diff --git a/apparmor.d/abstractions/nameservice-strict b/apparmor.d/abstractions/nameservice-strict
index 7c6f49e3d..a0306e009 100644
--- a/apparmor.d/abstractions/nameservice-strict
+++ b/apparmor.d/abstractions/nameservice-strict
@@ -1,24 +1,30 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
- /etc/hosts r,
- /etc/host.conf r,
- /etc/resolv.conf r,
+ @{etc_ro}/default/nss r,
+ @{etc_ro}/gai.conf r,
+ @{etc_ro}/group r,
+ @{etc_ro}/host.conf r,
+ @{etc_ro}/hosts r,
+ @{etc_ro}/nsswitch.conf r,
+ @{etc_ro}/passwd r,
+ @{etc_ro}/protocols r,
+ @{etc_ro}/resolv.conf r,
+ @{etc_ro}/services r,
+ @{run}/systemd/resolve/stub-resolv.conf r,
- /etc/nsswitch.conf r,
- /etc/passwd r,
- /etc/gai.conf r,
- /etc/group r,
- /etc/protocols r,
- /etc/default/nss r,
- /etc/services r,
 # NSS records from systemd-userdbd.service
 @{run}/systemd/userdb/ r,
- @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
+ @{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users
+ @{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs
+ @{run}/systemd/userdb/io.systemd.Machine rw, # systemd-machined
+ @{run}/systemd/userdb/io.systemd.Multiplexer rw,
+ @{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS
 @{PROC}/sys/kernel/random/boot_id r,
 include if exists
diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index 2069e71cf..fae30c409 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
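Review bot: The new `@{run}/systemd/resolve/stub-resolv.conf r` line only covers the stub-resolver layout; AppArmor mediates the resolved target of a symlink, so hosts where /etc/resolv.conf points elsewhere will still get denials on DNS lookups. The sudo hunk further down keeps `@{run}/resolvconf/resolv.conf r` per-profile, which suggests the other common targets belong here too: `@{run}/systemd/resolve/resolv.conf r,`, `@{run}/resolvconf/resolv.conf r,` and `@{run}/NetworkManager/resolv.conf r,`. Widening the five io.systemd.* varlink sockets from `r` to `rw` in an abstraction that many profiles include lets every such program connect to userdbd, homed and machined; that is what nss-systemd needs, but a comment saying so would stop a later reviewer from narrowing it back, e.g. `# rw: NSS clients connect() to these varlink sockets`. The `# systemd-exec users` comment on the DynamicUser line would be clearer as `# DynamicUser= service users`.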
@@ -74,8 +74,6 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/dbus-1/services/ rw,
 @{run}/systemd/inhibit/[0-9]*.ref rw,
 @{run}/systemd/sessions/*.ref rw,
- @{run}/systemd/userdb/io.systemd.DynamicUser w,
- @{run}/systemd/userdb/io.systemd.Machine rw,
 @{run}/systemd/users/@{uid} r,
 @{sys}/kernel/security/apparmor/.access rw,
diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper
index 4e9e67fe8..e4d804aad 100644
--- a/apparmor.d/groups/freedesktop/polkit-agent-helper
+++ b/apparmor.d/groups/freedesktop/polkit-agent-helper
@@ -35,7 +35,6 @@ profile polkit-agent-helper @{exec_path} {
 owner @{HOME}/.xsession-errors w,
 @{run}/faillock/[a-zA-z0-9]* rwk,
- @{run}/systemd/userdb/io.systemd.DynamicUser w,
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd
index 289496ba3..c6da6e1f9 100644
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@@ -52,7 +52,6 @@ profile polkitd @{exec_path} {
 @{run}/systemd/sessions/* r,
 @{run}/systemd/users/@{uid} r,
- @{run}/systemd/userdb/io.systemd.DynamicUser w,
 # Silencer
 deny /.cache/ rw,
diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm
index 9bfac45cb..dcfb51822 100644
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@@ -46,7 +46,6 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/seats/seat[0-9]* r,
 @{run}/systemd/sessions/* r,
 @{run}/systemd/sessions/*.ref r,
- @{run}/systemd/userdb/ r,
 @{run}/systemd/users/@{uid} r,
 @{run}/udev/tags/master-of-seat/ r,
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index 16a887a82..d5ebffde0 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -46,7 +46,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/dconf/user rw,
 @{run}/mount/utab r,
- @{run}/systemd/userdb/ r,
 @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
 @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent
index a245dcfeb..072e6be00 100644
--- a/apparmor.d/groups/gvfs/gvfsd-recent
+++ b/apparmor.d/groups/gvfs/gvfsd-recent
@@ -31,7 +31,6 @@ profile gvfsd-recent @{exec_path} {
 owner @{PROC}/@{pid}/mountinfo r,
- @{run}/systemd/userdb/ r,
 @{run}/mount/utab r,
 include if exists
diff --git a/apparmor.d/groups/network/nm-openvpn-service b/apparmor.d/groups/network/nm-openvpn-service
index 5c799a41a..3676d6434 100644
--- a/apparmor.d/groups/network/nm-openvpn-service
+++ b/apparmor.d/groups/network/nm-openvpn-service
@@ -24,7 +24,6 @@ profile nm-openvpn-service @{exec_path} {
 /{usr/,}lib/nm-openvpn-service-openvpn-helper rPx,
 /{usr/,}bin/kmod rPx,
- @{run}/systemd/userdb/ r,
 @{run}/NetworkManager/nm-openvpn-@{uuid} rw,
 /dev/net/tun rw,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 908504768..a306815ae 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -26,8 +26,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 @{exec_path} mr,
 /etc/machine-id r,
- /etc/nsswitch.conf r,
- /etc/passwd r,
 /etc/systemd/logind.conf r,
 /etc/systemd/sleep.conf r,
@@ -67,9 +65,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 @{run}/systemd/seats/seat[0-9]* rw,
 @{run}/systemd/sessions/{,*} rw,
 @{run}/systemd/sessions/*.ref rw,
- @{run}/systemd/userdb/ r,
- @{run}/systemd/userdb/io.systemd.DynamicUser rw,
- @{run}/systemd/userdb/io.systemd.Machine rw,
 @{run}/systemd/users/ rw,
 @{run}/systemd/users/.#* rw,
 @{run}/systemd/users/@{uid} rw,
diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles
index 07f1a181c..4356579fc 100644
--- a/apparmor.d/groups/systemd/systemd-tmpfiles
+++ b/apparmor.d/groups/systemd/systemd-tmpfiles
@@ -46,7 +46,6 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
 /usr/{,**} rw,
 /var/{,**} rwk,
- @{run}/systemd/userdb/ r,
 @{sys}/devices/system/cpu/microcode/reload w,
 @{PROC}/@{pid}/net/unix r,
diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl
index 084115314..caaee986e 100644
--- a/apparmor.d/groups/systemd/userdbctl
+++ b/apparmor.d/groups/systemd/userdbctl
@@ -18,12 +18,9 @@ profile userdbctl @{exec_path} {
 /{usr/,}bin/less rPx -> child-pager,
- /etc/group r,
 /etc/shadow r,
 /etc/gshadow r,
- @{run}/systemd/userdb/ r,
- @{PROC}/@{pid}/cgroup r,
 include if exists
diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report
index a6b6447d2..f7348d1a1 100644
--- a/apparmor.d/groups/ubuntu/ubuntu-report
+++ b/apparmor.d/groups/ubuntu/ubuntu-report
@@ -17,8 +17,6 @@ profile ubuntu-report @{exec_path} {
 owner @{user_cache_dirs}/ubuntu-report/{,*} r,
- @{run}/systemd/resolve/stub-resolv.conf r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 include if exists
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
index 081391664..ed52d32fa 100644
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@@ -52,12 +52,8 @@ profile update-notifier @{exec_path} {
 owner /tmp/#[0-9]* rw,
- @{run}/systemd/userdb/io.systemd.DynamicUser w,
- @{run}/systemd/userdb/ r,
- owner @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pids}/mountinfo r,
- @{PROC}/sys/kernel/random/boot_id r,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge
index 9b4b840e7..f3367b5e1 100644
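Review bot: The removal of `@{PROC}/@{pid}/cgroup r` in the userdbctl hunk is not replaced by anything in the new nameservice-strict, which only grants the `@{etc_ro}` files, the userdb sockets and boot_id; unless another included abstraction already covers it (not visible here), userdbctl will log a denial when it reads its own cgroup. Keep `@{PROC}/@{pid}/cgroup r,` or move it in a separate commit once the covering abstraction is identified. The `/etc/group r` removal is fine since the abstraction now grants `@{etc_ro}/group r`, assuming `@{etc_ro}` expands to /etc and the profile includes nameservice-strict (the include is outside the hunk).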
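Review bot: In the ubuntu-report hunk, `@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r` is dropped although it has nothing to do with name resolution and is not provided by the new abstraction; presumably it was moved to a base abstraction elsewhere, but if not, the Go runtime's read of that file will now be denied. Either restore `@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,` or state in the commit message where it is granted now. The stub-resolv.conf removal is covered by the abstraction, provided this profile includes nameservice-strict (the include is outside the hunk).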
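Review bot: In the update-notifier hunk, `owner @{PROC}/@{pid}/fd/ r` is removed together with the userdb rules but is unrelated to NSS and is not granted by nameservice-strict; unless abstractions/base covers it (not visible here), this introduces a new denial. Suggest restoring `owner @{PROC}/@{pid}/fd/ r,` or moving it in its own commit with a rationale. The other removals (the DynamicUser socket, the userdb directory and boot_id) are all provided by the abstraction, assuming the profile includes it.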
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@@ -39,7 +39,6 @@ profile cockpit-bridge @{exec_path} {
 owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw,
- @{run}/systemd/userdb/ r,
 @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw,
 @{run}/utmp r,
diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session
index b91630d09..5601ea916 100644
--- a/apparmor.d/groups/virt/cockpit-session
+++ b/apparmor.d/groups/virt/cockpit-session
@@ -33,7 +33,6 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
 @{run}/faillock/[a-zA-z0-9]* rwk,
 @{run}/systemd/sessions/*.ref rw,
- @{run}/systemd/userdb/ r,
 @{run}/utmp rwk,
 /var/log/btmp rw,
diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd
index 81074daa5..a9158b760 100644
--- a/apparmor.d/profiles-a-f/auditd
+++ b/apparmor.d/profiles-a-f/auditd
@@ -30,7 +30,6 @@ profile auditd @{exec_path} flags=(attach_disconnected) {
 owner @{run}/auditd.pid rwl,
 owner @{run}/auditd.state rw,
 @{run}/systemd/journal/dev-log w,
- @{run}/systemd/userdb/ r,
 owner @{PROC}/@{pid}/attr/current r,
 owner @{PROC}/@{pid}/loginuid r,
diff --git a/apparmor.d/profiles-g-l/lastlog b/apparmor.d/profiles-g-l/lastlog
index f15340027..3bfc4a63a 100644
--- a/apparmor.d/profiles-g-l/lastlog
+++ b/apparmor.d/profiles-g-l/lastlog
@@ -19,7 +19,5 @@ profile lastlog @{exec_path} {
 /var/log/lastlog r,
 /etc/login.defs r,
- @{run}/systemd/userdb/io.systemd.DynamicUser w,
-
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login
index 83e984ce4..ffcf468df 100644
--- a/apparmor.d/profiles-g-l/login
+++ b/apparmor.d/profiles-g-l/login
@@ -41,8 +41,6 @@ profile login @{exec_path} {
 /var/log/btmp{,.[0-9]*} r,
 @{run}/faillock/root rwk,
- @{run}/systemd/userdb/ r,
- @{run}/systemd/userdb/io.systemd.DynamicUser rw,
 @{run}/dbus/system_bus_socket rw,
 @{run}/motd.dynamic{,.new} rw,
 @{run}/systemd/sessions/*.ref rw,
diff --git a/apparmor.d/profiles-m-r/pwck b/apparmor.d/profiles-m-r/pwck
index 34780b697..f6d1e7c58 100644
--- a/apparmor.d/profiles-m-r/pwck
+++ b/apparmor.d/profiles-m-r/pwck
@@ -24,7 +24,5 @@ profile pwck @{exec_path} {
 /etc/shadow.[0-9]* rw,
 /etc/shadow.lock wl,
- @{run}/systemd/userdb/ r,
-
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd
index 77fe8d1ef..65616a182 100644
--- a/apparmor.d/profiles-m-r/rsyslogd
+++ b/apparmor.d/profiles-m-r/rsyslogd
@@ -60,7 +60,6 @@ profile rsyslogd @{exec_path} {
 @{PROC}/cmdline r,
 @{PROC}/sys/kernel/osrelease r,
- @{run}/systemd/userdb/io.systemd.Machine rw,
 @{run}/systemd/notify w,
 include if exists
diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su
index 19d1ec1c3..24654d781 100644
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@@ -60,9 +60,6 @@ profile su @{exec_path} {
 /dev/{,pts/}ptmx rw,
 @{run}/dbus/system_bus_socket rw,
- @{run}/systemd/userdb/ r,
- @{run}/systemd/userdb/io.systemd.Machine rw,
- @{run}/systemd/userdb/io.systemd.DynamicUser rw,
 dbus (send) bus=system
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index c5a7aed5a..a72ee3640 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -77,8 +77,6 @@ profile sudo @{exec_path} {
 owner @{HOME}/.sudo_as_admin_successful rw,
- @{run}/systemd/userdb/ r,
- @{run}/systemd/userdb/io.systemd.DynamicUser rw,
 @{run}/resolvconf/resolv.conf r,
 /dev/ r, # interactive login