@@ -230,12 +230,24 @@ function fixup_suse {

         return

     fi

-    # Disable apparmor profiles in openSUSE distros

-    # to avoid issues with haproxy and dnsmasq

-    if [ -x /usr/sbin/aa-enabled ] && sudo /usr/sbin/aa-enabled -q; then

-        sudo systemctl disable apparmor

+    # Deactivate and disable apparmor profiles in openSUSE and SLE

+    # distros to avoid issues with haproxy and dnsmasq.  In newer

+    # releases, systemctl stop apparmor is actually a no-op, so we

+    # have to use aa-teardown to make sure we've deactivated the

+    # profiles:

+    #

+    # https://www.suse.com/releasenotes/x86_64/SUSE-SLES/15/#fate-325343

+    # https://gitlab.com/apparmor/apparmor/merge_requests/81

+    # https://build.opensuse.org/package/view_file/openSUSE:Leap:15.2/apparmor/apparmor.service?expand=1

+    if sudo systemctl is-active -q apparmor; then

+        sudo systemctl stop apparmor

+    fi

+    if [ -x /usr/sbin/aa-teardown ]; then

         sudo /usr/sbin/aa-teardown

     fi

+    if sudo systemctl is-enabled -q apparmor; then

+        sudo systemctl disable apparmor

+    fi

     # Since pip10, pip will refuse to uninstall files from packages

     # that were created with distutils (rather than more modern