminal, I get the following error:

cannot create directory /tmp/snap.rootfs_fS2lG0/var/lib/snapd/lib/gl32: Permission denied

Same here on Ubuntu 16.04 with other apps like obs-studio and wavebox.

Here are all the folders with their access rights:

sudo ls -la /tmp/snap.rootfs_*                                                                                                                                                                                                        /tmp
/tmp/snap.rootfs_6JPZkw:
total 44
drwx------  2 root igor  4096 Apr  4 22:56 .
drwxrwxrwt 26 root root 36864 Apr  4 23:02 ..

/tmp/snap.rootfs_96C1iC:
total 44
drwx------  2 root igor  4096 Apr  4 22:47 .
drwxrwxrwt 26 root root 36864 Apr  4 23:02 ..

/tmp/snap.rootfs_cbnnqS:
total 44
drwx------  2 root igor  4096 Apr  4 22:50 .
drwxrwxrwt 26 root root 36864 Apr  4 23:02 ..

/tmp/snap.rootfs_EjrJI1:
total 44
drwx------  2 root igor  4096 Apr  4 23:00 .
drwxrwxrwt 26 root root 36864 Apr  4 23:02 ..

/tmp/snap.rootfs_HaXvcg:
total 44
drwx------  2 root igor  4096 Apr  4 22:50 .
drwxrwxrwt 26 root root 36864 Apr  4 23:02 ..

/tmp/snap.rootfs_taDQOQ:
total 44
drwx------  2 root igor  4096 Apr  4 22:46 .
drwxrwxrwt 26 root root 36864 Apr  4 23:02 ..

/tmp/snap.rootfs_udaGdb:
total 44
drwx------  2 root igor  4096 Apr  4 22:49 .
drwxrwxrwt 26 root root 36864 Apr  4 23:02 ..

/tmp/snap.rootfs_V3itzh:
total 44
drwx------  2 root root  4096 Apr  4 22:56 .
drwxrwxrwt 26 root root 36864 Apr  4 23:02 ..

/tmp/snap.rootfs_WsVZSk:
total 48
drwx------  3 root igor  4096 Apr  4 23:00 .
drwxrwxrwt 26 root root 36864 Apr  4 23:02 ..
drwxr-xr-x  3 root root  4096 Apr  4 23:00 var

I also cannot remove them with sudo, as a "device is busy" error pops up.

Can you please paste the apparmor denial (apt-get install pastebinit):

dmesg | grep DENIED | pastebinit

As well as the apparmor profile for snap confine:

for f in /etc/apparmor.d/*.snap-confine*; do echo $f; pastebinit $f; done

Here are the results:



I ran into the same issue here; a temporary workaround is to edit /var/lib/snapd/apparmor/snap-confine/fix-gl32 and put this in there:

/tmp/*** rw,

Then run /etc/init.d/apparmor reload and things should work again. This is obviously not a proper fix for the problem, but a working workaround here.

stgraber: That works for now, thanks!

That path should have been created by the snapd package on the host. Can you run dpkg -l snapd and dpkg -L snapd?

dpkg -l snapd: https://paste.ubuntu.com/p/4MxF3ZXkgD/

dpkg -L snapd: https://paste.ubuntu.com/p/PWbb5cQySY/

Can anyone affected by this paste dmesg | grep DENIED, please?

Sure, here you go:

[19425.433375] audit: type=1400 audit(1522940618.244:81): apparmor="DENIED" operation="capable" profile="/snap/core/4327/usr/lib/snapd/snap-confine" pid=12966 comm="snap-confine" capability=2  capname="dac_read_search"
[19425.434641] audit: type=1400 audit(1522940618.246:82): apparmor="DENIED" operation="mkdir" profile="/snap/core/4327/usr/lib/snapd/snap-confine" name="/tmp/snap.rootfs_quC0oX/var/lib/snapd/lib/gl32/" pid=12966 comm="snap-confine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

This is trying to run wavebox that fails with an error:

cannot create directory /tmp/snap.rootfs_quC0oX/var/lib/snapd/lib/gl32: Permission denied

UPD: as for your other request, running

for f in /etc/apparmor.d/*.snap-confine*; do echo $f; pastebinit $f; done

results in

/etc/apparmor.d/snap.core.4327.usr.lib.snapd.snap-confine
/etc/apparmor.d/usr.lib.snapd.snap-confine.real

Can you please edit /etc/apparmor.d/snap.core.4327.usr.lib.snapd.snap-confine and add (before the final }) the following two lines:

capability dac_read_search,
/tmp/snap.*/var/lib/snapd/lib/gl32/ rw,

Then run apparmor_parser -r /etc/apparmor.d/snap.core.4327.usr.lib.snapd.snap-confine and retry?

EDITED to include the trailing / in the directory name

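An added example, not part of the thread or of snapd: a small Python triage script that parses the two AppArmor denial lines posted above and derives narrow candidate profile rules from them, in the spirit of the two-line fix just proposed. The `/tmp/snap.rootfs_<random>` pattern and the mask-to-permission table are assumptions of this example.

```python
import re

# The two denial lines posted in the thread, embedded so the example runs offline.
SAMPLE_DMESG = r'''
[19425.433375] audit: type=1400 audit(1522940618.244:81): apparmor="DENIED" operation="capable" profile="/snap/core/4327/usr/lib/snapd/snap-confine" pid=12966 comm="snap-confine" capability=2  capname="dac_read_search"
[19425.434641] audit: type=1400 audit(1522940618.246:82): apparmor="DENIED" operation="mkdir" profile="/snap/core/4327/usr/lib/snapd/snap-confine" name="/tmp/snap.rootfs_quC0oX/var/lib/snapd/lib/gl32/" pid=12966 comm="snap-confine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log masks -> profile permissions; create (c) and delete (d) are granted by "w".
# Exec denials (x) are skipped because a rule needs an explicit transition mode.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "m": "m", "k": "k", "l": "l"}
# Assumption: snap-confine scratch roots look like /tmp/snap.rootfs_<random>.
ROOTFS = re.compile(r"^/tmp/snap\.rootfs_[^/]+")


def parse_denials(text):
    """Return one dict of key=value fields per apparmor="DENIED" line."""
    events = []
    for line in text.splitlines():
        fields = {k: q or u for k, q, u in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            events.append(fields)
    return events


def suggest_rules(events):
    """Map each denial to a narrow candidate rule, grouped by profile."""
    rules = {}
    for ev in events:
        if ev.get("operation") == "capable" and "capname" in ev:
            rule = "capability %s," % ev["capname"]
        else:
            perms = "".join(sorted({MASK_TO_PERM[c] for c in ev.get("denied_mask", "")
                                    if c in MASK_TO_PERM}))
            if "name" not in ev or not perms:
                continue
            # Keep a trailing "/" (directory rule); wildcard only the random suffix.
            rule = "%s %s," % (ROOTFS.sub("/tmp/snap.rootfs_*", ev["name"]), perms)
        bucket = rules.setdefault(ev.get("profile", "unknown"), [])
        if rule not in bucket:
            bucket.append(rule)
    return rules


if __name__ == "__main__":
    for profile, lines in suggest_rules(parse_denials(SAMPLE_DMESG)).items():
        print(profile)
        for line in lines:
            print("  " + line)
```

For the mkdir denial this yields a `w`-only rule on the gl32 directory, which is narrower than the `rw` rule suggested in the thread and much narrower than the `/tmp/*** rw,` workaround. Treat the output as candidates to review before loading anything with apparmor_parser -r.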

I found the bug in the profile. I will fix this shortly

This solves the issue with gl32 that had no access rights, and now the issue is:

cannot create tmpfs target /tmp/snap.rootfs_XE9OKd/var/lib/snapd/lib/vulkan: Permission denied

The vulkan side of the issue should be fixed in the edge version of snap (snap refresh core --edge).

Try that please (you will have to re-edit the two lines in the new file name though, the core revision number will change)

@zyga-snapd what’s special about this case that does not get caught in https://github.com/snapcore/snapd/pull/4992 (or just the existing tests/main/interfaces-opengl-nvidia test)?

Works 👍 Did not need to modify any other files for this.

@mborzecki https://github.com/snapcore/snapd/pull/4993

Did a little digging as I kept wondering why this problem came up only now. The commit that works around flaky packaging and creates /var/lib/snapd/lib/{gl,gl32,vulkan} as needed is part of 2.32 and later.

I suspect it only happens with old snapd that didn’t have those directories and recent enough core. Core re-executes but the missing directories are created on demand. If you had them you would not run into the problem. If you didn’t have them, boom.

This fix will be in 2.32.3 release 🙂