I'm afraid we are talking about two different things...
In your example
AA denied access to /boot/initrd.img-2.6.35-23-generic because you explicitly did not allow the application to access that file in its AA profile. This is of course logged.
Dec 2 21:27:21 maverick kernel: [ 693.304375] type=1400 audit(1291350441.726:15): apparmor="DENIED" operation="open" parent=1820 profile="/usr/bin/evince" name="/boot/initrd.img-2.6.35-23-generic" pid=1843 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
But what I'm talking about is this: if I add this line to usr.bin.evince
deny /boot/initrd.img-2.6.35-23-generic r,
and then attempt to open the initrd file using evince, the access will be denied AND it will not be logged. BTW the quote you gave ("deny rules - In a profile any rule with the deny prefix will cause quieting of rejects matching the rule.") IMO confirms this.
My original question was: can this behavior be applied to the network rule as well?
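An added example, not part of the original post: a small Python parser that pulls the fields out of AppArmor audit records like the one quoted above and counts the logged denials. The function names and the second and third sample lines are constructed for illustration; the first sample line is the record from the post.

```python
import re
from collections import Counter

# key=value or key="value" pairs as they appear in a kernel audit record.
PAIR_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_apparmor_event(line):
    """Return the record's fields as a dict, or None if it is not an AppArmor record."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, raw, quoted in PAIR_RE.findall(line):
        # Quoted values may contain spaces; unquoted ones end at whitespace.
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def logged_denials(lines):
    """Count DENIED records per (profile, name, denied_mask).

    Only denials that were logged show up here. As the post describes, a
    reject matched by an explicit deny rule is quieted, so an empty result
    does not mean nothing was denied.
    """
    counts = Counter()
    for line in lines:
        event = parse_apparmor_event(line)
        if event and event.get("apparmor") == "DENIED":
            counts[(event.get("profile"), event.get("name"),
                    event.get("denied_mask"))] += 1
    return counts

SAMPLE_LOG = [
    # Record quoted in the post.
    'Dec 2 21:27:21 maverick kernel: [ 693.304375] type=1400 '
    'audit(1291350441.726:15): apparmor="DENIED" operation="open" parent=1820 '
    'profile="/usr/bin/evince" name="/boot/initrd.img-2.6.35-23-generic" '
    'pid=1843 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    # Constructed: a complain-mode record, which must not be counted as a denial.
    'Dec 2 21:28:02 maverick kernel: [ 734.100000] type=1400 '
    'audit(1291350482.000:16): apparmor="ALLOWED" operation="open" parent=1820 '
    'profile="/usr/bin/evince" name="/tmp/sample file.pdf" pid=1850 '
    'comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    # Constructed: an unrelated kernel line.
    'Dec 2 21:28:05 maverick kernel: [ 737.000000] eth0: link up',
]

if __name__ == "__main__":
    for key, count in logged_denials(SAMPLE_LOG).items():
        print(count, *key)
```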