Comment 5 for bug 2004525

Christian Ehrhardt  (paelzer) wrote :

From IRC, here is the content of Paul's file; it has all we'd expect:

# grep 'run.*/chrony' /etc/apparmor.d/usr.sbin.chronyd
  # For /run/chrony to be created
  @{run}/chrony/{,*} rw,
  @{run}/chrony-dhcp/{,*} r,
  # Example gpsd socket is outside @{run}/chrony/
  @{run}/chrony.tty{,*}.sock rw,
  @{run}/timemaster/chrony.conf r,

Sadly, even on his system it is no longer reproducible (when removing the rule he added, it still works).
Looking for the original denial showed no denial in Paul's logs.
So it seems the "apparmor fix" was a red herring and it was just fixed by the restart.

Theory: maybe the profile wasn't reloaded on upgrade?
But then it would show a denial and it didn't.

Also chrony has the common reload in postinst:
$ grep appa /var/lib/dpkg/info/chro*postinst
/var/lib/dpkg/info/chrony.postinst:# Automatically added by dh_apparmor/3.0.3-0ubuntu6
/var/lib/dpkg/info/chrony.postinst: APP_PROFILE="/etc/apparmor.d/usr.sbin.chronyd"
/var/lib/dpkg/info/chrony.postinst: LOCAL_APP_PROFILE="/etc/apparmor.d/local/usr.sbin.chronyd"
/var/lib/dpkg/info/chrony.postinst: apparmor_parser -r -T -W "$APP_PROFILE" || true