snaps do not start - cannot change mount namespace / cannot create writable mimic on openSUSE Tumbleweed

Bug #2023779 reported by Timo Jyrinki
This bug affects 3 people
Affects Status Importance Assigned to Milestone
snapd
Fix Committed
High
Unassigned
apparmor (Suse)
Fix Released
Medium

Bug Description

I updated my openSUSE Tumbleweed to version 20230613 (earlier it was a few days older), rebooted and now none of the snaps start.

All give errors like:
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/tmp/.X11-unix /tmp/.X11-unix none bind,ro 0 0): permission denied
(tens of these)

and as a final one:
cannot update snap namespace: cannot create writable mimic over "/usr/lib/x86_64-linux-gnu": permission denied
snap-update-ns failed with code 1

---
Environment:

kernel 6.3.6-1-default
snapd rpm snapd-2.59.5-1.2.x86_64
snapd snap 2.59.4

Not sure of the change that caused this; at least snaps were working with an older 6.3.x kernel. systemd just saw an update 253.4 -> 253.5, which could be the one, or 6.3.x may have introduced something in, for example, 6.3.5 or 6.3.6.

Recent changelogs:
20230613: https://<email address hidden>/thread/F7QOJYOMLHXQTWDNWMSMWRZJ6POOI63C/
20230612: https://<email address hidden>/thread/IMTPRQ5RJYSTVJT7AI5GPZA5QAMB5GWD/
20230610: https://<email address hidden>/thread/GYHXGAUGASIXHZCR2KSCC6FW4XABXCMT/
20230608: https://<email address hidden>/thread/7422KZCY6CLFEJNKCZVMMIBBNO4OA24S/
20230607: https://<email address hidden>/thread/WDDERQFM5Z2HTRLWMSFEWSTJS7JVVZPB/
20230605: https://<email address hidden>/thread/AAH5BC6QEJNMKMUXXPFTIIYOJN7ECY7E/

Revision history for this message
In , Akontsevich (akontsevich) wrote :
Revision history for this message
In , Stratos Zolotas (baskin) wrote :

Can confirm the same issue after latest dup (VERSION_ID="20230603")

stratos@teras:~> winbox
cannot perform operation: mount -t tmpfs /tmp/snap.rootfs_bdlKDD: Permission denied
stratos@teras:~> authy
cannot perform operation: mount -t tmpfs /tmp/snap.rootfs_nz6fZ2: Permission denied

Revision history for this message
In , Suse-beta (suse-beta) wrote :

AppArmor 3.1.4 fixed a bug in mount rules - before they allowed things that the profile didn't really allow, and now they allow exactly what is specified in the profile. See https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.4 and https://gitlab.com/apparmor/apparmor/-/commit/aff29ef0ee88e18db74a364e7dca1b4c0fa95e47 for details.

This also means that profiles that "somehow worked" before now cause denials because they don't have the mount rules they really need.

https://forum.snapcraft.io/t/apparmor-issue/35461 shows the following line from /var/log/audit/audit.log:

type=AVC msg=audit(1685879595.481:528): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="/usr/lib/snapd/snap-confine" name="/tmp/snap.rootfs_uAIbsj/" pid=13661 comm="snap-confine" fstype="tmpfs" srcname="none"

Can you please confirm that you get a similar line in your audit.log when snap fails?

If I got the log message right, adding the following rule to the snap-confine profile should fix the problem:

mount fstype=tmpfs -> /tmp/snap.rootfs_??????/,

That all said, I'll hand over the bug to the (system:snappy/snapd) maintainer - AFAIK the snap profiles are shipped as part of the snapd package.

Revision history for this message
In , Akontsevich (akontsevich) wrote :

(In reply to Christian Boltz from comment #2)
> https://forum.snapcraft.io/t/apparmor-issue/35461 shows the following line
> from /var/log/audit/audit.log:
>
> type=AVC msg=audit(1685879595.481:528): apparmor="DENIED" operation="mount"
> class="mount" info="failed perms check" error=-13
> profile="/usr/lib/snapd/snap-confine" name="/tmp/snap.rootfs_uAIbsj/"
> pid=13661 comm="snap-confine" fstype="tmpfs" srcname="none"
>
> Can you please confirm that you get a similar line in your audit.log when
> snap fails?

Yes, have the same:

> telegram-desktop
cannot perform operation: mount -t tmpfs /tmp/snap.rootfs_Z2gZo7: Permission denied

> And in the log:
type=AVC msg=audit(1685966246.468:373): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="/usr/libexec/snapd/snap-confine" name="/tmp/snap.rootfs_Z2gZo7/" pid=28351 comm="snap-confine" fstype="tmpfs" srcname="none"

>
> If I got the log message right, adding the following rule to the
> snap-confine profile should fix the problem:
>
> mount fstype=tmpfs -> /tmp/snap.rootfs_??????/,

Where to add this?

Revision history for this message
In , Stratos Zolotas (baskin) wrote :

(In reply to Christian Boltz from comment #2)
> Can you please confirm that you get a similar line in your audit.log when
> snap fails?

Can confirm the same message in audit.log:

type=AVC msg=audit(1685967805.185:497): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="/usr/libexec/snapd/snap-confine" name="/tmp/snap.rootfs_ou5oN6/" pid=13580 comm="snap-confine" fstype="tmpfs" srcname="none"
type=BPF msg=audit(1685967805.225:498): prog-id=66 op=UNLOAD

> If I got the log message right, adding the following rule to the
> snap-confine profile should fix the problem:
>
> mount fstype=tmpfs -> /tmp/snap.rootfs_??????/,

Yes it resolves the issue. I have added it in /etc/apparmor.d/usr.libexec.snapd.snap-confine

Thank you for the workaround.

Revision history for this message
In , Akontsevich (akontsevich) wrote :

(In reply to Stratos Zolotas from comment #4)
> (In reply to Christian Boltz from comment #2)

> > If I got the log message right, adding the following rule to the
> > snap-confine profile should fix the problem:
> >
> > mount fstype=tmpfs -> /tmp/snap.rootfs_??????/,
>
> Yes it resolves the issue. I have added it in
> /etc/apparmor.d/usr.libexec.snapd.snap-confine

Helped me as well - thank You all!

Revision history for this message
In , Akontsevich (akontsevich) wrote :

This PR has been opened to fix the issue https://github.com/snapcore/snapd/pull/12845

Revision history for this message
In , Maciej Borzecki (maciek-borzecki) wrote :

I'll cherry pick this patch for the upcoming 2.59.5 update.

Revision history for this message
In , Maciej Borzecki (maciek-borzecki) wrote :

Fun, the package status did not propagate to boo. Anyway, snapd 2.59.5 was pushed to the repository with the cherry pick included. If it's fixed for folks then feel free to close the bug.

Revision history for this message
In , Stratos Zolotas (baskin) wrote :

Can confirm the fix after latest update.

Revision history for this message
In , Stratos Zolotas (baskin) wrote :

I am again facing the same issue with all snaps (possibly not exactly the same problem, but similar).

cat /etc/os-release
NAME="openSUSE Tumbleweed"
# VERSION="20230612"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20230612"

stratos@teras:~> winbox
update.go:85: cannot change mount namespace according to change mount (/run/user/1000/doc/by-app/snap.winbox /run/user/1000/doc none bind,rw,x-snapd.ignore-missing 0 0): permission denied

stratos@teras:~> authy
update.go:85: cannot change mount namespace according to change mount (/run/user/1000/doc/by-app/snap.authy /run/user/1000/doc none bind,rw,x-snapd.ignore-missing 0 0): permission denied

Revision history for this message
In , Akontsevich (akontsevich) wrote :

(In reply to Stratos Zolotas from comment #10)
> I am facing again the same issue with all snaps (possibly not exactly the
> same problem but similar).

Yes, I have exactly the same today!

Revision history for this message
In , Maciej Borzecki (maciek-borzecki) wrote :

(In reply to Aleksey Kontsevich from comment #11)
> (In reply to Stratos Zolotas from comment #10)
> > I am facing again the same issue with all snaps (possibly not exactly the
> > same problem but similar).
>
> Yes, I have exactly the same today!

I don't think it's the same problem.

What I see is:

time->Wed Jun 14 13:18:59 2023
type=AVC msg=audit(1686741539.855:777): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.ohmygiraffe" name="/tmp/.snap/snap/ohmygiraffe/28/data-dir/themes/" pid=7298 comm="5" srcname="/snap/ohmygiraffe/28/data-dir/themes/" flags="rw, rbind"

while there is exactly a rule allowing this in /var/lib/snapd/apparmor/profiles/snap-update-ns.ohmygiraffe:

  mount options=(rbind, rw) "/snap/ohmygiraffe/28/data-dir/themes/" -> "/tmp/.snap/snap/ohmygiraffe/28/data-dir/themes/",

AFAICT the profile is loaded:

maciek@sloop:~ sudo aa-status|grep ohmygira
   snap-update-ns.ohmygiraffe
   snap.ohmygiraffe.hook.configure
   snap.ohmygiraffe.ohmygiraffe

Just to be extra sure I reloaded it again myself, and the effect is the same. I'm afraid someone with a deeper knowledge of apparmor is needed here.

description: updated
Revision history for this message
In , Suse-beta (suse-beta) wrote :

Upstream AppArmor is aware of the new issue. If everything works out as planned, I'll get a patch and can offer a test package tomorrow.

Revision history for this message
In , Akontsevich (akontsevich) wrote :

Hmmm... I have this error only for telegram, acestream works fine!

Revision history for this message
Timo Jyrinki (timo-jyrinki) wrote :
Changed in apparmor (Suse):
importance: Unknown → Medium
status: Unknown → Confirmed
Revision history for this message
In , Suse-beta (suse-beta) wrote :

Unfortunately the issue turned out to be more complicated - and, worse, hard to reproduce. Therefore I'll forward a request from
https://bugs.launchpad.net/bugs/2023814

    what is the kernel version, and can you attach the full profile.

Therefore: Please attach the full profile of a snap that causes the mount denial, ideally both
- the profile file itself, and
- the full profile with all includes inlined, which you can get with

    /sbin/apparmor_parser -pq /var/lib/snapd/apparmor/profiles/PROFILE_FILE > \
    /tmp/profile_with_includes

(replace PROFILE_FILE with the actual filename)

Please also include your kernel version ("uname -a" output).

Revision history for this message
In , Akontsevich (akontsevich) wrote :

> uname -a
Linux Aleksey 6.3.7-1-default #1 SMP PREEMPT_DYNAMIC Mon Jun 12 05:01:32 UTC 2023 (b5f9ff5) x86_64 x86_64 x86_64 GNU/Linux

Revision history for this message
In , Akontsevich (akontsevich) wrote :

Created attachment 867626
snap.telegram-desktop.telegram-desktop Profile

This one causes problems

Revision history for this message
In , Akontsevich (akontsevich) wrote :

Created attachment 867627
snap.acestreamplayer.engine Profile

this one works fine

Revision history for this message
In , Jrjohansen117 (jrjohansen117) wrote :

(In reply to Aleksey Kontsevich from comment #17)
> Created attachment 867626 [details]
> snap.telegram-desktop.telegram-desktop Profile
>
> This one causes problems

This profile does not contain any mount rules, and hence does not allow mount operations. The issue here is different than in #12, this one is snap not giving/generating the permission that is being denied.

Revision history for this message
In , Jrjohansen117 (jrjohansen117) wrote :

(In reply to Aleksey Kontsevich from comment #17)
> Created attachment 867626 [details]
> snap.telegram-desktop.telegram-desktop Profile
>
> This one causes problems

Can you provide the denial messages this one is causing?

Revision history for this message
In , Jrjohansen117 (jrjohansen117) wrote :

(In reply to Aleksey Kontsevich from comment #18)
> Created attachment 867627 [details]
> snap.acestreamplayer.engine Profile
>
> this one works fine

Interestingly this one doesn't have any mount rules either. Which makes seeing the errors for the telegram profile in comment #17 even more important to try and figure out your issue.

Revision history for this message
In , Akontsevich (akontsevich) wrote :

(In reply to John Johansen from comment #19)
> (In reply to Aleksey Kontsevich from comment #17)
> > Created attachment 867626 [details]
> > snap.telegram-desktop.telegram-desktop Profile
> >
> > This one causes problems
>
> This profile does not contain any mount rules, and hence does not allow
> mount operations. The issue here is different than in #12, this one is snap
> not giving/generating the permission that is being denied.

> ls /var/lib/snapd/apparmor/profiles/ -1
snap.acestreamplayer.acestreamplayer
snap.acestreamplayer.engine
snap.acestreamplayer.mpv
snap-confine.snapd.19122
snap-confine.snapd.19361
snap.telegram-desktop.hook.configure
snap.telegram-desktop.telegram-desktop
snap-update-ns.acestreamplayer
snap-update-ns.telegram-desktop

Which one do You need?

(In reply to John Johansen from comment #20)
> (In reply to Aleksey Kontsevich from comment #17)
> > Created attachment 867626 [details]
> > snap.telegram-desktop.telegram-desktop Profile
> >
> > This one causes problems
>
> Can you provide the denial messages, this one is causing?

> telegram-desktop
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/tmp/.X11-unix /tmp/.X11-unix none bind,ro 0 0): permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/fonts /usr/share/fonts none bind,ro 0 0): permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Adwaita /snap/telegram-desktop/4806/data-dir/icons/Adwaita none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Ambiant-MATE /snap/telegram-desktop/4806/data-dir/icons/Ambiant-MATE none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Breeze_Snow /snap/telegram-desktop/4806/data-dir/icons/Breeze_Snow none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/DMZ-Black /snap/telegram-desktop/4806/data-dir/icons/DMZ-Black none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/DMZ-White /snap/telegram-desktop/4806/data-dir/icons/DMZ-White none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/HighContrast /snap/telegram-desktop/4806/data-dir/icons/HighContrast none bind,ro 0 0): cannot create writable mimic over "/snap/telegram-desktop/4806": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/H...

Revision history for this message
In , Akontsevich (akontsevich) wrote :

Created attachment 867630
snap-update-ns.telegram-desktop profile

Revision history for this message
In , Akontsevich (akontsevich) wrote :

Created attachment 867631
snap-update-ns.acestreamplayer profile

Revision history for this message
In , Michel-filipe (michel-filipe) wrote :

This issue is happening with Spotify and Brave as well.

Revision history for this message
In , S-dev (s-dev) wrote :

Created attachment 867632
/sbin/apparmor_parser -pq /var/lib/snapd/apparmor/profiles/snap.chromium.hook.configure

> uname -a
Linux localhost.localdomain 6.3.7-1-default #1 SMP PREEMPT_DYNAMIC Mon Jun 12 05:01:32 UTC 2023 (b5f9ff5) x86_64 x86_64 x86_64 GNU/Linux

On the above system with apparmor 3.1.5-1.2, trying to install chromium as below fails.

> snap install chromium --channel=latest/candidate/hwacc
2023-06-16T19:12:57-04:00 INFO Waiting for automatic snapd restart...
error: cannot perform the following tasks:
- Run configure hook of "chromium" snap if present (run hook "configure":
-----
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/doc /usr/share/doc none bind,ro 0 0): permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/fonts /usr/share/fonts none bind,ro 0 0): permission denied
update.go:85: cannot change mount namespace according to change mount (/var/snap/cups/common/run /var/cups none bind,rw 0 0): permission denied
cannot update snap namespace: cannot create writable mimic over "/snap/chromium/2475": permission denied
snap-update-ns failed with code 1
-----)

On a related system with the same uname -a output, but with apparmor 3.1.4-2.1, chromium installs and works fine. The attachment snap.chromium.hook.configure_profile_with_includes is from that system.

Revision history for this message
In , Jrjohansen117 (jrjohansen117) wrote :

Thanks Aleksey, can you also include kernel log info? I don't need everything, just grep for DENIED.

You should see some messages that look similar to

[ 1095.589947] audit: type=1400 audit(1686889086.956:71): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="test" name="/tmp/.snap/etc/" pid=1472 comm="mount" srcname="/etc/" flags="rw, bind"

Revision history for this message
In , Michel-filipe (michel-filipe) wrote :

Created attachment 867633
/sbin/apparmor_parser -pq /var/lib/snapd/apparmor/profiles/snap-update-ns.spotify

> uname -a

Linux localhost.localdomain 6.3.7-1-default #1 SMP PREEMPT_DYNAMIC Mon Jun 12 05:01:32 UTC 2023 (b5f9ff5) x86_64 x86_64 x86_64 GNU/Linux

> spotify

type=AVC msg=audit(1686976996.738:744): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.spotify" name="/tmp/.snap/snap/spotify/67/data-dir/themes/" pid=20340 comm="5" srcname="/snap/spotify/67/data-dir/themes/" flags="rw, rbind"
type=AVC msg=audit(1686976996.730:676): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.spotify" name="/tmp/.snap/snap/spotify/67/data-dir/icons/" pid=20340 comm="5" srcname="/snap/spotify/67/data-dir/icons/" flags="rw, rbind"
type=AVC msg=audit(1686976996.734:690): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.spotify" name="/tmp/.snap/snap/spotify/67/data-dir/sounds/" pid=20340 comm="5" srcname="/snap/spotify/67/data-dir/sounds/" flags="rw, rbind"

Revision history for this message
In , Michel-filipe (michel-filipe) wrote :

Created attachment 867634
/sbin/apparmor_parser -pq /var/lib/snapd/apparmor/profiles/snap-update-ns.brave

> uname -a

Linux localhost.localdomain 6.3.7-1-default #1 SMP PREEMPT_DYNAMIC Mon Jun 12 05:01:32 UTC 2023 (b5f9ff5) x86_64 x86_64 x86_64 GNU/Linux

> brave

type=AVC msg=audit(1686977332.616:755): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="snap-update-ns.brave" name="/usr/share/fonts/" pid=22926 comm="5" srcname="/var/lib/snapd/hostfs/usr/share/fonts/" flags="rw, bind"
type=AVC msg=audit(1686977332.616:756): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.brave" name="/tmp/.snap/snap/brave/236/" pid=22926 comm="5" srcname="/snap/brave/236/" flags="rw, rbind"

Revision history for this message
In , Michel-filipe (michel-filipe) wrote :

Created attachment 867635
/sbin/apparmor_parser -pq /var/lib/snapd/apparmor/profiles/snap-update-ns.authy

> uname -a

Linux localhost.localdomain 6.3.7-1-default #1 SMP PREEMPT_DYNAMIC Mon Jun 12 05:01:32 UTC 2023 (b5f9ff5) x86_64 x86_64 x86_64 GNU/Linux

> authy

type=AVC msg=audit(1686977968.403:869): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.authy" name="/tmp/.snap/snap/authy/19/data-dir/themes/" pid=26702 comm="5" srcname="/snap/authy/19/data-dir/themes/" flags="rw, rbind"
type=AVC msg=audit(1686977968.403:815): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.authy" name="/tmp/.snap/snap/authy/19/data-dir/sounds/" pid=26702 comm="5" srcname="/snap/authy/19/data-dir/sounds/" flags="rw, rbind"
type=AVC msg=audit(1686977968.403:813): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.authy" name="/tmp/.snap/snap/authy/19/data-dir/icons/" pid=26702 comm="5" srcname="/snap/authy/19/data-dir/icons/" flags="rw, rbind"
type=AVC msg=audit(1686977968.403:870): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="snap-update-ns.authy" name="/tmp/.X11-unix/" pid=26702 comm="5" srcname="/var/lib/snapd/hostfs/tmp/.X11-unix/" flags="rw, bind"
type=AVC msg=audit(1686977968.419:871): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.authy" name="/run/user/1000/doc/" pid=26711 comm="5" srcname="/run/user/1000/doc/by-app/snap.authy/" flags="rw, bind"
type=AVC msg=audit(1686977968.399:761): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="snap-update-ns.authy" name="/snap/authy/19/gnome-platform/" pid=26702 comm="5" srcname="/snap/gnome-3-28-1804/198/" flags="rw, bind"
type=AVC msg=audit(1686977968.399:762): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="snap-update-ns.authy" name="/usr/share/fonts/" pid=26702 comm="5" srcname="/var/lib/snapd/hostfs/usr/share/fonts/" flags="rw, bind"
type=AVC msg=audit(1686977968.399:763): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="snap-update-ns.authy" name="/var/cache/fontconfig/" pid=26702 comm="5" srcname="/var/lib/snapd/hostfs/var/cache/fontconfig/" flags="rw, bind"

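The AVC denial lines quoted throughout this thread (the tmpfs root in comment #2, the rbind and bind denials above) all share one key=value record format. The following Python script is an added example, not code from this bug report, snapd or AppArmor: it parses such lines, proposes the mount rule each denial would need, and checks whether an equivalent rule is already in the profile source, which is the distinction between the missing snap-confine rule fixed in snapd 2.59.5 and the parser regression seen with apparmor 3.1.5 (comment #12, where a matching rule existed but was still denied). The sample log lines and profile text are constructed from the ones posted here; the presence check is a plain substring match on the source -> destination pair and assumes the profile text is passed in by the caller.

```python
"""Triage AppArmor mount denials from audit.log: propose the mount rule each
denial needs and flag denials whose rule already exists in the profile source.
Added example; not code from this bug report, snapd or AppArmor."""
import re
from collections import defaultdict

# key=value or key="value" pairs as printed in type=AVC audit records
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# snap-confine's tmpfs root: /tmp/snap.rootfs_ plus six random characters
_ROOTFS = re.compile(r'^/tmp/snap\.rootfs_[A-Za-z0-9]{6}/$')

# Constructed sample: three denial shapes from this thread plus one non-AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1685967805.185:497): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="/usr/libexec/snapd/snap-confine" name="/tmp/snap.rootfs_ou5oN6/" pid=13580 comm="snap-confine" fstype="tmpfs" srcname="none"
type=BPF msg=audit(1685967805.225:498): prog-id=66 op=UNLOAD
type=AVC msg=audit(1686976996.738:744): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.spotify" name="/tmp/.snap/snap/spotify/67/data-dir/themes/" pid=20340 comm="5" srcname="/snap/spotify/67/data-dir/themes/" flags="rw, rbind"
type=AVC msg=audit(1686977332.616:755): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="snap-update-ns.brave" name="/usr/share/fonts/" pid=22926 comm="5" srcname="/var/lib/snapd/hostfs/usr/share/fonts/" flags="rw, bind"
"""

# Constructed profile sources (not the real shipped profiles). The spotify rule
# is written the way comment #12 quotes it, so that denial is NOT a missing rule;
# the snap-confine snippet deliberately lacks a tmpfs rule.
SAMPLE_PROFILES = {
    "snap-update-ns.spotify": (
        'mount options=(rbind, rw) "/snap/spotify/67/data-dir/themes/" '
        '-> "/tmp/.snap/snap/spotify/67/data-dir/themes/",\n'
    ),
    "/usr/libexec/snapd/snap-confine": "# constructed: no tmpfs mount rule here\n",
}


def parse_avc(line):
    """Return the fields of an AppArmor DENIED record, or None for any other line."""
    fields = {}
    for key, raw, quoted in _KV.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    if fields.get("type") != "AVC" or fields.get("apparmor") != "DENIED":
        return None
    return fields


def suggest_mount_rule(ev):
    """Build the AppArmor mount rule that would cover this denial."""
    dst = ev.get("name", "")
    if ev.get("fstype") and ev.get("srcname") == "none":
        # Filesystem mount (snap-confine's tmpfs root). Generalise the random
        # suffix with "?" wildcards, as the rule proposed in comment #2 does.
        if _ROOTFS.match(dst):
            dst = "/tmp/snap.rootfs_??????/"
        return f'mount fstype={ev["fstype"]} -> "{dst}",'
    # Bind mount: audit prints the flags as "rw, bind"; reuse them as options=().
    opts = ev.get("flags", "")
    head = f"mount options=({opts}) " if opts else "mount "
    return f'{head}"{ev.get("srcname", "")}" -> "{dst}",'


def triage(log_text, profiles=None):
    """Group unique mount denials by profile. Each entry carries the audit reason
    (info=...), the rule that would cover it, and a verdict: rule missing from the
    profile source, rule already present (suspect the parser or a stale cache, as
    with apparmor 3.1.5 in this thread), or no profile source supplied."""
    profiles = profiles or {}
    result = defaultdict(list)
    seen = set()
    for line in log_text.splitlines():
        ev = parse_avc(line)
        if not ev or ev.get("operation") != "mount":
            continue
        rule = suggest_mount_rule(ev)
        profile = ev.get("profile", "?")
        if (profile, rule) in seen:
            continue
        seen.add((profile, rule))
        if profile not in profiles:
            verdict = "profile source not supplied"
        elif f'"{ev.get("srcname")}" -> "{ev.get("name")}"' in profiles[profile]:
            verdict = "rule present; suspect parser regression or stale cache"
        else:
            verdict = "rule missing"
        result[profile].append({"reason": ev.get("info"), "rule": rule, "verdict": verdict})
    return dict(result)


if __name__ == "__main__":
    for profile, entries in triage(SAMPLE_AUDIT_LOG, SAMPLE_PROFILES).items():
        print(profile)
        for e in entries:
            print(f"  [{e['reason']}] {e['verdict']}\n    {e['rule']}")
```

On a real system, feed it `grep DENIED /var/log/audit/audit.log` (or the journal) and the text of the profile under /var/lib/snapd/apparmor/profiles/; a "rule present" verdict is the cue to recompile with `apparmor_parser -rT` or check the parser version rather than to edit the profile.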
Revision history for this message
In , Akontsevich (akontsevich) wrote :

(In reply to John Johansen from comment #27)
> Thanks Aleksey, can you also include kernel log info.

Command or path?

>I don't need everything just grep for DENIED

Revision history for this message
In , Suse-beta (suse-beta) wrote :

(In reply to Aleksey Kontsevich from comment #31)
> (In reply to John Johansen from comment #27)
> > Thanks Aleksey, can you also include kernel log info.
>
> Command or path?

grep DENIED /var/log/audit/audit.log
(if you don't have auditd running, grep DENIED /var/log/messages or the journalctl -b output)

Revision history for this message
In , Akontsevich (akontsevich) wrote :

Created attachment 867652
kernel.log

Revision history for this message
In , Akontsevich (akontsevich) wrote :

(In reply to Christian Boltz from comment #32)
> grep DENIED /var/log/audit/audit.log

This one attached.

Revision history for this message
Ilgaz (ilgaz) wrote :

Linux mbt 6.3.7-1-default #1 SMP PREEMPT_DYNAMIC Mon Jun 12 05:01:32 UTC 2023 (b5f9ff5) x86_64 x86_64 x86_64 GNU/Linux

Revision history for this message
In , Criguada+opensuse (criguada+opensuse) wrote :

Same problem here with Authy and scrcpy.
openSuse Tumbleweed.

cris@polaris:~> uname -a
Linux polarisuse 6.3.7-1-default #1 SMP PREEMPT_DYNAMIC Mon Jun 12 05:01:32 UTC 2023 (b5f9ff5) x86_64 x86_64 x86_64 GNU/Linux

Cris

Revision history for this message
In , Suse-beta (suse-beta) wrote :

Packages with the proposed upstream patch just finished building in my home repo. To get them, you can either add the repo
    http://download.opensuse.org/repositories/home:/cboltz/openSUSE_Factory/
or you can download the package x86_64/apparmor-parser-3.1.5-947.1.x86_64.rpm and only install that ("zypper in ./apparmor-parser-3.1.5-947.1.x86_64.rpm")

(Only the apparmor-parser package changed, there's no need to install other packages from my home repo.)

After installing the (hopefully) fixed apparmor-parser package from home:cboltz, please test if snap now works, and report back.
(If you still notice failures, please attach the profile and the audit.log.)

Revision history for this message
In , Akontsevich (akontsevich) wrote :

(In reply to Christian Boltz from comment #36)
> Packages with the proposed upstream patch just finished building in my home
> repo. To get them, you can either add the repo
> http://download.opensuse.org/repositories/home:/cboltz/openSUSE_Factory/
> or you can download the package
> x86_64/apparmor-parser-3.1.5-947.1.x86_64.rpm and only install that ("zypper
> in ./apparmor-parser-3.1.5-947.1.x86_64.rpm")

Shorter variant:

sudo zypper in http://download.opensuse.org/repositories/home:/cboltz/openSUSE_Factory/x86_64/apparmor-parser-3.1.5-947.1.x86_64.rpm

> After installing the (hopefully) fixed apparmor-parser package from
> home:cboltz, please test if snap now works, and report back.
> (If you still notice failures, please attach the profile and the audit.log.)

Not fixed, same errors for telegram.

Revision history for this message
In , Akontsevich (akontsevich) wrote :

(In reply to Aleksey Kontsevich from comment #37)
> (In reply to Christian Boltz from comment #36)

> > After installing the (hopefully) fixed apparmor-parser package from
> > home:cboltz, please test if snap now works, and report back.
> > (If you still notice failures, please attach the profile and the audit.log.)
>
> Not fixed, same errors for telegram.

Sorry, telegram works now:

> sudo systemctl restart apparmor.service

did not help for some reason, so I was forced to restart the PC.

Revision history for this message
In , Suse-beta (suse-beta) wrote :

(In reply to Aleksey Kontsevich from comment #38)
> > sudo systemctl restart apparmor.service
>
> did not helped for some reason, so forced to restart PC.

Wild guess: The snap profiles live in /var/lib/snapd/apparmor/profiles/, right?

"systemctl restart apparmor" will only reload the profiles in /etc/apparmor.d/, so you'll need to somehow force snap to reload the profile. Of course, rebooting is a way to do this, but maybe
    apparmor_parser -r /var/lib/snapd/apparmor/profiles/
is less annoying ;-)
(I don't use snap, therefore I don't know if there is a more "official" method to force a reload of its AppArmor profiles.)

Revision history for this message
In , Criguada+opensuse (criguada+opensuse) wrote :

Thank you @ChristianBoltz, with your fixed package my snaps are working now.
As Aleksey said, `systemctl restart apparmor.service` did not help.
I also tried the command you suggested (apparmor_parser -r /var/lib/snapd/apparmor/profiles/), but it didn't work either.
After a reboot everything is working smoothly.

Revision history for this message
In , Michel-filipe (michel-filipe) wrote :

> After installing the (hopefully) fixed apparmor-parser package from home:cboltz, please test if snap now works, and report back.

Brave, Spotify, Authy, VSCode, Opera and Slack are working with your package. Thanks for your effort to find a solution!

Revision history for this message
In , S-dev (s-dev) wrote :

(In reply to Christian Boltz from comment #36)
> Packages with the proposed upstream patch just finished building in my home
> repo. To get them, you can either add the repo
> http://download.opensuse.org/repositories/home:/cboltz/openSUSE_Factory/
> or you can download the package
> x86_64/apparmor-parser-3.1.5-947.1.x86_64.rpm and only install that ("zypper
> in ./apparmor-parser-3.1.5-947.1.x86_64.rpm")
>
> (Only the apparmor-parser package changed, there's no need to install other
> packages from my home repo.)
>
> After installing the (hopefully) fixed apparmor-parser package from
> home:cboltz, please test if snap now works, and report back.
> (If you still notice failures, please attach the profile and the audit.log.)

Confirming that the apparmor-parser package from home:cboltz makes chromium from snap work again.

Revision history for this message
In , Jrjohansen117 (jrjohansen117) wrote :

(In reply to Cristiano Guadagnino from comment #40)
> Thank you @ChristianBoltz, with your fixed package my snaps are working now.
> As Aleksey told, `systemctl restart apparmor.service` did not help.
> I also tried the command you suggested (apparmor_parser -r
> /var/lib/snapd/apparmor/profiles/), but it didn't work either.
> After a reboot everything is working smoothly.

Sorry, you would have needed to use

  apparmor_parser -rT /var/lib/snapd/apparmor/profiles/

The -T will cause apparmor to skip reading from the cache, forcing it to recompile the profiles. Since neither the profile files nor the include files were changed, apparmor will think the already compiled policy in the cache is still valid and load that.

Revision history for this message
In , Jrjohansen117 (jrjohansen117) wrote :

(In reply to Christian Boltz from comment #39)
> (In reply to Aleksey Kontsevich from comment #38)
> > > sudo systemctl restart apparmor.service
> >
> > did not helped for some reason, so forced to restart PC.
>
> Wild guess: The snap profiles live in /var/lib/snapd/apparmor/profiles/,
> right?
>
> "systemctl restart apparmor" will only reload the profiles in
> /etc/apparmor.d/, so you'll need to somehow force snap to reload the
> profile. Of course, rebooting is a way to do this, but maybe
> apparmor_parser -r /var/lib/snapd/apparmor/profiles/
> is less annoying ;-)
> (I don't use snap, therefore i don't know if there is a more "official"
> method to force a reload of its AppArmor profiles.)

There isn't an official way, because ideally users shouldn't be tweaking/changing the snap-generated profiles. You can try restarting the snapd.apparmor.service, but afaik that will still run into the cached-profiles problem (i.e. not rebuilding the cache, and just using that instead).

That could be worked around by manually deleting the profile cache, and then restarting the service.

With the newest versions of snapd vendoring apparmor, it might even be required to use the snapd.apparmor service because snap profiles might have policy rules that the system parser doesn't understand.

Revision history for this message
In , Jrjohansen117 (jrjohansen117) wrote :

Thanks for all the verifications. Upstream apparmor will roll a 3.1.6 release with the fix, so cboltz can get it released asap.

Revision history for this message
In , Jrjohansen117 (jrjohansen117) wrote :

AppArmor 3.1.6 has been released upstream. Thanks everyone for the reports and testing.

https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.6

Revision history for this message
In , Bwiedemann+obsbugzillabot (bwiedemann+obsbugzillabot) wrote :

This is an autogenerated message for OBS integration:
This bug (1211989) was mentioned in
https://build.opensuse.org/request/show/1094655 Factory / apparmor

Changed in snapd:
status: New → Fix Committed
importance: Undecided → High
Revision history for this message
In , Suse-beta (suse-beta) wrote :

The SR with AppArmor 3.1.6 was accepted and will be part of one of the next Tumbleweed snapshots.

For those who tested the apparmor-parser package from my home repo, please don't forget to switch back to the Tumbleweed package (as soon as 3.1.6 is available there).

Revision history for this message
In , Akontsevich (akontsevich) wrote :

(In reply to John Johansen from comment #46)
> AppArmor 3.1.6 has been released upstream. Thanks everyone for the reports
> and testing

Works fine! Thanks to all!!!

Changed in apparmor (Suse):
status: Confirmed → Fix Released