According to upstream, this is for SELinux and PaX detection. This permission problem doesn't affect anything, except for AppArmor logs, since we have neither and they wouldn't co-exist with AppArmor if a user had switched to them.
The detection process opens /proc/pid/status and, if it can't be opened, it assumes no PaX. Then it opens /proc/filesystems and, if it can't open it, it tries /proc/selinux/enforce, and if that can't be opened either, it assumes no SELinux.
I suspect it's probably better to allow these checks because other people will see this in their logs and file bugs. Additionally, I don't like the idea of leaving a profile in place that interferes with upstream functionality even though it happens to produce the same result at the moment.
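The fallback order described in the comment above, as an added example that is not upstream's code or part of the original comment: it runs the same checks against a constructed /proc look-alike, once with reads allowed and once with every open denied the way a profile without read rules would deny it. The `PaX:` status line, the `selinuxfs` entry, treating a readable `enforce` file as "SELinux present", and all function names are assumptions.

```python
import errno
import os
import tempfile

def read_or_none(path, opener=open):
    """Return the file's text, or None if it cannot be opened for any reason."""
    try:
        with opener(path, "r") as fh:
            return fh.read()
    except OSError:  # ENOENT and an AppArmor EACCES look identical from here
        return None

def detect(proc_root, opener=open):
    """Fallback order from the comment; the match strings are assumptions."""
    status = read_or_none(os.path.join(proc_root, "self", "status"), opener)
    pax = status is not None and any(
        line.startswith("PaX:") for line in status.splitlines())
    filesystems = read_or_none(os.path.join(proc_root, "filesystems"), opener)
    if filesystems is not None:
        selinux = "selinuxfs" in filesystems.split()
    else:  # second chance before concluding "no SELinux"
        enforce = read_or_none(
            os.path.join(proc_root, "selinux", "enforce"), opener)
        selinux = enforce is not None
    return {"pax": pax, "selinux": selinux}

def denied(path, *args, **kwargs):
    """Stand-in for a profile without read rules for these paths."""
    raise PermissionError(errno.EACCES, "Permission denied", path)

def build_proc(root, hardened):
    """Write a constructed /proc look-alike (sample data, not a real host)."""
    os.makedirs(os.path.join(root, "self"))
    with open(os.path.join(root, "self", "status"), "w") as fh:
        fh.write("Name:\tdemo\n" + ("PaX:\tPeMRs\n" if hardened else ""))
    with open(os.path.join(root, "filesystems"), "w") as fh:
        fh.write("nodev\tproc\n\text4\n"
                 + ("nodev\tselinuxfs\n" if hardened else ""))

def compare():
    """Run detection with and without the denial on both kinds of host."""
    results = {}
    for hardened in (False, True):
        with tempfile.TemporaryDirectory() as root:
            build_proc(root, hardened)
            results[hardened] = (detect(root), detect(root, denied))
    return results

if __name__ == "__main__":
    print(compare())
```

On the plain host the denied and allowed runs agree; on the host with both features the denied run reports neither, which is the interference the comment is concerned about.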