Comment 9 for bug 1749931

Simon Déziel (sdeziel) wrote :

"deny capability chown" was initially added for the PID file, see [1]. Failing to chown the PID or the control socket is only logged at higher log level specifically to not generate noise when the chown capability isn't available, see [2,3]. The "capability fowner" was removed based on [4].

Currently, the unbound control socket is only accessible to root requiring one to use "sudo unbound-control" (aka the bug at hand):

  $ ll /run/unbound.ctl
  srw-rw---- 1 root root 0 Feb 23 18:40 /run/unbound.ctl=

Re-introducing the chown/fowner caps would give us:

  $ ll /run/unbound.ctl
  srw-rw---- 1 unbound unbound 0 Feb 23 18:38 /run/unbound.ctl=

which would fix the bug at the expense of those additional caps.

I'd vote in favor of re-introducing the capability for the sake of not having AppArmor "getting in the way". If that's OK with everyone, I'd send the patch to Debian as well.

1: https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-refresh/+merge/282230
2: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=734
3: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1332
4: https://lists.ubuntu.com/archives/apparmor/2016-January/009278.html
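The two `ll` listings above are the whole bug: with the socket owned by root:root and mode 0660, only root can open it, so `unbound-control` needs sudo; once unbound can chown it to unbound:unbound, members of the unbound group get in. The following is an added example, not code from the bug report or from the unbound or AppArmor projects. It evaluates a constructed `ls -l` line against a user and their group list the way the kernel's DAC check would (owner bits, then group bits, then other bits, with root bypassing the check), using the two listings from the comment as sample input, and prints the two AppArmor capability rules the comment proposes re-adding. The profile path `/etc/apparmor.d/usr.sbin.unbound` and the user names `alice`/`bob` are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the bug report or the unbound/AppArmor projects).
# Mirrors the DAC decision on a Unix socket: root bypasses it, otherwise the
# owner bits apply if you own the file, else the group bits if you are in the
# file's group, else the "other" bits. unbound-control needs read+write.

# socket_usable_by "<ls -l line>" <user> "<space-separated groups of user>"
# Returns 0 if <user> can open the socket read-write without sudo, 1 otherwise.
socket_usable_by() {
    line=$1
    user=$2
    user_groups=$3

    # Fields of an `ls -l` (or `ll`, i.e. `ls -alF`) line: mode, links, owner, group, ...
    set -- $line
    mode=$1
    owner=$3
    group=$4

    # Permission triplets: chars 2-3 owner, 5-6 group, 8-9 other ("rw" or not).
    u_bits=$(printf '%s' "$mode" | cut -c2-3)
    g_bits=$(printf '%s' "$mode" | cut -c5-6)
    o_bits=$(printf '%s' "$mode" | cut -c8-9)

    # root holds CAP_DAC_OVERRIDE, so the mode bits never stop it.
    [ "$user" = root ] && return 0

    # Owner check takes precedence over group and other.
    if [ "$owner" = "$user" ]; then
        [ "$u_bits" = rw ]
        return $?
    fi

    # Group check: only if the user is a member of the socket's group.
    for g in $user_groups; do
        if [ "$g" = "$group" ]; then
            [ "$g_bits" = rw ]
            return $?
        fi
    done

    # Fall through to the "other" bits.
    [ "$o_bits" = rw ]
}

# Constructed sample input: the two listings pasted in the bug comment.
BEFORE='srw-rw---- 1 root root 0 Feb 23 18:40 /run/unbound.ctl='
AFTER='srw-rw---- 1 unbound unbound 0 Feb 23 18:38 /run/unbound.ctl='

# The two rules the comment proposes restoring so unbound may chown the
# PID file and control socket. Target profile path is an assumption.
apparmor_chown_rules() {
    printf '  capability chown,\n  capability fowner,\n'
}

main() {
    # alice is assumed to be a member of group unbound; bob is not.
    for line in "$BEFORE" "$AFTER"; do
        if socket_usable_by "$line" alice "alice unbound"; then
            echo "alice: usable without sudo: $line"
        else
            echo "alice: needs sudo:          $line"
        fi
    done
    echo "Rules to add to /etc/apparmor.d/usr.sbin.unbound (assumed path):"
    apparmor_chown_rules
}

main
```

To check a live host, feed the real listing and your own identity in: `socket_usable_by "$(ls -l /run/unbound.ctl)" "$(id -un)" "$(id -Gn)"`. If that fails while the profile lacks `capability chown`, the failed chown will also not show up in unbound's default log output, exactly as the comment notes, so the socket ownership is the thing to look at.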