I was trying to follow your case, but hit even more:

[2794286.784575] apparmor="DENIED" operation="sendmsg" 
profile="/usr/sbin/unbound" name="/run/systemd/notify" pid=4938 comm="unbound" 
requested_mask="w" denied_mask="w" fsuid=118 ouid=0
[2794367.925181] apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" 
name="/var/lib/sss/mc/initgroups" pid=5111 comm="unbound" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0

That would need:
  /run/systemd/notify w,
  /var/lib/sss/mc/initgroups r,

With that in place I added /etc/unbound/unbound.conf.d/rc.conf as in the report 
I didn't trigger the mentioned denies, but then maybe one would have to setup 
unbound a bit more to do so.
If you can share the steps needed to trigger in addition to said config file.

Also if anyone does an upload later I think fixing the two extra rules I
outlined should be grouped with the fix.

You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

  unbound-control local socket  broken by apparmor

To manage notifications about this bug go to:

ubuntu-bugs mailing list

Reply via email to