Comment 7 for bug 1305108

Jamie Strandboge (jdstrand) wrote :

Some thoughts for the discussion:
The attached v1 job does need to load profiles in /var. Looking at the cookbook, it seems we might want to have 'start on stopped apparmor' (since it is a task) in at least lightdm. I'm not sure we need anything new for the networking bit since we already have a mechanism for this with symlinks in /etc/apparmor/init/network-interface-security/ (i.e., like how we do with dhclient). System jobs can use the apparmor stanza or the older 'pre-start script /lib/init/apparmor-profile-load end script' technique to make sure the policy is loaded.