This is an interesting[tm] topic. I discussed this with the upstream AppArmor developers, and they didn't like the idea of denying a capability because systemd is doing silly things (I have to admit that this summary is slightly exaggerated ;-)). So if we include this patch, it will most probably be a non-upstreamable patch forever.

The main problem is: if one day samba really needs the net_admin capability, we will get reports about strange failures without any log entry (because "deny" silences the logging) and, worse, angry users ;-).

The correct fix here is to fix systemd so that it does not accidentally cause a request for capability sys_admin (see comment #2 for details) for lots of daemons. Note that I've noticed similar capability requests for other daemons, for example apache.
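For readers unfamiliar with the logging behaviour the comment refers to, here is an added illustration (not part of the bug report and not a proposed patch) of the three ways an AppArmor profile can treat the capability. The profile path /usr/sbin/smbd and the rules around it are assumptions for the example:

```apparmor
# Added example: how AppArmor rule prefixes change what gets logged.
# Assumed profile name and surrounding rules; the capability names come
# from the discussion above.

/usr/sbin/smbd {
  # 1) No rule at all: the request is denied AND logged, e.g.
  #    apparmor="DENIED" operation="capable" ... capname="sys_admin"
  #    (this is the default that produces the noise the bug is about)

  # 2) Explicit deny: denied, but QUIET. No audit entry is written, so a
  #    daemon that later really needs the capability fails silently.
  deny capability sys_admin,

  # 3) audit deny: denied and still logged. If a deny rule is carried as a
  #    downstream patch anyway, this variant keeps the failure visible.
  # audit deny capability sys_admin,

  # For comparison, granting the capability (what a future samba might need):
  # capability net_admin,
}
```

The practical check after any of these changes is to reload the profile (`apparmor_parser -r`) and watch the audit log or `dmesg` for `operation="capable"` entries: with variant 2 the entry disappears even though the request is still refused, which is exactly the silent failure mode the comment warns about.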