diff --git a/apparmor.changes b/apparmor.changes
index e1cbb70..ef054bd 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct 3 16:28:52 UTC 2017 - rgoldwyn@suse.com
+
+- profiles-sockets-temporary-fix.patch to cater to nameservices with the
+ new sockets mediation, until unix rules are upstreamed (boo#1061195)
+
 -------------------------------------------------------------------
 Sun Sep 24 09:14:02 UTC 2017 - coolo@suse.com
 
diff --git a/apparmor.spec b/apparmor.spec
index 453d296..b4a88f3 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -88,6 +88,10 @@ Patch13: apparmor-json-support.patch
 # https://marc.info/?l=apparmor-dev&m=150151113011870&q=p7
 Patch14: apparmor-fix-podsyntax.patch
 
+# temporary solution for unix dgram and unix stream - boo#1061195 (sent for upstream review, but will probably stay openSUSE only)
+# TODO: replace with proper unix rules when Kernel 4.15 arrives
+Patch15: profiles-sockets-temporary-fix.patch
+
 PreReq: sed
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix /lib/apparmor
@@ -395,6 +399,7 @@ touch libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.err
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
 
 # search for left-over multiline rules
 test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
diff --git a/profiles-sockets-temporary-fix.patch b/profiles-sockets-temporary-fix.patch
new file mode 100644
index 0000000..cfd023c
--- /dev/null
+++ b/profiles-sockets-temporary-fix.patch
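Review bot: The Patch15 comment in the first apparmor.spec hunk ties the removal of this temporary patch to "Kernel 4.15", but the patch's own description only says "probably 4.15" and names the real precondition as the kernel logging the details needed for unix rules; a TODO keyed to a version number that may not be the right one is easy to miss when the time comes. I would word it as `# TODO: replace with proper unix rules once the kernel logs the details needed for them (boo#1061195)` so the trigger is the actual capability rather than a guessed release. The same hunk cites the bug as boo#1061195 while the `References:` trailer of profiles-sockets-temporary-fix.patch cites bsc#1061195; both point at the same tracker, but the two spellings should be aligned so a search for either finds all places that depend on this workaround.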
@@ -0,0 +1,39 @@
+Subject: [PATCH] Temporarily fix socket mediation in nameservice
+References: bsc#1061195
+
+
+As per the conversation on IRC:
+cboltz: ah yes, the upstreamed version fixes a couple
+holes in the old patch suse carried
+
+One of these "holes" were unix events, which explains the denials you noticed (and that I also see now after installing 4.14rc2).
+
+The final solution will be to add some "unix" rules - but that's hard at the moment because 4.14 doesn't log all details needed for unix rules.
+
+Instead, I'll add a temporary patch for abstractions/nameservice that adds
+ network unix dgram,
+ network unix stream,
+
+(including a TODO note to replace it as soon as support for unix rules
+ was upstreamed, probably 4.15). These rules are broader than needed,
+but should avoid user-visible breakage - and at least with 4.14, unix
+rules would get downgraded to network unix anyway ;-)
+
+---
+ profiles/apparmor.d/abstractions/nameservice | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/profiles/apparmor.d/abstractions/nameservice
++++ b/profiles/apparmor.d/abstractions/nameservice
+@@ -92,5 +92,11 @@
+ # Netlink raw needed for nscd
+ network netlink raw,
+
++ # This is a temporary fix for nameservices with the new socket
++ # mediations in 4.14-rc2
++ # TODO: To be replaced once unix rules are upstreamed
++ network unix dgram,
++ network unix stream,
++
+ # interface details
+ @{PROC}/@{pid}/net/route r,
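Review bot: The two rules added to abstractions/nameservice, `network unix dgram,` and `network unix stream,`, are not scoped to the name-service sockets at all; since this abstraction is pulled into a large number of profiles, every one of them gains the ability to create and use arbitrary unix dgram and stream sockets for as long as the patch is carried, which is a real widening of what those profiles confine. The patch description admits the rules are "broader than needed", but the comment that ends up in the installed profile does not say so, nor does it cite the bug, so an administrator reading the profile cannot tell the grant is deliberate or what the intended replacement is. I would make the in-profile comment carry that context, along the lines of `# TODO: replace with peer-restricted unix rules once the kernel logs the details they need (boo#1061195); until then this allows any unix dgram/stream socket, not only the nameservice ones`. Because the widening is temporary, it is also worth stating in the comment which profiles are affected (all includers of this abstraction) so the scope of the workaround is visible when it is eventually reverted.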