That being said, I can see at least one more missing rule, this time for the chown capability:
[ 1690.540498] audit: type=1400 audit(1497905549.525:43): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/sssd" pid=9946 comm="sssd" capability=0 capname="chown"
Did you change the apparmor profile to be in enforcing mode? By default it's in complain mode as far as I can see:
lrwxrwxrwx 1 root root 16 Jun 19 20:48 /etc/apparmor. d/force- complain/ usr.sbin. sssd -> ../usr.sbin.sssd
That being said, I can see at least one more missing rule, this time for the chown capability: 9.525:43) : apparmor="ALLOWED" operation="capable" profile= "/usr/sbin/ sssd" pid=9946 comm="sssd" capability=0 capname="chown"
[ 1690.540498] audit: type=1400 audit(149790554