diff --git a/apparmor.d/groups/children/user_confined b/apparmor.d/groups/children/user_confined
new file mode 100644
index 00000000..3cfbe05f
--- /dev/null
+++ b/apparmor.d/groups/children/user_confined
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow confined users to read, write, lock and link to their own files
+# anywhere, and execute from some places.
+
+abi ,
+
+include
+
+profile user_confined flags=(complain) {
+ include
+ include
+ include
+ include
+
+ deny capability sys_ptrace,
+
+ @{bin}/** Pixmr,
+
+ owner /** rwkl,
+ owner @{HOMEDIRS}/bin/** ixmr,
+ owner @{user_bin_dirs}/** ixmr,
+
+ @{PROC}/** r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/children/user_default b/apparmor.d/groups/children/user_default
new file mode 100644
index 00000000..e6f9325f
--- /dev/null
+++ b/apparmor.d/groups/children/user_default
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# By default, allow users to read, lock and link to their own files anywhere,
+# but only write to files in their home directory. Only allow limited execution
+# of files.
+
+abi ,
+
+include
+
+profile user_default flags=(complain) {
+ include
+ include
+ include
+ include
+
+ deny capability sys_ptrace,
+
+ @{bin}/** Pixmr,
+
+ owner /** rkl,
+ owner @{HOMEDIRS}/ w,
+ owner @{HOMEDIRS}/** w,
+
+ @{PROC}/** r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/children/user_unconfined b/apparmor.d/groups/children/user_unconfined
new file mode 100644
index 00000000..15cd913c
--- /dev/null
+++ b/apparmor.d/groups/children/user_unconfined
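Review bot: The new role profiles drop the context that the deleted `pam_roles` header carried — nothing in `user_confined` (and the same holds for `user_default` in the next hunk) says that these are pam_apparmor role targets entered from `pam/mappings`, nor why they stay in `flags=(complain)`, where the allow rules are audited rather than enforced. I would put `# Role profile: entered from pam/mappings via pam_apparmor (rPx -> user_confined).` above the `profile` line and a second comment on the flag, e.g. `# complain: allow rules are logged, not enforced, until the role has been validated on real sessions.`, so a reader does not take the rule set as enforced policy. The `abi`/`include` targets appear stripped in this rendering, so I cannot confirm which local-override file the trailing `include if exists` points at.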
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+profile user_unconfined flags=(attach_disconnected,mediate_deleted) {
+
+ capability,
+ network,
+ mount,
+ remount,
+ umount,
+ pivot_root,
+ ptrace,
+ signal,
+ dbus,
+ unix,
+ file,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-m-r/pam/mappings b/apparmor.d/profiles-m-r/pam/mappings
index e6a7ab08..0f9d039f 100644
--- a/apparmor.d/profiles-m-r/pam/mappings
+++ b/apparmor.d/profiles-m-r/pam/mappings
@@ -23,8 +23,7 @@
 /etc/default/su r,
 @{etc_ro}/environment r,
- @{bin}/{,b,d,rb}ash rPx -> default_user,
- @{bin}/{c,k,tc,z}sh rPx -> default_user,
+ @{shells_path} rPx -> user_default,
 include if exists
 }
@@ -41,7 +40,7 @@
 capability setgid,
 capability setuid,
- @{bin}/@{shells} rPx -> confined_user,
+ @{shells_path} rPx -> user_confined,
 /etc/default/su r,
 @{etc_ro}/environment r,
@@ -62,7 +61,7 @@
 capability setgid,
 capability setuid,
- @{bin}/@{shells} rUx,
+ @{shells_path} rUx,
 /etc/default/su r,
 @{etc_ro}/environment r,
diff --git a/apparmor.d/profiles-m-r/pam_roles b/apparmor.d/profiles-m-r/pam_roles
deleted file mode 100644
index 5846b09e..00000000
--- a/apparmor.d/profiles-m-r/pam_roles
+++ /dev/null
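Review bot: `user_unconfined` is defined here but nothing in this diff attaches it: the only mapping that could use it, the `@@ -62,7 +61,7 @@` hunk of `pam/mappings`, keeps `@{shells_path} rUx,`, which makes the shell genuinely unconfined instead of transitioning into this profile. If this profile is meant to be the third role target, that line should read `@{shells_path} rPx -> user_unconfined,`; if `rUx` is intentional, a header comment on this file should say what is expected to enter it, otherwise it is an unused profile that reads like live policy. A profile assembled from bare rule classes is also not the same thing as unconfined — anything not listed (for example `change_profile`, or a mediation class added by a later abi) stays denied — so a comment such as `# Near-unconfined role: every listed rule class is allowed; anything unlisted is still denied.` above the `profile` line would spare the next reader that surprise.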
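Review bot: `@{shells_path}` is introduced on the added line of this hunk (and of the `-41` and `-62` hunks below) but nothing in this diff defines it; unless it is already declared in the tunables, `pam/mappings` will fail to parse, and its expansion now decides which binaries may carry the `Px` transition into `user_default` and `user_confined`, where the removed lines spelled the shells out (`@{bin}/{,b,d,rb}ash`, `@{bin}/{c,k,tc,z}sh`). I would add a comment above the first use, `# @{shells_path}: login shells allowed to enter the role profiles (see tunables — confirm the definition)`, and check that the variable's expansion is no wider than the previous `@{bin}/@{shells}` set, since every path it matches becomes an entry point into a role. The enclosing profile blocks start and end outside the hunks.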
@@ -1,54 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-#
-# See more at: https://gitlab.com/apparmor/apparmor/wikis/Pam_apparmor_example
-
-#
-# This file contains the roles as referenced by pam/mappings
-#
-
-abi ,
-
-include
-
-# By default, allow users to read, lock and link to their own files anywhere,
-# but only write to files in their home directory. Only allow limited execution
-# of files.
-profile default_user flags=(complain) {
- include
- include
- include
- include
-
- deny capability sys_ptrace,
-
- @{bin}/** Pixmr,
-
- owner /** rkl,
- @{PROC}/** r,
-
- owner @{HOMEDIRS}/ w,
- owner @{HOMEDIRS}/** w,
-
-}
-
-# Allow confined_users to read, write, lock and link to their own files
-# anywhere, and execute from some places.
-profile confined_user flags=(complain) {
- include
- include
- include
- include
-
- deny capability sys_ptrace,
-
- @{bin}/** Pixmr,
- owner @{HOMEDIRS}/bin/** ixmr,
- owner @{user_bin_dirs}/** ixmr,
-
- owner /** rwkl,
- @{PROC}/** r,
-
-}