diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
index f29e7a5ad818..92f020edce56 100644
--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@@ -1,43 +1,61 @@
 { config, lib, pkgs, ... }:
 
-with lib;
-
 let
+  inherit (lib) mkIf mkOption types concatMapStrings;
   cfg = config.security.apparmor;
 in
+
 {
-  options = {
-    security.apparmor = {
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = "Enable the AppArmor Mandatory Access Control system.";
-      };
+   #### interface
+   options = {
 
-      profiles = mkOption {
-        type = types.listOf types.path;
-        default = [];
-        description = "List of files containing AppArmor profiles.";
-      };
-    };
-  };
+     security.apparmor = {
 
-  config = mkIf cfg.enable {
-    environment.systemPackages = [ pkgs.apparmor ];
-    systemd.services.apparmor = {
-      wantedBy = [ "local-fs.target" ];
-      path     = [ pkgs.apparmor ];
+       enable = mkOption {
+         type = types.bool;
+         default = false;
+         description = "Enable the AppArmor Mandatory Access Control system.";
+       };
 
-      serviceConfig = {
-        Type = "oneshot";
-        RemainAfterExit = "yes";
-        ExecStart = concatMapStrings (profile:
-          ''${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
-        ) cfg.profiles;
-        ExecStop = concatMapStrings (profile:
-          ''${pkgs.apparmor}/sbin/apparmor_parser -Rv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
-        ) cfg.profiles;
-      };
-    };
-  };
+       profiles = mkOption {
+         type = types.listOf types.path;
+         default = [];
+         description = "List of files containing AppArmor profiles.";
+       };
+
+     };
+
+   };
+
+   #### implementation
+   config = mkIf cfg.enable {
+
+     environment.systemPackages = [
+       pkgs.apparmor-utils
+     ];
+
+     systemd.services.apparmor = {
+       wantedBy = [ "local-fs.target" ];
+
+       serviceConfig = {
+         Type = "oneshot";
+         RemainAfterExit = "yes";
+         ExecStart = concatMapStrings (p:
+           ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv -I ${pkgs.apparmor-profiles}/etc/apparmor.d "${p}" ; ''
+         ) cfg.profiles;
+         ExecStop = concatMapStrings (p:
+           ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}" ; ''
+         ) cfg.profiles;
+       };
+     };
+
+     security.pam.services.apparmor.text = ''
+       ## The AppArmor service changes hats according to order: first try
+       ## user, then group, and finally fall back to a hat called "DEFAULT"
+       ##
+       ## For now, enable debugging as this is an experimental feature.
+       session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug
+     '';
+
+   };
 }
diff --git a/pkgs/os-specific/linux/apparmor/2.9/default.nix b/pkgs/os-specific/linux/apparmor/2.9/default.nix
new file mode 100644
index 000000000000..a8d8b2a9e1ce
--- /dev/null
+++ b/pkgs/os-specific/linux/apparmor/2.9/default.nix
@@ -0,0 +1,196 @@
+{ stdenv, fetchurl, autoconf, automake, libtool, pkgconfig, perl, which
+, glibc, flex, bison, python27, swig, dbus, pam
+}:
+
+let
+  apparmor-series = "2.9";
+  apparmor-patchver = "1";
+  apparmor-version = "${apparmor-series}.${apparmor-patchver}";
+
+  apparmor-meta = component: with stdenv.lib; {
+      homepage = http://apparmor.net/;
+      description = "Linux application security system - ${component}";
+      license = licenses.gpl2;
+      maintainers = with maintainers; [ phreedom thoughtpolice joachifm ];
+      platforms = platforms.linux;
+  };
+
+  apparmor-sources = fetchurl {
+    url = "https://launchpad.net/apparmor/${apparmor-series}/${apparmor-version}/+download/apparmor-${apparmor-version}.tar.gz";
+    sha256 = "a63b8724c36c29ed438c9e3ca403bfeeb6c998a45990e300aa1b10faa23a0a22";
+  };
+
+  libapparmor = stdenv.mkDerivation {
+    name = "libapparmor-${apparmor-version}";
+    src = apparmor-sources;
+
+    buildInputs = [
+      autoconf
+      automake
+      bison
+      flex
+      dbus # requires patch to dbus ...
+      glibc
+      libtool
+      perl
+      pkgconfig
+      python27
+      swig
+      which
+    ];
+
+    prePatch = ''
+      ### common
+      substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2man" "${perl}/bin/pod2man"
+      substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2html" "${perl}/bin/pod2html"
+      substituteInPlace ./common/Make.rules --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
+
+      ### libapparmor
+      substituteInPlace ./libraries/libapparmor/src/Makefile.am --replace "/usr/include/netinet/in.h" "${glibc}/include/netinet/in.h"
+      substituteInPlace ./libraries/libapparmor/src/Makefile.in --replace "/usr/include/netinet/in.h" "${glibc}/include/netinet/in.h"
+      '';
+
+    buildPhase = ''
+      ### libapparmor
+      cd ./libraries/libapparmor
+      ./autogen.sh
+      ./configure --prefix="$out" --with-python
+      make
+      '';
+
+    installPhase = ''
+      make install
+    '';
+
+    meta = apparmor-meta "library";
+  };
+
+  apparmor-utils = stdenv.mkDerivation {
+    name = "apparmor-utils-${apparmor-version}";
+    src = apparmor-sources;
+
+    buildInputs = [
+      python27
+      libapparmor
+      which
+    ];
+
+    prePatch = ''
+      ### common
+      substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2man" "${perl}/bin/pod2man"
+      substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2html" "${perl}/bin/pod2html"
+      substituteInPlace ./common/Make.rules --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
+    '';
+
+    buildPhase = ''
+      cd ./utils
+      make LANGS=""
+    '';
+
+    installPhase = ''
+      make install LANGS="" DESTDIR="$out" BINDIR="$out/bin"
+    '';
+
+    meta = apparmor-meta "user-land utilities";
+  };
+
+  apparmor-parser = stdenv.mkDerivation {
+    name = "apparmor-parser-${apparmor-version}";
+    src = apparmor-sources;
+
+    buildInputs = [
+      libapparmor
+      bison
+      flex
+      which
+    ];
+
+    prePatch = ''
+      ### common
+      substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2man" "${perl}/bin/pod2man"
+      substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2html" "${perl}/bin/pod2html"
+      substituteInPlace ./common/Make.rules --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
+
+      ### apparmor-parser
+      substituteInPlace ./parser/Makefile --replace "/usr/bin/bison" "${bison}/bin/bison"
+      substituteInPlace ./parser/Makefile --replace "/usr/bin/flex" "${flex}/bin/flex"
+      substituteInPlace ./parser/Makefile --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
+      ## techdoc.pdf still doesn't build ...
+      substituteInPlace ./parser/Makefile --replace "manpages htmlmanpages pdf" "manpages htmlmanpages"
+    '';
+
+    buildPhase = ''
+      cd ./parser
+      make LANGS="" USE_SYSTEM=1 INCLUDEDIR=${libapparmor}/include
+    '';
+
+    installPhase = ''
+      make install LANGS="" USE_SYSTEM=1 INCLUDEDIR=${libapparmor}/include DESTDIR="$out" DISTRO="unknown"
+    '';
+
+    meta = apparmor-meta "rule parser";
+  };
+
+  apparmor-pam = stdenv.mkDerivation {
+    name = "apparmor-pam-${apparmor-version}";
+    src = apparmor-sources;
+
+    buildInputs = [
+      libapparmor
+      pam
+      pkgconfig
+      which
+    ];
+
+    buildPhase = ''
+      cd ./changehat/pam_apparmor
+      make USE_SYSTEM=1
+    '';
+
+    installPhase = ''
+      make install DESTDIR="$out"
+    '';
+
+    meta = apparmor-meta "PAM service";
+  };
+
+  apparmor-profiles = stdenv.mkDerivation {
+    name = "apparmor-profiles-${apparmor-version}";
+    src = apparmor-sources;
+
+    buildInputs = [
+      which
+    ];
+
+    buildPhase = ''
+      cd ./profiles
+      make
+    '';
+
+    installPhase = ''
+      make install DESTDIR="$out"
+    '';
+
+    meta = apparmor-meta "profiles";
+  };
+
+  apparmor-kernel-patches = stdenv.mkDerivation {
+    name = "apparmor-kernel-patches-${apparmor-version}";
+    src = apparmor-sources;
+
+    phases = ''unpackPhase installPhase'';
+
+    installPhase = ''
+      mkdir "$out"
+      cp -R ./kernel-patches "$out"
+    '';
+
+    meta = apparmor-meta "kernel patches";
+  };
+
+in
+
+{
+  inherit libapparmor apparmor-utils apparmor-parser apparmor-pam
+  apparmor-profiles apparmor-kernel-patches;
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 8180ebd7097f..2170fe62c935 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -8561,6 +8561,13 @@ let
     perl = perl516; # ${perl}/.../CORE/handy.h:124:34: error: 'bool' undeclared
   };
 
+  apparmor_2_9 = callPackage ../os-specific/linux/apparmor/2.9 { };
+  libapparmor = apparmor_2_9.libapparmor;
+  apparmor-pam = apparmor_2_9.apparmor-pam;
+  apparmor-parser = apparmor_2_9.apparmor-parser;
+  apparmor-profiles = apparmor_2_9.apparmor-profiles;
+  apparmor-utils = apparmor_2_9.apparmor-utils;
+
   atop = callPackage ../os-specific/linux/atop { };
 
   audit = callPackage ../os-specific/linux/audit { };