AppArmor needs to provide support for building the policy cache on kernel install
Currently, policy is not compiled when a new kernel is installed. This is problematic because it means we can reboot into a new kernel without compiled policy for it, which slows boot (every profile has to be compiled before it can be loaded) and, even worse, can result in system daemons that start before policy is loaded running unconfined.
While the ultimate integration of such a feature is a packaging issue, as an upstream we should provide reference patches for SUSE, Debian, Ubuntu, Arch, etc.
We could also integrate this into the userspace daemon (this has been started). It could be configured to watch for new kernel files and build cache files for them. Obviously it would need some way to access the kernel's feature file information, so either kernel packages would need to ship it, or we would need to develop a way to extract it directly from the kernel blob. Even going this route, distros may want a kernel integration patch so that they can know that policy compiled successfully and it is safe to reboot.
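As an added example (not AppArmor's own code, and not the daemon work mentioned above), the following Python sketch shows the core of such a watcher: find installed kernels whose cache has not been built, compile all policy against that kernel's feature set without touching the running kernel, and record success per version so an install hook can decide whether a reboot is safe. The apparmor_parser options it invokes (-Q/--skip-kernel-load, --write-cache, --features-file, --cache-loc) are real; the parser itself places each compile in a per-feature-set subdirectory under --cache-loc, so caches for several kernels coexist. Two things the page leaves open are assumptions here and labelled as hypothetical: a features file shipped by the kernel package at /lib/modules/<version>/apparmor-features, and a per-version stamp file under /var/lib/apparmor/cache-stamps.

```python
#!/usr/bin/env python3
"""Build the AppArmor policy cache for newly installed kernels.

Added example, not AppArmor's own code. Real apparmor_parser options are
used: --skip-kernel-load (-Q), --write-cache, --features-file, --cache-loc.

Hypothetical assumptions (no such packaging convention exists today):
  * the kernel package ships its feature set as
    /lib/modules/<version>/apparmor-features,
  * a stamp file per version under /var/lib/apparmor/cache-stamps records
    that the cache compiled cleanly, so a kernel install hook can check it
    before declaring the reboot safe.
"""
import subprocess
import sys
import time
from pathlib import Path

POLICY_DIR = Path("/etc/apparmor.d")
CACHE_LOC = Path("/var/cache/apparmor")
MODULES_DIR = Path("/lib/modules")
STAMP_DIR = Path("/var/lib/apparmor/cache-stamps")  # hypothetical
FEATURES_NAME = "apparmor-features"                 # hypothetical per-kernel file


def parser_cmd(features_file, policy_dir=POLICY_DIR, cache_loc=CACHE_LOC,
               parser="apparmor_parser"):
    """Compile every profile in policy_dir against the given feature set and
    write the cache, without loading anything into the running kernel."""
    return [parser, "--skip-kernel-load", "--write-cache",
            f"--features-file={features_file}",
            f"--cache-loc={cache_loc}", str(policy_dir)]


def pending_kernels(modules_dir=MODULES_DIR, stamp_dir=STAMP_DIR):
    """Installed kernel versions that ship a features file but have no
    success stamp yet, i.e. whose cache still needs building."""
    pending = []
    for entry in sorted(Path(modules_dir).iterdir()):
        has_features = (entry / FEATURES_NAME).is_file()
        if has_features and not (Path(stamp_dir) / entry.name).exists():
            pending.append(entry.name)
    return pending


def build_cache(version, modules_dir=MODULES_DIR, stamp_dir=STAMP_DIR,
                policy_dir=POLICY_DIR, cache_loc=CACHE_LOC,
                parser="apparmor_parser"):
    """Build the cache for one kernel. The stamp is written only when the
    parser exits 0; a failed compile leaves no stamp, so the version stays
    pending and is never reported as reboot-safe."""
    features = Path(modules_dir) / version / FEATURES_NAME
    result = subprocess.run(parser_cmd(features, policy_dir, cache_loc, parser),
                            capture_output=True, text=True)
    if result.returncode != 0:
        print(f"{version}: apparmor_parser failed:\n{result.stderr}", file=sys.stderr)
        return False
    stamp_dir = Path(stamp_dir)
    stamp_dir.mkdir(parents=True, exist_ok=True)
    (stamp_dir / version).write_text(f"{features}\n")
    return True


def cache_ready(version, stamp_dir=STAMP_DIR):
    """The check a kernel install hook would run before rebooting."""
    return (Path(stamp_dir) / version).is_file()


def run_once(**kw):
    """One pass: build caches for every pending kernel, return {version: ok}."""
    scan = {k: kw[k] for k in ("modules_dir", "stamp_dir") if k in kw}
    return {v: build_cache(v, **kw) for v in pending_kernels(**scan)}


def watch(interval=10, **kw):
    """Poll for new kernels; a real daemon would use inotify instead."""
    while True:
        for version, ok in run_once(**kw).items():
            print(f"{version}: {'cache built' if ok else 'compile FAILED'}")
        time.sleep(interval)


if __name__ == "__main__":
    watch()
```

The stamp file is the userspace half of the "safe to reboot" question: a kernel postinst can call cache_ready() (or simply test for the stamp) and refuse to mark the new kernel as default until it exists. A real daemon would replace the polling loop with an inotify watch on /lib/modules, and would read the feature set from wherever the kernel package or an extraction tool actually puts it.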