diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 00000000..4043c1f1
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,37 @@
+name: Ubuntu
+
+on: [push, pull_request, workflow_dispatch]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+
+ - name: Check out repository code
+ uses: actions/checkout@v2
+
+ - name: Install Build dependencies
+ run: |
+ sudo apt-get update -q
+ sudo apt-get install -y \
+ devscripts debhelper config-package-dev \
+ auditd apparmor-profiles
+
+ - name: Build the apparmor.d package
+ run: dpkg-buildpackage -b -d --no-sign
+
+ - name: Install apparmor.d
+ run: sudo dpkg --install ../apparmor.d_*_all.deb
+
+ - name: Reload AppArmor
+ run: |
+ sudo systemctl restart apparmor.service || true
+ sudo systemctl status apparmor.service
+
+ - name: Show AppArmor log
+ run: sudo aa-log
+
+ - name: Verify apparmor status
+ run: |
+ aa-status
+ sudo aa-status
diff --git a/apparmor.d/abstractions/dbus-network-manager-strict b/apparmor.d/abstractions/dbus-network-manager-strict
new file mode 100644
index 00000000..9930c80d
--- /dev/null
+++ b/apparmor.d/abstractions/dbus-network-manager-strict
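Review bot: The build step runs `dpkg-buildpackage -b -d --no-sign`, i.e. with the build-dependency check disabled, while the install step only fetches devscripts, debhelper, config-package-dev, auditd and apparmor-profiles; the same commit adds golang-any, lsb-release and rsync to Build-Depends and makes debian/rules run `go build`, so this job will most likely stop at the Go build with a tool that was never installed. Installing what debian/control declares keeps CI honest about the packaging, e.g. `sudo apt-get install -y devscripts debhelper config-package-dev auditd apparmor-profiles golang-any lsb-release rsync` and dropping `-d`. In the reload step `sudo systemctl restart apparmor.service || true` hides a profile-load failure; `systemctl status` does exit non-zero for a failed unit, but if the goal is to surface parser errors it is clearer to let the restart itself fail the step. The unprivileged `aa-status` in the last step may exit non-zero before the `sudo aa-status` line runs, which is worth confirming on the runner. For supply-chain hygiene the checkout action should be pinned to a commit SHA rather than the floating `@v2` tag.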
@@ -0,0 +1,47 @@
+# vim:syntax=apparmor
+
+ abi ,
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member=GetDevices
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager/Devices/[0-9]*
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager/Settings
+ interface=org.freedesktop.NetworkManager.Settings
+ member={GetDevices,ListConnections}
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager/Settings/[0-9]*
+ interface=org.freedesktop.NetworkManager.Settings.Connection
+ member=GetSettings
+ peer=(name=org.freedesktop.NetworkManager),
+
+ include if exists
diff --git a/apparmor.d/abstractions/exo-open b/apparmor.d/abstractions/exo-open
new file mode 100644
index 00000000..d92ea371
--- /dev/null
+++ b/apparmor.d/abstractions/exo-open
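Review bot: The abstraction has no header comment stating what "strict" grants, which is exactly what a profile author needs in order to pick it: every rule is `dbus send` to the org.freedesktop.NetworkManager peer with read-only members (Properties.GetAll, GetDevices, ListConnections, GetSettings) and nothing that activates, adds, updates or deletes a connection or fetches its secrets. I would add under the vim line `# Read-only D-Bus access to NetworkManager state: no Activate*, Add*/Update*/Delete* connection methods and no GetSecrets.` so a later edit that widens it is visibly a policy change. The `GetDevices` alternative in the fifth rule's `member={GetDevices,ListConnections}` on the `org.freedesktop.NetworkManager.Settings` interface looks misplaced — GetDevices lives on `org.freedesktop.NetworkManager`, which the second rule already covers — so `member=ListConnections` is probably what was meant; worth checking against the NM introspection data before dropping it.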
@@ -0,0 +1,76 @@
+# vim:syntax=apparmor
+
+ abi ,
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via exo-open helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/exo-open directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/exo-open rPx -> foo//exo-open,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//exo-open {
+# include
+#
+# # needed for ubuntu-* abstractions
+# include
+#
+# # Only allow to handle http[s]: and mailto: links
+# include
+# include
+#
+# # Add if accesibility access is considered as required
+# # (for message boxe in case exo-open fails)
+# include
+#
+# # < add additional allowed applications here >
+# }
+
+ include
+ include # for alert messages
+ include
+ include
+ include
+
+ # Main executables
+
+ /usr/bin/exo-open rix,
+ /usr/lib{32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix,
+
+ # Other executables
+
+ /{,usr/}bin/which rix,
+
+ # Deny DBus
+
+ # for GTK error message dialog, not required exo-open to work.
+ deny dbus send
+ bus=session
+ path=/org/gtk/vfs/mounttracker,
+
+ # System files
+
+ /etc/xdg/{,xdg-*/}xfce4/helpers.rc r,
+ /etc/xfce4/defaults.list r, # TODO: move into xfce4 abstraction?
+ /usr/share/sounds/freedesktop/** r, # for message box alert sound
+ /usr/share/xfce4/helpers/*.desktop r,
+ /usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r,
+
+ # User files
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{HOME}/.config/xfce4/helpers.rc r,
+ owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
+
+ # Include additions to the abstraction
+ include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/gio-open b/apparmor.d/abstractions/gio-open
new file mode 100644
index 00000000..3c85a57e
--- /dev/null
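Review bot: The usage example in the header opens a ``` fence but never closes it, unlike the gvfs-open, kde-open5 and xdg-open abstractions in this commit; the gio-open header has the same gap, and a closing `# ``` ` line before the first real `include` fixes both. The example also carries two typos that the kde-open5 header repeats verbatim: the lines should read `# # Add if accessibility access is considered as required` and `# # (for message box in case exo-open fails)`. The file is also written without a trailing newline, as xdg-open is.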
+++ b/apparmor.d/abstractions/gio-open
@@ -0,0 +1,57 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via gio helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/gio directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/gio rPx -> foo//gio-open,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//gio-open {
+# include
+#
+# # needed for ubuntu-* abstractions
+# include
+#
+# # Only allow to handle http[s]: and mailto: links
+# include
+# include
+#
+# # < add additional allowed applications here >
+# }
+
+ include
+ include
+
+ # Main executables
+
+ /usr/bin/gio rix,
+ /usr/bin/gio-launch-desktop ix, # for OpenSUSE
+ /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix,
+
+ # System files
+
+ /etc/gnome/defaults.list r,
+ /usr/share/mime/* r,
+ /usr/share/{,*/}applications/{,**} r,
+ /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
+ /var/lib/snapd/desktop/applications/{,**} r,
+
+ # User files
+
+ owner @{HOME}/.config/mimeapps.list r,
+ owner @{HOME}/.local/share/applications/{,*.desktop} r,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ # Include additions to the abstraction
+ include if exists
diff --git a/apparmor.d/abstractions/gvfs-open b/apparmor.d/abstractions/gvfs-open
new file mode 100644
index 00000000..14a50825
--- /dev/null
+++ b/apparmor.d/abstractions/gvfs-open
@@ -0,0 +1,46 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via gvfs-open helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/gvfs-open directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/gvfs-open rPx -> foo//gvfs-open,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//gvfs-open {
+# include
+#
+# # needed for ubuntu-* abstractions
+# include
+#
+# # Only allow to handle http[s]: and mailto: links
+# include
+# include
+#
+# # < add additional allowed applications here >
+# }
+# ```
+
+ include
+
+ # gvfs-open is deprecated, it launches gio open
+ include
+
+ # Main executables
+
+ /usr/bin/gvfs-open r,
+ /{,usr/}bin/dash mr,
+
+ # Include additions to the abstraction
+ include if exists
+
diff --git a/apparmor.d/abstractions/kde-open5 b/apparmor.d/abstractions/kde-open5
new file mode 100644
index 00000000..f72d2f88
--- /dev/null
+++ b/apparmor.d/abstractions/kde-open5
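Review bot: `/{,usr/}bin/dash mr,` admits only dash as the interpreter for the gvfs-open script, whereas the xdg-open abstraction in this same commit uses `/{,usr/}bin/{b,d}ash mr,`; if gvfs-open is a `#!/bin/sh` script and `sh` resolves to bash on a target distribution (tunables/extend in this commit names Archlinux), the interpreter mapping would be denied and the helper would fail inside the child profile. Aligning on `/{,usr/}bin/{b,d}ash mr,` keeps the two abstractions consistent, but the shebang of the shipped gvfs-open should be checked first. The hunk also ends with a stray empty line after the `include if exists`.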
@@ -0,0 +1,104 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via kde-open5 helper.
+#
+# NOTE: most likely you want to use xdg-open abstraction instead for better
+# portability across desktop environments, unless you are sure that confined
+# application only uses /usr/bin/kde-open5 directly.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/kde-open5 rPx -> foo//kde-open5,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//kde-open5 {
+# include
+#
+# # needed for ubuntu-* abstractions
+# include
+#
+# # Only allow to handle http[s]: and mailto: links
+# include
+# include
+#
+# # Add if accesibility access is considered as required
+# # (for message boxe in case exo-open fails)
+# include
+#
+# # Add if audio support for message box is
+# # considered as required.
+# include if exists
+#
+# # < add additional allowed applications here >
+# }
+# ```
+
+ include # for alert messages
+ include
+ include
+ include
+ include
+ include
+ include
+ include # for IceProcessMessages () from libICE.so (called by libQtCore.so)
+ include
+ include
+ include
+ include
+
+ # Main executables
+
+ /usr/bin/kde-open5 rix,
+ /usr/lib/@{multiarch}/libexec/kf5/kioslave{,5} ix,
+
+ # DBus
+
+ dbus
+ bus=session
+ interface=org.kde.KLauncher
+ member=start_service_by_desktop_path
+ peer=(name=org.kde.klauncher5),
+
+ # Denied system files
+
+ deny /usr/lib/vlc/plugins/* w, # VLC backed tries to create plugins.dat.16109
+
+ # libpcre2 on openSUSE tries to mmap() shared memory on directory.
+ # see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
+ # AppArmor does not allow to distinguish "real" file vs shared memory one,
+ # so we deny this path to protect from loading exploits from /tmp.
+ deny /tmp/#[0-9]*[0-9] m,
+
+ # System files
+
+ /dev/tty r,
+ /etc/xdg/accept-languages.codes r,
+ /etc/xdg/menus/{,*/} r,
+ /usr/share/*fonts*/conf.avail/*.conf r, # for openSUSE, when showing error message box
+ /usr/share/ghostscript/fonts/ r, # for openSUSE, when showing error message box
+ /usr/share/hwdata/pnp.ids r, # for openSUSE, when showing error message box, for QXcbConnection::initializeScreens() from libQt5XcbQpa.so
+ /usr/share/icu/[0-9]*.[0-9]*/*.dat r, # for openSUSE
+ /usr/share/kservices5/{,**} r, # for KProtocolManager::defaultUserAgent() from libKF5KIOCore.so
+ /usr/share/mime/ r,
+ /usr/share/mime/generic-icons r,
+ /usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
+ /usr/share/sounds/ r,
+ @{PROC}/sys/kernel/core_pattern r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ # User files
+
+ owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so
+ owner @{run}/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13
+ owner @{run}/user/[0-9]*/kioclient*slave-socket lrw -> @{run}/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
+ owner @{HOME}/.cache/kio_http/ rw,
+
+ # Include additions to the abstraction
+ include if exists
diff --git a/apparmor.d/abstractions/xdg-open b/apparmor.d/abstractions/xdg-open
new file mode 100644
index 00000000..3885dc0e
--- /dev/null
+++ b/apparmor.d/abstractions/xdg-open
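Review bot: The link rule `owner @{run}/user/[0-9]*/kioclient*slave-socket lrw -> @{run}/user/[0-9]/#[0-9]*,` uses `[0-9]/` (exactly one digit) in the link target while the source path and the `#[0-9]*` rule just above use `[0-9]*`, so for the uid 1000 that the neighbouring comment cites the target never matches and the link is denied; `-> @{run}/user/[0-9]*/#[0-9]*,` lines the two up. The KLauncher rule on the previous page line is a bare `dbus` rule, which grants both send and receive, while every other D-Bus rule in this commit is direction-qualified; a caller of start_service_by_desktop_path only needs `dbus send`, and receive should stay out unless a reply-handling need is shown. The comment on the VLC deny should read `# VLC backend tries to create plugins.dat.16109`. This hunk starts on the previous page line.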
@@ -0,0 +1,84 @@
+# vim:syntax=apparmor
+
+# This abstraction is designed to be used in a child profile to limit what
+# confined application can invoke via xdg-open helper. xdg-open abstraction
+# will allow to use gio-open, kde-open5 and other helpers of the different
+# desktop environments.
+#
+# Usage example:
+#
+# ```
+# profile foo /usr/bin/foo {
+# ...
+# /usr/bin/xdg-open rPx -> foo//xdg-open,
+# ...
+# } # end of main profile
+#
+# # out-of-line child profile
+# profile foo//xdg-open {
+# include
+#
+# # Enable a11y support if considered required by
+# # profile author for (rare) error message boxes.
+# include
+#
+# # Enable gstreamer support if considered required by
+# # profile author for (rare) error message boxes.
+# include if exists
+#
+# # needed for ubuntu-* abstractions
+# include
+#
+# # Only allow to handle http[s]: and mailto: links
+# include
+# include
+#
+# # < add additional allowed applications here >
+# }
+# ```
+
+ include
+
+ # for openin with `exo-open`
+ include
+
+ # for opening with `gio open `
+ include
+
+ # for opening with gvfs-open (deprecated)
+ include
+
+ # for opening with kde-open5
+ include
+
+ # Main executables
+
+ /{,usr/}bin/{b,d}ash mr,
+ /usr/bin/xdg-open r,
+
+ # Additional executables
+
+ /usr/bin/xdg-mime rix,
+ /{,usr/}bin/cut rix, # for xdg-mime
+ /{,usr/}bin/head rix, # for xdg-mime
+ /{,usr/}bin/sed rix, # for xdg-open
+ /{,usr/}bin/tr rix, # for xdg-mime
+ /{,usr/}bin/which rix, # for xdg-open
+ /{,usr/}bin/{grep,egrep} rix, # for xdg-open
+
+ # System files
+
+ /dev/pts/[0-9]* rw,
+ /dev/tty w,
+ /etc/gnome/defaults.list r, # for grep
+ /usr/share/applications/mimeinfo.cache r, # for grep
+ /usr/share/terminfo/s/screen r, # for bash on openSUSE
+ /usr/share/{,*/}applications/{,*.desktop} r, # for xdg-mime
+ /var/lib/menu-xdg/applications/ r, # for xdg-mime
+
+ # Usr files
+
+ owner @{HOME}/.local/share/applications/{,*.desktop} r,
+
+ # Include additions to the abstraction
+ include if exists
\ No 
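Review bot: `/dev/pts/[0-9]* rw,` is the one per-user device rule in this abstraction without `owner`; the pseudo-terminal belongs to the launching user, and `owner /dev/pts/[0-9]* rw,` keeps the helper child profile from reading or writing another user's terminal, matching the `owner` already applied to the user files below. Two comment fixes while here: the heading `# Usr files` should be `# User files`, which is what every other abstraction in this commit uses, and the comment above the exo-open include has a typo ("openin" for "opening").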
newline at end of file diff --git a/apparmor.d/profiles-a-f/apparmor.systemd b/apparmor.d/profiles-a-f/apparmor.systemd index 45e3947e..297d3f54 100644 --- a/apparmor.d/profiles-a-f/apparmor.systemd +++ b/apparmor.d/profiles-a-f/apparmor.systemd @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}lib/apparmor/apparmor.systemd -profile apparmor.systemd @{exec_path} { +profile apparmor.systemd @{exec_path} flags=(complain) { include include @@ -15,7 +15,7 @@ profile apparmor.systemd @{exec_path} { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/getconf rix, - /{usr/,}bin/grep rix, + /{usr/,}bin/{,e}grep rix, /{usr/,}bin/ls rix, /{usr/,}bin/xargs rix, /{usr/,}{s,}bin/aa-status rPx, diff --git a/apparmor.d/tunables/extend b/apparmor.d/tunables/extend index 5383b711..b7abc97b 100644 --- a/apparmor.d/tunables/extend +++ b/apparmor.d/tunables/extend @@ -10,6 +10,7 @@ @{MOUNTS}=/media/ @{run}/media /mnt # Libexec path. Different in some distribution -@{libexec}=/usr/lib +@{libexec}=/usr/lib # Archlinux +@{libexec}=/usr/libexec # Debian/Ubuntu include if exists \ No newline at end of file diff --git a/configure b/configure index e4a38d01..9aacd5b5 100755 --- a/configure +++ b/configure @@ -5,17 +5,9 @@ readonly ROOT=.build -_die() { printf '%s\n' "$*" >&2 && exit 1; } +_die() { printf 'Error: %s\n' "$*" >&2 && exit 1; } _warning() { printf ' Warning: %s\n' "$*" >&2; } -has_option() { - local item option="$1"; - for item in "${OPTIONS[@]}"; do - [[ "$item" == "$option" ]] && return 0 - done - return 1 -} - # Displace files in the package sources # $@ List of files to displace _displace_files() { 
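Review bot: apparmor.systemd is switched to `flags=(complain)` here and in the same commit added to profiles.ignore, which configure's ignore() removes from the build tree with `find "$ROOT/apparmor.d" -iname "$profile" -type f -exec rm {} \;`, so the complain flag never reaches an installed profile; one of the two changes is dead and should be dropped. If the profile is meant to stay shipped in complain mode, the flag belongs in profiles.flags next to the other complain entries rather than hard-coded on the profile line, and a short comment saying why it is in complain mode (e.g. `# complain: still collecting denials via aa-log`) would help the next reader.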
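Review bot: `@{libexec}` is now assigned twice, once as `/usr/lib # Archlinux` and again as `/usr/libexec # Debian/Ubuntu`; apparmor_parser rejects a second `=` assignment of an already-declared variable, so unless configure's distribution branch strips one of these lines (not visible on this page) the tunable fails to load and every profile including it with it. If both paths are meant to be valid everywhere, the second line should use the appending form `@{libexec}+=/usr/libexec # Debian/Ubuntu`; if exactly one applies per distribution, the choice belongs in configure and the file should carry a single definition.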
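Review bot: `_die() { printf 'Error: %s\n' "$*" >&2 && exit 1; }` still chains the exit on printf succeeding, so a failed write to stderr (closed descriptor, full disk) lets the script carry on past a fatal error; `_die() { printf 'Error: %s\n' "$*" >&2; exit 1; }` exits unconditionally. The removal of has_option is consistent with the `--options=` argument dropped from debian/rules in this commit, so that part looks complete.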
@@ -24,15 +16,13 @@ _displace_files() { done } -# Initialise a new clean apparmor.d build directory -initialise() { +# Initialize a new clean apparmor.d build directory +initialize() { rm -rf "${ROOT:?}" && rsync -a --exclude=.git . "$ROOT" } -# Set the distribution specificities -configure() { - echo "Set the configuration for $DISTRIBUTION." - +# Ignore profiles in profiles.ignore +ignore() { echo " Ignore profiles in profiles.ignore." while read -r profile; do [[ "$profile" =~ ^\# ]] && continue @@ -42,14 +32,21 @@ configure() { find "$ROOT/apparmor.d" -iname "$profile" -type f -exec rm {} \; fi done "$ROOT/apparmor.d/tunables/run" + sed -i -e '/capability bpf/d' -e '/capability perfmon/d' \ + "$ROOT/apparmor.d/groups/virt/libvirtd" + fi + ;; *) _die "$DISTRIBUTION is not a supported distribution." ;; @@ -109,13 +116,15 @@ setflags() { done -Build-Depends: debhelper (>= 13), debhelper-compat (= 13), config-package-dev, curl +Build-Depends: debhelper (>= 13.4), + debhelper-compat (= 13), + golang-any, + lsb-release, + config-package-dev, + rsync, Homepage: https://github.com/roddhjav/apparmor.d Vcs-Browser: https://github.com/roddhjav/apparmor.d Vcs-Git: https://github.com/roddhjav/apparmor.d.git diff --git a/debian/rules b/debian/rules index dce32152..1eb47790 100755 --- a/debian/rules +++ b/debian/rules 
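Review bot: The new `sed -i -e '/capability bpf/d' -e '/capability perfmon/d' "$ROOT/apparmor.d/groups/virt/libvirtd"` carries no comment saying which distribution branch it belongs to or why; presumably that distribution's apparmor_parser predates the bpf and perfmon capabilities, and a line such as `# Strip capabilities this distribution's apparmor_parser does not know` should record that. The patterns are unanchored, so they also delete any comment line that merely mentions the capability; `'/^\s*capability bpf,/d'` and `'/^\s*capability perfmon,/d'` limit the edit to rule lines. Part of this hunk is not legible on this page, so only the sed addition has been reviewed.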
@@ -3,16 +3,21 @@ # Copyright (C) 2021 Alexandre Pujol # -DH_OPTIONS ?= - %: dh $@ --with=config-package override_dh_auto_configure: - ./configure --distribution=debian --options=$(DH_OPTIONS) + ./configure --dist=debian + export CGO_CPPFLAGS="${CPPFLAGS}" + export CGO_CFLAGS="${CFLAGS}" + export CGO_CXXFLAGS="${CXXFLAGS}" + export CGO_LDFLAGS="${LDFLAGS}" + export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw" + go build -o .build/ ./cmd/aa-log override_dh_install: mv systemd system find system -type f -exec \ install -Dm0644 {} $$(pwd)/debian/apparmor.d/usr/lib/systemd/{}.d/apparmor.conf \; + install -Dm755 .build/aa-log $$(pwd)/debian/apparmor.d/usr/bin/aa-log dh_install diff --git a/profiles.flags b/profiles.flags index fcdeb552..650f127c 100644 --- a/profiles.flags +++ b/profiles.flags @@ -1,5 +1,6 @@ acpid attach_disconnected,complain adb complain +aa-status agetty complain arch-audit complain at-spi-bus-launcher attach_disconnected diff --git a/profiles.ignore b/profiles.ignore index 1e24c6de..06706c7a 100644 --- a/profiles.ignore +++ b/profiles.ignore @@ -1,5 +1,6 @@ anki apps/ +apparmor.systemd torbrowser.Browser.firefox torbrowser.Browser.plugin-container torbrowser.Tor.tor
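Review bot: The `export CGO_*` and `export GOFLAGS` lines in override_dh_auto_configure have no effect on the `go build -o .build/ ./cmd/aa-log` below them: make runs each recipe line in its own shell unless `.ONESHELL` is set, and nothing on this page sets it, so aa-log is built without `-buildmode=pie`, `-trimpath` and `-mod=readonly` and with whatever CGO flags the environment happens to carry. Either put the assignments on the same logical line as the build, as below, or hoist them to make-level `export GOFLAGS := ...` lines at the top of debian/rules. The `install -Dm755 .build/aa-log` in override_dh_install is fine once the build really applies those flags.
```make
override_dh_auto_configure:
	./configure --dist=debian
	CGO_CPPFLAGS="${CPPFLAGS}" CGO_CFLAGS="${CFLAGS}" \
	CGO_CXXFLAGS="${CXXFLAGS}" CGO_LDFLAGS="${LDFLAGS}" \
	GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw" \
	go build -o .build/ ./cmd/aa-log
```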
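Review bot: `aa-status` is added to profiles.flags without a flags column while every other entry is `name flags`; unless setflags() in configure tolerates a missing second field (its hunk on this page is cut off), this produces an empty flag set or a parse failure when the flags are applied. Either give the entry the intended flag, e.g. `aa-status complain` if that is what was meant, or drop the line.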