> Does your policy grant 'k' permissions to the file in question?

I think it does, as the snap.microk8s.daemon-containerd profile contains these rules:

# Read-only system area for other versions
# bind mount used here (see 'parallel installs', above)
/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/ r,
/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix,

# Writable system area only for this version
# bind mount used here (see 'parallel installs', above)
/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/** wl,
/var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/** wl,

Also, running this command outside of the snap works:

sudo aa-exec -p snap.microk8s.daemon-containerd \
flock /var/snap/microk8s/common/default-storage/default-test-jb-pvc-aefec156-04d8-4cfe-a661-5df36eeca724/test echo ok