diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index b7706ccf4..b34d18c00 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -294,7 +294,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
   owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
   owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
-  owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
+  owner @{run}/user/@{uid}/snap.*/wayland-cursor-shared-@{rand6} rw,
   owner @{run}/user/@{uid}/systemd/notify rw,
 
   owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns
index 157651ac3..98ee0e5e7 100644
--- a/apparmor.d/groups/snap/snap-update-ns
+++ b/apparmor.d/groups/snap/snap-update-ns
@@ -40,11 +40,16 @@ profile snap-update-ns @{exec_path} {
 
   / r,
   /tmp/ r,
+  @{lib}/ r,
   /usr/ r,
   /usr/local/ r,
   /usr/local/share/ r,
   /usr/local/share/doc/ rw,
   /usr/local/share/fonts/ rw,
+  /usr/share/ r,
+  /usr/share/drirc.d w,
+  /usr/share/X11/ r,
+  /usr/share/X11/XErrorDB w,
 
   owner /snap/{,**} rw,
 
diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd
index 7e2c288b6..06de56063 100644
--- a/apparmor.d/groups/snap/snapd
+++ b/apparmor.d/groups/snap/snapd
@@ -99,7 +99,8 @@ profile snapd @{exec_path} {
   /usr/share/bash-completion/{,**} r,
   /usr/share/dbus-1/{system,session}.d/{,snapd*} rw,
   /usr/share/dbus-1/services/*snap* r,
-  /usr/share/polkit-1/actions/{,**/} r,
+  /usr/share/polkit-1/actions/{,**} r,
+  /usr/share/polkit-1/actions/snap.*.policy r,
 
   @{etc_ro}/environment r,
   /etc/apparmor.d/*snapd.snap* r,
@@ -147,6 +148,7 @@ profile snapd @{exec_path} {
 
   @{run}/user/ r,
   @{run}/user/@{uid}/ r,
+  @{run}/user/@{uid}/snap.*/{,**} rw,
   @{run}/user/@{uid}/snapd-session-agent.socket rw,
   @{run}/user/snap.*/{,**} rw,
 
@@ -227,6 +229,9 @@ profile snapd @{exec_path} {
     include <abstractions/base>
 
     @{sbin}/runuser mr,
+    @{bin}/tar ix,
+
+    owner @{HOME}/snap/*/common/.cache/{,**} r,
 
     include if exists <local/snapd_runuser>
   }