We have discovered this is due to the fact that the command being run is writing to a file directly, and strict confinement of snaps not being able to write the file is the problem. We were able to reproduce the problem with the following Python snippet:
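from subprocess import Popen, PIPE, STDOUT

command = ['timeout', '300s', 'maas', 'status']
# The child inherits this file descriptor as its stdout/stderr.
file = open("my_file", mode="w+")
p = Popen(command, shell=False, stdout=file, stderr=STDOUT, bufsize=-1, close_fds=True)
p.wait(300)
print(p.returncode)
# The child shares the file offset, so rewind before reading back its output.
file.seek(0)
print(file.readlines())
file.close()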
Logs from the reporter:
Jun 20 17:54:39 cyberfarm kernel: [1077437.438930] audit: type=1400 audit(1718895279.617:227878): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-maas_<var-snap-lxd-common-lxd>" profile="/snap/snapd/21759/usr/lib/snapd/snap-confine" name="/tmp/sos/my_file" pid=3168174 comm="snap-confine" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=1000000
Jun 20 17:54:39 cyberfarm kernel: [1077437.438938] audit: type=1400 audit(1718895279.617:227879): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-maas_<var-snap-lxd-common-lxd>" profile="/snap/snapd/21759/usr/lib/snapd/snap-confine" name="/tmp/sos/my_file" pid=3168174 comm="snap-confine" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=1000000
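For triage of this failure mode, the following added example (not part of the original report or of any project's code) parses AppArmor audit lines in the format shown above and counts the file_inherit denials per profile, path and denied mask. The first two sample lines are the ones quoted in the report; the third is constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# First two lines are the kernel messages quoted in this report; the third is
# constructed for the example (a complain-mode record the filter must skip).
SAMPLE_LOG = "\n".join([
    'Jun 20 17:54:39 cyberfarm kernel: [1077437.438930] audit: type=1400 audit(1718895279.617:227878): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-maas_<var-snap-lxd-common-lxd>" profile="/snap/snapd/21759/usr/lib/snapd/snap-confine" name="/tmp/sos/my_file" pid=3168174 comm="snap-confine" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=1000000',
    'Jun 20 17:54:39 cyberfarm kernel: [1077437.438938] audit: type=1400 audit(1718895279.617:227879): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-maas_<var-snap-lxd-common-lxd>" profile="/snap/snapd/21759/usr/lib/snapd/snap-confine" name="/tmp/sos/my_file" pid=3168174 comm="snap-confine" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=1000000',
    'Jun 20 17:55:01 cyberfarm kernel: [1077459.000000] audit: type=1400 audit(1718895301.000:227900): apparmor="ALLOWED" operation="open" class="file" profile="constructed-profile" name="/tmp/constructed" pid=1 comm="constructed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
])

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')     # key="quoted" or key=bare
AUDIT_ID = re.compile(r'audit\((\d+\.\d+):(\d+)\)')  # audit(epoch:serial)


def parse_record(line):
    """Parse one AppArmor audit line into a dict; None if it is not one."""
    ident = AUDIT_ID.search(line)
    if ident is None or "apparmor=" not in line:
        return None
    rec = {"epoch": float(ident.group(1)), "serial": int(ident.group(2))}
    # Only scan the fields that follow the audit(...) identifier.
    for m in FIELD.finditer(line, ident.end()):
        rec[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return rec


def inherited_fd_denials(log_text):
    """Records where a confined process was refused an inherited descriptor."""
    out = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("apparmor") == "DENIED" and rec.get("operation") == "file_inherit":
            out.append(rec)
    return out


def summarize(log_text):
    """Count denials per (profile, inherited path, denied access mask)."""
    return Counter((r.get("profile"), r.get("name"), r.get("denied_mask"))
                   for r in inherited_fd_denials(log_text))


if __name__ == "__main__":
    for (profile, path, mask), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x {profile} denied '{mask}' on inherited {path}")
```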