{% set os_family = salt['grains.get']('os_family') %}
{% set osmajorrelease = salt['grains.get']('osmajorrelease')|int %}

apparmor:
  pkg.installed:
    - pkgs:
        # SLE <= 12 and openSUSE <= 13.x don't have the separate apparmor-abstractions package
        # so install it everywhere except on those old SLE and openSUSE releases
        {% if os_family != 'Suse' or osmajorrelease >= 15 %}
        - apparmor-abstractions
        {% endif %}
        - apparmor-parser
        {% if salt['pillar.get']('apparmor:defaultprofiles', True) %}
        - apparmor-profiles
        {% endif %}
        - apparmor-utils

  service.running:
    {% if os_family == 'Suse' and osmajorrelease == 11 %}
    # SLE11 only has sysvinit and the boot.apparmor initscript
    - name: boot.apparmor
    {% endif %}
    - enable: True
    # restarting AppArmor means to remove confinement from running processes, so always use reload!
    - reload: True