To start, the process of writing a profile is quite simple. For control-port-filter-python, run;
sudo aa-genprof /usr/sbin/cpfpd
Press (F)inish at the prompt, (S)can does nothing. A profile template is created in /etc/apparmor.d. It's nearly empty at this stage, and the tedious work begins.
Monitor the apparmor messages with
sudo tail -f /var/log/kern.log
Restart the application, modify the profile, adding permission for the denied files, reload the profile in the kernel,
sudo apparmor_parser -r /etc/appamor.d/usr.sbin/cpfpd
Restart the application... and so on, until no denied message are shown, and the application is running.
Sounds easy, but generally, you'll find some obstacles. Just done cpfpd. The profile is quite short, the daemon is running in enforced mode, but there is an - unknown until now - denied message left, that apparently cannot be fixed the usual way.
Looking into it, but if this indroduction makes sense, please feel free to give it a try.