Comment 6 for bug 1466009

Jamie Strandboge (jdstrand) wrote :

LXC is launching the container under an apparmor profile and all processes within that container end up having the same profile. You currently cannot have separate and distinct host policy and container policy in the form that unity8 lxc is currently looking for. This requires namespace stacking support in AppArmor (and kernel LSMs in general); this is being worked on but won't be available for a while. OA could be modified (at least for unity8 lxc) to treat "lxc-container-default-with-nesting" like you do as unconfined. Or unity8 lxc could run under unconfined instead of "lxc-container-default-with-nesting". This would work around the OA part, but I have little confidence that unity8 lxc would be able to launch and use applications, at least not without changes to UAL to launch everything unconfined (which probably defeats the purpose of testing an app within unity8 lxc).
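The following is an added example, not code from the bug report or from LXC/AppArmor: a small POSIX shell helper for checking what the comment describes, namely that without LSM namespace stacking every process inside the container carries the container's single AppArmor label. It assumes (not stated in the comment) that the kernel exposes a process's label in /proc/<pid>/attr/current as "<profile> (<mode>)" or "unconfined", and it uses the profile name "lxc-container-default-with-nesting" from the comment only as sample input.

```shell
#!/bin/sh
# Added example (not part of the bug report). Reads AppArmor labels from
# /proc/<pid>/attr/current and compares two processes' profiles, so you can
# confirm that an app launched inside an LXC container runs under the same
# profile as the container's init rather than a separate app profile.
#
# Assumed label format (not stated in the comment): "<profile> (<mode>)" with
# mode one of enforce/complain/kill, or the bare word "unconfined".

# Print the AppArmor label of a pid. Falls back to "unconfined" when the attr
# file is missing or unreadable (no AppArmor in this kernel).
aa_label_of_pid() {
    label=$(cat "/proc/$1/attr/current" 2>/dev/null || true)
    if [ -z "$label" ]; then
        label="unconfined"
    fi
    printf '%s\n' "$label"
}

# Strip the trailing " (<mode>)" so only the profile name remains.
aa_profile_name() {
    printf '%s\n' "$1" | sed 's/ ([a-z]*)$//'
}

# Extract the mode; a label with no "(<mode>)" part is unconfined.
aa_profile_mode() {
    case "$1" in
        *" ("*")") printf '%s\n' "$1" | sed 's/.* (\([a-z]*\))$/\1/' ;;
        *)         echo "unconfined" ;;
    esac
}

# Succeed when two labels name the same profile, regardless of mode.
aa_same_profile() {
    [ "$(aa_profile_name "$1")" = "$(aa_profile_name "$2")" ]
}

# Compare this shell's label with that of another pid (e.g. an app launched
# inside the container, or the container's init as seen from the host).
aa_report() {
    other="$1"
    mine=$(aa_label_of_pid "$$")
    theirs=$(aa_label_of_pid "$other")
    if aa_same_profile "$mine" "$theirs"; then
        echo "pid $$ and pid $other share profile '$(aa_profile_name "$mine")' ($(aa_profile_mode "$theirs"))"
    else
        echo "pid $$ is '$(aa_profile_name "$mine")', pid $other is '$(aa_profile_name "$theirs")'"
    fi
}

# Usage: run inside the container against any app pid, e.g. `aa_report 1`.
# Expect both to report lxc-container-default-with-nesting (or unconfined),
# never a per-app profile, until namespace stacking lands.
```

Running `aa_report <pid>` inside a container started with the nesting profile shows every pid sharing that one label, which is the situation the comment describes. The second option the comment mentions, running the container unconfined, is the `lxc.aa_profile = unconfined` key in the container config for LXC 1.x (renamed `lxc.apparmor.profile` in LXC 2.1 and later); with that set, the same helper reports "unconfined" for every pid.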