diff --git a/pkg/aa/data_test.go b/pkg/aa/data_test.go index 8525b2d9..b3d01a70 100644 --- a/pkg/aa/data_test.go +++ b/pkg/aa/data_test.go @@ -64,25 +64,37 @@ var ( "operation": "mount", "info": "failed perms check", "error": "-13", - "profile": "dockerd", - "name": "/var/lib/docker/overlay2/metacopy-check906831159/merged/", - "comm": "dockerd", - "fstype": "overlay", - "srcname": "overlay", + "profile": "loupe", + "name": "/newroot/dev/tty", + "comm": "bwrap", + "srcname": "/oldroot/dev/tty", + "flags": "rw, rbind", } mount1 = &Mount{ Qualifier: Qualifier{Comment: "failed perms check"}, - MountConditions: MountConditions{FsType: "overlay", Options: []string{}}, + MountConditions: MountConditions{FsType: "overlay"}, Source: "overlay", MountPoint: "/var/lib/docker/overlay2/opaque-bug-check1209538631/merged/", } mount2 = &Mount{ Qualifier: Qualifier{Comment: "failed perms check"}, - MountConditions: MountConditions{FsType: "overlay", Options: []string{}}, - Source: "overlay", - MountPoint: "/var/lib/docker/overlay2/metacopy-check906831159/merged/", + MountConditions: MountConditions{Options: []string{"rw", "rbind"}}, + Source: "/oldroot/dev/tty", + MountPoint: "/newroot/dev/tty", } + // Umount + umount1Log = map[string]string{ + "apparmor": "ALLOWED", + "class": "mount", + "operation": "umount", + "profile": "systemd", + "name": "/", + "comm": "(ostnamed)", + } + umount1 = &Umount{MountPoint: "/"} + umount2 = &Umount{MountPoint: "/oldroot/"} + // PivotRoot // pivotroot1LogStr = `apparmor="ALLOWED" operation="pivotroot" class="mount" profile="systemd" name="@{run}/systemd/mount-rootfs/" comm="(ostnamed)" srcname="@{run}/systemd/mount-rootfs/"` pivotroot1Log = map[string]string{ diff --git a/pkg/aa/rules_test.go b/pkg/aa/rules_test.go index 1ac83c88..0699f123 100644 --- a/pkg/aa/rules_test.go +++ b/pkg/aa/rules_test.go 
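Review bot: The rewritten log fixture in this hunk (presumably `mount2Log`; its name sits above the hunk) and the updated `mount2` are not paired by any case visible in the rules_test.go hunks, where `TestRule_FromLog` only matches `mount1Log` against `mount1`. Unless a case outside the hunks covers it, the new `"flags": "rw, rbind"` to `Options: []string{"rw", "rbind"}` conversion is unasserted, and a parser that silently dropped the flags would presumably yield a mount rule broader than the logged operation. I would add a second mount case to `TestRule_FromLog` that feeds this map and expects `mount2`. A short comment above the map, such as `// bwrap rbind of /dev/tty: no fstype, flags only`, would also record why `FsType` is absent from `mount2`.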
@@ -34,6 +34,12 @@ func TestRule_FromLog(t *testing.T) {
 log: mount1Log,
 want: mount1,
 },
+ {
+ name: "umount",
+ fromLog: UmountFromLog,
+ log: umount1Log,
+ want: umount1,
+ },
 {
 name: "pivotroot",
 fromLog: PivotRootFromLog,
@@ -153,6 +159,12 @@ func TestRule_Less(t *testing.T) {
 other: mount2,
 want: false,
 },
+ {
+ name: "umount",
+ rule: umount1,
+ other: umount2,
+ want: true,
+ },
 {
 name: "pivot_root1",
 rule: pivotroot2,
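Review bot: The `umount` case added to `TestRule_Less` in the second hunk checks only one direction, so a `Less` that returned true regardless of `MountPoint` would still pass. Adding the mirrored case, `{name: "umount_reverse", rule: umount2, other: umount1, want: false},`, pins the ordering between `"/"` and `"/oldroot/"`. The test table starts and ends outside the hunk, so the case name is only a suggestion and should follow whatever naming the rest of the table uses.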