V-51739: LSM device labeling exception

Implements: blueprint security-hardening

Change-Id: Iad9f2e4e98815794e3ec84cb5f4b7194512d666f

doc/source/developer-notes/V-51379.rst

@@ -0,0 +1,7 @@
+**Exception**
+
+Although SELinux works through a labeling system where every file (including
+devices) receive a label, AppArmor works purely through policies without
+labels. However, openstack-ansible does configure several AppArmor policies
+to reduce the chances and impact of LXC container breakouts on OpenStack
+hosts.