Tunables polishing (#281)

* adjust xorg display number * remove wildcard from python version * python wildcard #2 * unconventional tails * Delete apparmor.d/groups/apps/android-studio --------- Co-authored-by: nobody43 <nobody43@users.noreply.github.com>
2025-01-18 00:48:10 +01:00 · 2024-01-25 12:44:47 +00:00 · 2024-01-25 12:44:47 +00:00 · b376e9fade
commit b376e9fade
parent 765fa1bdb8
69 changed files with 88 additions and 88 deletions
--- a/apparmor.d/abstractions/X-strict
+++ b/apparmor.d/abstractions/X-strict
@ -17,7 +17,7 @@
  owner @{HOME}/.Xauthority r,  # Xauthority files required for X connections, per user
 
        /tmp/.ICE-unix/* rw,
-        /tmp/.X{0,1}-lock rw,
+        /tmp/.X@{int}-lock rw,
        /tmp/.X11-unix/* rw,
  owner /tmp/xauth_@{rand6} rl -> /tmp/#@{int},

--- a/apparmor.d/groups/apps/calibre
+++ b/apparmor.d/groups/apps/calibre
@ -50,7 +50,7 @@ profile calibre @{exec_path} {
  unix (bind)          type=stream addr="@calibre-*",

  @{exec_path} mrix,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/ldconfig{,.real} rix,
  @{bin}/{,ba,da}sh       rix,
--- a/apparmor.d/groups/apps/discord
+++ b/apparmor.d/groups/apps/discord
@ -143,7 +143,7 @@ profile discord @{exec_path} {
    signal (receive) set=(kill, term) peer=discord,

    @{bin}/lsb_release r,
-    @{bin}/python3.[0-9]* r,
+    @{bin}/python3.@{int} r,

    @{bin}/ r,
    @{bin}/apt-cache rPx,
--- a/apparmor.d/groups/apps/dropbox
+++ b/apparmor.d/groups/apps/dropbox
@ -29,7 +29,7 @@ profile dropbox @{exec_path} {
  @{exec_path} r,

  @{bin}/ r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  # Dropbox home files
  owner @{HOME}/ r,
--- a/apparmor.d/groups/apt/apt-listchanges
+++ b/apparmor.d/groups/apt/apt-listchanges
@ -16,7 +16,7 @@ profile apt-listchanges @{exec_path} {
  #capability sys_tty_config,

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/ r,
  @{bin}/{,ba,da}sh     rix,
--- a/apparmor.d/groups/apt/command-not-found
+++ b/apparmor.d/groups/apt/command-not-found
@ -18,7 +18,7 @@ profile command-not-found @{exec_path} {
  include <abstractions/python>

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/lsb_release rPx -> lsb_release,
  @{bin}/snap rPUx,
--- a/apparmor.d/groups/apt/debsecan
+++ b/apparmor.d/groups/apt/debsecan
@ -21,7 +21,7 @@ profile debsecan @{exec_path} {
  network inet6 stream,

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/           r,
  @{bin}/{,ba,da}sh rix,
--- a/apparmor.d/groups/apt/debtags
+++ b/apparmor.d/groups/apt/debtags
@ -16,7 +16,7 @@ profile debtags @{exec_path} {
  #capability sys_tty_config,

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/ r,
  @{bin}/dpkg rPx -> child-dpkg,
--- a/apparmor.d/groups/apt/querybts
+++ b/apparmor.d/groups/apt/querybts
@ -26,7 +26,7 @@ profile querybts @{exec_path} {
  network netlink raw,

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/ r,
  @{bin}/{,ba,da}sh rix,
--- a/apparmor.d/groups/apt/reportbug
+++ b/apparmor.d/groups/apt/reportbug
@ -31,7 +31,7 @@ profile reportbug @{exec_path} {
  @{exec_path} r,

  @{bin}/ r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/ldconfig         rix,
  @{bin}/selinuxenabled   rix,
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -42,7 +42,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  @{bin}/echo                     rix,
  @{bin}/gdbus                    rix,
  @{bin}/ischroot                 rix,
-  @{bin}/python3.[0-9]*           rix,
+  @{bin}/python3.@{int}           rix,
  @{bin}/test                     rix,
  @{bin}/touch                    rix,
  @{bin}/uname                    rix,
--- a/apparmor.d/groups/apt/update-apt-xapian-index
+++ b/apparmor.d/groups/apt/update-apt-xapian-index
@ -13,7 +13,7 @@ profile update-apt-xapian-index @{exec_path} {
  include <abstractions/python>

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/ r,
  @{bin}/dpkg rPx -> child-dpkg,
--- a/apparmor.d/groups/bus/ibus-engine-table
+++ b/apparmor.d/groups/bus/ibus-engine-table
@ -14,7 +14,7 @@ profile ibus-engine-table @{exec_path} {
  @{exec_path} mr,

  @{bin}/{,ba,da}sh      rix,
-  @{bin}/python3.[0-9]*  rix,
+  @{bin}/python3.@{int}  rix,

  /usr/share/ibus-table/engine/{,**} r,
  /usr/share/ibus-table/tables/ r,
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@ -65,15 +65,15 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/.xsession-errors w,

  owner @{user_share_dirs}/xorg/ rw,
-  owner @{user_share_dirs}/xorg/Xorg.[0-9].log{,.old} rw,
+  owner @{user_share_dirs}/xorg/Xorg.@{int}.log{,.old} rw,
  owner @{user_share_dirs}/xorg/Xorg.pid-@{pid}.log{,.old} rw,

  owner /var/log/lightdm/x-*.log* rw,
-  owner /var/log/Xorg.[0-9].log{,.old} rw,
+  owner /var/log/Xorg.@{int}.log{,.old} rw,
  owner /var/log/Xorg.pid-@{pid}.log{,.old} rw,

  /var/lib/gdm{3,}/.local/share/xorg/ rw,
-  /var/lib/gdm{3,}/.local/share/xorg/Xorg.[0-9].log{,.old} rw,
+  /var/lib/gdm{3,}/.local/share/xorg/Xorg.@{int}.log{,.old} rw,
  /var/lib/gdm{3,}/.local/share/xorg/Xorg.pid-@{pid}.log{,.old} rw,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,

@ -82,9 +82,9 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
  @{run}/lightdm/{,**} rw,

        /tmp/ r,
-        /tmp/server-[0-9].xkm rw,
-  owner /tmp/.tX[0-9]-lock rwk,
-  owner /tmp/.X[0-9]-lock rwkl -> /tmp/.tX[0-9]-lock,
+        /tmp/server-@{int}.xkm rw,
+  owner /tmp/.tX@{int}-lock rwk,
+  owner /tmp/.X@{int}-lock rwkl -> /tmp/.tX@{int}-lock,
  owner /tmp/server-* rwk,
  owner /tmp/serverauth.* r,

--- a/apparmor.d/groups/gnome/gnome-browser-connector-host
+++ b/apparmor.d/groups/gnome/gnome-browser-connector-host
@ -15,9 +15,9 @@ profile gnome-browser-connector-host @{exec_path} {
  @{exec_path} mr,

  @{bin}/env             rix,
-  @{bin}/python3.[0-9]*  rix,
+  @{bin}/python3.@{int}  rix,

-  @{lib}/python3.[0-9]*/site-packages/gnome_browser_connector/__pycache__/{,**} rw,
+  @{lib}/python3.@{int}/site-packages/gnome_browser_connector/__pycache__/{,**} rw,

  /usr/share/glib-2.0/schemas/gschemas.compiled r,

--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@ -28,8 +28,8 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,
  @{bin}/ r,
-  @{bin}/python3.[0-9]* rix,
-  @{lib}/python3.[0-9]*/site-packages//gnomemusic/__pycache__/{,**} rw,
+  @{bin}/python3.@{int} rix,
+  @{lib}/python3.@{int}/site-packages//gnomemusic/__pycache__/{,**} rw,

  /usr/share/grilo-plugins/grl-lua-factory/{,*} r,
  /usr/share/org.gnome.Music/{,**} r,
--- a/apparmor.d/groups/gnome/gnome-tweaks
+++ b/apparmor.d/groups/gnome/gnome-tweaks
@ -18,9 +18,9 @@ profile gnome-tweaks @{exec_path} {

  @{bin}/ r,
  @{bin}/ps rPx,
-  @{bin}/python3.[0-9]* rix,
+  @{bin}/python3.@{int} rix,

-  @{lib}/python3.[0-9]*/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w,
+  @{lib}/python3.@{int}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w,

  /usr/share/gnome-tweaks/{,**} r,

--- a/apparmor.d/groups/kde/kconf_update
+++ b/apparmor.d/groups/kde/kconf_update
@ -27,7 +27,7 @@ profile kconf_update @{exec_path} {

  @{bin}/{,ba,da}sh                      rix,
  @{bin}/{,p}grep                        rix,
-  @{bin}/python3.[0-9]*                  rix,
+  @{bin}/python3.@{int}                  rix,
  @{bin}/qtpaths                         rix,
  @{bin}/sed                             rix,

--- a/apparmor.d/groups/kde/kwin_wayland_wrapper
+++ b/apparmor.d/groups/kde/kwin_wayland_wrapper
@ -21,7 +21,7 @@ profile kwin_wayland_wrapper @{exec_path} {
  owner @{run}/user/@{uid}/#@{int} rw,
  owner @{run}/user/@{uid}/xauth_@{rand6} w,

-  owner /tmp/.X1-lock rw,
+  owner /tmp/.X@{int}-lock rw,

  include if exists <local/kwin_wayland_wrapper>
 }
--- a/apparmor.d/groups/pacman/pacman-hook-code
+++ b/apparmor.d/groups/pacman/pacman-hook-code
@ -16,7 +16,7 @@ profile pacman-hook-code @{exec_path} {
  @{exec_path} mr,

  @{bin}/env r,
-  @{bin}/python3.[0-9]* rix,
+  @{bin}/python3.@{int} rix,

  @{lib}/code/product.json rw,

--- a/apparmor.d/groups/ubuntu/apport-checkreports
+++ b/apparmor.d/groups/ubuntu/apport-checkreports
@ -15,7 +15,7 @@ profile apport-checkreports @{exec_path} flags=(attach_disconnected)  {

  @{exec_path} mr,

-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  /usr/share/dpkg/cputable r,
  /usr/share/dpkg/tupletable r,
--- a/apparmor.d/groups/ubuntu/software-properties-dbus
+++ b/apparmor.d/groups/ubuntu/software-properties-dbus
@ -28,7 +28,7 @@ profile software-properties-dbus @{exec_path} {

  @{exec_path} mr,

-  @{bin}/python3.[0-9]*  rix,
+  @{bin}/python3.@{int}  rix,
  @{bin}/env             rix,
  @{bin}/apt-key         rPx,  # Changing trusted keys
  @{bin}/lsb_release     rPx -> lsb_release,
@ -40,7 +40,7 @@ profile software-properties-dbus @{exec_path} {
  /usr/share/distro-info/*.csv r,
  /usr/share/xml/iso-codes/{,**} r,

-  owner /tmp/???????? rw,
+  owner /tmp/???????? rw,  # unconventional '_' tail
  owner /tmp/tmp????????/ w, # change to 'c'
  owner /tmp/tmp????????/apt.conf w,

--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
@ -48,7 +48,7 @@ profile software-properties-gtk @{exec_path} {

  @{bin}/ r,

-  @{bin}/python3.[0-9]*           r,
+  @{bin}/python3.@{int}           r,
  @{bin}/{,da,ba}sh               rix,
  @{bin}/aplay                    rPx,
  @{bin}/apt-key                  rPx,
--- a/apparmor.d/groups/ubuntu/update-motd-updates-available
+++ b/apparmor.d/groups/ubuntu/update-motd-updates-available
@ -19,7 +19,7 @@ profile update-motd-updates-available @{exec_path} {

  @{exec_path} mr,

-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/{,ba,da}sh                    rix,
  @{bin}/apt-config                    rPx,
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@ -62,7 +62,7 @@ profile update-notifier @{exec_path} {
  /usr/share/apport/apport-checkreports          rPx,
  /usr/share/apport/apport-gtk                   rPx,

-  @{lib}/python3.[0-9]*/dist-packages/{apt,gi}/**/__pycache__/{,**} rw,
+  @{lib}/python3.@{int}/dist-packages/{apt,gi}/**/__pycache__/{,**} rw,

  /usr/share/dpkg/cputable r,
  /usr/share/dpkg/tupletable r,
--- a/apparmor.d/profiles-a-f/arandr
+++ b/apparmor.d/profiles-a-f/arandr
@ -18,7 +18,7 @@ profile arandr @{exec_path} {
  include <abstractions/nameservice-strict>

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/ r,
  @{bin}/xrandr rPx,
--- a/apparmor.d/profiles-a-f/borg
+++ b/apparmor.d/profiles-a-f/borg
@ -29,7 +29,7 @@ profile borg @{exec_path} {
  @{exec_path} r,

  @{bin}/ r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/{,@{multiarch}-}ld.bfd rix,
  @{bin}/cat                    rix,
--- a/apparmor.d/profiles-a-f/convertall
+++ b/apparmor.d/profiles-a-f/convertall
@ -23,7 +23,7 @@ profile convertall @{exec_path} {
  @{exec_path} r,
  @{bin}/{,ba,da}sh     rix,

-  @{bin}/python3.[0-9]* rix,
+  @{bin}/python3.@{int} rix,

  owner @{HOME}/.convertall rw,

--- a/apparmor.d/profiles-a-f/cupsd
+++ b/apparmor.d/profiles-a-f/cupsd
@ -56,7 +56,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
  @{bin}/ippfind             rix,
  @{bin}/mktemp              rix,
  @{bin}/printenv            rix,
-  @{bin}/python3.[0-9]*      rix,
+  @{bin}/python3.@{int}      rix,
  @{bin}/rm                  rix,
  @{bin}/sed                 rix,
  @{bin}/smbspool            rPx,
--- a/apparmor.d/profiles-a-f/execute-dcut
+++ b/apparmor.d/profiles-a-f/execute-dcut
@ -12,7 +12,7 @@ profile execute-dcut @{exec_path} flags=(complain) {
  include <abstractions/python>

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  include if exists <local/execute-dcut>
 }
--- a/apparmor.d/profiles-a-f/execute-dput
+++ b/apparmor.d/profiles-a-f/execute-dput
@ -15,7 +15,7 @@ profile execute-dput @{exec_path} flags=(complain) {

  @{exec_path} r,

-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/{,ba,da}sh rix,
  @{bin}/dpkg       rPx -> child-dpkg,
--- a/apparmor.d/profiles-a-f/fail2ban-client
+++ b/apparmor.d/profiles-a-f/fail2ban-client
@ -15,7 +15,7 @@ profile fail2ban-client @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,

  @{bin}/ r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  /etc/fail2ban/{,**} r,

--- a/apparmor.d/profiles-a-f/fail2ban-server
+++ b/apparmor.d/profiles-a-f/fail2ban-server
@ -25,7 +25,7 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) {
  @{bin}/iptables           rix,

  @{bin}/ r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  /etc/fail2ban/{,**} r,

--- a/apparmor.d/profiles-g-l/ganyremote
+++ b/apparmor.d/profiles-g-l/ganyremote
@ -23,7 +23,7 @@ profile ganyremote @{exec_path} {
  network inet6 stream,

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/            r,
  @{bin}/{,ba,da}sh  rix,
--- a/apparmor.d/profiles-g-l/gpo
+++ b/apparmor.d/profiles-g-l/gpo
@ -22,7 +22,7 @@ profile gpo @{exec_path} {
  network inet6 stream,

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/ r,
  @{bin}/{,ba,da}sh rix,
--- a/apparmor.d/profiles-g-l/gpodder
+++ b/apparmor.d/profiles-g-l/gpodder
@ -26,7 +26,7 @@ profile gpodder @{exec_path} {
  network netlink raw,

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/           r,
  @{bin}/{,ba,da}sh rix,
--- a/apparmor.d/profiles-g-l/gpodder-migrate2tres
+++ b/apparmor.d/profiles-g-l/gpodder-migrate2tres
@ -12,7 +12,7 @@ profile gpodder-migrate2tres @{exec_path} {
  include <abstractions/python>

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/           r,
  @{bin}/{,ba,da}sh rix,
--- a/apparmor.d/profiles-g-l/hardinfo
+++ b/apparmor.d/profiles-g-l/hardinfo
@ -40,7 +40,7 @@ profile hardinfo @{exec_path} {
  @{bin}/make            rix,
  @{bin}/perl            rix,
  @{bin}/python2.[0-9]*  rix,
-  @{bin}/python3.[0-9]*  rix,
+  @{bin}/python3.@{int}  rix,
  @{bin}/route           rix,
  @{bin}/ruby[0-9].@{int} rix,
  @{bin}/strace          rix,
--- a/apparmor.d/profiles-g-l/hypnotix
+++ b/apparmor.d/profiles-g-l/hypnotix
@ -36,7 +36,7 @@ profile hypnotix @{exec_path} {
  network netlink raw,

  @{exec_path} rix,
-  @{bin}/python3.[0-9]*  r,
+  @{bin}/python3.@{int}  r,

  @{bin}/{,ba,da}sh      rix,
  @{bin}/ldconfig        rix,
--- a/apparmor.d/profiles-g-l/install-printerdriver
+++ b/apparmor.d/profiles-g-l/install-printerdriver
@ -15,7 +15,7 @@ profile install-printerdriver @{exec_path} flags=(complain) {
  @{exec_path} mrix,

  @{bin}/{,ba,da}sh     rix,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  /usr/share/system-config-printer/{,**} r,

--- a/apparmor.d/profiles-g-l/iotop
+++ b/apparmor.d/profiles-g-l/iotop
@ -19,7 +19,7 @@ profile iotop @{exec_path} {
  capability sys_nice,

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/file rix,

--- a/apparmor.d/profiles-g-l/kconfig-hardened-check
+++ b/apparmor.d/profiles-g-l/kconfig-hardened-check
@ -12,7 +12,7 @@ profile kconfig-hardened-check @{exec_path} {
  include <abstractions/python>

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/ r,

--- a/apparmor.d/profiles-g-l/labwc
+++ b/apparmor.d/profiles-g-l/labwc
@ -60,9 +60,9 @@ profile labwc @{exec_path} flags=(attach_disconnected) {

  owner @{PROC}/@{pid}/fd/ r,

-  owner /tmp/.X[0-9]*-lock rw,
+  owner /tmp/.X@{int}-lock rw,
  owner /tmp/.X11-unix/ rw,
-  owner /tmp/.X11-unix/X[0-9]* rw,
+  owner /tmp/.X11-unix/X@{int} rw,

  include if exists <local/labwc>
 }
--- a/apparmor.d/profiles-m-r/mpsyt
+++ b/apparmor.d/profiles-m-r/mpsyt
@ -24,7 +24,7 @@ profile mpsyt @{exec_path} {
  network netlink raw,

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/ r,
  @{bin}/ldconfig  rix,
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@ -28,7 +28,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
  @{bin}/dpkg-query                        rpx,
  @{bin}/fail2ban-server                   rPx,
  @{bin}/locale                            rix,
-  @{bin}/python3.[0-9]*                    rix,
+  @{bin}/python3.@{int}                    rix,
  @{bin}/sed                               rix,
  @{bin}/stty                              rix,
  @{bin}/systemctl                         rPx -> child-systemctl,
--- a/apparmor.d/profiles-m-r/obamenu
+++ b/apparmor.d/profiles-m-r/obamenu
@ -12,7 +12,7 @@ profile obamenu @{exec_path} {
  include <abstractions/python>

  @{exec_path} r,
-  @{bin}/python3.[0-9]* rix,
+  @{bin}/python3.@{int} rix,

  @{bin}/ r,

--- a/apparmor.d/profiles-m-r/pass-import
+++ b/apparmor.d/profiles-m-r/pass-import
@ -25,10 +25,10 @@ profile pass-import @{exec_path} {
  @{bin}/ld               rix,
  @{bin}/ldconfig         rix,
  @{bin}/pass             rPx,
-  @{bin}/python3.[0-9]*   rix,
+  @{bin}/python3.@{int}   rix,
  @{lib}/gcc/**/collect2  rix,

-  @{lib}/python{2.[4-7],3,3.[0-9]*}/** w, # TODO: Test deny
+  @{lib}/python{2.[4-7],3,3.@{int}}/** w, # TODO: Test deny

  /usr/share/file/misc/magic.mgc r,

@ -39,4 +39,4 @@ profile pass-import @{exec_path} {
  @{PROC}/@{pids}/fd/ r,

  include if exists <local/pass-import>
-}
+}
--- a/apparmor.d/profiles-m-r/ps-mem
+++ b/apparmor.d/profiles-m-r/ps-mem
@ -16,7 +16,7 @@ profile ps-mem @{exec_path} {
  ptrace (read),

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/ r,

--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
@ -79,7 +79,7 @@ profile qbittorrent @{exec_path} {
  @{exec_path} mr,

  @{open_path}           rPx -> child-open,
-  @{bin}/python3.[0-9]*  rCx -> python, # For "search engine"
+  @{bin}/python3.@{int}  rCx -> python, # For "search engine"

  # Allowed apps to open
  @{bin}/spacefm         rPx,
@ -147,13 +147,13 @@ profile qbittorrent @{exec_path} {
    network inet6 stream,
    network netlink raw,

-    @{bin}/python3.[0-9]* r,
+    @{bin}/python3.@{int} r,

    owner @{user_share_dirs}/{,data/}qBittorrent/nova[0-9]/{,**} rw,

    owner @{user_torrents_dirs}/** r,

-    owner /dev/shm/sem.mp-* rwl -> /dev/shm/@{int},
+    owner /dev/shm/sem.mp-???????? rwl -> /dev/shm/@{int},  # unconventional '_' tail
    owner /dev/shm/* rw,

    owner /tmp/@{int} rw,
--- a/apparmor.d/profiles-m-r/repo
+++ b/apparmor.d/profiles-m-r/repo
@ -23,7 +23,7 @@ profile repo @{exec_path} {
  network netlink raw,

  @{exec_path} r,
-  @{bin}/python3.[0-9]* rix,
+  @{bin}/python3.@{int} rix,

  @{bin}/               r,
  @{bin}/env            rix,
@ -57,7 +57,7 @@ profile repo @{exec_path} {
  owner @{PROC}/@{pid}/mounts r,

  owner /dev/shm/* rw,
-  owner /dev/shm/sem.mp* rwl -> /dev/shm/*,
+  owner /dev/shm/sem.mp-???????? rwl -> /dev/shm/*,  # unconventional '_' tail

  # Silencer
  deny /etc/.repo_gitconfig.json w,
--- a/apparmor.d/profiles-m-r/rustdesk
+++ b/apparmor.d/profiles-m-r/rustdesk
@ -37,7 +37,7 @@ profile rustdesk @{exec_path} {
  @{bin}/curl     rix,
  @{bin}/ls       rix,

-  @{bin}/python3.[0-9]* rPx -> rustdesk_python,
+  @{bin}/python3.@{int} rPx -> rustdesk_python,
  @{bin}/{,ba,da}sh     rPx -> rustdesk_shell,

  /etc/gdm{,3}/custom.conf r,
@ -141,7 +141,7 @@ profile rustdesk @{exec_path} {
    owner @{PROC}/@{pid}/fd/ r,

    /{,usr/}{,local/}bin/rustdesk rPx,
-    @{bin}/python3.[0-9]*    rPx -> rustdesk_python,
+    @{bin}/python3.@{int}    rPx -> rustdesk_python,

    include if exists <local/rustdesk_sudo>
  }
@ -165,14 +165,14 @@ profile rustdesk_python {
  capability dac_read_search,
  capability dac_override,

-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/{,ba,da}sh rix,
  @{bin}/chmod rix,
  @{bin}/uname rPx,
  /usr/share/rustdesk/files/pynput_service.py rPx,

-  /usr/local/lib/python3.[0-9]*/dist-packages/pynput/{,**} r,
+  /usr/local/lib/python3.@{int}/dist-packages/pynput/{,**} r,
  /usr/share/[rR]ust[dD]esk/files/{,**} r,
  /tmp/[rR]ust[dD]esk/ w,
  /tmp/[rR]ust[dD]esk/pynput_service rw,
--- a/apparmor.d/profiles-s-z/speedtest
+++ b/apparmor.d/profiles-s-z/speedtest
@ -20,7 +20,7 @@ profile speedtest @{exec_path} {
  network netlink raw,

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/ r,
  @{bin}/file  rix,
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
@ -66,7 +66,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
  @{bin}/getopt                              rix,
  @{bin}/gzip                                rix,
  @{bin}/localedef                           rix,
-  @{bin}/python3.[0-9]*                      rix,
+  @{bin}/python3.@{int}                      rix,
  @{bin}/readlink                            rix,
  @{bin}/steam-runtime-launcher-interface-*  rix,
  @{bin}/steam-runtime-system-info           rix,
--- a/apparmor.d/profiles-s-z/system-config-printer
+++ b/apparmor.d/profiles-s-z/system-config-printer
@ -32,7 +32,7 @@ profile system-config-printer @{exec_path} flags=(complain) {
  @{exec_path} mrix,

  @{bin}/{,ba,da}sh           rix,
-  @{bin}/python3.[0-9]*         r,
+  @{bin}/python3.@{int}         r,
  @{lib}/cups/*/*            rPUx,
  /usr/share/hplip/query.py  rPUx,

--- a/apparmor.d/profiles-s-z/system-config-printer-applet
+++ b/apparmor.d/profiles-s-z/system-config-printer-applet
@ -19,7 +19,7 @@ profile system-config-printer-applet @{exec_path} {
  @{exec_path} mrix,

  @{bin}/{,ba,da}sh     rix,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  /usr/share/system-config-printer/{,**} r,

--- a/apparmor.d/profiles-s-z/terminator
+++ b/apparmor.d/profiles-s-z/terminator
@ -26,7 +26,7 @@ profile terminator @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,

  @{bin}/ r,
-  @{bin}/python3.[0-9]* rix,
+  @{bin}/python3.@{int} rix,

  # The shell is not confined on purpose.
  @{bin}/{,b,d,rb}ash         rUx,
--- a/apparmor.d/profiles-s-z/udiskie
+++ b/apparmor.d/profiles-s-z/udiskie
@ -22,7 +22,7 @@ profile udiskie @{exec_path} {
  include <abstractions/dri-enumerate>

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/ r,
  @{bin}/xdg-open rCx -> open,
--- a/apparmor.d/profiles-s-z/udiskie-info
+++ b/apparmor.d/profiles-s-z/udiskie-info
@ -12,7 +12,7 @@ profile udiskie-info @{exec_path} {
  include <abstractions/python>

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  /usr/bin/ r,

--- a/apparmor.d/profiles-s-z/udiskie-mount
+++ b/apparmor.d/profiles-s-z/udiskie-mount
@ -12,7 +12,7 @@ profile udiskie-mount @{exec_path} {
  include <abstractions/python>

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  /usr/bin/ r,

--- a/apparmor.d/profiles-s-z/udiskie-umount
+++ b/apparmor.d/profiles-s-z/udiskie-umount
@ -12,7 +12,7 @@ profile udiskie-umount @{exec_path} {
  include <abstractions/python>

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  /usr/bin/ r,

--- a/apparmor.d/profiles-s-z/update-command-not-found
+++ b/apparmor.d/profiles-s-z/update-command-not-found
@ -20,7 +20,7 @@ profile update-command-not-found @{exec_path} {

  @{exec_path} r,

-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,
  @{lib}/ r,

  @{bin}/dpkg            rPx -> child-dpkg,
--- a/apparmor.d/profiles-s-z/vcsi
+++ b/apparmor.d/profiles-s-z/vcsi
@ -15,7 +15,7 @@ profile vcsi @{exec_path} {
  include <abstractions/python>

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/ r,
  @{bin}/ffmpeg  rPx,
--- a/apparmor.d/profiles-s-z/vidcutter
+++ b/apparmor.d/profiles-s-z/vidcutter
@ -29,7 +29,7 @@ profile vidcutter @{exec_path} {
  include <abstractions/X>

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/ r,
  @{bin}/ldconfig  rix,
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@ -32,8 +32,8 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
  @{exec_path} rix,

  @{bin}/{,ba,da}sh rix,
-  @{bin}/python3.[0-9]* r,
-  @{lib}/python3.[0-9]*/site-packages/__pycache__/guestfs.cpython-[0-9]*.pyc.[0-9]* w,
+  @{bin}/python3.@{int} r,
+  @{lib}/python3.@{int}/site-packages/__pycache__/guestfs.cpython-[0-9]*.pyc.[0-9]* w,

  @{bin}/ r,
  @{bin}/env       rix,
--- a/apparmor.d/profiles-s-z/youtube-dl
+++ b/apparmor.d/profiles-s-z/youtube-dl
@ -31,7 +31,7 @@ profile youtube-dl @{exec_path} {
  signal (receive) set=(term, kill),

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/ffmpeg  rPx,
  @{bin}/ffprobe rPx,
--- a/apparmor.d/profiles-s-z/yt-dlp
+++ b/apparmor.d/profiles-s-z/yt-dlp
@ -25,7 +25,7 @@ profile yt-dlp @{exec_path} {
  network netlink raw,

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/ r,
  @{bin}/file    rix,
--- a/apparmor.d/profiles-s-z/ytdl
+++ b/apparmor.d/profiles-s-z/ytdl
@ -25,7 +25,7 @@ profile ytdl @{exec_path} {
  signal (receive) set=(term, kill),

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/ r,
  @{bin}/ldconfig  rix,
--- a/apparmor.d/profiles-s-z/zenmap
+++ b/apparmor.d/profiles-s-z/zenmap
@ -19,7 +19,7 @@ profile zenmap @{exec_path} {
  signal (send) set=(term, kill) peer=nmap,

  @{exec_path} r,
-  @{bin}/python3.[0-9]* r,
+  @{bin}/python3.@{int} r,

  @{bin}/nmap rPx,

--- a/docs/install.md
+++ b/docs/install.md
@ -93,7 +93,7 @@ sudo make profile-names...
    Warning: profile dependencies fallback to unconfined.
    @{bin}/wl-{copy,paste} rPx,
    @{bin}/xclip           rPx,
-    @{bin}/python3.[0-9]* rPx -> pass-import,  # pass-import
+    @{bin}/python3.@{int} rPx -> pass-import,  # pass-import
        @{bin}/pager         rPx -> child-pager,
        @{bin}/less          rPx -> child-pager,
        @{bin}/more          rPx -> child-pager,