b61fb8e Fix apparmor issues for Xen

1 file Authored by Mike Latimer 9 years ago, Committed by cbosdonnat 9 years ago,
    Fix apparmor issues for Xen
    
    In order for apparmor to work properly in Xen environments, the following
    access rights need to be allowed:
    
     - Allow CAP_SYS_PACCT, which is required when resetting some multi-port
       Broadcom cards by writing to the PCI config space
    
     - Allow CAP_IPC_LOCK, which is required to lock/unlock memory. Without
       this setting, an error 'Resource temporarily unavailable' can be seen
       while attempting to mmap memory. At the same time, the following
       apparmor message is seen:
    
       apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd"
       pid=2097 comm="libvirtd" pid=2097 comm="libvirtd" capability=14
       capname="ipc_lock"
    
     - Allow access to distribution specific directories:
         /usr/{lib,lib64}/xen/bin
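
An added example, not part of the commit or of libvirt: a small parser that turns AppArmor `DENIED` records for the `capable` operation, like the one quoted in the message above, into candidate `capability` rules per profile for review. The function names are hypothetical, and the sample record is the quoted one joined onto a single line.

```python
import re
from collections import defaultdict

# Denial record quoted in the commit message, joined onto one line.
SAMPLE = ('apparmor="DENIED" operation="capable" parent=1 '
          'profile="/usr/sbin/libvirtd" pid=2097 comm="libvirtd" '
          'pid=2097 comm="libvirtd" capability=14 capname="ipc_lock"')

# key=value pairs; a value is either double-quoted or a bare token.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Capability names are lowercase with underscores; anything else is rejected.
CAPNAME = re.compile(r'^[a-z_]+$')


def parse_record(line):
    """Return the record's fields; a repeated key must carry the same value."""
    fields = {}
    for m in PAIR.finditer(line):
        key = m.group(1)
        value = m.group(2) if m.group(2) is not None else m.group(3)
        # The quoted record repeats pid= and comm=; accept only if they agree.
        if fields.setdefault(key, value) != value:
            raise ValueError(f"conflicting values for {key!r}")
    return fields


def missing_capabilities(lines):
    """Map profile name -> sorted capability rules seen in denials."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED" or rec.get("operation") != "capable":
            continue  # only capability denials are of interest here
        name = rec.get("capname", "")
        if "profile" not in rec or not CAPNAME.match(name):
            continue  # skip malformed records rather than emit a bad rule
        rules[rec["profile"]].add(f"capability {name},")
    return {profile: sorted(found) for profile, found in rules.items()}


if __name__ == "__main__":
    for profile, found in missing_capabilities([SAMPLE]).items():
        print(f"profile {profile}:")
        for rule in found:
            print(f"  {rule}")
```

Each suggested rule widens what the confined process may do, so it should be checked against a documented need, as the commit message does for `ipc_lock`, before it goes into the profile.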