diff --git a/profiles/apparmor/profiles/extras/unshare-userns-restrict b/profiles/apparmor/profiles/extras/unshare-userns-restrict
index 9d9777ca3..ea19c05f8 100644
--- a/profiles/apparmor/profiles/extras/unshare-userns-restrict
+++ b/profiles/apparmor/profiles/extras/unshare-userns-restrict
@@ -17,7 +17,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-profile unshare /usr/bin/unshare flags=(attach_disconnected) {
+profile unshare /usr/bin/unshare flags=(attach_disconnected mediate_deleted) {
   # not allow all, to allow for cix transition
   # and to limit executable mapping to just unshare
   allow capability,
@@ -43,7 +43,7 @@ profile unshare /usr/bin/unshare flags=(attach_disconnected) {
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/unshare-userns-restrict>
 
-  profile unpriv flags=(attach_disconnected) {
+  profile unpriv flags=(attach_disconnected mediate_deleted) {
     # not allow all, to allow for pix stack
     allow file rwlkm /{**,},
     allow network,