Snapd installation problems on vanilla Debian

I wanted to install the snapd certbot app on a newly minted Debian bookworm system on a small amd64 machine acting as my input router.

So I carefully followed the instructions on https://snapcraft.io/docs/installing-snap-on-debian. Snapd installed with no problems, and the snap core installed fine. So I continued the instructions, and installed hello-world which appeared to install correctly.

However when running it I got:

user@debian:~$ /snap/bin/hello-world
2025/01/30 19:35:33.446626 cmd_run.go:1070: WARNING: cannot create 
user data directory: failed to verify SELinux context of 
/home/user/snap: exec: "matchpathcon": executable file 
not found in $PATH
Hello World!

Not sure why I didn’t get paths set up so I could use hello-world from the shell.

I’ve added a newline or two into the output above. This error message persisted when I tried to install certbot, so I backed everything out and used the somewhat deprecated pip installation method to get my certificate.

It did manage to create /home/user/hello-world, not sure why I need this. Later, I removed the hello-world snap and I tried to install it with the --classic argument, but snap complains about this.

It seems that matchpathcon is part of SELinux, which now doesn’t come as a standard part of Debian, and also will probably be deleted if SELinux is removed from a system. Surely snap should be checking for this binary before trying to use it? For the record, my system disables apparmor too, so doesn’t need any ‘stuff’ that may be installed for that as part of an application.

I have snapd’s certbot installed on a much older machine, although the snap install was inherited when I updated the Debian system from the previous bullseye release.

I guess I am concerned because this impacts hugely on the ability to install certbot simply, the snapd version is much much easier - can something be done to fix this?

After some assistance from the snapd bug reporter system, I found a workaround.

The solution was to ensure that selinux was not present in /proc/self/mountinfo.

I installed: selinux-utils and selinux-policy-default which I don’t really want. Previously only the file semanage.conf was present in /etc/selinux. Now I could edit /etc/selinux/config to set the SELINUX variable to ‘disabled’. This is supposed to be deprecated according to the selinux(8) manual page, but this seems to be not really that true - to turn things off you need the config file.

Then I ensured that /etc/default/grub has selinux=0 (and apparmor=0) in the kernel command line, and ran update-grub.

After a reboot the selinux filesystem was gone - and now snapd’s hello-world installs and runs without trying to find matchpathcon.

I still think that it would be a cheap and a good engineering change to snapd to add a test to look for /sbin/matchpathcon before trying to invoke it. Had that been there, none of this would have happened.
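
The checks described in this thread, collected into one diagnostic as an added example (not part of the original posts and not snapd's own code). It assumes, from the description above, that the warning appears when selinuxfs is listed in /proc/self/mountinfo while matchpathcon is not on $PATH; the function names, the MATCHPATHCON override and the --report switch are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch; file paths default to the live system.
MATCHPATHCON=${MATCHPATHCON:-matchpathcon}   # override only for testing

# True if any mount in the mountinfo file has filesystem type selinuxfs.
# mountinfo has a variable number of optional fields, ended by a lone "-";
# the filesystem type is the field right after that separator.
selinuxfs_mounted() {
    awk '{ for (i = 7; i <= NF; i++) if ($i == "-") {
               if ($(i + 1) == "selinuxfs") found = 1
               break } }
         END { exit found ? 0 : 1 }' "${1:-/proc/self/mountinfo}"
}

# True if the kernel command line carries selinux=0.
cmdline_disables_selinux() {
    tr ' ' '\n' < "${1:-/proc/cmdline}" | grep -qx 'selinux=0'
}

# Print the SELINUX= value from the config file (empty if the file is absent).
selinux_config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "${1:-/etc/selinux/config}" 2>/dev/null | tail -n 1
}

# Print one verdict word: not-affected, tool-present, or affected.
diagnose() {
    if ! selinuxfs_mounted "$1"; then
        echo not-affected          # no selinuxfs mount, nothing to verify
    elif command -v "$MATCHPATHCON" >/dev/null 2>&1; then
        echo tool-present          # selinuxfs mounted and helper available
    else
        echo affected              # selinuxfs mounted, helper missing
    fi
}

if [ "${1:-}" = "--report" ]; then
    echo "verdict:  $(diagnose)"
    echo "SELINUX=  $(selinux_config_mode)"
    if cmdline_disables_selinux; then
        echo "cmdline:  selinux=0 set"
    else
        echo "cmdline:  selinux=0 not set"
    fi
fi
```

Run with --report before and after the reboot to confirm that the selinuxfs mount has gone and the verdict has changed from affected to not-affected.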