Notify the user when AppArmor blocks anything

Frontdesk sees a lot of user despair that’s possibly related to AppArmor, and most importantly, to the fact that no notification tells users that AppArmor is blocking things. A first step to mitigate this would be to notify users when AppArmor blocks stuff, so that:

• users understand a bit better what’s going on, and report more useful bugs, and (for advanced users) workaround the problem locally via /etc/apparmor.d/local/;
• users and frontdesk can sort apart what’s caused by AppArmor, and what’s not (since apparently, the messages in logs included in Whisperback bug reports are not enough for some unclear reason).

Hopefully this will lead to more actionable tickets being filed :)

The apparmor-notify package could probably be used to achieve this result.

Implementation notes:

• it may not be in fully-working shape in Wheezy and Jessie, at least without tweaking;
• it implies to give the amnesia user access to some logs it currently cannot read;
• it implies to polish a bit our AppArmor policy so that expected denials are silenced.

Feature Branch: feature/9337-apparmor-notify

Subtasks

• #13183 (closed)

Related issues

• Related to #9813 (closed)
• Related to #15678
• Blocked by #9756 (closed)

Original created by @intrigeri on 9337 (Redmine)