diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers
index fc31d6fb..2f395e4e 100644
--- a/apparmor.d/groups/systemd/systemd-sysusers
+++ b/apparmor.d/groups/systemd/systemd-sysusers
@@ -23,14 +23,18 @@ profile systemd-sysusers @{exec_path} {
 /run/{,**} rw,
 /etc/ r,
+ /etc/nsswitch.conf r,
 /etc/passwd r,
- /etc/group r,
- /etc/gshadow r,
+ /etc/group rw,
+ /etc/group- rw,
+ /etc/gshadow rw,
+ /etc/gshadow- rw,
 /etc/.#group* rw,
 /etc/.#gshadow* rw,
 /etc/.pwd.lock rwk,
 owner @{PROC}/@{pid}/stat r,
+ @{PROC}/sys/kernel/random/boot_id r,
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 775cc877..e52b2b09 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -52,6 +52,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
 /etc/console-setup/*.sh rPUx,
+ /etc/machine-id r,
+ /etc/default/* r,
 /etc/udev/ r,
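Review bot: The write grant in the systemd-sysusers hunk covers only the group databases: `/etc/passwd r,` stays read-only and no `/etc/shadow` rule is visible. If this profile is meant to confine user creation as well as group creation, those writes would presumably still be denied once the profile is enforced. If so, the user databases need the same treatment as group/gshadow, i.e. the file, its `-` backup and the `.#` temp pattern, for example `/etc/passwd rw,`, `/etc/passwd- rw,`, `/etc/.#passwd* rw,` and the shadow equivalents. If the omission is deliberate, a one-line comment such as `# group/gshadow only: user creation is intentionally not permitted here` would stop a later reader from widening it by accident. Since `/etc/gshadow` holds credential material, a short comment above the new `rw` rules saying why write access is needed would also help reviewers audit the grant. The profile body starts before this hunk, so rules outside it may already cover some of this.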