diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 5a153d2c..7f0b7cad 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -65,7 +65,7 @@ @{bin}/viewnior rPUx, @{bin}/vlc rPUx, @{bin}/xarchiver rPx, - @{bin}/xbrlapi rPx, + @{bin}/xbrlapi rPx, @{bin}/yelp rPUx, @{lib}/libreoffice/program/{soffice{,.bin},oosplash} rPUx, diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect index e6c1bf57..8e5558d3 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect @@ -22,4 +22,9 @@ member={RunningApplicationsChanged,WindowsChanged} peer=(name=:*, label=gnome-shell), + dbus receive bus=session path=/org/gnome/Shell/Introspect + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=gnome-shell), + include if exists diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index 801c3702..c11d16d6 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -3,15 +3,14 @@ # Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - owner @{HOME}/.icons/{,**} r, - @{system_share_dirs}/*ubuntu/applications/{,**} r, @{system_share_dirs}/gnome/applications/{,**} r, @{system_share_dirs}/xfce4/applications/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/gnome/defaults.list r, /etc/xfce4/defaults.list r, /var/lib/snapd/desktop/icons/{,**} r, + + owner @{HOME}/.icons/{,**} r, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 907996d6..daabe2e0 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract 
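Review bot: It is unclear from the freedesktop.org.d/complete hunk whether `/usr/share/glib-2.0/schemas/gschemas.compiled r,` and `@{system_share_dirs}/*ubuntu/applications/{,**} r,` are being removed or only blank lines around them: with the diff collapsed onto one line, the `-` marker before each of those rules could belong to a removed blank line instead. If the two rules really go, every profile that includes this abstraction loses those reads unless another included abstraction grants them, and nothing in the hunk says where they moved. A sentence in the commit message, or a comment next to the relocated `owner @{HOME}/.icons/{,**} r,` line such as `# gschemas.compiled and *ubuntu/applications: now covered by [abstraction] - TODO confirm`, would settle it.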
@@ -34,6 +34,10 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/Tracker3/{Files,Endpoint,Miner/Extract} interface={org.freedesktop.Tracker3.{Miner,Endpoint,Files},org.freedesktop.DBus.{Peer,Properties}} peer=(name="{:*,org.freedesktop.Tracker3.Miner.Files,org.freedesktop.DBus}", label=tracker-miner), + dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=org.freedesktop.Tracker3.Miner.Files), dbus send bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index eccb2cc8..f8801cd1 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl @@ -20,11 +20,6 @@ profile hostnamectl @{exec_path} { member=Set*Hostname peer=(name=org.freedesktop.hostname1), - dbus send bus=system path=/org/freedesktop/hostname1 - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name=org.freedesktop.hostname1), - dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.hostname1 member=Set*Hostname diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index c28c7cb2..1b91db40 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd 
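Review bot: The added Ping rule differs from the rule directly above it only by having no `label=` on the peer: the `/org/freedesktop/Tracker3/Endpoint` path, the `org.freedesktop.DBus.Peer` interface and the `org.freedesktop.Tracker3.Miner.Files` name are already permitted there, restricted to `label=tracker-miner`. What the new rule actually grants is sending Ping to whichever process owns that well-known name, whatever its confinement. If that is deliberate (the name being owned by an unconfined or differently-labelled process at some point), a comment such as `# Ping the name owner even when it does not run under tracker-miner` would keep a later cleanup from folding it into the rule above; otherwise `peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner)` is the tighter form, and with it the rule is redundant.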
@@ -28,15 +28,9 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) { network packet raw, dbus bind bus=system name=org.freedesktop.network1, - - dbus receive bus=system path=/org/freedesktop/network1 + dbus (send, receive) bus=system path=/org/freedesktop/network1{,/**} interface=org.freedesktop.DBus.Properties - member=Get, - - dbus send bus=system path=/org/freedesktop/network1{,/link/*} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=org.freedesktop.DBus), + peer=(name="{:*,org.freedesktop.DBus}"), @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pam/mappings b/apparmor.d/profiles-m-r/pam/mappings index 8f81c72a..19d7e5a6 100644 --- a/apparmor.d/profiles-m-r/pam/mappings +++ b/apparmor.d/profiles-m-r/pam/mappings @@ -1,10 +1,10 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# + # See more at: https://gitlab.com/apparmor/apparmor/wikis/Pam_apparmor_example -# # This file contains the mappings from users to roles for the binaries # confined with AppArmor and configured for use with libpam-apparmor. Users # without a mapping will not be able to login. @@ -15,14 +15,18 @@ ^DEFAULT { include include + capability dac_override, capability setgid, capability setuid, + /etc/default/su r, @{etc_ro}/environment r, - @{HOMEDIRS}/.xauth@{rand6} w, - @{bin}/{,b,d,rb}ash Px -> default_user, - @{bin}/{c,k,tc,z}sh Px -> default_user, + + @{bin}/{,b,d,rb}ash rPx -> default_user, + @{bin}/{c,k,tc,z}sh rPx -> default_user, + + include if exists } # USER is a confined user. The hat contains only the permissions necessary 
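Review bot: The merged `dbus (send, receive)` rule names no member, so it permits every `org.freedesktop.DBus.Properties` method in both directions, `Set` included, on `/org/freedesktop/network1{,/**}`, where the replaced rules allowed receiving `Get` and sending `PropertiesChanged` only; the path also widens from `{,/link/*}` to `{,/**}`. If the aim is just to cover `GetAll` next to `Get` and the signal, `member={Get,GetAll,PropertiesChanged}` keeps that narrowing for one extra line. If the broader access was confirmed from logged denials (the profile is in complain mode, so they would be recorded), a comment stating that would help the next reader.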
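Review bot: `capability dac_override` is added to the `^DEFAULT` hat without a comment on what needs it; the hat's own file rules are `/etc/default/su r`, `@{etc_ro}/environment r` and the shell execs (the included abstractions are outside the hunk), so recording the denial it fixes, e.g. `# dac_override: [reason or logged denial] - TODO confirm`, or dropping it if the denial was transient, would help. The `@{HOMEDIRS}/.xauth@{rand6} w,` rule is removed from this hat and, in the next two hunks, from the USER and ADMIN hats too; unless the new `include if exists` drop-in or an included abstraction grants it, sessions that write an xauth file under the user's home will be denied. A line in the commit message naming where that write went would close the question.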
@@ -37,13 +41,13 @@ capability setgid, capability setuid, - @{bin}/{,b,d,rb}ash Px -> confined_user, - @{bin}/{c,k,tc,z}sh Px -> confined_user, + @{bin}/{,b,d,rb}ash rPx -> confined_user, + @{bin}/{c,k,tc,z}sh rPx -> confined_user, /etc/default/su r, @{etc_ro}/environment r, - @{HOMEDIRS}/.xauth@{rand6} w, + include if exists } # Don't confine members whose primary group is 'admin' who are not specifically @@ -59,11 +63,11 @@ capability setgid, capability setuid, - @{bin}/{,b,d,rb}ash Ux, - @{bin}/{c,k,tc,z}sh Ux, + @{bin}/{,b,d,rb}ash rUx, + @{bin}/{c,k,tc,z}sh rUx, /etc/default/su r, @{etc_ro}/environment r, - @{HOMEDIRS}/.xauth@{rand6} w, + include if exists } diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 7af50169..61db07b4 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -97,6 +97,7 @@ docker-proxy complain dockerd attach_disconnected,complain dolphin complain downloadhelper complain +dpkg-genbuildinfo complain drkonqi complain e2fsck complain e2scrub_all attach_disconnected,complain @@ -219,11 +220,13 @@ kwin_wayland_wrapper complain kwin_x11 complain landscape-sysinfo complain landscape-sysinfo.wrapper complain +language-validate attach_disconnected,complain last complain lastlog complain ldconfig.service complain libvirt-dbus complain libvirtd attach_disconnected,complain +lightdm attach_disconnected,complain locale-gen complain localectl complain login attach_disconnected,complain @@ -323,6 +326,7 @@ systemd-ask-password complain systemd-backlight complain systemd-battery-check complain systemd-binfmt attach_disconnected,complain +systemd-bsod complain systemd-cgls complain systemd-cgtop complain systemd-coredump attach_disconnected,mediate_deleted,complain diff --git a/systemd/full/system/fwupd-refresh.service b/systemd/full/system/fwupd-refresh.service index b11945a1..fa215b3f 100644 --- a/systemd/full/system/fwupd-refresh.service +++ b/systemd/full/system/fwupd-refresh.service 
@@ -1,3 +1,4 @@
 [Service]
 ProtectKernelModules=no
-RestrictRealtime=no
\ No newline at end of file
+RestrictRealtime=no
+ProtectKernelModules=no
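Review bot: The last added line repeats `ProtectKernelModules=no`, which the context line above already sets in the same drop-in; systemd takes the last value, so behaviour is unchanged, but the duplicate reads like a slip: either a different directive was meant or the line should go. Since this drop-in exists to relax the unit's upstream sandbox, a short comment above each relaxed directive, e.g. `# ProtectKernelModules=no: [reason] - TODO confirm`, would also let a later reviewer judge whether the relaxation is still needed.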