I looked at the status of this on buster: uname -a Linux localhost.localdomain 4.19.0-2-amd64 #1 SMP Debian 4.19.16-1 (2019-01-17) x86_64 GNU/Linux
and the issue still can be reproduced (in the sense that telnet.netkit network access will not be blocked after enforcing the rule). Except it is worse because this command: sudo apparmor_parser -vr /etc/apparmor.d/usr.bin.telnet.netkit does not show anymore the message "network rules not enforced". Should this be documented in /usr/share/doc/apparmor/README.Debian ? This currently refers to: https://wiki.debian.org/AppArmor but there is no mention of this limitation in there. Paolo