diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig
index 99b79aa67..7a868b11f 100644
--- a/apparmor.d/groups/grub/grub-mkconfig
+++ b/apparmor.d/groups/grub/grub-mkconfig
@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/grub-mkconfig
-profile grub-mkconfig @{exec_path} {
+profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
 
@@ -44,6 +44,7 @@ profile grub-mkconfig @{exec_path} {
   @{bin}/mktemp               rix,
   @{bin}/mount                rPx,
   @{bin}/mountpoint           rix,
+  @{bin}/mv                   rix,
   @{bin}/os-prober            rPx,
   @{bin}/paste                rix,
   @{bin}/readlink             rix,
@@ -59,6 +60,10 @@ profile grub-mkconfig @{exec_path} {
   @{bin}/which{.debianutils,} rix,
   /etc/grub.d/{**,}           rix,
 
+  @{lib}/gconv/gconv-modules r,
+  @{lib}/gconv/gconv-modules.d/{,gconv-modules-extra.conf} r,
+  @{lib}/libostree/grub[0-9]-@{int}_ostree rix,
+
   /boot/{**,} r,
   /boot/grub/{**,} rw,
 
@@ -67,7 +72,7 @@ profile grub-mkconfig @{exec_path} {
   /etc/default/grub.d/{*,} r,
 
   /usr/share/grub/{**,} r,
-  /usr/share/terminfo/x/xterm-256color r,
+  /usr/share/terminfo/{,x/xterm-256color} r,
 
   /.zfs/snapshot/*/boot/ r,
   /.zfs/snapshot/*/etc/{machine-id,} r,
@@ -83,5 +88,9 @@ profile grub-mkconfig @{exec_path} {
 
   @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
 
+  /dev/pts/@{int} rw,
+  /dev/tty rw,
+  /dev/tty@{int} rw,
+
   include if exists <local/grub-mkconfig>
 }