The initial apparmor.service assumed the profile cache is in
/var/lib/apparmor/ which was an openSUSE-specific path that was chosen
for historical reasons, but was far from perfect.
In the meantime, the profile cache moved to /var/cache/apparmor/ and the
read-only/packaged version was added in /usr/share/apparmor/cache/
This commit adjusts apparmor.service to use these paths.
... and the apparmor.systemd wrapper.
Also add a new 'install-systemd' target to the Makefile to install these
systemd-related files on (open)SUSE by default. Other distributions can
follow by adding a dependency on 'install-systemd' on their
'install-$DISTRO' target.
Note that apparmor.service has ExecStop=/bin/true to avoid that running
processes get unconfined if someone accidently types
systemctl restart apparmor (instead of using "reload")
Use aa-teardown if you really want to unload all profiles.
The files in this commit are used in openSUSE since a while, and also in
Arch Linux.
BTW: The condition on var-lib.mount is because openSUSE uses
/var/lib/apparmor/cache/ - but with the changed btrfs layout on
openSUSE, maybe I'll change that to /var/cache/apparmor/ which is
a) used by Debian and b) more sane
