Hello, Disclaimer: I never wrote an AppArmor profile
>From what I understand, unless you specify a deny rule, when you switch an >AppArmor profile to complain mode, it complains but does not confine, so you >would probably switch your AppArmor profile to enforce mode instead. And I suspect that on a default Debian installation (Systemd instead of SysVinit), restarting unit or relading configuration by a /etc/init.d command instead of systemctl might have undesired effects. https://wiki.debian.org/AppArmor/HowToUse https://linuxhint.com/apparmor-profiles-ubuntu/
