Comment 30 for bug 1951210

Attaching the logs when running chromium. The /usr/share/libreoffice is missing from chromium's mount namespace, and the logs show that an error occurred when creating it:

======
change.go:446: DEBUG: remove "/tmp/.snap/usr/share" (error: <nil>)
change.go:320: DEBUG: mount name:"/var/lib/snapd/hostfs/usr/share/gtk-doc" dir:"/usr/share/gtk-doc" type:"none" opts:MS_BIND|MS_RDONLY unparsed:"" (error: <nil>)
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/libreoffice/help /usr/share/libreoffice/help none bind,ro 0 0): cannot create directory "/usr/share/libreoffice/help": permission denied
======

and indeed there's an AppArmor failure about it:

audit[38124]: AVC apparmor="DENIED" operation="mkdir" profile="snap-update-ns.chromium" name="/usr/share/libreoffice/help/" pid=38124 comm="5" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

It's possible (but I still have to study the code better) that the last parameter of apparmor.GenWritableProfile() needs to be a "2" instead of a "3". But I still have to understand why our integration tests didn't catch this failure, since they are actually verifying that the libreoffice dir is readable.