Hoping for some help debugging this issue.
I’m having some trouble with snaps that make use of content snaps (such as gnome-3-38-2004), and presumably also other snaps that make use of the snapd-snap.socket interface, failing to run:
❯ snap-store
error: cannot communicate with server: Post http://localhost/v2/snapctl: dial unix /run/snapd-snap.socket: socket: permission denied
ERROR: not connected to the gnome-3-38-2004 content interface.
[1] 62850 exit 1 snap-store
I can confirm that snapd is running, that the /run/snapd-snap.socket exists, and that its permissions (root:root srw-rw-rw-) should allow access. Rather, I’m getting an AppArmor denial, and I’m not sure why:
[16479.428515] audit: type=1400 audit(1666655750.790:5968): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 profile="snap.snap-store.snap-store" pid=63588 comm="getent" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[16479.431623] audit: type=1400 audit(1666655750.810:5969): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 profile="snap.snap-store.snap-store" pid=63588 comm="getent" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[16480.922498] audit: type=1400 audit(1666655752.300:5970): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 profile="snap.snap-store.snap-store" pid=63595 comm="snapctl" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
Any thoughts would be much appreciated!
Supplementary information follows, starting with the output of snap connections snap-store:
Interface                 Plug                                      Slot                             Notes
appstream-metadata        snap-store:appstream-metadata             :appstream-metadata              -
content[gnome-3-38-2004]  snap-store:gnome-3-38-2004                gnome-3-38-2004:gnome-3-38-2004  -
content[gtk-3-themes]     snap-store:gtk-3-themes                   gtk-common-themes:gtk-3-themes   -
content[icon-themes]      snap-store:icon-themes                    gtk-common-themes:icon-themes    -
content[sound-themes]     snap-store:sound-themes                   gtk-common-themes:sound-themes   -
dbus                      -                                         snap-store:packagekit-svc        -
dbus                      -                                         snap-store:snap-store            -
desktop                   snap-store:desktop                        :desktop                         -
desktop-legacy            snap-store:desktop-legacy                 :desktop-legacy                  -
fwupd                     snap-store:fwupd                          :fwupd                           -
gsettings                 snap-store:gsettings                      :gsettings                       -
network                   snap-store:network                        :network                         -
network-manager           snap-store:network-manager                -                                -
network-status            snap-store:network-status                 :network-status                  -
opengl                    snap-store:opengl                         :opengl                          -
packagekit-control        snap-store:packagekit-control             :packagekit-control              -
password-manager-service  snap-store:password-manager-service       :password-manager-service        -
personal-files            snap-store:dot-snap-auth-json             -                                -
snapd-control             snap-store:snapd-control                  :snapd-control                   -
system-files              snap-store:hostfs-usr-share-applications  :system-files                    -
system-observe            snap-store:system-observe                 :system-observe                  -
upower-observe            snap-store:upower-observe                 :upower-observe                  -
wayland                   snap-store:wayland                        :wayland                         -
x11                       snap-store:x11                            :x11                             -
snap version:
snap 2.57.5
snapd unavailable
series 16
Windows Subsystem for Linux -
kernel 5.15.68.1-20221008-2-microsoft-custom-WSL2+ (amd64)
and confinement information:
❯ snap debug confinement
strict
❯ snap debug sandbox-features
apparmor: kernel:caps kernel:dbus kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:cap-audit-read parser:cap-bpf parser:qipcrtr-socket parser:unsafe policy:default support-level:full
confinement-options: classic devmode strict
dbus: mediated-bus-access
kmod: mediated-modprobe
mount: freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp: bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev: device-cgroup-v1 device-filtering tagging
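A triage helper for denial records like the ones quoted in the post, as an added example that is not part of the original post: it parses kernel audit type=1400 AppArmor lines, decodes the error number, and groups repeated denials by what was refused. The function names are hypothetical, and the sample input is the three records from the post.

```python
import errno
import re
from collections import Counter
from datetime import datetime, timezone

# Sample input: the three denial records quoted in the post.
SAMPLE = '''\
[16479.428515] audit: type=1400 audit(1666655750.790:5968): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 profile="snap.snap-store.snap-store" pid=63588 comm="getent" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[16479.431623] audit: type=1400 audit(1666655750.810:5969): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 profile="snap.snap-store.snap-store" pid=63588 comm="getent" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[16480.922498] audit: type=1400 audit(1666655752.300:5970): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 profile="snap.snap-store.snap-store" pid=63595 comm="snapctl" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
'''

# audit(<epoch seconds>.<millis>:<serial>): followed by key=value pairs
HEADER = re.compile(r'audit: type=(\d+) audit\((\d+)\.(\d+):(\d+)\):\s*(.*)')
# Values are either double-quoted (may contain spaces) or bare tokens.
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_record(line):
    """Return a dict for one AppArmor audit line (type 1400), else None."""
    m = HEADER.search(line)
    if not m or m.group(1) != "1400":
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(m.group(5))}
    if "apparmor" not in rec:
        return None
    rec["time"] = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
    rec["serial"] = int(m.group(4))
    if "error" in rec:  # the kernel logs a negative errno, e.g. -13
        rec["errno"] = errno.errorcode.get(abs(int(rec["error"])), rec["error"])
    return rec

def summarize(text):
    """Count DENIED records per (profile, comm, operation, family, sock_type, errno)."""
    groups = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec["apparmor"] == "DENIED":
            groups[tuple(rec.get(k) for k in
                   ("profile", "comm", "operation", "family", "sock_type", "errno"))] += 1
    return groups

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, *key)
```

On the records above, both groups (getent and snapctl) show EACCES on operation "create" for a unix stream socket with addr=none, meaning the denial is logged when the socket is created rather than against a socket path.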