Just confirm it not apparmor related. In our installation, policy is in complain mode. See:
root@xxx-xxxxxx:~# aa-status apparmor module is loaded. 63 profiles are loaded. 43 profiles are in enforce mode. /snap/snapd/17029/usr/lib/snapd/snap-confine /snap/snapd/17029/usr/lib/snapd/snap-confine//mount-namespace-capture-helper /snap/snapd/17336/usr/lib/snapd/snap-confine /snap/snapd/17336/usr/lib/snapd/snap-confine//mount-namespace-capture-helper /snap/snapd/17576/usr/lib/snapd/snap-confine /snap/snapd/17576/usr/lib/snapd/snap-confine//mount-namespace-capture-helper /snap/snapd/17883/usr/lib/snapd/snap-confine /snap/snapd/17883/usr/lib/snapd/snap-confine//mount-namespace-capture-helper /snap/snapd/17950/usr/lib/snapd/snap-confine /snap/snapd/17950/usr/lib/snapd/snap-confine//mount-namespace-capture-helper /snap/snapd/18357/usr/lib/snapd/snap-confine /snap/snapd/18357/usr/lib/snapd/snap-confine//mount-namespace-capture-helper /snap/snapd/18596/usr/lib/snapd/snap-confine /snap/snapd/18596/usr/lib/snapd/snap-confine//mount-namespace-capture-helper /usr/bin/man /usr/lib/NetworkManager/nm-dhcp-client.action /usr/lib/NetworkManager/nm-dhcp-helper /usr/lib/connman/scripts/dhclient-script /usr/lib/snapd/snap-confine /usr/lib/snapd/snap-confine//mount-namespace-capture-helper /usr/sbin/tcpdump /{,usr/}sbin/dhclient chromium_browser//browser_java chromium_browser//browser_openjdk chromium_browser//sanitized_helper lsb_release man_filter man_groff nvidia_modprobe nvidia_modprobe//kmod snap-update-ns.lxd snap.lxd.activate snap.lxd.benchmark snap.lxd.buginfo snap.lxd.check-kernel snap.lxd.daemon snap.lxd.hook.configure snap.lxd.hook.install snap.lxd.hook.remove snap.lxd.lxc snap.lxd.lxc-to-lxd snap.lxd.lxd snap.lxd.migrate 20 profiles are in complain mode. /usr/sbin/dnsmasq /usr/sbin/dnsmasq//libvirt_leaseshelper avahi-daemon chromium_browser chromium_browser//chromium_browser_sandbox chromium_browser//lsb_release chromium_browser//xdgsettings identd klogd mdnsd nmbd nscd ping smbd smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd smbldap-useradd smbldap-useradd///etc/init.d/nscd syslog-ng syslogd traceroute 6 processes have profiles defined. 0 processes are in enforce mode. 6 processes are in complain mode. /usr/sbin/nmbd (2967123) nmbd /usr/sbin/smbd (2508135) smbd /usr/sbin/smbd (2967228) smbd /usr/sbin/smbd (2967230) smbd /usr/sbin/smbd (2967231) smbd /usr/sbin/smbd (2967232) smbd 0 processes are unconfined but have a profile defined.
Also, at /var/log/audit/audit.log no "denied" notification was reported. All allowed.
In any case, we tried Disabling or uninstalling AppArmor but did not make any difference. Downgrading did.
Just confirm it not apparmor related. In our installation, policy is in complain mode. See:
root@xxx-xxxxxx:~# aa-status snapd/17029/ usr/lib/ snapd/snap- confine snapd/17029/ usr/lib/ snapd/snap- confine/ /mount- namespace- capture- helper snapd/17336/ usr/lib/ snapd/snap- confine snapd/17336/ usr/lib/ snapd/snap- confine/ /mount- namespace- capture- helper snapd/17576/ usr/lib/ snapd/snap- confine snapd/17576/ usr/lib/ snapd/snap- confine/ /mount- namespace- capture- helper snapd/17883/ usr/lib/ snapd/snap- confine snapd/17883/ usr/lib/ snapd/snap- confine/ /mount- namespace- capture- helper snapd/17950/ usr/lib/ snapd/snap- confine snapd/17950/ usr/lib/ snapd/snap- confine/ /mount- namespace- capture- helper snapd/18357/ usr/lib/ snapd/snap- confine snapd/18357/ usr/lib/ snapd/snap- confine/ /mount- namespace- capture- helper snapd/18596/ usr/lib/ snapd/snap- confine snapd/18596/ usr/lib/ snapd/snap- confine/ /mount- namespace- capture- helper lib/NetworkMana ger/nm- dhcp-client. action lib/NetworkMana ger/nm- dhcp-helper lib/connman/ scripts/ dhclient- script lib/snapd/ snap-confine lib/snapd/ snap-confine/ /mount- namespace- capture- helper sbin/tcpdump }sbin/dhclient browser/ /browser_ java browser/ /browser_ openjdk browser/ /sanitized_ helper modprobe/ /kmod update- ns.lxd lxd.activate lxd.benchmark lxd.check- kernel lxd.hook. configure lxd.hook. install lxd.hook. remove lxd.lxc- to-lxd sbin/dnsmasq sbin/dnsmasq/ /libvirt_ leaseshelper browser/ /chromium_ browser_ sandbox browser/ /lsb_release browser/ /xdgsettings /null-/ usr/lib/ x86_64- linux-gnu/ samba/samba- bgqd useradd/ //etc/init. d/nscd
apparmor module is loaded.
63 profiles are loaded.
43 profiles are in enforce mode.
/snap/
/snap/
/snap/
/snap/
/snap/
/snap/
/snap/
/snap/
/snap/
/snap/
/snap/
/snap/
/snap/
/snap/
/usr/bin/man
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/{,usr/
chromium_
chromium_
chromium_
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_
snap-
snap.
snap.
snap.lxd.buginfo
snap.
snap.lxd.daemon
snap.
snap.
snap.
snap.lxd.lxc
snap.
snap.lxd.lxd
snap.lxd.migrate
20 profiles are in complain mode.
/usr/
/usr/
avahi-daemon
chromium_browser
chromium_
chromium_
chromium_
identd
klogd
mdnsd
nmbd
nscd
ping
smbd
smbd/
smbldap-useradd
smbldap-
syslog-ng
syslogd
traceroute
6 processes have profiles defined.
0 processes are in enforce mode.
6 processes are in complain mode.
/usr/sbin/nmbd (2967123) nmbd
/usr/sbin/smbd (2508135) smbd
/usr/sbin/smbd (2967228) smbd
/usr/sbin/smbd (2967230) smbd
/usr/sbin/smbd (2967231) smbd
/usr/sbin/smbd (2967232) smbd
0 processes are unconfined but have a profile defined.
Also, at /var/log/ audit/audit. log no "denied" notification was reported. All allowed.
In any case, we tried Disabling or uninstalling AppArmor but did not make any difference. Downgrading did.