Comment 2 for bug 400349

John Johansen (jjohansen) wrote :

I took a look at this and it is behaving correctly, though I haven't established whether it is due to a deviation in AppArmor's behavior, the scripts or both. The executable /sbin/dhclient3 does a Px transition (as specified in its profile) to /sbin/dhclient-script.

  /sbin/dhclient-script Pxr,

The transition can be seen by putting the /sbin/dhclient3 profile into audit mode:
type=APPARMOR_AUDIT msg=audit(1247815097.686:61): operation="exec" pid=4152 comm="dhclient3" parent=4151 profile="/sbin/dhclient3" requested_mask="x::" fsuid=0 ouid=0 name="/sbin/dhclient-script"

The /sbin/dhclient-script then attempts to open the following 2 files without doing an exec to bash:
type=APPARMOR_DENIED msg=audit(1247815097.690:62): operation="open" pid=4152 comm="dhclient-script" parent=4151 profile="/sbin/dhclient-script" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/ld.so.cache"
type=APPARMOR_DENIED msg=audit(1247816247.944:89): operation="open" pid=4400 comm="dhclient-script" parent=4399 profile="/sbin/dhclient-script" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/lib/libncurses.so.5.7"

Putting the /sbin/dhclient-script into audit mode doesn't turn up any more accesses. I threw in some debugging to verify the reported behavior matches what is going on internally, and it does.

AppArmor's behavior for scripts is that it will attach the profile to the script if it is directly invoked. In this case invoking /sbin/dhclient-script will cause dhclient-script to be confined by AppArmor even though it is a bash script. If the script is indirectly invoked through bash, then the bash profile (if it exists) would be used.
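As an added illustration (not code from the bug report or from the AppArmor project), a small Python parser over the audit lines quoted in the comment above: it records which profile each exec transition lands in and groups APPARMOR_DENIED records by the profile that was enforcing at the time, which is what tells you the missing read rules belong in the /sbin/dhclient-script profile rather than in a bash profile. The denied_mask and field layout are assumed to follow the format shown in the quoted lines.

```python
import re
from collections import defaultdict

# Input constructed from the audit lines quoted in the comment above.
SAMPLE_LOG = """\
type=APPARMOR_AUDIT msg=audit(1247815097.686:61): operation="exec" pid=4152 comm="dhclient3" parent=4151 profile="/sbin/dhclient3" requested_mask="x::" fsuid=0 ouid=0 name="/sbin/dhclient-script"
type=APPARMOR_DENIED msg=audit(1247815097.690:62): operation="open" pid=4152 comm="dhclient-script" parent=4151 profile="/sbin/dhclient-script" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/ld.so.cache"
type=APPARMOR_DENIED msg=audit(1247816247.944:89): operation="open" pid=4400 comm="dhclient-script" parent=4399 profile="/sbin/dhclient-script" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/lib/libncurses.so.5.7"
"""

# key=value pairs; values are either double-quoted or a bare non-space token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Split one audit record into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def exec_transitions(log_text):
    """List (confining profile, exec target) for every audited exec record."""
    transitions = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec.get("type") == "APPARMOR_AUDIT" and rec.get("operation") == "exec":
            transitions.append((rec["profile"], rec["name"]))
    return transitions


def denials_by_profile(log_text):
    """Return {profile: {(operation, path): file permission denied}}."""
    denials = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec.get("type") != "APPARMOR_DENIED":
            continue
        # denied_mask looks like "r::" (assumed layout); the first field is
        # the file permission that was refused
        perm = rec["denied_mask"].split(":")[0]
        denials[rec["profile"]][(rec["operation"], rec["name"])] = perm
    return dict(denials)


def suggested_rules(log_text):
    """Turn each profile's denials into candidate rule lines, e.g. '/etc/ld.so.cache r,'."""
    return {
        profile: sorted(f"{path} {perm}," for (_, path), perm in entries.items())
        for profile, entries in denials_by_profile(log_text).items()
    }


if __name__ == "__main__":
    print(exec_transitions(SAMPLE_LOG))
    for profile, rules in suggested_rules(SAMPLE_LOG).items():
        print(profile, rules)
```

The candidate rules are only a starting point for review: each path should be checked against what the script actually needs before it is added to the profile.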