Adjust apparmor configuration for rsyslog (#4)

* Adjust apparmor configuration for rsyslog

Modify rsyslog profile in apparmor so it can read papertrail PEM file

defaults/main.yml

@@ -10,3 +10,7 @@ papertrail_remote_syslog_config_paths:
   systemd:
     path: /lib/systemd/system/remote_syslog.service
 papertrail_remote_user: "papertrail"
+
+# Apparmor
+apparmor_rsyslogd_profile_path: /etc/apparmor.d/usr.sbin.rsyslogd
+apparmor_rsyslogd_local_profile_path: /etc/apparmor.d/local/usr.sbin.rsyslogd

handlers/main.yml

@@ -1,4 +1,7 @@
 ---
+- name: Reload apparmor
+  service: name=apparmor state=reloaded
+
 - name: Restart remote_syslog
   service: name=remote_syslog state=restarted
 

tasks/configure-apparmor.yml

@@ -0,0 +1,13 @@
+---
+- name: Import local rsyslogd profile to apparmor
+  ansible.builtin.lineinfile:
+    path: "{{ apparmor_rsyslogd_profile_path }}"
+    search_string: '#include <local/usr.sbin.rsyslogd>'
+    line: '  include <local/usr.sbin.rsyslogd>'
+
+- name: Allow rsyslogd read Papertrail PEM in apparmor profile
+  ansible.builtin.lineinfile:
+    path: "{{ apparmor_rsyslogd_local_profile_path }}"
+    line: "{{ papertrail_pem_path }} r,"
+    state: present
+  notify: Reload apparmor

tasks/main.yml

@@ -11,6 +11,11 @@
            dest="/etc/papertrail-bundle.pem"
            mode=0644
 
+- include_tasks: configure-apparmor.yml
+  vars:
+    papertrail_pem_path: /etc/papertrail-bundle.pem
+  when: ansible_facts['distribution_major_version'] == "24"
+
 - include_tasks: rsyslogtls-RedHat.yml
   when:
     - ansible_os_family == 'RedHat'
@@ -19,7 +24,6 @@
   when:
     - ansible_os_family == 'Debian'
 
-
 - name: Download remote_syslog
   get_url: url="https://github.com/papertrail/remote_syslog2/releases/download/v{{ papertrail_version }}/remote_syslog_linux_amd64.tar.gz"
            dest="/usr/local/src/remote_syslog_{{ papertrail_version }}_linux_amd64.tar.gz"