https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-zesty/zesty/amd64/s/snapd/20170323_131353_98370@/log.gz:
[ 1146.168148] audit: type=1400 audit(1490272816.901:880): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/cups/backend/cups-pdf" pid=26489 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/cupsd"
[ 1146.168154] audit: type=1400 audit(1490272816.901:881): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/cupsd" pid=26489 comm="cups-pdf" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/cups/backend/cups-pdf"
[ 1146.190654] audit: type=1400 audit(1490272816.921:882): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/etc/cups/ppd/PDF.ppd" pid=26489 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1146.191113] audit: type=1400 audit(1490272816.921:883): apparmor="DENIED" operation="open" profile="/usr/lib/cups/backend/cups-pdf" name="/etc/cups/ppd/PDF.ppd" pid=26489 comm="cups-pdf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1146.191710] audit: type=1400 audit(1490272816.921:884): apparmor="DENIED" operation="mknod" profile="/usr/lib/cups/backend/cups-pdf" name="/var/log/cups/cups-pdf-PDF_log" pid=26489 comm="cups-pdf" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
From the denials, it seems like adding this to the cups profile:
unix peer=(label= /usr/lib/ cups/backend/ cups-pdf) ,
and this to cups-pdf:
/etc/ cups/ppd/ *.ppd r, log/cups/ cups-pdf- *_log rw, /usr/sbin/ cupsd),
/var/
unix peer=(label=
should fix the issue (untested).