http://bugzilla.opensuse.org/show_bug.cgi?id=1069906 http://bugzilla.opensuse.org/show_bug.cgi?id=1069906#c2 --- Comment #2 from Christian Boltz <suse-beta@cboltz.de> --- This is... interesting ;-) John already explained the reason for the errors. Let me add that running "rcapparmor reload" in the running system (when /var/lib/apparmor/ is writeable) will also update the cache. There are more interesting things: apparmor.service has After=var.mount var-lib.mount so I'd expect it to start late enough. (Note that apparmor.service should start as early as possible - the profiles have to be loaded before the programs they confine start.) I also wonder about a few lines in your log, especially Nov 27 10:11:02 localhost systemd[1]: var-lib-overlay.mount: Unit is bound to inactive unit dev-vda2.device. Stopping, too. Nov 27 10:11:02 localhost systemd[1]: Requested transaction contradicts existing jobs: Transaction is destructive. Nov 27 10:11:02 localhost systemd[1]: var-lib-overlay.mount: Failed to enqueue stop job, ignoring: Transaction is destructive. I don't know what these messages mean exactly, but (assuming/guessing that they refer to an overlay mount for /var/lib/) they could be a part of the puzzle. I never tried Kubic or Caas, therefore I can only guess what happens, and hope that the above hints help you to understand the problem. If you have an idea how to handle this (ideally without delaying loading the profiles), please tell me ;-) -- You are receiving this mail because: You are on the CC list for the bug.