Comment 4 for bug 139105

Martin Pitt (pitti) wrote :

Hm, that is indeed the case. I already have

  /usr/lib/cups/** ixr,

and some specialized rules like

  /usr/lib/cups/backend/cups-pdf Px.

so that

  /usr/lib/cups/filter/* Ux,

is a subset of the first rule. It seems that AppArmor does not have a concept of "prefer more special rules", which would allow that, and other useful constructions like generally permitting reading of /etc/** but not permitting reading of /etc/shadow.

Thanks for pointing me at it. I'll reformulate the first /usr/lib/** rule.
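The overlap described in the comment above can be checked mechanically. The following is an added example, not part of the original comment or of AppArmor itself: it applies AppArmor's globbing semantics (`**` crosses `/`, `*` and `?` do not) to the three quoted rules and reports paths matched by rules with different exec modes. The function names and sample paths are constructed for illustration, and it does not model how apparmor_parser itself resolves such overlaps.

```python
import re

# Rules as quoted in the comment (trailing punctuation normalised).
PROFILE_RULES = """
/usr/lib/cups/** ixr,
/usr/lib/cups/backend/cups-pdf Px,
/usr/lib/cups/filter/* Ux,
"""

def glob_to_regex(glob):
    """Translate an AppArmor path glob: '**' crosses '/', '*' and '?' do not."""
    tokens = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", glob)
    return re.compile("".join(tokens.get(p, re.escape(p)) for p in parts))

def parse_rules(text):
    """Return (path_glob, exec_mode) for every rule that grants execute."""
    rules = []
    for line in text.splitlines():
        line = line.strip().rstrip(",.")
        if not line or line.startswith("#"):
            continue
        path, perms = line.rsplit(None, 1)
        mode = re.search(r"[pPcC]ix|[ipPuUcC]x", perms)
        if mode:
            rules.append((path, mode.group(0)))
    return rules

def exec_modes_for(path, rules):
    """Map each exec mode to the rule globs that match `path`."""
    hits = {}
    for glob, mode in rules:
        if glob_to_regex(glob).fullmatch(path):
            hits.setdefault(mode, []).append(glob)
    return hits

def overlapping(paths, rules):
    """Return the paths matched by rules that disagree on the exec mode."""
    found = {}
    for path in paths:
        modes = exec_modes_for(path, rules)
        if len(modes) > 1:
            found[path] = modes
    return found

if __name__ == "__main__":
    # Constructed sample paths, not taken from the bug report.
    samples = ["/usr/lib/cups/filter/pstops", "/usr/lib/cups/daemon/cups-lpd"]
    for path, modes in overlapping(samples, parse_rules(PROFILE_RULES)).items():
        print(path, modes)
```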