Some snaps won't launch, and journal shows apparmor="DENIED"

I have a relatively new/fresh Ubuntu 18.04 installation, and I find that some snaps won’t launch.

For example, both Discord and Wire show the following four similar messages when I try to launch them:

Wire:
audit: type=1400 audit(snip): apparmor=“DENIED” operation=“open” profile=“snap-update-ns.wire” name="/proc/sys/net/core/somaxconn" pid=9321 comm=“4” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
audit: type=1400 audit(snip): apparmor=“DENIED” operation=“create” profile=“snap-update-ns.wire” pid=9321 comm=“4” family=“inet” sock_type=“stream” protocol=6 requested_mask=“create” denied_mask=“create”
audit: type=1400 audit(snip): apparmor=“DENIED” operation=“create” profile=“snap-update-ns.wire” pid=9321 comm=“4” family=“inet6” sock_type=“stream” protocol=6 requested_mask=“create” denied_mask=“create”
audit: type=1400 audit(snip): apparmor=“DENIED” operation=“create” profile=“snap-update-ns.wire” pid=9321 comm=“4” family=“inet6” sock_type=“stream” protocol=6 requested_mask=“create” denied_mask=“create”

Discord:
audit: type=1400 audit(snip): apparmor=“DENIED” operation=“open” profile=“snap-update-ns.discord” name="/proc/sys/net/core/somaxconn" pid=9465 comm=“4” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
audit: type=1400 audit(snip): apparmor=“DENIED” operation=“create” profile=“snap-update-ns.discord” pid=9465 comm=“4” family=“inet” sock_type=“stream” protocol=6 requested_mask=“create” denied_mask=“create”
audit: type=1400 audit(snip): apparmor=“DENIED” operation=“create” profile=“snap-update-ns.discord” pid=9465 comm=“4” family=“inet6” sock_type=“stream” protocol=6 requested_mask=“create” denied_mask=“create”
audit: type=1400 audit(snip): apparmor=“DENIED” operation=“create” profile=“snap-update-ns.discord” pid=9465 comm=“4” family=“inet6” sock_type=“stream” protocol=6 requested_mask=“create” denied_mask=“create”

As far as I know, I haven’t done anything out of the ordinary with this Ubuntu installation. I do have a number of dev tools installed, but a vast majority of my installations are done with apt.

I find that in cases where an app is available via Apt or Snap, the Apt version will work while the Snap version will (silently) fail. By silently, I mean there’s no user message; one would have to know to look in the journal.

(Is Snap intended to be for regular users, or dev types?)

Can you please paste the output of snap version?

Also, are you using Wayland or an X session?

1 Like

Here’s the output of snap version:
snap 2.37
snapd 2.37
series 16
ubuntu 18.04
kernel 4.15.0-43-generic

And while I can’t find any reliable way to determine if I’m running Xorg or Wayland, I did find this:

echo $XDG_SESSION_TYPE

Ahh, I previously tried that and go no output, but that’s because I was in a root session :). Sorry!

Apparently I am running Wayland.

Ok, I have a workaround which will disable wayland and instead will use XWayland. I’ll implement that, and trigger a build of both those snaps, which will land in the edge channel. Once done I’ll comment here, and if you have some time to test them, I’d appreciate it.

1 Like

Ok, willdo.

Meanwhile, I just disabled Wayland and rebooted, and the apps launch as they should.

I’m not quite sure why I had Wayland when the Ubuntu blog clearly said that 18.04 would ship with Xorg instead… and I’m not sure why I would go back to Wayland if Ubuntu doesn’t feel it’s ready…

1 Like

Pre-Release Development versions of 18.04 did actually default to wayland for a while before it got switched to Xorg. Perhaps you initially installed from such a version ? (i doubt anyone cared for managing this case and forcing you to Xorg in an upgrade from an 18.04 pre-release install, since development releases are exactly that … for development)

I don’t believe this was a pre-release dev version. I downloaded it from the normal ubuntu desktop 18.04 lts page, perhaps one month ago.

1 Like

There’s a new build of discord and wire in the candidate channel. If you have a moment could you logout/login using wayland session and:-

snap refresh discord --candidate
snap refresh wire --candidate

Then report back if they both work now? Thanks in advance.

1 Like

The candidates do work now (in Wayland). :slight_smile:

1 Like

Sweet! Thanks so much for testing and providing feedback. Much appreciated!

1 Like

No problem, and thanks for solving this. I suspect this issue will affect many other apps. I think I’ve already given up on several snap versions because of similar behavior. (I don’t recall which ones…)

Yeah, good point. I’ll see if we can set some time aside to do some testing of a chunk of apps and see which ones work in Wayland.

These denials are just noise. This should be fixed in 2.37.1, which is currently in the beta channel and undergoing QA.

1 Like