diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider
index e66450d09..2168382e0 100644
--- a/apparmor.d/groups/gnome/epiphany-search-provider
+++ b/apparmor.d/groups/gnome/epiphany-search-provider
@@ -29,6 +29,7 @@ profile epiphany-search-provider @{exec_path} {
   @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
 
   owner @{user_cache_dirs}/epiphany/{,**} rwk,
+  owner @{user_config_dirs}/epiphany/{,**} rw,
   owner @{user_share_dirs}/epiphany/{,**} rwk,
 
   owner @{tmp}/ContentRuleList-@{rand6} rw,
diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect
index 104d95fb3..7cb982ca7 100644
--- a/apparmor.d/groups/gnome/gnome-extension-gsconnect
+++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect
@@ -16,6 +16,7 @@ profile gnome-extension-gsconnect @{exec_path} {
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
+  include <abstractions/bus/org.a11y>
   include <abstractions/dconf-write>
   include <abstractions/gnome-strict>
   include <abstractions/nameservice-strict>
@@ -29,6 +30,8 @@ profile gnome-extension-gsconnect @{exec_path} {
   network inet6 stream,
   network netlink raw,
 
+  #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect
+
   @{exec_path} mr,
 
   @{sh_path}          rix,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index e977af95e..acae2d601 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -173,6 +173,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{bin}/sensors                rPx,
   @{bin}/tecla                  rPx,
   @{bin}/Xwayland               rPx,
+  @{bin}/nvidia-smi             rPx, # FIXME; for extension only
+  @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas rPx,
   @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx,
   @{lib}/mutter-x11-frames      rPx,
   #aa:exec polkit-agent-helper
@@ -227,6 +229,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw,
   owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw,
   owner @{gdm_cache_dirs}/libgweather/ r,
+  owner @{gdm_cache_dirs}/nvidia/GLCache/ rw,
+  owner @{gdm_cache_dirs}/nvidia/GLCache/** rwk,
   owner @{gdm_config_dirs}/dconf/user r,
   owner @{gdm_config_dirs}/ibus/ rw,
   owner @{gdm_config_dirs}/ibus/bus/ rw,
@@ -234,11 +238,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{gdm_config_dirs}/pulse/ rw,
   owner @{gdm_config_dirs}/pulse/client.conf r,
   owner @{gdm_config_dirs}/pulse/cookie rwk,
+  owner @{gdm_local_dirs}/ w,
+  owner @{gdm_share_dirs}/ w,
   owner @{gdm_share_dirs}/applications/{,**} r,
   owner @{gdm_share_dirs}/gnome-shell/{,**} rw,
   owner @{gdm_share_dirs}/icc/ rw,
-  owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw,
   owner @{gdm_share_dirs}/icc/.goutputstream-@{rand6} rw,
+  owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw,
 
   owner @{HOME}/.face r,
   owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
@@ -263,7 +269,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   owner @{user_share_dirs}/backgrounds/{,**} rw,
   owner @{user_share_dirs}/dbus-1/services/ r,
-  owner @{user_share_dirs}/dbus-1/services/org.gnome.shell.*.service{,.@{rand6}} rw,
+  owner @{user_share_dirs}/dbus-1/services/org.gnome.Shell.*.service{,.@{rand6}} rw,
   owner @{user_share_dirs}/desktop-directories/{,**} r,
   owner @{user_share_dirs}/gnome-shell/{,**} rw,
   owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
@@ -271,7 +277,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{user_share_dirs}/icc/ rw,
   owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw,
   owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,
-  owner @{user_share_dirs}/icons/**/org.gnome.shell.*.svg{,.@{rand6}} w,
+  owner @{user_share_dirs}/icons/**/org.gnome.Shell.*.svg{,.@{rand6}} w,
 
   owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw,
   owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r,
diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor
index 22823753b..c399eadc7 100644
--- a/apparmor.d/groups/gnome/gnome-text-editor
+++ b/apparmor.d/groups/gnome/gnome-text-editor
@@ -15,6 +15,7 @@ profile gnome-text-editor @{exec_path} {
   include <abstractions/user-read-strict>
   include <abstractions/user-write-strict>
 
+  #aa:dbus own bus=session name=org.gnome.TextEditor
   #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
 
   @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index 83bf18b9b..e8612f7b6 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -70,6 +70,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
 
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
   /dev/media@{int} r,