Thunderbird: policy breaks generation of a revocation certificate with Enigmail key management

As reported to Tails (https://labs.riseup.net/code/issues/15551) the Enigmail wizard is able to save a revokation certificate to the default location (e.g. ~/test@boum.org (0x815EBDF9A8A8A268DDDDA8D2AAEA1140B21F1077) rev.asc) but attempting to do so after the fact, via "Enigmail>Key Management, select you key pair and open Generate>Revocation Certificate", fails:

apparmor="DENIED" operation="mknod" profile="thunderbird//gpg"
name=2F686F6D652F616D6E657369612F7465737432207465737440626F756D2E6F7267202830784141454131313430423231463130373729207265762E617363
pid=7847 comm="gpg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

I don't recall what name="long hexadecimal string" means and how to fix that. Can someone please enlighten me?