http://bugzilla.opensuse.org/show_bug.cgi?id=506704 http://bugzilla.opensuse.org/show_bug.cgi?id=506704#c4 --- Comment #4 from Christian Boltz <suse-beta@cboltz.de> --- Sorry, this bug was mis-assigned years ago and then lost/ignored :-( On the positive side - at least parts of your idea can easily be implemented nowadays. You can specify AppArmorProfile=... in a *.service file. Systemd will then enforce usage of that profile, and refuse to start the service if the profile isn't loaded. In theory you can also keep the network down this way by enforcing a (to-be-created) profile on wickedd and wickedd-*. You can easily add AppArmorProfile=... on your system by creating a plug-in sniplet for your *.service files as /etc/systemd/system/whatever.service.d/*.conf, which means you can keep the official *.service files and only have to maintain the plug-in yourself. Nowadays there's even systemctl edit whatever.service which will automatically create such a plug-in file. I'm not sure if we want to ship *.service files that enforce AppArmor by default - while I personally like the idea, it would also make disabling AppArmor too hard. Oh, BTW: The Ubuntu people are working hard on upstreaming all the AppArmor features, and they hope to have everything (including the "new" features only Ubuntu shipped for some years) in upstream kernel 4.14. If you have an idea how we can implement this in a way that makes everybody happy (including those who for whatever reason want to disable AppArmor), please tell me ;-) -- You are receiving this mail because: You are on the CC list for the bug.