diff --git a/profiles/apparmor.d/tunables/etc b/profiles/apparmor.d/tunables/etc
index c144621df..142874af8 100644
--- a/profiles/apparmor.d/tunables/etc
+++ b/profiles/apparmor.d/tunables/etc
@@ -13,11 +13,15 @@
 # with the goal of having only user-modified config files in /etc/, directories
 # like /usr/etc/ get introduced for storing the default config.
 
-# @{etc_ro} contains read-only directories with configuration files.
+# @{etc_ro} contains directories with configuration files, including read-only directories.
 # Do not use @{etc_ro} in rules that allow write access.
 @{etc_ro}=/etc/ /usr/etc/
 
 # @{etc_rw} contains directories where writing to configuration files is allowed.
+# @{etc_rw} should always be a subset of @{etc_ro}.
+#
+# Only use @{etc_rw} if the profile allows writing to a configuration file.
+# For rules that only allows read access, use @{etc_ro}.
 @{etc_rw}=/etc/
 
 # Also, include files in tunables/etc.d/ for site-specific adjustments to
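Review bot: The last added comment line has a grammar slip that slightly muddles the guidance: `# For rules that only allows read access, use @{etc_ro}.` should read `# For rules that only allow read access, use @{etc_ro}.`. The new "should always be a subset" sentence states an invariant that nothing in the file enforces, and the existing text below notes that tunables/etc.d/ can add site-specific adjustments, so it would help to say who is responsible for keeping it true, e.g. `# @{etc_rw} should always be a subset of @{etc_ro}; site-specific overrides in tunables/etc.d/ must preserve this.`. Since @{etc_ro} now explicitly covers the writable /etc/ as well, the existing "Do not use @{etc_ro} in rules that allow write access" line carries the real security weight here, and I'd keep it adjacent to the variable definition as it is.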