Oh, it is a silent deny: "deny capability chown". Yes I see now.
Ok so overall:

deny capability chown -> capability chown (can we limit that to a certain scope)

> /run/systemd/notify w,

The notify problem was taken care of in LP: #1723900 :)
I have hit that in Bionic just now....

>> /var/lib/sss/mc/initgroups r,
> IMHO, this should be in abstractions/nameservice which is already
> included in the Unbound profile. Christian, would you mind opening a bug
> about it? I don't have any sssd setup here. Thanks

I have no sssd either, that is just a bionic container.

Before spreading that out to more bugs I'll subscribe jdstrand here.
Maybe he can spot an overall pattern (e.g. on my bionic container) so that this could be "just" the discussion on the capability.
Also I'd like to have his opinion on opening up chown cap for this.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1749931

Title:
  unbound-control local socket broken by apparmor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/1749931/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
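An added illustrative AppArmor fragment, not the shipped Ubuntu unbound profile and not part of the thread, showing how the rules discussed in this message fit together. The rule lines are the ones quoted in the thread; the surrounding profile layout is assumed, and the comments on "audit" and on capability scoping describe general AppArmor semantics rather than anything tested on the reporter's system.

```apparmor
# Hypothetical excerpt of an unbound profile (assumed layout, for illustration).
# Explicit "deny" rules are not logged by default, which is why the chown
# denial was "silent": nothing showed up as DENIED in the audit log.

  # While investigating, make the denial visible instead of silent
  # (use this OR the plain "capability chown," below, not both; deny
  # rules take precedence over allow rules in the same profile):
  audit deny capability chown,

  # Once chown is confirmed to be needed for the control socket, allow it.
  # Capability rules in AppArmor are profile-wide: they cannot be limited
  # to one path, so this grants chown on every file the confined unbound
  # process can already write to under its file rules.
  capability chown,

  # sd_notify status socket, as quoted in the thread:
  /run/systemd/notify w,

  # /var/lib/sss/mc/initgroups (sssd memcache) is expected to come from
  # the nameservice abstraction rather than a profile-local rule:
  #include <abstractions/nameservice>
```

Check the effect with aa-logprof or by watching the kernel audit log for apparmor="DENIED" entries after switching to the audit form, then remove the audit prefix once the needed rule set is settled.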
deny capability chown -> capability chown (can we limit that to a certain scope) > /run/systemd/notify w, The notify problem was taken care of in LP: #1723900 :) I have hit that in Bionic just now.... >> /var/lib/sss/mc/initgroups r, >IMHO, this should be in abstractions/nameservice which is already >included in the Unbound profile. Christian, would you mind opening a bug >about it? I don't have any sssd setup here. Thanks I have no sssd either, that is just a bionic container. Before spreading that out to more bugs I'll subscribe jdstrand here. Maybe he can spot an overall pattern (e.g. on my bionic container) so that this could be "just" the discussion on the capability. Also I'd like to have his opinion on opening up chown cap for this. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1749931 Title: unbound-control local socket broken by apparmor To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/1749931/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs