update

apparmor.d/profiles-s-z/su

@@ -19,6 +19,9 @@ profile su @{exec_path} {
   capability setgid,
   capability setuid,
   capability dac_read_search,
+  capability sys_resource,
+  # No clear purpose, deny until needed
+  deny capability net_admin,
   #audit deny capability net_bind_service,
 
   signal (send)    set=(term,kill),
@@ -51,11 +54,6 @@ profile su @{exec_path} {
   @{PROC}/cmdline r,
   @{sys}/devices/virtual/tty/console/active r,
 
-  # Upstreaming
-  capability sys_resource,
-  # No clear purpose, deny until needed
-  deny capability net_admin,
-
   # pseudo-terminal
   capability chown,