Honestly, I would only modify package maintained files from a charm as the very last resort.
Using those paths is not only something strange in the charm. Anyone using ceph rbd would use those paths.
IMO, the question is, should a properly confined qemu allow rbd or not?
This has, btw, precedent.
/etc/apparmor.d/abstractions/libvirt-qemu
# allow access to charm-specific ceph config and silence spurious
# denials (LP: #1403648).
/var/lib/charm/*/ceph.conf r,
deny /tmp/{,**} r,
deny /var/tmp/{,**} r,
This was even more charm specific.