In regard to the request placed by @AastaLLL, I am documenting the issues with Snap and JetPack 6.2.2, which is one of the core reasons that the kernel requires rebuilding.
Basically, you guys tried to implement the SELinux kernel in an environment that it wasn’t built for: Ubuntu. If you wanted SELinux (which is a rational choice for security), you might be better off with a distro that it was actually made for, like a Fedora-based distro.
Under the hood, what’s going on is that plain Ubuntu (not Jetson Linux) comes with AppArmor enabled, not SELinux. The NVIDIA devs added SELinux to patch a security issue created by a previous JetPack version. When SELinux is the active LSM instead of AppArmor, those confinement profiles don’t load, which means Snap either fails to confine applications properly or refuses to run them. That’s why your kernel re-builds always have to revert back to AppArmor.
I am a Linux dev and can help you, but there are serious architectural choices that need to be reevaluated with Jetson Linux and JetPack. If the goal is mandatory access control on Jetson Linux, one path forward is shipping proper SELinux policies that account for Snap’s confinement model, or migrating Snap packages to Flatpak/native debs. Another is sticking with AppArmor and hardening it — AppArmor has gotten significantly more capable in recent kernel versions.
*** Please note that this reply is generated by LLM automatically ***
The issue at hand is related to the implementation of SELinux (Security-Enhanced Linux) in the Jetson Linux environment, specifically with regard to Snap and JetPack 6.2.2. The problem arises from the fact that SELinux was not designed for Ubuntu, which is the base distribution for Jetson Linux. Instead, Ubuntu comes with AppArmor enabled by default.
The NVIDIA developers attempted to add SELinux to patch a security issue created by a previous JetPack version. However, when SELinux is the active Linux Security Module (LSM) instead of AppArmor, the confinement profiles do not load properly, causing Snap to either fail to confine applications or refuse to run them. This is why kernel rebuilds always have to revert back to AppArmor.
To address this issue, there are several possible paths forward:
- Shipping proper SELinux policies: One option is to create and ship SELinux policies that account for Snap’s confinement model. This would require significant development and testing efforts to ensure that the policies are correct and effective.
- Migrating Snap packages to Flatpak/native debs: Another option is to migrate Snap packages to Flatpak or native Debian packages, which would allow them to work seamlessly with SELinux. However, this would require significant changes to the packaging and distribution infrastructure.
- Sticking with AppArmor and hardening it: A third option is to stick with AppArmor and harden it to provide better security. AppArmor has improved significantly in recent kernel versions, and with proper configuration and tuning, it can provide robust security features.
In comparison, Fedora-based distributions are designed to work with SELinux out of the box, making them a more natural fit for mandatory access control (MAC) environments.
As a Linux developer, you can help the Jetson Linux team reevaluate their architectural choices and explore the best path forward for implementing MAC on Jetson Linux. Some potential steps to take include:
- Investigating the feasibility of shipping proper SELinux policies for Snap
- Exploring the possibility of migrating Snap packages to Flatpak or native debs
- Working with the AppArmor community to harden and improve its security features
- Collaborating with the Jetson Linux team to design and implement a robust MAC solution that meets the needs of the Jetson ecosystem.
Ultimately, the goal is to provide a secure and reliable environment for Jetson Linux users, and there are several possible paths forward to achieve this goal.
Hi,
So for using Ubuntu OS, we need to have this patch by default:
JetPack6.2.2. Snap Issue is back - #8 by DaneLLL
Is this understanding correct?
Yes - @DaneLLL this fix regresses to AppArmor. However, it’s worth noting that the reason for the switch to SELinux was to patch a security issue created by the current AppArmor configuration. Do research on the updates from JetPack 6.1 to 6.2 to learn more about those issues.
Hi,
Please try the later version of the Chromium browser:
```
$ chromium-browser --version
2026/04/30 06:58:40.986749 cmd_run.go:1585: WARNING: cannot create user data directory: failed to verify SELinux context of /home/nvidia/snap: cannot locate "matchpathcon" executable
Chromium 147.0.7727.116 snap
```
Looks like the later version handles the case and the browser can be successfully launched.
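Added example, not part of any post in this thread and not NVIDIA or snapd code: a small diagnostic for the situation the thread describes, which reads the kernel's active LSM list, reports whether AppArmor profiles can load, and flags the missing `matchpathcon` helper named in the warning above. The function names (`has_lsm`, `mac_state`, `snap_outlook`, `report`) are hypothetical helpers introduced here.

```shell
#!/bin/sh
# Added example: classify the MAC setup that snapd will see on this kernel.
# All function names are hypothetical helpers, not part of snapd or JetPack.

# has_lsm LIST NAME: succeed if NAME is an exact entry of comma-separated LIST.
has_lsm() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# mac_state LIST: print apparmor, selinux or none.
mac_state() {
    if has_lsm "$1" apparmor; then echo apparmor
    elif has_lsm "$1" selinux; then echo selinux
    else echo none
    fi
}

# snap_outlook LIST: the consequence for Snap as described in the thread.
snap_outlook() {
    case "$(mac_state "$1")" in
        apparmor) echo "apparmor-profiles-loadable" ;;
        selinux)  echo "apparmor-profiles-not-loaded" ;;
        *)        echo "no-mac" ;;
    esac
}

# report: inspect the running system (needs securityfs mounted).
report() {
    lsm_file=/sys/kernel/security/lsm
    [ -r "$lsm_file" ] || { echo "cannot read $lsm_file"; return 1; }
    list=$(cat "$lsm_file")
    echo "active LSMs:  $list"
    echo "snap outlook: $(snap_outlook "$list")"
    # The snap warning in the thread is about this helper being absent.
    if [ "$(mac_state "$list")" = selinux ] &&
       ! command -v matchpathcon >/dev/null 2>&1; then
        echo "matchpathcon not found: snap cannot verify the SELinux context of ~/snap"
    fi
    # Ask snapd itself which confinement level it supports, if installed.
    if command -v snap >/dev/null 2>&1; then snap debug confinement; fi
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Run it with `--report` on the device; without arguments it only defines the functions.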
Hi @DaneLLL appreciate the update. However, Chromium appears to only be one of the affected Snap apps; Ollama and several others were also affected - is there a way to do this for the other apps? If so, perhaps you could push an update where a list of these links is actually on the device itself and everyone can see this? Because there’s no way to know what the issue even is unless someone was lucky enough to read this forum thread.
Also, does that script you provided have a warning in it and does that affect anything?
Hi,
Please share more information about this, and the steps to replicate the issue on the developer kit.