App denied access to /lib and crashes

Jamie Strandboge jamie at
Tue Jun 28 13:21:38 UTC 2016

On Tue, 2016-06-28 at 10:44 +0200, Pawel Stolowski wrote:
> Hi,
> I've been trying to create a snap package for Scid-vs-PC (and old-style 
> TCL/TK based app) but have only been able to get it working in devmode.
> In the strict mode it crashes in and the segfault appears 
> right after a denied access to read "/lib", in dmesg which makes me 
> think that tcl/tk doesn't handle such (unexpected) scenario very well.
> When running in the devmode I get:
> [ 4039.752903] audit: type=1400 audit(1467102032.459:56): 
> apparmor="ALLOWED" operation="open" profile="snap.scid-vs-pc.scidvspc" 
> name="/lib/" pid=18523 comm="tkscid" requested_mask="r" denied_mask="r" 
> fsuid=1000 ouid=0
> (and the app runs fine).
> I suspect that just making "/lib" readable to my snap would make that 
> app happy, so a couple of questions:
> - can I somehow expose "/lib" in read-only mode to my snap under 
> "strict" confinement?
> - or can I somehow simulate the presence of "/lib" (and let it be empty)?

Can you file a bug and add the 'snapd-interface' tag? For now you can workaround
this in strict mode by adding to /var/lib/snapd/apparmor/profiles/snap.scid-vs-

  /lib/ r, # trailing '/' is important

then do:
$ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.scid-vs-

Then try again. Depending on what the program does, you might have to add
'/usr/lib/', '/usr/local/lib/', etc. Please report all the accesses needed in
the bug and I can get this fixed up.

Jamie Strandboge             |

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the Snapcraft mailing list