diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre
index c4e4b894..e07b6dcc 100644
--- a/apparmor.d/groups/apps/calibre
+++ b/apparmor.d/groups/apps/calibre
@@ -15,9 +15,9 @@ include <tunables/global>
 @{exec_path} += @{bin}/web2disk
 profile calibre @{exec_path} {
   include <abstractions/base>
-  include <abstractions/bus/org.a11y>
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
+  include <abstractions/bus/org.a11y>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/chromium-common>
   include <abstractions/devices-usb>
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index 695b611f..a5172ac1 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@@ -27,6 +27,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
   network bluetooth stream,
   network bluetooth seqpacket,
 
+  signal (receive) set=(cont term) peer=@{systemd_user},
   signal (receive) set=(term hup kill) peer=at-spi-bus-launcher,
   signal (receive) set=(term hup kill) peer=dbus-run-session,
   signal (receive) set=(term hup kill) peer=gdm*,
diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
index 24f25421..c7c3436d 100644
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
@@ -55,7 +55,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
   @{sys}/module/apparmor/parameters/enabled r,
 
         @{PROC}/@{pid}/cmdline r,
-        @{PROC}/@{pid}/oom_score_adj r,
+        @{PROC}/@{pid}/oom_score_adj rw,
         @{PROC}/@{pids}/mounts r,
         @{PROC}/1/cgroup r,
   owner @{PROC}/@{pid}/attr/apparmor/current r,
diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper
index dcf4716d..d0348302 100644
--- a/apparmor.d/groups/freedesktop/polkit-agent-helper
+++ b/apparmor.d/groups/freedesktop/polkit-agent-helper
@@ -42,6 +42,8 @@ profile polkit-agent-helper @{exec_path} {
 
   @{exec_path} mr,
 
+  @{bin}/unix_chkpwd rPx,
+
   owner @{HOME}/.xsession-errors w,
 
   @{run}/faillock/[a-zA-z0-9]* rwk,
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index 93600815..897b34b9 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -41,11 +41,9 @@ profile pulseaudio @{exec_path} {
   network bluetooth stream,
   network bluetooth seqpacket,
 
-  dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio1,
-
-  dbus bind bus=session name=org.PulseAudio1,
-
-  dbus bind bus=session name=org.pulseaudio*,
+  # dbus: own bus=session name=org.freedesktop.ReserveDevice1.Audio@{int}
+  # dbus: own bus=session name=org.PulseAudio1
+  # dbus: own bus=session name=org.pulseaudio*
 
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf
index 37b1c613..3a1a7774 100644
--- a/apparmor.d/groups/ubuntu/subiquity-console-conf
+++ b/apparmor.d/groups/ubuntu/subiquity-console-conf
@@ -35,8 +35,8 @@ profile subiquity-console-conf @{exec_path} {
   @{bin}/tty         rix,
 
   @{bin}/journalctl                      rCx -> journalctl,
-  @{bin}/ssh-keygen                      rPx, 
-  @{bin}/sshd                            rPx, 
+  @{bin}/ssh-keygen                      rPx,
+  @{bin}/sshd                            rPx,
   @{bin}/snap                           rPUx,
   /usr/lib/snapd/snap-recovery-chooser  rPUx,
   /usr/share/netplan/netplan.script     rPUx, # TODO: rPx,
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
index 3041cc34..cd1a732e 100644
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@@ -22,23 +22,16 @@ profile update-notifier @{exec_path} {
   include <abstractions/openssl>
   include <abstractions/python>
 
-  dbus receive bus=session path=/org/ayatana/NotificationItem{,/**}
-       interface={com.canonical.dbusmenu,org.freedesktop.DBus.Properties}
-       peer=(name=:*, label=gnome-shell),
+  # dbus: talk bus=system name=org.debian.apt label=apt
 
-  dbus send bus=session path=/StatusNotifierWatcher
-       interface=org.kde.StatusNotifierWatcher
-       member=RegisterStatusNotifierItem
-       peer=(name=:*, label=gnome-shell),
+#   dbus receive bus=session path=/org/ayatana/NotificationItem{,/**}
+#        interface={com.canonical.dbusmenu,org.freedesktop.DBus.Properties}
+#        peer=(name=:*, label=gnome-shell),
 
-  dbus send bus=system path=/org/debian/apt
-       interface=org.debian.apt
-       member=GetActiveTransactions
-       peer=(name=:*, label=apt),
-  dbus send bus=system path=/org/debian/apt
+  dbus receive bus=session path=/org/ayatana/NotificationItem/software_update_available
        interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*, label=apt),
+       member={Get,GetAll}
+       peer=(name=:*, label=gnome-shell),
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller
index a5a7457a..738216fd 100644
--- a/apparmor.d/profiles-a-f/file-roller
+++ b/apparmor.d/profiles-a-f/file-roller
@@ -11,6 +11,7 @@ profile file-roller @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
+  include <abstractions/bus/org.a11y>
   include <abstractions/dconf-write>
   include <abstractions/desktop>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/profiles-g-l/grpck b/apparmor.d/profiles-g-l/grpck
index cf9b71b1..190322e3 100644
--- a/apparmor.d/profiles-g-l/grpck
+++ b/apparmor.d/profiles-g-l/grpck
@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/grpck
-profile grpck @{exec_path} {
+profile grpck @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
 
diff --git a/apparmor.d/profiles-m-r/pwck b/apparmor.d/profiles-m-r/pwck
index 7011a01a..051417cf 100644
--- a/apparmor.d/profiles-m-r/pwck
+++ b/apparmor.d/profiles-m-r/pwck
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/pwck
-profile pwck @{exec_path} {
+profile pwck @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener
index f98abda3..91315af4 100644
--- a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener
+++ b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener
@@ -16,6 +16,8 @@ profile snapd-aa-prompt-listener @{exec_path} {
 
   @{lib_dirs}/snapd/info r,
 
+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
   @{PROC}/cmdline r,
 
   include if exists <local/snapd-aa-prompt-listener>
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
index 57d05ade..8a81a90e 100644
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@@ -42,7 +42,9 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
 
   /etc/pipewire/client.conf r,
 
+  /var/lib/gdm{3,}/.config/pulse/cookie rk,
   /var/lib/gdm{3,}/.config/user-dirs.dirs r,
+
   /var/lib/nscd/passwd r,
 
   owner @{user_config_dirs}/user-dirs.dirs r,