apparmor_parser does not correctly handle profile namespaces when 'profile' keyword is used

Bug #1544387 reported by Tyler Hicks
This bug affects 1 person
Affects: AppArmor
Status: Fix Released
Importance: Medium
Assigned to: Tyler Hicks
Milestone: (none)

Bug Description

When the 'profile' keyword is used at the beginning of a profile declaration, namespace creation is not handled properly. Instead of :namespace:p being split into 'namespace' for the name of the namespace and 'p' for the name of the profile, a profile called ':namespace:p' is created.

$ echo "profile :namespace:p {}" | sudo apparmor_parser -qr
$ stat /sys/kernel/security/apparmor/policy/namespaces/namespace
stat: cannot stat ‘/sys/kernel/security/apparmor/policy/namespaces/namespace’: No such file or directory
$ stat /sys/kernel/security/apparmor/policy/profiles/namespacep*
  File: ‘/sys/kernel/security/apparmor/policy/profiles/namespacep.26’
  Size: 0 Blocks: 0 IO Block: 4096 directory
Device: ch/12d Inode: 18374 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-02-10 20:19:47.296817210 -0600
Modify: 2016-02-10 20:20:06.336742155 -0600
Change: 2016-02-10 20:19:47.296817210 -0600
 Birth: -

Dropping the 'profile' keyword results in the namespace being properly created:

$ echo ":namespace:p {}" | sudo apparmor_parser -qr
$ stat /sys/kernel/security/apparmor/policy/namespaces/namespace
  File: ‘/sys/kernel/security/apparmor/policy/namespaces/namespace’
  Size: 0 Blocks: 0 IO Block: 4096 directory
Device: ch/12d Inode: 18716 Links: 4
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-02-10 20:24:20.271897231 -0600
Modify: 2016-02-10 20:24:20.271897231 -0600
Change: 2016-02-10 20:24:20.271897231 -0600
 Birth: -

Tags: aa-parser
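
An added example, not part of the report or of AppArmor's own code: a shell check that lists declarations in policy source written as `profile :ns:name`, the form shown above being loaded as a single literal profile name, together with the namespace and profile each one was meant to create. The function name `find_affected`, the sample policy, and the assumption of unquoted names with one declaration per line are this example's own.

```shell
#!/bin/sh
# Added example (not AppArmor project code). Assumes unquoted names and one
# profile declaration per line.

# find_affected FILE...
# Prints "file:line: namespace=<ns> profile=<name>" for every declaration that
# combines the 'profile' keyword with a :ns:name style name.
# Exit status: 0 if at least one was found, 1 otherwise (like grep).
find_affected() {
    awk '
        # optional indentation, the keyword, then ":ns:" followed by a name
        /^[ \t]*profile[ \t]+:[^: \t]+:[^ \t{:]/ {
            decl = $2                      # the ":ns:name" token
            sub(/[{].*$/, "", decl)        # tolerate "name{" with no space
            rest = substr(decl, 2)         # drop the leading ":"
            sep  = index(rest, ":")        # first ":" ends the namespace
            ns   = substr(rest, 1, sep - 1)
            name = substr(rest, sep + 1)
            printf "%s:%d: namespace=%s profile=%s\n", FILENAME, FNR, ns, name
            found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$@"
}

# Constructed sample policy, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
profile :namespace:p {}
:namespace:q {}
profile plain {}
  profile :web:worker{
EOF
find_affected "$sample"   # reports lines 1 and 4 only
rm -f "$sample"
```

Run it over policy sources that will be loaded by a parser without the fix; each reported line is a declaration that such a parser would load as one profile in the current namespace instead of creating the namespace.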
Tyler Hicks (tyhicks)
description: updated
Tyler Hicks (tyhicks)
Changed in apparmor:
status: Confirmed → In Progress
importance: High → Medium
Tyler Hicks (tyhicks) wrote :
Changed in apparmor:
status: In Progress → Fix Committed
Christian Boltz (cboltz) wrote :

Fixed in AppArmor 2.11

Changed in apparmor:
status: Fix Committed → Fix Released