apparmor.service fails to start when apt install/remove snapd due to snapd profile error

Hello

Is this bug reproducible? I'm running cosmic and I'm not seeing this at all.

The error would happen when the directory /var/lib/snapd/apparmor/snap-confine is absent but said directory is a part of the package *and* is created by snapd on demand.

Hi,

I could reproduce it by creating a new Cosmic VM using autopkgtest-buildvm-ubuntu-cloud. I first spotted this issue on ADT tests, so it might be related to how the packages are installed/updated.

I can reproduce this on cosmic, installing snapd and removing (but not purging) snapd gives me this error. It seems like removing removes the /var/lib/snapd/apparmor/snap-confine dir but keeps the /etc/apparmor.d/...snap-confine conf file in place (oh the joy of conffiles).

To reproduce:
1. apt update
2. apt install snapd
3. apt remove snapd
4. reboot
5. systemctl status apparmor

This also appears to be happening on 18.04 with the latest apparmor version available for 18.04. So we need to look into this.

Closing the cosmic task as its EOL but keeping the other tasks open.

We discussed this issue on IRC and we believe to understand the cause.

One way to solve it would be to move all snapd apparmor profiles to /var, so that they are not regarded as conf-files simply because they are stored in /etc. This would also allow us to remove the silly .real suffix from snap-confine apparmor profile.

We need to look at the details of how this would interplay with rollbacks though.

I just discovered this on my system (Lubuntu 20.04.3) and doing ```sudo apt get remove --purge snapd``` removed the boot-time error message "Failed to start Load AppArmor profiles"