Comment 12 for bug 1373070

Correct.

There are actually several ways to get disconnected paths and this specific one is being caused by the new file ns. The proper fix for this is delegating access to the object that would not normally be accessible, however delegation is not available in the current releases of apparmor and the HACK of attach disconnected is being used to work around this.

As for apparmor not complaining about disconnected path failures, it should be unless attach disconnected is specified. The info field in the apparmor audit message will be
  info="Failed name lookup - disconnected path"