Add AppArmor Rule for keepalived

A patch was introduced [0] "..which sets the backup gateway
device link down by default. When the VRRP sets the master state in
one host, the L3 agent state change procedure will
do link up action for the gate$way device.".

This change causes an issue when using keepalived 2.X (focal+) which
is fixed by patch [1] which adds a new 'no_track' option to all VIPs
and routes in keepalived's config file.

Patch [1] which fixed keepalived 2.X broke keepalived 1.X (<focal).
So patch [2] was added which adds a keepalived_use_no_track config
option which is set to True control whether the 'no_track' option
is added to the keepalived config.

Finally, patchset [3] introduces automatic detection of the
keepalived version by adding a call to `keepalived --version`
but this is denied by the packages apparmor rules.

[0] https://review.opendev.org/c/openstack/neutron/+/707406
[1] https://review.opendev.org/c/openstack/neutron/+/721799
[2] https://review.opendev.org/c/openstack/neutron/+/745641
[3] https://review.opendev.org/c/openstack/neutron/+/757620

Change-Id: I3eb1ef3fe29a8c4e5e26953844f303c8e985248a

templates/usr.bin.neutron-l3-agent

@@ -10,6 +10,8 @@
 
   /usr/bin/neutron-l3-agent r,
 
+  /usr/sbin/keepalived rix,
+
   /sbin/ldconfig* rix,
 
   /{,usr/}bin/ r,