Post-refresh hook generating a confinement warning

Hi, I have a post-refresh hook in place for my snap. It generates the following strict confinement warning:

Log: apparmor="ALLOWED" operation="capable" info="optional: no audit" error=-1 profile="snap.epi-zaphost.hook.post-refresh" pid=31521 comm="snap-exec" capability=12 capname="net_admin"

Capability: net_admin

Suggestions:

I removed everything from my post-refresh hook script, but it seems just the presence of the script causes the warning. Is there a known issue here? Because the operation is ALLOWED, does it mean I can ignore it?

I don’t have an answer right now, but it might help others who read this post for you to paste the output from:

  • sudo snap version
  • sudo snap debug confinement, and
  • sudo snap debug sandbox-features

These should help understand the state of your system and which OS you're running. When pasting, add triple backticks (```) above and below the paste so that the formatting is preserved (though these particular pastes shouldn't need that).

I build my snap with confinement:strict in the snapcraft.yaml file. I install my snap with --devmode and it is in this way I receive the warning. If I install my snap with --dangerous I do not receive the warning.

Here is the requested information:

```
ubuntu@ubuntu:~/INSTALL$ sudo snap version
snap    2.51.4
snapd   2.51.4
series  16
ubuntu  20.04
kernel  5.4.0-1042-raspi
ubuntu@ubuntu:~/INSTALL$ sudo snap debug confinement
strict
ubuntu@ubuntu:~/INSTALL$ sudo snap debug sandbox-features
apparmor:             kernel:caps kernel:dbus kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:full
confinement-options:  classic devmode strict
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 device-cgroup-v1 device-filtering tagging
```

Yes, you can; you asked it to allow it when installing with the --devmode switch … if it does not produce any error without --devmode, this is just some log spam from AppArmor's audit mode but not doing any harm.
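An added helper (not from this thread or from snapd) that parses snappy-debug style AppArmor audit lines like the one quoted above and sorts them into complain-mode `ALLOWED` entries (what strict confinement would have denied), real `DENIED` entries, and unaudited capability probes. The sample log is constructed; the `optional: no audit` handling assumes the kernel tags non-auditing capability probes that way only when the profile is in complain mode.

```python
import re
from collections import Counter

# Constructed sample. The first line mirrors the one quoted in the thread; the
# other two are made up to show a file access in complain mode and a real denial.
SAMPLE_LOG = """\
apparmor="ALLOWED" operation="capable" info="optional: no audit" error=-1 profile="snap.epi-zaphost.hook.post-refresh" pid=31521 comm="snap-exec" capability=12 capname="net_admin"
apparmor="ALLOWED" operation="open" profile="snap.epi-zaphost.hook.post-refresh" name="/etc/hosts" pid=31522 comm="cat" requested_mask="r" denied_mask="r"
apparmor="DENIED" operation="capable" profile="snap.epi-zaphost.epi" pid=31600 comm="epi" capability=12 capname="net_admin"
"""

# key=value pairs; values are either double-quoted strings or bare tokens (e.g. error=-1)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one AppArmor audit line into a dict with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(entry):
    """Verdict for one parsed entry.

    - 'optional: no audit' on a capable check: the caller only probed for the
      capability; under strict confinement the probe just returns false and
      nothing is logged (assumption: only complain mode emits this tag).
    - ALLOWED: profile in complain mode (--devmode), action went ahead but would
      have been denied under strict confinement.
    - DENIED: a real denial under strict confinement.
    """
    if entry.get("info") == "optional: no audit":
        return "harmless-probe"
    if entry.get("apparmor") == "ALLOWED":
        return "would-deny-in-strict"
    if entry.get("apparmor") == "DENIED":
        return "denied"
    return "other"


def summarize(log_text):
    """Count entries by (profile, verdict, resource) so noise and real problems separate."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if "apparmor" not in e:
            continue  # not an AppArmor audit line
        resource = e.get("capname") or e.get("name") or e.get("operation")
        counts[(e.get("profile"), classify(e), resource)] += 1
    return counts
```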

OK, good to know, thank you.