I have verified the fix according to the test plan above, using 255.4-1ubuntu8.1 from noble-proposed. Note, as I mentioned in an earlier comment, this fix is NOT available on Desktop with TPM FDE until the appropriate snap is rebuilt.

I have previously prepared a noble VM, and installed dracut for generating the initrd, which means running systemd in the initrd. Currently, I can see the AppArmor denials for rsyslog:

ubuntu@ubuntu:~$ sudo dmesg | grep rsyslog
[ 2.816998] systemd[1]: unit_file_build_name_map: normal unit file: /usr/lib/systemd/system/rsyslog.service
[ 5.588869] audit: type=1400 audit(1716388183.334:149): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="rsyslogd" pid=993 comm="apparmor_parser"
[ 5.676353] audit: type=1400 audit(1716388183.422:150): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/notify" pid=1055 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[ 5.676388] audit: type=1400 audit(1716388183.422:151): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/journal/dev-log" pid=1055 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[ 5.676407] audit: type=1400 audit(1716388183.422:152): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/journal/dev-log" pid=1055 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[ 5.676425] audit: type=1400 audit(1716388183.422:153): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/journal/dev-log" pid=1055 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[ 5.676440] audit: type=1400 audit(1716388183.422:154): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/journal/dev-log" pid=1055 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[ 95.610731] audit: type=1400 audit(1716388273.356:166): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/journal/dev-log" pid=1055 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[ 95.974029] audit: type=1400 audit(1716388273.719:167): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="rsyslogd" pid=2072 comm="apparmor_parser"
[ 96.010658] audit: type=1400 audit(1716388273.756:168): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/notify" pid=2073 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[ 96.010664] audit: type=1400 audit(1716388273.756:169): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/journal/dev-log" pid=2073 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[ 96.010666] audit: type=1400 audit(1716388273.756:170): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/journal/dev-log" pid=2073 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[ 96.010669] audit: type=1400 audit(1716388273.756:171): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/journal/dev-log" pid=2073 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[ 96.010670] audit: type=1400 audit(1716388273.756:172): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/journal/dev-log" pid=2073 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0

ubuntu@ubuntu:~$ apt policy systemd
systemd:
  Installed: 255.4-1ubuntu8
  Candidate: 255.4-1ubuntu8
  Version table:
     255.4-1ubuntu8.1 100
        100 http://archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages
 *** 255.4-1ubuntu8 500
        500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages
        100 /var/lib/dpkg/status

Now, I install systemd from noble-proposed, and then re-generate the initrd so that the patched systemd is in the initrd:

ubuntu@ubuntu:~$ sudo apt install systemd -y -t noble-proposed
[ ... ]
ubuntu@ubuntu:~$ sudo dracut --force
dracut[I]: Executing: /usr/bin/dracut --force
dracut[I]: Module 'mksh' will not be installed, because command 'mksh' could not be found!
dracut[I]: Module 'warpclock' will not be installed, because command 'hwclock' could not be found!
dracut[I]: Module 'systemd-pcrphase' will not be installed, because command '/usr/lib/systemd/systemd-pcrphase' could not be found!
dracut[I]: Module 'systemd-timesyncd' will not be installed, because command '/usr/lib/systemd/systemd-timesyncd' could not be found!
dracut[I]: Module 'modsign' will not be installed, because command 'keyctl' could not be found!
dracut[I]: Module 'dbus-broker' will not be installed, because command 'dbus-broker' could not be found!
dracut[I]: Module 'rngd' will not be installed, because command 'rngd' could not be found!
dracut[I]: Module 'plymouth' will not be installed, because command 'plymouth-set-default-theme' could not be found!
dracut[I]: Module 'btrfs' will not be installed, because command 'btrfs' could not be found!
dracut[I]: Module 'dmraid' will not be installed, because command 'dmraid' could not be found!
dracut[I]: Module 'multipath' will not be installed, because command 'multipath' could not be found!
dracut[I]: Module 'pcsc' will not be installed, because command 'pcscd' could not be found!
dracut[I]: Module 'tpm2-tss' will not be installed, because command 'tpm2' could not be found!
dracut[I]: Module 'nvmf' will not be installed, because command 'nvme' could not be found!
dracut[I]: Module 'biosdevname' will not be installed, because command 'biosdevname' could not be found!
dracut[I]: Module 'memstrack' will not be installed, because command 'memstrack' could not be found!
dracut[I]: memstrack is not available
dracut[I]: If you need to use rd.memdebug>=4, please install memstrack and procps-ng
dracut[I]: *** Including module: systemd ***
dracut[I]: *** Including module: systemd-initrd ***
dracut[I]: *** Including module: console-setup ***
dracut[I]: *** Including module: i18n ***
dracut[I]: *** Including module: crypt ***
dracut[I]: *** Including module: dm ***
dracut[I]: *** Including module: kernel-modules ***
dracut[I]: *** Including module: kernel-modules-extra ***
dracut[I]: *** Including module: lvm ***
dracut[I]: *** Including module: mdraid ***
dracut[I]: *** Including module: nvdimm ***
dracut[I]: *** Including module: overlay-root ***
dracut[I]: *** Including module: qemu ***
dracut[I]: *** Including module: lunmask ***
dracut[I]: *** Including module: resume ***
dracut[I]: *** Including module: rootfs-block ***
dracut[I]: *** Including module: terminfo ***
dracut[I]: *** Including module: udev-rules ***
dracut[I]: *** Including module: virtfs ***
dracut[I]: *** Including module: virtiofs ***
dracut[I]: *** Including module: dracut-systemd ***
dracut[I]: *** Including module: usrmount ***
dracut[I]: *** Including module: base ***
dracut[I]: *** Including module: fs-lib ***
dracut[I]: *** Including module: shutdown ***
dracut[I]: *** Including modules done ***
dracut[I]: *** Installing kernel module dependencies ***
dracut[I]: *** Installing kernel module dependencies done ***
dracut[I]: *** Resolving executable dependencies ***
dracut[I]: *** Resolving executable dependencies done ***
dracut[I]: *** Hardlinking files ***
dracut[I]: *** Hardlinking files done ***
dracut[I]: *** Generating early-microcode cpio image ***
dracut[I]: *** Constructing AuthenticAMD.bin ***
dracut[I]: *** Constructing GenuineIntel.bin ***
dracut[I]: *** Store current command line parameters ***
dracut[I]: *** Stripping files ***
dracut[I]: *** Stripping files done ***
dracut[I]: *** Creating image file '/boot/initrd.img-6.8.0-31-generic' ***
dracut[I]: Using auto-determined compression method 'pigz'
dracut[I]: *** Creating initramfs image file '/boot/initrd.img-6.8.0-31-generic' done ***
ubuntu@ubuntu:~$ sudo reboot

After the reboot:

ubuntu@ubuntu:~$ journalctl -b --grep "Switching root"
May 22 10:33:50 localhost @ystemctl[467]: Switching root - root: /sysroot; init: n/a
May 22 10:33:50 localhost systemd[1]: Switching root.

ubuntu@ubuntu:~$ sudo dmesg | grep rsyslog
[sudo] password for ubuntu:
[ 2.278177] systemd[1]: unit_file_build_name_map: normal unit file: /usr/lib/systemd/system/rsyslog.service

ubuntu@ubuntu:~$ systemctl status rsyslog
● rsyslog.service - System Logging Service
     Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; preset: enabled)
     Active: active (running) since Wed 2024-05-22 10:33:53 EDT; 59s ago
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
             man:rsyslog.conf(5)
             https://www.rsyslog.com/doc/
   Main PID: 1055 (rsyslogd)
      Tasks: 4 (limit: 4608)
     Memory: 6.7M (peak: 7.0M)
        CPU: 513ms
     CGroup: /system.slice/rsyslog.service
             └─1055 /usr/sbin/rsyslogd -n -iNONE

May 22 10:33:53 ubuntu rsyslogd[1055]: rsyslogd's groupid changed to 102
May 22 10:33:53 ubuntu rsyslogd[1055]: rsyslogd's userid changed to 102
May 22 10:33:53 ubuntu rsyslogd[1055]: [origin software="rsyslogd" swVersion="8.2312.0" x-pid="1055" x-info="https://>
May 22 10:33:53 ubuntu systemd[1]: rsyslog.service: Got notification message from PID 1055 (READY=1)
May 22 10:33:53 ubuntu systemd[1]: rsyslog.service: Changed start -> running
May 22 10:33:53 ubuntu systemd[1]: rsyslog.service: Job 290 rsyslog.service/start finished, result=done
May 22 10:33:53 ubuntu systemd[1]: Started rsyslog.service - System Logging Service.
May 22 10:33:54 ubuntu systemd[1]: rsyslog.service: System call riscv_hwprobe is not known, ignoring.
May 22 10:33:54 ubuntu systemd[1]: /usr/lib/systemd/system/rsyslog.service:21: System call riscv_hwprobe is not known>
May 22 10:33:54 ubuntu systemd[1]: rsyslog.service: Changed dead -> running

ubuntu@ubuntu:~$ apt policy systemd
systemd:
  Installed: 255.4-1ubuntu8.1
  Candidate: 255.4-1ubuntu8.1
  Version table:
 *** 255.4-1ubuntu8.1 100
        100 http://archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     255.4-1ubuntu8 500
        500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages

Hence, with the patched systemd in the initrd, we no longer see the AppArmor denials, and rsyslog starts normally.
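
The before/after dmesg comparison in the comment above can be scripted; this is an added example, not part of the original comment or of any Ubuntu test plan. It counts AppArmor DENIED records whose info field reports a disconnected path, grouped by profile, socket name and operation. The function names and the sample records are assumptions constructed for illustration.

```python
import re
import sys
from collections import Counter

# key="quoted value" or key=bare pairs, as printed in kernel audit records
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample records, shaped like the dmesg lines in the comment above.
_DENY = ('[ 1.0000{n}] audit: type=1400 audit(1700000000.001:{n}): apparmor="DENIED" '
         'operation="sendmsg" class="file" info="Failed name lookup - disconnected path" '
         'error=-13 profile="rsyslogd" name="{name}" pid=200 comm="rsyslogd" '
         'requested_mask="w" denied_mask="w" fsuid=102 ouid=0')
SAMPLE = [
    '[ 1.000010] audit: type=1400 audit(1700000000.001:10): apparmor="STATUS" '
    'operation="profile_replace" profile="unconfined" name="rsyslogd" pid=100',
    _DENY.format(n=11, name="systemd/notify"),
    _DENY.format(n=12, name="systemd/journal/dev-log"),
    _DENY.format(n=13, name="systemd/journal/dev-log"),
    # A denial with no disconnected-path info: outside the scope of this check.
    '[ 1.000014] audit: type=1400 audit(1700000000.001:14): apparmor="DENIED" '
    'operation="open" class="file" profile="exampled" name="/etc/example.conf" pid=300',
]

def parse_apparmor_record(line):
    """Return the key/value fields of a type=1400 AppArmor record, else None."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    return {k: (q if q else b) for k, q, b in _FIELD.findall(line)}

def disconnected_path_denials(lines, profile=None):
    """Count disconnected-path denials keyed by (profile, name, operation)."""
    counts = Counter()
    for line in lines:
        rec = parse_apparmor_record(line)
        if rec is None or rec.get("apparmor") != "DENIED":
            continue
        if "disconnected path" not in rec.get("info", ""):
            continue
        if profile and rec.get("profile") != profile:
            continue
        counts[(rec.get("profile", ""), rec.get("name", ""), rec.get("operation", ""))] += 1
    return counts

if __name__ == "__main__":
    # Usage: sudo dmesg | python3 this_script.py rsyslogd
    found = disconnected_path_denials(sys.stdin, sys.argv[1] if len(sys.argv) > 1 else None)
    for (prof, name, op), n in sorted(found.items()):
        print(f"{n:4d}  profile={prof} operation={op} name={name}")
    sys.exit(1 if found else 0)  # non-zero exit while denials are still present
```

Run it once before installing the proposed package and once after rebooting into the regenerated initrd; an exit status of 0 on the second run matches the empty dmesg result shown above.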