diff --git a/docker.changes b/docker.changes
index 786cb18..e09bab6 100644
--- a/docker.changes
+++ b/docker.changes
@@ -31,6 +31,8 @@ https://github.com/docker/docker/blob/590d5108bbdaabb05af590f76c9757daceb6d02e/C
       Thus, we need to workaround the workaround in tumbleweed
     netlink_gcc_go.patch: add constants for syscalls TUNSETIFF and TUNSETPERSIST to fix a gcc issue.
       This is a workaround for bnc#964468: gcc-go can no longer compile Docker.
+    fix-apparmor.patch: fix https://github.com/docker/docker/issues/20269 . It affects SLE12 which has apparmor
+      version 2.8 and not openSUSE which has version 2.9.
 
 - reviewed patches:
     ignore-dockerinit-checksum.patch: review context in patch
diff --git a/docker.spec b/docker.spec
index 1ebb846..2593d7f 100644
--- a/docker.spec
+++ b/docker.spec
@@ -44,6 +44,7 @@ Source100:      sysconfig.docker.ppc64le
 Patch0:         fix_platform_type_arm.patch
 Patch1:         gcc5_socket_workaround.patch
 Patch2:         fix-docker-init.patch
+Patch3:         fix-apparmor.patch
 # Required to overcome some limitations of gcc-go: https://groups.google.com/forum/#!msg/golang-nuts/SlGCPYkjxo4/4DjcjXRCqAkJ
 # Right now docker passes the sha1sum of the dockerinit binary to the docker binary at build time
 # We cannot do that, right now a quick and really dirty way to get it running is
@@ -157,6 +158,7 @@ Test package for docker. It contains the source code and the tests.
 %patch1 -p1
 %endif
 %patch2 -p1
+%patch3 -p1
 %ifnarch %go_arches
 %patch101 -p1
 %patch108 -p1
diff --git a/fix-apparmor.patch b/fix-apparmor.patch
new file mode 100644
index 0000000..d3cc839
--- /dev/null
+++ b/fix-apparmor.patch
@@ -0,0 +1,110 @@
+diff --git a/contrib/apparmor/main.go b/contrib/apparmor/main.go
+index 25f6e8c..2b15e1d 100644
+--- a/contrib/apparmor/main.go
++++ b/contrib/apparmor/main.go
+@@ -13,6 +13,7 @@ import (
+ type profileData struct {
+ 	MajorVersion int
+ 	MinorVersion int
++	PatchLevel   int
+ }
+ 
+ func main() {
+@@ -23,13 +24,14 @@ func main() {
+ 	// parse the arg
+ 	apparmorProfilePath := os.Args[1]
+ 
+-	majorVersion, minorVersion, err := aaparser.GetVersion()
++	majorVersion, minorVersion, patchLevel, err := aaparser.GetVersion()
+ 	if err != nil {
+ 		log.Fatal(err)
+ 	}
+ 	data := profileData{
+ 		MajorVersion: majorVersion,
+ 		MinorVersion: minorVersion,
++		PatchLevel:   patchLevel,
+ 	}
+ 	fmt.Printf("apparmor_parser is of version %+v\n", data)
+ 
+diff --git a/daemon/execdriver/native/apparmor.go b/daemon/execdriver/native/apparmor.go
+index 5bbfef6..33859fd 100644
+--- a/daemon/execdriver/native/apparmor.go
++++ b/daemon/execdriver/native/apparmor.go
+@@ -27,6 +27,7 @@ type data struct {
+ 	InnerImports []string
+ 	MajorVersion int
+ 	MinorVersion int
++	PatchLevel   int
+ }
+ 
+ const baseTemplate = `
+@@ -64,10 +65,13 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+   deny /sys/firmware/efi/efivars/** rwklx,
+   deny /sys/kernel/security/** rwklx,
+ 
+-{{if ge .MajorVersion 2}}{{if ge .MinorVersion 8}}
++{{if ge .MajorVersion 2}}{{if ge .MinorVersion 8}}{{if ge .PatchLevel 95}}
++  # apparmor-2.8.95 is Ubuntu 14.04 LTS (Trusty Tahr)
++	# apparmor-2.8.95 is apparmor-2.9 beta, which supports ptrace rule
++	# other apparmor-2.8 versions do not support this rule
+   # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+   ptrace (trace,read) peer=docker-default,
+-{{end}}{{end}}
++{{end}}{{end}}{{end}}
+ {{if ge .MajorVersion 2}}{{if ge .MinorVersion 9}}
+   # docker daemon confinement requires explict allow rule for signal
+   signal (receive) set=(kill,term) peer={{.ExecPath}},
+@@ -91,7 +95,7 @@ func generateProfile(out io.Writer) error {
+ 	if abstractionsExists() {
+ 		data.InnerImports = append(data.InnerImports, "#include <abstractions/base>")
+ 	}
+-	data.MajorVersion, data.MinorVersion, err = aaparser.GetVersion()
++	data.MajorVersion, data.MinorVersion, data.PatchLevel, err = aaparser.GetVersion()
+ 	if err != nil {
+ 		return err
+ 	}
+diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go
+index 23dda99..a2f2f58 100644
+--- a/pkg/aaparser/aaparser.go
++++ b/pkg/aaparser/aaparser.go
+@@ -8,8 +8,8 @@ import (
+ 	"strings"
+ )
+ 
+-// GetVersion returns the major and minor version of apparmor_parser
+-func GetVersion() (int, int, error) {
++// GetVersion returns the major, minor and patch level version of apparmor_parser
++func GetVersion() (int, int, int, error) {
+ 	// get the apparmor_version version
+ 	cmd := exec.Command("apparmor_parser", "--version")
+ 
+@@ -29,17 +29,25 @@ func GetVersion() (int, int, error) {
+ 	// split by major minor version
+ 	v := strings.Split(version, ".")
+ 	if len(v) < 2 {
+-		return -1, -1, fmt.Errorf("parsing major minor version failed for %q", version)
++		return -1, -1, -1, fmt.Errorf("parsing major minor and patch level version failed for %q", version)
+ 	}
+ 
+ 	majorVersion, err := strconv.Atoi(v[0])
+ 	if err != nil {
+-		return -1, -1, err
++		return -1, -1, -1, err
+ 	}
+ 	minorVersion, err := strconv.Atoi(v[1])
+ 	if err != nil {
+-		return -1, -1, err
++		return -1, -1, -1, err
+ 	}
+ 
+-	return majorVersion, minorVersion, nil
++	patchLevel := 0
++
++	if len(v) == 3 {
++		patchLevel, err = strconv.Atoi(v[2])
++		if err != nil {
++			return -1, -1, -1, err
++		}
++	}
++	return majorVersion, minorVersion, patchLevel, nil
+ }