Comment 5 for bug 1779674

Honestly, I would only modify package maintained files from a charm as the very last resort.
Using those paths is not only something strange in the charm. Anyone using ceph rbd would use those paths.

IMO, the question is, should a properly confined qemu allow rbd or not?

This has btw precedence.
/etc/apparmor.d/abstractions/libvirt-qemu
  # allow access to charm-specific ceph config and silence spurious
  # denials (LP: #1403648).
  /var/lib/charm/*/ceph.conf r,
  deny /tmp/{,**} r,
  deny /var/tmp/{,**} r,

This was even more charm specific.