I was trying to follow your case, but hit even more:

[2794286.784575] apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/unbound" name="/run/systemd/notify" pid=4938 comm="unbound" requested_mask="w" denied_mask="w" fsuid=118 ouid=0
[2794367.925181] apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/lib/sss/mc/initgroups" pid=5111 comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

That would need:

  /run/systemd/notify w,
  /var/lib/sss/mc/initgroups r,

With that in place I added /etc/unbound/unbound.conf.d/rc.conf as in the report above.
I didn't trigger the mentioned denies, but then maybe one would have to set up unbound a bit more to do so.
If you can share the steps needed to trigger in addition to said config file.

Also if anyone does an upload later I think fixing the two extra rules I outlined should be grouped with the fix.

-- 
https://bugs.launchpad.net/bugs/1749931

Title:
  unbound-control local socket broken by apparmor
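
The step from the DENIED lines to the two file rules in the message above, as an added example (not part of the original message and not the AppArmor project's own tooling). The function names are hypothetical; the sample input is constructed from the two log lines quoted above, and the output is a list of candidate rules to review before adding them to the profile.

```python
import re

# Constructed sample input: the two kernel log lines quoted in the message above.
SAMPLE_LOG = '''\
[2794286.784575] apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/unbound" name="/run/systemd/notify" pid=4938 comm="unbound" requested_mask="w" denied_mask="w" fsuid=118 ouid=0
[2794367.925181] apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/lib/sss/mc/initgroups" pid=5111 comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# key="quoted value" or key=bare_value pairs as they appear in the log record
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PERM_ORDER = "rwamlk"  # print order for merged permissions (cosmetic choice)


def parse_denials(text):
    """Yield the key/value fields of every AppArmor DENIED record on a path."""
    for line in text.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
        if (fields.get("apparmor") == "DENIED"
                and "name" in fields and "denied_mask" in fields):
            yield fields


def candidate_rules(text):
    """Return {profile: ["<path> <perms>,", ...]} with masks merged per path."""
    merged = {}
    for d in parse_denials(text):
        # Log masks "c" (create) and "d" (delete) are granted by "w" in a file rule.
        mask = d["denied_mask"].replace("c", "w").replace("d", "w")
        merged.setdefault((d["profile"], d["name"]), set()).update(mask)
    rules = {}
    for (profile, path), mask in sorted(merged.items()):
        if "w" in mask:
            mask.discard("a")  # "w" and "a" cannot be combined in one rule
        # "x" is left out on purpose: an exec rule needs a transition mode
        # (ix, px, ...) that a person has to choose.
        perms = "".join(p for p in PERM_ORDER if p in mask)
        if perms:
            rules.setdefault(profile, []).append(f"{path} {perms},")
    return rules


if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE_LOG).items():
        print(f"# candidate additions for profile {profile}")
        for rule in lines:
            print(f"  {rule}")
```
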