Comment 6 for bug 1438249

Jamie Strandboge (jdstrand) wrote:

As far as historical context for network-interface-security.conf, it is all about loading the profiles that the symlinks in /etc/apparmor/init/network-interface-security/* point to in time. Looking at a 14.10 system, I see that there are two things there: sbin.dhclient and usr.sbin.ntpd. This suggests to me that Martin's approach of changing the dependencies is best. That said, I'm not yet incredibly familiar with systemd boot ordering -- it sounds like you are saying that ifup@.service will always run before networking comes up or NetworkManager. Therefore if we change ifup@.service to use After=apparmor.service, then this sounds sufficient. In terms of user experience when the cache is invalidated, it only shifts the policy recompilation earlier (i.e., the boot speed to login remains the same).