diff -Nru unbound-1.6.7/debian/apparmor-profile unbound-1.6.7/debian/apparmor-profile
--- unbound-1.6.7/debian/apparmor-profile 2018-02-22 19:35:20.000000000 +0000
+++ unbound-1.6.7/debian/apparmor-profile 2018-02-28 02:31:49.000000000 +0000
@@ -7,8 +7,14 @@
 #include
 #include
- # needlessly chown'ing the PID
- deny capability chown,
+ # chown the PID/Unix control socket
+ capability chown,
+ # chmod the Unix control socket
+ capability fowner,
+ capability fsetid,
+
+ # added to abstractions/nameservices in Apparmor 2.12
+ /var/lib/sss/mc/initgroups r,
 capability net_bind_service,
 capability setgid,
diff -Nru unbound-1.6.7/debian/changelog unbound-1.6.7/debian/changelog
--- unbound-1.6.7/debian/changelog 2018-02-22 19:35:23.000000000 +0000
+++ unbound-1.6.7/debian/changelog 2018-02-28 02:31:49.000000000 +0000
@@ -1,3 +1,11 @@
+unbound (1.6.7-1ubuntu2) bionic; urgency=medium
+
+ * debian/apparmor-profile: add capabilities to chown/chmod Unix
+ control socket and allow reading /var/lib/sss/mc/initgroups
+ (Closes: #891705, LP: #1749931)
+
+ -- Simon Deziel Tue, 27 Feb 2018 21:31:49 -0500
+
 unbound (1.6.7-1ubuntu1) bionic; urgency=medium
 * debian/apparmor: update to allow writing to /run/systemd/notify
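Review bot: `capability fsetid,` is granted under the "chmod the Unix control socket" comment without a stated need: CAP_FSETID only governs keeping or setting set-user-ID/set-group-ID bits, which a control socket's mode should not carry, so the logged request may be no more than the kernel's capability check during chmod. If unbound works without it, `deny capability fsetid,` would silence the audit message without widening the profile, the same way the removed `deny capability chown,` did; the hunk does not show the daemon's behaviour, so this needs confirming. Capability rules are not path-scoped, so `chown` and `fowner` now apply to every file the profile's write rules (outside this hunk) allow, and a comment such as `# chown/fowner are bounded only by the file rules in this profile; keep write paths narrow` would record that. The new comment also names `abstractions/nameservices`, while the abstraction is `abstractions/nameservice`.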