diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user
index 7bf9094c..22d0c786 100644
--- a/apparmor.d/abstractions/app-launcher-user
+++ b/apparmor.d/abstractions/app-launcher-user
@@ -13,6 +13,10 @@
   /usr/local/bin/              r,
   /usr/local/bin/[a-zA-Z0-9]*  rPUx,
 
+  # All apps in opt
+  /opt/*/                 r,
+  /opt/*/[a-zA-Z0-9]*    rPUx,
+
   # Firefox
   /{usr/,}lib/                 r,
   /{usr/,}lib/firefox/         r,
@@ -34,10 +38,4 @@
   /usr/share/discord/        r,
   /usr/share/discord/Discord rPx,
 
-  # FreeTube
-  /opt/FreeTube/                 r,
-  /opt/FreeTube/freetube         rPx,
-  /opt/FreeTube-Vue/             r,
-  /opt/FreeTube-Vue/freetube-vue rPx,
-
   include if exists <abstractions/app-launcher-user.d>
\ No newline at end of file
diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open
index 9d96d6b0..96a8e67b 100644
--- a/apparmor.d/groups/freedesktop/xdg-open
+++ b/apparmor.d/groups/freedesktop/xdg-open
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -9,8 +10,8 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/xdg-open
 profile xdg-open @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/consoles>
   include <abstractions/app-launcher-user>
+  include <abstractions/consoles>
 
   @{exec_path} r,
 
@@ -29,27 +30,16 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/gio          rPx,
   #/{usr/,}bin/kde-open5  rPUx,
 
-  # When xdg-open is run as root, it wants to exec dbus-launch, and hence it creates the two
-  # following root processes:
-  #  dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
-  #  /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
-  #
-  # Should this be allowed? Xdg-open works fine without this.
-  #/{usr/,}bin/dbus-launch        rCx -> dbus,
-  #/{usr/,}bin/dbus-send          rCx -> dbus,
-  deny /{usr/,}bin/dbus-launch rx,
-  deny /{usr/,}bin/dbus-send   rx,
+  /{usr/,}bin/dbus-launch  rCx -> dbus,
+  /{usr/,}bin/dbus-send    rCx -> dbus,
 
   /usr/share/applications/*.desktop r,
-  owner @{user_share_dirs}/applications/ r,
-
-  owner @{HOME}/.Xauthority r,
 
         /** r,
   owner /** rw,
 
-  # file_inherit
-  /dev/dri/card[0-9]* rw,
+  owner @{user_share_dirs}/applications/ r,
+
   /dev/tty rw,
 
   profile dbus {
diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop
index e28c11b0..22bcffe5 100644
--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@@ -9,6 +9,7 @@ include <tunables/global>
 
 @{exec_path}  = /{usr/,}bin/gio
 @{exec_path} += /{usr/,}bin/gio-launch-desktop
+@{exec_path} += /{usr/,}lib/gio-launch-desktop
 @{exec_path} += /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop
 profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music
index cfd50ca0..f82dfbb1 100644
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@@ -15,6 +15,9 @@ profile gnome-music @{exec_path} {
   include <abstractions/gstreamer>
   include <abstractions/mesa>
   include <abstractions/nameservice-strict>
+  include <abstractions/opencl-intel>
+  include <abstractions/opencl-mesa>
+  include <abstractions/opencl-nvidia>
   include <abstractions/openssl>
   include <abstractions/p11-kit>
   include <abstractions/python>
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index a25a92e0..e7472804 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -9,7 +9,6 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/nautilus
 profile nautilus @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/app-launcher-user>
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
   include <abstractions/dconf-write>
diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl
index ff1aa886..6771e8db 100644
--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
@@ -20,7 +20,9 @@ profile bootctl @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/less       rPx -> child-pager,
+  /{usr/,}bin/less  rPx -> child-pager,
+  /{usr/,}bin/more  rPx -> child-pager,
+  /{usr/,}bin/pager rPx -> child-pager,
 
   /{boot,efi}/ r,
   /{boot,efi}/EFI/{,**} r,
diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl
index e7841b7d..6cd88e78 100644
--- a/apparmor.d/groups/systemd/busctl
+++ b/apparmor.d/groups/systemd/busctl
@@ -9,8 +9,19 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/busctl
 profile busctl @{exec_path} {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  ptrace (read),
 
   @{exec_path} mr,
 
+  /{usr/,}bin/less  rPx -> child-pager,
+  /{usr/,}bin/more  rPx -> child-pager,
+  /{usr/,}bin/pager rPx -> child-pager,
+
+  @{PROC}/@{pids}/cgroup r,
+  @{PROC}/@{pids}/comm r,
+  @{PROC}/@{pids}/stat r,
+
   include if exists <local/busctl>
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl
index 5bf16d3b..9a027e43 100644
--- a/apparmor.d/groups/systemd/coredumpctl
+++ b/apparmor.d/groups/systemd/coredumpctl
@@ -17,9 +17,9 @@ profile coredumpctl @{exec_path} flags=(complain) {
 
   /{usr/,}bin/gdb   rCx -> gdb,
 
-  /{usr/,}bin/pager rPx -> child-pager,
   /{usr/,}bin/less  rPx -> child-pager,
   /{usr/,}bin/more  rPx -> child-pager,
+  /{usr/,}bin/pager rPx -> child-pager,
 
   owner /tmp/*.coredump w,
   owner /tmp/core.* w,
diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl
index a8527160..772c7c4b 100644
--- a/apparmor.d/groups/systemd/journalctl
+++ b/apparmor.d/groups/systemd/journalctl
@@ -23,9 +23,9 @@ profile journalctl @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/pager rPx -> child-pager,
   /{usr/,}bin/less  rPx -> child-pager,
   /{usr/,}bin/more  rPx -> child-pager,
+  /{usr/,}bin/pager rPx -> child-pager,
 
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,
diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl
index 68171dd8..2b3821df 100644
--- a/apparmor.d/groups/systemd/localectl
+++ b/apparmor.d/groups/systemd/localectl
@@ -13,9 +13,9 @@ profile localectl @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/pager rPx -> child-pager,
   /{usr/,}bin/less  rPx -> child-pager,
   /{usr/,}bin/more  rPx -> child-pager,
+  /{usr/,}bin/pager rPx -> child-pager,
 
   /usr/share/kbd/keymaps/{,**} r,
 
diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl
index 7006a77f..7fc78f74 100644
--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@@ -31,9 +31,9 @@ profile networkctl @{exec_path} flags=(attach_disconnected,complain) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/pager            rPx -> child-pager,
-  /{usr/,}bin/less             rPx -> child-pager,
-  /{usr/,}bin/more             rPx -> child-pager,
+  /{usr/,}bin/less  rPx -> child-pager,
+  /{usr/,}bin/more  rPx -> child-pager,
+  /{usr/,}bin/pager rPx -> child-pager,
 
   /etc/udev/hwdb.bin r,
   /var/lib/dbus/machine-id r,
diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls
index 16aeb189..10b1671f 100644
--- a/apparmor.d/groups/systemd/systemd-cgls
+++ b/apparmor.d/groups/systemd/systemd-cgls
@@ -14,9 +14,9 @@ profile systemd-cgls @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/pager     rPx -> child-pager,
-  /{usr/,}bin/less      rPx -> child-pager,
-  /{usr/,}bin/more      rPx -> child-pager,
+  /{usr/,}bin/less  rPx -> child-pager,
+  /{usr/,}bin/more  rPx -> child-pager,
+  /{usr/,}bin/pager rPx -> child-pager,
 
   @{sys}/fs/cgroup/{,**} r,
 
diff --git a/apparmor.d/groups/systemd/systemd-cgtop b/apparmor.d/groups/systemd/systemd-cgtop
index 9bfdc413..edb6b844 100644
--- a/apparmor.d/groups/systemd/systemd-cgtop
+++ b/apparmor.d/groups/systemd/systemd-cgtop
@@ -12,9 +12,9 @@ profile systemd-cgtop @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/pager     rPx -> child-pager,
-  /{usr/,}bin/less      rPx -> child-pager,
-  /{usr/,}bin/more      rPx -> child-pager,
+  /{usr/,}bin/less  rPx -> child-pager,
+  /{usr/,}bin/more  rPx -> child-pager,
+  /{usr/,}bin/pager rPx -> child-pager,
 
   @{sys}/fs/cgroup/{,**} r,
 
diff --git a/apparmor.d/groups/systemd/systemd-mount b/apparmor.d/groups/systemd/systemd-mount
index 9ac10bc7..3db96312 100644
--- a/apparmor.d/groups/systemd/systemd-mount
+++ b/apparmor.d/groups/systemd/systemd-mount
@@ -14,9 +14,9 @@ profile systemd-mount @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/pager rPx -> child-pager,
   /{usr/,}bin/less  rPx -> child-pager,
   /{usr/,}bin/more  rPx -> child-pager,
+  /{usr/,}bin/pager rPx -> child-pager,
 
   @{sys}/bus/ r,
   @{sys}/class/ r,
diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent
index 021c1292..339e4b73 100644
--- a/apparmor.d/profiles-m-r/pkttyagent
+++ b/apparmor.d/profiles-m-r/pkttyagent
@@ -38,6 +38,9 @@ profile pkttyagent @{exec_path} {
 
   @{exec_path} mr,
 
+  @{libexec}/polkit-agent-helper-[0-9]                rPx,
+  /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9]  rPx,
+
   owner @{PROC}/@{pids}/stat r,
 
   /dev/tty rw,