diff --git a/apparmor.d/profiles-g-l/groups b/apparmor.d/profiles-g-l/groups
index e4da11c12..b7c74d74f 100644
--- a/apparmor.d/profiles-g-l/groups
+++ b/apparmor.d/profiles-g-l/groups
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/groups
 profile groups @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
   @{exec_path} mr,
diff --git a/apparmor.d/profiles-g-l/last b/apparmor.d/profiles-g-l/last
index 04926ce2d..3ddb573b5 100644
--- a/apparmor.d/profiles-g-l/last
+++ b/apparmor.d/profiles-g-l/last
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/last{,b}
 profile last @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
   include <abstractions/wutmp>
 
@@ -21,5 +22,8 @@ profile last @{exec_path} {
 
   @{PROC}/@{pids}/loginuid r,
 
+  /var/log/wtmp r,
+  /var/log/btmp{,.[0-9]*} r,
+
   include if exists <local/last>
 }
diff --git a/apparmor.d/profiles-g-l/lastlog b/apparmor.d/profiles-g-l/lastlog
index bf32a3793..f15340027 100644
--- a/apparmor.d/profiles-g-l/lastlog
+++ b/apparmor.d/profiles-g-l/lastlog
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/lastlog
 profile lastlog @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
   network netlink raw,
@@ -18,5 +19,7 @@ profile lastlog @{exec_path} {
   /var/log/lastlog r,
   /etc/login.defs r,
 
+  @{run}/systemd/userdb/io.systemd.DynamicUser w,
+
   include if exists <local/lastlog>
 }
diff --git a/apparmor.d/profiles-g-l/lscpu b/apparmor.d/profiles-g-l/lscpu
index 48f0532d2..16dee098c 100644
--- a/apparmor.d/profiles-g-l/lscpu
+++ b/apparmor.d/profiles-g-l/lscpu
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/lscpu
 profile lscpu @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/profiles-m-r/passwd b/apparmor.d/profiles-m-r/passwd
index 44e9dea5e..9b9663e3e 100644
--- a/apparmor.d/profiles-m-r/passwd
+++ b/apparmor.d/profiles-m-r/passwd
@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/passwd
 profile passwd @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/authentication>
   include <abstractions/nameservice-strict>
   include <abstractions/wutmp>
diff --git a/apparmor.d/profiles-s-z/top b/apparmor.d/profiles-s-z/top
index d31f30dda..0b403aed3 100644
--- a/apparmor.d/profiles-s-z/top
+++ b/apparmor.d/profiles-s-z/top
@@ -11,6 +11,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/top
 profile top @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/wutmp>
   include <abstractions/nameservice-strict>
 
diff --git a/apparmor.d/profiles-s-z/uptime b/apparmor.d/profiles-s-z/uptime
index 2ce034b79..32e1915a8 100644
--- a/apparmor.d/profiles-s-z/uptime
+++ b/apparmor.d/profiles-s-z/uptime
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/uptime
 profile uptime @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/wutmp>
 
   @{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/usb-devices b/apparmor.d/profiles-s-z/usb-devices
index 7b12a9726..271ebfb98 100644
--- a/apparmor.d/profiles-s-z/usb-devices
+++ b/apparmor.d/profiles-s-z/usb-devices
@@ -9,8 +9,12 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/usb-devices
 profile usb-devices @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/devices-usb>
 
+       capability dac_read_search,
+  deny capability dac_override,
+
   @{exec_path} r,
   /{usr/,}bin/{,ba,da}sh rix,
 
diff --git a/apparmor.d/profiles-s-z/w b/apparmor.d/profiles-s-z/w
index 230c7d65a..9c12e5cf5 100644
--- a/apparmor.d/profiles-s-z/w
+++ b/apparmor.d/profiles-s-z/w
@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/w
 profile w @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
   include <abstractions/wutmp>