lxc-container-default-with-mounting profile systemd permission denied

Bug #1607096 reported by Jim Pharis
Affects: lxc (Ubuntu) | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

On a fresh install of Xenial, just install lxc. Run the typical lxc init setup. lxc-create a container of any Ubuntu version (Trusty/Wily/Xenial tested) and configure it to use the lxc-container-default-with-mounting profile. No further configuration needed. Start the container. You will find errors in dmesg concerning problems mounting things in /sys/...

[10870.395952] audit: type=1400 audit(1469484639.890:94): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/sys/fs/cgroup/systemd/" pid=14796 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"

The container will appear to start and you can attach, but it's broken. Things like networking won't work. You cannot lxc-stop the container without -k.

Starting the container in foreground mode leads to the following error.

Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission Denied
[!!!!!] Failed to mount API filesystems, freezing.
Freezing execution.

I found defect https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1347020 concerning Trusty. The issue seems similar, but it does not specifically call out the AppArmor profile. Also, I cannot actually recreate this problem in Trusty.

(UPDATE: Forgot to mention I have 2 additional conf lines, as follows)
lxc.cgroup.devices.allow = b 7:* rwm
lxc.cgroup.devices.allow = c 10:237 rwm
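The audit line quoted in this report is the host's AppArmor policy refusing a mount of fstype cgroup by the container's init, and the maintainer's reply points at the host side: a host with nothing pre-mounting the right cgroup hierarchy. As an added example (not part of the bug report, and not LXC's or Ubuntu's own code), the POSIX shell script below pulls the profile, target path, fstype and errno out of such denial lines so they can be compared with the container's profile, and checks a /proc/self/mounts listing for a cgroup mount at /sys/fs/cgroup/<name>. The sample audit line and the sample mounts line in the script are constructed from the report's format; the function names are my own.

```sh
#!/bin/sh
# Added example: triage AppArmor mount denials from dmesg/audit output and
# check whether the host has a named cgroup hierarchy mounted.

# Constructed sample denial line, in the same format as the report's dmesg output.
SAMPLE='[10870.395952] audit: type=1400 audit(1469484639.890:94): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/sys/fs/cgroup/systemd/" pid=14796 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"'

# aa_field LINE KEY -> value of KEY="value" in an audit line.
# The leading whitespace anchor keeps name= from matching inside srcname=.
aa_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# summarize_denials: read audit lines on stdin and print one summary line
# (profile, target, fstype, errno) per AppArmor mount DENIED event; other
# lines are ignored.
summarize_denials() {
    while IFS= read -r line; do
        case "$line" in
            *'apparmor="DENIED"'*'operation="mount"'*) ;;
            *) continue ;;
        esac
        printf 'profile=%s target=%s fstype=%s error=%s\n' \
            "$(aa_field "$line" profile)" \
            "$(aa_field "$line" name)" \
            "$(aa_field "$line" fstype)" \
            "$(printf '%s\n' "$line" | sed -n 's/.*error=\([-0-9]*\).*/\1/p')"
    done
}

# cgroup_mounted NAME: read /proc/self/mounts-style lines on stdin and
# return 0 if a cgroup filesystem is mounted at /sys/fs/cgroup/NAME.
# Usage on a live host: cgroup_mounted systemd < /proc/self/mounts
cgroup_mounted() {
    awk -v p="/sys/fs/cgroup/$1" \
        '$2 == p && $3 == "cgroup" { found = 1 } END { exit !found }'
}

# Demo on the constructed sample: prints
# profile=lxc-container-default-with-mounting target=/sys/fs/cgroup/systemd/ fstype=cgroup error=-13
printf '%s\n' "$SAMPLE" | summarize_denials
```

On a real host, pipe `dmesg` into summarize_denials and run `cgroup_mounted systemd < /proc/self/mounts`; a denial whose target is /sys/fs/cgroup/systemd/ together with a missing host mount at that path is the combination the reply describes, and the fix is on the host, not in the profile.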

Stéphane Graber (stgraber) wrote:

Report matches a setup for 16.04 with upstart instead of systemd and no cgroup-lite or similar pre-mounting the right cgroup; the error is correct, host setup is likely the issue.

Changed in lxc (Ubuntu):
status: New → Invalid