Comment 13 for bug 1612412

eil397 (anton-haldin) wrote :

The same scenario (create a new xenial container as base and clone (copy)) on an empty xenial VM finished without errors. It looks like it is probably not something upstream-specific around xenial-overlayfs:lxc-apparmor(unconfined), but something specific related to the set of configurations for OSA (AIO)?

logs from /var/log/audit/audit.log:
------
type=AVC msg=audit(1472586116.191:962154): apparmor="ALLOWED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/{usr/,}bin/ping" name="source-xenial-amd64/rootfs/etc/ld.so.cache" pid=26478 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1472586116.191:962154): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7ffd5814fc00 a2=7ffd5814fc00 a3=7f0bf6109480 items=0 ppid=26460 pid=26478 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=9279 comm="ping" exe="/bin/ping" key=(null)
type=AVC msg=audit(1472586116.191:962155): apparmor="ALLOWED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/{usr/,}bin/ping" name="source-xenial-amd64/rootfs/lib/x86_64-linux-gnu/libcap.so.2.24" pid=26478 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1472586116.191:962155): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7ffd5814fc50 a2=7ffd5814fc50 a3=2e6f732e70616362 items=0 ppid=26460 pid=26478 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=9279 comm="ping" exe="/bin/ping" key=(null)
------

I can see that it was classified as "ALLOWED" by apparmor. Maybe some specific security settings are transforming this "warning" info="Failed name lookup - disconnected path" into "error while loading shared libraries: libcap.so.2: cannot stat shared object: Permission denied"?
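
Added example, not part of the original comment: a Python sketch that pairs AVC and SYSCALL records by audit event ID and reports events where AppArmor logged apparmor="ALLOWED" with an error value while the syscall in the same event still failed with that errno, which is the pattern in the records quoted above. The sample lines are shortened, constructed copies of those records plus one constructed successful event (962156); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: shortened copies of the audit records quoted above,
# plus one constructed event (962156) where the syscall succeeded.
SAMPLE = '''\
type=AVC msg=audit(1472586116.191:962154): apparmor="ALLOWED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/{usr/,}bin/ping" name="source-xenial-amd64/rootfs/etc/ld.so.cache" pid=26478 comm="ping"
type=SYSCALL msg=audit(1472586116.191:962154): arch=c000003e syscall=5 success=no exit=-13 pid=26478 comm="ping" exe="/bin/ping"
type=AVC msg=audit(1472586116.200:962156): apparmor="ALLOWED" operation="open" profile="/{usr/,}bin/ping" name="/etc/hosts" pid=26478 comm="ping"
type=SYSCALL msg=audit(1472586116.200:962156): arch=c000003e syscall=2 success=yes exit=3 pid=26478 comm="ping" exe="/bin/ping"
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# key=value pairs; a value is either a double-quoted string or a bare token
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Return (record_type, event_id, fields) or None for non-audit lines."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, _ts, event_id, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    return rtype, int(event_id), fields

def allowed_but_failed(log_text):
    """Find events logged as ALLOWED whose syscall failed with the AVC's errno."""
    events = defaultdict(lambda: {"AVC": [], "SYSCALL": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] in ("AVC", "SYSCALL"):
            events[parsed[1]][parsed[0]].append(parsed[2])
    findings = []
    for event_id, recs in sorted(events.items()):
        for avc in recs["AVC"]:
            if avc.get("apparmor") != "ALLOWED" or "error" not in avc:
                continue  # only ALLOWED records that still carry an errno
            for sc in recs["SYSCALL"]:
                if sc.get("success") == "no" and sc.get("exit") == avc["error"]:
                    findings.append((event_id, avc.get("profile"),
                                     avc.get("name"), avc.get("info"),
                                     int(sc["exit"])))
    return findings

if __name__ == "__main__":
    for finding in allowed_but_failed(SAMPLE):
        print(finding)
```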