I'm not really happy with this solution (and an upstream discussion came to the same conclusion), but I also understand why it makes sense for Kubic.

TL;DR: I'll accept it as temporary solution and only for Kubic.

For the long version, let me explain a bit more:

The ideal solution would be to ship an AppArmor features file and to pre-build the profile cache on package installation. A features file is basically a list of rule types etc. a kernel supports, so this even works in the installation chroot and independent of the running kernel version.

There is ongoing work upstream to allow precompiling the profiles for multiple kernels / feature files which will probably land in the next AppArmor release. I'd like to delay using a features file until then.

That said - here's a proposal: I'll accept the added service and timer as a temporary solution until AppArmor has support for multiple caches. I'd also like to have it only in Kubic, so please move apparmor_prefill_service.service and apparmor_prefill_cache.timer to a subpackage that only gets installed on Kubic, maybe with "Supplements: packageand(apparmor-parser:openSUSE-Tumbleweed-Kubic-release)".

I'd also recommend not to create the rcapparmor_rebuild_cache symlink to keep this temporary solution less visible - average users can simply use "rcapparmor reload" which also rebuilds the cache if needed.

Oh, another detail - I assume replacing /sbin/ with %{sbindir} effectively means moving rcapparmor to /usr/sbin/. I'm not against this, but please put a compability symlink in /sbin/ for people who have that path hardcoded in some scripts.

(trying CC @cboltz - let's see if this gives me a mail copy of this comment ;-)

@cboltz: review reminder