diff --git a/buildroot-external/board/arm-uefi/generic-aarch64/grub.cfg b/buildroot-external/board/arm-uefi/generic-aarch64/grub.cfg
index c98b304b0..5733f4c27 100644
--- a/buildroot-external/board/arm-uefi/generic-aarch64/grub.cfg
+++ b/buildroot-external/board/arm-uefi/generic-aarch64/grub.cfg
@@ -56,7 +56,7 @@ fi
 
 save_env A_TRY A_OK B_TRY B_OK ORDER MACHINE_ID
 
-default_cmdline="rootwait zram.enabled=1 zram.num_devices=3 apparmor=1 security=apparmor net.naming-scheme=v250 systemd.machine_id=$MACHINE_ID fsck.repair=yes"
+default_cmdline="rootwait zram.enabled=1 zram.num_devices=3 net.naming-scheme=v250 systemd.machine_id=$MACHINE_ID fsck.repair=yes"
 file_env -f ($root)/cmdline.txt cmdline
 
 # root is a full HDD/partition definition in GRUB format like hd0,gpt1
diff --git a/buildroot-external/board/asus/tinker/uboot-boot.ush b/buildroot-external/board/asus/tinker/uboot-boot.ush
index 25de19f01..7de8871d9 100644
--- a/buildroot-external/board/asus/tinker/uboot-boot.ush
+++ b/buildroot-external/board/asus/tinker/uboot-boot.ush
@@ -17,7 +17,7 @@ test -n "${BOOT_A_LEFT}" || setenv BOOT_A_LEFT 3
 test -n "${BOOT_B_LEFT}" || setenv BOOT_B_LEFT 3
 
 # HassOS bootargs
-setenv bootargs_hassos "zram.enabled=1 zram.num_devices=3 apparmor=1 security=apparmor net.naming-scheme=v250 systemd.machine_id=${MACHINE_ID} fsck.repair=yes"
+setenv bootargs_hassos "zram.enabled=1 zram.num_devices=3 net.naming-scheme=v250 systemd.machine_id=${MACHINE_ID} fsck.repair=yes"
 
 # HassOS system A/B
 setenv bootargs_a "root=PARTUUID=8d3d53e3-6d49-4c38-8349-aff6859e82fd rootfstype=squashfs ro rootwait"
diff --git a/buildroot-external/board/hardkernel/odroid-c2/uboot-boot.ush b/buildroot-external/board/hardkernel/odroid-c2/uboot-boot.ush
index caf8e8e0b..886a888b6 100644
--- a/buildroot-external/board/hardkernel/odroid-c2/uboot-boot.ush
+++ b/buildroot-external/board/hardkernel/odroid-c2/uboot-boot.ush
@@ -19,7 +19,7 @@ test -n "${BOOT_A_LEFT}" || setenv BOOT_A_LEFT 3
 test -n "${BOOT_B_LEFT}" || setenv BOOT_B_LEFT 3
 
 # HassOS bootargs
-setenv bootargs_hassos "zram.enabled=1 zram.num_devices=3 apparmor=1 security=apparmor net.naming-scheme=v250 systemd.machine_id=${MACHINE_ID} fsck.repair=yes"
+setenv bootargs_hassos "zram.enabled=1 zram.num_devices=3 net.naming-scheme=v250 systemd.machine_id=${MACHINE_ID} fsck.repair=yes"
 
 # HassOS system A/B
 setenv bootargs_a "root=PARTUUID=48617373-06 rootfstype=squashfs ro rootwait"
diff --git a/buildroot-external/board/hardkernel/odroid-c4/uboot-boot.ush b/buildroot-external/board/hardkernel/odroid-c4/uboot-boot.ush
index 06be33502..37280feac 100644
--- a/buildroot-external/board/hardkernel/odroid-c4/uboot-boot.ush
+++ b/buildroot-external/board/hardkernel/odroid-c4/uboot-boot.ush
@@ -19,7 +19,7 @@ test -n "${BOOT_A_LEFT}" || setenv BOOT_A_LEFT 3
 test -n "${BOOT_B_LEFT}" || setenv BOOT_B_LEFT 3
 
 # HassOS bootargs
-setenv bootargs_hassos "zram.enabled=1 zram.num_devices=3 apparmor=1 security=apparmor net.naming-scheme=v250 systemd.machine_id=${MACHINE_ID} clk_ignore_unused usb-storage.quirks=0x2537:0x1066:u,0x2537:0x1068:u"
+setenv bootargs_hassos "zram.enabled=1 zram.num_devices=3 net.naming-scheme=v250 systemd.machine_id=${MACHINE_ID} clk_ignore_unused usb-storage.quirks=0x2537:0x1066:u,0x2537:0x1068:u"
 
 # HassOS system A/B
 setenv bootargs_a "root=PARTUUID=48617373-06 rootfstype=squashfs ro rootwait"
diff --git a/buildroot-external/board/hardkernel/odroid-m1/uboot-boot.ush b/buildroot-external/board/hardkernel/odroid-m1/uboot-boot.ush
index 8e6a75b50..e4a130e92 100644
--- a/buildroot-external/board/hardkernel/odroid-m1/uboot-boot.ush
+++ b/buildroot-external/board/hardkernel/odroid-m1/uboot-boot.ush
@@ -17,7 +17,7 @@ test -n "${BOOT_A_LEFT}" || setenv BOOT_A_LEFT 3
 test -n "${BOOT_B_LEFT}" || setenv BOOT_B_LEFT 3
 
 # HassOS bootargs
-setenv bootargs_hassos "zram.enabled=1 zram.num_devices=3 apparmor=1 security=apparmor net.naming-scheme=v250 systemd.machine_id=${MACHINE_ID} fsck.repair=yes"
+setenv bootargs_hassos "zram.enabled=1 zram.num_devices=3 net.naming-scheme=v250 systemd.machine_id=${MACHINE_ID} fsck.repair=yes"
 
 # HassOS system A/B
 setenv bootargs_a "root=PARTUUID=8d3d53e3-6d49-4c38-8349-aff6859e82fd rootfstype=squashfs ro rootwait"
diff --git a/buildroot-external/board/hardkernel/odroid-n2/uboot-boot.ush b/buildroot-external/board/hardkernel/odroid-n2/uboot-boot.ush
index 889ac727e..6549772c4 100644
--- a/buildroot-external/board/hardkernel/odroid-n2/uboot-boot.ush
+++ b/buildroot-external/board/hardkernel/odroid-n2/uboot-boot.ush
@@ -19,7 +19,7 @@ test -n "${BOOT_A_LEFT}" || setenv BOOT_A_LEFT 3
 test -n "${BOOT_B_LEFT}" || setenv BOOT_B_LEFT 3
 
 # HassOS bootargs
-setenv bootargs_hassos "zram.enabled=1 zram.num_devices=3 apparmor=1 security=apparmor net.naming-scheme=v250 systemd.machine_id=${MACHINE_ID} fsck.repair=yes"
+setenv bootargs_hassos "zram.enabled=1 zram.num_devices=3 net.naming-scheme=v250 systemd.machine_id=${MACHINE_ID} fsck.repair=yes"
 
 # HassOS system A/B
 setenv bootargs_a "root=PARTUUID=48617373-06 rootfstype=squashfs ro rootwait"
diff --git a/buildroot-external/board/hardkernel/odroid-xu4/uboot-boot.ush b/buildroot-external/board/hardkernel/odroid-xu4/uboot-boot.ush
index 67f560f2e..99ad60f06 100644
--- a/buildroot-external/board/hardkernel/odroid-xu4/uboot-boot.ush
+++ b/buildroot-external/board/hardkernel/odroid-xu4/uboot-boot.ush
@@ -21,7 +21,7 @@ test -n "${BOOT_A_LEFT}" || setenv BOOT_A_LEFT 3
 test -n "${BOOT_B_LEFT}" || setenv BOOT_B_LEFT 3
 
 # HassOS bootargs
-setenv bootargs_hassos "zram.enabled=1 zram.num_devices=3 apparmor=1 security=apparmor net.naming-scheme=v250 systemd.machine_id=${MACHINE_ID} fsck.repair=yes"
+setenv bootargs_hassos "zram.enabled=1 zram.num_devices=3 net.naming-scheme=v250 systemd.machine_id=${MACHINE_ID} fsck.repair=yes"
 
 # HassOS system A/B
 setenv bootargs_a "root=PARTUUID=48617373-06 rootfstype=squashfs ro rootwait"
diff --git a/buildroot-external/board/khadas/vim3/uboot-boot.ush b/buildroot-external/board/khadas/vim3/uboot-boot.ush
index 74cdcb9b9..345c9f76c 100644
--- a/buildroot-external/board/khadas/vim3/uboot-boot.ush
+++ b/buildroot-external/board/khadas/vim3/uboot-boot.ush
@@ -19,7 +19,7 @@ test -n "${BOOT_A_LEFT}" || setenv BOOT_A_LEFT 3
 test -n "${BOOT_B_LEFT}" || setenv BOOT_B_LEFT 3
 
 # HassOS bootargs
-setenv bootargs_hassos "zram.enabled=1 zram.num_devices=3 apparmor=1 security=apparmor net.naming-scheme=v250 systemd.machine_id=${MACHINE_ID} fsck.repair=yes"
+setenv bootargs_hassos "zram.enabled=1 zram.num_devices=3 net.naming-scheme=v250 systemd.machine_id=${MACHINE_ID} fsck.repair=yes"
 
 # HassOS system A/B
 setenv bootargs_a "root=PARTUUID=48617373-06 rootfstype=squashfs ro rootwait"
diff --git a/buildroot-external/board/pc/grub.cfg b/buildroot-external/board/pc/grub.cfg
index 8fe951503..eef33c5d4 100644
--- a/buildroot-external/board/pc/grub.cfg
+++ b/buildroot-external/board/pc/grub.cfg
@@ -56,7 +56,7 @@ fi
 
 save_env A_TRY A_OK B_TRY B_OK ORDER MACHINE_ID
 
-default_cmdline="rootwait zram.enabled=1 zram.num_devices=3 apparmor=1 security=apparmor net.naming-scheme=v250 systemd.machine_id=$MACHINE_ID fsck.repair=yes"
+default_cmdline="rootwait zram.enabled=1 zram.num_devices=3 net.naming-scheme=v250 systemd.machine_id=$MACHINE_ID fsck.repair=yes"
 file_env -f ($root)/cmdline.txt cmdline
 
 # root is a full HDD/partition definition in GRUB format like hd0,gpt1
diff --git a/buildroot-external/board/raspberrypi/uboot-boot.ush b/buildroot-external/board/raspberrypi/uboot-boot.ush
index a35b2189b..b56741b5f 100644
--- a/buildroot-external/board/raspberrypi/uboot-boot.ush
+++ b/buildroot-external/board/raspberrypi/uboot-boot.ush
@@ -18,7 +18,7 @@ test -n "${BOOT_A_LEFT}" || setenv BOOT_A_LEFT 3
 test -n "${BOOT_B_LEFT}" || setenv BOOT_B_LEFT 3
 
 # HassOS bootargs
-setenv bootargs_hassos "zram.enabled=1 zram.num_devices=3 apparmor=1 security=apparmor rootwait net.naming-scheme=v250 systemd.machine_id=${MACHINE_ID} cgroup_enable=memory fsck.repair=yes"
+setenv bootargs_hassos "zram.enabled=1 zram.num_devices=3 rootwait net.naming-scheme=v250 systemd.machine_id=${MACHINE_ID} cgroup_enable=memory fsck.repair=yes"
 
 # HassOS system A/B
 setenv bootargs_a "root=PARTUUID=8d3d53e3-6d49-4c38-8349-aff6859e82fd rootfstype=squashfs ro"
diff --git a/buildroot-external/board/raspberrypi/uboot-boot64.ush b/buildroot-external/board/raspberrypi/uboot-boot64.ush
index dd10b1d40..84515b2bf 100644
--- a/buildroot-external/board/raspberrypi/uboot-boot64.ush
+++ b/buildroot-external/board/raspberrypi/uboot-boot64.ush
@@ -18,7 +18,7 @@ test -n "${BOOT_A_LEFT}" || setenv BOOT_A_LEFT 3
 test -n "${BOOT_B_LEFT}" || setenv BOOT_B_LEFT 3
 
 # HassOS bootargs
-setenv bootargs_hassos "zram.enabled=1 zram.num_devices=3 apparmor=1 security=apparmor rootwait net.naming-scheme=v250 systemd.machine_id=${MACHINE_ID} cgroup_enable=memory fsck.repair=yes"
+setenv bootargs_hassos "zram.enabled=1 zram.num_devices=3 rootwait net.naming-scheme=v250 systemd.machine_id=${MACHINE_ID} cgroup_enable=memory fsck.repair=yes"
 
 # HassOS system A/B
 setenv bootargs_a "root=PARTUUID=8d3d53e3-6d49-4c38-8349-aff6859e82fd rootfstype=squashfs ro"
diff --git a/buildroot-external/board/raspberrypi/yellow/uboot-boot64.ush b/buildroot-external/board/raspberrypi/yellow/uboot-boot64.ush
index 90d70e88e..0230a731a 100644
--- a/buildroot-external/board/raspberrypi/yellow/uboot-boot64.ush
+++ b/buildroot-external/board/raspberrypi/yellow/uboot-boot64.ush
@@ -18,7 +18,7 @@ test -n "${BOOT_A_LEFT}" || setenv BOOT_A_LEFT 3
 test -n "${BOOT_B_LEFT}" || setenv BOOT_B_LEFT 3
 
 # HassOS bootargs
-setenv bootargs_hassos "zram.enabled=1 zram.num_devices=3 apparmor=1 security=apparmor rootwait net.naming-scheme=v250 systemd.machine_id=${MACHINE_ID} cgroup_enable=memory fsck.repair=yes"
+setenv bootargs_hassos "zram.enabled=1 zram.num_devices=3 rootwait net.naming-scheme=v250 systemd.machine_id=${MACHINE_ID} cgroup_enable=memory fsck.repair=yes"
 
 # Red Button pressed?
 if gpio input GPIO27; then
diff --git a/buildroot-external/kernel/hassos.config b/buildroot-external/kernel/hassos.config
index 09e59a11c..31e076ef7 100644
--- a/buildroot-external/kernel/hassos.config
+++ b/buildroot-external/kernel/hassos.config
@@ -31,6 +31,8 @@ CONFIG_SECCOMP_FILTER=y
 CONFIG_AUDIT=y
 CONFIG_SECURITY=y
 CONFIG_SECURITY_APPARMOR=y
+# CONFIG_SECURITY_SELINUX is not set
+CONFIG_LSM="apparmor"
 
 CONFIG_CRYPTO=y
 CONFIG_CRYPTO_LZ4=y