This is not actually a container problem but an apparmor3 problem. You can reproduce it by using aa-exec on the host (with any profile) starting with commit b3c3d641f1de (UBUNTU: SAUCE: (no-up) apparmor: Sync to apparmor3 - RC1 snapshot) of the wily kernel: see https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/wily/log/security/apparmor
Also if I change my postfix service files on my host to use aa-exec so they're even in the same profile and then run mailq with aa-exec, or even just socat on that socket, the connect() will succeed, the read() will EACCESS.
We also managed to hit the case described in 1390223 where executing mailq in a loop will *sometimes* succeed (though I could not myself reproduce this on my host machine.)
We do have a server where it fails in only *some* containers (the only significant difference between them is that one set is 32 bit and one is 64 bit, but I couldn't reproduce that by simply running 32 bit postfix binaries on the host, so the differences might go beyond that).

Here's an example session with the wily kernel and postfix on a host modified to spawn with aa-exec:

# ps aux |grep postfix
root       556  0.0  0.5 108108  5124 ?        Ss   10:21   0:00 /usr/lib/postfix/bin/master -w
postfix    557  0.0  0.6 110176  6868 ?        S    10:21   0:00 pickup -l -t unix -u
postfix    558  0.0  0.6 110224  6768 ?        S    10:21   0:00 qmgr -l -t unix -u
postfix    560  0.0  0.6 110176  6808 ?        S    10:21   0:00 showq -t unix -u
# aa-status  |grep -A5 'processes are in enforce mode.' 
4 processes are in enforce mode.
   lxc-container-default (556) 
   lxc-container-default (557) 
   lxc-container-default (558) 
   lxc-container-default (560) 
0 processes are in complain mode.
# lsof -n |grep showq                                  
master    556                 root   61u     unix 0xffff88003c99e000      0t0      12486 public/showq type=STREAM
# aa-exec -p lxc-container-default -- mailq                                       
postqueue: warning: close: Permission denied
# aa-exec -p lxc-container-default -- socat UNIX:/var/spool/postfix/public/showq -
2015/11/03 10:23:48 socat[597] E read(5, 0x2103a00, 8192): Permission denied
# strace -f -- aa-exec -p lxc-container-default -- mailq
(...)
socket(PF_LOCAL, SOCK_STREAM, 0)        = 4
fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR)               = 0
connect(4, {sa_family=AF_LOCAL, sun_path="public/showq"}, 110) = 0
poll([{fd=4, events=POLLIN}], 1, 3600000) = 1 ([{fd=4, revents=POLLIN|POLLHUP}])
read(4, 0x5606d5407f00, 4096)           = -1 EACCES (Permission denied)


log:
Nov 03 10:25:08 akern audit[643]: AVC apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=643 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 03 10:25:08 akern audit[643]: AVC apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="public/showq" pid=643 comm="postqueue" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 03 10:25:08 akern audit[643]: SYSCALL arch=c000003e syscall=0 success=no exit=-13 a0=4 a1=55bdbc538f00 a2=1000 a3=3dc items=0 ppid=433 pid=643 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=75 sgid=75 fsgid=75 tty=pts3 ses=3 comm="postqueue" exe="/usr/bin/postqueue" key=(null)
Nov 03 10:25:08 akern audit: PROCTITLE proctitle=706F73747175657565002D70
Nov 03 10:25:08 akern postfix/postqueue[643]: warning: close: Permission denied