tasks: lxc_install_zypper: Relax apparmor restrictions for dnsmasq

The default apparmor profile does not allow dnsmasq to read from
/etc/neutron or /var/log/neutron as we see from the following entry
in the audit.log file:

type=AVC msg=audit(1500476274.931:179617): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq"
name="/etc/neutron/dnsmasq-neutron.conf" pid=27503 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

However, having such access is essential for neutron to work otherwise
dnsmasq fails to start and the VMs have all sorts of network problems.
As such, we create a local profile with the neutron allowances.

Change-Id: I11b1c777fc738f319e0d1c875390522468504050

tasks/lxc_install_zypper.yml

@@ -24,6 +24,23 @@
   tags:
     - lxc-packages
 
+# NOTE(hwoarang) default dnsmasq profile is too restrictive so we
+# need to adjust it for neutron.
+- name: Relax dnsmasq apparmor profile
+  blockinfile:
+    path: "/etc/apparmor.d/local/usr.sbin.dnsmasq"
+    block: |-
+      /etc/neutron/* r,
+      /var/log/neutron/* rw,
+    marker: "# {mark} ANSIBLE MANAGED BLOCK"
+  notify:
+    - Start apparmor
+    - Reload apparmor
+  tags:
+    - lxc-files
+    - lxc-apparmor
+    - lxc_hosts-config
+
 - name: Drop lxc-openstack apparmor profile
   template:
     src: "lxc-openstack.apparmor.j2"