When a task is confined by an AppArmor profile and specifies a change to "unconfined" by name, the transition fails even though it is allowed by policy. The failure can be replicated by using any of the following mechanisms:

- self-directed transitions using change_profile or change_onexec, with the correct change_profile rule
    change_profile -> unconfined,
- px, cx named profile transitions
    /example px -> unconfined,

This is particularly problematic for transitions to a new namespace.
    /example px -> :new_ns:unconfined,
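
A minimal reproducer for the self-directed cases above, as an added example that is not part of the original report: it writes the same request strings that libapparmor's aa_change_onexec() and aa_change_profile() send, to /proc/self/attr/exec and /proc/self/attr/current, and prints the resulting errno. It assumes it runs under a profile that carries a matching change_profile rule for each target and that a namespace named new_ns exists; the helper names build_request and aa_request are hypothetical.

```c
/* Added example: issue the transitions from the report without libapparmor. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Format the request the kernel expects, e.g. "changeprofile unconfined". */
static int build_request(char *buf, size_t n, const char *op, const char *target)
{
    int len = snprintf(buf, n, "%s %s", op, target);
    return (len < 0 || (size_t)len >= n) ? -ENAMETOOLONG : len;
}

/* Write one request to an attr file; returns 0 on success or -errno. */
static int aa_request(const char *attr_path, const char *op, const char *target)
{
    char buf[256];
    int len = build_request(buf, sizeof(buf), op, target);
    if (len < 0)
        return len;
    int fd = open(attr_path, O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t w = write(fd, buf, (size_t)len);
    int rc = (w == len) ? 0 : (w < 0 ? -errno : -EIO);
    close(fd);
    return rc;
}

int main(void)
{
    /* Targets named in the report; the second assumes a namespace new_ns. */
    const char *targets[] = { "unconfined", ":new_ns:unconfined" };
    for (size_t i = 0; i < 2; i++) {
        /* change_onexec first: it only arms the next exec, so we stay confined. */
        int rc = aa_request("/proc/self/attr/exec", "exec", targets[i]);
        printf("change_onexec  -> %s: %s\n", targets[i], rc ? strerror(-rc) : "ok");
    }
    /* change_profile last: on success the task leaves its profile immediately. */
    int rc = aa_request("/proc/self/attr/current", "changeprofile", "unconfined");
    printf("change_profile -> unconfined: %s\n", rc ? strerror(-rc) : "ok");
    return 0;
}
```

With the policy rules in place, every line should report "ok"; an error on any of them under a profile that allows the transition matches the failure described here.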