Comment 1 for bug 1655982

Jamie Strandboge (jdstrand) wrote :

FYI, http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3658 fixes the /run/systemd/journal/stdout denials. It seems like the real cause of this bug is this denial:

[95224.610046] audit: type=1400 audit(1484230178.466:1014): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cups-browsed" name="/usr/sbin/cups-browsed" pid=17765 comm="cups-browsed" requested_mask="rm" denied_mask="rm" fsuid=100000 ouid=100000

Suspecting this had something to do with the flock and mmap mediation fixes, I tried the reproducer with an updated 16.04 kernel (4.4.0-77.98-generic). This fixes the file_mmap denial, but we still have a file_mprotect 'r' denial:

[ 825.339262] audit: type=1400 audit(1493908654.440:86): apparmor="DENIED" operation="file_mprotect" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cups-browsed" name="/usr/sbin/cups-browsed" pid=14249 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=165536 ouid=165536

I'm not sure if this indicates a bug in the apparmor policy or apparmor itself. If the policy, adjusting /etc/apparmor.d/usr.sbin.cups-browsed to have:

  /usr/sbin/cups-browsed r,

resolves the issue.
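As an added example (not code from the bug report or the AppArmor project), the following Python parses apparmor="DENIED" audit lines like the two above and unions the denied masks per profile and path into a candidate file rule, the step the comment performs by hand for cups-browsed. It assumes the audit key=value format shown above; execute permissions are skipped because a file rule needs an x qualifier the log cannot supply.

```python
import re

# Constructed sample input: the two denials quoted in the comment above.
SAMPLE_LOG = """\
[95224.610046] audit: type=1400 audit(1484230178.466:1014): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cups-browsed" name="/usr/sbin/cups-browsed" pid=17765 comm="cups-browsed" requested_mask="rm" denied_mask="rm" fsuid=100000 ouid=100000
[ 825.339262] audit: type=1400 audit(1493908654.440:86): apparmor="DENIED" operation="file_mprotect" namespace="root//lxd-xen_<var-lib-lxd>" profile="/usr/sbin/cups-browsed" name="/usr/sbin/cups-browsed" pid=14249 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=165536 ouid=165536
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# AppArmor file permission letters we can emit directly. Execute ('x') is left
# out because a file rule needs a qualifier (ix/px/ux/...) the log cannot tell us.
FILE_PERMS = "rwamkl"


def parse_denial(line):
    """Parse one apparmor="DENIED" audit line into a dict; return None otherwise."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, val in KV_RE.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields


def merged_file_rules(log_text):
    """Union denied masks per (profile, path) across all file_* denials and
    render one candidate AppArmor file rule per path, grouped by profile."""
    perms = {}  # (profile, path) -> set of permission letters
    for line in log_text.splitlines():
        f = parse_denial(line)
        if not f or not f.get("operation", "").startswith("file_"):
            continue
        key = (f["profile"], f["name"])
        perms.setdefault(key, set()).update(set(f["denied_mask"]) & set(FILE_PERMS))
    rules = {}
    for (profile, path), letters in sorted(perms.items()):
        if letters:
            rules.setdefault(profile, []).append(f"{path} {''.join(sorted(letters))},")
    return rules


if __name__ == "__main__":
    # For the sample above this prints the rule for /usr/sbin/cups-browsed with
    # the mmap and mprotect masks merged ("mr"); on the fixed kernel only "r" remains.
    for profile, rule_list in merged_file_rules(SAMPLE_LOG).items():
        print(f"# {profile}")
        for rule in rule_list:
            print("  " + rule)
```

Review each suggested rule against the profile's intent before adding it; a denial is evidence of what the program tried, not proof that it should be allowed.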