I was trying to follow your case, but hit even more:
[2794286.784575] apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/unbound" name="/run/systemd/notify" pid=4938 comm="unbound" requested_mask="w" denied_mask="w" fsuid=118 ouid=0
[2794367.925181] apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/lib/sss/mc/initgroups" pid=5111 comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
That would need:
/run/systemd/notify w,
/var/lib/sss/mc/initgroups r,
With that in place I added /etc/unbound/unbound.conf.d/rc.conf as in the report above.
I didn't trigger the mentioned denies, but then maybe one would have to set up unbound a bit more to do so.
If you can share the steps needed to trigger in addition to said config file.
Also if anyone does an upload later I think fixing the two extra rules I outlined should be grouped with the fix.
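
The mapping from the two DENIED lines to the two profile rules in the comment above, as an added example (not part of the original comment and not AppArmor tooling). It generalizes slightly beyond the quoted lines: the function names, the c/d-to-w folding and the hex-name decoding are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in the comment above.
SAMPLE_LOG = '''\
[2794286.784575] apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/unbound" name="/run/systemd/notify" pid=4938 comm="unbound" requested_mask="w" denied_mask="w" fsuid=118 ouid=0
[2794367.925181] apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/lib/sss/mc/initgroups" pid=5111 comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
LOG_TO_RULE = {"c": "w", "d": "w"}  # create/delete in a log mask are granted by "w"
ORDER = "rwamlk"  # "x" is left out on purpose: it needs a transition mode chosen by hand

def parse_denial(line):
    """Return (profile, path, perms) for an AppArmor file denial, else None."""
    fields = {}
    for m in KV.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is None and key in ("name", "profile"):
            # The audit layer writes strings with spaces or quotes as bare hex.
            try:
                bare = bytes.fromhex(bare).decode()
            except ValueError:
                pass
        fields[key] = quoted if quoted is not None else bare
    if fields.get("apparmor") != "DENIED":
        return None
    if not {"profile", "name", "denied_mask"} <= fields.keys():
        return None
    perms = {LOG_TO_RULE.get(c, c) for c in fields["denied_mask"]}
    return fields["profile"], fields["name"], perms

def suggest_rules(log_text):
    """Merge denials per profile and path into candidate rules for review."""
    merged = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        hit = parse_denial(line)
        if hit:
            profile, path, perms = hit
            merged[profile][path] |= perms
    result = {}
    for profile, paths in merged.items():
        rules = []
        for path, perms in sorted(paths.items()):
            if "w" in perms:
                perms = perms - {"a"}  # "w" already covers append
            mask = "".join(c for c in ORDER if c in perms)
            if mask:
                rules.append(f"{path} {mask},")
        result[profile] = rules
    return result
```

The output is a list of candidates to review against what the daemon legitimately needs, not rules to paste in unread.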