Comment 6 for bug 1794820

Thinking on this, more users clearly don't understand and there is a partial fix we could roll out before the inode labeling lands

Basically we do some dominance analysis in the compile and strip away rename permission from the parent hierarchy. And then have policy have an override to explicitly opt back in. This way the issue is annotated in the policy and there is a bread crumb to documentation about this. I'll raise this option on the apparmor mailing list.