Basically you are right, bug I'd prefer not to add dependencies unless needed to make sure the package gets installed as early as possible (which also means AppArmor protection can be enabled early). The 'rm' call is there to clear the content of /var/cache/apparmor/ - and if rm is not installed yet, it's highly unlikely that the cache dir contains something we'd need to delete ;-) - therefore I tend to use 2>/dev/null in this case.