Comment 1 for bug 1383703

Simon Déziel (sdeziel) wrote :

This is because the default container AA profile prevents reading under /sys/kernel/security/**. Changing the profile to allow reading makes aa-status work but it shows the list of profiles from the host.

This makes me wonder why https://wiki.ubuntu.com/LxcSecurity has this entry:

  * apparmor policy stacking allows containers to use apparmor themselves even while
     they apparmor-confined by the host