diff --git a/module-gssapi b/module-gssapi
new file mode 100644
index 0000000..d972f0c
--- /dev/null
+++ b/module-gssapi
@@ -0,0 +1,3 @@
+ # rsyslog-module-gssapi
+ # couldn't test because not kerberos server is available
+ # but it shouldn't require any special permissions anyhow
diff --git a/module-gtls b/module-gtls
new file mode 100644
index 0000000..fc1b855
--- /dev/null
+++ b/module-gtls
@@ -0,0 +1,4 @@
+ # for logging via TLS (rsyslog-module-gtls)
+ # keys/certificates need to be located under /etc/rsyslog.d or permissions need to be adjusted here
+ # rsyslog tries to write to the certificates for no reason, so deny this quietly
+ deny /etc/rsyslog.d/* w,
diff --git a/module-mysql b/module-mysql
new file mode 100644
index 0000000..3fd9a78
--- /dev/null
+++ b/module-mysql
@@ -0,0 +1,6 @@
+ # for logging to mysql DB (rsyslog-module-mysql)
+ #include
+ #include
+ /etc/my.cnf r,
+ /etc/my.cnf.d/ r,
+ /etc/my.cnf.d/default_plugins.cnf r,
diff --git a/module-pgsql b/module-pgsql
new file mode 100644
index 0000000..acc01f1
--- /dev/null
+++ b/module-pgsql
@@ -0,0 +1 @@
+ # for logging to postgresql (rsyslog-module-pgsql)
diff --git a/module-relp b/module-relp
new file mode 100644
index 0000000..58dc544
--- /dev/null
+++ b/module-relp
@@ -0,0 +1 @@
+ # for logging via relp (rsyslog-module-relp)
diff --git a/module-snmp b/module-snmp
new file mode 100644
index 0000000..4156248
--- /dev/null
+++ b/module-snmp
@@ -0,0 +1,7 @@
+ # for logging to (rsyslog-module-snmp)
+ #include
+ /proc/uptime r,
+ /usr/share/snmp/mibs/ r,
+ /usr/share/snmp/mibs/*.txt r,
+ /var/lib/net-snmp/mib_indexes/ rw,
+ /var/lib/net-snmp/mib_indexes/* rw,
diff --git a/module-udpspoof b/module-udpspoof
new file mode 100644
index 0000000..891136a
--- /dev/null
+++ b/module-udpspoof
@@ -0,0 +1,3 @@
+ # for logging with omudpspoof (rsyslog-module-udpspoof)
+ capability net_raw,
+ network inet raw,
diff --git a/rsyslog-pid-file.patch b/rsyslog-pid-file.patch
new file mode 100644
index 0000000..f7a55aa
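Review bot: The `deny /etc/rsyslog.d/* w,` rule in module-gtls also suppresses logging, so any write attempt against a key or certificate is dropped without an audit record, including one that is not the harmless startup behaviour the comment describes. If that visibility matters more than a quiet log, `audit deny /etc/rsyslog.d/* w,` keeps the block and still records the attempt. The comment could also say that the files must sit directly in /etc/rsyslog.d, since `*` does not match across a `/` and a key in a subdirectory is covered by neither this rule nor the read rule in usr.sbin.rsyslogd.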
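Review bot: module-udpspoof grants `capability net_raw,` and `network inet raw,` with only the module name as a comment; it should say that these apply to the whole rsyslogd process, not just to the omudpspoof output. The include target at the end of usr.sbin.rsyslogd is not visible on this page, but if it pulls in the whole rsyslog.d directory, installing the package widens the profile even when the module is never loaded. A proposed comment: `# raw sockets for omudpspoof; granted to all of rsyslogd once this file is installed`.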
--- /dev/null
+++ b/rsyslog-pid-file.patch
@@ -0,0 +1,27 @@
+Index: rsyslog-8.2.2/tools/syslogd.c
+===================================================================
+--- rsyslog-8.2.2.orig/tools/syslogd.c
++++ rsyslog-8.2.2/tools/syslogd.c
+@@ -133,19 +133,14 @@ rsRetVal rsyslogdInit(void);
+ void rsyslogdDebugSwitch();
+ void rsyslogdDoDie(int sig);
+
+-
+-#if defined(SYSLOGD_PIDNAME)
+-# undef _PATH_LOGPID
+-# define _PATH_LOGPID "/etc/" SYSLOGD_PIDNAME
+-#else
+-# ifndef _PATH_LOGPID
+-# define _PATH_LOGPID "/etc/rsyslogd.pid"
+-# endif
++#ifndef _PATH_LOGPID
++# define _PATH_LOGPID "/var/run/rsyslogd.pid"
+ #endif
+
+ #ifndef _PATH_TTY
+ # define _PATH_TTY "/dev/tty"
+ #endif
++
+ char *PidFile = _PATH_LOGPID; /* read-only after startup */
+
+ int bHadHUP = 0; /* did we have a HUP? */
diff --git a/rsyslog.changes b/rsyslog.changes
index 64b9acc..68f6bc2 100644
--- a/rsyslog.changes
+++ b/rsyslog.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Jul 16 15:17:34 UTC 2014 - jsegitz@suse.com
+
+- Preliminary AppArmor support. Since those profiles need to be tested
+ properly they'll live in /etc/apparmor/profiles/extras.
+- Added rsyslog-pid-file.patch to fix a regression that causes the pid
+ file to be created in /etc
+
 -------------------------------------------------------------------
 Wed Jun 4 19:40:26 UTC 2014 - andreas.stieger@gmx.de
diff --git a/rsyslog.spec b/rsyslog.spec
index c6bbcfb..e05e502 100644
--- a/rsyslog.spec
+++ b/rsyslog.spec
@@ -41,7 +41,7 @@ Release: 0
 %else
 %bcond_with journal
 %endif
-%bcond_with gssapi
+%bcond_with gssapi
 %bcond_without gnutls
 %bcond_without gcrypt
 %bcond_without guardtime
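Review bot: The replacement block in rsyslog-pid-file.patch drops the `SYSLOGD_PIDNAME` branch entirely, so a build that defines that macro now silently gets `/var/run/rsyslogd.pid` (or whatever `_PATH_LOGPID` an earlier header already set) instead of its chosen name. If the branch is meant to stay, keep it with the new directory, `# define _PATH_LOGPID "/var/run/" SYSLOGD_PIDNAME`; if not, a sentence at the top of the patch saying the macro is intentionally unsupported would do. The resulting path also has to stay in step with the `/{var/,}run/rsyslogd.pid rwk,` rule in usr.sbin.rsyslogd, which is worth a comment next to the define.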
@@ -172,8 +172,27 @@ Source1: rsyslog.sysconfig
 Source2: rsyslog.conf.in
 Source4: rsyslog.d.remote.conf.in
 Source5: rsyslog-service-prepare.in
+Source6: usr.sbin.rsyslogd
+Source7: module-gssapi
+Source8: module-gtls
+Source9: module-mysql
+Source10: module-pgsql
+Source11: module-relp
+Source12: module-snmp
+Source13: module-udpspoof
+
 # PATCH-FIX-OPENSUSE rsyslog-unit.patch crrodriguez@opensuse.org Customize upstream systemd unit for openSUSE needs.
 Patch0: rsyslog-unit.patch
+# PATCH-FIX-UPSTREAM rsyslog-pid-file.patch jsegitz@suse.com Fixes https://github.com/rsyslog/rsyslog/issues/86, can probably be removed after 8.2.2
+Patch1: rsyslog-pid-file.patch
+
+# this is a dirty hack since % dir does only work for the specified directory and nothing above
+# but I want to be able to switch this to /etc/apparmor.d once the profiles received more testing
+%define APPARMOR_PROFILE_PATH /etc/apparmor/profiles/extras
+%define APPARMOR_PROFILE_PATH_DIR_COMMANDS %dir /etc/apparmor/ \
+ %dir /etc/apparmor/profiles \
+ %dir /etc/apparmor/profiles/extras \
+ %dir /etc/apparmor/profiles/extras/rsyslog.d
 %description
 Rsyslog is an enhanced multi-threaded syslogd supporting, among others,
@@ -450,6 +469,7 @@ This module provides support for ZeroMQ.
 %prep
 %setup -q -n %{name}-%{upstream_version}
 %patch0 -p1
+%patch1 -p1
 #
 %if %{with systemd}
 for file in rsyslog-service-prepare; do
@@ -677,6 +697,29 @@ install -m644 plugins/ompgsql/createDB.sql \
 install -d -m0755 %{buildroot}%{rsyslog_rundir}
 touch %{buildroot}%{rsyslog_sockets_cfg}
 chmod 644 %{buildroot}%{rsyslog_sockets_cfg}
+mkdir -p %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
+install -m0640 %{SOURCE6} %{buildroot}%{APPARMOR_PROFILE_PATH}/
+%if %{with gssapi}
+ install -m0640 %{SOURCE7} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
+%endif
+%if %{with gnutls}
+ install -m0640 %{SOURCE8} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
+%endif
+%if %{with mysql}
+ install -m0640 %{SOURCE9} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
+%endif
+%if %{with pgsql}
+ install -m0640 %{SOURCE10} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
+%endif
+%if %{with relp}
+ install -m0640 %{SOURCE11} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
+%endif
+%if %{with snmp}
+ install -m0640 %{SOURCE12} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
+%endif
+%if %{with udpspoof}
+ install -m0640 %{SOURCE13} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
+%endif
 %clean
 if [ -n "%{buildroot}" ] && [ "%{buildroot}" != "/" ] ; then
@@ -883,6 +926,8 @@ fi
 %{_unitdir}/rsyslog.service
 %{_sbindir}/rc%{name}
 %endif
+%{APPARMOR_PROFILE_PATH_DIR_COMMANDS}
+%config %{APPARMOR_PROFILE_PATH}/usr.sbin.rsyslogd
 %if %{with diagtools}
@@ -901,6 +946,7 @@ fi
 %{rsyslog_module_dir_withdeps}/omgssapi.so
 %{rsyslog_module_dir_withdeps}/imgssapi.so
 %{rsyslog_module_dir_withdeps}/lmgssutil.so
+%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-gssapi
 %endif
 %if %{with mysql}
@@ -909,6 +955,7 @@ fi
 %defattr(-,root,root)
 %doc %{rsyslogdocdir}/mysql-createDB.sql
 %{rsyslog_module_dir_withdeps}/ommysql.so
+%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-mysql
 %endif
 %if %{with pgsql}
@@ -917,6 +964,7 @@ fi
 %defattr(-,root,root)
 %doc %{rsyslogdocdir}/pgsql-createDB.sql
 %{rsyslog_module_dir_withdeps}/ompgsql.so
+%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-pgsql
 %endif
 %if %{with dbi}
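Review bot: The profiles are packaged as plain `%config` (`%config %{APPARMOR_PROFILE_PATH}/usr.sbin.rsyslogd` in the main %files hunk, and the `module-*` entries in the later %files hunks), so when a package update changes a profile, an administrator's locally tightened copy is moved aside to `.rpmsave` and the packaged version takes its place. For security policy it is usually safer to keep the local file and ship the new one alongside it: `%config(noreplace) %{APPARMOR_PROFILE_PATH}/usr.sbin.rsyslogd`, and the same for each module profile.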
@@ -932,6 +980,7 @@ fi
 %defattr(-,root,root)
 %{rsyslog_module_dir_withdeps}/omsnmp.so
 %{rsyslog_module_dir_nodeps}/mmsnmptrapd.so
+%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-snmp
 %endif
 %if %{with gnutls}
@@ -939,6 +988,7 @@ fi
 %files module-gtls
 %defattr(-,root,root)
 %{rsyslog_module_dir_withdeps}/lmnsd_gtls.so
+%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-gtls
 %endif
 %if %{with relp}
@@ -947,6 +997,7 @@ fi
 %defattr(-,root,root)
 %{rsyslog_module_dir_withdeps}/imrelp.so
 %{rsyslog_module_dir_withdeps}/omrelp.so
+%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-relp
 %endif
 %if %{with mmnormalize}
@@ -963,6 +1014,7 @@ fi
 %files module-udpspoof
 %defattr(-,root,root)
 %{rsyslog_module_dir_nodeps}/omudpspoof.so
+%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-udpspoof
 %endif
 %if %{with elasticsearch}
diff --git a/usr.sbin.rsyslogd b/usr.sbin.rsyslogd
new file mode 100644
index 0000000..87f9e04
--- /dev/null
+++ b/usr.sbin.rsyslogd
@@ -0,0 +1,45 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2014 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+
+/usr/sbin/rsyslogd {
+ #include
+ #include
+ # general networking is allowed here
+ #include
+
+ capability block_suspend,
+ capability dac_override,
+ capability sys_nice,
+ capability sys_tty_config,
+ capability syslog,
+
+ /dev/tty* w,
+ /dev/xconsole rw,
+
+ /etc/rsyslog.conf r,
+ /etc/rsyslog.d/ r,
+ /etc/rsyslog.d/* r,
+
+ /usr/lib{,32,64}/rsyslog/* mr,
+ /usr/sbin/rsyslogd mr,
+
+ /var/log/** rw,
+
+ /proc/kmsg r,
+
+ /{var/,}run/rsyslog/* r,
+ /{var/,}run/rsyslogd.pid rwk,
+ /{var/,}run/systemd/journal/syslog w,
+
+ # include rules for rsyslog-module-* packages
+ #include
+}
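Review bot: `capability dac_override,` in usr.sbin.rsyslogd has no comment explaining why it is needed, and combined with `/var/log/** rw,` it lets the confined daemon read and write any file below /var/log whatever its owner or mode. Record the access that required it, for example `# dac_override: <denial seen in the audit log during testing>`, and check whether the narrower `capability dac_read_search,` or corrected ownership of the log files would do instead. `/dev/tty* w,` likewise covers every tty device, so a comment naming the output that needs it would help the next reviewer decide whether it can be narrowed.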