Guest session can't write on /var/run/screen

Bug #1442611 reported by Laércio de Sousa
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Light Display Manager | Fix Released | Medium | Unassigned |
lightdm (Ubuntu) | Fix Released | Medium | Unassigned |

Bug Description

I'm customizing guest sessions in Xubuntu 15.04 in my school computer lab and discovered that I'm unable to open user terminal in epoptes. The main reason for this problem is that epoptes uses screen for opening client terminals remotely on server session, but screen is currently unable to write on /var/run/screen for guest sessions.

Could you please review current apparmor profile for lightdm-guest-session so it can get write access to /var/run/screen?

Robert Ancell (robert-ancell) wrote :

Subscribing Jamie and Martin who seem to have the most knowledge on the apparmor profiles.

Changed in lightdm:
status: New → Triaged
importance: Undecided → Medium
Changed in lightdm (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Martin Pitt (pitti) wrote :

This is a bit of a bikeshedding thing IMHO, but I'm not entirely sure whether it's a good idea for a guest session to start screen sessions. I'll let Jamie/the security team have the decision, though.

But AFAIR lightdm kills all guest session processes at session close anyway, right? Then it's probably harmless to allow this.

Robert Ancell (robert-ancell) wrote :

Yes, lightdm does (at least attempt to) close everything related to the guest session.

Robert Ancell (robert-ancell) wrote :

Merge proposal?

Changed in lightdm:
milestone: none → 1.17.0
status: Triaged → Fix Committed
Changed in lightdm:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.17.0-0ubuntu1

---------------
lightdm (1.17.0-0ubuntu1) xenial; urgency=medium

  * New upstream release:
    - Disable log backups - this interferes with logrotate.
    - Support using libaudit to generate audit events.
    - Handle trailing whitespace on boolean values in configuration.
    - Update example configuration to more correctly match allowed options.
    - Fix unnecessary X server from being launched when locking seats.
    - Check the version of the X server we are running so we correctly pass
      -listen tcp when required.
    - Allow reading /proc/<PID>/net/dev from within a guest session.
      (LP: #1442609)
    - Allow guest sessions to write in /{,var/}run/screen folder.
      (LP: #1442611)
    - Update guest-session AppArmor profile to be suitable for openSUSE.
    - Fix apparmor profiles for running Chromium in guest sessions.
      (LP: #1504049, LP: #1464958)
    - Fix configure failing without Vala installed.
  * Build with multi-arch
  * debian/lightdm.logrotate:
    - Use logrotate to handle log files placed in the default system log
      directory (/var/log/lightdm).
  * debian/guest*:
    - Optimize guest account creation, use OverlayFS of AuFS if available.

 -- Robert Ancell <email address hidden> Wed, 28 Oct 2015 15:02:46 +1300

Changed in lightdm (Ubuntu):
status: Triaged → Fix Released
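
An added example, not part of the bug report or the lightdm code: one way to confirm this kind of failure from the kernel log is to filter AppArmor DENIED events for the guest-session profile whose path falls under either spelling covered by the `/{,var/}run/screen` alternation in the changelog. The log lines, hostname, pids and the exact profile string are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample kernel audit lines (not taken from the bug report).
# Profile name, pids, uids and timestamps are assumptions for illustration.
SAMPLE_LOG = """\
Apr 10 09:14:02 lab01 kernel: audit: type=1400 audit(1428657242.101:61): apparmor="DENIED" operation="mkdir" profile="lightdm-guest-session" name="/run/screen/S-guest-x1y2z3/" pid=2211 comm="screen" requested_mask="c" denied_mask="c" fsuid=118 ouid=118
Apr 10 09:14:02 lab01 kernel: audit: type=1400 audit(1428657242.206:62): apparmor="DENIED" operation="mknod" profile="lightdm-guest-session" name="/var/run/screen/S-guest-x1y2z3/2211.pts-0.lab01" pid=2211 comm="screen" requested_mask="c" denied_mask="c" fsuid=118 ouid=118
Apr 10 09:15:40 lab01 kernel: audit: type=1400 audit(1428657340.327:63): apparmor="DENIED" operation="open" profile="lightdm-guest-session" name="/proc/2300/net/dev" pid=2300 comm="cat" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
Apr 10 09:16:01 lab01 kernel: audit: type=1400 audit(1428657361.000:64): apparmor="ALLOWED" operation="open" profile="other-profile" name="/run/screen/S-root/1.tty" pid=99 comm="screen" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value pairs as they appear in audit records.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Matches /run/screen and /var/run/screen (and anything below), but not
# sibling names such as /run/screenshots.
SCREEN_DIR = re.compile(r'^/(?:var/)?run/screen(?:/|$)')


def parse_apparmor(line):
    """Return the audit fields of an AppArmor record as a dict, else None."""
    if 'apparmor=' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def screen_denials(log_text, profile_hint="lightdm-guest-session"):
    """Return DENIED events under the screen socket dir for the guest profile."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_apparmor(line)
        if not ev or ev.get("apparmor") != "DENIED":
            continue  # skip non-AppArmor lines and complain-mode ALLOWED events
        if profile_hint not in ev.get("profile", ""):
            continue
        if SCREEN_DIR.match(ev.get("name", "")):
            hits.append(ev)
    return hits


def summarize(hits):
    """Count denials per (operation, denied_mask): the access the profile lacks."""
    return Counter((ev["operation"], ev["denied_mask"]) for ev in hits)


if __name__ == "__main__":
    for (op, mask), count in summarize(screen_denials(SAMPLE_LOG)).items():
        print(f"{count}x denied {op} mask={mask}")
```
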