Cleanup.

apparmor.d/groups/browsers/chrome-gnome-shell

@@ -11,6 +11,7 @@ profile chrome-gnome-shell @{exec_path} {
   include <abstractions/base>
   include <abstractions/python>
   include <abstractions/nameservice-strict>
+  include <abstractions/dconf>
   include <abstractions/ssl_certs>
   include <abstractions/openssl>
 
@@ -22,15 +23,8 @@ profile chrome-gnome-shell @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/ r,
-  /{usr/,}bin/python3.[0-9]* r,
-  owner @{user_lib_dirs}/python3.9/site-packages/ r,
-
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
 
-  owner @{HOME}/.config/dconf/user r,
-
-  owner @{run}/user/@{pid}/dconf/user rw,
   owner @{PROC}/@{pid}/mounts r,
 
   include if exists <local/chrome-gnome-shell>

apparmor.d/groups/gnome/evolution-alarm-notify

@@ -10,6 +10,7 @@ include <tunables/global>
 profile evolution-alarm-notify @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
+  include <abstractions/freedesktop.org>
   include <abstractions/fontconfig-cache-read>
   include <abstractions/openssl>
   include <abstractions/fonts>
@@ -19,15 +20,11 @@ profile evolution-alarm-notify @{exec_path} {
   
   /etc/fonts/{,**} r,
 
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/mime/mime.cache r,
-  /usr/share/applications/{,**} r,
-  /usr/share/icons/{,**} r,
-  /usr/share/X11/xkb/**  r,
   /usr/share/fonts/{,**} r,
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  /usr/share/X11/xkb/**  r,
 
   owner @{user_config_dirs}/mimeapps.list r,
-  owner @{user_share_dirs}/applications/{,**} r,
 
   include <abstractions/dconf>
   owner @{run}/user/[0-9]*/dconf/ rw,

apparmor.d/groups/gnome/gjs-console

@@ -21,12 +21,12 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/[a-z0-9]* rPix,
   /usr/{lib,libexec}/** rPix,
 
-  /usr/share/gnome-shell/{,**} r,
+  /usr/share/dconf/profile/gdm r,
-  /usr/share/themes/*/gtk-3.0/{,**} r,
   /usr/share/gdm/greeter-dconf-defaults r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  /usr/share/gnome-shell/{,**} r,
+  /usr/share/themes/*/gtk-3.0/{,**} r,
   /usr/share/X11/xkb/** r,
-  /usr/share/dconf/profile/gdm r,
 
   /var/lib/gdm/.config/dconf/user r,
   /var/lib/gdm/.cache/gstreamer-1.0/ rw,

apparmor.d/groups/gnome/gsd-media-keys

@@ -28,7 +28,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 
   owner @{user_config_dirs}/pulse/client.conf r,
   owner @{user_config_dirs}/pulse/cookie rk,
-  owner @{HOME}/.cache/event-sound-cache.tdb.* rwk,
+  owner @{user_share_dirs}/event-sound-cache.tdb.* rwk,
 
   /var/lib/gdm/.config/pulse/client.conf r,
 

apparmor.d/groups/pacman/pacman-key

@@ -12,10 +12,10 @@ profile pacman-key @{exec_path} {
   
   @{exec_path} mr,
 
-  /{usr/,}bin/pacman-conf  rPx,
-  /{usr/,}bin/gpg          rUx,
-  /{usr/,}bin/gettext      rix,
   /{usr/,}bin/basename     rix,
+  /{usr/,}bin/gettext      rix,
+  /{usr/,}bin/gpg          rUx,
+  /{usr/,}bin/pacman-conf  rPx,
   /{usr/,}bin/tput         rix,
 
   /usr/share/makepkg/{,**} r,

apparmor.d/groups/systemd/systemd-sysusers

@@ -24,13 +24,14 @@ profile systemd-sysusers @{exec_path} {
 
   /etc/ r,
   /etc/nsswitch.conf r,
-  /etc/passwd r,
+  /etc/{passwd,shadow} rw,
-  /etc/group rw,
+  /etc/{passwd,shadow}- rw,
-  /etc/group- rw,
+  /etc/{passwd,shadow}+ rw,
-  /etc/gshadow rw,
+  /etc/.#{passwd,shadow}[0-9a-zA-Z]* rw,
-  /etc/gshadow- rw,
+  /etc/{group,gshadow} rw,
-  /etc/.#group* rw,
+  /etc/{group,gshadow}- rw,
-  /etc/.#gshadow* rw,
+  /etc/{group,gshadow}+ rw,
+  /etc/.#{group,gshadow}[0-9a-zA-Z]* rw,
   /etc/.pwd.lock rwk,
 
   owner @{PROC}/@{pid}/stat r,