diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire
index f4c9367cd..ad4eb57c5 100644
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@@ -41,7 +41,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
 / r,
 @{att}/ r,
- owner @{att}// r,
 owner @{att}/.flatpak-info r,
 owner @{user_config_dirs}/pipewire/{,**} r,
diff --git a/apparmor.d/groups/freedesktop/pkla-check-authorization b/apparmor.d/groups/freedesktop/pkla-check-authorization
new file mode 100644
index 000000000..ff5b72f71
--- /dev/null
+++ b/apparmor.d/groups/freedesktop/pkla-check-authorization
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/pkla-check-authorization
+profile pkla-check-authorization @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd
index a8244bce9..4061af4c8 100644
--- a/apparmor.d/groups/freedesktop/upowerd
+++ b/apparmor.d/groups/freedesktop/upowerd
@@ -13,6 +13,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 network netlink raw,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index ae20e3751..59a24a3b3 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -10,7 +10,6 @@ include
 profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 include
 include
- include
 include
 include
 include
@@ -18,6 +17,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
+ include
 include
 include
 include
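Review bot: The new pkla-check-authorization profile grants only `@{exec_path} mr,` plus whatever its included abstractions provide (the `abi` and `include` targets are stripped in this rendering, so they cannot be reviewed here); the helper's job is to evaluate the legacy localauthority `.pkla` policy, so it presumably also needs read access to those configuration trees, e.g. `/etc/polkit-1/localauthority/{,**} r,` and `/var/lib/polkit-1/localauthority/{,**} r,`. Nothing in the profile grants that, so the helper only keeps working because `dists/flags/main.flags` registers it in complain mode; the denials logged there should be turned into rules before the complain flag is dropped. Since polkitd now transitions into this profile with `rPx`, a profile that is too narrow blocks the authorization check instead of falling back to unconfined.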
@@ -73,6 +74,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 owner @{gdm_config_dirs}/dconf/user r,
 owner @{gdm_config_dirs}/user-dirs.dirs r,
+ # The portal can receive any user file as it is a file chooser for UI app.
+ owner @{HOME}/** r,
+
 @{user_config_dirs}/kioslaverc r,
 owner @{user_config_dirs}/xdg-desktop-portal/* r,
 owner @{user_share_dirs}/xdg-desktop-portal/{,**} rw,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
index cff06d867..ff4a6730a 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@@ -32,8 +32,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
 signal receive set=term peer=gdm,
 signal receive set=hup peer=gdm-session-worker,
- unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
-
 #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gtk
 dbus receive bus=session path=/org/freedesktop/portal/desktop
@@ -58,7 +56,8 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
 /usr/share/gdm/greeter-dconf-defaults r,
- / r,
+ / r,
+ owner @{att}/ r,
 owner /var/lib/xkb/server-@{int}.xkm rw,
diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal
index c56729248..91a203d3a 100644
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@@ -9,10 +9,11 @@ include
 @{exec_path} = @{lib}/xdg-document-portal
 profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
 include
- include
 include
 include
+ include
 include
+ include
 include
 capability sys_admin,
diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update
index 8892bd1ce..224bc2337 100644
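Review bot: `owner @{HOME}/** r,` lets xdg-desktop-portal read every user-owned file under the home directory, not only the file the user picked in the chooser, so it also covers credential stores such as `@{HOME}/.ssh/` and `@{HOME}/.gnupg/`. AppArmor cannot scope the rule to the chosen file, so the breadth is inherent to the portal design, but explicit denies for the obvious secret directories would bound what a compromised portal can read, at the cost of refusing a chooser selection inside them: `deny owner @{HOME}/.ssh/** r,` and `deny owner @{HOME}/.gnupg/** r,` (or the project's shared deny abstraction for sensitive home paths, if one exists). The comment above the rule reads better as `# The portal can receive any user file as it is the file chooser for UI apps.` The profile body continues outside the hunk.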
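Review bot: Dropping `unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),` removes the only visible grant for the X11 abstract socket in xdg-desktop-portal-gtk; under an X11 GNOME session the backend's display connection would be denied unless that access is now covered by an abstraction not visible in this hunk. Worth confirming against the audit log on an X11 session before merging, and naming the abstraction that takes over in the commit message so the next reader does not have to ask the same question. The profile body continues outside the hunk.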
--- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update
+++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update
@@ -9,6 +9,9 @@ include
 @{exec_path} = @{bin}/xdg-user-dirs-gtk-update
 profile xdg-user-dirs-gtk-update @{exec_path} {
 include
+ include
+ include
+ include
 include
 @{exec_path} mr,
diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper
index 7f5ecd107..e663c299e 100644
--- a/apparmor.d/groups/polkit/polkit-agent-helper
+++ b/apparmor.d/groups/polkit/polkit-agent-helper
@@ -25,10 +25,12 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
- signal (receive) set=(term, kill) peer=gnome-shell,
- signal (receive) set=(term, kill) peer=pkexec,
- signal (receive) set=(term, kill) peer=pkttyagent,
- signal (receive) set=(term, kill) peer=polkit-*-authentication-agent,
+ signal receive set=(term kill) peer=gnome-shell,
+ signal receive set=(term kill) peer=pkexec,
+ signal receive set=(term kill) peer=pkttyagent,
+ signal receive set=(term kill) peer=polkit-*-authentication-agent,
+
+ unix bind type=stream addr=@@{udbus}/bus/polkit-agent-he/system,
 dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties
diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd
index 38f05275b..46d7adc60 100644
--- a/apparmor.d/groups/polkit/polkitd
+++ b/apparmor.d/groups/polkit/polkitd
@@ -11,6 +11,7 @@ include
 profile polkitd @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 include
 capability setgid,
@@ -25,7 +26,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{bin}/pkla-check-authorization rPUx,
+ @{bin}/pkla-check-authorization rPx,
 @{bin}/pkla-admin-identities rPx,
 /etc/machine-id r,
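Review bot: Changing `@{bin}/pkla-check-authorization rPUx,` to `rPx` makes the transition into the dedicated pkla-check-authorization profile mandatory: with `PUx` the exec fell back to unconfined when no such profile was loaded, with `Px` it is refused, so polkitd's localauthority lookups break on any system that installs this polkitd profile without the new `apparmor.d/groups/freedesktop/pkla-check-authorization` file. That is the right direction for a root helper spawned by polkitd and matches the adjacent `@{bin}/pkla-admin-identities rPx,`, but the two files must ship together, and the new profile's complain entry in `dists/flags/main.flags` should only be dropped once its rules are complete. The profile body continues outside the hunk.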
@@ -68,9 +69,6 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/fdinfo/@{int} r,
- # Silencer
- deny /.cache/ rw,
-
 include if exists
 }
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index e57be4377..2d1f96c1f 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -258,8 +258,9 @@ os-prober attach_disconnected,complain
 pam_kwallet_init complain
 pam-tmpdir-helper complain
 passimd attach_disconnected,complain
-pkttyagent complain
 pkla-admin-identities complain
+pkla-check-authorization complain
+pkttyagent complain
 plank complain
 plasma_waitforname complain
 plasma-browser-integration-host complain