feat(profile): more kde integration.

fix #442

apparmor.d/abstractions/bash-strict

@@ -24,6 +24,7 @@
 
   owner @{HOME}/.alias r,
   owner @{HOME}/.bash_aliases r,
+  owner @{HOME}/.bash_complete r,
   owner @{HOME}/.bash_history rw,
   owner @{HOME}/.bash_profile r,
   owner @{HOME}/.bashrc r,

apparmor.d/groups/akonadi/akonadi_birthdays_resource

@@ -19,6 +19,7 @@ profile akonadi_birthdays_resource @{exec_path} {
 
   owner @{user_cache_dirs}/icon-cache.kcache rw,
 
+  owner @{user_config_dirs}/akonadi_birthdays_resourcerc r,
   owner @{user_config_dirs}/akonadi/ rw,
   owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
 

apparmor.d/groups/akonadi/akonadi_maildir_resource

@@ -17,6 +17,8 @@ profile akonadi_maildir_resource @{exec_path} {
 
   /usr/share/akonadi/plugins/serializer/{,*.desktop} r,
 
+  owner @{user_mail_dirs}/{,**} rw,
+
   owner @{user_cache_dirs}/icon-cache.kcache rw,
 
   owner @{user_config_dirs}/akonadi_maildir_resource_[0-9]rc r,

apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent

@@ -17,6 +17,7 @@ profile akonadi_unifiedmailbox_agent @{exec_path} {
 
   owner @{user_cache_dirs}/icon-cache.kcache rw,
 
+  owner "@{user_config_dirs}/Unknown Organization/akonadi_unifiedmailbox_agent.conf_changes.dat" r, # see https://bugs.kde.org/show_bug.cgi?id=452565
   owner @{user_config_dirs}/akonadi_unifiedmailbox_agentrc r,
   owner @{user_config_dirs}/akonadi/ rw,
   owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,

apparmor.d/groups/browsers/firefox-kmozillahelper

@@ -47,6 +47,11 @@ profile firefox-kmozillahelper @{exec_path} {
   owner @{user_config_dirs}/kmozillahelperrc r,
   owner @{user_config_dirs}/kmozillahelperrc.@{rand6} rwl,
   owner @{user_config_dirs}/kwinrc r,
+  owner @{user_config_dirs}/menus/ r,
+  owner @{user_config_dirs}/menus/applications-merged/ r,
+
+  owner @{user_share_dirs}/kservices5/ r,
+  owner @{user_share_dirs}/kservices5/searchproviders/ r,
 
   owner @{run}/user/@{uid}/kmozillahelper@{rand6}.@{int}.kioworker.socket wl,
   owner @{run}/user/@{uid}/xauth_@{rand6} rl,

apparmor.d/groups/display-manager/xdm-xsession

@@ -22,6 +22,7 @@ profile xdm-xsession @{exec_path} {
   @{bin}/cat                rix,
   @{bin}/checkproc          rix,
   @{bin}/dirname            rix,
+  @{bin}/fortune           rPUx,
   @{bin}/gpg-agent          rPx,
   @{bin}/gpg-connect-agent  rPx,
   @{bin}/grep               rix,
@@ -36,6 +37,7 @@ profile xdm-xsession @{exec_path} {
   @{bin}/tty                rix,
   @{bin}/uname              rix,
   @{bin}/whoami             rix,
+  @{bin}/xmodmap           rPUx,
 
   @{bin}/dbus-update-activation-environment rCx -> dbus,
   @{bin}/flatpak                            rPx,
@@ -53,7 +55,7 @@ profile xdm-xsession @{exec_path} {
   @{etc_ro}/X11/xdm/sys.xsession                    rix,
   @{etc_ro}/X11/xinit/xinitrc.d/50-systemd-user.sh  rix,
   @{etc_ro}/X11/xinit/xinitrc.d/xdg-user-dirs.sh    rix,
-  @{HOME}/.xinitrc                                 rPix,
+  @{HOME}/.xinitrc                                 rPix, # TODO: rCx
   @{lib}/xinit/xinitrc                          rix,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
@@ -73,6 +75,7 @@ profile xdm-xsession @{exec_path} {
   /etc/sysconfig/* r,
 
   owner @{HOME}/ r,
+  owner @{HOME}/@{XDG_GPG_DIR}/gpg-agent.conf r,
 
   owner @{user_share_dirs}/sddm/xorg-session.log rw,
 

apparmor.d/groups/freedesktop/pulseaudio

@@ -78,6 +78,8 @@ profile pulseaudio @{exec_path} {
 
   /etc/pulse/{,**} r,
 
+  / r,
+
   owner @{desktop_cache_dirs}/gstreamer-1.0/ rw,
   owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
   owner @{desktop_config_dirs}/dconf/user   r,

apparmor.d/groups/kde/kaccess

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/kaccess
 profile kaccess @{exec_path} {
   include <abstractions/base>
+  include <abstractions/audio-client>
   include <abstractions/graphics>
   include <abstractions/kde-strict>
   include <abstractions/nameservice-strict>
@@ -19,6 +20,8 @@ profile kaccess @{exec_path} {
 
   /usr/share/icons/{,**} r,
 
+  /etc/machine-id r,
+
   owner @{user_cache_dirs}/icon-cache.kcache rw,
 
   owner @{user_config_dirs}/breezerc r,

apparmor.d/groups/kde/kde-powerdevil

@@ -57,14 +57,15 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
   @{sys}/class/i2c-dev/ r,
   @{sys}/class/usbmisc/ r,
   @{sys}/devices/ r,
+  @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness r,
   @{sys}/devices/@{pci}/card@{int}/*/dpms r,
   @{sys}/devices/@{pci}/drm/card@{int}/**/dev r,
   @{sys}/devices/@{pci}/drm/card@{int}/*/dpms r,
   @{sys}/devices/@{pci}/drm/card@{int}/*/edid r,
   @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r,
   @{sys}/devices/@{pci}/drm/card@{int}/*/status r,
-  @{sys}/devices/@{pci}/i2c-@{int}/**/dev r,
   @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r,
+  @{sys}/devices/@{pci}/i2c-@{int}/**/dev r,
   @{sys}/devices/**/ r,
   @{sys}/devices/i2c-@{int}/name r,
   @{sys}/devices/platform/**/i2c-@{int}/**/name r,

apparmor.d/groups/kde/kded

@@ -12,10 +12,10 @@ profile kded @{exec_path} {
   include <abstractions/audio-client>
   include <abstractions/bus-system>
   include <abstractions/bus/org.bluez>
+  include <abstractions/bus/org.freedesktop.PolicyKit1>
   include <abstractions/consoles>
   include <abstractions/dconf-write>
-  include <abstractions/bus/org.bluez>
-  include <abstractions/bus/org.freedesktop.PolicyKit1>
+  include <abstractions/devices-usb>
   include <abstractions/graphics>
   include <abstractions/gtk>
   include <abstractions/kde-strict>
@@ -31,7 +31,8 @@ profile kded @{exec_path} {
 
   ptrace (read),
 
-  signal (send) set=hup peer=xsettingsd,
+  signal send set=hup peer=xsettingsd,
+  signal send set=term peer=kioworker,
 
   #aa:dbus own bus=system name=com.redhat.NewPrinterNotification
   #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
@@ -54,6 +55,7 @@ profile kded @{exec_path} {
   @{bin}/plasma-welcome    rPUx,
   @{bin}/python3.@{int}     rix,
   @{bin}/setxkbmap          rix,
+  @{bin}/xmodmap           rPUx,
   @{bin}/xrdb               rPx,
   @{bin}/xsetroot           rPx,
   @{bin}/xsettingsd         rPx,
@@ -73,6 +75,7 @@ profile kded @{exec_path} {
 
   /etc/fstab r,
   /etc/xdg/accept-languages.codes r,
+  /etc/xdg/baloofilerc r,
   /etc/xdg/kcminputrc r,
   /etc/xdg/kde* r,
   /etc/xdg/kioslaverc r,
@@ -83,6 +86,7 @@ profile kded @{exec_path} {
 
   / r,
 
+  owner @{HOME}/ r,
   owner @{HOME}/.gtkrc-2.0 rw,
 
         @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int},
@@ -94,6 +98,7 @@ profile kded @{exec_path} {
         @{user_config_dirs}/kcookiejarrc.lock rwk,
         @{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
   owner @{user_config_dirs}/#@{int} rw,
+  owner @{user_config_dirs}/baloofilerc r,
   owner @{user_config_dirs}/bluedevilglobalrc.lock rwk,
   owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
   owner @{user_config_dirs}/breezerc r,
@@ -125,20 +130,22 @@ profile kded @{exec_path} {
   owner @{user_config_dirs}/networkmanagement.notifyrc r,
   owner @{user_config_dirs}/plasma* r,
   owner @{user_config_dirs}/touchpadrc r,
+  owner @{user_config_dirs}/trashrc r,
   owner @{user_config_dirs}/Trolltech.conf.lock rwk,
   owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
   owner @{user_config_dirs}/xsettingsd/{,**} rw,
 
-  owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int},
   owner @{user_share_dirs}/icc/{,edid-*} r,
   owner @{user_share_dirs}/kcookiejar/#@{int} rw,
   owner @{user_share_dirs}/kcookiejar/cookies.lock rwk,
+  owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int},
   owner @{user_share_dirs}/kded{5,6}/{,**} rw,
   owner @{user_share_dirs}/kscreen/{,**} rwl,
   owner @{user_share_dirs}/kservices{5,6}/{,**} r,
   owner @{user_share_dirs}/ktp/cache.db rwk,
   owner @{user_share_dirs}/remoteview/ r,
   owner @{user_share_dirs}/services5/{,**} r,
+  owner @{user_share_dirs}/user-places.xbel r,
 
         @{run}/mount/utab r,
         @{run}/udev/data/c189:@{int} r,                # for /dev/bus/usb/**

apparmor.d/groups/kde/konsole

@@ -64,6 +64,11 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{user_share_dirs}/konsole/** rwlk,
   owner @{user_share_dirs}/kxmlgui5/konsole/{,**} r,
 
+  owner @{user_state_dirs}/#@{int} rw,
+  owner @{user_state_dirs}/konsolestaterc rw,
+  owner @{user_state_dirs}/konsolestaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int},
+  owner @{user_state_dirs}/konsolestaterc.lock rwk,
+
   owner @{tmp}/#@{int} rw,
   owner @{tmp}/konsole.@{rand6} rw,
 

apparmor.d/groups/kde/ksmserver

@@ -16,11 +16,11 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/kde-strict>
   include <abstractions/nameservice-strict>
 
-  signal (send) set=(usr1,term) peer=kscreenlocker-greet,
+  signal send set=(usr1,term) peer=kscreenlocker_greet,
 
   ptrace (read) peer=kbuildsycoca5,
 
-  unix (send, receive) type=stream peer=(label="kscreenlocker-greet",addr=none),
+  unix (send, receive) type=stream peer=(label="kscreenlocker_greet",addr=none),
 
   @{exec_path} mr,
 

apparmor.d/groups/kde/kwin_x11

@@ -50,7 +50,7 @@ profile kwin_x11 @{exec_path} {
 
   owner @{user_config_dirs}/#@{int} rw,
   owner @{user_config_dirs}/kdedefaults/plasmarc r,
-  owner @{user_config_dirs}/kwinoutputconfig.json r,
+  owner @{user_config_dirs}/kwinoutputconfig.json rw,
   owner @{user_config_dirs}/kwinrc.lock rwk,
   owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl,
   owner @{user_config_dirs}/kwinrulesrc r,

apparmor.d/groups/kde/okular

@@ -11,27 +11,47 @@ include <tunables/global>
 profile okular @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus-session>
+  include <abstractions/devices-usb>
   include <abstractions/graphics>
+  include <abstractions/kde-globals-write>
   include <abstractions/kde-strict>
   include <abstractions/nameservice-strict>
+  include <abstractions/qt5-settings-write>
   include <abstractions/user-download-strict>
   include <abstractions/user-read-strict>
   include <abstractions/user-write-strict>
 
+  network netlink raw,
+
+  signal send set=term peer=kioworker,
+
   @{exec_path} mr,
 
   @{bin}/ps2pdf   rPUx,
 
   @{bin}/gpg{,2}  rCx -> gpg,
-  @{bin}/gpgcon   rCx -> gpg,
+  @{bin}/gpgconf  rCx -> gpg,
   @{bin}/gpgsm    rCx -> gpg,
 
   @{open_path}    rPx -> child-open,
+  #aa:exec kioworker
 
   /usr/share/color-schemes/{,**} r,
   /usr/share/okular/{,**} r,
   /usr/share/poppler/{,**} r,
 
+  /etc/fstab r,
+  /etc/xdg/baloofilerc r,
+  /etc/xdg/dolphinrc r,
+  /etc/xdg/menus/ r,
+  /etc/xdg/menus/applications-merged/ r,
+
+  / r,
+  @{MOUNTS}/ r,
+
+  owner @{user_cache_dirs}/ksycoca{5,6}_* r,
+  owner @{user_cache_dirs}/okular/{,**} rw,
+
   owner @{user_config_dirs}/#@{int} rw,
   owner @{user_config_dirs}/okularpartrc rw,
   owner @{user_config_dirs}/okularpartrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
@@ -39,22 +59,52 @@ profile okular @{exec_path} {
   owner @{user_config_dirs}/okularrc rw,
   owner @{user_config_dirs}/okularrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
   owner @{user_config_dirs}/okularrc.lock rwk,
+  owner @{user_config_dirs}/baloofilerc r,
+  owner @{user_config_dirs}/dolphinrc r,
+  owner @{user_config_dirs}/okular-generator-popplerrc r,
+  owner @{user_config_dirs}/KDE/*.conf r,
+  owner @{user_config_dirs}/kioslaverc r,
+  owner @{user_config_dirs}/kservicemenurc r,
+  owner @{user_config_dirs}/kwalletrc r,
+  owner @{user_config_dirs}/menus/ r,
+  owner @{user_config_dirs}/menus/applications-merged/ r,
+  owner @{user_config_dirs}/trashrc r,
 
+  owner @{user_share_dirs}/#@{int} rw,
+  owner @{user_share_dirs}/kxmlgui{5,6}/okular/{,*} r,
   owner @{user_share_dirs}/okular/ rw,
   owner @{user_share_dirs}/okular/** rwlk -> @{user_share_dirs}/okular/**,
+  owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl -> @{user_share_dirs}/#@{int},
+  owner @{user_share_dirs}/recently-used.xbel.lock rk,
+  owner @{user_share_dirs}/user-places.xbel r,
 
-  owner @{user_cache_dirs}/okular/{,**} rw,
+  owner @{user_state_dirs}/#@{int} rw,
+  owner @{user_state_dirs}/okularstaterc rw,
+  owner @{user_state_dirs}/okularstaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int},
+  owner @{user_state_dirs}/okularstaterc.lock rwk,
 
   owner @{tmp}/#@{int} rw,
+  owner @{tmp}/okular.@{rand6} rwl -> /tmp/#@{int},
   owner @{tmp}/okular_@{rand6}.ps rwl -> /tmp/#@{int},
+  owner @{tmp}/messageviewer_attachment_@{rand6}/{,*} r, # files opened from KMail as mail attachment, 
+
+  owner @{run}/user/@{uid}/#@{int} rw,
+  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
+  owner @{run}/user/@{uid}/okular@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
+
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/mounts r,
 
   profile gpg {
     include <abstractions/base>
+    include <abstractions/consoles>
 
     @{bin}/gpg{,2}  mr,
     @{bin}/gpgcon   mr,
     @{bin}/gpgsm    mr,
 
+    owner @{HOME}/@{XDG_GPG_DIR}/*.conf r,
+
     owner @{run}/user/@{uid}/ r,
     owner @{run}/user/@{uid}/gnupg/ r,
 

apparmor.d/groups/kde/plasmashell

@@ -90,6 +90,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 
   /var/lib/AccountsService/icons/* r,
 
+  @{MOUNTS}/ r,
+
         @{HOME}/ r,
   owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
   owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
@@ -197,6 +199,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
   @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r,
 
         @{PROC}/ r,
+        @{PROC}/@{pid}/stat r,
         @{PROC}/cmdline r,
         @{PROC}/diskstats r,
         @{PROC}/loadavg r,

apparmor.d/groups/kde/sddm-greeter

@@ -49,7 +49,7 @@ profile sddm-greeter @{exec_path} {
   owner @{SDDM_HOME}/#@{int} mrw,
   owner @{sddm_cache_dirs}/** mrwkl -> @{sddm_cache_dirs}/**,
 
-  owner @{HOME}/.face.icon r,
+  @{HOME}/.face.icon r,
 
   owner @{user_cache_dirs}/ rw,
   owner @{user_cache_dirs}/icon-cache.kcache rw,

apparmor.d/groups/network/nm-dispatcher

@@ -31,20 +31,21 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   @{sh_path}                rix,
-  @{bin}/python3.@{int}     rix,
   @{bin}/basename           rix,
   @{bin}/cat                rix,
-  @{bin}/chronyc           rPUx,
   @{bin}/chown              rix,
+  @{bin}/chronyc           rPUx,
   @{bin}/date               rix,
   @{bin}/gawk               rix,
   @{bin}/grep               rix,
   @{bin}/id                 rix,
   @{bin}/invoke-rc.d        rCx -> invoke-rc,
+  @{bin}/logger             rix,
   @{bin}/mkdir              rix,
   @{bin}/mktemp             rix,
   @{bin}/netconfig         rPUx,
   @{bin}/nmcli              rix,
+  @{bin}/python3.@{int}     rix,
   @{bin}/readlink           rix,
   @{bin}/rm                 rix,
   @{bin}/run-parts          rCx -> run-parts,

apparmor.d/groups/systemd/systemd-udevd

@@ -89,15 +89,16 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
   /etc/systemd/network/ r,
   /etc/systemd/network/@{int2}-*.link r,
 
-  @{run}/udev/ rw,
-  @{run}/udev/** rwk,
-
   @{run}/credentials/systemd-udev-load-credentials.service/ r,
+  @{run}/modprobe.d/ r,
   @{run}/systemd/network/ r,
   @{run}/systemd/network/*.link rw,
   @{run}/systemd/notify rw,
   @{run}/systemd/seats/seat@{int} r,
 
+  @{run}/udev/ rw,
+  @{run}/udev/** rwk,
+
   @{sys}/** rw,
 
         @{PROC}/@{pid}/mountinfo r,

apparmor.d/profiles-a-f/btrfs

@@ -24,9 +24,15 @@ profile btrfs @{exec_path} flags=(attach_disconnected) {
   /var/lib/btrfs/scrub.status.@{uuid}{,_tmp} rwk,
 
   / r,
-  /boot/ r,
-  /home/ r,
   /.snapshots/ r,
+  /boot/ r,
+  /boot/**/ r,
+  /home/ r,
+  /opt/ r,
+  /root/ r,
+  /srv/ r,
+  /usr/local/ r,
+  /var/ r,
   @{MOUNTS}/ r,
   @{MOUNTS}/ext2_saved/ rw,
   @{MOUNTS}/ext2_saved/image rw,
@@ -44,10 +50,8 @@ profile btrfs @{exec_path} flags=(attach_disconnected) {
   @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
   @{run}/snapper-tools-*/ r,
   @{run}/snapper-tools-@{rand6}/@/.snapshots/@{int}/snapshot r,
-  
-  @{sys}/fs/btrfs/@{uuid}/exclusive_operation r,
-  @{sys}/fs/btrfs/@{uuid}/devinfo/@{int}/fsid r,
-  @{sys}/fs/btrfs/@{uuid}/devinfo/@{int}/scrub_speed_max r,
+
+  @{sys}/fs/btrfs/@{uuid}/** r,
 
         @{PROC}/partitions r,
   owner @{PROC}/@{pid}/mounts r,

apparmor.d/profiles-g-l/issue-generator

@@ -13,6 +13,7 @@ profile issue-generator @{exec_path} {
 
   @{exec_path} mr,
 
+  @{sh_path}       r,
   @{bin}/basename  rix,
   @{bin}/cat       rix,
   @{bin}/cmp       rix,

apparmor.d/profiles-m-r/pass

@@ -74,16 +74,10 @@ profile pass @{exec_path} {
 
   profile pkill {
     include <abstractions/base>
-
-    capability sys_ptrace,
-
-    ptrace read,
+    include <abstractions/app/pgrep>
 
     @{bin}/pkill mr,
 
-    @{PROC}/@{pid}/cgroup r,
-    @{PROC}/tty/drivers r,
-
     include if exists <local/pass_pkill>
   }
 

apparmor.d/profiles-m-r/pinentry-qt

@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/pinentry-qt
 profile pinentry-qt @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/fontconfig-cache-read>
   include <abstractions/graphics>
   include <abstractions/kde-strict>

apparmor.d/profiles-s-z/su

@@ -28,6 +28,8 @@ profile su @{exec_path} {
 
   @{etc_ro}/default/su r,
 
+  @{HOME}/.xauth@{rand6} rw,
+
   include if exists <local/su>
 }
 

apparmor.d/profiles-s-z/xauth

@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/xauth
 profile xauth @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
   @{exec_path} mr,

apparmor.d/profiles-s-z/xclip

@@ -10,14 +10,13 @@ include <tunables/global>
 @{exec_path} = @{bin}/xclip
 profile xclip @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/X-strict>
 
   network unix stream,
 
   @{exec_path} mr,
 
-  deny /dev/tty rw,
-
   include if exists <local/xclip>
 }