[apparmor] AppArmor and /etc/

[intrigeri]

intrigeri:
> The initscript has this:

>    # Required-Start: $local_fs

> … so I think we should be good when pid 1 == sysvinit as well as long
> as /var is not on a remote FS.

> Then I'm hesitating between:

> a) Assume this very unlikely corner-case simply won't be triggered on
>    real-life Buster or newer systems, and then either leave it at that
>    or document in README.Debian that one must s/local_fs/remote_fs/
>    when using sysvinit + AppArmor + non-local /var.

> b) Replace that stanza with "Required-Start: $remote_fs"

>     - pros: avoids the risk of breaking boot in this (corner) case
>     - cons: some services may be started before AppArmor and thus not
>       get the expected confinement unless they explicitly order
>       themselves after apparmor

> Thoughts, opinions?

FTR I went with (b) in the corresponding merge request [1] but I could
easily be convinced that (a) is better.

[1] https://salsa.debian.org/apparmor-team/apparmor/merge_requests/9

Cheers,
-- 
intrigeri