For those unfamiliar, Ubuntu 24.04 made changes to AppArmor and is “enforcing” it by default with Rsyslog / rsyslogd. For those of us who are using LibreNMS’s “syslog integration,” this new AppArmor change makes it so rsyslogd is not able to run the provided LibreNMS PHP script (/opt/librenms/syslog.php) to dump log data into LibreNMS.
I wanted to thank other users of the forum for posting, because I was able to get my system temporarily functional again by completely bypassing AppArmor for rsyslogd as documented in this other thread. Worth mentioning - my system did not have “aa-utilities” installed by default, so I had to use apt to put them on before I had access to aa-disable.
However, the changes to AppArmor in Ubuntu 24.04 were surely done for a good reason (presumably security-related), and I don’t like disabling AppArmor for rsyslog, especially when it is consuming foreign input.
Has anybody figured out the magical AppArmor incantations to allow it to work with the LibreNMS integration without requiring it to be fully disabled for rsyslog?
This was the hole I started digging down, but got frustrated when it didn’t seem to be helping. The whole “Ux / Px / ix” thing was a stumbling block and I didn’t dig deeper to see wtf the difference is (I assume something related to which user/UID the profile allows to eXecute…)
Interesting that the Ubuntu mailing list explanation initially was only going to make the change on new installs and not upgrades… but then another developer told the Rsyslog maintainer to make it change (break) upgrades as well.
I suspect that I’m going to need to add an exclusion to the actual LNMS syslog.php file, but then also allow (at least) read access to anything that CLI PHP needs in order to start as well…
Setting it to aa-complain mode is basically the same as aa-disable; the only real difference is that in complain it spams all of the “access denied” messages to syslog without actually denying access.
complain is what I plan to use to try to write the proper AppArmor policy to “correctly” fix this; the problem is finding the time to research/learn AppArmor well enough to do it. I was hoping maybe someone else had already done the legwork, but apparently not…
Whenever I get around to it, I will definitely document it here, and possibly try to edit the install guide page if I can figure that out (I believe it’s on GitHub).
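For the complain-mode approach discussed in this thread, the logged messages can be reduced to the list of paths and permission letters a narrower rsyslogd policy would have to grant. This is an added example, not code from the thread or from LibreNMS: the log lines are constructed, and the profile name `rsyslogd` and the `<parent>//null-<path>` learning-profile naming are assumptions about the local system.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread) in the kernel audit format.
# Complain mode logs apparmor="ALLOWED"; enforce mode logs apparmor="DENIED".
SAMPLE_LOG = """\
audit: type=1400 audit(1714000000.101:201): apparmor="ALLOWED" operation="exec" class="file" profile="rsyslogd" name="/opt/librenms/syslog.php" pid=4321 comm="rsyslogd" requested_mask="x" denied_mask="x" fsuid=104 ouid=999
audit: type=1400 audit(1714000000.105:202): apparmor="ALLOWED" operation="open" class="file" profile="rsyslogd//null-/opt/librenms/syslog.php" name="/opt/librenms/syslog.php" pid=4321 comm="php" requested_mask="r" denied_mask="r" fsuid=104 ouid=999
audit: type=1400 audit(1714000000.109:203): apparmor="ALLOWED" operation="open" class="file" profile="rsyslogd//null-/opt/librenms/syslog.php" name="/etc/php/8.3/cli/php.ini" pid=4321 comm="php" requested_mask="r" denied_mask="r" fsuid=104 ouid=0
audit: type=1400 audit(1714000001.000:204): apparmor="DENIED" operation="open" class="file" profile="man" name="/tmp/example" pid=5000 comm="man" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1714000002.000:205): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="rsyslogd" pid=5100 comm="apparmor_parser"
rsyslogd: [origin software="rsyslogd"] start
"""

# key=value pairs; values are either double-quoted or bare tokens.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def summarize(log_text, profile="rsyslogd"):
    """Map each path to the permission letters the profile lacked for it."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or fields.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue  # skip non-AppArmor lines and STATUS/profile-load events
        # Complain mode runs an unmatched exec's child under a learning
        # profile named "<parent>//null-<path>"; count it with the parent.
        name = fields.get("profile", "")
        if name != profile and not name.startswith(profile + "//null-"):
            continue
        if "name" in fields:
            needed[fields["name"]].update(fields.get("denied_mask", ""))
    return {path: "".join(sorted(m)) for path, m in sorted(needed.items())}

if __name__ == "__main__":
    for path, mask in summarize(SAMPLE_LOG).items():
        print(f"{mask:<4} {path}")
```

Each path and mask in the output is a candidate for one file rule in a local override of the rsyslogd profile, to be reviewed before it is granted rather than copied in wholesale.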