Some snaps won't launch, and journal shows apparmor="DENIED"


#1

I have a relatively new/fresh Ubuntu 18.04 installation, and I find that some snaps won’t launch.

For example, both Discord and Wire show the following four similar messages when I try to launch them:

Wire:
audit: type=1400 audit(snip): apparmor="DENIED" operation="open" profile="snap-update-ns.wire" name="/proc/sys/net/core/somaxconn" pid=9321 comm="4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(snip): apparmor="DENIED" operation="create" profile="snap-update-ns.wire" pid=9321 comm="4" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
audit: type=1400 audit(snip): apparmor="DENIED" operation="create" profile="snap-update-ns.wire" pid=9321 comm="4" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
audit: type=1400 audit(snip): apparmor="DENIED" operation="create" profile="snap-update-ns.wire" pid=9321 comm="4" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"

Discord:
audit: type=1400 audit(snip): apparmor="DENIED" operation="open" profile="snap-update-ns.discord" name="/proc/sys/net/core/somaxconn" pid=9465 comm="4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(snip): apparmor="DENIED" operation="create" profile="snap-update-ns.discord" pid=9465 comm="4" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
audit: type=1400 audit(snip): apparmor="DENIED" operation="create" profile="snap-update-ns.discord" pid=9465 comm="4" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
audit: type=1400 audit(snip): apparmor="DENIED" operation="create" profile="snap-update-ns.discord" pid=9465 comm="4" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"

As far as I know, I haven’t done anything out of the ordinary with this Ubuntu installation. I do have a number of dev tools installed, but a vast majority of my installations are done with apt.

I find that in cases where an app is available via Apt or Snap, the Apt version will work while the Snap version will (silently) fail. By silently, I mean there’s no user message; one would have to know to look in the journal.

(Is Snap intended to be for regular users, or dev types?)


#2

Can you please paste the output of snap version?

Also, are you using Wayland or an X session?


#3

Here’s the output of snap version:
snap 2.37
snapd 2.37
series 16
ubuntu 18.04
kernel 4.15.0-43-generic

And while I can’t find any reliable way to determine if I’m running Xorg or Wayland, I did find this:


#4

echo $XDG_SESSION_TYPE


#5

Ahh, I previously tried that and got no output, but that’s because I was in a root session :). Sorry!

Apparently I am running Wayland.


#6

Ok, I have a workaround which will disable Wayland and instead will use XWayland. I’ll implement that, and trigger a build of both those snaps, which will land in the edge channel. Once done I’ll comment here, and if you have some time to test them, I’d appreciate it.


#7

Ok, will do.

Meanwhile, I just disabled Wayland and rebooted, and the apps launch as they should.

I’m not quite sure why I had Wayland when the Ubuntu blog clearly said that 18.04 would ship with Xorg instead… and I’m not sure why I would go back to Wayland if Ubuntu doesn’t feel it’s ready…


#8

Pre-Release Development versions of 18.04 did actually default to Wayland for a while before it got switched to Xorg. Perhaps you initially installed from such a version? (I doubt anyone cared for managing this case and forcing you to Xorg in an upgrade from an 18.04 pre-release install, since development releases are exactly that … for development)


#9

I don’t believe this was a pre-release dev version. I downloaded it from the normal Ubuntu Desktop 18.04 LTS page, perhaps one month ago.


#10

There’s a new build of discord and wire in the candidate channel. If you have a moment, could you log out and log back in using a Wayland session and run:

snap refresh discord --candidate
snap refresh wire --candidate

Then report back if they both work now? Thanks in advance.


#11

The candidates do work now (in Wayland). :)


#12

Sweet! Thanks so much for testing and providing feedback. Much appreciated!


#13

No problem, and thanks for solving this. I suspect this issue will affect many other apps. I think I’ve already given up on several snap versions because of similar behavior. (I don’t recall which ones…)


#14

Yeah, good point. I’ll see if we can set some time aside to do some testing of a chunk of apps and see which ones work in Wayland.


#15

These denials are just noise. This should be fixed in 2.37.1, which is currently in the beta channel and undergoing QA.
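
A small triage script for journal records like the ones quoted in the first post, added here as an example and not part of the original thread: it parses AppArmor DENIED lines (tolerating the curly quotes a forum paste introduces) and separates denials logged under snapd's snap-update-ns.<snap> helper profiles, which the last reply calls noise, from denials under application profiles (snap.<snap>.<app>). The sample input is constructed, and snap.example.app with its path is a hypothetical entry for contrast.

```python
import re
from collections import Counter

# Constructed sample: three records shaped like the ones quoted in the thread
# (one keeps the curly quotes a forum paste produces) plus one hypothetical
# denial against an application profile, snap.example.app, for contrast.
SAMPLE = """\
audit: type=1400 audit(snip): apparmor="DENIED" operation="open" profile="snap-update-ns.wire" name="/proc/sys/net/core/somaxconn" pid=9321 comm="4" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(snip): apparmor=“DENIED” operation=“create” profile=“snap-update-ns.wire” pid=9321 comm=“4” family=“inet” sock_type=“stream” protocol=6 requested_mask=“create” denied_mask=“create”
audit: type=1400 audit(snip): apparmor="DENIED" operation="create" profile="snap-update-ns.discord" pid=9465 comm="4" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
audit: type=1400 audit(snip): apparmor="DENIED" operation="open" profile="snap.example.app" name="/home/user/.config/example" pid=100 comm="app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: unrelated line without an AppArmor record
"""

CURLY = str.maketrans({"\u201c": '"', "\u201d": '"'})  # normalise pasted quotes
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')              # key="value" or key=value

def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED record, or None."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line.translate(CURLY))}
    return fields if fields.get("apparmor") == "DENIED" else None

def classify(profile):
    """Split snapd's mount-namespace helper profiles from application profiles."""
    if profile.startswith("snap-update-ns."):
        return "helper", profile.split(".", 1)[1]
    if profile.startswith("snap."):
        return "app", profile.split(".")[1]
    return "other", profile

def summarize(text):
    """Count denials per (kind, snap, operation, target)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_denial(line)
        if rec is None:
            continue
        kind, snap = classify(rec.get("profile", ""))
        target = rec.get("name") or "{}/{}".format(rec.get("family"), rec.get("sock_type"))
        counts[(kind, snap, rec.get("operation"), target)] += 1
    return counts

if __name__ == "__main__":
    for (kind, snap, op, target), n in sorted(summarize(SAMPLE).items()):
        print(f"{kind:6} {snap:8} {op:6} {target:32} x{n}")
```

When a snap fails silently, the "app" rows are the ones to read first; "helper" rows alone do not show that the application itself was confined out of something it needed.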