diff --git a/apparmor.d/abstractions/systemctl b/apparmor.d/abstractions/systemctl
index 2fb161d79..a6ffa5ae0 100644
--- a/apparmor.d/abstractions/systemctl
+++ b/apparmor.d/abstractions/systemctl
@@ -12,6 +12,7 @@
 
   owner @{run}/systemd/private rw,
 
+  @{PROC}/@{pid}/comm r,
   @{PROC}/cmdline r,
   @{PROC}/sys/kernel/osrelease r,
 
diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg
index fa8007418..5cf330c64 100644
--- a/apparmor.d/groups/apt/dpkg
+++ b/apparmor.d/groups/apt/dpkg
@@ -30,7 +30,7 @@ profile dpkg @{exec_path} {
   @{bin}/dpkg-deb    rpx,
   @{bin}/dpkg-query  rpx,
   @{bin}/dpkg-split  rPx,
-  @{bin}/systemctl   rPx -> child-systemctl,
+  @{bin}/systemctl   rCx -> systemctl,
   @{lib}/needrestart/dpkg-status rPx,
   /usr/share/debian-security-support/check-support-status.hook rPx,
 
@@ -76,5 +76,12 @@ profile dpkg @{exec_path} {
 
   owner /dev/tty@{int} rw,
 
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+
+    include if exists <local/dpkg_systemctl>
+  }
+
   include if exists <local/dpkg>
 }
diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession
index f3f42649f..7f6b07bb6 100644
--- a/apparmor.d/groups/gnome/gdm-xsession
+++ b/apparmor.d/groups/gnome/gdm-xsession
@@ -45,7 +45,7 @@ profile gdm-xsession @{exec_path} {
   @{bin}/gpgconf                               rPx,
   @{bin}/gsettings                             rPx,
   @{bin}/im-launch                             rPx,
-  @{bin}/systemctl                             rPx -> child-systemctl,
+  @{bin}/systemctl                             rCx -> systemctl,
   @{bin}/xbrlapi                               rPx,
   @{bin}/xhost                                 rPx,
   @{bin}/xrdb                                  rPx,
@@ -83,5 +83,12 @@ profile gdm-xsession @{exec_path} {
     include if exists <local/gdm-xsession_dbus>
   }
 
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+
+    include if exists <local/gdm-xsession_systemctl>
+  }
+
   include if exists <local/gdm-xsession>
 }
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index 6d1fec3fb..84d87f090 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -94,7 +94,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
   @{bin}/kmod                                                rPx,
   @{bin}/netconfig                                          rPUx,
   @{bin}/resolvconf                                          rPx,
-  @{bin}/systemctl                                           rPx -> child-systemctl,
+  @{bin}/systemctl                                           rCx -> systemctl,
   @{lib}/{,NetworkManager/}nm-daemon-helper                  rPx,
   @{lib}/{,NetworkManager/}nm-dhcp-helper                    rPx,
   @{lib}/{,NetworkManager/}nm-dispatcher                     rPx,
@@ -153,5 +153,12 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 
   /dev/rfkill rw,
 
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+
+    include if exists <local/NetworkManager_systemctl>
+  }
+
   include if exists <local/NetworkManager>
 }
diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script
index 51bec315c..762749e8a 100644
--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@@ -49,14 +49,10 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
 
   profile systemctl {
     include <abstractions/base>
-    include <abstractions/systemd-common>
+    include <abstractions/systemctl>
 
     capability net_admin,
 
-    @{bin}/systemctl mr,
-
-    owner @{run}/systemd/private rw,
-
     include if exists <local/netplan.script_systemctl>
   }
 
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 24687a8ee..6cb3ed79c 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -104,7 +104,7 @@ profile pacman @{exec_path} {
   @{bin}/setfacl                     rix,
   @{bin}/sync                        rix,
   @{bin}/sysctl                      rPx,
-  @{bin}/systemctl                   rPx -> child-systemctl,
+  @{bin}/systemctl                   rCx -> systemctl,
   @{bin}/systemd-*                   rPx,
   @{bin}/touch                       rix,
   @{bin}/tput                        rix,
@@ -203,6 +203,15 @@ profile pacman @{exec_path} {
     include if exists <local/pacman_gpg>
   }
 
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+
+    capability net_admin,
+
+    include if exists <local/pacman_systemctl>
+  }
+
   include if exists <usr/pacman.d>
   include if exists <local/pacman>
 }
diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd
index f3ffddde6..6d33ddcdf 100644
--- a/apparmor.d/groups/pacman/pacman-hook-systemd
+++ b/apparmor.d/groups/pacman/pacman-hook-systemd
@@ -19,7 +19,7 @@ profile pacman-hook-systemd @{exec_path} {
   @{bin}/touch rix,
 
   @{bin}/journalctl             rPx,
-  @{bin}/systemctl              rPx -> child-systemctl,
+  @{bin}/systemctl              rCx -> systemctl,
   @{bin}/systemd-detect-virt    rPx,
   @{bin}/systemd-hwdb           rPx,
   @{bin}/systemd-sysusers       rPx,
@@ -38,5 +38,14 @@ profile pacman-hook-systemd @{exec_path} {
   deny network inet6 stream,
   deny network inet stream,
 
+  profile systemctl flags=(attach_disconnected) {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+
+    capability net_admin,
+
+    include if exists <local/pacman-hook-systemd_systemctl>
+  }
+
   include if exists <local/pacman-hook-systemd>
 }
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index cbc011e12..99905c455 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -131,14 +131,12 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 
   profile systemctl flags=(attach_disconnected,complain) {
     include <abstractions/base>
-    include <abstractions/systemd-common>
+    include <abstractions/systemctl>
 
     capability net_admin,
     capability sys_ptrace,
 
-    @{bin}/systemctl mr,
-  
-    / r,
+    # / r,
 
     @{PROC}/sys/kernel/cap_last_cap r,
 
diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk
index 75f6825b3..c226b7a15 100644
--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@@ -48,7 +48,7 @@ profile apport-gtk @{exec_path} {
   @{bin}/lsb_release            rPx -> lsb_release,
   @{bin}/md5sum                 rix,
   @{bin}/pkexec                 rPx, # TODO: rCx or something
-  @{bin}/systemctl              rPx -> child-systemctl,
+  @{bin}/systemctl              rCx -> systemctl,
   @{bin}/which{,.debianutils}   rix,
   @{lib}/{,colord/}colord-sane  rPx,
   @{lib}/@{multiarch}/ld*.so*   rix,
@@ -121,6 +121,14 @@ profile apport-gtk @{exec_path} {
 
     @{PROC}/@{pids}/fd/ r,
 
+    include if exists <local/apport-gtk_gdb>
+  }
+
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+
+    include if exists <local/apport-gtk_systemctl>
   }
 
   include if exists <local/apport-gtk>
diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart
index 8a1c4d4c4..574782b89 100644
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@@ -31,7 +31,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
   @{bin}/python3.@{int}                    rix,
   @{bin}/sed                               rix,
   @{bin}/stty                              rix,
-  @{bin}/systemctl                         rPx -> child-systemctl,
+  @{bin}/systemctl                         rCx -> systemctl,
   @{bin}/systemd-detect-virt               rPx,
   @{bin}/udevadm                           rPx,
   @{bin}/unix_chkpwd                       rPx,
@@ -72,5 +72,14 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
   /dev/ r,
   /dev/**/ r,
 
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+
+    capability net_admin,
+
+    include if exists <local/needrestart_systemctl>
+  }
+
   include if exists <local/needrestart>
 }
diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect
index f8d47afbb..9ea6e2bfa 100644
--- a/apparmor.d/profiles-s-z/sensors-detect
+++ b/apparmor.d/profiles-s-z/sensors-detect
@@ -18,7 +18,7 @@ profile sensors-detect @{exec_path} {
  
   @{bin}/kmod       rCx -> kmod,
   @{bin}/perl         r,
-  @{bin}/systemctl  rPx -> child-systemctl,
+  @{bin}/systemctl  rCx -> systemctl,
   @{bin}/udevadm    rCx -> udevadm,
   @{bin}/uname      rix,
 
@@ -65,5 +65,12 @@ profile sensors-detect @{exec_path} {
     include if exists <local/sensors-detect_udevadm>
   }
 
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+
+    include if exists <local/sensors-detect_systemctl>
+  }
+
   include if exists <local/sensors-detect>
 }