OK, I got it. I didn't think that the host was using AppArmor, but it actually does.

So it must be started using --cap-add sys_admin --security-opt apparmor:unconfined

Now it works.