@Seth, upstream accepted another patch that will only do the PID chown'ing if the PID is inside the chroot. Since the PID lives outside the chroot on Debian/Ubuntu, the chown/dac_override caps won't be needed when Unbound 1.5.8 will be released.
Until that release happens and reaches Ubuntu, what do you recommend doing with this profile refresh? -- https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-refresh/+merge/282230 Your team AppArmor Developers is requested to review the proposed merge of lp:~sdeziel/apparmor-profiles/unbound-refresh into lp:apparmor-profiles. -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor