diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates
index e30faa49..4138106c 100644
--- a/apparmor.d/groups/apt/apt-extracttemplates
+++ b/apparmor.d/groups/apt/apt-extracttemplates
@@ -28,6 +28,7 @@ profile apt-extracttemplates @{exec_path} {
   owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
 
   owner /tmp/*.{config,template}.@{rand6} rw,
+  owner /var/cache/debconf/tmp.ci/*.{config,template}.@{rand6} rw,
 
   owner @{PROC}/@{pid}/fd/ r,
 
diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives
index 92d56011..c76def1a 100644
--- a/apparmor.d/profiles-s-z/update-alternatives
+++ b/apparmor.d/profiles-s-z/update-alternatives
@@ -14,25 +14,21 @@ profile update-alternatives @{exec_path} {
 
   @{exec_path} mr,
 
-  /var/log/alternatives.log w,
+  @{bin}/* w,
+  @{bin}/*.dpkg-tmp rw,
+  @{lib}/firmware/* rw,
 
+  /usr/** rw,
+
+  /etc/**.dpkg-tmp rw,
   /etc/alternatives/* rw,
 
   /var/lib/dpkg/alternatives/ r,
   /var/lib/dpkg/alternatives/* rw,
+  /var/log/alternatives.log w,
 
   owner /var/lib/alternatives/ r,
   owner /var/lib/alternatives/* rw,
 
-  @{bin}/* w,
-  @{bin}/*.dpkg-tmp rw,
-
-  @{bin}/* w,
-  @{bin}/*.dpkg-tmp rw,
-
-  /usr/** rw,
-
-  @{lib}/firmware/* rw,
-
   include if exists <local/update-alternatives>
 }