Comment 4 for bug 1742687

Jamie Strandboge (jdstrand) wrote :

Adding apparmor since this may be related to libapparmor. zyga will provide more details, but essentially, when userd is not running (i.e., dbus activation is used) and a snap tries to use userd to open a URL, there is this denial:

sty 15 15:34:45 kaedwen dbus-daemon[1242]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/io/snapcraft/Launcher" interface="io.snapcraft.Launcher" member="OpenURL" mask="send" name="io.snapcraft.Launcher" pid=5773 label="snap.gimp.gimp"

even though we have this in the policy:
dbus (send)
    bus=session
    path=/io/snapcraft/Launcher
    interface=io.snapcraft.Launcher
    member=OpenURL
    peer=(label=unconfined),

Curiously, the above denial lacks a 'peer_label' (on artful, removing the above rule(s), the denial has 'peer_label=unconfined'). This does not happen on artful, and there the above rule is sufficient whether or not dbus activation is used. On bionic, once userd is running, there is no denial and the browser is launched. If 'peer=(label=unconfined)' is removed from the dbus rule, things work (according to zyga).

It isn't clear if this is a bug in libapparmor or dbus-daemon, so adding the apparmor task.

Steps to reproduce:
1. snap install gimp
2. ps auxww|grep userd # if 'snap userd' is running, kill it
3. /snap/bin/gimp
4. Help/Gimp Online/Developer Web Site

Note if adjusting the profile in /var/lib/snapd/apparmor/profiles/snap.gimp.gimp, there are several rules for com.canonical.SafeLauncher (the old service) and io.snapcraft.Launcher (the new service).
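
Added example, not part of the original comment: a small triage script that parses AppArmor D-Bus denial lines and reports the ones that carry no 'peer_label' field, which is the symptom described above. The first sample line is the denial quoted in the comment; the second is a constructed variant with 'peer_label="unconfined"' for contrast, and the function names are hypothetical.

```python
import re

# Matches key="value" or key=value pairs as they appear in AppArmor messages.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
MARKER = 'apparmor="DENIED"'

def parse_denial(line):
    """Return the AppArmor fields of a denial line as a dict, else None."""
    start = line.find(MARKER)
    if start < 0:
        return None
    return {k: (q if q else u) for k, q, u in FIELD_RE.findall(line[start:])}

def dbus_denials_missing_peer_label(lines):
    """Return parsed D-Bus denials that have no peer_label field."""
    missing = []
    for line in lines:
        fields = parse_denial(line)
        if not fields or not fields.get("operation", "").startswith("dbus_"):
            continue
        if "peer_label" not in fields:
            missing.append(fields)
    return missing

# Denial as quoted in the comment above (bionic, userd not yet running).
LINE_FROM_REPORT = (
    'sty 15 15:34:45 kaedwen dbus-daemon[1242]: apparmor="DENIED" '
    'operation="dbus_method_call" bus="session" path="/io/snapcraft/Launcher" '
    'interface="io.snapcraft.Launcher" member="OpenURL" mask="send" '
    'name="io.snapcraft.Launcher" pid=5773 label="snap.gimp.gimp"'
)
# Constructed sample: same denial with a peer_label, as the comment says artful logs.
LINE_CONSTRUCTED = LINE_FROM_REPORT + ' peer_label="unconfined"'
SAMPLE = [LINE_FROM_REPORT, LINE_CONSTRUCTED, "unrelated journal line"]

if __name__ == "__main__":
    for f in dbus_denials_missing_peer_label(SAMPLE):
        print("no peer_label: label=%s %s.%s mask=%s"
              % (f["label"], f["interface"], f["member"], f["mask"]))
```

To run it against a live system, feed it the session bus daemon's journal lines in place of SAMPLE.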