Additional, after original denies are fixed up, running "ejabberctl help" for
example, net_admin cap is requested:
```
type=AVC msg=audit(1517059122.720:293): apparmor="DENIED" operation="capable" profile="/usr/sbin/ejabberdctl//su"
pid=4820 comm="su" capability=12 capname="net_admin"
type=SYSCALL msg=audit(1517059122.720:293): arch=c000003e syscall=54 success=no exit=-1 a0=4 a1=1 a2=21 a3=7fff43afa580
items=0 ppid=4809 pid=4820 auid=1000 uid=0 gid=131 euid=0 suid=0 fsuid=0 egid=131 sgid=131 fsgid=131 tty=pts4 ses=4
comm="su" exe="/usr/bin/su" key=(null)
```
Seems like it's `setsockopt` with SO_RCVBUFFORCE argument (33 in dec, 21 hex).
This looks like similar issue to
https://bugs.launchpad.net/ubuntu/+source/traceroute/+bug/1703649.
I doubt it is critical and will deny it.
Also, pgrep:
```
type=AVC msg=audit(1517059021.694:268): apparmor="DENIED" operation="exec" profile="/usr/sbin/ejabberdctl"
name="/usr/bin/pgrep" pid=3785 comm="ejabberdctl" requested_mask="x" denied_mask="x" fsuid=123 ouid=0
type=AVC msg=audit(1517061569.031:456): apparmor="DENIED" operation="open" profile="/usr/sbin/ejabberdctl"
name="/proc/sys/kernel/osrelease" pid=18373 comm="pgrep" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
type=AVC msg=audit(1517061569.031:457): apparmor="DENIED" operation="open" profile="/usr/sbin/ejabberdctl" name="/proc/"
pid=18373 comm="pgrep" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
```
