Comment 3 for bug 1655982

Jamie Strandboge (jdstrand) wrote:

Host:
$ uname -a
Linux sec-xenial-amd64 4.4.0-77-generic #98-Ubuntu SMP Wed Apr 26 08:34:02 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

$ apparmor_parser -V
AppArmor parser version 2.10.95
Copyright (C) 1999-2008 Novell Inc.
Copyright 2009-2012 Canonical Ltd.

Container:
root@xen:~# uname -a
Linux xen 4.4.0-77-generic #98-Ubuntu SMP Wed Apr 26 08:34:02 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

root@xen:~# apparmor_parser -V
AppArmor parser version 2.10.95
Copyright (C) 1999-2008 Novell Inc.
Copyright 2009-2012 Canonical Ltd.

Note, the reproducer is:

1. apt-get install lxd
2. sg lxd
3. lxc launch ubuntu:16.04 xen
4. lxc exec xen -- apt update
5. lxc exec xen -- apt dist-upgrade -y
6. lxc exec xen -- /bin/bash and edit /etc/apparmor.d/abstractions/base to have:
     /run/systemd/journal/stdout rw,
7. lxc exec xen -- apt install cups -y

and get the denial. If I add to /etc/apparmor.d/usr.sbin.cups-browsed in the container:

  /usr/sbin/cups-browsed r,

then I can (after reloading the profile):

$ lxc exec xen -- /bin/bash
root@xen:~# service cups-browsed stop
root@xen:~# service cups-browsed start
root@xen:~# systemctl status cups-browsed
● cups-browsed.service - Make remote CUPS printers available locally
   Loaded: loaded (/lib/systemd/system/cups-browsed.service; enabled; vendor preset:
   Active: active (running) since Thu 2017-05-04 20:06:50 UTC; 10s ago
 Main PID: 11697 (cups-browsed)
    Tasks: 3
   Memory: 2.5M
      CPU: 17ms
   CGroup: /system.slice/cups-browsed.service
           └─11697 /usr/sbin/cups-browsed

May 04 20:06:50 xen systemd[1]: Started Make remote CUPS printers available locally.
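The reproducer and workaround above, scripted as an added example; this is not code from the bug comment or from the AppArmor or LXD projects. It assumes the container name "xen" and the profile paths quoted in the comment, that "apparmor_parser -r" is the reload step the comment refers to, and that the rule in usr.sbin.cups-browsed has to go inside the profile's brace block (which is why the helper inserts before the final "}" for a profile file but appends for an abstraction, which has no enclosing braces). The helper functions run on constructed files; only reproduce() needs a host with lxd.

```shell
#!/bin/sh
# Added example (not part of the bug comment). Run from a shell that is a
# member of the lxd group (the comment's "sg lxd" step).
set -eu

# rule_present FILE RULE: true if RULE already appears in FILE, comparing
# each line with leading/trailing whitespace trimmed.
rule_present() {
    awk -v r="$2" '
        { l = $0; sub(/^[ \t]+/, "", l); sub(/[ \t]+$/, "", l); if (l == r) found = 1 }
        END { exit !found }' "$1"
}

# ensure_rule FILE RULE: idempotently add an AppArmor RULE to FILE.
# A profile file ends its block with a line that is exactly "}", and rules
# are only meaningful inside that block, so insert before the last "}".
# An abstraction (e.g. abstractions/base) has no enclosing braces: append.
ensure_rule() {
    file=$1
    rule=$2
    if rule_present "$file" "$rule"; then
        return 0
    fi
    if grep -qx '}' "$file"; then
        last=$(grep -nx '}' "$file" | tail -n 1 | cut -d: -f1)
        tmp=$(mktemp)
        awk -v n="$last" -v r="  $rule" 'NR == n { print r } { print }' "$file" > "$tmp"
        cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '  %s\n' "$rule" >> "$file"
    fi
}

# reproduce: the seven steps from the comment plus the cups-browsed workaround.
# Container name "xen" and the 10-second wait for networking are assumptions.
reproduce() {
    c=xen
    work=$(mktemp -d)
    lxc launch ubuntu:16.04 "$c"
    sleep 10
    lxc exec "$c" -- apt update
    lxc exec "$c" -- apt dist-upgrade -y

    # Step 6: add the journal rule to abstractions/base inside the container.
    lxc file pull "$c/etc/apparmor.d/abstractions/base" "$work/base"
    ensure_rule "$work/base" "/run/systemd/journal/stdout rw,"
    lxc file push "$work/base" "$c/etc/apparmor.d/abstractions/base"

    # Step 7: installing cups triggers the denial.
    lxc exec "$c" -- apt install cups -y

    # Workaround from the comment: let cups-browsed read its own binary,
    # reload the profile, then restart the service and check its status.
    lxc file pull "$c/etc/apparmor.d/usr.sbin.cups-browsed" "$work/usr.sbin.cups-browsed"
    ensure_rule "$work/usr.sbin.cups-browsed" "/usr/sbin/cups-browsed r,"
    lxc file push "$work/usr.sbin.cups-browsed" "$c/etc/apparmor.d/usr.sbin.cups-browsed"
    lxc exec "$c" -- apparmor_parser -r /etc/apparmor.d/usr.sbin.cups-browsed
    lxc exec "$c" -- service cups-browsed stop
    lxc exec "$c" -- service cups-browsed start
    lxc exec "$c" -- systemctl status cups-browsed
}

# Only drive lxd when explicitly asked, so the helpers can be sourced/tested.
if [ "${1:-}" = "--reproduce" ]; then
    reproduce
fi
```

Check the result inside the container with "aa-status" or by looking for "apparmor=\"DENIED\"" lines in the journal after restarting cups-browsed; if the denial persists, the rule most likely landed outside the profile's brace block or the profile was not reloaded.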