This also affects unbound: the name resolution service didn't start (it was possible to start unbound outside of service management, because it doesn't look for /run/systemd/notify in that case). I do use dracut.
Upgrading systemd and related packages to 255.4-1ubuntu8.1 (upgrading udev regenerates the initramfs) fixes it. Before that, errors looked like:

journalctl -k -b-1 --grep 'apparmor.*unbound'
mai 27 10:02:22 host kernel: audit: type=1400 audit(1716796942.487:146): apparmor="DENIED" operation="sendmsg" class="file" profile="unbound" name="/systemd/journal/dev-log" pid=1175 comm="unbound" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
mai 27 10:02:22 host kernel: audit: type=1400 audit(1716796942.487:147): apparmor="DENIED" operation="connect" class="file" profile="unbound" name="/systemd/userdb/io.systemd.DynamicUser" pid=1175 comm="unbound" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
mai 27 10:02:22 host kernel: audit: type=1400 audit(1716796942.542:153): apparmor="DENIED" operation="sendmsg" class="file" profile="unbound" name="/systemd/notify" pid=1175 comm="unbound" requested_mask="w" denied_mask="w" fsuid=126 ouid=0

** Also affects: unbound (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064096

Title:
  Services fail to start in noble deployed with TPM+FDE

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064096/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
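The kernel audit records quoted in the message above are the usual raw material for triaging a service that AppArmor stops from starting, and the detail worth noticing in them is that the denied paths read /systemd/notify and /systemd/journal/dev-log rather than the /run/systemd/... paths a service normally talks to. The helper below is an added example, not part of the bug report and not Ubuntu or AppArmor tooling: it collapses a journal into the distinct (profile, operation, path, denied mask) tuples and separately lists the paths that start with /systemd/ instead of /run/systemd/. The sample log lines are constructed to mirror the quoted journal format, and the function names apparmor_denials and misrooted_systemd_paths are my own.

```shell
#!/bin/sh
# Added example: summarise AppArmor DENIED audit records of the kind quoted in
# the bug report. Not part of the report or of any project's tooling.

# Constructed sample input with the same fields as the quoted journalctl
# output (three DENIED records plus one ALLOWED record that must be ignored).
SAMPLE_LOG='May 27 10:02:22 host kernel: audit: type=1400 audit(1716796942.487:146): apparmor="DENIED" operation="sendmsg" class="file" profile="unbound" name="/systemd/journal/dev-log" pid=1175 comm="unbound" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
May 27 10:02:22 host kernel: audit: type=1400 audit(1716796942.487:147): apparmor="DENIED" operation="connect" class="file" profile="unbound" name="/systemd/userdb/io.systemd.DynamicUser" pid=1175 comm="unbound" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
May 27 10:02:22 host kernel: audit: type=1400 audit(1716796942.542:153): apparmor="DENIED" operation="sendmsg" class="file" profile="unbound" name="/systemd/notify" pid=1175 comm="unbound" requested_mask="w" denied_mask="w" fsuid=126 ouid=0
May 27 10:02:23 host kernel: audit: type=1400 audit(1716796943.100:160): apparmor="ALLOWED" operation="open" class="file" profile="unbound" name="/etc/unbound/unbound.conf" pid=1175 comm="unbound" requested_mask="r" denied_mask="r" fsuid=126 ouid=0'

# Read journal lines on stdin and print one "profile operation path denied_mask"
# line per distinct DENIED record, so a noisy journal collapses to the handful
# of accesses the profile is actually blocking.
apparmor_denials() {
    grep 'apparmor="DENIED"' \
    | sed -n 's/.*operation="\([^"]*\)".*profile="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\2 \1 \3 \4/p' \
    | sort -u
}

# Print only the denied paths that begin with /systemd/ rather than
# /run/systemd/. A service integrating with systemd (sd_notify, the journal
# socket, userdb) is expected to use /run/systemd/..., so this is the pattern
# to look for when the denials match the ones quoted in the report.
misrooted_systemd_paths() {
    apparmor_denials | awk '$3 ~ /^\/systemd\// { print $3 }'
}

# On a live system the input would come from the journal instead, e.g.
#   journalctl -k -b-1 --grep 'apparmor.*unbound' | apparmor_denials
echo "$SAMPLE_LOG" | apparmor_denials
echo "$SAMPLE_LOG" | misrooted_systemd_paths
```

Running it over the constructed sample prints the three unbound denials (connect to the userdb socket, sendmsg to the journal socket, sendmsg to the notify socket) and then the same three paths again from misrooted_systemd_paths, since all of them lack the /run prefix; the ALLOWED record is dropped. On a real journal, an empty result from misrooted_systemd_paths together with a non-empty denial list points at an ordinary missing profile rule rather than the situation described in this report.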