docs: configuring Apparmor #4039

Open
themr0c opened this issue Feb 20, 2024 · 1 comment

themr0c commented Feb 20, 2024

@chanchalbose - thanks, this hint helped to solve it for me too

CRC 1.32.0 / OCP 4.17.8
Linux Debian 12 bookworm

On Debian I had to modify two different profiles to get it working and reload the profiles afterwards:

/etc/apparmor.d/libvirt/TEMPLATE.qemu as you have written:

profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
#include <abstractions/libvirt-qemu>
@{HOME}/.crc/cache/*/crc.qcow2 rk,
}

and /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper for file /home/user/.crc/machines/crc/crc.qcow2 - here it was a bit more tricky as default rules for "virt-aa-helper" deny access to all hidden files in the user home directory:

audit deny @{HOME}/.* mrwkl,
audit deny @{HOME}/.*/ rw,
audit deny @{HOME}/.*/** mrwkl,

Therefore, just adding an allow rule for the crc.qcow2 file does not work. These deny rules must be changed to allow reading from the ~/.crc/ directory...

@cfergeau @gbraad
I think it would be really helpful to have a note in the installation instructions for all Debian/Ubuntu based distributions to check current AppArmor profiles and system log messages for DENIED entries in case "crc start" does not work. It took me a long time to find the problem and this issue in order to solve the generic Access Denied error message on startup.

Originally posted by @sseide in #1776 (comment)
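
The check suggested in the comment above (looking through the system log for AppArmor DENIED entries when "crc start" fails), as an added example that is not part of the original issue or of the CRC project's code. The log lines are constructed samples: the paths follow the ones named in the comment, while the bundle directory name, UUID, pids and timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed sample kernel audit lines (not from the issue). Paths follow the
# ones named in the comment; bundle directory, UUID, pids and times are made up.
SAMPLE_LOG = '''\
audit: type=1400 audit(1708420000.101:310): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/home/user/.crc/machines/crc/crc.qcow2" pid=4101 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
audit: type=1400 audit(1708420000.350:311): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/home/user/.crc/cache/example_bundle/crc.qcow2" pid=4120 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=1000
audit: type=1400 audit(1708420001.002:312): apparmor="ALLOWED" operation="open" profile="virt-aa-helper" name="/etc/ld.so.cache" pid=4101 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1708420002.777:313): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/home/user/.crc/machines/crc/crc.qcow2" pid=4101 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_event(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, quoted, bare in KV.findall(line):
        # The audit subsystem writes a path containing spaces or control
        # characters as an unquoted hex string; decode it back to a path.
        if key == 'name' and bare and HEX.fullmatch(bare):
            bare = bytes.fromhex(bare).decode('utf-8', 'replace')
        fields[key] = bare or quoted
    return fields

def summarize_denials(log_text, path_part='/.crc/'):
    """Count DENIED events per (profile, path, denied_mask) under path_part."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get('apparmor') != 'DENIED':
            continue
        if path_part not in ev.get('name', ''):
            continue
        counts[(ev.get('profile', '?'), ev['name'], ev.get('denied_mask', ''))] += 1
    return dict(counts)

if __name__ == '__main__':
    for (profile, path, mask), n in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(f'{n}x profile={profile} denied_mask={mask} path={path}')
```

On a real host, feed it the output of `journalctl -k` or the contents of `/var/log/audit/audit.log` (when auditd is installed) instead of `SAMPLE_LOG`; the profile column shows which of the two profiles from the comment is blocking the file.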

@themr0c themr0c self-assigned this Feb 20, 2024

gbraad commented Mar 28, 2024

I am OK to have this included in the documentation, however... where? This feels more like an advanced topic or FAQ, as none of these targets are tested by us.

As mentioned here, start with a wiki entry?
