OpenNebula / one

The open source Cloud & Edge Computing Platform bringing real freedom to your Enterprise Cloud 🚀
http://opennebula.io
Apache License 2.0
1.19k stars, 472 forks

Fix apparmor rule for datastores path #6584

Open mkutouski opened 1 month ago

mkutouski commented 1 month ago

Description

The OpenNebula document states that an AppArmor rule for the /var/lib/one/datastores dir should be in the /etc/apparmor.d/abstractions/libvirt-qemu file, whereas according to the information in the Profile customisation paragraph in the AppArmor documentation the proper place for AppArmor profile customization is /etc/apparmor.d/local/, i.e. in the case of libvirt-qemu it is /etc/apparmor.d/local/abstractions/libvirt-qemu. The reasons for that are listed in the referenced AppArmor document and quoted below:

Profiles are meant to provide security and so can’t be too permissive. But often, a very special setup would work with a profile if it would just allow this one extra access. To handle that situation, there are three options:

  • Modify the profile itself: Always works, but has the drawback that profiles are in /etc and considered conffiles. So after modification, on a related package update you might get a conffile prompt. Worst case, depending on configuration, automatic updates might even override it and your custom rule is gone.
  • Use tunables: These provide variables that can be used in templates, for example if you want a custom dir considered as it would be a home directory. You could modify /etc/apparmor.d/tunables/home, which defines the base path rules used for home directories. By design, these variables will only influence profiles that use them.
  • Modify a local override: To mitigate the drawbacks of the above approaches, local includes were introduced, adding the ability to write arbitrary rules that do not run into issues during upgrades that modify the packaged rule. The files can be found in /etc/apparmor.d/local/ and exist for the packages that are known to sometimes need slight tweaks for special setups.

Progress Status
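As an added example (not part of this PR or of OpenNebula's own code), a POSIX shell script that places the datastores rule in the local override the PR argues for and first checks that the packaged abstraction actually pulls that override in, since a local file that nothing includes is silently ignored. The rule text, the include syntax and the APPARMOR_ROOT variable are assumptions of this example (the rule follows the OpenNebula KVM node docs; the include forms are those libvirt and AppArmor ship), so adjust them to match your host.

```shell
#!/bin/sh
# Constructed example: install the OpenNebula datastores rule into the AppArmor
# local override for the libvirt-qemu abstraction instead of editing the
# packaged abstraction, and verify the packaged file includes that override.
#
# ASSUMPTIONS (not taken from the PR): the rule below follows the OpenNebula
# KVM docs; APPARMOR_ROOT exists only so the script can be exercised in a
# scratch directory instead of /etc/apparmor.d.
APPARMOR_ROOT="${APPARMOR_ROOT:-/etc/apparmor.d}"
ONE_RULE="/var/lib/one/datastores/** rwk,"

# Return 0 when the packaged abstraction includes the local override, using
# any of the forms AppArmor accepts: "#include <...>", "include <...>" or
# "include if exists <...>". Without such a line the override never loads.
abstraction_has_local_include() {
    abstraction="$APPARMOR_ROOT/abstractions/libvirt-qemu"
    [ -r "$abstraction" ] || return 1
    grep -Eq '^[[:space:]]*#?include[[:space:]]+(if[[:space:]]+exists[[:space:]]+)?<local/abstractions/libvirt-qemu>' \
        "$abstraction"
}

# Append the datastores rule to the local override; idempotent, so re-running
# a provisioning step does not duplicate the line.
install_datastores_rule() {
    override="$APPARMOR_ROOT/local/abstractions/libvirt-qemu"
    mkdir -p "$(dirname "$override")"
    touch "$override"
    grep -qxF "  $ONE_RULE" "$override" || printf '  %s\n' "$ONE_RULE" >> "$override"
}

# Number of times the rule appears in the override file (expected: exactly 1).
datastores_rule_count() {
    grep -cxF "  $ONE_RULE" "$APPARMOR_ROOT/local/abstractions/libvirt-qemu"
}
```

Profiles that include the abstraction still have to be reloaded (apparmor_parser -r) before the new rule takes effect.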