Comment 7 for bug 445818

Jamie Strandboge (jdstrand) wrote :

Updated test case:
- apt-get install apparmor-profiles dnsmasq
- enable the dnsmasq profile with 'aa-enforce /etc/apparmor.d/usr.sbin.dnsmasq'
- sudo /usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d
- sudo /usr/sbin/dnsmasq -x /var/run/nm-dnsmasq.wlan0.pid -u dnsmasq -7 /etc/dnsmasq.d

While the profile addressed the original reporter's claim that /var/run/dsnmasq.wlan0.pid is the pid to look for, looking in the attached dmesg output and doing 'sudo /etc/init.d/dnsmasq start' showed additional locations for pidfiles and config files. The updated profile should have these additions:
  capability dac_override,
  /etc/dnsmasq.d/ r,
  /etc/dnsmasq.d/* r,
  /var/run/*dnsmasq*.pid w,
  /var/run/dnsmasq/ r,
  /var/run/dnsmasq/* rw,

At present, the profile is useless without these additions, as dnsmasq won't even start when the profile is in enforce mode.
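
Added example, not part of the original comment or of the AppArmor project's code: a small Python check that the file rules listed above cover the paths used by the two dnsmasq invocations in the test case. The glob handling is a simplified model of AppArmor matching ('*' does not cross '/', '**' does), the sample file names are constructed, and the capability rule is not modelled.

```python
import re

# File rules proposed in the comment above: (path glob, permissions).
RULES = [
    ("/etc/dnsmasq.d/", "r"),
    ("/etc/dnsmasq.d/*", "r"),
    ("/var/run/*dnsmasq*.pid", "w"),
    ("/var/run/dnsmasq/", "r"),
    ("/var/run/dnsmasq/*", "rw"),
]

# Accesses implied by the test case's -x and -7 arguments (constructed list).
ACCESSES = [
    ("/etc/dnsmasq.d/", "r"),
    ("/var/run/dnsmasq/dnsmasq.pid", "w"),
    ("/var/run/nm-dnsmasq.wlan0.pid", "w"),
]

def glob_to_regex(glob):
    """Translate the AppArmor globs '*', '**' and '?' into an anchored regex."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            j = i
            while j < len(glob) and glob[j] == "*":
                j += 1
            # Assumption modelled here: a path component consisting only of
            # stars must match at least one character, so '/dir/*' != '/dir/'.
            if i > 0 and glob[i - 1] == "/" and (j == len(glob) or glob[j] == "/"):
                out.append("[^/]")
            out.append(".*" if j - i >= 2 else "[^/]*")
            i = j
        else:
            out.append("[^/]" if c == "?" else re.escape(c))
            i += 1
    return re.compile("".join(out) + r"\Z")

def granted(path, rules=RULES):
    """Union of the permissions from every rule whose glob matches path."""
    perms = set()
    for glob, p in rules:
        if glob_to_regex(glob).match(path):
            perms |= set(p)
    return perms

def uncovered(accesses=ACCESSES, rules=RULES):
    """Accesses that would be denied in enforce mode under these rules."""
    return [(p, perm) for p, perm in accesses if not set(perm) <= granted(p, rules)]
```

Because '*' stops at '/', `/var/run/*dnsmasq*.pid` does not cover `/var/run/dnsmasq/dnsmasq.pid`; that path is only allowed by the separate `/var/run/dnsmasq/* rw` rule.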