abstractions/nameservice: allow kanidm-unixd

If kanidm is configured in nsswitch.conf(5), access to the kanidm-unixd
configuration is needed for applications to resolve entries.

For example:

```
type=AVC apparmor="DENIED" operation="open" class="file" profile="php-fpm"
name="/etc/kanidm/unixd" comm="php-fpm" requested_mask="r" denied_mask="r"
```

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

profiles/apparmor.d/abstractions/nameservice

@@ -58,6 +58,9 @@
   @{PROC}/@{pid}/net/psched r,
   @{etc_ro}/libnl-*/classid r,
 
+  # user/group resolution through kanidm
+  /etc/kanidm/unixd r,
+
   # nis
   include <abstractions/nis>