Comment 3 for bug 1749931

Jean-Daniel Dupas (xooloo) wrote :

My config is:

remote-control:
 control-enable: yes
 control-interface: /var/run/unbound.ctl

The socket is created, but then unbound can't properly change the owner to unbound:unbound.

Feb 21 13:08:21 linux-agent systemd[1]: Starting Unbound DNS server...
Feb 21 13:08:22 linux-agent unbound[6486]: [1519214902] unbound[6486:0] error: cannot chown 114.125 /var/run/unbound.ctl: Operation not permitted

If the apparmor profile is changed to allow chown, it raises a second issue, which is that unbound can't properly set permissions on the socket:

Feb 21 13:10:37 linux-agent audit[6788]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/unbound" pid=6788 comm="unbound" capability=3 capname="fowner"