I'm also noticing those on Xenial systems:
audit: type=1400 audit(1485382778.520:28): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/752/status" pid=752 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=110 ouid=110
audit: type=1400 audit(1485382778.520:29): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=752 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
On the affected system, there was no noticeable impact (yet?) other than the denials, so I'd say it's low impact.
On top of the rules mentioned by Kees, adding this one would silence the other denial:
owner @{PROC}/@{pid}/status r,
Once all 3 rules were added to a test system, no more denials were logged.
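An added example, not part of the original comment or of the shipped mysqld profile: a small Python script that parses the two denial records quoted above and derives a candidate rule for each, adding the `owner` qualifier only when the record shows fsuid equal to ouid. The function names are hypothetical, and the generated lines are candidates to review before adding to a profile, not the rules referred to in the bug.

```python
import re

# The two denial records quoted in the comment above.
SAMPLE = '''\
audit: type=1400 audit(1485382778.520:28): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/752/status" pid=752 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=110 ouid=110
audit: type=1400 audit(1485382778.520:29): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=752 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Yield one dict of fields per AppArmor DENIED audit record."""
    for line in text.splitlines():
        fields = {k: quoted if quoted else bare
                  for k, quoted, bare in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            yield fields

def candidate_rule(d):
    """Build a candidate profile rule from one parsed denial."""
    path = d["name"]
    own_proc = "/proc/%s/" % d["pid"]
    # A process reading its own /proc entry: generalise the pid.
    if path.startswith(own_proc):
        path = "@{PROC}/@{pid}/" + path[len(own_proc):]
    # 'owner' only matches when the file is owned by the accessing user,
    # so suggest it only when this record shows fsuid == ouid.
    owner = "owner " if d["fsuid"] == d["ouid"] else ""
    return "%s%s %s," % (owner, path, d["denied_mask"])

def summarize(text):
    """Map each profile name to its sorted, de-duplicated candidate rules."""
    rules = {}
    for d in parse_denials(text):
        rules.setdefault(d["profile"], set()).add(candidate_rule(d))
    return {profile: sorted(r) for profile, r in rules.items()}

if __name__ == "__main__":
    for profile, rules in summarize(SAMPLE).items():
        print("profile", profile)
        for rule in rules:
            print("  " + rule)
```

The second record has ouid=0 with fsuid=110, so an `owner` rule would not match it and the script emits that candidate without the qualifier.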