This branch "fixes" all denials I can see on current sid. I'm not super happy with relaxing the AppArmor confinement but the previous state of things was incompatible with how modern Totem works, and my first rule when writing policy is: don't break things. Let's rely a bit more on Totem's own new sandboxing features.