diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate
index 738fbeb8f..283a79248 100644
--- a/apparmor.d/groups/network/netplan-generate
+++ b/apparmor.d/groups/network/netplan-generate
@@ -17,6 +17,8 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
+  @{bin}/systemctl         rCx -> systemctl,
+
   /etc/netplan/{,*} r,
 
   @{run}/systemd/generator/multi-user.target.wants/ w,
@@ -38,10 +40,22 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) {
 
   @{sys}/devices/**/net/*/address r,
 
+  @{run}/netplan/ r,
 
   @{run}/udev/rules.d/ r,
   @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw,
 
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+
+    capability net_admin,
+
+    @{att}/@{run}/systemd/private rw,
+
+    include if exists <local/netplan-generate_systemctl>
+  }
+
   include if exists <local/netplan-generate>
 }
 
diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script
index 15aae42d7..66994569d 100644
--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@@ -15,7 +15,6 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
 
   @{lib}/netplan/generate  rPx,
   @{bin}/udevadm           rCx -> udevadm,
-  @{bin}/systemctl         rCx -> systemctl,
 
   /usr/share/netplan/{,**} r,
 
@@ -35,17 +34,6 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
     include if exists <local/netplan.script_udevadm>
   }
 
-  profile systemctl {
-    include <abstractions/base>
-    include <abstractions/app/systemctl>
-
-    capability net_admin,
-
-    @{att}/@{run}/systemd/private rw,
-
-    include if exists <local/netplan.script_systemctl>
-  }
-
   include if exists <local/netplan.script>
 }