Slack snap won't install: "cannot create writable mimic over /etc: cannot open file /etc/passwd: permission denied"

When I try to install Slack:

# snap install slack
error: cannot perform the following tasks:
- Run configure hook of "slack" snap if present (run hook "configure": 
-----
cannot update snap namespace: cannot create writable mimic over "/etc": cannot open file "/etc/passwd": permission denied
snap-update-ns failed with code 1
-----)

This is on RHEL 7.9, with snap installed via EPEL.

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.9 (Maipo)

# yum info snapd
Loaded plugins: enabled_repos_upload, langpacks, nvidia, package_upload, product-id, search-disabled-repos, subscription-manager, tracer_upload
Installed Packages
Name        : snapd
Arch        : x86_64
Version     : 2.54.4
Release     : 1.el7
Size        : 46 M
Repo        : installed
From repo   : epel-7server
Summary     : A transactional software package manager
URL         : https://github.com/snapcore/snapd
License     : GPLv3
Description : Snappy is a modern, cross-distribution, transactional package manager
            : designed for working with self-contained, immutable packages.

# snap --version
snap    2.54.4-1.el7
snapd   2.54.4-1.el7
series  16
rhel    7.9
kernel  3.10.0-1160.59.1.el7.x86_64

I’ve already put SELinux into Permissive mode and it still fails. Other packages such as atom, postman or spotify all install without problem. Attempting to install using Classic mode also fails:

# snap install --classic slack
error: cannot perform the following tasks:
- Run configure hook of "slack" snap if present (run hook "configure": 
-----
cannot update snap namespace: cannot create writable mimic over "/etc": cannot open file "/etc/passwd": permission denied
snap-update-ns failed with code 1
-----)

Sadly my RHEL subscription has expired so I can’t try on real RHEL image. Things seem to work on CentOS7 though, with snapd installed from EPEL, so the same source as you would have on RHEL. The SELinux profiles of snapd are permissive anyway, so you’d get AVC entries but nothing more. I suspect something else is causing this, maybe some local config. Any denials though? ausearch -m AVC will show that. What are the permissions of /etc/passwd?

Hi, thanks for the quick reply. I was getting various denials such as this:

Apr 05 15:26:20 work-21 setroubleshoot[4846]: SELinux is preventing /usr/libexec/snapd/snap-confine from write access on the directory /. For complete SELinux messages run: sealert -l 6dd1f1f8-d935-4e13-9efb-48be7f57a7b6
Apr 05 15:26:20 work-21 python[4846]: SELinux is preventing /usr/libexec/snapd/snap-confine from write access on the directory /.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snap-confine should be allowed write access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snap-confine' --raw | audit2allow -M my-snapconfine
# semodule -i my-snapconfine.pp

So I used audit2allow to generate the following two policy files.

(1/2)

# cat my-snapconfine.te

module my-snapconfine 1.0;

require {
        type tmpfs_t;
        type snappy_confine_t;
        class lnk_file create;
        class dir { add_name create read write };
        class filesystem { mount remount };
}

#============= snappy_confine_t ==============
allow snappy_confine_t tmpfs_t:dir { add_name create read write };
allow snappy_confine_t tmpfs_t:filesystem { mount remount };
allow snappy_confine_t tmpfs_t:lnk_file create;

(2/2)

# cat my-snapupdatens.te

module my-snapupdatens 1.0;

require {
        type cert_t;
        type net_conf_t;
        type snappy_mount_t;
        type exports_t;
        type rsync_etc_t;
        type abrt_etc_t;
        type mcelog_etc_t;
        type ipsec_conf_file_t;
        type krb5_keytab_t;
        type gconf_etc_t;
        type ipsec_key_file_t;
        type xdm_etc_t;
        type modules_conf_t;
        type etc_t;
        type krb5_conf_t;
        type container_config_t;
        type rhsmcertd_config_t;
        type kdump_etc_t;
        type bluetooth_conf_t;
        type cupsd_rw_etc_t;
        type vmtools_unconfined_exec_t;
        type tuned_etc_t;
        type auditd_etc_t;
        type postfix_etc_t;
        type NetworkManager_etc_t;
        type chronyd_keys_t;
        type system_cron_spool_t;
        type pppd_etc_t;
        type virt_etc_t;
        type cupsd_etc_t;
        type named_conf_t;
        type passwd_file_t;
        type mysqld_etc_t;
        type dbusd_etc_t;
        type sssd_conf_t;
        type shadow_t;
        type samba_etc_t;
        type syslog_conf_t;
        type hostname_etc_t;
        type lvm_etc_t;
        type etc_aliases_t;
        type dhcp_etc_t;
        type lvm_metadata_t;
        type dnsmasq_etc_t;
        type snappy_var_lib_t;
        type firewalld_etc_rw_t;
        type adjtime_t;
        type radvd_etc_t;
        class file getattr;
        class dir { add_name create getattr mounton remove_name rmdir setattr write };
}

#============= snappy_mount_t ==============
allow snappy_mount_t NetworkManager_etc_t:dir { getattr mounton };
allow snappy_mount_t abrt_etc_t:dir { getattr mounton };
allow snappy_mount_t adjtime_t:file getattr;
allow snappy_mount_t auditd_etc_t:dir { getattr mounton };
allow snappy_mount_t bluetooth_conf_t:dir { getattr mounton };
allow snappy_mount_t cert_t:dir getattr;
allow snappy_mount_t chronyd_keys_t:file getattr;
allow snappy_mount_t container_config_t:dir { getattr mounton };
allow snappy_mount_t cupsd_etc_t:dir { getattr mounton };
allow snappy_mount_t cupsd_rw_etc_t:file getattr;
allow snappy_mount_t dbusd_etc_t:dir { getattr mounton };
allow snappy_mount_t dhcp_etc_t:dir { getattr mounton };
allow snappy_mount_t dnsmasq_etc_t:dir { getattr mounton };
allow snappy_mount_t dnsmasq_etc_t:file getattr;
allow snappy_mount_t etc_aliases_t:file getattr;

#!!!! WARNING: 'etc_t' is a base type.
allow snappy_mount_t etc_t:dir mounton;
allow snappy_mount_t exports_t:file getattr;
allow snappy_mount_t firewalld_etc_rw_t:dir { getattr mounton };
allow snappy_mount_t gconf_etc_t:dir { getattr mounton };
allow snappy_mount_t hostname_etc_t:file getattr;
allow snappy_mount_t ipsec_conf_file_t:file getattr;
allow snappy_mount_t ipsec_key_file_t:dir { getattr mounton };
allow snappy_mount_t ipsec_key_file_t:file getattr;
allow snappy_mount_t kdump_etc_t:file getattr;
allow snappy_mount_t krb5_conf_t:file getattr;
allow snappy_mount_t krb5_keytab_t:file getattr;
allow snappy_mount_t lvm_etc_t:dir { getattr mounton };
allow snappy_mount_t lvm_metadata_t:dir { getattr mounton };
allow snappy_mount_t mcelog_etc_t:dir { getattr mounton };
allow snappy_mount_t modules_conf_t:dir { getattr mounton };
allow snappy_mount_t mysqld_etc_t:dir { getattr mounton };
allow snappy_mount_t mysqld_etc_t:file getattr;
allow snappy_mount_t named_conf_t:dir getattr;
allow snappy_mount_t net_conf_t:file getattr;
allow snappy_mount_t passwd_file_t:file getattr;
allow snappy_mount_t postfix_etc_t:dir getattr;
allow snappy_mount_t pppd_etc_t:dir getattr;
allow snappy_mount_t radvd_etc_t:file getattr;
allow snappy_mount_t rhsmcertd_config_t:dir getattr;
allow snappy_mount_t rsync_etc_t:file getattr;
allow snappy_mount_t samba_etc_t:dir getattr;
allow snappy_mount_t shadow_t:file getattr;
allow snappy_mount_t snappy_var_lib_t:dir { add_name create mounton remove_name rmdir setattr write };
allow snappy_mount_t sssd_conf_t:dir getattr;
allow snappy_mount_t syslog_conf_t:dir getattr;
allow snappy_mount_t syslog_conf_t:file getattr;
allow snappy_mount_t system_cron_spool_t:dir { getattr mounton };
allow snappy_mount_t system_cron_spool_t:file getattr;
allow snappy_mount_t tuned_etc_t:dir getattr;
allow snappy_mount_t virt_etc_t:dir { getattr mounton };
allow snappy_mount_t vmtools_unconfined_exec_t:dir getattr;
allow snappy_mount_t xdm_etc_t:dir { getattr mounton };

Permissions on /etc/passwd:

# stat /etc/passwd
  File: '/etc/passwd'
  Size: 2369            Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 2103009     Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:passwd_file_t:s0
Access: 2022-04-06 09:30:01.402488912 +1000
Modify: 2021-12-08 00:40:46.595313934 +1100
Change: 2021-12-08 00:40:46.598313693 +1100
 Birth: -

Bit of extra information, on some of my other systems, I noticed that they were on version 60 of Slack and weren’t having trouble. So I copied the slack_60.snap from one of those to this system and did sudo snap install /tmp/slack_60.snap --dangerous and it seems to install just fine.

@mborzecki any other ideas?
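The two .te files above are what audit2allow produces from the recorded denials, and the thread already shows one of the things worth noticing in such output (the warning that etc_t is a base type). As an added example, not code from the thread or from snapd, here is a small POSIX shell script that performs the same AVC-to-allow-rule conversion on constructed audit records and then reviews the result before anything is loaded with semodule -i: it flags any rule that grants more than getattr/mounton on credential-bearing types, and any rule on a base type. The record contents (pids, inodes, timestamps), the function names and the list of sensitive types are my own choices; the contexts snappy_mount_t and snappy_confine_t mirror the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from snapd: reproduce what
# `ausearch --raw | audit2allow` does on constructed AVC records, then review
# the generated rules. Needs only sh, awk and sort; no SELinux tooling.

# Constructed records in the shape `ausearch -m AVC --raw` prints on RHEL 7.
# Contexts mirror the thread; pids, inodes, devices and timestamps are invented.
AVC_SAMPLE='type=AVC msg=audit(1649134880.123:456): avc:  denied  { getattr } for  pid=4850 comm="snap-update-ns" path="/etc/passwd" dev="dm-0" ino=2103009 scontext=system_u:system_r:snappy_mount_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1649134880.123:457): avc:  denied  { mounton } for  pid=4850 comm="snap-update-ns" path="/etc" dev="dm-0" ino=1234 scontext=system_u:system_r:snappy_mount_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1649134880.123:458): avc:  denied  { getattr } for  pid=4850 comm="snap-update-ns" path="/etc/shadow" dev="dm-0" ino=1235 scontext=system_u:system_r:snappy_mount_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1649134880.123:459): avc:  denied  { write add_name } for  pid=4846 comm="snap-confine" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:snappy_confine_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1649134880.123:460): avc:  denied  { create } for  pid=4846 comm="snap-confine" name="etc" dev="tmpfs" ino=1 scontext=system_u:system_r:snappy_confine_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1'

avc_to_allow() {
    # stdin: raw AVC records. stdout: one merged allow rule per
    # (source domain, target type, object class), permissions sorted.
    awk '
        /avc: +denied/ {
            perms = ""
            if (match($0, /\{[^}]*\}/))
                perms = substr($0, RSTART + 1, RLENGTH - 2)
            src = tgt = cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
                if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            if (src == "" || tgt == "" || cls == "") next
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++) printf "%s %s:%s\t%s\n", src, tgt, cls, p[j]
        }
    ' | LC_ALL=C sort -u | awk -F "\t" '
        function flush() {
            if (key == "") return
            if (n == 1) printf "allow %s %s;\n", key, perms
            else        printf "allow %s { %s };\n", key, perms
        }
        $1 != key { flush(); key = $1; perms = ""; n = 0 }
        { perms = (n == 0) ? $2 : perms " " $2; n++ }
        END { flush() }
    '
}

require_block() {
    # stdin: allow rules. stdout: the require { } body listing every type and
    # every class/permission pair the rules reference (as in the .te files above).
    awk '
        /^allow / {
            split($3, tc, ":")
            print "type " $2 ";"; print "type " tc[1] ";"
            for (i = 4; i <= NF; i++) { w = $i; gsub(/[{};]/, "", w)
                if (w != "") print "class " tc[2] " " w }
        }
    ' | LC_ALL=C sort -u | awk '
        function flush() { if (c != "") printf "        class %s %s;\n", c, (n == 1 ? ps : "{ " ps " }") }
        $1 == "type" { flush(); c = ""; print "        " $0; next }
        $2 != c { flush(); c = $2; ps = ""; n = 0 }
        { ps = (n == 0) ? $3 : ps " " $3; n++ }
        END { flush() }
    '
}

generate_module() {
    # $1: module name; stdin: raw AVC records. Prints a complete .te file.
    rules=$(avc_to_allow)
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '%s\n' "$rules" | require_block
    printf '}\n\n%s\n' "$rules"
}

review_rules() {
    # stdin: allow rules. Prints one REVIEW line per rule that deserves a human
    # look before `semodule -i`. The type lists are my choices, not snapd policy.
    awk '
        BEGIN {
            sensitive["shadow_t"] = sensitive["passwd_file_t"] = 1
            sensitive["krb5_keytab_t"] = sensitive["ipsec_key_file_t"] = 1
            sensitive["chronyd_keys_t"] = 1
            base["etc_t"] = 1      # the base-type warning audit2allow also prints
        }
        /^allow / {
            split($3, tc, ":"); tgt = tc[1]
            broad = ""             # permissions beyond metadata (getattr) / mount-point use (mounton)
            for (i = 4; i <= NF; i++) {
                w = $i; gsub(/[{};]/, "", w)
                if (w != "" && w != "getattr" && w != "mounton")
                    broad = (broad == "") ? w : broad " " w
            }
            if ((tgt in sensitive) && broad != "")
                printf "REVIEW %s: grants { %s } on credential type\n", tgt, broad
            if (tgt in base)
                printf "REVIEW %s: base type, rule covers every file it labels\n", tgt
        }
    '
}

# Stand-alone run: print the module built from the sample, then the findings.
# On a live system: ausearch -m AVC --raw | generate_module my-snapd-review
printf '%s\n' "$AVC_SAMPLE" | generate_module my-snapd-review
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow | review_rules
```

On the sample the only finding is the etc_t base-type warning, which matches what audit2allow printed in the thread; a rule such as "allow snappy_mount_t shadow_t:file { getattr read };" would be flagged because read goes beyond the metadata access the thread's rules grant.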

I had a very similar issue to this, on Ubuntu, using the slack snap.

I was experimenting with ro bind mounting /etc/resolv.conf from /run/systemd/resolve/stub-resolv.conf instead of symlinking, because I want to prevent any undesired modification to the file by various vpn clients.

However, with the mount in place:

mount -o ro,bind /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

I got the following error when I tried to launch the snap.

cannot update snap namespace: cannot create writable mimic over "/etc": no such file or directory
snap-update-ns failed with code 1

The snap itself has a few bind mounts from /etc, but nothing about /etc/resolv.conf specifically.

Is this potentially a snapd bug, or something else?

Cheers, Just
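The failure reported in this post appeared only while a bind mount sat directly under /etc. As an added example, not code from the thread or from snapd, here is a small POSIX shell script that lists every mount beneath a given directory by parsing /proc/self/mountinfo, which is the first thing to check when a writable mimic over that directory fails. The reasoning behind it is my assumption from the behaviour described above: the mimic has to re-create whatever is already mounted under /etc, so a hand-made bind mount there is a likely interference. The mountinfo excerpt (ids, device numbers, the localtime entry) is constructed, and the function name is my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from snapd: list what is mounted
# beneath a directory, from /proc/self/mountinfo. Assumption (mine, drawn from
# the behaviour described above): a writable mimic over /etc must re-create
# every mount already under /etc, so a bind mount placed there by hand is the
# first thing to look for when the mimic fails.

# Constructed mountinfo excerpt; ids, device numbers and the localtime entry are
# invented. Layout per line:
#   id parent major:minor root mount-point options [optional...] - fstype source super-options
MOUNTINFO_SAMPLE='22 1 253:0 / / rw,relatime shared:1 - ext4 /dev/mapper/root rw
40 22 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw
45 22 0:25 / /run rw,nosuid,nodev shared:5 - tmpfs tmpfs rw,mode=755
90 45 0:25 /systemd/resolve/stub-resolv.conf /etc/resolv.conf ro,relatime shared:5 - tmpfs tmpfs rw,mode=755
91 22 253:0 /usr/share/zoneinfo/UTC /etc/localtime ro,relatime shared:1 - ext4 /dev/mapper/root rw
95 22 253:0 / /var/lib/snapd/hostfs ro,relatime shared:1 - ext4 /dev/mapper/root rw'

mounts_under() {
    # $1: directory (no trailing slash); stdin: mountinfo lines.
    # Prints "mount-point fstype source[:root]" for each mount strictly
    # beneath $1. Mount points with spaces are octal-escaped in mountinfo,
    # so plain field splitting is safe.
    awk -v dir="$1" '
        {
            mp = $5; root = $4; fstype = "?"; src = "?"
            # Fields after the " - " separator: fstype, source, super-options.
            for (i = 7; i <= NF; i++)
                if ($i == "-") { fstype = $(i + 1); src = $(i + 2); break }
            if (index(mp, dir "/") == 1)
                printf "%s %s %s%s\n", mp, fstype, src, (root == "/" ? "" : ":" root)
        }
    '
}

# Stand-alone run on the sample. On a live system:
#   mounts_under /etc < /proc/self/mountinfo
printf '%s\n' "$MOUNTINFO_SAMPLE" | mounts_under /etc
```

The root column (the fourth field) is what distinguishes a file bind mount from a plain mount: for the resolv.conf entry it names the path inside the /run tmpfs that was bound onto /etc/resolv.conf, which is exactly the mount described in this post.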