We are using dbus-run-session to start a private session bus.
We would like to just keep the apps on a private session bus rather than expose them on the system bus.
The snap is running in --devmode.
I have plugs and slots configured in the snapcraft.yaml file and they are connecting and working.
The logs are being spammed by this message:
Jul 21 08:55:26 localhost kernel: [ 6824.928999] audit: type=1400 audit(1532163326.786:642152): apparmor=“ALLOWED” operation=“open” profile=“snap.com.xxx.xxx-run//null-/usr/bin/dbus-run-session//null-/usr/bin/dbus-daemon” name="/sys/kernel/security/apparmor/.access" pid=17146 comm=“dbus-daemon” requested_mask=“wr” denied_mask=“wr” fsuid=0 ouid=0
I am interpreting this to mean that our xxx-run shell script has spawned a dbus-run-session, and that has spawned a dbus-daemon.
The dbus-daemon wants rw access to /sys/kernel/security/apparmor/.access
The logging is happening because we are in --devmode for the snap install, so it is being allowed, but to progress out of --devmode we need to get the apparmor profiles corrected.
I can’t figure out which interface to use to allow the dbus-daemon read/write access to /sys/kernel/security/apparmor/.access
I’ve not even figured out how to edit the apparmor profiles in /var/lib/snapd/apparmor/profiles
to get a one-time manually edited profile.