AppArmor fails to load policy with newer network rules
If newer userspace tools are used to load policy on an older kernel, the policy load can fail if the tools were built against a release that has information about newer networking protocols. This occurs because the tools create extra rules in the policy to handle the newer networking protocols, but the older kernel doesn't accept the larger networking tables containing the extra rules.
This is a problem in two cases, upgrades and a user dual booting newer and older kernels (eg. Maverick on Lucid). For upgrades the newer userspace tools will be installed and load policy before the user reboots to the new kernel, resulting in failure messages and new policy not being loaded (which could lead to any upgraded applications failing as old policy is not removed and is still enforced). For the dual boot case the newer AppArmor compiler is required to support the newer kernel, but it is subject to the same problems as the upgrade case except that policy may not load on boot resulting in no AppArmor protection.