Comment 7 for bug 2057937

John Johansen (jjohansen) wrote :

So it depends on what you mean by enabled. The standard check to see if apparmor is enabled is to check the kernel for its presence, and if the kernel module reports that it is enabled. This is a separate state from whether policy is loaded.

The apparmor library generally provides the check, but it can be statically linked in, or even hard coded. Systemd statically links the library, so it is only a build dependency, not a runtime one.

In the systemd case, if the module is enabled in the kernel (/sys/module/apparmor/parameters/enabled == Y) and securityfs is mounted, then apparmor is considered enabled and ready to accept policy.

As for the default policy, that will depend. Generally you are only looking at unconfined. But it is possible to load policy in early boot (either initrd, or systemd via /etc/apparmor/earlypolicy). It is even possible to compile policy into the kernel. So technically in these cases you do not actually need the apparmor userspace package installed.
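The two-part check described in the comment above (module parameter reports Y, and securityfs is mounted), kept separate from the question of whether any policy is loaded, written out as a POSIX shell script. This is an added example, not code from the bug thread, systemd or the AppArmor project; the function names, and the ability to point the functions at alternative files for offline testing, are this example's own assumptions. The default paths are the real kernel interfaces: the module parameter, the mount table, and the securityfs profiles listing (which normally needs root to read).

```shell
#!/bin/sh
# Added example: reproduce the "is AppArmor enabled?" check described in the
# comment, then separately ask "is any policy loaded?".
# Function names and the optional file arguments are this example's assumptions.

# apparmor_enabled [PARAM_FILE] [MOUNTS_FILE]
# Exit 0 if the kernel module reports enabled AND securityfs is mounted,
# 1 otherwise. Defaults to the live kernel interfaces.
apparmor_enabled() {
    param_file="${1:-/sys/module/apparmor/parameters/enabled}"
    mounts_file="${2:-/proc/self/mounts}"

    # Module present and enabled? A missing file means the module is not
    # built in or loaded at all; any value other than Y means disabled.
    [ -r "$param_file" ] || return 1
    read -r state < "$param_file" || return 1
    [ "$state" = "Y" ] || return 1

    # securityfs mounted? Field 3 of the mount table is the filesystem type.
    awk '$3 == "securityfs" { found = 1 } END { exit !found }' "$mounts_file"
}

# policy_loaded [PROFILES_FILE]
# Exit 0 if the securityfs profiles listing is non-empty (some policy is
# loaded), 1 if it is absent or empty (only unconfined), 2 if it exists but
# cannot be read (usually: not running as root, so the answer is unknown).
policy_loaded() {
    profiles_file="${1:-/sys/kernel/security/apparmor/profiles}"
    [ -e "$profiles_file" ] || return 1
    [ -r "$profiles_file" ] || return 2
    grep -q . "$profiles_file"
}

# Stand-alone run against the live system.
if apparmor_enabled; then
    echo "apparmor: enabled (module reports Y, securityfs mounted)"
    policy_loaded
    case $? in
        0) echo "policy: loaded" ;;
        1) echo "policy: none loaded (unconfined only)" ;;
        *) echo "policy: unknown (profiles listing not readable; try as root)" ;;
    esac
else
    echo "apparmor: not enabled"
fi
```

Note that `apparmor_enabled` succeeding says nothing about confinement: on a system with no userspace package and no early policy, it still reports enabled while every process runs unconfined, which is exactly the distinction the comment draws.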