diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade
index 1961f7121..b3ac117d4 100644
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -30,6 +31,14 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 
   signal (send) peer=apt-methods-http,
 
+  dbus send bus=system path=/org/freedesktop/PackageKit
+       interface=org.freedesktop.PackageKit
+       member=StateHasChanged,
+
+  dbus send bus=system path=/org/freedesktop/PackageKit
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect,
+
   dbus send bus=system path=/org/freedesktop/login[0-9]
        interface=org.freedesktop.login[0-9].Manager
        member=Inhibit,
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index d37886954..5509e1d19 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -1,6 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2017-2021 Mikhail Morfikov
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -33,6 +34,20 @@ profile pulseaudio @{exec_path} {
   network bluetooth stream,
   network bluetooth seqpacket,
 
+  dbus (send)
+     bus=session
+     path=/Client0/EntryGroup[0-9]*
+     interface=org.freedesktop.Avahi.EntryGroup
+     member={GetState,AddService,AddServiceSubtype,Commit}
+     peer=(name=org.freedesktop.Avahi),
+
+  dbus (receive)
+     bus=session
+     path=/Client0/EntryGroup[0-9]*
+     interface=org.freedesktop.Avahi.EntryGroup
+     member={StateChanged}
+     peer=(name=org.freedesktop.Avahi),
+
   dbus (send)
      bus=session
      path=/org/freedesktop/DBus
@@ -83,6 +98,34 @@ profile pulseaudio @{exec_path} {
      interface=org.freedesktop.DBus.ObjectManager
      member=GetManagedObjects
      peer=(name=org.bluez),
+  
+  dbus (send)
+     bus=system
+     path=/
+     interface=org.freedesktop.DBus.Peer
+     member=Ping
+     peer=(name=org.freedesktop.Avahi),
+
+  dbus (send)
+     bus=system
+     path=/
+     interface=org.freedesktop.Avahi.Server
+     member={GetAPIVersion,GetState,EntryGroupNew}
+     peer=(name=org.freedesktop.Avahi),
+
+  dbus (receive)
+     bus=system
+     path=/
+     interface=org.freedesktop.Avahi.Server
+     member={StateChanged}
+     peer=(name=org.freedesktop.Avahi),
+
+  dbus (send)
+     bus=system
+     path=/
+     interface=org.freedesktop.hostname[0-9]*
+     member={Get}
+     peer=(name=/org/freedesktop/hostname1[0-9]*,
 
   @{exec_path} mrix,
 
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index b114eda39..de48f1c71 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -51,6 +52,10 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
        interface=org.freedesktop.DBus.Properties
        member=PropertiesChanged,
 
+  dbus receive bus=system path=/
+       interface=org.freedesktop.DBus.Properties
+       member=Get,
+
   dbus bind bus=system 
        name=org.freedesktop.login[0-9],
 
diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount
index 9bb767dc4..7432f00a4 100644
--- a/apparmor.d/profiles-m-r/mount
+++ b/apparmor.d/profiles-m-r/mount
@@ -1,6 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2022 Mikhail Morfikov
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -26,6 +27,8 @@ profile mount @{exec_path} flags=(complain) {
   network inet stream,
   network inet6 stream,
 
+  ptrace (read) peer=k3s,
+
   signal (receive) set=(term, kill),
 
   @{exec_path} mr,
diff --git a/apparmor.d/profiles-m-r/newgidmap b/apparmor.d/profiles-m-r/newgidmap
index 2da77d9bf..d769bfcc6 100644
--- a/apparmor.d/profiles-m-r/newgidmap
+++ b/apparmor.d/profiles-m-r/newgidmap
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -11,6 +12,7 @@ profile newgidmap @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
 
+  capability dac_override,
   capability setgid,
   capability sys_admin,
 
diff --git a/apparmor.d/profiles-m-r/newuidmap b/apparmor.d/profiles-m-r/newuidmap
index 88af9bb6b..3ec9d09e9 100644
--- a/apparmor.d/profiles-m-r/newuidmap
+++ b/apparmor.d/profiles-m-r/newuidmap
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -11,6 +12,7 @@ profile newuidmap @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
 
+  capability dac_override,
   capability setuid,
   capability sys_admin,
 
diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd
index 163d2a20b..2cd837cd3 100644
--- a/apparmor.d/profiles-m-r/rngd
+++ b/apparmor.d/profiles-m-r/rngd
@@ -1,12 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/rngd
+@{exec_path} = /{usr/,}{s,}bin/rngd
 profile rngd @{exec_path} {
   include <abstractions/base>
   include <abstractions/devices-usb>
diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd
index a99796c97..ac1aeb0d7 100644
--- a/apparmor.d/profiles-s-z/smartd
+++ b/apparmor.d/profiles-s-z/smartd
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -17,6 +18,7 @@ profile smartd @{exec_path} {
   #  Unable to register SCSI device /dev/disk/by-id/ata-* at line * of file /etc/smartd.conf
   #  Device: /dev/disk/by-id/ata-*, not available
   capability sys_rawio,
+  capability sys_admin,
 
   # Needed?
   deny capability net_admin,
@@ -39,5 +41,7 @@ profile smartd @{exec_path} {
   /dev/ r,
   @{PROC}/devices r,
 
+  /run/systemd/notify rw,
+
   include if exists <local/smartd>
 }
diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald
index a4ed8017a..5bf27dac9 100644
--- a/apparmor.d/profiles-s-z/thermald
+++ b/apparmor.d/profiles-s-z/thermald
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2015-2020 Mikhail Morfikov
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -9,9 +10,14 @@ include <tunables/global>
 @{exec_path} = /{usr/,}sbin/thermald
 profile thermald @{exec_path} {
   include <abstractions/base>
+  include <abstractions/dbus-strict>
 
   capability sys_boot,
 
+  dbus (bind)
+     bus=system
+     name=org.freedesktop.thermald,
+
   @{exec_path} mr,
 
   owner @{run}/thermald/ rw,
@@ -50,11 +56,11 @@ profile thermald @{exec_path} {
 
   @{sys}/devices/virtual/powercap/intel-rapl/ r,
   @{sys}/devices/virtual/powercap/intel-rapl/**/name r,
-  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/ r,
-  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/* r,
+  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/{,*} r,
   @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/constraint_*_time_window_us w,
   @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/constraint_*_power_limit_uw w,
   @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/enabled w,
+  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/intel-rapl:[0-9]*:[0-9]*/{,*} r,
 
   include if exists <local/thermald>
 }