This is due to the system having a previos AppArmor profile, that is still enforced.
I don't know if it can be fixed. Maybe the preinstall script should deactivate the profile? AppArmor causes a lot of weird errors when it stops the mysqld from working as expected, and the code inside mysqld does not know how to fall back from a suddend denial of access. Therefore the profile we ship has been empty for a few years already to make sure AppArmor would not confine anything (https://salsa.debian.org/mariadb-team/mariadb-10.1/blob/master/debian/apparmor-profile). We need an AppArmor expert in the packaging team to write a good profile and actively maintain it. Any attempt to do a 99% good profile that fails 1% of the time would sum up to cause too much trouble.

