AppArmor profile improvements for Fibre Channel

Add various AppArmor rules required to support FibreChannel disk
attachments, specifically tested against the HP 3Par driver but should
work generically.

/dev/sd* is required as nova code checks if the device is readable
(os-brick/os_brick/initiator/connectors/base.py:check_valid_device)

Change-Id: I943fa27e033884d9ab88a510424debc15e27c207

templates/usr.bin.nova-compute

@@ -32,6 +32,7 @@
   /dev/nbd* rw,
   /dev/tty rw,
   /dev/pts/* r,
+  /dev/sd* r,
   /etc/default/locale r,
   /etc/environment r,
   /etc/iscsi/initiatorname.iscsi r,
@@ -56,6 +57,7 @@
   /run/lock/nova/nova-iptables wk,
   /run/lock/qemu-nbd-nbd* w,
   /run/openvswitch/db.sock rw,
+  /sbin/blockdev rix,
   /sbin/brctl rix,
   /sbin/ldconfig rix,
   /sbin/ldconfig.real rix,
@@ -64,14 +66,19 @@
   /sbin/hdparm rix,
   /sbin/xtables-multi rix,
   /sys/block/ r,
+  /sys/class/fc_host/{,**} r,
+  /sys/devices/pci*/** r,
+  /sys/devices/pci/** r,
+  /sys/devices/pci*/**/scan rw,
+  /sys/devices/pci*/**/delete rw,
   /sys/devices/system/cpu/ r,
   /sys/devices/system/cpu/** r,
   /sys/devices/system/node/ r,
   /sys/devices/system/node/** r,
   /sys/devices/virtual/block/nbd*/ r,
   /sys/devices/virtual/net/** w,
-  /sys/class/fc_host/** r,
   /tmp/{,**} rw,
+  /{usr/,}lib/udev/scsi_id PUx,
   /usr/bin/ r,
   /usr/bin/* rix,
   /usr/lib/gcc/x86_64-linux-gnu/4.8/collect2 rix,