Make stop/disable of apparmor work on all SLE systems

The existing code to disable apparmor on SUSE systems only worked for
recent openSUSE / SLE releases.  On SLE12 (at least), aa-enabled and
aa-teardown are not available, so instead use systemd's interface for
stop/disable.  However on newer releases, systemctl stop apparmor is a
no-op:

    https://www.suse.com/releasenotes/x86_64/SUSE-SLES/15/#fate-325343
    https://gitlab.com/apparmor/apparmor/merge_requests/81
    https://build.opensuse.org/package/view_file/openSUSE:Leap:15.2/apparmor/apparmor.service?expand=1

So we still need to call aa-teardown if it's available.

Change-Id: I8d99c8d743cc1935324e2e4fcb67efaa5241199e

tools/fixup_stuff.sh

@@ -230,12 +230,24 @@ function fixup_suse {
         return
     fi
 
-    # Disable apparmor profiles in openSUSE distros
-    # to avoid issues with haproxy and dnsmasq
-    if [ -x /usr/sbin/aa-enabled ] && sudo /usr/sbin/aa-enabled -q; then
-        sudo systemctl disable apparmor
+    # Deactivate and disable apparmor profiles in openSUSE and SLE
+    # distros to avoid issues with haproxy and dnsmasq.  In newer
+    # releases, systemctl stop apparmor is actually a no-op, so we
+    # have to use aa-teardown to make sure we've deactivated the
+    # profiles:
+    #
+    # https://www.suse.com/releasenotes/x86_64/SUSE-SLES/15/#fate-325343
+    # https://gitlab.com/apparmor/apparmor/merge_requests/81
+    # https://build.opensuse.org/package/view_file/openSUSE:Leap:15.2/apparmor/apparmor.service?expand=1
+    if sudo systemctl is-active -q apparmor; then
+        sudo systemctl stop apparmor
+    fi
+    if [ -x /usr/sbin/aa-teardown ]; then
         sudo /usr/sbin/aa-teardown
     fi
+    if sudo systemctl is-enabled -q apparmor; then
+        sudo systemctl disable apparmor
+    fi
 
     # Since pip10, pip will refuse to uninstall files from packages
     # that were created with distutils (rather than more modern