Comment 4 for bug 1376445

@cwayne18: all plugins based on our OAuth code already add "unconfined" to the ACL. So the problem is probably different, in that case.

As @jdstrand suggested in the ML, your scopes are not running under the "unconfined" profile (even though they are practically unconfined), so we need to figure out why they are not in the ACL, and how to add them.

As suggested by Rodney, I'll also hack "unconfined" into the signon-apparmor plugin to let processes carrying that profile to access any account. But please remember that this is a temporary hack which I'd eventually like to remove, so please update the U1 plugin anyway.