Comment 4 for bug 1749931

I was trying to follow your case, but hit even more:

[2794286.784575] apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/unbound" name="/run/systemd/notify" pid=4938 comm="unbound" requested_mask="w" denied_mask="w" fsuid=118 ouid=0
[2794367.925181] apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/lib/sss/mc/initgroups" pid=5111 comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

That would need:
  /run/systemd/notify w,
  /var/lib/sss/mc/initgroups r,

With that in place I added /etc/unbound/unbound.conf.d/rc.conf as in the report above.
I didn't trigger the mentioned denies, but then maybe one would have to setup unbound a bit more to do so.
If you can share the steps needed to trigger in addition to said config file.

Also if anyone does an upload later I think fixing the two extra rules I outlined should be grouped with the fix.