snapctl moved from /usr/bin to /usr/lib/snapd/ recently … apparmor profiles were updated for this …
but after an ubuntu core image running the edge channel updated the core snap, all of a sudden i see snapctl permission denied
errors when calling any configure hooks …
checking the apparmor profile of the respective app shows:
# snapctl and its requirements
/usr/bin/snapctl ixr,
/usr/lib/snapd/snapctl ixr,
and calling apparmor_parser -r
on this profile file, makes the configure hook work again …
after a reboot the problem is back.
@zyga-snapd nailed it down to the apparmor cache having a wrong timestamp …
there is an issue between our fixrtc script that sets the clock to the last mount time and the snapd shutdown helper that shuts down the system in a way that the superblock of /writable does not get updated (which indeed makes the filesystem not update last mount time and last write time).