diff --git a/pkg/aa/capability.go b/pkg/aa/capability.go
index 7d202af9a..5957198db 100644
--- a/pkg/aa/capability.go
+++ b/pkg/aa/capability.go
@@ -9,9 +9,9 @@ type Capability struct {
 	Name string
 }
 
-func CapabilityFromLog(log map[string]string, noNewPrivs, fileInherit bool) ApparmorRule {
+func CapabilityFromLog(log map[string]string) ApparmorRule {
 	return &Capability{
-		Qualifier: NewQualifier(false, noNewPrivs, fileInherit),
+		Qualifier: NewQualifierFromLog(log),
 		Name: log["capname"],
 	}
 }
diff --git a/pkg/aa/change_profile.go b/pkg/aa/change_profile.go
index b0f1f708d..82ebb9736 100644
--- a/pkg/aa/change_profile.go
+++ b/pkg/aa/change_profile.go
@@ -10,7 +10,7 @@ type ChangeProfile struct {
 	ProfileName string
 }
 
-func ChangeProfileFromLog(log map[string]string, noNewPrivs, fileInherit bool) ApparmorRule {
+func ChangeProfileFromLog(log map[string]string) ApparmorRule {
 	return &ChangeProfile{
 		ExecMode: log["mode"],
 		Exec: log["exec"],
diff --git a/pkg/aa/dbus.go b/pkg/aa/dbus.go
index 2745723e2..e269bfc92 100644
--- a/pkg/aa/dbus.go
+++ b/pkg/aa/dbus.go
@@ -15,9 +15,9 @@ type Dbus struct {
 	Label string
 }
 
-func DbusFromLog(log map[string]string, noNewPrivs, fileInherit bool) ApparmorRule {
+func DbusFromLog(log map[string]string) ApparmorRule {
 	return &Dbus{
-		Qualifier: NewQualifier(false, noNewPrivs, fileInherit),
+		Qualifier: NewQualifierFromLog(log),
 		Access: log["mask"],
 		Bus: log["bus"],
 		Name: log["name"],
diff --git a/pkg/aa/file.go b/pkg/aa/file.go
index 2d00a4f73..e14674cf5 100644
--- a/pkg/aa/file.go
+++ b/pkg/aa/file.go
@@ -11,13 +11,9 @@ type File struct {
 	Target string
 }
 
-func FileFromLog(log map[string]string, noNewPrivs, fileInherit bool) ApparmorRule {
-	owner := false
-	if log["fsuid"] == log["ouid"] && log["OUID"] != "root" {
-		owner = true
-	}
+func FileFromLog(log map[string]string) ApparmorRule {
 	return &File{
-		Qualifier: NewQualifier(owner, noNewPrivs, fileInherit),
+		Qualifier: NewQualifierFromLog(log),
 		Path: log["name"],
 		Access: maskToAccess[log["requested_mask"]],
 		Target: log["target"],
diff --git a/pkg/aa/mount.go b/pkg/aa/mount.go
index f0bad6dd7..42fc44393 100644
--- a/pkg/aa/mount.go
+++ b/pkg/aa/mount.go
@@ -38,9 +38,9 @@ type Mount struct {
 	MountPoint string
 }
 
-func MountFromLog(log map[string]string, noNewPrivs, fileInherit bool) ApparmorRule {
+func MountFromLog(log map[string]string) ApparmorRule {
 	return &Mount{
-		Qualifier: NewQualifier(false, noNewPrivs, fileInherit),
+		Qualifier: NewQualifierFromLog(log),
 		MountConditions: MountConditions{
 			Fs: "",
 			Op: "",
@@ -79,9 +79,9 @@ type Umount struct {
 	MountPoint string
 }
 
-func UmountFromLog(log map[string]string, noNewPrivs, fileInherit bool) ApparmorRule {
+func UmountFromLog(log map[string]string) ApparmorRule {
 	return &Umount{
-		Qualifier: NewQualifier(false, noNewPrivs, fileInherit),
+		Qualifier: NewQualifierFromLog(log),
 		MountConditions: MountConditions{
 			Fs: "",
 			Op: "",
@@ -116,9 +116,9 @@ type Remount struct {
 	MountPoint string
 }
 
-func RemountFromLog(log map[string]string, noNewPrivs, fileInherit bool) ApparmorRule {
+func RemountFromLog(log map[string]string) ApparmorRule {
 	return &Remount{
-		Qualifier: NewQualifier(false, noNewPrivs, fileInherit),
+		Qualifier: NewQualifierFromLog(log),
 		MountConditions: MountConditions{
 			Fs: "",
 			Op: "",
diff --git a/pkg/aa/mqueue.go b/pkg/aa/mqueue.go
index e9f06b4ee..df2c1c9e1 100644
--- a/pkg/aa/mqueue.go
+++ b/pkg/aa/mqueue.go
@@ -11,9 +11,9 @@ type Mqueue struct {
 	Label string
 }
 
-func MqueueFromLog(log map[string]string, noNewPrivs, fileInherit bool) ApparmorRule {
+func MqueueFromLog(log map[string]string) ApparmorRule {
 	return &Mqueue{
-		Qualifier: NewQualifier(false, noNewPrivs, fileInherit),
+		Qualifier: NewQualifierFromLog(log),
 		Access: maskToAccess[log["requested_mask"]],
 		Type: log["type"],
 		Label: log["label"],
diff --git a/pkg/aa/network.go b/pkg/aa/network.go
index 00a983787..5888dd2ad 100644
--- a/pkg/aa/network.go
+++ b/pkg/aa/network.go
@@ -33,9 +33,9 @@ type Network struct {
 	AddressExpr
 }
 
-func NetworkFromLog(log map[string]string, noNewPrivs, fileInherit bool) ApparmorRule {
+func NetworkFromLog(log map[string]string) ApparmorRule {
 	return &Network{
-		Qualifier: NewQualifier(false, noNewPrivs, fileInherit),
+		Qualifier: NewQualifierFromLog(log),
 		AddressExpr: AddressExpr{
 			Source: log["laddr"],
 			Destination: log["faddr"],
diff --git a/pkg/aa/pivot_root.go b/pkg/aa/pivot_root.go
index 2c0f5c639..72a6eae8d 100644
--- a/pkg/aa/pivot_root.go
+++ b/pkg/aa/pivot_root.go
@@ -11,9 +11,9 @@ type PivotRoot struct {
 	TargetProfile string
 }
 
-func PivotRootFromLog(log map[string]string, noNewPrivs, fileInherit bool) ApparmorRule {
+func PivotRootFromLog(log map[string]string) ApparmorRule {
 	return &PivotRoot{
-		Qualifier: NewQualifier(false, noNewPrivs, fileInherit),
+		Qualifier: NewQualifierFromLog(log),
 		OldRoot: log["oldroot"],
 		NewRoot: log["root"],
 		TargetProfile: log["name"],
diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go
index 714fbecd8..98a41cfd5 100644
--- a/pkg/aa/profile.go
+++ b/pkg/aa/profile.go
@@ -66,15 +66,7 @@ func (p *AppArmorProfile) String() string { // AddRule adds a new rule to the profile from a log map func (p *AppArmorProfile) AddRule(log map[string]string) { - noNewPrivs := false - fileInherit := false - if log["operation"] == "file_inherit" { - fileInherit = true - } - switch log["error"] { - case "-1": - noNewPrivs = true case "-2": if !slices.Contains(p.Flags, "mediate_deleted") { p.Flags = append(p.Flags, "mediate_deleted") 
@@ -90,36 +82,36 @@ func (p *AppArmorProfile) AddRule(log map[string]string) {
 
 	switch log["class"] {
 	case "cap":
-		p.Rules = append(p.Rules, CapabilityFromLog(log, noNewPrivs, fileInherit))
+		p.Rules = append(p.Rules, CapabilityFromLog(log))
 	case "net":
-		p.Rules = append(p.Rules, NetworkFromLog(log, noNewPrivs, fileInherit))
+		p.Rules = append(p.Rules, NetworkFromLog(log))
 	case "mount":
-		p.Rules = append(p.Rules, MountFromLog(log, noNewPrivs, fileInherit))
+		p.Rules = append(p.Rules, MountFromLog(log))
 	case "remount":
-		p.Rules = append(p.Rules, RemountFromLog(log, noNewPrivs, fileInherit))
+		p.Rules = append(p.Rules, RemountFromLog(log))
 	case "umount":
-		p.Rules = append(p.Rules, UmountFromLog(log, noNewPrivs, fileInherit))
+		p.Rules = append(p.Rules, UmountFromLog(log))
 	case "pivot_root":
-		p.Rules = append(p.Rules, PivotRootFromLog(log, noNewPrivs, fileInherit))
+		p.Rules = append(p.Rules, PivotRootFromLog(log))
 	case "change_profile":
-		p.Rules = append(p.Rules, RemountFromLog(log, noNewPrivs, fileInherit))
+		p.Rules = append(p.Rules, RemountFromLog(log))
 	case "mqueue":
-		p.Rules = append(p.Rules, MqueueFromLog(log, noNewPrivs, fileInherit))
+		p.Rules = append(p.Rules, MqueueFromLog(log))
 	case "signal":
-		p.Rules = append(p.Rules, SignalFromLog(log, noNewPrivs, fileInherit))
+		p.Rules = append(p.Rules, SignalFromLog(log))
 	case "ptrace":
-		p.Rules = append(p.Rules, PtraceFromLog(log, noNewPrivs, fileInherit))
+		p.Rules = append(p.Rules, PtraceFromLog(log))
 	case "namespace":
-		p.Rules = append(p.Rules, UsernsFromLog(log, noNewPrivs, fileInherit))
+		p.Rules = append(p.Rules, UsernsFromLog(log))
 	case "unix":
-		p.Rules = append(p.Rules, UnixFromLog(log, noNewPrivs, fileInherit))
+		p.Rules = append(p.Rules, UnixFromLog(log))
 	case "file":
-		p.Rules = append(p.Rules, FileFromLog(log, noNewPrivs, fileInherit))
+		p.Rules = append(p.Rules, FileFromLog(log))
 	default:
 		if strings.Contains(log["operation"], "dbus") {
-			p.Rules = append(p.Rules, DbusFromLog(log, noNewPrivs, fileInherit))
+			p.Rules = append(p.Rules, DbusFromLog(log))
 		} else if log["family"] == "unix" {
-			p.Rules = append(p.Rules, UnixFromLog(log, noNewPrivs, fileInherit))
+			p.Rules = append(p.Rules, UnixFromLog(log))
 		}
 	}
 }
diff --git a/pkg/aa/ptrace.go b/pkg/aa/ptrace.go
index 05f94320a..db348d166 100644
--- a/pkg/aa/ptrace.go
+++ b/pkg/aa/ptrace.go
@@ -10,9 +10,9 @@ type Ptrace struct {
 	Peer string
 }
 
-func PtraceFromLog(log map[string]string, noNewPrivs, fileInherit bool) ApparmorRule {
+func PtraceFromLog(log map[string]string) ApparmorRule {
 	return &Ptrace{
-		Qualifier: NewQualifier(false, noNewPrivs, fileInherit),
+		Qualifier: NewQualifierFromLog(log),
 		Access: maskToAccess[log["requested_mask"]],
 		Peer: log["peer"],
 	}
diff --git a/pkg/aa/rules.go b/pkg/aa/rules.go
index 0f0be834c..927e75d7c 100644
--- a/pkg/aa/rules.go
+++ b/pkg/aa/rules.go
@@ -13,7 +13,24 @@ type Qualifier struct {
 	FileInherit bool
 }
 
-func NewQualifier(owner, noNewPrivs, fileInherit bool) Qualifier {
+func NewQualifierFromLog(log map[string]string) Qualifier {
+	owner := false
+	fsuid, hasFsUID := log["fsuid"]
+	ouid, hasOuUID := log["ouid"]
+	OUID, hasOUID := log["OUID"]
+	isDbus := strings.Contains(log["operation"], "dbus")
+	if hasFsUID && hasOuUID && hasOUID && fsuid == ouid && OUID != "root" && !isDbus {
+		owner = true
+	}
+
+	fileInherit := false
+	if log["operation"] == "file_inherit" {
+		fileInherit = true
+	}
+	noNewPrivs := false
+	if log["error"] == "-1" {
+		noNewPrivs = true
+	}
 	return Qualifier{
 		Audit: false,
 		AccessType: "",
diff --git a/pkg/aa/rules_test.go b/pkg/aa/rules_test.go
index 60cb8fe95..a55f36e7d 100644
--- a/pkg/aa/rules_test.go
+++ b/pkg/aa/rules_test.go
@@ -12,7 +12,7 @@ import (
 func TestRule_FromLog(t *testing.T) {
 	tests := []struct {
 		name string
-		fromLog func(map[string]string, bool, bool) ApparmorRule
+		fromLog func(map[string]string) ApparmorRule
 		log map[string]string
 		want ApparmorRule
 	}{
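Review bot: The `case "change_profile":` branch still appends `RemountFromLog(log)`, so a change_profile denial is turned into a remount rule even though `ChangeProfileFromLog` exists and is updated in this same commit; the line should read `p.Rules = append(p.Rules, ChangeProfileFromLog(log))`. Because the output of AddRule is what ends up loaded as policy, the mis-classification silently emits a mount-family rule that the logged event never asked for while the actual profile transition stays unaddressed. The bug predates this change, but the commit rewrites exactly this line, so it is the natural place to fix it; the `-1`/`-2` error handling at the top of AddRule sits in the earlier hunk.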
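Review bot: `owner` is now derived for every rule class that calls NewQualifierFromLog, whereas the removed code computed it only inside FileFromLog and every other FromLog passed `false`; the only exclusion kept here is `isDbus`. Any audit record of another class that carries matching `fsuid`/`ouid` plus an `OUID` (I cannot tell from the hunk which classes do) will now get the owner qualifier, presumably in `Qualifier.Owner`, which narrows the emitted rule beyond what the previous code produced and, for rule types whose grammar does not take `owner`, may yield a profile the parser rejects — either restrict the derivation to the file class or document that it is intentional. On style, the two flag derivations read more directly as boolean assignments, `OUID` as a capitalized local and `hasOuUID` as a half-initialism are both off the usual naming, and the hunk does not show a `strings` import for rules.go, so confirm one already exists. Suggested shape below; the Qualifier literal that follows is unchanged.
```go
func NewQualifierFromLog(log map[string]string) Qualifier {
	fsuid, hasFsUID := log["fsuid"]
	ouid, hasOUID := log["ouid"]
	ouidName, hasOUIDName := log["OUID"]
	isDbus := strings.Contains(log["operation"], "dbus")
	// owner only when all three fields are present, the uids match and the owner is not root
	owner := hasFsUID && hasOUID && hasOUIDName && fsuid == ouid && ouidName != "root" && !isDbus
	fileInherit := log["operation"] == "file_inherit"
	noNewPrivs := log["error"] == "-1"
	// … unchanged: Qualifier literal …
```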
@@ -73,7 +73,7 @@ func TestRule_FromLog(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if got := tt.fromLog(tt.log, false, false); !reflect.DeepEqual(got, tt.want) {
+			if got := tt.fromLog(tt.log); !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("RuleFromLog() = %v, want %v", got, tt.want)
 			}
 		})
diff --git a/pkg/aa/signal.go b/pkg/aa/signal.go
index 0c8841887..d23739fb4 100644
--- a/pkg/aa/signal.go
+++ b/pkg/aa/signal.go
@@ -11,9 +11,9 @@ type Signal struct {
 	Peer string
 }
 
-func SignalFromLog(log map[string]string, noNewPrivs, fileInherit bool) ApparmorRule {
+func SignalFromLog(log map[string]string) ApparmorRule {
 	return &Signal{
-		Qualifier: NewQualifier(false, noNewPrivs, fileInherit),
+		Qualifier: NewQualifierFromLog(log),
 		Access: maskToAccess[log["requested_mask"]],
 		Set: log["signal"],
 		Peer: log["peer"],
diff --git a/pkg/aa/unix.go b/pkg/aa/unix.go
index f7a970895..c092985d3 100644
--- a/pkg/aa/unix.go
+++ b/pkg/aa/unix.go
@@ -17,9 +17,9 @@ type Unix struct {
 	PeerAddr string
 }
 
-func UnixFromLog(log map[string]string, noNewPrivs, fileInherit bool) ApparmorRule {
+func UnixFromLog(log map[string]string) ApparmorRule {
 	return &Unix{
-		Qualifier: NewQualifier(false, noNewPrivs, fileInherit),
+		Qualifier: NewQualifierFromLog(log),
 		Access: maskToAccess[log["requested_mask"]],
 		Type: log["sock_type"],
 		Protocol: log["protocol"],
diff --git a/pkg/aa/userns.go b/pkg/aa/userns.go
index a97cfa079..982ac7b94 100644
--- a/pkg/aa/userns.go
+++ b/pkg/aa/userns.go
@@ -9,9 +9,9 @@ type Userns struct {
 	Create bool
 }
 
-func UsernsFromLog(log map[string]string, noNewPrivs, fileInherit bool) ApparmorRule {
+func UsernsFromLog(log map[string]string) ApparmorRule {
 	return &Userns{
-		Qualifier: NewQualifier(false, noNewPrivs, fileInherit),
+		Qualifier: NewQualifierFromLog(log),
 		Create: true,
 	}
 }
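Review bot: With the call reduced to `tt.fromLog(tt.log)`, each row's `want` now has to match whatever NewQualifierFromLog derives from that row's map, and nothing in the hunk shows a row that sets `fsuid`, `ouid` and `OUID` together (the table rows sit between the two hunks, outside this one). Without such a row the owner derivation — the part of this change that decides how tightly the generated rule is scoped — is unexercised, and the formerly hard-coded `false, false` path is the only behaviour the table pins. Two file-class rows would cover it: one with matching `fsuid`/`ouid` and a non-root `OUID` expecting the owner qualifier, and one with `OUID` set to `"root"` expecting none.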