Reinstalling snap does not update the profile

Didier Roche didrocks at
Tue May 17 14:15:57 UTC 2016

Le 17/05/2016 08:59, Patrick Boettcher a écrit :
> Hi list,

Hey Patrick,
> I'm facing an issue with apparmor profiles which are not updated when
> over-installing a new version (or existing version) or a snap.

Yeah, I think you are not the first to encounter such a situation, I've
been bitten myself as well, especially when you iterate locally and
install, reinstall the same snap multiple times (this was with either
the snappy command but still valid since the snap/snapd transition).

Talking last week with Michael and it doesn't seem to be an unknown
issue. Jamie, Michael, is that Do you
have this on your roadmap?

The easy workaround for now is to snap remove <package_name>; snap
install <package_name>. For me, that always rebuilt the profiles.


> I'm creating a snap from binaries I built without using snapcraft (I
> generated a rootfs in which I created meta/snap.yaml on which I did
> "snapcraft snap .") . My snap.yaml:
>   name: libshdata
>   version: 1.6
>   summary: none
>   description: none
>   architectures: [armhf]
>   apps:
>       test:
>           command: usr/bin/program
>           plugs: [network]
> When now 'snap install'ing this snap the first time, it created the
> 000001-dir and the current-link and everything works fine.
> Just re-installing the same snap gives me an apparmor-error saying that
> the wrapper cannot open the binary. We also regenerated the snap
> incrementing to the version 1.7 . 
> AppArmor cries out like this:
> type=1400 audit(1463491905.860:297): apparmor="DENIED" operation="open"
> profile="snap.libshdata.test"name="/snap/libshdata/100002/usr/bin/program"
> pid=1877 comm="program" requested_mask="r" denied_mask="r" fsuid=1000
> ouid=0
> I then checked
>   /writable/system-data/var/lib/snapd/apparmor/profiles/snap.libshdata.program
> and saw that 
>   @{SNAP_REVISION}="100001"
> had not been updated.
> My platform is Raspi2:
> canonical-pi2        3.2                               canonical
> canonical-pi2-linux  4.4.0-1009-raspi2+20160421.13-36  canonical
> ubuntu-core          16.04+20160420.05-14              canonical
> Is this a bug or a mistake on my side?
> regards,
> --
> Patrick.

More information about the snappy-devel mailing list