Comment 2 for bug 1367264

Jamie Strandboge (jdstrand) wrote :

aa_getcon() does use /proc/<pid>/attr/current. The problem is, we can't allow apps to access this file because we cannot currently limit the pid to self. I.e., this is what we want:
  @{PROC}/self/attr/current r,

but this is what we must use now:
  @{PROC}/[0-9]*/attr/current r,

Therefore, if we allowed that ^, an app could easily enumerate what apps are installed on the device, which constitutes an information disclosure issue. That said, I can happily silence the denial with:
  deny @{PROC}/[0-9]*/attr/current r,

if the scopes runner can handle this well. Note, I'm pretty sure we pointed you at aa_getcon(); however, we didn't expect it to be run from within a confined scope process.