diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate
index 60ec7656f..64f8399e1 100644
--- a/apparmor.d/groups/network/netplan-generate
+++ b/apparmor.d/groups/network/netplan-generate
@@ -21,9 +21,11 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) {
 
   /etc/netplan/{,*} r,
 
+  @{run}/NetworkManager/ rw,
+  @{run}/NetworkManager/conf.d/ rw,
   @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf rw,
   @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf.@{rand6} rw,
-  @{run}/NetworkManager/system-connections/ r,
+  @{run}/NetworkManager/system-connections/ rw,
   @{run}/NetworkManager/system-connections/* rw,
 
   @{run}/systemd/generator/multi-user.target.wants/ w,
@@ -43,13 +45,13 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/rules.d/ rw,
   @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw,
 
-  @{sys}/devices/**/net/*/address r,
-
   @{run}/netplan/ r,
 
   @{run}/udev/rules.d/ r,
   @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw,
 
+  @{sys}/devices/**/net/*/address r,
+
   profile systemctl {
     include <abstractions/base>
     include <abstractions/app/systemctl>