I’m trying to copy a file from $SNAP to $SNAP_USER_DATA. When running in strict confinement, this fails and I get operation not permitted in my logs:
Oct 13, 2021 18:57:32.017 [0x7f710b7fe700] ERROR - Couldn't copy file "/snap/plex/x1/resources/com.plexapp.plugins.library.db" to "/home/tamas/snap/plex/x1/Plex Media Server/Plug-in Support/Databases/com.plexapp.plugins.library.db": Operation not permitted
But this works in devmode, so it must be the confinement:
Oct 13, 2021 18:51:25.296 [0x7fea98ecb700] DEBUG - Installing Library Database from ["/snap/plex/x1/resources/com.plexapp.plugins.library.db"] to ["/home/tamas/snap/plex/x1/Plex Media Server/Plug-in Support/Databases/com.plexapp.plugins.library.db"]
I was under the impression that $SNAP_USER_DATA is writable by the snap, and I am indeed able to see files being written there. But not this one. How can I debug what’s going on here?
I’m getting the following denials from apparmor:
Oct 13 19:01:59 mamut audit[705432]: AVC apparmor="DENIED" operation="open" profile="snap.plex.plex" name="/home/tamas/Documents/" pid=705432 comm="head" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Oct 13 19:01:59 mamut kernel: audit: type=1400 audit(1634144519.898:40955): apparmor="DENIED" operation="open" profile="snap.plex.plex" name="/home/tamas/Documents/" pid=705432 comm="head" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Oct 13 19:02:00 mamut audit[705478]: AVC apparmor="DENIED" operation="open" profile="snap.plex.plex" name="/proc/705478/setgroups" pid=705478 comm="Plex" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Oct 13 19:02:00 mamut kernel: audit: type=1400 audit(1634144520.346:40956): apparmor="DENIED" operation="open" profile="snap.plex.plex" name="/proc/705478/setgroups" pid=705478 comm="Plex" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
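
One way to triage the denials quoted above, as an added example that is not part of the original post: it parses the four AVC lines, collapses the audit/kernel duplicates, decodes hex-encoded name= values (the audit layer logs paths containing spaces that way), and checks whether any denial falls under the copy destination. The function names and TARGET_PREFIX are assumptions made for this example.

```python
import re

# The four denial lines from the post (audit and kernel each report the same event).
LOG = """\
Oct 13 19:01:59 mamut audit[705432]: AVC apparmor="DENIED" operation="open" profile="snap.plex.plex" name="/home/tamas/Documents/" pid=705432 comm="head" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Oct 13 19:01:59 mamut kernel: audit: type=1400 audit(1634144519.898:40955): apparmor="DENIED" operation="open" profile="snap.plex.plex" name="/home/tamas/Documents/" pid=705432 comm="head" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Oct 13 19:02:00 mamut audit[705478]: AVC apparmor="DENIED" operation="open" profile="snap.plex.plex" name="/proc/705478/setgroups" pid=705478 comm="Plex" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Oct 13 19:02:00 mamut kernel: audit: type=1400 audit(1634144520.346:40956): apparmor="DENIED" operation="open" profile="snap.plex.plex" name="/proc/705478/setgroups" pid=705478 comm="Plex" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
"""

# Prefix of the copy destination, taken from the ERROR line in the post.
TARGET_PREFIX = "/home/tamas/snap/plex/x1/"

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")
KEYS = ("profile", "operation", "name", "pid", "comm", "requested_mask")

def parse_denials(text):
    """Return one dict per unique AppArmor denial, in first-seen order."""
    seen, unique = set(), []
    for line in text.splitlines():
        start = line.find('apparmor="DENIED"')
        if start < 0:
            continue
        fields = {}
        for key, quoted, bare in FIELD.findall(line[start:]):
            # audit writes names containing spaces as unquoted hex, so decode
            # them; otherwise a path like ".../Plex Media Server/..." is missed.
            if key == "name" and bare and HEX.fullmatch(bare):
                bare = bytes.fromhex(bare).decode("utf-8", "replace")
            fields[key] = quoted or bare
        ident = tuple(fields.get(k) for k in KEYS)
        if ident not in seen:
            seen.add(ident)
            unique.append(fields)
    return unique

def denials_under(denials, prefix):
    """Denials whose object path lies under prefix."""
    return [d for d in denials if d.get("name", "").startswith(prefix)]

if __name__ == "__main__":
    found = parse_denials(LOG)
    for d in found:
        print(d["comm"], d["operation"], d["requested_mask"], d["name"])
    print("denials under target:", len(denials_under(found, TARGET_PREFIX)))
```

Run on the four lines from the post, it yields two unique denials (/home/tamas/Documents/ and /proc/705478/setgroups), neither of which is under the copy destination.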