Add alternatives to private-etc for profiles in etc/

See discussion in #2399

165 files changed, 166 insertions, 166 deletions

diff --git a/etc/QMediathekView.profile b/etc/QMediathekView.profile
index d988fd41a..69dfbecfe 100644
--- a/etc/QMediathekView.profile
+++ b/etc/QMediathekView.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin QMediathekView,mplayer,mpv,smplayer,totem,vlc,xplayer
 private-cache
 private-dev
-# private-etc none
+# private-etc alternatives
 # private-lib
 private-tmp
 
diff --git a/etc/QOwnNotes.profile b/etc/QOwnNotes.profile
index 1135b850b..f63a8b9ef 100644
--- a/etc/QOwnNotes.profile
+++ b/etc/QOwnNotes.profile
@@ -49,7 +49,7 @@ tracelog
 disable-mnt
 private-bin QOwnNotes,gio
 private-dev
-private-etc fonts,ld.so.cache,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,ld.so.cache,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
index a95c8989a..d9b7f8c26 100644
--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -39,5 +39,5 @@ private
 # private-bin Xephyr,sh,xkbcomp
 # private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
 private-dev
-# private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
+# private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
 private-tmp
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile
index 967946a6c..ed07485d6 100644
--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -41,5 +41,5 @@ private
 # private-bin Xvfb,sh,xkbcomp
 # private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls
 private-dev
-private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
+private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
 private-tmp
diff --git a/etc/abrowser.profile b/etc/abrowser.profile
index 010247c6b..b88d7b5f4 100644
--- a/etc/abrowser.profile
+++ b/etc/abrowser.profile
@@ -14,7 +14,7 @@ whitelist ${HOME}/.cache/mozilla/abrowser
 whitelist ${HOME}/.mozilla
 
 # private-etc must first be enabled in firefox-common.profile
-#private-etc abrowser
+#private-etc abrowser, alternatives
 
 
 # Redirect
diff --git a/etc/amarok.profile b/etc/amarok.profile
index 6f2e6b3cc..6cec3befc 100644
--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -31,5 +31,5 @@ shell none
 
 # private-bin amarok
 private-dev
-# private-etc machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/ardour5.profile b/etc/ardour5.profile
index 3c207b5b3..377ce0a2c 100644
--- a/etc/ardour5.profile
+++ b/etc/ardour5.profile
@@ -36,7 +36,7 @@ shell none
 #private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm
 private-cache
 private-dev
-#private-etc pulse,X11,alternatives,ardour4,ardour5,fonts,machine-id,asound.conf
+#private-etc alternatives,pulse,X11,alternatives,ardour4,ardour5,fonts,machine-id,asound.conf
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/aria2c.profile b/etc/aria2c.profile
index 3015349b7..56ed081e6 100644
--- a/etc/aria2c.profile
+++ b/etc/aria2c.profile
@@ -37,7 +37,7 @@ disable-mnt
 private-bin aria2c,gzip
 private-cache
 private-dev
-private-etc ca-certificates,ssl
+private-etc alternatives,ca-certificates,ssl
 private-lib libreadline.so.*
 private-tmp
 
diff --git a/etc/ark.profile b/etc/ark.profile
index 37211682c..b60674f95 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -34,7 +34,7 @@ seccomp
 shell none
 
 private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,bash,sh,tclsh
-#private-etc smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg
+#private-etc alternatives,smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg
 
 private-dev
 private-tmp
diff --git a/etc/arm.profile b/etc/arm.profile
index 288dd972a..217b61d09 100644
--- a/etc/arm.profile
+++ b/etc/arm.profile
@@ -44,7 +44,7 @@ tracelog
 disable-mnt
 private-bin arm,tor,sh,bash,python*,ps,lsof,ldconfig
 private-dev
-private-etc tor,passwd,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,tor,passwd,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/artha.profile b/etc/artha.profile
index 7b0c6735b..431fc3ed1 100644
--- a/etc/artha.profile
+++ b/etc/artha.profile
@@ -37,7 +37,7 @@ disable-mnt
 private-bin artha,enchant,notify-send
 private-cache
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-lib libnotify.so.*
 private-tmp
 
diff --git a/etc/atool.profile b/etc/atool.profile
index d5daeabbe..c82108cef 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -43,5 +43,5 @@ private-cache
 # private-bin atool
 private-dev
 # without login.defs atool complains and uses UID/GID 1000 by default
-private-etc passwd,group,login.defs
+private-etc alternatives,passwd,group,login.defs
 private-tmp
diff --git a/etc/atril.profile b/etc/atril.profile
index 92fae21d4..aca945ba3 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -41,7 +41,7 @@ tracelog
 
 private-bin atril, atril-previewer, atril-thumbnailer
 private-dev
-private-etc fonts,ld.so.cache
+private-etc alternatives,fonts,ld.so.cache
 # atril uses webkit gtk to display epub files
 # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
 #private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit
diff --git a/etc/authenticator.profile b/etc/authenticator.profile
index 9656bb3d7..fc86001be 100644
--- a/etc/authenticator.profile
+++ b/etc/authenticator.profile
@@ -40,7 +40,7 @@ disable-mnt
 # private-bin authenticator
 private-cache
 private-dev
-private-etc fonts,ld.so.cache
+private-etc alternatives,fonts,ld.so.cache
 # private-lib
 private-tmp
 
diff --git a/etc/basilisk.profile b/etc/basilisk.profile
index 5f9fc8ef7..21daebaac 100644
--- a/etc/basilisk.profile
+++ b/etc/basilisk.profile
@@ -20,7 +20,7 @@ seccomp
 
 #private-bin basilisk
 # private-etc must first be enabled in firefox-common.profile
-#private-etc basilisk
+#private-etc alternatives,basilisk
 #private-opt basilisk
 
 # Redirect
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index 07cb889e4..6e40054f7 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -44,5 +44,5 @@ shell none
 
 # private-bin bibletime,qt5ct
 private-dev
-private-etc fonts,resolv.conf,sword,sword.conf,passwd,machine-id,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,resolv.conf,sword,sword.conf,passwd,machine-id,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/bitcoin-qt.profile b/etc/bitcoin-qt.profile
index 46ce0775b..def292118 100644
--- a/etc/bitcoin-qt.profile
+++ b/etc/bitcoin-qt.profile
@@ -42,7 +42,7 @@ tracelog
 private-bin bitcoin-qt
 private-dev
 # Causes problem with loading of libGL.so
-#private-etc fonts,ca-certificates,ssl,pki,crypto-policies
+#private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
 # Works, but QT complains about OpenSSL a bit.
 #private-lib
 private-tmp
diff --git a/etc/bless.profile b/etc/bless.profile
index cc03107a5..8315f4563 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -35,7 +35,7 @@ shell none
 # private-bin bless,sh,bash,mono
 private-cache
 private-dev
-private-etc fonts,mono
+private-etc alternatives,fonts,mono
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/brasero.profile b/etc/brasero.profile
index 8ab9472ac..5021db254 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -30,7 +30,7 @@ tracelog
 # private-bin brasero
 private-cache
 # private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 # private-tmp
 
 memory-deny-write-execute
diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile
index f6864386e..9e45b1fd6 100644
--- a/etc/bsdtar.profile
+++ b/etc/bsdtar.profile
@@ -37,4 +37,4 @@ tracelog
 # support compressed archives
 private-bin sh,bash,bsdcat,bsdcpio,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive
 private-dev
-private-etc passwd,group,localtime
+private-etc alternatives,passwd,group,localtime
diff --git a/etc/caja.profile b/etc/caja.profile
index f938792cd..49516de8c 100644
--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -41,5 +41,5 @@ tracelog
 # caja needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin caja
 # private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 # private-tmp
diff --git a/etc/clawsker.profile b/etc/clawsker.profile
index e863a6a45..d50882c75 100644
--- a/etc/clawsker.profile
+++ b/etc/clawsker.profile
@@ -44,7 +44,7 @@ shell none
 private-bin clawsker,perl
 private-cache
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-lib girepository-1.*,libgirepository-1.*,perl*
 private-tmp
 
diff --git a/etc/cliqz.profile b/etc/cliqz.profile
index d0b8cc0ef..b1e4ea613 100644
--- a/etc/cliqz.profile
+++ b/etc/cliqz.profile
@@ -17,7 +17,7 @@ whitelist ${HOME}/.cliqz
 whitelist ${HOME}/.config/cliqz
 
 # private-etc must first be enabled in firefox-common.profile
-#private-etc cliqz
+#private-etc alternatives,cliqz
 
 # Redirect
 include firefox-common.profile
diff --git a/etc/cmus.profile b/etc/cmus.profile
index ee6600b76..e602c4e2a 100644
--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -27,4 +27,4 @@ seccomp
 shell none
 
 private-bin cmus
-private-etc group,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,group,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
diff --git a/etc/crow.profile b/etc/crow.profile
index c016717be..93f71cef8 100644
--- a/etc/crow.profile
+++ b/etc/crow.profile
@@ -37,7 +37,7 @@ shell none
 disable-mnt
 private-bin crow
 private-dev
-private-etc ca-certificates,ssl,machine-id,dconf,nsswitch.conf,resolv.conf,fonts,asound.conf,pulse,pki,crypto-policies
+private-etc alternatives,ca-certificates,ssl,machine-id,dconf,nsswitch.conf,resolv.conf,fonts,asound.conf,pulse,pki,crypto-policies
 private-opt none
 private-tmp
 private-srv none
diff --git a/etc/curl.profile b/etc/curl.profile
index d20e00740..1783f1337 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -33,7 +33,7 @@ shell none
 # private-bin curl
 private-cache
 private-dev
-# private-etc resolv.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
index fcb448b30..147791d26 100644
--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -15,7 +15,7 @@ whitelist ${HOME}/.cache/8pecxstudios
 
 # private-bin cyberfox,which,sh,dbus-launch,dbus-send,env
 # private-etc must first be enabled in firefox-common.profile
-#private-etc cyberfox
+#private-etc alternatives,cyberfox
 
 # Redirect
 include firefox-common.profile
diff --git a/etc/default.profile b/etc/default.profile
index 14ea0ae17..917e42287 100644
--- a/etc/default.profile
+++ b/etc/default.profile
@@ -37,7 +37,7 @@ seccomp
 # private-bin program
 # private-cache
 # private-dev
-# private-etc none
+# private-etc alternatives
 # private-lib
 # private-tmp
 
diff --git a/etc/devilspie.profile b/etc/devilspie.profile
index b3558a038..a809bee0c 100644
--- a/etc/devilspie.profile
+++ b/etc/devilspie.profile
@@ -37,7 +37,7 @@ disable-mnt
 private-bin devilspie
 private-cache
 private-dev
-private-etc none
+private-etc alternatives
 private-lib gconv
 private-tmp
 
diff --git a/etc/devilspie2.profile b/etc/devilspie2.profile
index 4ab2634e8..d8c10413b 100644
--- a/etc/devilspie2.profile
+++ b/etc/devilspie2.profile
@@ -37,7 +37,7 @@ disable-mnt
 private-bin devilspie2
 private-cache
 private-dev
-private-etc none
+private-etc alternatives
 private-lib gconv
 private-tmp
 
diff --git a/etc/dig.profile b/etc/dig.profile
index 8a0ba8f09..f5b26c195 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -40,7 +40,7 @@ private
 private-bin sh,bash,dig
 private-cache
 private-dev
-# private-etc resolv.conf
+# private-etc alternatives,resolv.conf
 private-lib
 private-tmp
 
diff --git a/etc/digikam.profile b/etc/digikam.profile
index ccc0a6544..cc0e98ba3 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -37,7 +37,7 @@ shell none
 
 # private-bin program
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
-# private-etc ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/dino.profile b/etc/dino.profile
index 9844ce81a..76f63fdc8 100644
--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -36,7 +36,7 @@ shell none
 disable-mnt
 private-bin dino
 private-dev
-# private-etc fonts,ca-certificates,ssl,pki,crypto-policies # breaks server connection
+# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies # breaks server connection
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/discord-common.profile b/etc/discord-common.profile
index 9c6a40e8a..c520454e8 100644
--- a/etc/discord-common.profile
+++ b/etc/discord-common.profile
@@ -27,7 +27,7 @@ seccomp
 
 private-bin sh,xdg-mime,tr,sed,echo,head,cut,xdg-open,grep,egrep,bash,zsh
 private-dev
-private-etc fonts,machine-id,localtime,ld.so.cache,ca-certificates,ssl,pki,crypto-policies,resolv.conf
+private-etc alternatives,fonts,machine-id,localtime,ld.so.cache,ca-certificates,ssl,pki,crypto-policies,resolv.conf
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/display.profile b/etc/display.profile
index 3182aebbe..7e4263d2e 100644
--- a/etc/display.profile
+++ b/etc/display.profile
@@ -39,5 +39,5 @@ shell none
 
 private-bin display,python*
 private-dev
-# private-etc none - on Debian-based systems display is a symlink in /etc/alternatives
+# private-etc alternatives - on Debian-based systems display is a symlink in /etc/alternatives
 private-tmp
diff --git a/etc/easystroke.profile b/etc/easystroke.profile
index 31cc48e9f..44156f97e 100644
--- a/etc/easystroke.profile
+++ b/etc/easystroke.profile
@@ -36,7 +36,7 @@ disable-mnt
 private-bin easystroke,bash,sh
 private-cache
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 
diff --git a/etc/electrum.profile b/etc/electrum.profile
index d24a31299..a290683de 100644
--- a/etc/electrum.profile
+++ b/etc/electrum.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin electrum,python*
 private-cache
 private-dev
-private-etc fonts,dconf,ca-certificates,ssl,pki,crypto-policies,machine-id
+private-etc alternatives,fonts,dconf,ca-certificates,ssl,pki,crypto-policies,machine-id
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/elinks.profile b/etc/elinks.profile
index 6643c5fda..842a0db04 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -36,5 +36,5 @@ tracelog
 # private-bin elinks
 private-cache
 private-dev
-# private-etc ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/enchant.profile b/etc/enchant.profile
index e29e542ab..1d3d33d68 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -35,7 +35,7 @@ tracelog
 # private-bin enchant, enchant-*
 private-cache
 private-dev
-private-etc none
+private-etc alternatives
 private-tmp
 
 # memory-deny-write-execute
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index b9f2632c4..670808de2 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -34,7 +34,7 @@ tracelog
 
 # private-bin engrampa
 private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 # private-tmp
 
 memory-deny-write-execute
diff --git a/etc/eog.profile b/etc/eog.profile
index 75d343d4e..d448b7c6c 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -39,7 +39,7 @@ shell none
 private-bin eog
 private-cache
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp
 
diff --git a/etc/eom.profile b/etc/eom.profile
index 7d84cd3b4..c34331da6 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -39,7 +39,7 @@ tracelog
 
 private-bin eom
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-lib
 private-tmp
 
diff --git a/etc/etr.profile b/etc/etr.profile
index 6c3db897b..cf13a42de 100644
--- a/etc/etr.profile
+++ b/etc/etr.profile
@@ -31,5 +31,5 @@ shell none
 
 # private-bin etr
 private-dev
-# private-etc none
+# private-etc alternatives
 private-tmp
diff --git a/etc/evince.profile b/etc/evince.profile
index b9ff3c121..e9b530ece 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -39,7 +39,7 @@ tracelog
 
 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
-private-etc fonts,machine-id
+private-etc alternatives,fonts,machine-id
 
 private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,gconv
 
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 3eac35bac..37e01f8d3 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -39,5 +39,5 @@ tracelog
 # private-bin exiftool,perl
 private-cache
 private-dev
-private-etc none
+private-etc alternatives
 private-tmp
diff --git a/etc/feh.profile b/etc/feh.profile
index ddf0fa154..eb6f311bb 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -31,5 +31,5 @@ shell none
 private-bin feh,jpegexiforient,jpegtran
 private-cache
 private-dev
-private-etc feh
+private-etc alternatives,feh
 private-tmp
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index d79b4de4b..e4863bfc0 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -34,7 +34,7 @@ tracelog
 
 # private-bin file-roller
 private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 # private-tmp
 
 #memory-deny-write-execute  - breaks on Arch
diff --git a/etc/file.profile b/etc/file.profile
index f2f9f25f9..0769f8887 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -34,7 +34,7 @@ x11 none
 #private-bin file
 private-cache
 private-dev
-private-etc magic.mgc,magic,localtime
+private-etc alternatives,magic.mgc,magic,localtime
 private-lib libarchive.so.*,libfakeroot,libmagic.so.*
 
 memory-deny-write-execute
diff --git a/etc/firefox-common-addons.inc b/etc/firefox-common-addons.inc
index 7a0c3e99f..1932b2f1c 100644
--- a/etc/firefox-common-addons.inc
+++ b/etc/firefox-common-addons.inc
@@ -61,4 +61,4 @@ noblacklist /usr/lib/python3*
 
 # Flash plugin
 # private-etc must first be enabled in firefox-common.profile and in profiles including it.
-#private-etc adobe
+#private-etc alternatives,adobe
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 7c65be7cb..69920aa5f 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -51,7 +51,7 @@ shell none
 disable-mnt
 private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
-#private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache
+#private-etc alternatives,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache
 private-tmp
 
 # breaks DRM binaries
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 830bbc6a7..2861a91b4 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -17,7 +17,7 @@ whitelist ${HOME}/.mozilla
 # firefox requires a shell to launch on Arch.
 #private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
 # private-etc must first be enabled in firefox-common.profile
-#private-etc firefox
+#private-etc alternatives,firefox
 
 # Redirect
 include firefox-common.profile
diff --git a/etc/flameshot.profile b/etc/flameshot.profile
index d665d1851..1c5f90f42 100644
--- a/etc/flameshot.profile
+++ b/etc/flameshot.profile
@@ -35,7 +35,7 @@ shell none
 disable-mnt
 private-bin flameshot
 private-cache
-private-etc fonts,ld.so.conf,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,ld.so.conf,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-dev
 private-tmp
 
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index 3697252e7..ed3b4490f 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -35,5 +35,5 @@ shell none
 disable-mnt
 # private-bin frozen-bubble
 private-dev
-# private-etc none
+# private-etc alternatives
 private-tmp
diff --git a/etc/gajim.profile b/etc/gajim.profile
index a957b07b0..efe85f3aa 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -47,7 +47,7 @@ tracelog
 disable-mnt
 private-bin python,python3,sh,gpg,gpg2,gajim,bash,zsh,paplay,gajim-history-manager
 private-dev
-private-etc alsa,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/galculator.profile b/etc/galculator.profile
index 323c880a8..509d9bd05 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -38,6 +38,6 @@ tracelog
 
 private-bin galculator
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-lib
 private-tmp
diff --git a/etc/gcloud.profile b/etc/gcloud.profile
index 5aa73b38f..d9df8fd37 100644
--- a/etc/gcloud.profile
+++ b/etc/gcloud.profile
@@ -32,7 +32,7 @@ tracelog
 
 disable-mnt
 private-dev
-private-etc ca-certificates,ssl,hosts,localtime,nsswitch.conf,resolv.conf,pki,crypto-policies,ld.so.cache
+private-etc alternatives,ca-certificates,ssl,hosts,localtime,nsswitch.conf,resolv.conf,pki,crypto-policies,ld.so.cache
 private-tmp
 
 noexec /tmp
diff --git a/etc/gedit.profile b/etc/gedit.profile
index af0a3da56..a583c534f 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -40,7 +40,7 @@ tracelog
 
 # private-bin gedit
 private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 private-lib /usr/bin/gedit,libtinfo.so.*,libreadline.so.*,gedit,libgspell-1.so.*,gconv,aspell
 private-tmp
 
diff --git a/etc/geeqie.profile b/etc/geeqie.profile
index a7d82b5fb..adfc3ef1c 100644
--- a/etc/geeqie.profile
+++ b/etc/geeqie.profile
@@ -31,4 +31,4 @@ shell none
 
 # private-bin geeqie
 private-dev
-# private-etc X11
+# private-etc alternatives,X11
diff --git a/etc/ghostwriter.profile b/etc/ghostwriter.profile
index bdca281ed..11686e0e9 100644
--- a/etc/ghostwriter.profile
+++ b/etc/ghostwriter.profile
@@ -52,7 +52,7 @@ tracelog
 #private-bin ghostwriter,pandoc
 private-cache
 private-dev
-private-etc cups,crypto-policies,localtime,drirc,fonts,gtk-3.0,dconf,machine-id
+private-etc alternatives,cups,crypto-policies,localtime,drirc,fonts,gtk-3.0,dconf,machine-id
 # Breaks Translation
 #private-lib
 private-tmp
diff --git a/etc/github-desktop.profile b/etc/github-desktop.profile
index 9ac212fe8..934ac7c40 100644
--- a/etc/github-desktop.profile
+++ b/etc/github-desktop.profile
@@ -39,7 +39,7 @@ disable-mnt
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-# private-etc none
+# private-etc alternatives
 # private-lib
 private-tmp
 
diff --git a/etc/gitter.profile b/etc/gitter.profile
index d8439fa79..d84f01f20 100644
--- a/etc/gitter.profile
+++ b/etc/gitter.profile
@@ -35,7 +35,7 @@ shell none
 
 disable-mnt
 private-bin bash,env,gitter
-private-etc fonts,pulse,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,pulse,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-opt Gitter
 private-dev
 private-tmp
diff --git a/etc/gjs.profile b/etc/gjs.profile
index 9c7aa5700..f119e5b34 100644
--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -34,5 +34,5 @@ tracelog
 
 # private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather
 private-dev
-# private-etc fonts,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
index c748cf7e3..b880980bc 100644
--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -37,7 +37,7 @@ tracelog
 
 # private-bin gjs gnome-books
 private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
index fbd8c22c0..42aa3ea2c 100644
--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -35,7 +35,7 @@ tracelog
 disable-mnt
 private-bin fairymax,gnome-chess,hoichess
 private-dev
-private-etc fonts,gnome-chess
+private-etc alternatives,fonts,gnome-chess
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
index 54356a1b7..83ece0fce 100644
--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -34,7 +34,7 @@ tracelog
 disable-mnt
 # private-bin gnome-clocks
 private-dev
-# private-etc fonts,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/gnome-logs.profile b/etc/gnome-logs.profile
index f89684219..c429c7697 100644
--- a/etc/gnome-logs.profile
+++ b/etc/gnome-logs.profile
@@ -37,7 +37,7 @@ shell none
 disable-mnt
 private-bin gnome-logs
 private-dev
-private-etc fonts,localtime,machine-id
+private-etc alternatives,fonts,localtime,machine-id
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 writable-var-log
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index 2d2f5aa6d..b963c17dd 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -38,7 +38,7 @@ tracelog
 disable-mnt
 # private-bin gjs gnome-maps
 private-dev
-# private-etc fonts,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index 54e055358..c4dedcf1c 100644
--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -40,7 +40,7 @@ tracelog
 
 private-bin gnome-music,python*,env,gio-launch-desktop,yelp
 private-dev
-private-etc fonts,machine-id,pulse,asound.conf
+private-etc alternatives,fonts,machine-id,pulse,asound.conf
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index 2e3356607..c48ca50a5 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -34,7 +34,7 @@ tracelog
 
 # private-bin gjs gnome-photos
 private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/gnome-pie.profile b/etc/gnome-pie.profile
index cef741eb3..01c65a5a4 100644
--- a/etc/gnome-pie.profile
+++ b/etc/gnome-pie.profile
@@ -34,7 +34,7 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 
diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile
index 761c604ff..e516566d7 100644
--- a/etc/gnome-recipes.profile
+++ b/etc/gnome-recipes.profile
@@ -38,7 +38,7 @@ shell none
 disable-mnt
 private-bin gnome-recipes,tar
 private-dev
-private-etc ca-certificates,fonts,ssl,crypto-policies,pki
+private-etc alternatives,ca-certificates,fonts,ssl,crypto-policies,pki
 # private-lib works for me with Gnome Shell 3.26.2, Mutter WM (Arch Linux)
 # not widely tested though, leaving it to devs discretion to enable it later
 #private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libgnutls.so.30,libjpeg.so.8,libp11-kit.so.0,libproxy.so.1,librsvg-2.so.2
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
index 6b5f5480d..baa5d39fd 100644
--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -38,7 +38,7 @@ tracelog
 disable-mnt
 # private-bin gjs gnome-weather
 private-dev
-# private-etc fonts,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/goobox.profile b/etc/goobox.profile
index 3cc159eb2..be332665e 100644
--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -31,5 +31,5 @@ tracelog
 
 # private-bin goobox
 private-dev
-# private-etc fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 # private-tmp
diff --git a/etc/gpicview.profile b/etc/gpicview.profile
index d3e1123f3..af9680b49 100644
--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -34,6 +34,6 @@ tracelog
 
 private-bin gpicview
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-lib
 private-tmp
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
index 76a10f697..38897f184 100644
--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -33,7 +33,7 @@ tracelog
 
 private-bin gpredict
 private-dev
-private-etc fonts,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/gradio.profile b/etc/gradio.profile
index e7f415090..eec7376b4 100644
--- a/etc/gradio.profile
+++ b/etc/gradio.profile
@@ -34,7 +34,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-private-etc asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id
+private-etc alternatives,asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index e90578333..790e4920d 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -44,7 +44,7 @@ shell none
 
 private-bin gwenview,gimp*,kbuildsycoca4,kdeinit4
 private-dev
-private-etc fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
+private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 
 # memory-deny-write-execute
 noexec ${HOME}
diff --git a/etc/highlight.profile b/etc/highlight.profile
index ae2cce0b4..243643aea 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -34,5 +34,5 @@ tracelog
 private-bin highlight
 private-cache
 private-dev
-# private-etc none
+# private-etc alternatives
 private-tmp
diff --git a/etc/icecat.profile b/etc/icecat.profile
index 660343a29..0dae814c0 100644
--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -14,7 +14,7 @@ whitelist ${HOME}/.cache/mozilla/icecat
 whitelist ${HOME}/.mozilla
 
 # private-etc must first be enabled in firefox-common.profile
-#private-etc icecat
+#private-etc alternatives,icecat
 
 # Redirect
 include firefox-common.profile
diff --git a/etc/iceweasel.profile b/etc/iceweasel.profile
index 24a2f4cc3..4184b23a7 100644
--- a/etc/iceweasel.profile
+++ b/etc/iceweasel.profile
@@ -6,7 +6,7 @@ include iceweasel.local
 include globals.local
 
 # private-etc must first be enabled in firefox-common.profile
-#private-etc iceweasel
+#private-etc alternatives,iceweasel
 
 # Redirect
 include firefox.profile
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
index 6f860a3d4..2011759e3 100644
--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -34,5 +34,5 @@ tracelog
 # private-bin img2txt
 private-cache
 private-dev
-# private-etc none
+# private-etc alternatives
 private-tmp
diff --git a/etc/kate.profile b/etc/kate.profile
index cce36eacc..4a78d718f 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -42,7 +42,7 @@ tracelog
 
 # private-bin kate,kbuildsycoca4,kdeinit4
 private-dev
-# private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
+# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
 
 # noexec ${HOME}
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index fc9386618..357eb435d 100644
--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -41,7 +41,7 @@ tracelog
 
 private-bin keepassx,keepassx2
 private-dev
-private-etc fonts,machine-id
+private-etc alternatives,fonts,machine-id
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index 448f5455f..d565373f4 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -42,7 +42,7 @@ shell none
 
 private-bin keepassxc
 private-dev
-private-etc fonts,ld.so.cache,machine-id
+private-etc alternatives,fonts,ld.so.cache,machine-id
 private-tmp
 
 # 2.2.4 crashes on database open
diff --git a/etc/klavaro.profile b/etc/klavaro.profile
index 890cde3db..04b4a5ae5 100644
--- a/etc/klavaro.profile
+++ b/etc/klavaro.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin klavaro,tclsh,tclsh*,bash
 private-cache
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/kwin_x11.profile b/etc/kwin_x11.profile
index 653283150..834f6f2dd 100644
--- a/etc/kwin_x11.profile
+++ b/etc/kwin_x11.profile
@@ -37,7 +37,7 @@ tracelog
 disable-mnt
 private-bin kwin_x11
 private-dev
-private-etc drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg
+private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index 9922cb0b5..bc4fba97d 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -44,7 +44,7 @@ tracelog
 
 private-bin kwrite,kbuildsycoca4,kdeinit4
 private-dev
-private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
+private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
index 6e53fc62b..047424e5e 100644
--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -38,7 +38,7 @@ seccomp
 shell none
 
 private-dev
-private-etc asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id
+private-etc alternatives,asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/lynx.profile b/etc/lynx.profile
index e8d44823b..2f043c9b9 100644
--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -34,5 +34,5 @@ tracelog
 # private-bin lynx
 private-cache
 private-dev
-# private-etc ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/masterpdfeditor.profile b/etc/masterpdfeditor.profile
index e35ddd2a7..56433df41 100644
--- a/etc/masterpdfeditor.profile
+++ b/etc/masterpdfeditor.profile
@@ -41,7 +41,7 @@ tracelog
 private-bin masterpdfeditor*
 private-cache
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 # private-lib
 private-tmp
 
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile
index e3220076d..1d3c21e3f 100644
--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -39,7 +39,7 @@ shell none
 
 disable-mnt
 private-bin mate-calc,mate-calculator
-private-etc fonts
+private-etc alternatives,fonts
 private-dev
 private-opt none
 private-tmp
diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile
index 1ba744d5a..a344f70e1 100644
--- a/etc/mate-color-select.profile
+++ b/etc/mate-color-select.profile
@@ -34,7 +34,7 @@ shell none
 
 disable-mnt
 private-bin mate-color-select
-private-etc fonts
+private-etc alternatives,fonts
 private-dev
 private-lib
 private-tmp
diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile
index ba179dfdd..196f5b2c3 100644
--- a/etc/mate-dictionary.profile
+++ b/etc/mate-dictionary.profile
@@ -36,7 +36,7 @@ shell none
 
 disable-mnt
 private-bin mate-dictionary
-private-etc fonts,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-opt mate-dictionary
 private-dev
 private-tmp
diff --git a/etc/mcabber.profile b/etc/mcabber.profile
index ea4cb0250..c65a25edc 100644
--- a/etc/mcabber.profile
+++ b/etc/mcabber.profile
@@ -30,4 +30,4 @@ shell none
 
 private-bin mcabber
 private-dev
-private-etc ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index 115444e0f..32a269fd3 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -34,5 +34,5 @@ tracelog
 private-bin mediainfo
 private-cache
 private-dev
-private-etc none
+private-etc alternatives
 private-tmp
diff --git a/etc/min.profile b/etc/min.profile
index 80baedff7..6101ac2e6 100644
--- a/etc/min.profile
+++ b/etc/min.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-cache
 private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
-private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache
+private-etc alternatives,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache
 private-tmp
 
 # memory-deny-write-execute
diff --git a/etc/minetest.profile b/etc/minetest.profile
index 17b39f7c6..aa50847ea 100644
--- a/etc/minetest.profile
+++ b/etc/minetest.profile
@@ -38,7 +38,7 @@ disable-mnt
 private-bin minetest
 private-dev
 # private-etc needs to be updated, see #1702
-#private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
+#private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/ms-office.profile b/etc/ms-office.profile
index 6c8cb213f..6334ecd41 100644
--- a/etc/ms-office.profile
+++ b/etc/ms-office.profile
@@ -37,7 +37,7 @@ tracelog
 
 disable-mnt
 private-bin bash,fonts,env,jak,ms-office,python*,sh
-private-etc resolv.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-dev
 private-tmp
 
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 011e85c0e..59ad36305 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -37,7 +37,7 @@ tracelog
 
 # private-bin mupdf,sh,tempfile,rm
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-tmp
 
 # mupdf will never write anything
diff --git a/etc/musixmatch.profile b/etc/musixmatch.profile
index d5fde525e..54d9fb16e 100644
--- a/etc/musixmatch.profile
+++ b/etc/musixmatch.profile
@@ -21,7 +21,7 @@ nodvd
 nogroups
 nonewprivs
 noroot
-nogroups 
+nogroups
 nosound
 notv
 nou2f
@@ -31,7 +31,7 @@ seccomp
 
 disable-mnt
 private-dev
-private-etc machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/mypaint.profile b/etc/mypaint.profile
index acec61816..21fd841cf 100644
--- a/etc/mypaint.profile
+++ b/etc/mypaint.profile
@@ -41,7 +41,7 @@ tracelog
 
 private-cache
 private-dev
-private-etc fonts,gtk-3.0,dconf
+private-etc alternatives,fonts,gtk-3.0,dconf
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/nautilus.profile b/etc/nautilus.profile
index 13fe9a9e1..b5e65e3ee 100644
--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -42,5 +42,5 @@ tracelog
 # nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin nautilus
 # private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 # private-tmp
diff --git a/etc/nitroshare.profile b/etc/nitroshare.profile
index 67c651429..bf8fff7cd 100644
--- a/etc/nitroshare.profile
+++ b/etc/nitroshare.profile
@@ -41,7 +41,7 @@ disable-mnt
 private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui
 private-cache
 private-dev
-private-etc ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,machine-id,nsswitch.conf,ssl
+private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,machine-id,nsswitch.conf,ssl
 # private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
 private-tmp
 
diff --git a/etc/nyx.profile b/etc/nyx.profile
index 8d41032dd..2a078ef0f 100644
--- a/etc/nyx.profile
+++ b/etc/nyx.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin nyx,python*
 private-cache
 private-dev
-private-etc passwd,tor,fonts
+private-etc alternatives,passwd,tor,fonts
 private-opt none
 private-srv none
 private-tmp
diff --git a/etc/ocenaudio.profile b/etc/ocenaudio.profile
index 10f3f68a6..4a4fa828d 100644
--- a/etc/ocenaudio.profile
+++ b/etc/ocenaudio.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin ocenaudio
 private-cache
 private-dev
-private-etc asound.conf,fonts,ld.so.cache,pulse
+private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse
 # private-lib
 private-tmp
 
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
index 3a1369b83..3e1739bf9 100644
--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -37,6 +37,6 @@ tracelog
 private-bin odt2txt
 private-cache
 private-dev
-private-etc none
+private-etc alternatives
 private-tmp
 read-only ${HOME}
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile
index 108398104..bff42fb19 100644
--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -33,5 +33,5 @@ shell none
 
 # private-bin open-invaders
 private-dev
-# private-etc none
+# private-etc alternatives
 private-tmp
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index 11464e6cf..e867006e5 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -19,7 +19,7 @@ seccomp
 
 #private-bin palemoon
 # private-etc must first be enabled in firefox-common.profile
-#private-etc palemoon
+#private-etc alternatives,palemoon
 #private-opt palemoon
 
 # Redirect
diff --git a/etc/parole.profile b/etc/parole.profile
index 9ad59d2e6..69ed5a2ca 100644
--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -27,4 +27,4 @@ shell none
 
 private-bin parole,dbus-launch
 private-cache
-private-etc passwd,group,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,passwd,group,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
diff --git a/etc/pdfchain.profile b/etc/pdfchain.profile
index f0db20b74..d9f721578 100644
--- a/etc/pdfchain.profile
+++ b/etc/pdfchain.profile
@@ -34,7 +34,7 @@ shell none
 
 private-bin pdfchain,pdftk,sh
 private-dev
-private-etc dconf,fonts,gtk-3.0,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,xdg
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
index 6b2b0fba5..85e28372e 100644
--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -38,5 +38,5 @@ tracelog
 
 private-bin pdftotext
 private-dev
-private-etc none
+private-etc alternatives
 private-tmp
diff --git a/etc/ping.profile b/etc/ping.profile
index bdd29c1a1..373b8a918 100644
--- a/etc/ping.profile
+++ b/etc/ping.profile
@@ -41,7 +41,7 @@ private
 #private-bin has mammoth problems with execvp: "No such file or directory"
 private-dev
 # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem!
-#private-etc resolv.conf,hosts,ca-certificates,ssl,pki,crypto-policies
+#private-etc alternatives,resolv.conf,hosts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 # memory-deny-write-execute is built using seccomp; nonewprivs will kill it
diff --git a/etc/pingus.profile b/etc/pingus.profile
index f071e664f..6b664248f 100644
--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -33,5 +33,5 @@ shell none
 
 # private-bin pingus
 private-dev
-# private-etc none
+# private-etc alternatives
 private-tmp
diff --git a/etc/pluma.profile b/etc/pluma.profile
index 35b141c1a..79e4b89b3 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -37,7 +37,7 @@ tracelog
 
 private-bin pluma
 private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 private-lib pluma
 private-tmp
 
diff --git a/etc/ppsspp.profile b/etc/ppsspp.profile
index fc37e6fd2..0c8bfa770 100644
--- a/etc/ppsspp.profile
+++ b/etc/ppsspp.profile
@@ -37,7 +37,7 @@ shell none
 
 # private-dev is disabled to allow controller support
 #private-dev
-private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
+private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
 private-opt ppsspp
 private-tmp
 
diff --git a/etc/pybitmessage.profile b/etc/pybitmessage.profile
index c98f34e77..92cae0f97 100644
--- a/etc/pybitmessage.profile
+++ b/etc/pybitmessage.profile
@@ -42,7 +42,7 @@ shell none
 disable-mnt
 private-bin pybitmessage,python*,sh,ldconfig,env,bash,stat
 private-dev
-private-etc PyBitmessage,PyBitmessage.conf,Trolltech.conf,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,resolv.conf,selinux,sni-qt.conf,system-fips,xdg,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,PyBitmessage,PyBitmessage.conf,Trolltech.conf,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,resolv.conf,selinux,sni-qt.conf,system-fips,xdg,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/pycharm-community.profile b/etc/pycharm-community.profile
index bb948a971..bfe8b614e 100644
--- a/etc/pycharm-community.profile
+++ b/etc/pycharm-community.profile
@@ -32,7 +32,7 @@ novideo
 shell none
 tracelog
 
-# private-etc fonts,passwd - minimal required to run but will probably break
+# private-etc alternatives,fonts,passwd - minimal required to run but will probably break
 # program!
 private-cache
 private-dev
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index b6b94c703..0420d38e9 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -53,7 +53,7 @@ shell none
 
 private-bin qbittorrent,python*
 private-dev
-# private-etc X11,fonts,xdg,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,X11,fonts,xdg,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 # private-lib - problems on Arch
 private-tmp
 
diff --git a/etc/qtox.profile b/etc/qtox.profile
index b6cb9772a..3dc4c6a30 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -36,7 +36,7 @@ tracelog
 
 disable-mnt
 private-bin qtox
-private-etc fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse
+private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse
 private-dev
 private-tmp
 
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index ce0816114..e6c441e27 100644
--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -47,7 +47,7 @@ tracelog
 disable-mnt
 private-bin quiterss
 private-dev
-# private-etc X11,ssl,pki,ca-certificates,crypto-policies
+# private-etc alternatives,X11,ssl,pki,ca-certificates,crypto-policies
 
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile
index efee6ce84..eef0c8fa6 100644
--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -34,7 +34,7 @@ seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@res
 # tracelog
 
 private-dev
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
 # private-tmp - interferes with the opening of downloaded files
 
 noexec ${HOME}
diff --git a/etc/ricochet.profile b/etc/ricochet.profile
index cbdc28cf6..a67d6b7ca 100644
--- a/etc/ricochet.profile
+++ b/etc/ricochet.profile
@@ -36,7 +36,7 @@ shell none
 disable-mnt
 private-bin ricochet,tor
 private-dev
-#private-etc fonts,tor,X11,alternatives,ca-certificates,ssl,pki,crypto-policies
+#private-etc alternatives,fonts,tor,X11,alternatives,ca-certificates,ssl,pki,crypto-policies
 
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
index 8cb291ba6..d92c62a52 100644
--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -50,4 +50,4 @@ seccomp
 tracelog
 
 disable-mnt
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
diff --git a/etc/server.profile b/etc/server.profile
index 3526e88ab..8da4853e7 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -43,7 +43,7 @@ private
 # private-bin program
 # private-cache
 private-dev
-# private-etc none
+# private-etc alternatives
 # private-lib
 private-tmp
 
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
index 85cb00ef1..4ad841880 100644
--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -33,5 +33,5 @@ tracelog
 
 # private-bin simple-scan
 # private-dev
-# private-etc fonts,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
 # private-tmp
diff --git a/etc/simutrans.profile b/etc/simutrans.profile
index a4e4d892c..c07b1c145 100644
--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -33,5 +33,5 @@ shell none
 
 # private-bin simutrans
 private-dev
-# private-etc none
+# private-etc alternatives
 private-tmp
diff --git a/etc/slack.profile b/etc/slack.profile
index 995d49687..841998b0e 100644
--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -37,5 +37,5 @@ shell none
 disable-mnt
 private-bin slack,locale
 private-dev
-private-etc asound.conf,ca-certificates,fonts,group,passwd,pulse,resolv.conf,ssl,ld.so.conf,ld.so.cache,localtime,pki,crypto-policies,machine-id
+private-etc alternatives,asound.conf,ca-certificates,fonts,group,passwd,pulse,resolv.conf,ssl,ld.so.conf,ld.so.cache,localtime,pki,crypto-policies,machine-id
 private-tmp
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 14f9f5228..60d15735d 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -46,7 +46,7 @@ tracelog
 disable-mnt
 private-bin spotify,bash,sh,zenity
 private-dev
-private-etc fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
 private-opt spotify
 private-tmp
 
diff --git a/etc/standardnotes-desktop.profile b/etc/standardnotes-desktop.profile
index 4486c8869..0a4d38dbe 100644
--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -38,7 +38,7 @@ seccomp
 disable-mnt
 private-dev
 private-tmp
-private-etc ca-certificates,fonts,host.conf,hostname,hosts,resolv.conf,ssl,pki,crypto-policies,xdg
+private-etc alternatives,ca-certificates,fonts,host.conf,hostname,hosts,resolv.conf,ssl,pki,crypto-policies,xdg
 
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index d3b0b27e3..b0cb52a0f 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -34,7 +34,7 @@ shell none
 disable-mnt
 private-bin bash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
 private-dev
-private-etc fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
+private-etc alternatives,fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
 private-tmp
 
 noexec /tmp
diff --git a/etc/steam.profile b/etc/steam.profile
index 775b6c875..9d348347e 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -74,5 +74,5 @@ shell none
 # private-dev should be commented for controllers
 private-dev
 # private-etc breaks a small selection of games on some systems, comment to support those
-private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives,bumblebee,nvidia,os-release
+private-etc alternatives,asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives,bumblebee,nvidia,os-release
 private-tmp
diff --git a/etc/strings.profile b/etc/strings.profile
index f243606ec..3ef3ffcb1 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -24,7 +24,7 @@ tracelog
 private-bin strings
 private-cache
 private-dev
-private-etc none
+private-etc alternatives
 private-lib
 
 memory-deny-write-execute
diff --git a/etc/supertux2.profile b/etc/supertux2.profile
index fc523ce0a..793e4126c 100644
--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -34,5 +34,5 @@ shell none
 disable-mnt
 # private-bin supertux2
 private-dev
-# private-etc none
+# private-etc alternatives
 private-tmp
diff --git a/etc/supertuxkart.profile b/etc/supertuxkart.profile
index 9f65a2fa1..696ac4de0 100644
--- a/etc/supertuxkart.profile
+++ b/etc/supertuxkart.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin supertuxkart
 private-cache
 private-dev
-private-etc resolv.conf,ca-certificates,ssl,hosts,machine-id,xdg,openal,crypto-policies,pki,drirc,system-fips,selinux
+private-etc alternatives,resolv.conf,ca-certificates,ssl,hosts,machine-id,xdg,openal,crypto-policies,pki,drirc,system-fips,selinux
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/surf.profile b/etc/surf.profile
index 3a1b1f383..4fad4a81d 100644
--- a/etc/surf.profile
+++ b/etc/surf.profile
@@ -32,7 +32,7 @@ tracelog
 disable-mnt
 private-bin ls,surf,sh,bash,curl,dmenu,printf,sed,sleep,st,stterm,xargs,xprop
 private-dev
-private-etc passwd,group,hosts,resolv.conf,fonts,ssl,pki,ca-certificates,crypto-policies
+private-etc alternatives,passwd,group,hosts,resolv.conf,fonts,ssl,pki,ca-certificates,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/tar.profile b/etc/tar.profile
index 9a5f00f65..d228051e8 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -26,7 +26,7 @@ tracelog
 # support compressed archives
 private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
 private-dev
-private-etc passwd,group,localtime
+private-etc alternatives,passwd,group,localtime
 private-lib
 
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
diff --git a/etc/terasology.profile b/etc/terasology.profile
index 22038e0b4..43865b6fb 100644
--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -44,7 +44,7 @@ shell none
 
 disable-mnt
 private-dev
-private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk,pki,crypto-policies
+private-etc alternatives,asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/tilp.profile b/etc/tilp.profile
index ecacd1deb..2643c9a84 100644
--- a/etc/tilp.profile
+++ b/etc/tilp.profile
@@ -29,7 +29,7 @@ tracelog
 disable-mnt
 private-bin tilp
 private-cache
-private-etc fonts
+private-etc alternatives,fonts
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/tor.profile b/etc/tor.profile
index 04a6c3abb..418352639 100644
--- a/etc/tor.profile
+++ b/etc/tor.profile
@@ -46,7 +46,7 @@ private
 private-bin tor,bash
 private-cache
 private-dev
-private-etc tor,passwd,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,tor,passwd,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index a9244683f..2b1cc6549 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -49,7 +49,7 @@ shell none
 disable-mnt
 private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,readlink,rm,sed,sh,tail,tar,tclsh,test,tor-browser-en,torbrowser-launcher,xz
 private-dev
-private-etc fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
+private-etc alternatives,fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
 private-tmp
 
 noexec /tmp
diff --git a/etc/totem.profile b/etc/totem.profile
index 3055ea542..fd473b03c 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -36,7 +36,7 @@ private-bin totem
 # totem needs access to ~/.cache/tracker or it exits
 #private-cache
 private-dev
-# private-etc fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/tracker.profile b/etc/tracker.profile
index 6d86b2951..c1779ae3e 100644
--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -33,5 +33,5 @@ tracelog
 
 # private-bin tracker
 # private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 # private-tmp
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
index 81b52ec7c..89b9b21dc 100644
--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -33,7 +33,7 @@ tracelog
 
 # private-bin transmission-cli
 private-dev
-private-etc ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 248eb977e..6154ad15b 100644
--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -31,5 +31,5 @@ shell none
 tracelog
 
 private-dev
-private-etc none
+private-etc alternatives
 private-tmp
diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile
index f62f018a6..36d1319d1 100644
--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -29,5 +29,5 @@ shell none
 
 # private-bin unknown-horizons
 private-dev
-# private-etc ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/unrar.profile b/etc/unrar.profile
index 00fe0887b..bc5fced9f 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -25,7 +25,7 @@ tracelog
 
 private-bin unrar
 private-dev
-private-etc passwd,group,localtime
+private-etc alternatives,passwd,group,localtime
 private-tmp
 
 include default.profile
diff --git a/etc/unzip.profile b/etc/unzip.profile
index 8e659c256..1859a2248 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -25,7 +25,7 @@ tracelog
 
 private-bin unzip
 private-dev
-private-etc passwd,group,localtime
+private-etc alternatives,passwd,group,localtime
 
 # GNOME Shell integration (chrome-gnome-shell)
 noblacklist ${HOME}/.local/share/gnome-shell
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index 3bd0ebe70..9710b1b9f 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -23,6 +23,6 @@ tracelog
 private-bin uudeview
 private-cache
 private-dev
-private-etc ld.so.preload
+private-etc alternatives,ld.so.preload
 
 include default.profile
diff --git a/etc/viewnior.profile b/etc/viewnior.profile
index 4c22f8e6f..94b6c2052 100644
--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -38,7 +38,7 @@ tracelog
 private-bin viewnior
 private-cache
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-tmp
 
 # memory-deny-write-executes breaks on Arch - see issue #1808
diff --git a/etc/w3m.profile b/etc/w3m.profile
index c03df49cd..143ac4f63 100644
--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -36,5 +36,5 @@ tracelog
 # private-bin w3m
 private-cache
 private-dev
-private-etc resolv.conf,ssl,pki,ca-certificates,crypto-policies
+private-etc alternatives,resolv.conf,ssl,pki,ca-certificates,crypto-policies
 private-tmp
diff --git a/etc/waterfox.profile b/etc/waterfox.profile
index 3dc21958d..7875ccb1e 100644
--- a/etc/waterfox.profile
+++ b/etc/waterfox.profile
@@ -22,7 +22,7 @@ whitelist ${HOME}/.waterfox
 # waterfox requires a shell to launch on Arch. We can possibly remove sh though.
 #private-bin waterfox,which,sh,dbus-launch,dbus-send,env,bash
 # private-etc must first be enabled in firefox-common.profile
-#private-etc waterfox
+#private-etc alternatives,waterfox
 
 # Redirect
 include firefox-common.profile
diff --git a/etc/wget.profile b/etc/wget.profile
index 87c0501da..c0a6f0d21 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -35,7 +35,7 @@ shell none
 
 # private-bin wget
 private-dev
-# private-etc resolv.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 # private-tmp
 
 noexec ${HOME}
diff --git a/etc/whois.profile b/etc/whois.profile
index 78236c02f..0e9eb05a5 100644
--- a/etc/whois.profile
+++ b/etc/whois.profile
@@ -38,7 +38,7 @@ private
 private-bin sh,bash,whois
 private-cache
 private-dev
-# private-etc hosts,services,whois.conf
+# private-etc alternatives,hosts,services,whois.conf
 private-lib
 private-tmp
 
diff --git a/etc/wire-desktop.profile b/etc/wire-desktop.profile
index f464a2fb9..e974e4304 100644
--- a/etc/wire-desktop.profile
+++ b/etc/wire-desktop.profile
@@ -37,5 +37,5 @@ shell none
 disable-mnt
 private-bin wire-desktop
 private-dev
-private-etc fonts,machine-id,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,machine-id,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index 4f1142826..a08b97d05 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -45,7 +45,7 @@ tracelog
 
 # private-bin wireshark
 private-dev
-# private-etc fonts,group,hosts,machine-id,passwd,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,fonts,group,hosts,machine-id,passwd,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/xed.profile b/etc/xed.profile
index 7dffae05a..cd565f684 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -42,7 +42,7 @@ tracelog
 
 private-bin xed
 private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 private-tmp
 
 # xed uses python plugins, memory-deny-write-execute breaks python
diff --git a/etc/xfburn.profile b/etc/xfburn.profile
index 3dc525755..1cb7f568a 100644
--- a/etc/xfburn.profile
+++ b/etc/xfburn.profile
@@ -29,5 +29,5 @@ tracelog
 
 # private-bin xfburn
 # private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 # private-tmp
diff --git a/etc/xiphos.profile b/etc/xiphos.profile
index 6adfcd819..3ad03e2c6 100644
--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -38,5 +38,5 @@ tracelog
 
 private-bin xiphos
 private-dev
-private-etc fonts,resolv.conf,sword,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,resolv.conf,sword,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/xmr-stak.profile b/etc/xmr-stak.profile
index 25b2b8c91..99c9676b8 100644
--- a/etc/xmr-stak.profile
+++ b/etc/xmr-stak.profile
@@ -37,7 +37,7 @@ disable-mnt
 private ${HOME}/.xmr-stak
 private-bin xmr-stak
 private-dev
-private-etc ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
 #private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend
 private-opt cuda
 private-tmp
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index 054cf4896..9d422a01e 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -36,7 +36,7 @@ shell none
 disable-mnt
 private-bin bash,blind-id,darkplaces-glx,darkplaces-sdl,dirname,grep,ldd,netstat,ps,readlink,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl
 private-dev
-private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
+private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index b8297295a..0df879d7c 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -40,7 +40,7 @@ tracelog
 
 private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
 private-dev
-# private-etc fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/xpra.profile b/etc/xpra.profile
index 23f3294bd..2ff6c2a5d 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -52,5 +52,5 @@ shell none
 # older Xpra versions also use Xvfb
 # private-bin xpra,python*,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls
 private-dev
-# private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
+# private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
 private-tmp
diff --git a/etc/xreader.profile b/etc/xreader.profile
index a879e8b04..e0a3ddee3 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -38,7 +38,7 @@ tracelog
 
 private-bin xreader,xreader-previewer,xreader-thumbnailer
 private-dev
-private-etc fonts,ld.so.cache
+private-etc alternatives,fonts,ld.so.cache
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index e6185807e..c73630053 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -38,7 +38,7 @@ tracelog
 
 private-bin xviewer
 private-dev
-#private-etc fonts
+#private-etc alternatives,fonts
 private-lib
 private-tmp
 
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 2eee47fa0..922284353 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -35,7 +35,7 @@ shell none
 private-bin zathura
 private-cache
 private-dev
-private-etc fonts,machine-id
+private-etc alternatives,fonts,machine-id
 private-tmp
 
 read-only ${HOME}/