diff --git a/debian/apparmor.d/usr.libexec.geoclue b/debian/apparmor.d/usr.libexec.geoclue
new file mode 100644
index 0000000000000000000000000000000000000000..871ab42329f12f6061e08d010415aa82c329a4a0
--- /dev/null
+++ b/debian/apparmor.d/usr.libexec.geoclue
@@ -0,0 +1,31 @@
+#include <tunables/global>
+
+/usr/libexec/geoclue {
+  #include <abstractions/chaiwala-base>
+  #include <abstractions/dbus-strict>
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={RequestName,ReleaseName}
+       peer=(name=org.freedesktop.DBus),
+  dbus bind bus=system name=org.freedesktop.GeoClue2,
+  dbus (send, receive) bus=system peer=(label=unconfined),
+  dbus (send, receive) bus=system peer=(label=avahi-daemon),
+
+  network netlink,
+  network inet,
+  network inet6,
+
+  /etc/gai.conf            r,
+  /etc/geoclue/            r,
+  /etc/geoclue/**          r,
+  /etc/hosts               r,
+  /etc/host.conf           r,
+  /etc/nsswitch.conf       r,
+  /etc/ssl/openssl.cnf     r,
+  /run/connman/resolv.conf r,
+
+  @{PROC}/@{pid}/cgroup    r,
+}
diff --git a/debian/geoclue-2.0.install b/debian/geoclue-2.0.install
index a0b40fec254defd6dcc1e48f978938c2d0c6dff1..cb8bd44a6aecaff2c7f6892076ee516aae28e742 100644
--- a/debian/geoclue-2.0.install
+++ b/debian/geoclue-2.0.install
@@ -1,3 +1,4 @@
+debian/apparmor.d/* /etc/apparmor.d/
 debian/local/geoclue-2.0.pkla var/lib/polkit-1/localauthority/10-vendor.d/
 debian/local/geoclue-2.0.rules usr/share/polkit-1/rules.d/
 etc/dbus-1/system.d/