Bug#1098521: apparmor 4.x breaks systemd user namespacing in lxc containers
Antoine Le Gonidec
2025-02-21 21:30:01 UTC
Package: apparmor
Version: 4.1.0~beta5-2
Severity: important

When upgrading apparmor (and libapparmor1) to 4.1.0~beta5-2, multiple
services spawned by systemd in lxc containers fail to start, with denied
permissions errors.

Errors similar to the following ones can be found in the kernel logs:

apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-fediverse_</srv/containers>" pid=1215864 comm="(snac)" requested="userns_create" denied="userns_create"

apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-forge_</srv/containers>" pid=1203690 comm="(s-server)" requested="userns_create" denied="userns_create"
("s-server" here is "redis-server")

Downgrading to apparmor + libapparmor1 3.1.7-4 gets rid of these
problems.

Such errors are not triggered in lxc containers that use OpenRC as the
init system; only the ones using systemd are impacted.

-- System Information:
Debian Release: trixie/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-debug'), (500, 'oldstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.12-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
intrigeri
2025-03-03 11:10:01 UTC
Control: reassign -1 lxc

Hi,
Post by Antoine Le Gonidec
When upgrading apparmor (and libapparmor1) to 4.1.0~beta5-2, multiple
services spawned by systemd in lxc containers fail to start, with denied
permissions errors.
apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-fediverse_</srv/containers>" pid=1215864 comm="(snac)" requested="userns_create" denied="userns_create"
apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-forge_</srv/containers>" pid=1203690 comm="(s-server)" requested="userns_create" denied="userns_create"
("s-server" here is "redis-server")
Downgrading to apparmor + libapparmor1 3.1.7-4 gets rid of these
problems.
Such errors are not triggered in lxc containers that use OpenRC as the
init system; only the ones using systemd are impacted.
It looks like the AppArmor profiles generated by LXC may need an
update to work with the feature set update that I applied in the
4.1~* src:apparmor uploads
(https://salsa.debian.org/apparmor-team/apparmor/-/commit/71c0d1bfdd0556cb8466913d65ca4f6fced14b63).

Adding this rule should be sufficient:

userns,

I suspect Ubuntu has already hit this problem so hopefully it's fixed
upstream already?

Cheers,
--
intrigeri
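As an added example (not part of this bug report or of the apparmor/lxc packages), here is a small Python script that scans kernel-log lines of the kind quoted in the report for userns_create denials and lists, per LXC profile, the processes that were denied, together with the `userns,` rule intrigeri suggests. The sample lines are constructed from the report (the third, unrelated denial is invented to show it is ignored).

```python
import re
from collections import defaultdict

# Constructed sample kernel-log lines, modelled on the denials quoted in the
# bug report. The third line is an unrelated file denial, added only to show
# that it is not reported as a userns problem.
SAMPLE_LOG = """\
apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-fediverse_</srv/containers>" pid=1215864 comm="(snac)" requested="userns_create" denied="userns_create"
apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-forge_</srv/containers>" pid=1203690 comm="(s-server)" requested="userns_create" denied="userns_create"
apparmor="DENIED" operation="open" class="file" profile="lxc-forge_</srv/containers>" name="/etc/hostname" pid=1203700 comm="cat" requested_mask="r" denied_mask="r"
"""

# AppArmor audit fields are key="value" (value may contain < > / but not ")
# or bare key=value (e.g. pid=1215864).
KV_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        if m.group(1):
            fields[m.group(1)] = m.group(2)
        else:
            fields[m.group(3)] = m.group(4)
    return fields


def userns_denials(log_text):
    """Map each profile to the set of comm values denied userns_create."""
    by_profile = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f.get("apparmor") == "DENIED" and f.get("denied") == "userns_create":
            by_profile[f["profile"]].add(f.get("comm", "?"))
    return dict(by_profile)


def suggest_rules(by_profile):
    """One suggested profile rule per affected profile (the rule from the reply)."""
    return {profile: "userns," for profile in sorted(by_profile)}


if __name__ == "__main__":
    for profile, comms in userns_denials(SAMPLE_LOG).items():
        print(f"{profile}: denied userns_create for {sorted(comms)} -> add 'userns,'")
```

To run it against a live system, feed `journalctl -k` output to `userns_denials()` instead of `SAMPLE_LOG`.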