Comment 7 for bug 1844186

John Johansen (jjohansen) wrote:

In the above regression we have

lxd-ns0_</var/snap/lxd/common/lxd>//&:root//lxd-ns0_<var-snap-lxd-common-lxd>://unconfined

transitioning to

lxd-ns0_</var/snap/lxd/common/lxd>//&:lxd-ns0_<var-snap-lxd-common-lxd>:/usr/sbin/nsd//&:root//lxd-ns0_<var-snap-lxd-common-lxd>:///usr/sbin/nsd

This is not a strict subset of profiles; however, the unconfined exception needs to be taken into account when nnp is set.

There is a bug in the subset test, so that the unconfined exception is not being handled correctly. This affects all kernels, though to different degrees.

Kernels before the patch for bug 1839037 have this bug, but because of where the unconfined exception is tested (at the profile transition) it happens to work in this case. Other cases can be contrived where the transition will fail.

Reverting the patch in bug 1839037 will fix the regression for this particular case.
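A small model of the nnp subset test described in the comment above, added here as an illustration. It is not the AppArmor kernel code and is not taken from the bug report: the parsing of `:ns:name` / `:ns://name` profile references, the treatment of `root//child` as the same namespace as `child`, and the reading of "subset" as "every profile of the old (nnp) label must survive in the new label, except an unconfined one" are assumptions made for the example. The two labels from the regression are quoted from the comment.

```python
"""Model of AppArmor's no_new_privs (nnp) label subset test, with and
without the unconfined exception.  Added illustration, not the kernel's
implementation: the reference syntax handled by parse_profile() and the
normalisation of 'root//child' to 'child' are assumptions."""

ROOT_NS = "root"
UNCONFINED = "unconfined"


def parse_profile(ref):
    """Parse one profile reference into (namespace, name).

    'name'        -> profile in the viewer's (root) namespace (assumption)
    ':ns:name'    -> profile 'name' in namespace 'ns'
    ':ns://name'  -> same; the optional '//' after the namespace is skipped
    """
    ref = ref.strip()
    if not ref.startswith(":"):
        return (ROOT_NS, ref)
    ns, sep, name = ref[1:].partition(":")
    if not sep or not ns:
        raise ValueError("malformed namespaced profile: %r" % ref)
    if name.startswith("//"):
        name = name[2:]
    # Assumption: 'root//child' and 'child' name the same namespace,
    # printed relative to different views.
    if ns.startswith(ROOT_NS + "//"):
        ns = ns[len(ROOT_NS) + 2:]
    return (ns, name)


def parse_label(label):
    """Split a stacked label 'p1//&p2//&p3' into a set of profiles."""
    return frozenset(parse_profile(p) for p in label.split("//&"))


def strict_subset(old_label, new_label):
    """Naive nnp test: a transition may only add confinement, so every
    profile of the old (nnp) label must still be present in the new one."""
    return parse_label(old_label) <= parse_label(new_label)


def unconfined_subset(old_label, new_label):
    """nnp test with the unconfined exception: an old profile missing from
    the new label is tolerated if it was unconfined, since unconfined
    imposed no restriction that the new label could be dropping."""
    old, new = parse_label(old_label), parse_label(new_label)
    return all(name == UNCONFINED for _ns, name in old - new)


def nnp_transition_allowed(old_label, new_label, handle_unconfined=True):
    """Decide whether an exec under nnp may move from old_label to new_label."""
    if handle_unconfined:
        return unconfined_subset(old_label, new_label)
    return strict_subset(old_label, new_label)


# The two labels from the regression quoted in the comment above.
OLD_LABEL = ("lxd-ns0_</var/snap/lxd/common/lxd>"
             "//&:root//lxd-ns0_<var-snap-lxd-common-lxd>://unconfined")
NEW_LABEL = ("lxd-ns0_</var/snap/lxd/common/lxd>"
             "//&:lxd-ns0_<var-snap-lxd-common-lxd>:/usr/sbin/nsd"
             "//&:root//lxd-ns0_<var-snap-lxd-common-lxd>:///usr/sbin/nsd")

if __name__ == "__main__":
    print("strict subset:    ", strict_subset(OLD_LABEL, NEW_LABEL))
    print("unconfined subset:", unconfined_subset(OLD_LABEL, NEW_LABEL))
    # Dropping the confined host-side profile must still be refused.
    print("drop host profile:",
          nnp_transition_allowed(
              OLD_LABEL, ":lxd-ns0_<var-snap-lxd-common-lxd>:/usr/sbin/nsd"))
```

Run as a script, the strict test rejects the regression's transition (the `unconfined` profile of the container namespace is gone from the new label), the unconfined-aware test accepts it (the only missing profile was unconfined, and `/usr/sbin/nsd` in the same namespace only adds confinement), and a contrived transition that also drops the host-side `lxd-ns0_</var/snap/lxd/common/lxd>` profile is refused by both.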