Comment 4 for bug 1503762

Felipe Sateler (fsateler) wrote :

@seth-arnold,

I would probably use /etc/default/apparmor, in a more Debian/Ubuntu style.

But what happens if apparmor_parser is invoked with an empty $APPARMOR_SEARCH_LIST (in the service you posted, that would translate into no parameter being passed)? If that should not happen, then the EnvironmentFile should probably not have a "-" prefix, so that the unit fails when the file is missing.

In the more general case, systemd service files are configuration files themselves, so there is no need to introduce a new one: just set the default APPARMOR_SEARCH_LIST with an Environment key, which can be overridden via a drop-in in either /lib (by the distro) or /etc (by the admin):

[Service]
Type=oneshot
# The variable name in Environment= must match the one referenced below.
Environment=APPARMOR_SEARCH_LIST=/etc/apparmor.d
ExecStart=/usr/sbin/apparmor_parser -r $APPARMOR_SEARCH_LIST
ExecStop=/usr/sbin/apparmor_parser -R $APPARMOR_SEARCH_LIST
ExecReload=/usr/sbin/apparmor_parser --reload $APPARMOR_SEARCH_LIST
RemainAfterExit=yes

And it could be overridden with a simple snippet (e.g. in /lib/systemd/system/apparmor.service.d/50-click-search-list.conf):

[Service]
# I'm a phone
Environment="APPARMOR_SEARCH_LIST=/etc/apparmor.d /var/foo/click/apparmor.d"
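The following script is an added example, not part of the bug thread or of the apparmor package. It emulates what the unit above hands to apparmor_parser and adds the pre-flight check the comment asks for: systemd expands an unquoted-brace reference like $APPARMOR_SEARCH_LIST by splitting the value at whitespace into zero or more arguments (which is why the two-path override works, and why ${APPARMOR_SEARCH_LIST} would instead pass "path1 path2" as a single argument), so an empty or unset variable yields "apparmor_parser -r" with no path at all. The function names (split_search_list, argc_after_split, check_search_list) and the temporary directory layout are assumptions made for this example; a unit could run check_search_list from an ExecStartPre= line so that it fails early instead of loading nothing.

```shell
#!/bin/sh
# Added example: emulate systemd's "$VAR" word splitting for the apparmor
# unit discussed above and refuse to start with an empty or invalid list.

# split_search_list emulates systemd's "$VAR" expansion: the value is split
# at whitespace into zero or more arguments, printed one per line.
split_search_list() {
    # shellcheck disable=SC2086
    set -- $1
    for d in "$@"; do printf '%s\n' "$d"; done
}

# argc_after_split prints how many arguments apparmor_parser would receive
# after "$APPARMOR_SEARCH_LIST" is expanded; 0 is the empty-list failure mode.
argc_after_split() {
    # shellcheck disable=SC2086
    set -- $1
    echo "$#"
}

# check_search_list is the pre-flight a practitioner could run as
# ExecStartPre=. Returns 0 when the list is non-empty and every entry is an
# existing directory, 1 otherwise, so the unit fails instead of silently
# running "apparmor_parser -r" with no path.
check_search_list() {
    list=$1
    # shellcheck disable=SC2086
    set -- $list
    if [ "$#" -eq 0 ]; then
        echo "APPARMOR_SEARCH_LIST is empty; refusing to start" >&2
        return 1
    fi
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "APPARMOR_SEARCH_LIST entry is not a directory: $d" >&2
            return 1
        fi
    done
    return 0
}

# Demonstration on a constructed temporary layout (runs offline, no root).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/apparmor.d" "$tmp/var/foo/click/apparmor.d"
    two="$tmp/etc/apparmor.d $tmp/var/foo/click/apparmor.d"

    echo "arguments passed for the two-path override:"
    split_search_list "$two"
    echo "argc: $(argc_after_split "$two")"
    echo "argc for an empty list: $(argc_after_split "")"

    if check_search_list "$two"; then
        echo "two-path list accepted"
    fi
    if check_search_list ""; then
        echo "unexpected: empty list accepted"
    else
        echo "empty list rejected: the unit would fail instead of loading nothing"
    fi
    rm -rf "$tmp"
}

demo
```

The demonstration function does not call apparmor_parser, so it is safe to run anywhere; in a real unit the same check_search_list logic would sit in a small script invoked from ExecStartPre= with the same Environment= value.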