diff --git a/apparmor-lessopen-nfs-workaround.diff b/apparmor-lessopen-nfs-workaround.diff
new file mode 100644
index 0000000..783f991
--- /dev/null
+++ b/apparmor-lessopen-nfs-workaround.diff
@@ -0,0 +1,15 @@
+Index: profiles/apparmor.d/usr.bin.lessopen.sh
+===================================================================
+--- profiles/apparmor.d/usr.bin.lessopen.sh.orig 2019-01-06 20:05:38.582356924 +0100
++++ profiles/apparmor.d/usr.bin.lessopen.sh 2019-01-06 20:08:26.885706133 +0100
+@@ -10,6 +10,10 @@
+ capability dac_override,
+ capability dac_read_search,
+
++ # workaround for https://bugzilla.opensuse.org/show_bug.cgi?id=1119937 / https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1784499
++ network inet stream,
++ network inet6 stream,
++
+ /** rk,
+ /bin/bash mrix,
+ /{usr/,}bin/rpm mrix,
diff --git a/apparmor.changes b/apparmor.changes
index 4600fc7..02c6353 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sun Jan 6 19:10:58 UTC 2019 - Christian Boltz
+
+- add apparmor-lessopen-nfs-workaround.diff: allow network access in
+ lessopen.sh for reading files on NFS (workaround for boo#1119937 /
+ lp#1784499)
+
 -------------------------------------------------------------------
 Wed Jan 2 19:11:16 UTC 2019 - Christian Boltz
diff --git a/apparmor.spec b/apparmor.spec
index d15b595..f2504ab 100644
--- a/apparmor.spec
+++ b/apparmor.spec
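Review bot: In the new apparmor-lessopen-nfs-workaround.diff, the added rules `network inet stream,` and `network inet6 stream,` grant TCP to the whole lessopen.sh profile, while the added comment only links the bug reports and does not say how much confinement is given up. The context lines show the profile already holds `capability dac_override`, `capability dac_read_search` and `/** rk`, and runs `/bin/bash` and rpm with `ix`, so after this change every inherited helper that parses an untrusted file can read any path and also open outbound TCP connections; the rules as written are not limited to the NFS server. I would state that in the profile comment together with the removal condition, e.g. `# TEMPORARY: grants TCP to everything under this profile (incl. ix children); remove once the kernel no longer checks NFS socket I/O against the task`. The profile body starts and ends outside this hunk, so whether a deny or audit rule elsewhere offsets this cannot be judged from here.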
@@ -69,6 +69,9 @@ Patch8: apparmor-nameservice-resolv-conf-link.patch
 # submitted upstream 2019-01-02 - https://gitlab.com/apparmor/apparmor/merge_requests/296 (master + 2.13) and https://gitlab.com/apparmor/apparmor/merge_requests/297 (2.12)
 Patch9: profile_filename_cornercase.diff
+# workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix)
+Patch10: apparmor-lessopen-nfs-workaround.diff
+
 PreReq: sed
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix /lib/apparmor
@@ -358,6 +361,7 @@ SubDomain.
 %patch7
 %patch8 -p1
 %patch9 -p1
+%patch10
 %build
 export SUSE_ASNEEDED=0
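Review bot: The comment above `Patch10:` in the first apparmor.spec hunk names a kernel fix as the proper solution but records neither the upstream status nor when the patch can be dropped, unlike the `Patch9` comment just above it, which gives the submission date and merge requests. Because this patch loosens an AppArmor profile rather than fixing a bug in it, I would add a second comment line with the removal condition, e.g. `# <upstream status>; drop as soon as the shipped kernel contains the fix for boo#1119937`. In the second hunk `%patch10` is applied without `-p1`, which appears consistent with the prefix-less `profiles/apparmor.d/...` paths inside the patch, so nothing needs changing there.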