openstack-ansible-security/doc/source/developer-notes/V-51337.rst

Opt-in required

The tasks in the security role can enable the Linux Security Module (LSM) that is appropriate for the Linux distribution in use. For Ubuntu, the default LSM is AppArmor. Refer to Ubuntu's AppArmor documentation for more details on how AppArmor works.

Deployers can opt in for this change by setting the following Ansible variable:

security_enable_linux_security_module: yes

Setting the variable to yes will run the tasks that enable AppArmor.