Adding apparmor since this may be related to libapparmor. zyga will provide more details, but essentially, when userd is not running (i.e., dbus activation is used) and a snap tries to use userd to open a URL, there is this denial:

sty 15 15:34:45 kaedwen dbus-daemon[1242]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/io/snapcraft/Launcher" interface="io.snapcraft.Launcher" member="OpenURL" mask="send" name="io.snapcraft.Launcher" pid=5773 label="snap.gimp.gimp"

even though we have this in the policy:

  dbus (send)
      bus=session
      path=/io/snapcraft/Launcher
      interface=io.snapcraft.Launcher
      member=OpenURL
      peer=(label=unconfined),

Curiously, the above denial lacks a 'peer_label' (on artful, removing the above rule(s), the denial has 'peer_label=unconfined'). This does not happen on artful, and the above rule is sufficient whether or not dbus activation is used. On bionic, once userd is running, there is no denial and the browser is launched. If 'peer=(label=unconfined)' is removed from the dbus rule, things work (according to zyga).

It isn't clear if this is a bug in libapparmor or dbus-daemon, so adding the apparmor task.

Steps to reproduce:
1. snap install gimp
2. ps auxww|grep userd # if 'snap userd' is running, kill it
3. /snap/bin/gimp
4. Help/Gimp Online/Developer Web Site

Note if adjusting the profile in /var/lib/snapd/apparmor/profiles/snap.gimp.gimp, there are several rules for com.canonical.SafeLauncher (the old service) and io.snapcraft.Launcher (the new service).
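
A log-triage helper for the situation in the report above, added here as an example and not part of the original report, snapd or AppArmor: it parses dbus-daemon denial lines and lists the conditions of the quoted rule that the denial contradicts or has no field for. The field-by-field comparison is a simplification for reading logs, not AppArmor's matching logic; `RULE`, `triage`, the mapping of `peer=(label=...)` to `peer_label`, and the second sample line are assumptions made for the example.

```python
import re

# Denial quoted in the report (bionic, userd not yet running).
BIONIC = ('sty 15 15:34:45 kaedwen dbus-daemon[1242]: apparmor="DENIED" '
          'operation="dbus_method_call" bus="session" '
          'path="/io/snapcraft/Launcher" interface="io.snapcraft.Launcher" '
          'member="OpenURL" mask="send" name="io.snapcraft.Launcher" '
          'pid=5773 label="snap.gimp.gimp"')
# Constructed sample: the same line carrying the peer_label field that the
# report says appears on artful.
WITH_PEER = BIONIC + ' peer_label="unconfined"'

# Conditions of the dbus rule quoted in the report, keyed by the denial
# field each one is compared with (assumed mapping: peer=(label=...) ->
# peer_label).
RULE = {"mask": "send", "bus": "session", "path": "/io/snapcraft/Launcher",
        "interface": "io.snapcraft.Launcher", "member": "OpenURL",
        "peer_label": "unconfined"}

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of an AppArmor denial line, else None."""
    _, sep, rest = line.partition("apparmor=")
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in FIELD.finditer(sep + rest)}
    return fields if fields.get("apparmor") == "DENIED" else None

def triage(line, rule=RULE):
    """Report rule conditions that the denial contradicts or never carried."""
    denial = parse_denial(line)
    if denial is None or not denial.get("operation", "").startswith("dbus_"):
        return None
    status = {}
    for key, want in rule.items():
        if key not in denial:
            status[key] = "absent"      # nothing in the message to compare
        else:
            status[key] = "match" if denial[key] == want else "mismatch"
    return {"label": denial.get("label"),
            "unresolved": sorted(k for k, v in status.items() if v != "match"),
            "status": status}

if __name__ == "__main__":
    for name, line in (("bionic", BIONIC), ("with peer_label", WITH_PEER)):
        print(name, triage(line)["unresolved"])
```

For the denial from the report the only unresolved condition is `peer_label`, reported as absent rather than mismatched, which separates this case from a denial where the peer label is present but differs from the rule.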