Pycharm-community IDE getting D-BUS AppArmor denials


Could someone explain to me why the pycharm-community IDE snap, which has classic confinement, gets restricted by apparmor in the following situation?

  • I have a Python script that tries to access the org.freedesktop.DBus.Introspectable D-Bus interface of spotify (which is a snap, strict, but I don’t think that should matter), at /org/mpris/MediaPlayer2. The library that makes the D-Bus calls uses introspection for everything.
  • I want to run or debug the above script through the IDE, but I get denials like this:

Dec 25 15:01:37 dbus-daemon[3643]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/mpris/MediaPlayer2" interface="org.freedesktop.DBus.Introspectable" member="Introspect" name=":1.284" mask="receive" pid=17246 label="snap.spotify.spotify" peer_pid=17188 peer_label="snap.pycharm-community.pycharm-community"

If I run the script outside the IDE, everything works. Is D-Bus introspection disallowed even on classic snaps?

What’s really odd, from a user/developer point of view, is that I am trying to run or debug a program through an IDE (which happens to be a classic snap), and I am getting blocked because the IDE doesn’t have some kind of permission, rather than my own program. That’s painful, because a developer might use such an IDE to write and debug code, without any intention of creating a snap (they are just using the IDE).

I do understand that any child process started by the IDE will have the same restrictions as the IDE itself, but it doesn’t seem right that such restrictions should exist in this case. I’m wondering if there is something the publisher can do in the pycharm-community snap config to mitigate this, or if this is a snapd problem.