832 files changed, 6690 insertions, 5247 deletions
diff --git a/.gitignore b/.gitignore
index ea053b503..ace86f218 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,12 +22,13 @@ firejail-users.5
 firejail.1
 firemon.1
 firecfg.1
-jailcheck.5
+jailcheck.1
 mkdeb.sh
 src/firejail/firejail
 src/firemon/firemon
 src/firecfg/firecfg
 src/ftee/ftee
+src/fids/fids
 src/tags
 src/faudit/faudit
 src/fnet/fnet
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 688101d13..0f868d6c4 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -34,6 +34,13 @@ If you want to write a new profile, the easiest way to do this is to use the
 [profile template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).
 If you have already written a profile, please make sure it follows the rules described in the template.
+If you add a new command, here's the checklist:
+ - [ ] Update manpages: firejail(1) and firejail-profile(5)
+ - [ ] Update shell completions
+ - [ ] Update vim syntax files
+ - [ ] Update --help
 # Editing the wiki
 You are highly encouraged to add your own tips and tricks to the [wiki](https://github.com/netblue30/firejail/wiki).
diff --git a/Makefile.in b/Makefile.in
index 17bd76464..c94d8c7a4 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -26,7 +26,7 @@ COMPLETIONDIRS = src/zsh_completion src/bash_completion
 .PHONY: all
 all: all_items mydirs $(MAN_TARGET) filters
 APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
-SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee
+SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids
 SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
@@ -135,7 +135,7 @@ endif
        install -m 0644 -t $(DESTDIR)$(DOCDIR) COPYING README RELNOTES etc/templates/*
        # profiles and settings
        install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail
-        install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config
+        install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config etc/ids.config
        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 ifeq ($(BUSYBOX_WORKAROUND),yes)
        ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc
diff --git a/README.md b/README.md
index c635bf811..98968a606 100644
--- a/README.md
+++ b/README.md
@@ -202,6 +202,36 @@ The old whitelist/blacklist will remain as aliasses for the next one or two rele
 in order to give users a chance to switch their local profiles.
 The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379
+### Intrusion Detection System ###
+We are adding IDS capabilities in the next release. We have the list of files in [/etc/firejail/ids.config](https://github.com/netblue30/firejail/blob/master/etc/ids.config),
+and we generate a [BLAKE2](https://en.wikipedia.org/wiki/BLAKE_%28hash_function%29) checksum in /var/lib/firejail/username.ids.
+The program runs as regular user, each user has his own file in /var/lib/firejail.
+Initialize the database:
+`````
+$ firejail --ids-init
+Loading /etc/firejail/ids.config config file
+500 1000 1500 2000
+2457 files scanned
+IDS database initialized
+`````
+Later, we check it:
+`````
+$ firejail --ids-check
+Loading /etc/firejail/ids.config config file
+500 1000 1500
+Warning: modified /home/netblue/.bashrc
+2000
+2457 files scanned: modified 1, permissions 0, new 0, removed 0
+`````
+The program will print the files that have been modified since the database was created, or the files with different access permissions.
+New files and deleted files are also flagged.
+Currently while scanning the file system symbolic links are not followed, and files the user doesn't have read access to are silently dropped.
+The program can also be run as root (sudo firejail --ids-init/--ids-check).
 ### Profile Statistics
 A small tool to print profile statistics. Compile as usual and run in /etc/profiles:
@@ -236,3 +266,5 @@ $ ./profstats *.profile
 ```
 ### New profiles:
+clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2
diff --git a/RELNOTES b/RELNOTES
index 905c25096..405888cc4 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,6 +2,8 @@ firejail (0.9.67) baseline; urgency=low
  * work in progress
  * deprecated --disable-whitelist at compile time
  * deprecated whitelist=yes/no in /etc/firejail/firejail.config
+  * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
+  * new profiles: io.github.lainsce.Notejot, rednotebook
 -- netblue30 <netblue30@yahoo.com>  Mon, 28 Jun 2021 09:00:00 -0500
 firejail (0.9.66) baseline; urgency=low
diff --git a/configure b/configure
index 9e883191a..f78bbaded 100755
--- a/configure
+++ b/configure
@@ -4350,7 +4350,7 @@ fi
 ac_config_files="$ac_config_files mkdeb.sh"
-ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailcheck/Makefile"
+ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailcheck/Makefile src/fids/Makefile"
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -5084,6 +5084,7 @@ do
    "src/bash_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/bash_completion/Makefile" ;;
    "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;;
    "src/jailcheck/Makefile") CONFIG_FILES="$CONFIG_FILES src/jailcheck/Makefile" ;;
+    "src/fids/Makefile") CONFIG_FILES="$CONFIG_FILES src/fids/Makefile" ;;
  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
  esac
diff --git a/configure.ac b/configure.ac
index 1f8e802b5..7879a5239 100644
--- a/configure.ac
+++ b/configure.ac
@@ -300,7 +300,7 @@ AC_CONFIG_FILES([Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
 src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
 src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \
-src/jailcheck/Makefile])
+src/jailcheck/Makefile src/fids/Makefile])
 AC_OUTPUT
 cat <<EOF
diff --git a/etc/ids.config b/etc/ids.config
new file mode 100644
index 000000000..09b0ae912
--- /dev/null
+++ b/etc/ids.config
@@ -0,0 +1,142 @@
+# /etc/firejail/ids.config - configuration file for Firejail's Intrusion Detection System
+# This config file is overwritten when a new version of Firejail is installed.
+# For global customization use /etc/firejail/ids.config.local.
+include ids.config.local
+#
+# Each line is a file or directory name such as
+#       /usr/bin
+# or
+#       ${HOME}/Desktop/*.desktop
+#
+# ${HOME} is expanded to the user's home directory, and * is the regular
+# globbing match for zero or more characters.
+#
+# File or directory names starting with ! are not scanned. For example
+#        !${HOME}/.ssh/known_hosts
+#        ${HOME}/.ssh
+# will scan all files in ~/.ssh directory with the exception of known_hosts
+### system executables ###
+/bin
+/sbin
+/usr/bin
+/usr/games
+/usr/libexec
+/usr/sbin
+### user executables ###
+#/opt
+#/usr/local
+### system libraries ###
+#/lib
+#/usr/lib
+#/usr/lib32
+#/usr/lib64
+#/usr/libx32
+### shells local ###
+# bash
+${HOME}/.bash_login
+${HOME}/.bash_logout
+${HOME}/.bash_profile
+${HOME}/.bashrc
+# fish
+${HOME}/.config/fish/config.fish
+# others
+${HOME}/.cshrc
+${HOME}/.kshrc
+${HOME}/.login
+${HOME}/.logout
+${HOME}/.profile
+${HOME}/.tcshrc
+# zsh
+${HOME}/.zlogin
+${HOME}/.zlogout
+${HOME}/.zshenv
+${HOME}/.zshprofile
+${HOME}/.zshrc
+### shells global ###
+# all
+/etc/dircolors
+/etc/environment
+/etc/profile
+/etc/profile.d
+/etc/shells
+/etc/skel
+# bash
+/etc/bash_completion*
+/etc/bash.bashrc
+/etc/bashrc
+# fish
+/etc/fish
+# ksh
+/etc/ksh.kshrc
+# tcsh
+/etc/complete.tcsh
+/etc/csh.cshrc
+/etc/csh.login
+/etc/csh.logout
+# zsh
+/etc/zlogin
+/etc/zlogout
+/etc/zprofile
+/etc/zshenv
+/etc/zshrc
+### X11 ###
+/etc/X11
+${HOME}/.xinitrc
+${HOME}/.xmodmaprc
+${HOME}/.xprofile
+${HOME}/.Xresources
+${HOME}/.xserverrc
+${HOME}/.Xsession
+${HOME}/.xsession
+${HOME}/.xsessionrc
+### window/desktop manager ###
+${HOME}/Desktop/*.desktop
+${HOME}/.config/autostart
+${HOME}/.config/lxsession/LXDE/autostart
+${HOME}/.gnomerc
+${HOME}/.gtkrc
+${HOME}/.kderc
+### security ###
+/etc/aide
+/etc/apparmor*
+/etc/chkrootkit.conf
+/etc/cracklib
+/etc/libaudit.conf
+/etc/group*
+/etc/gshadow*
+/etc/pam.*
+/etc/passwd*
+/etc/rkhunter*
+/etc/securetty
+/etc/security
+/etc/selinux
+/etc/shadow*
+/etc/sudoers*
+/etc/tripwire
+${HOME}/.config/firejail
+${HOME}/.gnupg
+### network security ###
+/etc/ca-certificates*
+/etc/hosts.*
+/etc/services
+/etc/snort
+/etc/ssh
+/etc/ssl
+/etc/wireshark
+!${HOME}/.ssh/known_hosts # excluding
+${HOME}/.ssh
+/usr/share/ca-certificates
+### system config ###
+/etc/cron.*
+/etc/crontab
+/etc/default
diff --git a/etc/inc/allow-bin-sh.inc b/etc/inc/allow-bin-sh.inc
index 59cd40878..d6c295414 100644
--- a/etc/inc/allow-bin-sh.inc
+++ b/etc/inc/allow-bin-sh.inc
@@ -2,6 +2,6 @@
 # Persistent customizations should go in a .local file.
 include allow-bin-sh.local
-nodeny  ${PATH}/bash
+noblacklist ${PATH}/bash
-nodeny  ${PATH}/dash
+noblacklist ${PATH}/dash
-nodeny  ${PATH}/sh
+noblacklist ${PATH}/sh
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 71b1483cd..011bbe226 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -3,29 +3,29 @@
 include allow-common-devel.local
 # Git
-nodeny  ${HOME}/.config/git
+noblacklist ${HOME}/.config/git
-nodeny  ${HOME}/.gitconfig
+noblacklist ${HOME}/.gitconfig
-nodeny  ${HOME}/.git-credentials
+noblacklist ${HOME}/.git-credentials
 # Java
-nodeny  ${HOME}/.gradle
+noblacklist ${HOME}/.gradle
-nodeny  ${HOME}/.java
+noblacklist ${HOME}/.java
 # Node.js
-nodeny  ${HOME}/.node-gyp
+noblacklist ${HOME}/.node-gyp
-nodeny  ${HOME}/.npm
+noblacklist ${HOME}/.npm
-nodeny  ${HOME}/.npmrc
+noblacklist ${HOME}/.npmrc
-nodeny  ${HOME}/.nvm
+noblacklist ${HOME}/.nvm
-nodeny  ${HOME}/.yarn
+noblacklist ${HOME}/.yarn
-nodeny  ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarn-config
-nodeny  ${HOME}/.yarncache
+noblacklist ${HOME}/.yarncache
-nodeny  ${HOME}/.yarnrc
+noblacklist ${HOME}/.yarnrc
 # Python
-nodeny  ${HOME}/.pylint.d
+noblacklist ${HOME}/.pylint.d
-nodeny  ${HOME}/.python-history
+noblacklist ${HOME}/.python-history
-nodeny  ${HOME}/.python_history
+noblacklist ${HOME}/.python_history
-nodeny  ${HOME}/.pythonhist
+noblacklist ${HOME}/.pythonhist
 # Rust
-nodeny  ${HOME}/.cargo/*
+noblacklist ${HOME}/.cargo/*
diff --git a/etc/inc/allow-gjs.inc b/etc/inc/allow-gjs.inc
index 2e2490079..c1366e093 100644
--- a/etc/inc/allow-gjs.inc
+++ b/etc/inc/allow-gjs.inc
@@ -2,11 +2,11 @@
 # Persistent customizations should go in a .local file.
 include allow-gjs.local
-nodeny  ${PATH}/gjs
+noblacklist ${PATH}/gjs
-nodeny  ${PATH}/gjs-console
+noblacklist ${PATH}/gjs-console
-nodeny  /usr/lib/gjs
+noblacklist /usr/lib/gjs
-nodeny  /usr/lib/libgjs*
+noblacklist /usr/lib/libgjs*
-nodeny  /usr/lib/libmozjs-*
+noblacklist /usr/lib/libmozjs-*
-nodeny  /usr/lib64/gjs
+noblacklist /usr/lib64/gjs
-nodeny  /usr/lib64/libgjs*
+noblacklist /usr/lib64/libgjs*
-nodeny  /usr/lib64/libmozjs-*
+noblacklist /usr/lib64/libmozjs-*
diff --git a/etc/inc/allow-java.inc b/etc/inc/allow-java.inc
index af44f3664..24d18fb77 100644
--- a/etc/inc/allow-java.inc
+++ b/etc/inc/allow-java.inc
@@ -2,8 +2,8 @@
 # Persistent customizations should go in a .local file.
 include allow-java.local
-nodeny  ${HOME}/.java
+noblacklist ${HOME}/.java
-nodeny  ${PATH}/java
+noblacklist ${PATH}/java
-nodeny  /etc/java
+noblacklist /etc/java
-nodeny  /usr/lib/java
+noblacklist /usr/lib/java
-nodeny  /usr/share/java
+noblacklist /usr/share/java
diff --git a/etc/inc/allow-lua.inc b/etc/inc/allow-lua.inc
index 3d0a1997b..9c47e7a3b 100644
--- a/etc/inc/allow-lua.inc
+++ b/etc/inc/allow-lua.inc
@@ -2,11 +2,11 @@
 # Persistent customizations should go in a .local file.
 include allow-lua.local
-nodeny  ${PATH}/lua*
+noblacklist ${PATH}/lua*
-nodeny  /usr/include
+noblacklist /usr/include
-nodeny  /usr/lib/liblua*
+noblacklist /usr/lib/liblua*
-nodeny  /usr/lib/lua
+noblacklist /usr/lib/lua
-nodeny  /usr/lib64/liblua*
+noblacklist /usr/lib64/liblua*
-nodeny  /usr/lib64/lua
+noblacklist /usr/lib64/lua
-nodeny  /usr/share/lua
+noblacklist /usr/share/lua
-nodeny  /usr/share/lua*
+noblacklist /usr/share/lua*
diff --git a/etc/inc/allow-nodejs.inc b/etc/inc/allow-nodejs.inc
index e915b3866..351c94ab8 100644
--- a/etc/inc/allow-nodejs.inc
+++ b/etc/inc/allow-nodejs.inc
@@ -2,8 +2,8 @@
 # Persistent customizations should go in a .local file.
 include allow-nodejs.local
-nodeny  ${PATH}/node
+noblacklist ${PATH}/node
-nodeny  /usr/include/node
+noblacklist /usr/include/node
 # Allow python for node-gyp (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/inc/allow-opengl-game.inc b/etc/inc/allow-opengl-game.inc
index 00e35e983..5d2d6c5c1 100644
--- a/etc/inc/allow-opengl-game.inc
+++ b/etc/inc/allow-opengl-game.inc
@@ -2,6 +2,6 @@
 # Persistent customizations should go in a .local file.
 include allow-opengl-game.local
-nodeny  ${PATH}/bash
+noblacklist ${PATH}/bash
-allow  /usr/share/opengl-games-utils/opengl-game-functions.sh
+whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh
 private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity
diff --git a/etc/inc/allow-perl.inc b/etc/inc/allow-perl.inc
index 134d27239..5a1952c94 100644
--- a/etc/inc/allow-perl.inc
+++ b/etc/inc/allow-perl.inc
@@ -2,11 +2,11 @@
 # Persistent customizations should go in a .local file.
 include allow-perl.local
-nodeny  ${PATH}/core_perl
+noblacklist ${PATH}/core_perl
-nodeny  ${PATH}/cpan*
+noblacklist ${PATH}/cpan*
-nodeny  ${PATH}/perl
+noblacklist ${PATH}/perl
-nodeny  ${PATH}/site_perl
+noblacklist ${PATH}/site_perl
-nodeny  ${PATH}/vendor_perl
+noblacklist ${PATH}/vendor_perl
-nodeny  /usr/lib/perl*
+noblacklist /usr/lib/perl*
-nodeny  /usr/lib64/perl*
+noblacklist /usr/lib64/perl*
-nodeny  /usr/share/perl*
+noblacklist /usr/share/perl*
diff --git a/etc/inc/allow-php.inc b/etc/inc/allow-php.inc
index 520c2019e..a0950dc26 100644
--- a/etc/inc/allow-php.inc
+++ b/etc/inc/allow-php.inc
@@ -2,6 +2,6 @@
 # Persistent customizations should go in a .local file.
 include allow-php.local
-nodeny  ${PATH}/php*
+noblacklist ${PATH}/php*
-nodeny  /usr/lib/php*
+noblacklist /usr/lib/php*
-nodeny  /usr/share/php*
+noblacklist /usr/share/php*
diff --git a/etc/inc/allow-python2.inc b/etc/inc/allow-python2.inc
index f1830043a..b0525e2e1 100644
--- a/etc/inc/allow-python2.inc
+++ b/etc/inc/allow-python2.inc
@@ -2,8 +2,8 @@
 # Persistent customizations should go in a .local file.
 include allow-python2.local
-nodeny  ${PATH}/python2*
+noblacklist ${PATH}/python2*
-nodeny  /usr/include/python2*
+noblacklist /usr/include/python2*
-nodeny  /usr/lib/python2*
+noblacklist /usr/lib/python2*
-nodeny  /usr/local/lib/python2*
+noblacklist /usr/local/lib/python2*
-nodeny  /usr/share/python2*
+noblacklist /usr/share/python2*
diff --git a/etc/inc/allow-python3.inc b/etc/inc/allow-python3.inc
index e4b6ed1a9..d968886b0 100644
--- a/etc/inc/allow-python3.inc
+++ b/etc/inc/allow-python3.inc
@@ -2,9 +2,9 @@
 # Persistent customizations should go in a .local file.
 include allow-python3.local
-nodeny  ${PATH}/python3*
+noblacklist ${PATH}/python3*
-nodeny  /usr/include/python3*
+noblacklist /usr/include/python3*
-nodeny  /usr/lib/python3*
+noblacklist /usr/lib/python3*
-nodeny  /usr/lib64/python3*
+noblacklist /usr/lib64/python3*
-nodeny  /usr/local/lib/python3*
+noblacklist /usr/local/lib/python3*
-nodeny  /usr/share/python3*
+noblacklist /usr/share/python3*
diff --git a/etc/inc/allow-ruby.inc b/etc/inc/allow-ruby.inc
index d949bbc84..a8c701219 100644
--- a/etc/inc/allow-ruby.inc
+++ b/etc/inc/allow-ruby.inc
@@ -2,5 +2,5 @@
 # Persistent customizations should go in a .local file.
 include allow-ruby.local
-nodeny  ${PATH}/ruby
+noblacklist ${PATH}/ruby
-nodeny  /usr/lib/ruby
+noblacklist /usr/lib/ruby
diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
index 44957bf32..67c78a483 100644
--- a/etc/inc/allow-ssh.inc
+++ b/etc/inc/allow-ssh.inc
@@ -2,7 +2,7 @@
 # Persistent customizations should go in a .local file.
 include allow-ssh.local
-nodeny  ${HOME}/.ssh
+noblacklist ${HOME}/.ssh
-nodeny  /etc/ssh
+noblacklist /etc/ssh
-nodeny  /etc/ssh/ssh_config
+noblacklist /etc/ssh/ssh_config
-nodeny  /tmp/ssh-*
+noblacklist /tmp/ssh-*
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 1283a3a3d..6df0c4990 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -5,63 +5,63 @@ include disable-common.local
 # The following block breaks trash functionality in file managers
 #read-only ${HOME}/.local
 #read-write ${HOME}/.local/share
-deny  ${HOME}/.local/share/Trash
+blacklist ${HOME}/.local/share/Trash
 # History files in $HOME and clipboard managers
-deny-nolog  ${HOME}/.*_history
+blacklist-nolog ${HOME}/.*_history
-deny-nolog  ${HOME}/.adobe
+blacklist-nolog ${HOME}/.adobe
-deny-nolog  ${HOME}/.cache/greenclip*
+blacklist-nolog ${HOME}/.cache/greenclip*
-deny-nolog  ${HOME}/.histfile
+blacklist-nolog ${HOME}/.histfile
-deny-nolog  ${HOME}/.history
+blacklist-nolog ${HOME}/.history
-deny-nolog  ${HOME}/.kde/share/apps/klipper
+blacklist-nolog ${HOME}/.kde/share/apps/klipper
-deny-nolog  ${HOME}/.kde4/share/apps/klipper
+blacklist-nolog ${HOME}/.kde4/share/apps/klipper
-deny-nolog  ${HOME}/.local/share/fish/fish_history
+blacklist-nolog ${HOME}/.local/share/fish/fish_history
-deny-nolog  ${HOME}/.local/share/klipper
+blacklist-nolog ${HOME}/.local/share/klipper
-deny-nolog  ${HOME}/.macromedia
+blacklist-nolog ${HOME}/.macromedia
-deny-nolog  ${HOME}/.mupdf.history
+blacklist-nolog ${HOME}/.mupdf.history
-deny-nolog  ${HOME}/.python-history
+blacklist-nolog ${HOME}/.python-history
-deny-nolog  ${HOME}/.python_history
+blacklist-nolog ${HOME}/.python_history
-deny-nolog  ${HOME}/.pythonhist
+blacklist-nolog ${HOME}/.pythonhist
-deny-nolog  ${HOME}/.lesshst
+blacklist-nolog ${HOME}/.lesshst
-deny-nolog  ${HOME}/.viminfo
+blacklist-nolog ${HOME}/.viminfo
-deny-nolog  /tmp/clipmenu*
+blacklist-nolog /tmp/clipmenu*
 # X11 session autostart
 # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
-deny  ${HOME}/.Xsession
+blacklist ${HOME}/.Xsession
-deny  ${HOME}/.blackbox
+blacklist ${HOME}/.blackbox
-deny  ${HOME}/.config/autostart
+blacklist ${HOME}/.config/autostart
-deny  ${HOME}/.config/autostart-scripts
+blacklist ${HOME}/.config/autostart-scripts
-deny  ${HOME}/.config/awesome
+blacklist ${HOME}/.config/awesome
-deny  ${HOME}/.config/i3
+blacklist ${HOME}/.config/i3
-deny  ${HOME}/.config/sway
+blacklist ${HOME}/.config/sway
-deny  ${HOME}/.config/lxsession/LXDE/autostart
+blacklist ${HOME}/.config/lxsession/LXDE/autostart
-deny  ${HOME}/.config/openbox
+blacklist ${HOME}/.config/openbox
-deny  ${HOME}/.config/plasma-workspace
+blacklist ${HOME}/.config/plasma-workspace
-deny  ${HOME}/.config/startupconfig
+blacklist ${HOME}/.config/startupconfig
-deny  ${HOME}/.config/startupconfigkeys
+blacklist ${HOME}/.config/startupconfigkeys
-deny  ${HOME}/.fluxbox
+blacklist ${HOME}/.fluxbox
-deny  ${HOME}/.gnomerc
+blacklist ${HOME}/.gnomerc
-deny  ${HOME}/.kde/Autostart
+blacklist ${HOME}/.kde/Autostart
-deny  ${HOME}/.kde/env
+blacklist ${HOME}/.kde/env
-deny  ${HOME}/.kde/share/autostart
+blacklist ${HOME}/.kde/share/autostart
-deny  ${HOME}/.kde/share/config/startupconfig
+blacklist ${HOME}/.kde/share/config/startupconfig
-deny  ${HOME}/.kde/share/config/startupconfigkeys
+blacklist ${HOME}/.kde/share/config/startupconfigkeys
-deny  ${HOME}/.kde/shutdown
+blacklist ${HOME}/.kde/shutdown
-deny  ${HOME}/.kde4/env
+blacklist ${HOME}/.kde4/env
-deny  ${HOME}/.kde4/Autostart
+blacklist ${HOME}/.kde4/Autostart
-deny  ${HOME}/.kde4/share/autostart
+blacklist ${HOME}/.kde4/share/autostart
-deny  ${HOME}/.kde4/shutdown
+blacklist ${HOME}/.kde4/shutdown
-deny  ${HOME}/.kde4/share/config/startupconfig
+blacklist ${HOME}/.kde4/share/config/startupconfig
-deny  ${HOME}/.kde4/share/config/startupconfigkeys
+blacklist ${HOME}/.kde4/share/config/startupconfigkeys
-deny  ${HOME}/.local/share/autostart
+blacklist ${HOME}/.local/share/autostart
-deny  ${HOME}/.xinitrc
+blacklist ${HOME}/.xinitrc
-deny  ${HOME}/.xprofile
+blacklist ${HOME}/.xprofile
-deny  ${HOME}/.xserverrc
+blacklist ${HOME}/.xserverrc
-deny  ${HOME}/.xsession
+blacklist ${HOME}/.xsession
-deny  ${HOME}/.xsessionrc
+blacklist ${HOME}/.xsessionrc
-deny  /etc/X11/Xsession.d
+blacklist /etc/X11/Xsession.d
-deny  /etc/xdg/autostart
+blacklist /etc/xdg/autostart
 read-only ${HOME}/.Xauthority
 # Session manager
@@ -70,46 +70,46 @@ read-only ${HOME}/.Xauthority
 #?HAS_X11: blacklist /tmp/.ICE-unix
 # KDE config
-deny  ${HOME}/.cache/konsole
+blacklist ${HOME}/.cache/konsole
-deny  ${HOME}/.config/khotkeysrc
+blacklist ${HOME}/.config/khotkeysrc
-deny  ${HOME}/.config/krunnerrc
+blacklist ${HOME}/.config/krunnerrc
-deny  ${HOME}/.config/kscreenlockerrc
+blacklist ${HOME}/.config/kscreenlockerrc
-deny  ${HOME}/.config/ksslcertificatemanager
+blacklist ${HOME}/.config/ksslcertificatemanager
-deny  ${HOME}/.config/kwalletrc
+blacklist ${HOME}/.config/kwalletrc
-deny  ${HOME}/.config/kwinrc
+blacklist ${HOME}/.config/kwinrc
-deny  ${HOME}/.config/kwinrulesrc
+blacklist ${HOME}/.config/kwinrulesrc
-deny  ${HOME}/.config/plasma-locale-settings.sh
+blacklist ${HOME}/.config/plasma-locale-settings.sh
-deny  ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
+blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
-deny  ${HOME}/.config/plasmashellrc
+blacklist ${HOME}/.config/plasmashellrc
-deny  ${HOME}/.config/plasmavaultrc
+blacklist ${HOME}/.config/plasmavaultrc
-deny  ${HOME}/.kde/share/apps/kwin
+blacklist ${HOME}/.kde/share/apps/kwin
-deny  ${HOME}/.kde/share/apps/plasma
+blacklist ${HOME}/.kde/share/apps/plasma
-deny  ${HOME}/.kde/share/apps/solid
+blacklist ${HOME}/.kde/share/apps/solid
-deny  ${HOME}/.kde/share/config/khotkeysrc
+blacklist ${HOME}/.kde/share/config/khotkeysrc
-deny  ${HOME}/.kde/share/config/krunnerrc
+blacklist ${HOME}/.kde/share/config/krunnerrc
-deny  ${HOME}/.kde/share/config/kscreensaverrc
+blacklist ${HOME}/.kde/share/config/kscreensaverrc
-deny  ${HOME}/.kde/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
-deny  ${HOME}/.kde/share/config/kwalletrc
+blacklist ${HOME}/.kde/share/config/kwalletrc
-deny  ${HOME}/.kde/share/config/kwinrc
+blacklist ${HOME}/.kde/share/config/kwinrc
-deny  ${HOME}/.kde/share/config/kwinrulesrc
+blacklist ${HOME}/.kde/share/config/kwinrulesrc
-deny  ${HOME}/.kde/share/config/plasma-desktop-appletsrc
+blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
-deny  ${HOME}/.kde4/share/apps/kwin
+blacklist ${HOME}/.kde4/share/apps/kwin
-deny  ${HOME}/.kde4/share/apps/plasma
+blacklist ${HOME}/.kde4/share/apps/plasma
-deny  ${HOME}/.kde4/share/apps/solid
+blacklist ${HOME}/.kde4/share/apps/solid
-deny  ${HOME}/.kde4/share/config/khotkeysrc
+blacklist ${HOME}/.kde4/share/config/khotkeysrc
-deny  ${HOME}/.kde4/share/config/krunnerrc
+blacklist ${HOME}/.kde4/share/config/krunnerrc
-deny  ${HOME}/.kde4/share/config/kscreensaverrc
+blacklist ${HOME}/.kde4/share/config/kscreensaverrc
-deny  ${HOME}/.kde4/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
-deny  ${HOME}/.kde4/share/config/kwalletrc
+blacklist ${HOME}/.kde4/share/config/kwalletrc
-deny  ${HOME}/.kde4/share/config/kwinrc
+blacklist ${HOME}/.kde4/share/config/kwinrc
-deny  ${HOME}/.kde4/share/config/kwinrulesrc
+blacklist ${HOME}/.kde4/share/config/kwinrulesrc
-deny  ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
+blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
-deny  ${HOME}/.local/share/kglobalaccel
+blacklist ${HOME}/.local/share/kglobalaccel
-deny  ${HOME}/.local/share/kwin
+blacklist ${HOME}/.local/share/kwin
-deny  ${HOME}/.local/share/plasma
+blacklist ${HOME}/.local/share/plasma
-deny  ${HOME}/.local/share/plasmashell
+blacklist ${HOME}/.local/share/plasmashell
-deny  ${HOME}/.local/share/solid
+blacklist ${HOME}/.local/share/solid
-deny  /tmp/konsole-*.history
+blacklist /tmp/konsole-*.history
 read-only ${HOME}/.cache/ksycoca5_*
 read-only ${HOME}/.config/*notifyrc
 read-only ${HOME}/.config/kdeglobals
@@ -138,139 +138,139 @@ read-only ${HOME}/.local/share/kservices5
 read-only ${HOME}/.local/share/kssl
 # KDE sockets
-deny  ${RUNUSER}/*.slave-socket
+blacklist ${RUNUSER}/*.slave-socket
-deny  ${RUNUSER}/kdeinit5__*
+blacklist ${RUNUSER}/kdeinit5__*
-deny  ${RUNUSER}/kdesud_*
+blacklist ${RUNUSER}/kdesud_*
 # see #3358
 #?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-*
 #?HAS_NODBUS: blacklist /tmp/ksocket-*
 # gnome
 # contains extensions, last used times of applications, and notifications
-deny  ${HOME}/.local/share/gnome-shell
+blacklist ${HOME}/.local/share/gnome-shell
 # contains recently used files and serials of static/removable storage
-deny  ${HOME}/.local/share/gvfs-metadata
+blacklist ${HOME}/.local/share/gvfs-metadata
 # no direct modification of dconf database
 read-only ${HOME}/.config/dconf
-deny  ${RUNUSER}/gnome-session-leader-fifo
+blacklist ${RUNUSER}/gnome-session-leader-fifo
-deny  ${RUNUSER}/gnome-shell
+blacklist ${RUNUSER}/gnome-shell
-deny  ${RUNUSER}/gsconnect
+blacklist ${RUNUSER}/gsconnect
 # systemd
-deny  ${HOME}/.config/systemd
+blacklist ${HOME}/.config/systemd
-deny  ${HOME}/.local/share/systemd
+blacklist ${HOME}/.local/share/systemd
-deny  /var/lib/systemd
+blacklist /var/lib/systemd
-deny  ${PATH}/systemd-run
+blacklist ${PATH}/systemd-run
-deny  ${RUNUSER}/systemd
+blacklist ${RUNUSER}/systemd
-deny  ${PATH}/systemctl
+blacklist ${PATH}/systemctl
-deny  /etc/systemd/system
+blacklist /etc/systemd/system
-deny  /etc/systemd/network
+blacklist /etc/systemd/network
 # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
 #blacklist /var/run/systemd
 # openrc
-deny  /etc/runlevels/
+blacklist /etc/runlevels/
-deny  /etc/init.d/
+blacklist /etc/init.d/
-deny  /etc/rc.conf
+blacklist /etc/rc.conf
 # VirtualBox
-deny  ${HOME}/.VirtualBox
+blacklist ${HOME}/.VirtualBox
-deny  ${HOME}/.config/VirtualBox
+blacklist ${HOME}/.config/VirtualBox
-deny  ${HOME}/VirtualBox VMs
+blacklist ${HOME}/VirtualBox VMs
 # GNOME Boxes
-deny  ${HOME}/.config/gnome-boxes
+blacklist ${HOME}/.config/gnome-boxes
-deny  ${HOME}/.local/share/gnome-boxes
+blacklist ${HOME}/.local/share/gnome-boxes
 # libvirt
-deny  ${HOME}/.cache/libvirt
+blacklist ${HOME}/.cache/libvirt
-deny  ${HOME}/.config/libvirt
+blacklist ${HOME}/.config/libvirt
-deny  ${RUNUSER}/libvirt
+blacklist ${RUNUSER}/libvirt
-deny  /var/cache/libvirt
+blacklist /var/cache/libvirt
-deny  /var/lib/libvirt
+blacklist /var/lib/libvirt
-deny  /var/log/libvirt
+blacklist /var/log/libvirt
 # OCI-Containers / Podman
-deny  ${RUNUSER}/containers
+blacklist ${RUNUSER}/containers
-deny  ${RUNUSER}/crun
+blacklist ${RUNUSER}/crun
-deny  ${RUNUSER}/libpod
+blacklist ${RUNUSER}/libpod
-deny  ${RUNUSER}/runc
+blacklist ${RUNUSER}/runc
-deny  ${RUNUSER}/toolbox
+blacklist ${RUNUSER}/toolbox
 # VeraCrypt
-deny  ${HOME}/.VeraCrypt
+blacklist ${HOME}/.VeraCrypt
-deny  ${PATH}/veracrypt
+blacklist ${PATH}/veracrypt
-deny  ${PATH}/veracrypt-uninstall.sh
+blacklist ${PATH}/veracrypt-uninstall.sh
-deny  /usr/share/applications/veracrypt.*
+blacklist /usr/share/applications/veracrypt.*
-deny  /usr/share/pixmaps/veracrypt.*
+blacklist /usr/share/pixmaps/veracrypt.*
-deny  /usr/share/veracrypt
+blacklist /usr/share/veracrypt
 # TrueCrypt
-deny  ${HOME}/.TrueCrypt
+blacklist ${HOME}/.TrueCrypt
-deny  ${PATH}/truecrypt
+blacklist ${PATH}/truecrypt
-deny  ${PATH}/truecrypt-uninstall.sh
+blacklist ${PATH}/truecrypt-uninstall.sh
-deny  /usr/share/applications/truecrypt.*
+blacklist /usr/share/applications/truecrypt.*
-deny  /usr/share/pixmaps/truecrypt.*
+blacklist /usr/share/pixmaps/truecrypt.*
-deny  /usr/share/truecrypt
+blacklist /usr/share/truecrypt
 # zuluCrypt
-deny  ${HOME}/.zuluCrypt
+blacklist ${HOME}/.zuluCrypt
-deny  ${HOME}/.zuluCrypt-socket
+blacklist ${HOME}/.zuluCrypt-socket
-deny  ${PATH}/zuluCrypt-cli
+blacklist ${PATH}/zuluCrypt-cli
-deny  ${PATH}/zuluMount-cli
+blacklist ${PATH}/zuluMount-cli
 # var
-deny  /var/cache/apt
+blacklist /var/cache/apt
-deny  /var/cache/pacman
+blacklist /var/cache/pacman
-deny  /var/lib/apt
+blacklist /var/lib/apt
-deny  /var/lib/clamav
+blacklist /var/lib/clamav
-deny  /var/lib/dkms
+blacklist /var/lib/dkms
-deny  /var/lib/mysql/mysql.sock
+blacklist /var/lib/mysql/mysql.sock
-deny  /var/lib/mysqld/mysql.sock
+blacklist /var/lib/mysqld/mysql.sock
-deny  /var/lib/pacman
+blacklist /var/lib/pacman
-deny  /var/lib/upower
+blacklist /var/lib/upower
 # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
 # every sandbox, unless --writable-var-log switch is activated
-deny  /var/mail
+blacklist /var/mail
-deny  /var/opt
+blacklist /var/opt
-deny  /var/run/acpid.socket
+blacklist /var/run/acpid.socket
-deny  /var/run/docker.sock
+blacklist /var/run/docker.sock
-deny  /var/run/minissdpd.sock
+blacklist /var/run/minissdpd.sock
-deny  /var/run/mysql/mysqld.sock
+blacklist /var/run/mysql/mysqld.sock
-deny  /var/run/mysqld/mysqld.sock
+blacklist /var/run/mysqld/mysqld.sock
-deny  /var/run/rpcbind.sock
+blacklist /var/run/rpcbind.sock
-deny  /var/run/screens
+blacklist /var/run/screens
-deny  /var/spool/anacron
+blacklist /var/spool/anacron
-deny  /var/spool/cron
+blacklist /var/spool/cron
-deny  /var/spool/mail
+blacklist /var/spool/mail
 # etc
-deny  /etc/anacrontab
+blacklist /etc/anacrontab
-deny  /etc/cron*
+blacklist /etc/cron*
-deny  /etc/profile.d
+blacklist /etc/profile.d
-deny  /etc/rc.local
+blacklist /etc/rc.local
 # rc1.d, rc2.d, ...
-deny  /etc/rc?.d
+blacklist /etc/rc?.d
-deny  /etc/kernel*
+blacklist /etc/kernel*
-deny  /etc/grub*
+blacklist /etc/grub*
-deny  /etc/dkms
+blacklist /etc/dkms
-deny  /etc/apparmor*
+blacklist /etc/apparmor*
-deny  /etc/selinux
+blacklist /etc/selinux
-deny  /etc/modules*
+blacklist /etc/modules*
-deny  /etc/logrotate*
+blacklist /etc/logrotate*
-deny  /etc/adduser.conf
+blacklist /etc/adduser.conf
 # hide config for various intrusion detection systems
-deny  /etc/rkhunter.conf
+blacklist /etc/rkhunter.conf
-deny  /var/lib/rkhunter
+blacklist /var/lib/rkhunter
-deny  /etc/chkrootkit.conf
+blacklist /etc/chkrootkit.conf
-deny  /etc/lynis
+blacklist /etc/lynis
-deny  /etc/aide
+blacklist /etc/aide
-deny  /etc/logcheck
+blacklist /etc/logcheck
-deny  /etc/tripwire
+blacklist /etc/tripwire
-deny  /etc/snort
+blacklist /etc/snort
-deny  /etc/fail2ban.conf
+blacklist /etc/fail2ban.conf
-deny  /etc/suricata
+blacklist /etc/suricata
 # Startup files
 read-only ${HOME}/.antigen
@@ -307,13 +307,13 @@ read-only ${HOME}/.zshrc
 read-only ${HOME}/.zshrc.local
 # Remote access
-deny  ${HOME}/.rhosts
+blacklist ${HOME}/.rhosts
-deny  ${HOME}/.shosts
+blacklist ${HOME}/.shosts
-deny  ${HOME}/.ssh/authorized_keys
+blacklist ${HOME}/.ssh/authorized_keys
-deny  ${HOME}/.ssh/authorized_keys2
+blacklist ${HOME}/.ssh/authorized_keys2
-deny  ${HOME}/.ssh/environment
+blacklist ${HOME}/.ssh/environment
-deny  ${HOME}/.ssh/rc
+blacklist ${HOME}/.ssh/rc
-deny  /etc/hosts.equiv
+blacklist /etc/hosts.equiv
 read-only ${HOME}/.ssh/config
 read-only ${HOME}/.ssh/config.d
@@ -374,200 +374,200 @@ read-only ${HOME}/.local/share/mime
 read-only ${HOME}/.local/share/thumbnailers
 # prevent access to ssh-agent
-deny  /tmp/ssh-*
+blacklist /tmp/ssh-*
 # top secret
-deny  ${HOME}/*.kdb
+blacklist ${HOME}/*.kdb
-deny  ${HOME}/*.kdbx
+blacklist ${HOME}/*.kdbx
-deny  ${HOME}/*.key
+blacklist ${HOME}/*.key
-deny  ${HOME}/.Private
+blacklist ${HOME}/.Private
-deny  ${HOME}/.caff
+blacklist ${HOME}/.caff
-deny  ${HOME}/.cargo/credentials
+blacklist ${HOME}/.cargo/credentials
-deny  ${HOME}/.cargo/credentials.toml
+blacklist ${HOME}/.cargo/credentials.toml
-deny  ${HOME}/.cert
+blacklist ${HOME}/.cert
-deny  ${HOME}/.config/keybase
+blacklist ${HOME}/.config/keybase
-deny  ${HOME}/.davfs2/secrets
+blacklist ${HOME}/.davfs2/secrets
-deny  ${HOME}/.ecryptfs
+blacklist ${HOME}/.ecryptfs
-deny  ${HOME}/.fetchmailrc
+blacklist ${HOME}/.fetchmailrc
-deny  ${HOME}/.fscrypt
+blacklist ${HOME}/.fscrypt
-deny  ${HOME}/.git-credential-cache
+blacklist ${HOME}/.git-credential-cache
-deny  ${HOME}/.git-credentials
+blacklist ${HOME}/.git-credentials
-deny  ${HOME}/.gnome2/keyrings
+blacklist ${HOME}/.gnome2/keyrings
-deny  ${HOME}/.gnupg
+blacklist ${HOME}/.gnupg
-deny  ${HOME}/.config/hub
+blacklist ${HOME}/.config/hub
-deny  ${HOME}/.kde/share/apps/kwallet
+blacklist ${HOME}/.kde/share/apps/kwallet
-deny  ${HOME}/.kde4/share/apps/kwallet
+blacklist ${HOME}/.kde4/share/apps/kwallet
-deny  ${HOME}/.local/share/keyrings
+blacklist ${HOME}/.local/share/keyrings
-deny  ${HOME}/.local/share/kwalletd
+blacklist ${HOME}/.local/share/kwalletd
-deny  ${HOME}/.local/share/plasma-vault
+blacklist ${HOME}/.local/share/plasma-vault
-deny  ${HOME}/.msmtprc
+blacklist ${HOME}/.msmtprc
-deny  ${HOME}/.mutt
+blacklist ${HOME}/.mutt
-deny  ${HOME}/.muttrc
+blacklist ${HOME}/.muttrc
-deny  ${HOME}/.netrc
+blacklist ${HOME}/.netrc
-deny  ${HOME}/.nyx
+blacklist ${HOME}/.nyx
-deny  ${HOME}/.pki
+blacklist ${HOME}/.pki
-deny  ${HOME}/.local/share/pki
+blacklist ${HOME}/.local/share/pki
-deny  ${HOME}/.smbcredentials
+blacklist ${HOME}/.smbcredentials
-deny  ${HOME}/.ssh
+blacklist ${HOME}/.ssh
-deny  ${HOME}/.vaults
+blacklist ${HOME}/.vaults
-deny  /.fscrypt
+blacklist /.fscrypt
-deny  /etc/davfs2/secrets
+blacklist /etc/davfs2/secrets
-deny  /etc/group+
+blacklist /etc/group+
-deny  /etc/group-
+blacklist /etc/group-
-deny  /etc/gshadow
+blacklist /etc/gshadow
-deny  /etc/gshadow+
+blacklist /etc/gshadow+
-deny  /etc/gshadow-
+blacklist /etc/gshadow-
-deny  /etc/passwd+
+blacklist /etc/passwd+
-deny  /etc/passwd-
+blacklist /etc/passwd-
-deny  /etc/shadow
+blacklist /etc/shadow
-deny  /etc/shadow+
+blacklist /etc/shadow+
-deny  /etc/shadow-
+blacklist /etc/shadow-
-deny  /etc/ssh
+blacklist /etc/ssh
-deny  /etc/ssh/*
+blacklist /etc/ssh/*
-deny  /home/.ecryptfs
+blacklist /home/.ecryptfs
-deny  /home/.fscrypt
+blacklist /home/.fscrypt
-deny  /var/backup
+blacklist /var/backup
 # cloud provider configuration
-deny  ${HOME}/.aws
+blacklist ${HOME}/.aws
-deny  ${HOME}/.boto
+blacklist ${HOME}/.boto
-deny  ${HOME}/.config/gcloud
+blacklist ${HOME}/.config/gcloud
-deny  ${HOME}/.kube
+blacklist ${HOME}/.kube
-deny  ${HOME}/.passwd-s3fs
+blacklist ${HOME}/.passwd-s3fs
-deny  ${HOME}/.s3cmd
+blacklist ${HOME}/.s3cmd
-deny  /etc/boto.cfg
+blacklist /etc/boto.cfg
 # system directories
-deny  /sbin
+blacklist /sbin
-deny  /usr/local/sbin
+blacklist /usr/local/sbin
-deny  /usr/sbin
+blacklist /usr/sbin
 # system management
-deny  ${PATH}/at
+blacklist ${PATH}/at
-deny  ${PATH}/busybox
+blacklist ${PATH}/busybox
-deny  ${PATH}/chage
+blacklist ${PATH}/chage
-deny  ${PATH}/chfn
+blacklist ${PATH}/chfn
-deny  ${PATH}/chsh
+blacklist ${PATH}/chsh
-deny  ${PATH}/crontab
+blacklist ${PATH}/crontab
-deny  ${PATH}/evtest
+blacklist ${PATH}/evtest
-deny  ${PATH}/expiry
+blacklist ${PATH}/expiry
-deny  ${PATH}/fusermount
+blacklist ${PATH}/fusermount
-deny  ${PATH}/gksu
+blacklist ${PATH}/gksu
-deny  ${PATH}/gksudo
+blacklist ${PATH}/gksudo
-deny  ${PATH}/gpasswd
+blacklist ${PATH}/gpasswd
-deny  ${PATH}/kdesudo
+blacklist ${PATH}/kdesudo
-deny  ${PATH}/ksu
+blacklist ${PATH}/ksu
-deny  ${PATH}/mount
+blacklist ${PATH}/mount
-deny  ${PATH}/mount.ecryptfs_private
+blacklist ${PATH}/mount.ecryptfs_private
-deny  ${PATH}/nc
+blacklist ${PATH}/nc
-deny  ${PATH}/ncat
+blacklist ${PATH}/ncat
-deny  ${PATH}/nmap
+blacklist ${PATH}/nmap
-deny  ${PATH}/newgidmap
+blacklist ${PATH}/newgidmap
-deny  ${PATH}/newgrp
+blacklist ${PATH}/newgrp
-deny  ${PATH}/newuidmap
+blacklist ${PATH}/newuidmap
-deny  ${PATH}/ntfs-3g
+blacklist ${PATH}/ntfs-3g
-deny  ${PATH}/pkexec
+blacklist ${PATH}/pkexec
-deny  ${PATH}/procmail
+blacklist ${PATH}/procmail
-deny  ${PATH}/sg
+blacklist ${PATH}/sg
-deny  ${PATH}/strace
+blacklist ${PATH}/strace
-deny  ${PATH}/su
+blacklist ${PATH}/su
-deny  ${PATH}/sudo
+blacklist ${PATH}/sudo
-deny  ${PATH}/tcpdump
+blacklist ${PATH}/tcpdump
-deny  ${PATH}/umount
+blacklist ${PATH}/umount
-deny  ${PATH}/unix_chkpwd
+blacklist ${PATH}/unix_chkpwd
-deny  ${PATH}/xev
+blacklist ${PATH}/xev
-deny  ${PATH}/xinput
+blacklist ${PATH}/xinput
 # other SUID binaries
-deny  /usr/lib/virtualbox
+blacklist /usr/lib/virtualbox
-deny  /usr/lib64/virtualbox
+blacklist /usr/lib64/virtualbox
 # prevent lxterminal connecting to an existing lxterminal session
-deny  /tmp/.lxterminal-socket*
+blacklist /tmp/.lxterminal-socket*
 # prevent tmux connecting to an existing session
-deny  /tmp/tmux-*
+blacklist /tmp/tmux-*
 # disable terminals running as server resulting in sandbox escape
-deny  ${PATH}/lxterminal
+blacklist ${PATH}/lxterminal
-deny  ${PATH}/gnome-terminal
+blacklist ${PATH}/gnome-terminal
-deny  ${PATH}/gnome-terminal.wrapper
+blacklist ${PATH}/gnome-terminal.wrapper
-deny  ${PATH}/lilyterm
+blacklist ${PATH}/lilyterm
-deny  ${PATH}/mate-terminal
+blacklist ${PATH}/mate-terminal
-deny  ${PATH}/mate-terminal.wrapper
+blacklist ${PATH}/mate-terminal.wrapper
-deny  ${PATH}/pantheon-terminal
+blacklist ${PATH}/pantheon-terminal
-deny  ${PATH}/roxterm
+blacklist ${PATH}/roxterm
-deny  ${PATH}/roxterm-config
+blacklist ${PATH}/roxterm-config
-deny  ${PATH}/terminix
+blacklist ${PATH}/terminix
-deny  ${PATH}/tilix
+blacklist ${PATH}/tilix
-deny  ${PATH}/urxvtc
+blacklist ${PATH}/urxvtc
-deny  ${PATH}/urxvtcd
+blacklist ${PATH}/urxvtcd
-deny  ${PATH}/xfce4-terminal
+blacklist ${PATH}/xfce4-terminal
-deny  ${PATH}/xfce4-terminal.wrapper
+blacklist ${PATH}/xfce4-terminal.wrapper
 # blacklist ${PATH}/konsole
 # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
 # kernel files
-deny  /initrd*
+blacklist /initrd*
-deny  /vmlinuz*
+blacklist /vmlinuz*
 # snapshot files
-deny  /.snapshots
+blacklist /.snapshots
 # flatpak
-deny  ${HOME}/.cache/flatpak
+blacklist ${HOME}/.cache/flatpak
-deny  ${HOME}/.config/flatpak
+blacklist ${HOME}/.config/flatpak
-nodeny  ${HOME}/.local/share/flatpak/exports
+noblacklist ${HOME}/.local/share/flatpak/exports
 read-only ${HOME}/.local/share/flatpak/exports
-deny  ${HOME}/.local/share/flatpak/*
+blacklist ${HOME}/.local/share/flatpak/*
-deny  ${HOME}/.var
+blacklist ${HOME}/.var
-deny  ${RUNUSER}/app
+blacklist ${RUNUSER}/app
-deny  ${RUNUSER}/doc
+blacklist ${RUNUSER}/doc
-deny  ${RUNUSER}/.dbus-proxy
+blacklist ${RUNUSER}/.dbus-proxy
-deny  ${RUNUSER}/.flatpak
+blacklist ${RUNUSER}/.flatpak
-deny  ${RUNUSER}/.flatpak-cache
+blacklist ${RUNUSER}/.flatpak-cache
-deny  ${RUNUSER}/.flatpak-helper
+blacklist ${RUNUSER}/.flatpak-helper
-deny  /usr/share/flatpak
+blacklist /usr/share/flatpak
-nodeny  /var/lib/flatpak/exports
+noblacklist /var/lib/flatpak/exports
-deny  /var/lib/flatpak/*
+blacklist /var/lib/flatpak/*
 # most of the time bwrap is SUID binary
-deny  ${PATH}/bwrap
+blacklist ${PATH}/bwrap
 # snap
-deny  ${RUNUSER}/snapd-session-agent.socket
+blacklist ${RUNUSER}/snapd-session-agent.socket
 # mail directories used by mutt
-deny  ${HOME}/.Mail
+blacklist ${HOME}/.Mail
-deny  ${HOME}/.mail
+blacklist ${HOME}/.mail
-deny  ${HOME}/.signature
+blacklist ${HOME}/.signature
-deny  ${HOME}/Mail
+blacklist ${HOME}/Mail
-deny  ${HOME}/mail
+blacklist ${HOME}/mail
-deny  ${HOME}/postponed
+blacklist ${HOME}/postponed
-deny  ${HOME}/sent
+blacklist ${HOME}/sent
 # kernel configuration
-deny  /proc/config.gz
+blacklist /proc/config.gz
 # prevent DNS malware attempting to communicate with the server
 # using regular DNS tools
-deny  ${PATH}/dig
+blacklist ${PATH}/dig
-deny  ${PATH}/dlint
+blacklist ${PATH}/dlint
-deny  ${PATH}/dns2tcp
+blacklist ${PATH}/dns2tcp
-deny  ${PATH}/dnssec-*
+blacklist ${PATH}/dnssec-*
-deny  ${PATH}/dnswalk
+blacklist ${PATH}/dnswalk
-deny  ${PATH}/drill
+blacklist ${PATH}/drill
-deny  ${PATH}/host
+blacklist ${PATH}/host
-deny  ${PATH}/iodine
+blacklist ${PATH}/iodine
-deny  ${PATH}/kdig
+blacklist ${PATH}/kdig
-deny  ${PATH}/khost
+blacklist ${PATH}/khost
-deny  ${PATH}/knsupdate
+blacklist ${PATH}/knsupdate
-deny  ${PATH}/ldns-*
+blacklist ${PATH}/ldns-*
-deny  ${PATH}/ldnsd
+blacklist ${PATH}/ldnsd
-deny  ${PATH}/nslookup
+blacklist ${PATH}/nslookup
-deny  ${PATH}/resolvectl
+blacklist ${PATH}/resolvectl
-deny  ${PATH}/unbound-host
+blacklist ${PATH}/unbound-host
 # rest of ${RUNUSER}
-deny  ${RUNUSER}/*.lock
+blacklist ${RUNUSER}/*.lock
-deny  ${RUNUSER}/inaccessible
+blacklist ${RUNUSER}/inaccessible
-deny  ${RUNUSER}/pk-debconf-socket
+blacklist ${RUNUSER}/pk-debconf-socket
-deny  ${RUNUSER}/update-notifier.pid
+blacklist ${RUNUSER}/update-notifier.pid
diff --git a/etc/inc/disable-devel.inc b/etc/inc/disable-devel.inc
index a893eb3f3..e74b1b40b 100644
--- a/etc/inc/disable-devel.inc
+++ b/etc/inc/disable-devel.inc
@@ -5,65 +5,65 @@ include disable-devel.local
 # development tools
 # clang/llvm
-deny  ${PATH}/clang*
+blacklist ${PATH}/clang*
-deny  ${PATH}/lldb*
+blacklist ${PATH}/lldb*
-deny  ${PATH}/llvm*
+blacklist ${PATH}/llvm*
 # see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU
 # blacklist /usr/lib/llvm*
 # GCC
-deny  ${PATH}/as
+blacklist ${PATH}/as
-deny  ${PATH}/cc
+blacklist ${PATH}/cc
-deny  ${PATH}/c++*
+blacklist ${PATH}/c++*
-deny  ${PATH}/c8*
+blacklist ${PATH}/c8*
-deny  ${PATH}/c9*
+blacklist ${PATH}/c9*
-deny  ${PATH}/cpp*
+blacklist ${PATH}/cpp*
-deny  ${PATH}/g++*
+blacklist ${PATH}/g++*
-deny  ${PATH}/gcc*
+blacklist ${PATH}/gcc*
-deny  ${PATH}/gdb
+blacklist ${PATH}/gdb
-deny  ${PATH}/ld
+blacklist ${PATH}/ld
-deny  ${PATH}/*-gcc*
+blacklist ${PATH}/*-gcc*
-deny  ${PATH}/*-g++*
+blacklist ${PATH}/*-g++*
-deny  ${PATH}/*-gcc*
+blacklist ${PATH}/*-gcc*
-deny  ${PATH}/*-g++*
+blacklist ${PATH}/*-g++*
 # seems to create problems on Gentoo
 #blacklist /usr/lib/gcc
 #Go
-deny  ${PATH}/gccgo
+blacklist ${PATH}/gccgo
-deny  ${PATH}/go
+blacklist ${PATH}/go
-deny  ${PATH}/gofmt
+blacklist ${PATH}/gofmt
 # Java
-deny  ${PATH}/java
+blacklist ${PATH}/java
-deny  ${PATH}/javac
+blacklist ${PATH}/javac
-deny  /etc/java
+blacklist /etc/java
-deny  /usr/lib/java
+blacklist /usr/lib/java
-deny  /usr/share/java
+blacklist /usr/share/java
 #OpenSSL
-deny  ${PATH}/openssl
+blacklist ${PATH}/openssl
-deny  ${PATH}/openssl-1.0
+blacklist ${PATH}/openssl-1.0
 #Rust
-deny  ${PATH}/rust-gdb
+blacklist ${PATH}/rust-gdb
-deny  ${PATH}/rust-lldb
+blacklist ${PATH}/rust-lldb
-deny  ${PATH}/rustc
+blacklist ${PATH}/rustc
-deny  ${HOME}/.rustup
+blacklist ${HOME}/.rustup
 # tcc - Tiny C Compiler
-deny  ${PATH}/tcc
+blacklist ${PATH}/tcc
-deny  ${PATH}/x86_64-tcc
+blacklist ${PATH}/x86_64-tcc
-deny  /usr/lib/tcc
+blacklist /usr/lib/tcc
 # Valgrind
-deny  ${PATH}/valgrind*
+blacklist ${PATH}/valgrind*
-deny  /usr/lib/valgrind
+blacklist /usr/lib/valgrind
 # Source-Code
-deny  /usr/src
+blacklist /usr/src
-deny  /usr/local/src
+blacklist /usr/local/src
-deny  /usr/include
+blacklist /usr/include
-deny  /usr/local/include
+blacklist /usr/local/include
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
index c77d9a490..5d8a236fb 100644
--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -3,66 +3,66 @@
 include disable-interpreters.local
 # gjs
-deny  ${PATH}/gjs
+blacklist ${PATH}/gjs
-deny  ${PATH}/gjs-console
+blacklist ${PATH}/gjs-console
-deny  /usr/lib/gjs
+blacklist /usr/lib/gjs
-deny  /usr/lib/libgjs*
+blacklist /usr/lib/libgjs*
-deny  /usr/lib64/gjs
+blacklist /usr/lib64/gjs
-deny  /usr/lib64/libgjs*
+blacklist /usr/lib64/libgjs*
 # Lua
-deny  ${PATH}/lua*
+blacklist ${PATH}/lua*
-deny  /usr/include/lua*
+blacklist /usr/include/lua*
-deny  /usr/lib/liblua*
+blacklist /usr/lib/liblua*
-deny  /usr/lib/lua
+blacklist /usr/lib/lua
-deny  /usr/lib64/liblua*
+blacklist /usr/lib64/liblua*
-deny  /usr/lib64/lua
+blacklist /usr/lib64/lua
-deny  /usr/share/lua*
+blacklist /usr/share/lua*
 # mozjs
-deny  /usr/lib/libmozjs-*
+blacklist /usr/lib/libmozjs-*
-deny  /usr/lib64/libmozjs-*
+blacklist /usr/lib64/libmozjs-*
 # Node.js
-deny  ${PATH}/node
+blacklist ${PATH}/node
-deny  /usr/include/node
+blacklist /usr/include/node
 # nvm
-deny  ${HOME}/.nvm
+blacklist ${HOME}/.nvm
 # Perl
-deny  ${PATH}/core_perl
+blacklist ${PATH}/core_perl
-deny  ${PATH}/cpan*
+blacklist ${PATH}/cpan*
-deny  ${PATH}/perl
+blacklist ${PATH}/perl
-deny  ${PATH}/site_perl
+blacklist ${PATH}/site_perl
-deny  ${PATH}/vendor_perl
+blacklist ${PATH}/vendor_perl
-deny  /usr/lib/perl*
+blacklist /usr/lib/perl*
-deny  /usr/lib64/perl*
+blacklist /usr/lib64/perl*
-deny  /usr/share/perl*
+blacklist /usr/share/perl*
 # PHP
-deny  ${PATH}/php*
+blacklist ${PATH}/php*
-deny  /usr/lib/php*
+blacklist /usr/lib/php*
-deny  /usr/share/php*
+blacklist /usr/share/php*
 # Ruby
-deny  ${PATH}/ruby
+blacklist ${PATH}/ruby
-deny  /usr/lib/ruby
+blacklist /usr/lib/ruby
 # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
 # Python 2
-deny  ${PATH}/python2*
+blacklist ${PATH}/python2*
-deny  /usr/include/python2*
+blacklist /usr/include/python2*
-deny  /usr/lib/python2*
+blacklist /usr/lib/python2*
-deny  /usr/local/lib/python2*
+blacklist /usr/local/lib/python2*
-deny  /usr/share/python2*
+blacklist /usr/share/python2*
 # You will want to add noblacklist for python3 stuff in the firefox and/or chromium profiles if you use the Gnome connector (see Issue #2026)
 # Python 3
-deny  ${PATH}/python3*
+blacklist ${PATH}/python3*
-deny  /usr/include/python3*
+blacklist /usr/include/python3*
-deny  /usr/lib/python3*
+blacklist /usr/lib/python3*
-deny  /usr/lib64/python3*
+blacklist /usr/lib64/python3*
-deny  /usr/local/lib/python3*
+blacklist /usr/local/lib/python3*
-deny  /usr/share/python3*
+blacklist /usr/share/python3*
diff --git a/etc/inc/disable-passwdmgr.inc b/etc/inc/disable-passwdmgr.inc
index 0a61bc46f..3ed9a1b14 100644
--- a/etc/inc/disable-passwdmgr.inc
+++ b/etc/inc/disable-passwdmgr.inc
@@ -2,18 +2,18 @@
 # Persistent customizations should go in a .local file.
 include disable-passwdmgr.local
-deny  ${HOME}/.config/Bitwarden
+blacklist ${HOME}/.config/Bitwarden
-deny  ${HOME}/.config/KeePass
+blacklist ${HOME}/.config/KeePass
-deny  ${HOME}/.config/keepass
+blacklist ${HOME}/.config/keepass
-deny  ${HOME}/.config/keepassx
+blacklist ${HOME}/.config/keepassx
-deny  ${HOME}/.config/keepassxc
+blacklist ${HOME}/.config/keepassxc
-deny  ${HOME}/.config/KeePassXCrc
+blacklist ${HOME}/.config/KeePassXCrc
-deny  ${HOME}/.config/Sinew Software Systems
+blacklist ${HOME}/.config/Sinew Software Systems
-deny  ${HOME}/.fpm
+blacklist ${HOME}/.fpm
-deny  ${HOME}/.keepass
+blacklist ${HOME}/.keepass
-deny  ${HOME}/.keepassx
+blacklist ${HOME}/.keepassx
-deny  ${HOME}/.keepassxc
+blacklist ${HOME}/.keepassxc
-deny  ${HOME}/.lastpass
+blacklist ${HOME}/.lastpass
-deny  ${HOME}/.local/share/KeePass
+blacklist ${HOME}/.local/share/KeePass
-deny  ${HOME}/.local/share/keepass
+blacklist ${HOME}/.local/share/keepass
-deny  ${HOME}/.password-store
+blacklist ${HOME}/.password-store
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index c87948b27..7da2f276c 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -2,1098 +2,1106 @@
 # Persistent customizations should go in a .local file.
 include disable-programs.local
-deny  ${HOME}/.*coin
+blacklist ${HOME}/.*coin
-deny  ${HOME}/.8pecxstudios
+blacklist ${HOME}/.8pecxstudios
-deny  ${HOME}/.AndroidStudio*
+blacklist ${HOME}/.AndroidStudio*
-deny  ${HOME}/.Atom
+blacklist ${HOME}/.Atom
-deny  ${HOME}/.CLion*
+blacklist ${HOME}/.CLion*
-deny  ${HOME}/.FBReader
+blacklist ${HOME}/.FBReader
-deny  ${HOME}/.FontForge
+blacklist ${HOME}/.FontForge
-deny  ${HOME}/.IdeaIC*
+blacklist ${HOME}/.IdeaIC*
-deny  ${HOME}/.LuminanceHDR
+blacklist ${HOME}/.LuminanceHDR
-deny  ${HOME}/.Mathematica
+blacklist ${HOME}/.Mathematica
-deny  ${HOME}/.Natron
+blacklist ${HOME}/.Natron
-deny  ${HOME}/.PlayOnLinux
+blacklist ${HOME}/.PlayOnLinux
-deny  ${HOME}/.PyCharm*
+blacklist ${HOME}/.PyCharm*
-deny  ${HOME}/.Sayonara
+blacklist ${HOME}/.Sayonara
-deny  ${HOME}/.Steam
+blacklist ${HOME}/.Steam
-deny  ${HOME}/.Steampath
+blacklist ${HOME}/.Steampath
-deny  ${HOME}/.Steampid
+blacklist ${HOME}/.Steampid
-deny  ${HOME}/.TelegramDesktop
+blacklist ${HOME}/.TelegramDesktop
-deny  ${HOME}/.VSCodium
+blacklist ${HOME}/.VSCodium
-deny  ${HOME}/.ViberPC
+blacklist ${HOME}/.ViberPC
-deny  ${HOME}/.VirtualBox
+blacklist ${HOME}/.VirtualBox
-deny  ${HOME}/.WebStorm*
+blacklist ${HOME}/.WebStorm*
-deny  ${HOME}/.Wolfram Research
+blacklist ${HOME}/.Wolfram Research
-deny  ${HOME}/.ZAP
+blacklist ${HOME}/.ZAP
-deny  ${HOME}/.aMule
+blacklist ${HOME}/.aMule
-deny  ${HOME}/.abook
+blacklist ${HOME}/.abook
-deny  ${HOME}/.addressbook
+blacklist ${HOME}/.addressbook
-deny  ${HOME}/.alpine-smime
+blacklist ${HOME}/.alpine-smime
-deny  ${HOME}/.android
+blacklist ${HOME}/.android
-deny  ${HOME}/.anydesk
+blacklist ${HOME}/.anydesk
-deny  ${HOME}/.arduino15
+blacklist ${HOME}/.arduino15
-deny  ${HOME}/.aria2
+blacklist ${HOME}/.aria2
-deny  ${HOME}/.arm
+blacklist ${HOME}/.arm
-deny  ${HOME}/.asunder_album_artist
+blacklist ${HOME}/.asunder_album_artist
-deny  ${HOME}/.asunder_album_genre
+blacklist ${HOME}/.asunder_album_genre
-deny  ${HOME}/.asunder_album_title
+blacklist ${HOME}/.asunder_album_title
-deny  ${HOME}/.atom
+blacklist ${HOME}/.atom
-deny  ${HOME}/.attic
+blacklist ${HOME}/.attic
-deny  ${HOME}/.audacity-data
+blacklist ${HOME}/.audacity-data
-deny  ${HOME}/.avidemux6
+blacklist ${HOME}/.avidemux6
-deny  ${HOME}/.ballbuster.hs
+blacklist ${HOME}/.ballbuster.hs
-deny  ${HOME}/.balsa
+blacklist ${HOME}/.balsa
-deny  ${HOME}/.bcast5
+blacklist ${HOME}/.bcast5
-deny  ${HOME}/.bibletime
+blacklist ${HOME}/.bibletime
-deny  ${HOME}/.bitcoin
+blacklist ${HOME}/.bitcoin
-deny  ${HOME}/.blobby
+blacklist ${HOME}/.blobby
-deny  ${HOME}/.bogofilter
+blacklist ${HOME}/.bogofilter
-deny  ${HOME}/.bzf
+blacklist ${HOME}/.bzf
-deny  ${HOME}/.cargo/*
+blacklist ${HOME}/.cargo/*
-deny  ${HOME}/.claws-mail
+blacklist ${HOME}/.claws-mail
-deny  ${HOME}/.cliqz
+blacklist ${HOME}/.cliqz
-deny  ${HOME}/.clion*
+blacklist ${HOME}/.clion*
-deny  ${HOME}/.clonk
+blacklist ${HOME}/.clonk
-deny  ${HOME}/.config/0ad
+blacklist ${HOME}/.config/0ad
-deny  ${HOME}/.config/2048-qt
+blacklist ${HOME}/.config/2048-qt
-deny  ${HOME}/.config/Atom
+blacklist ${HOME}/.config/Atom
-deny  ${HOME}/.config/Audaciousrc
+blacklist ${HOME}/.config/Audaciousrc
-deny  ${HOME}/.config/Authenticator
+blacklist ${HOME}/.config/Authenticator
-deny  ${HOME}/.config/Beaker Browser
+blacklist ${HOME}/.config/Beaker Browser
-deny  ${HOME}/.config/Bitcoin
+blacklist ${HOME}/.config/Bitcoin
-deny  ${HOME}/.config/Bitwarden
+blacklist ${HOME}/.config/Bitwarden
-deny  ${HOME}/.config/Brackets
+blacklist ${HOME}/.config/Brackets
-deny  ${HOME}/.config/BraveSoftware
+blacklist ${HOME}/.config/BraveSoftware
-deny  ${HOME}/.config/Clementine
+blacklist ${HOME}/.config/Clementine
-deny  ${HOME}/.config/Code
+blacklist ${HOME}/.config/Code
-deny  ${HOME}/.config/Code - OSS
+blacklist ${HOME}/.config/Code - OSS
-deny  ${HOME}/.config/Code Industry
+blacklist ${HOME}/.config/Code Industry
-deny  ${HOME}/.config/Cryptocat
+blacklist ${HOME}/.config/Cryptocat
-deny  ${HOME}/.config/Debauchee/Barrier.conf
+blacklist ${HOME}/.config/Debauchee/Barrier.conf
-deny  ${HOME}/.config/Dharkael
+blacklist ${HOME}/.config/Dharkael
-deny  ${HOME}/.config/ENCOM
+blacklist ${HOME}/.config/ENCOM
-deny  ${HOME}/.config/Element
+blacklist ${HOME}/.config/Element
-deny  ${HOME}/.config/Element (Riot)
+blacklist ${HOME}/.config/Element (Riot)
-deny  ${HOME}/.config/Enox
+blacklist ${HOME}/.config/Enox
-deny  ${HOME}/.config/Epic
+blacklist ${HOME}/.config/Epic
-deny  ${HOME}/.config/Ferdi
+blacklist ${HOME}/.config/Ferdi
-deny  ${HOME}/.config/Flavio Tordini
+blacklist ${HOME}/.config/Flavio Tordini
-deny  ${HOME}/.config/Franz
+blacklist ${HOME}/.config/Franz
-deny  ${HOME}/.config/FreeCAD
+blacklist ${HOME}/.config/FreeCAD
-deny  ${HOME}/.config/FreeTube
+blacklist ${HOME}/.config/FreeTube
-deny  ${HOME}/.config/Fritzing
+blacklist ${HOME}/.config/Fritzing
-deny  ${HOME}/.config/GIMP
+blacklist ${HOME}/.config/GIMP
-deny  ${HOME}/.config/GitHub Desktop
+blacklist ${HOME}/.config/GitHub Desktop
-deny  ${HOME}/.config/Gitter
+blacklist ${HOME}/.config/Gitter
-deny  ${HOME}/.config/Google
+blacklist ${HOME}/.config/Google
-deny  ${HOME}/.config/Google Play Music Desktop Player
+blacklist ${HOME}/.config/Google Play Music Desktop Player
-deny  ${HOME}/.config/Gpredict
+blacklist ${HOME}/.config/Gpredict
-deny  ${HOME}/.config/INRIA
+blacklist ${HOME}/.config/INRIA
-deny  ${HOME}/.config/InSilmaril
+blacklist ${HOME}/.config/InSilmaril
-deny  ${HOME}/.config/Jitsi Meet
+blacklist ${HOME}/.config/Jitsi Meet
-deny  ${HOME}/.config/JetBrains/CLion*
+blacklist ${HOME}/.config/JetBrains/CLion*
-deny  ${HOME}/.config/KDE/neochat
+blacklist ${HOME}/.config/KDE/neochat
-deny  ${HOME}/.config/Kid3
+blacklist ${HOME}/.config/Kid3
-deny  ${HOME}/.config/Kingsoft
+blacklist ${HOME}/.config/Kingsoft
-deny  ${HOME}/.config/LibreCAD
+blacklist ${HOME}/.config/LibreCAD
-deny  ${HOME}/.config/Loop_Hero
+blacklist ${HOME}/.config/Loop_Hero
-deny  ${HOME}/.config/Luminance
+blacklist ${HOME}/.config/Luminance
-deny  ${HOME}/.config/LyX
+blacklist ${HOME}/.config/LyX
-deny  ${HOME}/.config/Mattermost
+blacklist ${HOME}/.config/Mattermost
-deny  ${HOME}/.config/Meltytech
+blacklist ${HOME}/.config/Meltytech
-deny  ${HOME}/.config/Mendeley Ltd.
+blacklist ${HOME}/.config/Mendeley Ltd.
-deny  ${HOME}/.config/Microsoft
+blacklist ${HOME}/.config/Microsoft
-deny  ${HOME}/.config/Min
+blacklist ${HOME}/.config/Min
-deny  ${HOME}/.config/ModTheSpire
+blacklist ${HOME}/.config/ModTheSpire
-deny  ${HOME}/.config/Mousepad
+blacklist ${HOME}/.config/Mousepad
-deny  ${HOME}/.config/Mumble
+blacklist ${HOME}/.config/Mumble
-deny  ${HOME}/.config/MusE
+blacklist ${HOME}/.config/MusE
-deny  ${HOME}/.config/MuseScore
+blacklist ${HOME}/.config/MuseScore
-deny  ${HOME}/.config/MusicBrainz
+blacklist ${HOME}/.config/MusicBrainz
-deny  ${HOME}/.config/Nathan Osman
+blacklist ${HOME}/.config/Nathan Osman
-deny  ${HOME}/.config/Nextcloud
+blacklist ${HOME}/.config/Nextcloud
-deny  ${HOME}/.config/NitroShare
+blacklist ${HOME}/.config/NitroShare
-deny  ${HOME}/.config/Nylas Mail
+blacklist ${HOME}/.config/Nylas Mail
-deny  ${HOME}/.config/PBE
+blacklist ${HOME}/.config/PBE
-deny  ${HOME}/.config/PacmanLogViewer
+blacklist ${HOME}/.config/PacmanLogViewer
-deny  ${HOME}/.config/PawelStolowski
+blacklist ${HOME}/.config/PawelStolowski
-deny  ${HOME}/.config/Philipp Schmieder
+blacklist ${HOME}/.config/Philipp Schmieder
-deny  ${HOME}/.config/Pinta
+blacklist ${HOME}/.config/Pinta
-deny  ${HOME}/.config/QGIS
+blacklist ${HOME}/.config/QGIS
-deny  ${HOME}/.config/QMediathekView
+blacklist ${HOME}/.config/QMediathekView
-deny  ${HOME}/.config/Qlipper
+blacklist ${HOME}/.config/Qlipper
-deny  ${HOME}/.config/QuiteRss
+blacklist ${HOME}/.config/QuiteRss
-deny  ${HOME}/.config/QuiteRssrc
+blacklist ${HOME}/.config/QuiteRssrc
-deny  ${HOME}/.config/Quotient
+blacklist ${HOME}/.config/Quotient
-deny  ${HOME}/.config/Rambox
+blacklist ${HOME}/.config/Rambox
-deny  ${HOME}/.config/Riot
+blacklist ${HOME}/.config/Riot
-deny  ${HOME}/.config/Rocket.Chat
+blacklist ${HOME}/.config/Rocket.Chat
-deny  ${HOME}/.config/RogueLegacy
+blacklist ${HOME}/.config/RogueLegacy
-deny  ${HOME}/.config/RogueLegacyStorageContainer
+blacklist ${HOME}/.config/RogueLegacyStorageContainer
-deny  ${HOME}/.config/Signal
+blacklist ${HOME}/.config/Signal
-deny  ${HOME}/.config/Sinew Software Systems
+blacklist ${HOME}/.config/Sinew Software Systems
-deny  ${HOME}/.config/Slack
+blacklist ${HOME}/.config/Slack
-deny  ${HOME}/.config/Standard Notes
+blacklist ${HOME}/.config/Standard Notes
-deny  ${HOME}/.config/SubDownloader
+blacklist ${HOME}/.config/SubDownloader
-deny  ${HOME}/.config/Thunar
+blacklist ${HOME}/.config/Thunar
-deny  ${HOME}/.config/Twitch
+blacklist ${HOME}/.config/Twitch
-deny  ${HOME}/.config/Unknown Organization
+blacklist ${HOME}/.config/Unknown Organization
-deny  ${HOME}/.config/VirtualBox
+blacklist ${HOME}/.config/VirtualBox
-deny  ${HOME}/.config/Whalebird
+blacklist ${HOME}/.config/Whalebird
-deny  ${HOME}/.config/Wire
+blacklist ${HOME}/.config/Wire
-deny  ${HOME}/.config/Youtube
+blacklist ${HOME}/.config/Youtube
-deny  ${HOME}/.config/ZeGrapher Project
+blacklist ${HOME}/.config/ZeGrapher Project
-deny  ${HOME}/.config/Zeal
+blacklist ${HOME}/.config/Zeal
-deny  ${HOME}/.config/Zulip
+blacklist ${HOME}/.config/Zulip
-deny  ${HOME}/.config/aacs
+blacklist ${HOME}/.config/aacs
-deny  ${HOME}/.config/abiword
+blacklist ${HOME}/.config/abiword
-deny  ${HOME}/.config/agenda
+blacklist ${HOME}/.config/agenda
-deny  ${HOME}/.config/akonadi*
+blacklist ${HOME}/.config/akonadi*
-deny  ${HOME}/.config/akregatorrc
+blacklist ${HOME}/.config/akregatorrc
-deny  ${HOME}/.config/alacritty
+blacklist ${HOME}/.config/alacritty
-deny  ${HOME}/.config/ardour4
+blacklist ${HOME}/.config/ardour4
-deny  ${HOME}/.config/ardour5
+blacklist ${HOME}/.config/ardour5
-deny  ${HOME}/.config/aria2
+blacklist ${HOME}/.config/aria2
-deny  ${HOME}/.config/arkrc
+blacklist ${HOME}/.config/arkrc
-deny  ${HOME}/.config/artha.conf
+blacklist ${HOME}/.config/artha.conf
-deny  ${HOME}/.config/artha.log
+blacklist ${HOME}/.config/artha.log
-deny  ${HOME}/.config/asunder
+blacklist ${HOME}/.config/asunder
-deny  ${HOME}/.config/atril
+blacklist ${HOME}/.config/atril
-deny  ${HOME}/.config/audacious
+blacklist ${HOME}/.config/audacious
-deny  ${HOME}/.config/autokey
+blacklist ${HOME}/.config/autokey
-deny  ${HOME}/.config/avidemux3_qt5rc
+blacklist ${HOME}/.config/avidemux3_qt5rc
-deny  ${HOME}/.config/aweather
+blacklist ${HOME}/.config/aweather
-deny  ${HOME}/.config/backintime
+blacklist ${HOME}/.config/backintime
-deny  ${HOME}/.config/baloofilerc
+blacklist ${HOME}/.config/baloofilerc
-deny  ${HOME}/.config/baloorc
+blacklist ${HOME}/.config/baloorc
-deny  ${HOME}/.config/bcompare
+blacklist ${HOME}/.config/bcompare
-deny  ${HOME}/.config/blender
+blacklist ${HOME}/.config/blender
-deny  ${HOME}/.config/bless
+blacklist ${HOME}/.config/bless
-deny  ${HOME}/.config/bnox
+blacklist ${HOME}/.config/bnox
-deny  ${HOME}/.config/borg
+blacklist ${HOME}/.config/borg
-deny  ${HOME}/.config/brasero
+blacklist ${HOME}/.config/brasero
-deny  ${HOME}/.config/brave
+blacklist ${HOME}/.config/brave
-deny  ${HOME}/.config/brave-flags.conf
+blacklist ${HOME}/.config/brave-flags.conf
-deny  ${HOME}/.config/caja
+blacklist ${HOME}/.config/caja
-deny  ${HOME}/.config/calibre
+blacklist ${HOME}/.config/calibre
-deny  ${HOME}/.config/cantata
+blacklist ${HOME}/.config/cantata
-deny  ${HOME}/.config/catfish
+blacklist ${HOME}/.config/catfish
-deny  ${HOME}/.config/cawbird
+blacklist ${HOME}/.config/cawbird
-deny  ${HOME}/.config/celluloid
+blacklist ${HOME}/.config/celluloid
-deny  ${HOME}/.config/cherrytree
+blacklist ${HOME}/.config/cherrytree
-deny  ${HOME}/.config/chrome-beta-flags.conf
+blacklist ${HOME}/.config/chrome-beta-flags.conf
-deny  ${HOME}/.config/chrome-beta-flags.config
+blacklist ${HOME}/.config/chrome-beta-flags.config
-deny  ${HOME}/.config/chrome-flags.conf
+blacklist ${HOME}/.config/chrome-flags.conf
-deny  ${HOME}/.config/chrome-flags.config
+blacklist ${HOME}/.config/chrome-flags.config
-deny  ${HOME}/.config/chrome-unstable-flags.conf
+blacklist ${HOME}/.config/chrome-unstable-flags.conf
-deny  ${HOME}/.config/chrome-unstable-flags.config
+blacklist ${HOME}/.config/chrome-unstable-flags.config
-deny  ${HOME}/.config/chromium
+blacklist ${HOME}/.config/chromium
-deny  ${HOME}/.config/chromium-dev
+blacklist ${HOME}/.config/chromium-dev
-deny  ${HOME}/.config/chromium-flags.conf
+blacklist ${HOME}/.config/chromium-flags.conf
-deny  ${HOME}/.config/clipit
+blacklist ${HOME}/.config/clipit
-deny  ${HOME}/.config/cliqz
+blacklist ${HOME}/.config/cliqz
-deny  ${HOME}/.config/cmus
+blacklist ${HOME}/.config/cmus
-deny  ${HOME}/.config/com.github.bleakgrey.tootle
+blacklist ${HOME}/.config/com.github.bleakgrey.tootle
-deny  ${HOME}/.config/corebird
+blacklist ${HOME}/.config/corebird
-deny  ${HOME}/.config/cower
+blacklist ${HOME}/.config/cower
-deny  ${HOME}/.config/coyim
+blacklist ${HOME}/.config/coyim
-deny  ${HOME}/.config/d-feet
+blacklist ${HOME}/.config/d-feet
-deny  ${HOME}/.config/darktable
+blacklist ${HOME}/.config/darktable
-deny  ${HOME}/.config/deadbeef
+blacklist ${HOME}/.config/deadbeef
-deny  ${HOME}/.config/deluge
+blacklist ${HOME}/.config/deluge
-deny  ${HOME}/.config/devilspie2
+blacklist ${HOME}/.config/devilspie2
-deny  ${HOME}/.config/digikam
+blacklist ${HOME}/.config/digikam
-deny  ${HOME}/.config/digikamrc
+blacklist ${HOME}/.config/digikamrc
-deny  ${HOME}/.config/discord
+blacklist ${HOME}/.config/discord
-deny  ${HOME}/.config/discordcanary
+blacklist ${HOME}/.config/discordcanary
-deny  ${HOME}/.config/dkl
+blacklist ${HOME}/.config/dkl
-deny  ${HOME}/.config/dnox
+blacklist ${HOME}/.config/dnox
-deny  ${HOME}/.config/dolphin-emu
+blacklist ${HOME}/.config/dolphin-emu
-deny  ${HOME}/.config/dolphinrc
+blacklist ${HOME}/.config/dolphinrc
-deny  ${HOME}/.config/dragonplayerrc
+blacklist ${HOME}/.config/dragonplayerrc
-deny  ${HOME}/.config/draw.io
+blacklist ${HOME}/.config/draw.io
-deny  ${HOME}/.config/electron-mail
+blacklist ${HOME}/.config/electron-mail
-deny  ${HOME}/.config/emaildefaults
+blacklist ${HOME}/.config/emaildefaults
-deny  ${HOME}/.config/emailidentities
+blacklist ${HOME}/.config/emailidentities
-deny  ${HOME}/.config/emilia
+blacklist ${HOME}/.config/emilia
-deny  ${HOME}/.config/enchant
+blacklist ${HOME}/.config/enchant
-deny  ${HOME}/.config/eog
+blacklist ${HOME}/.config/eog
-deny  ${HOME}/.config/epiphany
+blacklist ${HOME}/.config/epiphany
-deny  ${HOME}/.config/equalx
+blacklist ${HOME}/.config/equalx
-deny  ${HOME}/.config/evince
+blacklist ${HOME}/.config/evince
-deny  ${HOME}/.config/evolution
+blacklist ${HOME}/.config/evolution
-deny  ${HOME}/.config/falkon
+blacklist ${HOME}/.config/falkon
-deny  ${HOME}/.config/filezilla
+blacklist ${HOME}/.config/filezilla
-deny  ${HOME}/.config/flameshot
+blacklist ${HOME}/.config/flameshot
-deny  ${HOME}/.config/flaska.net
+blacklist ${HOME}/.config/flaska.net
-deny  ${HOME}/.config/flowblade
+blacklist ${HOME}/.config/flowblade
-deny  ${HOME}/.config/font-manager
+blacklist ${HOME}/.config/font-manager
-deny  ${HOME}/.config/freecol
+blacklist ${HOME}/.config/freecol
-deny  ${HOME}/.config/gajim
+blacklist ${HOME}/.config/gajim
-deny  ${HOME}/.config/galculator
+blacklist ${HOME}/.config/galculator
-deny  ${HOME}/.config/gconf
+blacklist ${HOME}/.config/gconf
-deny  ${HOME}/.config/geany
+blacklist ${HOME}/.config/geany
-deny  ${HOME}/.config/geary
+blacklist ${HOME}/.config/geary
-deny  ${HOME}/.config/gedit
+blacklist ${HOME}/.config/gedit
-deny  ${HOME}/.config/geeqie
+blacklist ${HOME}/.config/geeqie
-deny  ${HOME}/.config/ghb
+blacklist ${HOME}/.config/ghb
-deny  ${HOME}/.config/ghostwriter
+blacklist ${HOME}/.config/ghostwriter
-deny  ${HOME}/.config/git
+blacklist ${HOME}/.config/git
-deny  ${HOME}/.config/git-cola
+blacklist ${HOME}/.config/git-cola
-deny  ${HOME}/.config/glade.conf
+blacklist ${HOME}/.config/glade.conf
-deny  ${HOME}/.config/globaltime
+blacklist ${HOME}/.config/globaltime
-deny  ${HOME}/.config/gmpc
+blacklist ${HOME}/.config/gmpc
-deny  ${HOME}/.config/gnome-builder
+blacklist ${HOME}/.config/gnome-builder
-deny  ${HOME}/.config/gnome-chess
+blacklist ${HOME}/.config/gnome-chess
-deny  ${HOME}/.config/gnome-control-center
+blacklist ${HOME}/.config/gnome-control-center
-deny  ${HOME}/.config/gnome-initial-setup-done
+blacklist ${HOME}/.config/gnome-initial-setup-done
-deny  ${HOME}/.config/gnome-latex
+blacklist ${HOME}/.config/gnome-latex
-deny  ${HOME}/.config/gnome-mplayer
+blacklist ${HOME}/.config/gnome-mplayer
-deny  ${HOME}/.config/gnome-mpv
+blacklist ${HOME}/.config/gnome-mpv
-deny  ${HOME}/.config/gnome-pie
+blacklist ${HOME}/.config/gnome-pie
-deny  ${HOME}/.config/gnome-session
+blacklist ${HOME}/.config/gnome-session
-deny  ${HOME}/.config/gnote
+blacklist ${HOME}/.config/gnote
-deny  ${HOME}/.config/godot
+blacklist ${HOME}/.config/godot
-deny  ${HOME}/.config/google-chrome
+blacklist ${HOME}/.config/google-chrome
-deny  ${HOME}/.config/google-chrome-beta
+blacklist ${HOME}/.config/google-chrome-beta
-deny  ${HOME}/.config/google-chrome-unstable
+blacklist ${HOME}/.config/google-chrome-unstable
-deny  ${HOME}/.config/gpicview
+blacklist ${HOME}/.config/gpicview
-deny  ${HOME}/.config/gthumb
+blacklist ${HOME}/.config/gthumb
-deny  ${HOME}/.config/gummi
+blacklist ${HOME}/.config/gummi
-deny  ${HOME}/.config/guvcview2
+blacklist ${HOME}/.config/guvcview2
-deny  ${HOME}/.config/gwenviewrc
+blacklist ${HOME}/.config/gwenviewrc
-deny  ${HOME}/.config/hexchat
+blacklist ${HOME}/.config/hexchat
-deny  ${HOME}/.config/homebank
+blacklist ${HOME}/.config/homebank
-deny  ${HOME}/.config/i2p
+blacklist ${HOME}/.config/i2p
-deny  ${HOME}/.config/inkscape
+blacklist ${HOME}/.config/inkscape
-deny  ${HOME}/.config/inox
+blacklist ${HOME}/.config/inox
-deny  ${HOME}/.config/iridium
+blacklist ${HOME}/.config/iridium
-deny  ${HOME}/.config/itch
+blacklist ${HOME}/.config/itch
-deny  ${HOME}/.config/jami
+blacklist ${HOME}/.config/jami
-deny  ${HOME}/.config/jd-gui.cfg
+blacklist ${HOME}/.config/jd-gui.cfg
-deny  ${HOME}/.config/k3brc
+blacklist ${HOME}/.config/k3brc
-deny  ${HOME}/.config/kaffeinerc
+blacklist ${HOME}/.config/kaffeinerc
-deny  ${HOME}/.config/kalgebrarc
+blacklist ${HOME}/.config/kalgebrarc
-deny  ${HOME}/.config/katemetainfos
+blacklist ${HOME}/.config/katemetainfos
-deny  ${HOME}/.config/katepartrc
+blacklist ${HOME}/.config/katepartrc
-deny  ${HOME}/.config/katerc
+blacklist ${HOME}/.config/katerc
-deny  ${HOME}/.config/kateschemarc
+blacklist ${HOME}/.config/kateschemarc
-deny  ${HOME}/.config/katesyntaxhighlightingrc
+blacklist ${HOME}/.config/katesyntaxhighlightingrc
-deny  ${HOME}/.config/katevirc
+blacklist ${HOME}/.config/katevirc
-deny  ${HOME}/.config/kazam
+blacklist ${HOME}/.config/kazam
-deny  ${HOME}/.config/kdeconnect
+blacklist ${HOME}/.config/kdeconnect
-deny  ${HOME}/.config/kdenliverc
+blacklist ${HOME}/.config/kdenliverc
-deny  ${HOME}/.config/kdiff3fileitemactionrc
+blacklist ${HOME}/.config/kdiff3fileitemactionrc
-deny  ${HOME}/.config/kdiff3rc
+blacklist ${HOME}/.config/kdiff3rc
-deny  ${HOME}/.config/kfindrc
+blacklist ${HOME}/.config/kfindrc
-deny  ${HOME}/.config/kgetrc
+blacklist ${HOME}/.config/kgetrc
-deny  ${HOME}/.config/kid3rc
+blacklist ${HOME}/.config/kid3rc
-deny  ${HOME}/.config/klavaro
+blacklist ${HOME}/.config/klavaro
-deny  ${HOME}/.config/klipperrc
+blacklist ${HOME}/.config/klipperrc
-deny  ${HOME}/.config/kmail2rc
+blacklist ${HOME}/.config/kmail2rc
-deny  ${HOME}/.config/kmailsearchindexingrc
+blacklist ${HOME}/.config/kmailsearchindexingrc
-deny  ${HOME}/.config/kmplayerrc
+blacklist ${HOME}/.config/kmplayerrc
-deny  ${HOME}/.config/knotesrc
+blacklist ${HOME}/.config/knotesrc
-deny  ${HOME}/.config/konversation.notifyrc
+blacklist ${HOME}/.config/konversation.notifyrc
-deny  ${HOME}/.config/konversationrc
+blacklist ${HOME}/.config/konversationrc
-deny  ${HOME}/.config/kritarc
+blacklist ${HOME}/.config/kritarc
-deny  ${HOME}/.config/ktorrentrc
+blacklist ${HOME}/.config/ktorrentrc
-deny  ${HOME}/.config/ktouch2rc
+blacklist ${HOME}/.config/ktouch2rc
-deny  ${HOME}/.config/kube
+blacklist ${HOME}/.config/kube
-deny  ${HOME}/.config/kwriterc
+blacklist ${HOME}/.config/kwriterc
-deny  ${HOME}/.config/leafpad
+blacklist ${HOME}/.config/leafpad
-deny  ${HOME}/.config/libreoffice
+blacklist ${HOME}/.config/libreoffice
-deny  ${HOME}/.config/liferea
+blacklist ${HOME}/.config/liferea
-deny  ${HOME}/.config/linphone
+blacklist ${HOME}/.config/linphone
-deny  ${HOME}/.config/lugaru
+blacklist ${HOME}/.config/lugaru
-deny  ${HOME}/.config/lutris
+blacklist ${HOME}/.config/lutris
-deny  ${HOME}/.config/lximage-qt
+blacklist ${HOME}/.config/lximage-qt
-deny  ${HOME}/.config/mailtransports
+blacklist ${HOME}/.config/mailtransports
-deny  ${HOME}/.config/mana
+blacklist ${HOME}/.config/mana
-deny  ${HOME}/.config/mate-calc
+blacklist ${HOME}/.config/mate-calc
-deny  ${HOME}/.config/mate/eom
+blacklist ${HOME}/.config/mate/eom
-deny  ${HOME}/.config/mate/mate-dictionary
+blacklist ${HOME}/.config/mate/mate-dictionary
-deny  ${HOME}/.config/matrix-mirage
+blacklist ${HOME}/.config/matrix-mirage
-deny  ${HOME}/.config/mcomix
+blacklist ${HOME}/.config/mcomix
-deny  ${HOME}/.config/meld
+blacklist ${HOME}/.config/meld
-deny  ${HOME}/.config/menulibre.cfg
+blacklist ${HOME}/.config/menulibre.cfg
-deny  ${HOME}/.config/meteo-qt
+blacklist ${HOME}/.config/meteo-qt
-deny  ${HOME}/.config/mfusion
+blacklist ${HOME}/.config/mfusion
-deny  ${HOME}/.config/microsoft-edge-dev
+blacklist ${HOME}/.config/microsoft-edge-beta
-deny  ${HOME}/.config/midori
+blacklist ${HOME}/.config/microsoft-edge-dev
-deny  ${HOME}/.config/mirage
+blacklist ${HOME}/.config/midori
-deny  ${HOME}/.config/mono
+blacklist ${HOME}/.config/mirage
-deny  ${HOME}/.config/mpDris2
+blacklist ${HOME}/.config/mono
-deny  ${HOME}/.config/mpd
+blacklist ${HOME}/.config/mpDris2
-deny  ${HOME}/.config/mps-youtube
+blacklist ${HOME}/.config/mpd
-deny  ${HOME}/.config/mpv
+blacklist ${HOME}/.config/mps-youtube
-deny  ${HOME}/.config/mupen64plus
+blacklist ${HOME}/.config/mpv
-deny  ${HOME}/.config/mutt
+blacklist ${HOME}/.config/mupen64plus
-deny  ${HOME}/.config/mutter
+blacklist ${HOME}/.config/mutt
-deny  ${HOME}/.config/mypaint
+blacklist ${HOME}/.config/mutter
-deny  ${HOME}/.config/nano
+blacklist ${HOME}/.config/mypaint
-deny  ${HOME}/.config/nautilus
+blacklist ${HOME}/.config/nano
-deny  ${HOME}/.config/nemo
+blacklist ${HOME}/.config/nautilus
-deny  ${HOME}/.config/neochat.notifyrc
+blacklist ${HOME}/.config/nemo
-deny  ${HOME}/.config/neochatrc
+blacklist ${HOME}/.config/neochat.notifyrc
-deny  ${HOME}/.config/neomutt
+blacklist ${HOME}/.config/neochatrc
-deny  ${HOME}/.config/netsurf
+blacklist ${HOME}/.config/neomutt
-deny  ${HOME}/.config/newsbeuter
+blacklist ${HOME}/.config/netsurf
-deny  ${HOME}/.config/newsboat
+blacklist ${HOME}/.config/newsbeuter
-deny  ${HOME}/.config/newsflash
+blacklist ${HOME}/.config/newsboat
-deny  ${HOME}/.config/nheko
+blacklist ${HOME}/.config/newsflash
-deny  ${HOME}/.config/nomacs
+blacklist ${HOME}/.config/nheko
-deny  ${HOME}/.config/nuclear
+blacklist ${HOME}/.config/nomacs
-deny  ${HOME}/.config/obs-studio
+blacklist ${HOME}/.config/nuclear
-deny  ${HOME}/.config/okularpartrc
+blacklist ${HOME}/.config/obs-studio
-deny  ${HOME}/.config/okularrc
+blacklist ${HOME}/.config/okularpartrc
-deny  ${HOME}/.config/onboard
+blacklist ${HOME}/.config/okularrc
-deny  ${HOME}/.config/onionshare
+blacklist ${HOME}/.config/onboard
-deny  ${HOME}/.config/onlyoffice
+blacklist ${HOME}/.config/onionshare
-deny  ${HOME}/.config/openmw
+blacklist ${HOME}/.config/onlyoffice
-deny  ${HOME}/.config/opera
+blacklist ${HOME}/.config/openmw
-deny  ${HOME}/.config/opera-beta
+blacklist ${HOME}/.config/opera
-deny  ${HOME}/.config/orage
+blacklist ${HOME}/.config/opera-beta
-deny  ${HOME}/.config/org.gabmus.gfeeds.json
+blacklist ${HOME}/.config/orage
-deny  ${HOME}/.config/org.gabmus.gfeeds.saved_articles
+blacklist ${HOME}/.config/org.gabmus.gfeeds.json
-deny  ${HOME}/.config/org.kde.gwenviewrc
+blacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
-deny  ${HOME}/.config/otter
+blacklist ${HOME}/.config/org.kde.gwenviewrc
-deny  ${HOME}/.config/pavucontrol-qt
+blacklist ${HOME}/.config/otter
-deny  ${HOME}/.config/pavucontrol.ini
+blacklist ${HOME}/.config/pavucontrol-qt
-deny  ${HOME}/.config/pcmanfm
+blacklist ${HOME}/.config/pavucontrol.ini
-deny  ${HOME}/.config/pdfmod
+blacklist ${HOME}/.config/pcmanfm
-deny  ${HOME}/.config/pipe-viewer
+blacklist ${HOME}/.config/pdfmod
-deny  ${HOME}/.config/pitivi
+blacklist ${HOME}/.config/pipe-viewer
-deny  ${HOME}/.config/pix
+blacklist ${HOME}/.config/pitivi
-deny  ${HOME}/.config/pluma
+blacklist ${HOME}/.config/pix
-deny  ${HOME}/.config/ppsspp
+blacklist ${HOME}/.config/pluma
-deny  ${HOME}/.config/pragha
+blacklist ${HOME}/.config/ppsspp
-deny  ${HOME}/.config/profanity
+blacklist ${HOME}/.config/pragha
-deny  ${HOME}/.config/psi
+blacklist ${HOME}/.config/profanity
-deny  ${HOME}/.config/psi+
+blacklist ${HOME}/.config/psi
-deny  ${HOME}/.config/qBittorrent
+blacklist ${HOME}/.config/psi+
-deny  ${HOME}/.config/qBittorrentrc
+blacklist ${HOME}/.config/qBittorrent
-deny  ${HOME}/.config/qnapi.ini
+blacklist ${HOME}/.config/qBittorrentrc
-deny  ${HOME}/.config/qpdfview
+blacklist ${HOME}/.config/qnapi.ini
-deny  ${HOME}/.config/quodlibet
+blacklist ${HOME}/.config/qpdfview
-deny  ${HOME}/.config/qupzilla
+blacklist ${HOME}/.config/quodlibet
-deny  ${HOME}/.config/qutebrowser
+blacklist ${HOME}/.config/qupzilla
-deny  ${HOME}/.config/ranger
+blacklist ${HOME}/.config/qutebrowser
-deny  ${HOME}/.config/redshift
+blacklist ${HOME}/.config/ranger
-deny  ${HOME}/.config/redshift.conf
+blacklist ${HOME}/.config/redshift
-deny  ${HOME}/.config/remmina
+blacklist ${HOME}/.config/redshift.conf
-deny  ${HOME}/.config/ristretto
+blacklist ${HOME}/.config/remmina
-deny  ${HOME}/.config/rtv
+blacklist ${HOME}/.config/ristretto
-deny  ${HOME}/.config/scribus
+blacklist ${HOME}/.config/rtv
-deny  ${HOME}/.config/scribusrc
+blacklist ${HOME}/.config/scribus
-deny  ${HOME}/.config/sinew.in
+blacklist ${HOME}/.config/scribusrc
-deny  ${HOME}/.config/sink
+blacklist ${HOME}/.config/sinew.in
-deny  ${HOME}/.config/skypeforlinux
+blacklist ${HOME}/.config/sink
-deny  ${HOME}/.config/slimjet
+blacklist ${HOME}/.config/skypeforlinux
-deny  ${HOME}/.config/smplayer
+blacklist ${HOME}/.config/slimjet
-deny  ${HOME}/.config/smtube
+blacklist ${HOME}/.config/smplayer
-deny  ${HOME}/.config/smuxi
+blacklist ${HOME}/.config/smtube
-deny  ${HOME}/.config/snox
+blacklist ${HOME}/.config/smuxi
-deny  ${HOME}/.config/sound-juicer
+blacklist ${HOME}/.config/snox
-deny  ${HOME}/.config/specialmailcollectionsrc
+blacklist ${HOME}/.config/sound-juicer
-deny  ${HOME}/.config/spectaclerc
+blacklist ${HOME}/.config/specialmailcollectionsrc
-deny  ${HOME}/.config/spotify
+blacklist ${HOME}/.config/spectaclerc
-deny  ${HOME}/.config/sqlitebrowser
+blacklist ${HOME}/.config/spotify
-deny  ${HOME}/.config/stellarium
+blacklist ${HOME}/.config/sqlitebrowser
-deny  ${HOME}/.config/straw-viewer
+blacklist ${HOME}/.config/stellarium
-deny  ${HOME}/.config/strawberry
+blacklist ${HOME}/.config/straw-viewer
-deny  ${HOME}/.config/supertuxkart
+blacklist ${HOME}/.config/strawberry
-deny  ${HOME}/.config/synfig
+blacklist ${HOME}/.config/supertuxkart
-deny  ${HOME}/.config/teams
+blacklist ${HOME}/.config/synfig
-deny  ${HOME}/.config/teams-for-linux
+blacklist ${HOME}/.config/teams
-deny  ${HOME}/.config/telepathy-account-widgets
+blacklist ${HOME}/.config/teams-for-linux
-deny  ${HOME}/.config/torbrowser
+blacklist ${HOME}/.config/telepathy-account-widgets
-deny  ${HOME}/.config/totem
+blacklist ${HOME}/.config/torbrowser
-deny  ${HOME}/.config/tox
+blacklist ${HOME}/.config/totem
-deny  ${HOME}/.config/transgui
+blacklist ${HOME}/.config/tox
-deny  ${HOME}/.config/transmission
+blacklist ${HOME}/.config/transgui
-deny  ${HOME}/.config/truecraft
+blacklist ${HOME}/.config/transmission
-deny  ${HOME}/.config/tuta_integration
+blacklist ${HOME}/.config/truecraft
-deny  ${HOME}/.config/tutanota-desktop
+blacklist ${HOME}/.config/tuta_integration
-deny  ${HOME}/.config/tvbrowser
+blacklist ${HOME}/.config/tutanota-desktop
-deny  ${HOME}/.config/uGet
+blacklist ${HOME}/.config/tvbrowser
-deny  ${HOME}/.config/ungoogled-chromium
+blacklist ${HOME}/.config/uGet
-deny  ${HOME}/.config/uzbl
+blacklist ${HOME}/.config/ungoogled-chromium
-deny  ${HOME}/.config/viewnior
+blacklist ${HOME}/.config/uzbl
-deny  ${HOME}/.config/vivaldi
+blacklist ${HOME}/.config/viewnior
-deny  ${HOME}/.config/vivaldi-snapshot
+blacklist ${HOME}/.config/vivaldi
-deny  ${HOME}/.config/vlc
+blacklist ${HOME}/.config/vivaldi-snapshot
-deny  ${HOME}/.config/wesnoth
+blacklist ${HOME}/.config/vlc
-deny  ${HOME}/.config/wireshark
+blacklist ${HOME}/.config/wesnoth
-deny  ${HOME}/.config/wormux
+blacklist ${HOME}/.config/wireshark
-deny  ${HOME}/.config/xchat
+blacklist ${HOME}/.config/wormux
-deny  ${HOME}/.config/xed
+blacklist ${HOME}/.config/xchat
-deny  ${HOME}/.config/xfburn
+blacklist ${HOME}/.config/xed
-deny  ${HOME}/.config/xfce4-dict
+blacklist ${HOME}/.config/xfburn
-deny  ${HOME}/.config/xfce4/xfce4-notes.gtkrc
+blacklist ${HOME}/.config/xfce4-dict
-deny  ${HOME}/.config/xfce4/xfce4-notes.rc
+blacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc
-deny  ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
+blacklist ${HOME}/.config/xfce4/xfce4-notes.rc
-deny  ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
+blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
-deny  ${HOME}/.config/xiaoyong
+blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
-deny  ${HOME}/.config/xmms2
+blacklist ${HOME}/.config/xiaoyong
-deny  ${HOME}/.config/xplayer
+blacklist ${HOME}/.config/xmms2
-deny  ${HOME}/.config/xreader
+blacklist ${HOME}/.config/xplayer
-deny  ${HOME}/.config/xviewer
+blacklist ${HOME}/.config/xreader
-deny  ${HOME}/.config/yandex-browser
+blacklist ${HOME}/.config/xviewer
-deny  ${HOME}/.config/yandex-browser-beta
+blacklist ${HOME}/.config/yandex-browser
-deny  ${HOME}/.config/yelp
+blacklist ${HOME}/.config/yandex-browser-beta
-deny  ${HOME}/.config/youtube-dl
+blacklist ${HOME}/.config/yelp
-deny  ${HOME}/.config/youtube-dlg
+blacklist ${HOME}/.config/youtube-dl
-deny  ${HOME}/.config/youtube-music-desktop-app
+blacklist ${HOME}/.config/youtube-dlg
-deny  ${HOME}/.config/youtube-viewer
+blacklist ${HOME}/.config/youtube-music-desktop-app
-deny  ${HOME}/.config/youtubemusic-nativefier-040164
+blacklist ${HOME}/.config/youtube-viewer
-deny  ${HOME}/.config/zathura
+blacklist ${HOME}/.config/youtubemusic-nativefier-040164
-deny  ${HOME}/.config/zoomus.conf
+blacklist ${HOME}/.config/zathura
-deny  ${HOME}/.conkeror.mozdev.org
+blacklist ${HOME}/.config/zim
-deny  ${HOME}/.crawl
+blacklist ${HOME}/.config/zoomus.conf
-deny  ${HOME}/.cups
+blacklist ${HOME}/.conkeror.mozdev.org
-deny  ${HOME}/.curl-hsts
+blacklist ${HOME}/.crawl
-deny  ${HOME}/.curlrc
+blacklist ${HOME}/.cups
-deny  ${HOME}/.dashcore
+blacklist ${HOME}/.curl-hsts
-deny  ${HOME}/.devilspie
+blacklist ${HOME}/.curlrc
-deny  ${HOME}/.dia
+blacklist ${HOME}/.dashcore
-deny  ${HOME}/.digrc
+blacklist ${HOME}/.devilspie
-deny  ${HOME}/.dillo
+blacklist ${HOME}/.dia
-deny  ${HOME}/.dooble
+blacklist ${HOME}/.digrc
-deny  ${HOME}/.dosbox
+blacklist ${HOME}/.dillo
-deny  ${HOME}/.dropbox*
+blacklist ${HOME}/.dooble
-deny  ${HOME}/.easystroke
+blacklist ${HOME}/.dosbox
-deny  ${HOME}/.electron-cache
+blacklist ${HOME}/.dropbox*
-deny  ${HOME}/.electrum*
+blacklist ${HOME}/.easystroke
-deny  ${HOME}/.elinks
+blacklist ${HOME}/.electron-cache
-deny  ${HOME}/.emacs
+blacklist ${HOME}/.electrum*
-deny  ${HOME}/.emacs.d
+blacklist ${HOME}/.elinks
-deny  ${HOME}/.equalx
+blacklist ${HOME}/.emacs
-deny  ${HOME}/.ethereum
+blacklist ${HOME}/.emacs.d
-deny  ${HOME}/.etr
+blacklist ${HOME}/.equalx
-deny  ${HOME}/.filezilla
+blacklist ${HOME}/.ethereum
-deny  ${HOME}/.firedragon
+blacklist ${HOME}/.etr
-deny  ${HOME}/.flowblade
+blacklist ${HOME}/.filezilla
-deny  ${HOME}/.fltk
+blacklist ${HOME}/.firedragon
-deny  ${HOME}/.fossamail
+blacklist ${HOME}/.flowblade
-deny  ${HOME}/.freeciv
+blacklist ${HOME}/.fltk
-deny  ${HOME}/.freecol
+blacklist ${HOME}/.fossamail
-deny  ${HOME}/.freemind
+blacklist ${HOME}/.freeciv
-deny  ${HOME}/.frogatto
+blacklist ${HOME}/.freecol
-deny  ${HOME}/.frozen-bubble
+blacklist ${HOME}/.freemind
-deny  ${HOME}/.funnyboat
+blacklist ${HOME}/.frogatto
-deny  ${HOME}/.gimp*
+blacklist ${HOME}/.frozen-bubble
-deny  ${HOME}/.gist
+blacklist ${HOME}/.funnyboat
-deny  ${HOME}/.gitconfig
+blacklist ${HOME}/.gimp*
-deny  ${HOME}/.gl-117
+blacklist ${HOME}/.gist
-deny  ${HOME}/.glaxiumrc
+blacklist ${HOME}/.gitconfig
-deny  ${HOME}/.gnome/gnome-schedule
+blacklist ${HOME}/.gl-117
-deny  ${HOME}/.googleearth
+blacklist ${HOME}/.glaxiumrc
-deny  ${HOME}/.gradle
+blacklist ${HOME}/.gnome/gnome-schedule
-deny  ${HOME}/.gramps
+blacklist ${HOME}/.googleearth
-deny  ${HOME}/.guayadeque
+blacklist ${HOME}/.gradle
-deny  ${HOME}/.hashcat
+blacklist ${HOME}/.gramps
-deny  ${HOME}/.hedgewars
+blacklist ${HOME}/.guayadeque
-deny  ${HOME}/.hex-a-hop
+blacklist ${HOME}/.hashcat
-deny  ${HOME}/.hugin
+blacklist ${HOME}/.hedgewars
-deny  ${HOME}/.i2p
+blacklist ${HOME}/.hex-a-hop
-deny  ${HOME}/.icedove
+blacklist ${HOME}/.hugin
-deny  ${HOME}/.imagej
+blacklist ${HOME}/.i2p
-deny  ${HOME}/.inkscape
+blacklist ${HOME}/.icedove
-deny  ${HOME}/.itch
+blacklist ${HOME}/.imagej
-deny  ${HOME}/.jack-server
+blacklist ${HOME}/.inkscape
-deny  ${HOME}/.jack-settings
+blacklist ${HOME}/.itch
-deny  ${HOME}/.jak
+blacklist ${HOME}/.jack-server
-deny  ${HOME}/.java
+blacklist ${HOME}/.jack-settings
-deny  ${HOME}/.jd
+blacklist ${HOME}/.jak
-deny  ${HOME}/.jitsi
+blacklist ${HOME}/.java
-deny  ${HOME}/.jumpnbump
+blacklist ${HOME}/.jd
-deny  ${HOME}/.kde/share/apps/digikam
+blacklist ${HOME}/.jitsi
-deny  ${HOME}/.kde/share/apps/gwenview
+blacklist ${HOME}/.jumpnbump
-deny  ${HOME}/.kde/share/apps/kaffeine
+blacklist ${HOME}/.kde/share/apps/digikam
-deny  ${HOME}/.kde/share/apps/kcookiejar
+blacklist ${HOME}/.kde/share/apps/gwenview
-deny  ${HOME}/.kde/share/apps/kget
+blacklist ${HOME}/.kde/share/apps/kaffeine
-deny  ${HOME}/.kde/share/apps/khtml
+blacklist ${HOME}/.kde/share/apps/kcookiejar
-deny  ${HOME}/.kde/share/apps/klatexformula
+blacklist ${HOME}/.kde/share/apps/kget
-deny  ${HOME}/.kde/share/apps/konqsidebartng
+blacklist ${HOME}/.kde/share/apps/khtml
-deny  ${HOME}/.kde/share/apps/konqueror
+blacklist ${HOME}/.kde/share/apps/klatexformula
-deny  ${HOME}/.kde/share/apps/kopete
+blacklist ${HOME}/.kde/share/apps/konqsidebartng
-deny  ${HOME}/.kde/share/apps/ktorrent
+blacklist ${HOME}/.kde/share/apps/konqueror
-deny  ${HOME}/.kde/share/apps/okular
+blacklist ${HOME}/.kde/share/apps/kopete
-deny  ${HOME}/.kde/share/config/baloofilerc
+blacklist ${HOME}/.kde/share/apps/ktorrent
-deny  ${HOME}/.kde/share/config/baloorc
+blacklist ${HOME}/.kde/share/apps/okular
-deny  ${HOME}/.kde/share/config/digikam
+blacklist ${HOME}/.kde/share/config/baloofilerc
-deny  ${HOME}/.kde/share/config/gwenviewrc
+blacklist ${HOME}/.kde/share/config/baloorc
-deny  ${HOME}/.kde/share/config/k3brc
+blacklist ${HOME}/.kde/share/config/digikam
-deny  ${HOME}/.kde/share/config/kaffeinerc
+blacklist ${HOME}/.kde/share/config/gwenviewrc
-deny  ${HOME}/.kde/share/config/kcookiejarrc
+blacklist ${HOME}/.kde/share/config/k3brc
-deny  ${HOME}/.kde/share/config/kfindrc
+blacklist ${HOME}/.kde/share/config/kaffeinerc
-deny  ${HOME}/.kde/share/config/kgetrc
+blacklist ${HOME}/.kde/share/config/kcookiejarrc
-deny  ${HOME}/.kde/share/config/khtmlrc
+blacklist ${HOME}/.kde/share/config/kfindrc
-deny  ${HOME}/.kde/share/config/klipperrc
+blacklist ${HOME}/.kde/share/config/kgetrc
-deny  ${HOME}/.kde/share/config/kmplayerrc
+blacklist ${HOME}/.kde/share/config/khtmlrc
-deny  ${HOME}/.kde/share/config/konq_history
+blacklist ${HOME}/.kde/share/config/klipperrc
-deny  ${HOME}/.kde/share/config/konqsidebartngrc
+blacklist ${HOME}/.kde/share/config/kmplayerrc
-deny  ${HOME}/.kde/share/config/konquerorrc
+blacklist ${HOME}/.kde/share/config/konq_history
-deny  ${HOME}/.kde/share/config/konversationrc
+blacklist ${HOME}/.kde/share/config/konqsidebartngrc
-deny  ${HOME}/.kde/share/config/kopeterc
+blacklist ${HOME}/.kde/share/config/konquerorrc
-deny  ${HOME}/.kde/share/config/ktorrentrc
+blacklist ${HOME}/.kde/share/config/konversationrc
-deny  ${HOME}/.kde/share/config/okularpartrc
+blacklist ${HOME}/.kde/share/config/kopeterc
-deny  ${HOME}/.kde/share/config/okularrc
+blacklist ${HOME}/.kde/share/config/ktorrentrc
-deny  ${HOME}/.kde4/share/apps/digikam
+blacklist ${HOME}/.kde/share/config/okularpartrc
-deny  ${HOME}/.kde4/share/apps/gwenview
+blacklist ${HOME}/.kde/share/config/okularrc
-deny  ${HOME}/.kde4/share/apps/kaffeine
+blacklist ${HOME}/.kde4/share/apps/digikam
-deny  ${HOME}/.kde4/share/apps/kcookiejar
+blacklist ${HOME}/.kde4/share/apps/gwenview
-deny  ${HOME}/.kde4/share/apps/kget
+blacklist ${HOME}/.kde4/share/apps/kaffeine
-deny  ${HOME}/.kde4/share/apps/khtml
+blacklist ${HOME}/.kde4/share/apps/kcookiejar
-deny  ${HOME}/.kde4/share/apps/konqsidebartng
+blacklist ${HOME}/.kde4/share/apps/kget
-deny  ${HOME}/.kde4/share/apps/konqueror
+blacklist ${HOME}/.kde4/share/apps/khtml
-deny  ${HOME}/.kde4/share/apps/kopete
+blacklist ${HOME}/.kde4/share/apps/konqsidebartng
-deny  ${HOME}/.kde4/share/apps/ktorrent
+blacklist ${HOME}/.kde4/share/apps/konqueror
-deny  ${HOME}/.kde4/share/apps/okular
+blacklist ${HOME}/.kde4/share/apps/kopete
-deny  ${HOME}/.kde4/share/config/baloofilerc
+blacklist ${HOME}/.kde4/share/apps/ktorrent
-deny  ${HOME}/.kde4/share/config/baloorc
+blacklist ${HOME}/.kde4/share/apps/okular
-deny  ${HOME}/.kde4/share/config/digikam
+blacklist ${HOME}/.kde4/share/config/baloofilerc
-deny  ${HOME}/.kde4/share/config/gwenviewrc
+blacklist ${HOME}/.kde4/share/config/baloorc
-deny  ${HOME}/.kde4/share/config/k3brc
+blacklist ${HOME}/.kde4/share/config/digikam
-deny  ${HOME}/.kde4/share/config/kaffeinerc
+blacklist ${HOME}/.kde4/share/config/gwenviewrc
-deny  ${HOME}/.kde4/share/config/kcookiejarrc
+blacklist ${HOME}/.kde4/share/config/k3brc
-deny  ${HOME}/.kde4/share/config/kfindrc
+blacklist ${HOME}/.kde4/share/config/kaffeinerc
-deny  ${HOME}/.kde4/share/config/kgetrc
+blacklist ${HOME}/.kde4/share/config/kcookiejarrc
-deny  ${HOME}/.kde4/share/config/khtmlrc
+blacklist ${HOME}/.kde4/share/config/kfindrc
-deny  ${HOME}/.kde4/share/config/klipperrc
+blacklist ${HOME}/.kde4/share/config/kgetrc
-deny  ${HOME}/.kde4/share/config/konq_history
+blacklist ${HOME}/.kde4/share/config/khtmlrc
-deny  ${HOME}/.kde4/share/config/konqsidebartngrc
+blacklist ${HOME}/.kde4/share/config/klipperrc
-deny  ${HOME}/.kde4/share/config/konquerorrc
+blacklist ${HOME}/.kde4/share/config/konq_history
-deny  ${HOME}/.kde4/share/config/konversationrc
+blacklist ${HOME}/.kde4/share/config/konqsidebartngrc
-deny  ${HOME}/.kde4/share/config/kopeterc
+blacklist ${HOME}/.kde4/share/config/konquerorrc
-deny  ${HOME}/.kde4/share/config/ktorrentrc
+blacklist ${HOME}/.kde4/share/config/konversationrc
-deny  ${HOME}/.kde4/share/config/okularpartrc
+blacklist ${HOME}/.kde4/share/config/kopeterc
-deny  ${HOME}/.kde4/share/config/okularrc
+blacklist ${HOME}/.kde4/share/config/ktorrentrc
-deny  ${HOME}/.killingfloor
+blacklist ${HOME}/.kde4/share/config/okularpartrc
-deny  ${HOME}/.kingsoft
+blacklist ${HOME}/.kde4/share/config/okularrc
-deny  ${HOME}/.kino-history
+blacklist ${HOME}/.killingfloor
-deny  ${HOME}/.kinorc
+blacklist ${HOME}/.kingsoft
-deny  ${HOME}/.klatexformula
+blacklist ${HOME}/.kino-history
-deny  ${HOME}/.klei
+blacklist ${HOME}/.kinorc
-deny  ${HOME}/.kodi
+blacklist ${HOME}/.klatexformula
-deny  ${HOME}/.librewolf
+blacklist ${HOME}/.klei
-deny  ${HOME}/.lincity-ng
+blacklist ${HOME}/.kodi
-deny  ${HOME}/.links
+blacklist ${HOME}/.librewolf
-deny  ${HOME}/.links2
+blacklist ${HOME}/.lincity-ng
-deny  ${HOME}/.linphone-history.db
+blacklist ${HOME}/.links
-deny  ${HOME}/.linphonerc
+blacklist ${HOME}/.links2
-deny  ${HOME}/.lmmsrc.xml
+blacklist ${HOME}/.linphone-history.db
-deny  ${HOME}/.local/lib/vivaldi
+blacklist ${HOME}/.linphonerc
-deny  ${HOME}/.local/share/0ad
+blacklist ${HOME}/.lmmsrc.xml
-deny  ${HOME}/.local/share/3909/PapersPlease
+blacklist ${HOME}/.local/lib/vivaldi
-deny  ${HOME}/.local/share/Anki2
+blacklist ${HOME}/.local/share/0ad
-deny  ${HOME}/.local/share/Dredmor
+blacklist ${HOME}/.local/share/3909/PapersPlease
-deny  ${HOME}/.local/share/Empathy
+blacklist ${HOME}/.local/share/Anki2
-deny  ${HOME}/.local/share/Enpass
+blacklist ${HOME}/.local/share/Dredmor
-deny  ${HOME}/.local/share/FasterThanLight
+blacklist ${HOME}/.local/share/Empathy
-deny  ${HOME}/.local/share/Flavio Tordini
+blacklist ${HOME}/.local/share/Enpass
-deny  ${HOME}/.local/share/IntoTheBreach
+blacklist ${HOME}/.local/share/FasterThanLight
-deny  ${HOME}/.local/share/JetBrains
+blacklist ${HOME}/.local/share/Flavio Tordini
-deny  ${HOME}/.local/share/KDE/neochat
+blacklist ${HOME}/.local/share/IntoTheBreach
-deny  ${HOME}/.local/share/Kingsoft
+blacklist ${HOME}/.local/share/JetBrains
-deny  ${HOME}/.local/share/LibreCAD
+blacklist ${HOME}/.local/share/KDE/neochat
-deny  ${HOME}/.local/share/Mendeley Ltd.
+blacklist ${HOME}/.local/share/Kingsoft
-deny  ${HOME}/.local/share/Mumble
+blacklist ${HOME}/.local/share/LibreCAD
-deny  ${HOME}/.local/share/Nextcloud
+blacklist ${HOME}/.local/share/Mendeley Ltd.
-deny  ${HOME}/.local/share/PBE
+blacklist ${HOME}/.local/share/Mumble
-deny  ${HOME}/.local/share/Paradox Interactive
+blacklist ${HOME}/.local/share/Nextcloud
-deny  ${HOME}/.local/share/PawelStolowski
+blacklist ${HOME}/.local/share/PBE
-deny  ${HOME}/.local/share/PillarsOfEternity
+blacklist ${HOME}/.local/share/Paradox Interactive
-deny  ${HOME}/.local/share/Psi
+blacklist ${HOME}/.local/share/PawelStolowski
-deny  ${HOME}/.local/share/QGIS
+blacklist ${HOME}/.local/share/PillarsOfEternity
-deny  ${HOME}/.local/share/QMediathekView
+blacklist ${HOME}/.local/share/Psi
-deny  ${HOME}/.local/share/QuiteRss
+blacklist ${HOME}/.local/share/QGIS
-deny  ${HOME}/.local/share/Ricochet
+blacklist ${HOME}/.local/share/QMediathekView
-deny  ${HOME}/.local/share/RogueLegacy
+blacklist ${HOME}/.local/share/QuiteRss
-deny  ${HOME}/.local/share/RogueLegacyStorageContainer
+blacklist ${HOME}/.local/share/Ricochet
-deny  ${HOME}/.local/share/Shortwave
+blacklist ${HOME}/.local/share/RogueLegacy
-deny  ${HOME}/.local/share/Steam
+blacklist ${HOME}/.local/share/RogueLegacyStorageContainer
-deny  ${HOME}/.local/share/SteamWorld Dig 2
+blacklist ${HOME}/.local/share/Shortwave
-deny  ${HOME}/.local/share/SteamWorldDig
+blacklist ${HOME}/.local/share/Steam
-deny  ${HOME}/.local/share/SuperHexagon
+blacklist ${HOME}/.local/share/SteamWorld Dig 2
-deny  ${HOME}/.local/share/TelegramDesktop
+blacklist ${HOME}/.local/share/SteamWorldDig
-deny  ${HOME}/.local/share/Terraria
+blacklist ${HOME}/.local/share/SuperHexagon
-deny  ${HOME}/.local/share/TpLogger
+blacklist ${HOME}/.local/share/TelegramDesktop
-deny  ${HOME}/.local/share/Zeal
+blacklist ${HOME}/.local/share/Terraria
-deny  ${HOME}/.local/share/agenda
+blacklist ${HOME}/.local/share/TpLogger
-deny  ${HOME}/.local/share/akonadi*
+blacklist ${HOME}/.local/share/Zeal
-deny  ${HOME}/.local/share/akregator
+blacklist ${HOME}/.local/share/agenda
-deny  ${HOME}/.local/share/apps/korganizer
+blacklist ${HOME}/.local/share/akonadi*
-deny  ${HOME}/.local/share/aspyr-media
+blacklist ${HOME}/.local/share/akregator
-deny  ${HOME}/.local/share/authenticator-rs
+blacklist ${HOME}/.local/share/apps/korganizer
-deny  ${HOME}/.local/share/autokey
+blacklist ${HOME}/.local/share/aspyr-media
-deny  ${HOME}/.local/share/backintime
+blacklist ${HOME}/.local/share/authenticator-rs
-deny  ${HOME}/.local/share/baloo
+blacklist ${HOME}/.local/share/autokey
-deny  ${HOME}/.local/share/barrier
+blacklist ${HOME}/.local/share/backintime
-deny  ${HOME}/.local/share/bibletime
+blacklist ${HOME}/.local/share/baloo
-deny  ${HOME}/.local/share/bijiben
+blacklist ${HOME}/.local/share/barrier
-deny  ${HOME}/.local/share/bohemiainteractive
+blacklist ${HOME}/.local/share/bibletime
-deny  ${HOME}/.local/share/caja-python
+blacklist ${HOME}/.local/share/bijiben
-deny  ${HOME}/.local/share/calligragemini
+blacklist ${HOME}/.local/share/bohemiainteractive
-deny  ${HOME}/.local/share/cantata
+blacklist ${HOME}/.local/share/caja-python
-deny  ${HOME}/.local/share/cdprojektred
+blacklist ${HOME}/.local/share/calligragemini
-deny  ${HOME}/.local/share/clipit
+blacklist ${HOME}/.local/share/cantata
-deny  ${HOME}/.local/share/com.github.johnfactotum.Foliate
+blacklist ${HOME}/.local/share/cdprojektred
-deny  ${HOME}/.local/share/contacts
+blacklist ${HOME}/.local/share/clipit
-deny  ${HOME}/.local/share/cor-games
+blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
-deny  ${HOME}/.local/share/data/Mendeley Ltd.
+blacklist ${HOME}/.local/share/contacts
-deny  ${HOME}/.local/share/data/Mumble
+blacklist ${HOME}/.local/share/cor-games
-deny  ${HOME}/.local/share/data/MusE
+blacklist ${HOME}/.local/share/data/Mendeley Ltd.
-deny  ${HOME}/.local/share/data/MuseScore
+blacklist ${HOME}/.local/share/data/Mumble
-deny  ${HOME}/.local/share/data/nomacs
+blacklist ${HOME}/.local/share/data/MusE
-deny  ${HOME}/.local/share/data/qBittorrent
+blacklist ${HOME}/.local/share/data/MuseScore
-deny  ${HOME}/.local/share/dino
+blacklist ${HOME}/.local/share/data/nomacs
-deny  ${HOME}/.local/share/dolphin
+blacklist ${HOME}/.local/share/data/qBittorrent
-deny  ${HOME}/.local/share/dolphin-emu
+blacklist ${HOME}/.local/share/dino
-deny  ${HOME}/.local/share/emailidentities
+blacklist ${HOME}/.local/share/dolphin
-deny  ${HOME}/.local/share/epiphany
+blacklist ${HOME}/.local/share/dolphin-emu
-deny  ${HOME}/.local/share/evolution
+blacklist ${HOME}/.local/share/emailidentities
-deny  ${HOME}/.local/share/feedreader
+blacklist ${HOME}/.local/share/epiphany
-deny  ${HOME}/.local/share/feral-interactive
+blacklist ${HOME}/.local/share/evolution
-deny  ${HOME}/.local/share/five-or-more
+blacklist ${HOME}/.local/share/feedreader
-deny  ${HOME}/.local/share/freecol
+blacklist ${HOME}/.local/share/feral-interactive
-deny  ${HOME}/.local/share/gajim
+blacklist ${HOME}/.local/share/five-or-more
-deny  ${HOME}/.local/share/geary
+blacklist ${HOME}/.local/share/freecol
-deny  ${HOME}/.local/share/geeqie
+blacklist ${HOME}/.local/share/gajim
-deny  ${HOME}/.local/share/ghostwriter
+blacklist ${HOME}/.local/share/geary
-deny  ${HOME}/.local/share/gitg
+blacklist ${HOME}/.local/share/geeqie
-deny  ${HOME}/.local/share/gnome-2048
+blacklist ${HOME}/.local/share/ghostwriter
-deny  ${HOME}/.local/share/gnome-boxes
+blacklist ${HOME}/.local/share/gitg
-deny  ${HOME}/.local/share/gnome-builder
+blacklist ${HOME}/.local/share/gnome-2048
-deny  ${HOME}/.local/share/gnome-chess
+blacklist ${HOME}/.local/share/gnome-boxes
-deny  ${HOME}/.local/share/gnome-klotski
+blacklist ${HOME}/.local/share/gnome-builder
-deny  ${HOME}/.local/share/gnome-latex
+blacklist ${HOME}/.local/share/gnome-chess
-deny  ${HOME}/.local/share/gnome-mines
+blacklist ${HOME}/.local/share/gnome-klotski
-deny  ${HOME}/.local/share/gnome-music
+blacklist ${HOME}/.local/share/gnome-latex
-deny  ${HOME}/.local/share/gnome-nibbles
+blacklist ${HOME}/.local/share/gnome-mines
-deny  ${HOME}/.local/share/gnome-photos
+blacklist ${HOME}/.local/share/gnome-music
-deny  ${HOME}/.local/share/gnome-pomodoro
+blacklist ${HOME}/.local/share/gnome-nibbles
-deny  ${HOME}/.local/share/gnome-recipes
+blacklist ${HOME}/.local/share/gnome-photos
-deny  ${HOME}/.local/share/gnome-ring
+blacklist ${HOME}/.local/share/gnome-pomodoro
-deny  ${HOME}/.local/share/gnome-sudoku
+blacklist ${HOME}/.local/share/gnome-recipes
-deny  ${HOME}/.local/share/gnome-twitch
+blacklist ${HOME}/.local/share/gnome-ring
-deny  ${HOME}/.local/share/gnote
+blacklist ${HOME}/.local/share/gnome-sudoku
-deny  ${HOME}/.local/share/godot
+blacklist ${HOME}/.local/share/gnome-twitch
-deny  ${HOME}/.local/share/gradio
+blacklist ${HOME}/.local/share/gnote
-deny  ${HOME}/.local/share/gwenview
+blacklist ${HOME}/.local/share/godot
-deny  ${HOME}/.local/share/i2p
+blacklist ${HOME}/.local/share/gradio
-deny  ${HOME}/.local/share/jami
+blacklist ${HOME}/.local/share/gwenview
-deny  ${HOME}/.local/share/kaffeine
+blacklist ${HOME}/.local/share/i2p
-deny  ${HOME}/.local/share/kalgebra
+blacklist ${HOME}/.local/share/io.github.lainsce.Notejot
-deny  ${HOME}/.local/share/kate
+blacklist ${HOME}/.local/share/jami
-deny  ${HOME}/.local/share/kdenlive
+blacklist ${HOME}/.local/share/kaffeine
-deny  ${HOME}/.local/share/kget
+blacklist ${HOME}/.local/share/kalgebra
-deny  ${HOME}/.local/share/kiwix
+blacklist ${HOME}/.local/share/kate
-deny  ${HOME}/.local/share/kiwix-desktop
+blacklist ${HOME}/.local/share/kdenlive
-deny  ${HOME}/.local/share/klavaro
+blacklist ${HOME}/.local/share/kget
-deny  ${HOME}/.local/share/kmail2
+blacklist ${HOME}/.local/share/kiwix
-deny  ${HOME}/.local/share/kmplayer
+blacklist ${HOME}/.local/share/kiwix-desktop
-deny  ${HOME}/.local/share/knotes
+blacklist ${HOME}/.local/share/klavaro
-deny  ${HOME}/.local/share/krita
+blacklist ${HOME}/.local/share/kmail2
-deny  ${HOME}/.local/share/ktorrent
+blacklist ${HOME}/.local/share/kmplayer
-deny  ${HOME}/.local/share/ktorrentrc
+blacklist ${HOME}/.local/share/knotes
-deny  ${HOME}/.local/share/ktouch
+blacklist ${HOME}/.local/share/krita
-deny  ${HOME}/.local/share/kube
+blacklist ${HOME}/.local/share/ktorrent
-deny  ${HOME}/.local/share/kwrite
+blacklist ${HOME}/.local/share/ktorrentrc
-deny  ${HOME}/.local/share/kxmlgui5/*
+blacklist ${HOME}/.local/share/ktouch
-deny  ${HOME}/.local/share/liferea
+blacklist ${HOME}/.local/share/kube
-deny  ${HOME}/.local/share/linphone
+blacklist ${HOME}/.local/share/kwrite
-deny  ${HOME}/.local/share/local-mail
+blacklist ${HOME}/.local/share/kxmlgui5/*
-deny  ${HOME}/.local/share/lollypop
+blacklist ${HOME}/.local/share/liferea
-deny  ${HOME}/.local/share/love
+blacklist ${HOME}/.local/share/linphone
-deny  ${HOME}/.local/share/lugaru
+blacklist ${HOME}/.local/share/local-mail
-deny  ${HOME}/.local/share/lutris
+blacklist ${HOME}/.local/share/lollypop
-deny  ${HOME}/.local/share/man
+blacklist ${HOME}/.local/share/love
-deny  ${HOME}/.local/share/mana
+blacklist ${HOME}/.local/share/lugaru
-deny  ${HOME}/.local/share/maps-places.json
+blacklist ${HOME}/.local/share/lutris
-deny  ${HOME}/.local/share/matrix-mirage
+blacklist ${HOME}/.local/share/man
-deny  ${HOME}/.local/share/mcomix
+blacklist ${HOME}/.local/share/mana
-deny  ${HOME}/.local/share/meld
+blacklist ${HOME}/.local/share/maps-places.json
-deny  ${HOME}/.local/share/midori
+blacklist ${HOME}/.local/share/matrix-mirage
-deny  ${HOME}/.local/share/minder
+blacklist ${HOME}/.local/share/mcomix
-deny  ${HOME}/.local/share/mirage
+blacklist ${HOME}/.local/share/meld
-deny  ${HOME}/.local/share/multimc
+blacklist ${HOME}/.local/share/midori
-deny  ${HOME}/.local/share/multimc5
+blacklist ${HOME}/.local/share/minder
-deny  ${HOME}/.local/share/mupen64plus
+blacklist ${HOME}/.local/share/mirage
-deny  ${HOME}/.local/share/mypaint
+blacklist ${HOME}/.local/share/multimc
-deny  ${HOME}/.local/share/nautilus
+blacklist ${HOME}/.local/share/multimc5
-deny  ${HOME}/.local/share/nautilus-python
+blacklist ${HOME}/.local/share/mupen64plus
-deny  ${HOME}/.local/share/nemo
+blacklist ${HOME}/.local/share/mypaint
-deny  ${HOME}/.local/share/nemo-python
+blacklist ${HOME}/.local/share/nautilus
-deny  ${HOME}/.local/share/news-flash
+blacklist ${HOME}/.local/share/nautilus-python
-deny  ${HOME}/.local/share/newsbeuter
+blacklist ${HOME}/.local/share/nemo
-deny  ${HOME}/.local/share/newsboat
+blacklist ${HOME}/.local/share/nemo-python
-deny  ${HOME}/.local/share/nheko
+blacklist ${HOME}/.local/share/news-flash
-deny  ${HOME}/.local/share/nomacs
+blacklist ${HOME}/.local/share/newsbeuter
-deny  ${HOME}/.local/share/notes
+blacklist ${HOME}/.local/share/newsboat
-deny  ${HOME}/.local/share/ocenaudio
+blacklist ${HOME}/.local/share/nheko
-deny  ${HOME}/.local/share/okular
+blacklist ${HOME}/.local/share/nomacs
-deny  ${HOME}/.local/share/onlyoffice
+blacklist ${HOME}/.local/share/notes
-deny  ${HOME}/.local/share/openmw
+blacklist ${HOME}/.local/share/ocenaudio
-deny  ${HOME}/.local/share/orage
+blacklist ${HOME}/.local/share/okular
-deny  ${HOME}/.local/share/org.kde.gwenview
+blacklist ${HOME}/.local/share/onlyoffice
-deny  ${HOME}/.local/share/pix
+blacklist ${HOME}/.local/share/openmw
-deny  ${HOME}/.local/share/plasma_notes
+blacklist ${HOME}/.local/share/orage
-deny  ${HOME}/.local/share/profanity
+blacklist ${HOME}/.local/share/org.kde.gwenview
-deny  ${HOME}/.local/share/psi
+blacklist ${HOME}/.local/share/pix
-deny  ${HOME}/.local/share/psi+
+blacklist ${HOME}/.local/share/plasma_notes
-deny  ${HOME}/.local/share/qpdfview
+blacklist ${HOME}/.local/share/profanity
-deny  ${HOME}/.local/share/quadrapassel
+blacklist ${HOME}/.local/share/psi
-deny  ${HOME}/.local/share/qutebrowser
+blacklist ${HOME}/.local/share/psi+
-deny  ${HOME}/.local/share/remmina
+blacklist ${HOME}/.local/share/qpdfview
-deny  ${HOME}/.local/share/rhythmbox
+blacklist ${HOME}/.local/share/quadrapassel
-deny  ${HOME}/.local/share/rtv
+blacklist ${HOME}/.local/share/qutebrowser
-deny  ${HOME}/.local/share/scribus
+blacklist ${HOME}/.local/share/remmina
-deny  ${HOME}/.local/share/shotwell
+blacklist ${HOME}/.local/share/rhythmbox
-deny  ${HOME}/.local/share/signal-cli
+blacklist ${HOME}/.local/share/rtv
-deny  ${HOME}/.local/share/sink
+blacklist ${HOME}/.local/share/scribus
-deny  ${HOME}/.local/share/smuxi
+blacklist ${HOME}/.local/share/shotwell
-deny  ${HOME}/.local/share/spotify
+blacklist ${HOME}/.local/share/signal-cli
-deny  ${HOME}/.local/share/steam
+blacklist ${HOME}/.local/share/sink
-deny  ${HOME}/.local/share/strawberry
+blacklist ${HOME}/.local/share/smuxi
-deny  ${HOME}/.local/share/supertux2
+blacklist ${HOME}/.local/share/spotify
-deny  ${HOME}/.local/share/supertuxkart
+blacklist ${HOME}/.local/share/steam
-deny  ${HOME}/.local/share/swell-foop
+blacklist ${HOME}/.local/share/strawberry
-deny  ${HOME}/.local/share/telepathy
+blacklist ${HOME}/.local/share/supertux2
-deny  ${HOME}/.local/share/terasology
+blacklist ${HOME}/.local/share/supertuxkart
-deny  ${HOME}/.local/share/torbrowser
+blacklist ${HOME}/.local/share/swell-foop
-deny  ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/telepathy
-deny  ${HOME}/.local/share/uzbl
+blacklist ${HOME}/.local/share/terasology
-deny  ${HOME}/.local/share/vlc
+blacklist ${HOME}/.local/share/torbrowser
-deny  ${HOME}/.local/share/vpltd
+blacklist ${HOME}/.local/share/totem
-deny  ${HOME}/.local/share/vulkan
+blacklist ${HOME}/.local/share/uzbl
-deny  ${HOME}/.local/share/warsow-2.1
+blacklist ${HOME}/.local/share/vlc
-deny  ${HOME}/.local/share/wesnoth
+blacklist ${HOME}/.local/share/vpltd
-deny  ${HOME}/.local/share/wormux
+blacklist ${HOME}/.local/share/vulkan
-deny  ${HOME}/.local/share/xplayer
+blacklist ${HOME}/.local/share/warsow-2.1
-deny  ${HOME}/.local/share/xreader
+blacklist ${HOME}/.local/share/wesnoth
-deny  ${HOME}/.local/share/zathura
+blacklist ${HOME}/.local/share/wormux
-deny  ${HOME}/.lv2
+blacklist ${HOME}/.local/share/xplayer
-deny  ${HOME}/.lyx
+blacklist ${HOME}/.local/share/xreader
-deny  ${HOME}/.magicor
+blacklist ${HOME}/.local/share/zathura
-deny  ${HOME}/.masterpdfeditor
+blacklist ${HOME}/.lv2
-deny  ${HOME}/.mbwarband
+blacklist ${HOME}/.lyx
-deny  ${HOME}/.mcabber
+blacklist ${HOME}/.magicor
-deny  ${HOME}/.mcabberrc
+blacklist ${HOME}/.masterpdfeditor
-deny  ${HOME}/.mediathek3
+blacklist ${HOME}/.mbwarband
-deny  ${HOME}/.megaglest
+blacklist ${HOME}/.mcabber
-deny  ${HOME}/.minecraft
+blacklist ${HOME}/.mcabberrc
-deny  ${HOME}/.minetest
+blacklist ${HOME}/.mediathek3
-deny  ${HOME}/.mirrormagic
+blacklist ${HOME}/.megaglest
-deny  ${HOME}/.moc
+blacklist ${HOME}/.minecraft
-deny  ${HOME}/.moonchild productions/basilisk
+blacklist ${HOME}/.minetest
-deny  ${HOME}/.moonchild productions/pale moon
+blacklist ${HOME}/.mirrormagic
-deny  ${HOME}/.mozilla
+blacklist ${HOME}/.moc
-deny  ${HOME}/.mp3splt-gtk
+blacklist ${HOME}/.moonchild productions/basilisk
-deny  ${HOME}/.mpd
+blacklist ${HOME}/.moonchild productions/pale moon
-deny  ${HOME}/.mpdconf
+blacklist ${HOME}/.mozilla
-deny  ${HOME}/.mplayer
+blacklist ${HOME}/.mp3splt-gtk
-deny  ${HOME}/.msmtprc
+blacklist ${HOME}/.mpd
-deny  ${HOME}/.multimc5
+blacklist ${HOME}/.mpdconf
-deny  ${HOME}/.nanorc
+blacklist ${HOME}/.mplayer
-deny  ${HOME}/.netactview
+blacklist ${HOME}/.msmtprc
-deny  ${HOME}/.neverball
+blacklist ${HOME}/.multimc5
-deny  ${HOME}/.newsbeuter
+blacklist ${HOME}/.nanorc
-deny  ${HOME}/.newsboat
+blacklist ${HOME}/.netactview
-deny  ${HOME}/.newsrc
+blacklist ${HOME}/.neverball
-deny  ${HOME}/.nicotine
+blacklist ${HOME}/.newsbeuter
-deny  ${HOME}/.node-gyp
+blacklist ${HOME}/.newsboat
-deny  ${HOME}/.npm
+blacklist ${HOME}/.newsrc
-deny  ${HOME}/.npmrc
+blacklist ${HOME}/.nicotine
-deny  ${HOME}/.nv
+blacklist ${HOME}/.node-gyp
-deny  ${HOME}/.nvm
+blacklist ${HOME}/.npm
-deny  ${HOME}/.nylas-mail
+blacklist ${HOME}/.npmrc
-deny  ${HOME}/.openarena
+blacklist ${HOME}/.nv
-deny  ${HOME}/.opencity
+blacklist ${HOME}/.nvm
-deny  ${HOME}/.openinvaders
+blacklist ${HOME}/.nylas-mail
-deny  ${HOME}/.openshot
+blacklist ${HOME}/.openarena
-deny  ${HOME}/.openshot_qt
+blacklist ${HOME}/.opencity
-deny  ${HOME}/.openttd
+blacklist ${HOME}/.openinvaders
-deny  ${HOME}/.opera
+blacklist ${HOME}/.openshot
-deny  ${HOME}/.opera-beta
+blacklist ${HOME}/.openshot_qt
-deny  ${HOME}/.ostrichriders
+blacklist ${HOME}/.openttd
-deny  ${HOME}/.paradoxinteractive
+blacklist ${HOME}/.opera
-deny  ${HOME}/.parallelrealities/blobwars
+blacklist ${HOME}/.opera-beta
-deny  ${HOME}/.pcsxr
+blacklist ${HOME}/.ostrichriders
-deny  ${HOME}/.penguin-command
+blacklist ${HOME}/.paradoxinteractive
-deny  ${HOME}/.pine-crash
+blacklist ${HOME}/.parallelrealities/blobwars
-deny  ${HOME}/.pine-debug1
+blacklist ${HOME}/.pcsxr
-deny  ${HOME}/.pine-debug2
+blacklist ${HOME}/.penguin-command
-deny  ${HOME}/.pine-debug3
+blacklist ${HOME}/.pine-crash
-deny  ${HOME}/.pine-debug4
+blacklist ${HOME}/.pine-debug1
-deny  ${HOME}/.pine-interrupted-mail
+blacklist ${HOME}/.pine-debug2
-deny  ${HOME}/.pinerc
+blacklist ${HOME}/.pine-debug3
-deny  ${HOME}/.pinercex
+blacklist ${HOME}/.pine-debug4
-deny  ${HOME}/.pingus
+blacklist ${HOME}/.pine-interrupted-mail
-deny  ${HOME}/.pioneer
+blacklist ${HOME}/.pinerc
-deny  ${HOME}/.purple
+blacklist ${HOME}/.pinercex
-deny  ${HOME}/.pylint.d
+blacklist ${HOME}/.pingus
-deny  ${HOME}/.qemu-launcher
+blacklist ${HOME}/.pioneer
-deny  ${HOME}/.qgis2
+blacklist ${HOME}/.purple
-deny  ${HOME}/.qmmp
+blacklist ${HOME}/.pylint.d
-deny  ${HOME}/.quodlibet
+blacklist ${HOME}/.qemu-launcher
-deny  ${HOME}/.redeclipse
+blacklist ${HOME}/.qgis2
-deny  ${HOME}/.remmina
+blacklist ${HOME}/.qmmp
-deny  ${HOME}/.repo_.gitconfig.json
+blacklist ${HOME}/.quodlibet
-deny  ${HOME}/.repoconfig
+blacklist ${HOME}/.redeclipse
-deny  ${HOME}/.retroshare
+blacklist ${HOME}/.rednotebook
-deny  ${HOME}/.ripperXrc
+blacklist ${HOME}/.remmina
-deny  ${HOME}/.scorched3d
+blacklist ${HOME}/.repo_.gitconfig.json
-deny  ${HOME}/.scribus
+blacklist ${HOME}/.repoconfig
-deny  ${HOME}/.scribusrc
+blacklist ${HOME}/.retroshare
-deny  ${HOME}/.simutrans
+blacklist ${HOME}/.ripperXrc
-deny  ${HOME}/.smartgit/*/passwords
+blacklist ${HOME}/.scorched3d
-deny  ${HOME}/.ssr
+blacklist ${HOME}/.scribus
-deny  ${HOME}/.steam
+blacklist ${HOME}/.scribusrc
-deny  ${HOME}/.steampath
+blacklist ${HOME}/.simutrans
-deny  ${HOME}/.steampid
+blacklist ${HOME}/.smartgit/*/passwords
-deny  ${HOME}/.stellarium
+blacklist ${HOME}/.ssr
-deny  ${HOME}/.subversion
+blacklist ${HOME}/.steam
-deny  ${HOME}/.surf
+blacklist ${HOME}/.steampath
-deny  ${HOME}/.suve/colorful
+blacklist ${HOME}/.steampid
-deny  ${HOME}/.swb.ini
+blacklist ${HOME}/.stellarium
-deny  ${HOME}/.sword
+blacklist ${HOME}/.subversion
-deny  ${HOME}/.sylpheed-2.0
+blacklist ${HOME}/.surf
-deny  ${HOME}/.synfig
+blacklist ${HOME}/.suve/colorful
-deny  ${HOME}/.tb
+blacklist ${HOME}/.swb.ini
-deny  ${HOME}/.tconn
+blacklist ${HOME}/.sword
-deny  ${HOME}/.teeworlds
+blacklist ${HOME}/.sylpheed-2.0
-deny  ${HOME}/.texlive20*
+blacklist ${HOME}/.synfig
-deny  ${HOME}/.thunderbird
+blacklist ${HOME}/.tb
-deny  ${HOME}/.tilp
+blacklist ${HOME}/.tconn
-deny  ${HOME}/.tin
+blacklist ${HOME}/.teeworlds
-deny  ${HOME}/.tooling
+blacklist ${HOME}/.texlive20*
-deny  ${HOME}/.tor-browser*
+blacklist ${HOME}/.thunderbird
-deny  ${HOME}/.torcs
+blacklist ${HOME}/.tilp
-deny  ${HOME}/.tremulous
+blacklist ${HOME}/.tin
-deny  ${HOME}/.ts3client
+blacklist ${HOME}/.tooling
-deny  ${HOME}/.tuxguitar*
+blacklist ${HOME}/.tor-browser*
-deny  ${HOME}/.tvbrowser
+blacklist ${HOME}/.torcs
-deny  ${HOME}/.unknown-horizons
+blacklist ${HOME}/.tremulous
-deny  ${HOME}/.viking
+blacklist ${HOME}/.ts3client
-deny  ${HOME}/.viking-maps
+blacklist ${HOME}/.tuxguitar*
-deny  ${HOME}/.vim
+blacklist ${HOME}/.tvbrowser
-deny  ${HOME}/.vimrc
+blacklist ${HOME}/.unknown-horizons
-deny  ${HOME}/.vmware
+blacklist ${HOME}/.viking
-deny  ${HOME}/.vscode
+blacklist ${HOME}/.viking-maps
-deny  ${HOME}/.vscode-oss
+blacklist ${HOME}/.vim
-deny  ${HOME}/.vst
+blacklist ${HOME}/.vimrc
-deny  ${HOME}/.vultures
+blacklist ${HOME}/.vmware
-deny  ${HOME}/.w3m
+blacklist ${HOME}/.vscode
-deny  ${HOME}/.warzone2100-3.*
+blacklist ${HOME}/.vscode-oss
-deny  ${HOME}/.waterfox
+blacklist ${HOME}/.vst
-deny  ${HOME}/.weechat
+blacklist ${HOME}/.vultures
-deny  ${HOME}/.wget-hsts
+blacklist ${HOME}/.w3m
-deny  ${HOME}/.wgetrc
+blacklist ${HOME}/.warzone2100-3.*
-deny  ${HOME}/.widelands
+blacklist ${HOME}/.waterfox
-deny  ${HOME}/.wine
+blacklist ${HOME}/.weechat
-deny  ${HOME}/.wine64
+blacklist ${HOME}/.wget-hsts
-deny  ${HOME}/.wireshark
+blacklist ${HOME}/.wgetrc
-deny  ${HOME}/.wordwarvi
+blacklist ${HOME}/.widelands
-deny  ${HOME}/.wormux
+blacklist ${HOME}/.wine
-deny  ${HOME}/.xiphos
+blacklist ${HOME}/.wine64
-deny  ${HOME}/.xmind
+blacklist ${HOME}/.wireshark
-deny  ${HOME}/.xmms
+blacklist ${HOME}/.wordwarvi
-deny  ${HOME}/.xmr-stak
+blacklist ${HOME}/.wormux
-deny  ${HOME}/.xonotic
+blacklist ${HOME}/.xiphos
-deny  ${HOME}/.xournalpp
+blacklist ${HOME}/.xmind
-deny  ${HOME}/.xpdfrc
+blacklist ${HOME}/.xmms
-deny  ${HOME}/.yarn
+blacklist ${HOME}/.xmr-stak
-deny  ${HOME}/.yarn-config
+blacklist ${HOME}/.xonotic
-deny  ${HOME}/.yarncache
+blacklist ${HOME}/.xournalpp
-deny  ${HOME}/.yarnrc
+blacklist ${HOME}/.xpdfrc
-deny  ${HOME}/.zoom
+blacklist ${HOME}/.yarn
-deny  ${HOME}/Arduino
+blacklist ${HOME}/.yarn-config
-deny  ${HOME}/Monero/wallets
+blacklist ${HOME}/.yarncache
-deny  ${HOME}/Nextcloud
+blacklist ${HOME}/.yarnrc
-deny  ${HOME}/Nextcloud/Notes
+blacklist ${HOME}/.zoom
-deny  ${HOME}/SoftMaker
+blacklist ${HOME}/Arduino
-deny  ${HOME}/Standard Notes Backups
+blacklist ${HOME}/Monero/wallets
-deny  ${HOME}/TeamSpeak3-Client-linux_amd64
+blacklist ${HOME}/Nextcloud
-deny  ${HOME}/TeamSpeak3-Client-linux_x86
+blacklist ${HOME}/Nextcloud/Notes
-deny  ${HOME}/hyperrogue.ini
+blacklist ${HOME}/SoftMaker
-deny  ${HOME}/i2p
+blacklist ${HOME}/Standard Notes Backups
-deny  ${HOME}/mps
+blacklist ${HOME}/TeamSpeak3-Client-linux_amd64
-deny  ${HOME}/wallet.dat
+blacklist ${HOME}/TeamSpeak3-Client-linux_x86
-deny  /tmp/.wine-*
+blacklist ${HOME}/hyperrogue.ini
-deny  /tmp/akonadi-*
+blacklist ${HOME}/i2p
-deny  /var/games/nethack
+blacklist ${HOME}/mps
-deny  /var/games/slashem
+blacklist ${HOME}/wallet.dat
-deny  /var/games/vulturesclaw
+blacklist /tmp/.wine-*
-deny  /var/games/vultureseye
+blacklist /tmp/akonadi-*
-deny  /var/lib/games/Maelstrom-Scores
+blacklist /var/games/nethack
+blacklist /var/games/slashem
+blacklist /var/games/vulturesclaw
+blacklist /var/games/vultureseye
+blacklist /var/lib/games/Maelstrom-Scores
 # ${HOME}/.cache directory
-deny  ${HOME}/.cache/0ad
+blacklist ${HOME}/.cache/0ad
-deny  ${HOME}/.cache/8pecxstudios
+blacklist ${HOME}/.cache/8pecxstudios
-deny  ${HOME}/.cache/Authenticator
+blacklist ${HOME}/.cache/Authenticator
-deny  ${HOME}/.cache/BraveSoftware
+blacklist ${HOME}/.cache/BraveSoftware
-deny  ${HOME}/.cache/Clementine
+blacklist ${HOME}/.cache/Clementine
-deny  ${HOME}/.cache/ENCOM/Spectral
+blacklist ${HOME}/.cache/ENCOM/Spectral
-deny  ${HOME}/.cache/Enox
+blacklist ${HOME}/.cache/Enox
-deny  ${HOME}/.cache/Enpass
+blacklist ${HOME}/.cache/Enpass
-deny  ${HOME}/.cache/Ferdi
+blacklist ${HOME}/.cache/Ferdi
-deny  ${HOME}/.cache/Flavio Tordini
+blacklist ${HOME}/.cache/Flavio Tordini
-deny  ${HOME}/.cache/Franz
+blacklist ${HOME}/.cache/Franz
-deny  ${HOME}/.cache/INRIA
+blacklist ${HOME}/.cache/INRIA
-deny  ${HOME}/.cache/INRIA/Natron
+blacklist ${HOME}/.cache/INRIA/Natron
-deny  ${HOME}/.cache/KDE/neochat
+blacklist ${HOME}/.cache/KDE/neochat
-deny  ${HOME}/.cache/Mendeley Ltd.
+blacklist ${HOME}/.cache/Mendeley Ltd.
-deny  ${HOME}/.cache/MusicBrainz
+blacklist ${HOME}/.cache/MusicBrainz
-deny  ${HOME}/.cache/NewsFlashGTK
+blacklist ${HOME}/.cache/NewsFlashGTK
-deny  ${HOME}/.cache/Otter
+blacklist ${HOME}/.cache/Otter
-deny  ${HOME}/.cache/PawelStolowski
+blacklist ${HOME}/.cache/PawelStolowski
-deny  ${HOME}/.cache/Psi
+blacklist ${HOME}/.cache/Psi
-deny  ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/QuiteRss
-deny  ${HOME}/.cache/Quotient/quaternion
+blacklist ${HOME}/.cache/Quotient/quaternion
-deny  ${HOME}/.cache/Shortwave
+blacklist ${HOME}/.cache/Shortwave
-deny  ${HOME}/.cache/Tox
+blacklist ${HOME}/.cache/Tox
-deny  ${HOME}/.cache/Zeal
+blacklist ${HOME}/.cache/Zeal
-deny  ${HOME}/.cache/agenda
+blacklist ${HOME}/.cache/agenda
-deny  ${HOME}/.cache/akonadi*
+blacklist ${HOME}/.cache/akonadi*
-deny  ${HOME}/.cache/atril
+blacklist ${HOME}/.cache/atril
-deny  ${HOME}/.cache/attic
+blacklist ${HOME}/.cache/attic
-deny  ${HOME}/.cache/babl
+blacklist ${HOME}/.cache/babl
-deny  ${HOME}/.cache/bnox
+blacklist ${HOME}/.cache/bnox
-deny  ${HOME}/.cache/borg
+blacklist ${HOME}/.cache/borg
-deny  ${HOME}/.cache/calibre
+blacklist ${HOME}/.cache/calibre
-deny  ${HOME}/.cache/cantata
+blacklist ${HOME}/.cache/cantata
-deny  ${HOME}/.cache/champlain
+blacklist ${HOME}/.cache/champlain
-deny  ${HOME}/.cache/chromium
+blacklist ${HOME}/.cache/chromium
-deny  ${HOME}/.cache/chromium-dev
+blacklist ${HOME}/.cache/chromium-dev
-deny  ${HOME}/.cache/cliqz
+blacklist ${HOME}/.cache/cliqz
-deny  ${HOME}/.cache/com.github.johnfactotum.Foliate
+blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
-deny  ${HOME}/.cache/darktable
+blacklist ${HOME}/.cache/darktable
-deny  ${HOME}/.cache/deja-dup
+blacklist ${HOME}/.cache/deja-dup
-deny  ${HOME}/.cache/discover
+blacklist ${HOME}/.cache/discover
-deny  ${HOME}/.cache/dnox
+blacklist ${HOME}/.cache/dnox
-deny  ${HOME}/.cache/dolphin
+blacklist ${HOME}/.cache/dolphin
-deny  ${HOME}/.cache/dolphin-emu
+blacklist ${HOME}/.cache/dolphin-emu
-deny  ${HOME}/.cache/ephemeral
+blacklist ${HOME}/.cache/ephemeral
-deny  ${HOME}/.cache/epiphany
+blacklist ${HOME}/.cache/epiphany
-deny  ${HOME}/.cache/evolution
+blacklist ${HOME}/.cache/evolution
-deny  ${HOME}/.cache/falkon
+blacklist ${HOME}/.cache/falkon
-deny  ${HOME}/.cache/feedreader
+blacklist ${HOME}/.cache/feedreader
-deny  ${HOME}/.cache/firedragon
+blacklist ${HOME}/.cache/firedragon
-deny  ${HOME}/.cache/flaska.net/trojita
+blacklist ${HOME}/.cache/flaska.net/trojita
-deny  ${HOME}/.cache/folks
+blacklist ${HOME}/.cache/folks
-deny  ${HOME}/.cache/font-manager
+blacklist ${HOME}/.cache/font-manager
-deny  ${HOME}/.cache/fossamail
+blacklist ${HOME}/.cache/fossamail
-deny  ${HOME}/.cache/fractal
+blacklist ${HOME}/.cache/fractal
-deny  ${HOME}/.cache/freecol
+blacklist ${HOME}/.cache/freecol
-deny  ${HOME}/.cache/gajim
+blacklist ${HOME}/.cache/gajim
-deny  ${HOME}/.cache/geary
+blacklist ${HOME}/.cache/geary
-deny  ${HOME}/.cache/geeqie
+blacklist ${HOME}/.cache/geeqie
-deny  ${HOME}/.cache/gegl-0.4
+blacklist ${HOME}/.cache/gegl-0.4
-deny  ${HOME}/.cache/gfeeds
+blacklist ${HOME}/.cache/gfeeds
-deny  ${HOME}/.cache/gimp
+blacklist ${HOME}/.cache/gimp
-deny  ${HOME}/.cache/gnome-boxes
+blacklist ${HOME}/.cache/gnome-boxes
-deny  ${HOME}/.cache/gnome-builder
+blacklist ${HOME}/.cache/gnome-builder
-deny  ${HOME}/.cache/gnome-control-center
+blacklist ${HOME}/.cache/gnome-control-center
-deny  ${HOME}/.cache/gnome-recipes
+blacklist ${HOME}/.cache/gnome-recipes
-deny  ${HOME}/.cache/gnome-screenshot
+blacklist ${HOME}/.cache/gnome-screenshot
-deny  ${HOME}/.cache/gnome-software
+blacklist ${HOME}/.cache/gnome-software
-deny  ${HOME}/.cache/gnome-twitch
+blacklist ${HOME}/.cache/gnome-twitch
-deny  ${HOME}/.cache/godot
+blacklist ${HOME}/.cache/godot
-deny  ${HOME}/.cache/google-chrome
+blacklist ${HOME}/.cache/google-chrome
-deny  ${HOME}/.cache/google-chrome-beta
+blacklist ${HOME}/.cache/google-chrome-beta
-deny  ${HOME}/.cache/google-chrome-unstable
+blacklist ${HOME}/.cache/google-chrome-unstable
-deny  ${HOME}/.cache/gradio
+blacklist ${HOME}/.cache/gradio
-deny  ${HOME}/.cache/gummi
+blacklist ${HOME}/.cache/gummi
-deny  ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/icedove
-deny  ${HOME}/.cache/inkscape
+blacklist ${HOME}/.cache/inkscape
-deny  ${HOME}/.cache/inox
+blacklist ${HOME}/.cache/inox
-deny  ${HOME}/.cache/iridium
+blacklist ${HOME}/.cache/io.github.lainsce.Notejot
-deny  ${HOME}/.cache/JetBrains/CLion*
+blacklist ${HOME}/.cache/iridium
-deny  ${HOME}/.cache/kcmshell5
+blacklist ${HOME}/.cache/JetBrains/CLion*
-deny  ${HOME}/.cache/kdenlive
+blacklist ${HOME}/.cache/kcmshell5
-deny  ${HOME}/.cache/keepassxc
+blacklist ${HOME}/.cache/kdenlive
-deny  ${HOME}/.cache/kfind
+blacklist ${HOME}/.cache/keepassxc
-deny  ${HOME}/.cache/kinfocenter
+blacklist ${HOME}/.cache/kfind
-deny  ${HOME}/.cache/kmail2
+blacklist ${HOME}/.cache/kinfocenter
-deny  ${HOME}/.cache/krunner
+blacklist ${HOME}/.cache/kmail2
-deny  ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
+blacklist ${HOME}/.cache/krunner
-deny  ${HOME}/.cache/kscreenlocker_greet
+blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
-deny  ${HOME}/.cache/ksmserver-logout-greeter
+blacklist ${HOME}/.cache/kscreenlocker_greet
-deny  ${HOME}/.cache/ksplashqml
+blacklist ${HOME}/.cache/ksmserver-logout-greeter
-deny  ${HOME}/.cache/kube
+blacklist ${HOME}/.cache/ksplashqml
-deny  ${HOME}/.cache/kwin
+blacklist ${HOME}/.cache/kube
-deny  ${HOME}/.cache/libgweather
+blacklist ${HOME}/.cache/kwin
-deny  ${HOME}/.cache/librewolf
+blacklist ${HOME}/.cache/libgweather
-deny  ${HOME}/.cache/liferea
+blacklist ${HOME}/.cache/librewolf
-deny  ${HOME}/.cache/lutris
+blacklist ${HOME}/.cache/liferea
-deny  ${HOME}/.cache/marker
+blacklist ${HOME}/.cache/lutris
-deny  ${HOME}/.cache/matrix-mirage
+blacklist ${HOME}/.cache/marker
-deny  ${HOME}/.cache/microsoft-edge-dev
+blacklist ${HOME}/.cache/matrix-mirage
-deny  ${HOME}/.cache/midori
+blacklist ${HOME}/.cache/microsoft-edge-beta
-deny  ${HOME}/.cache/minetest
+blacklist ${HOME}/.cache/microsoft-edge-dev
-deny  ${HOME}/.cache/mirage
+blacklist ${HOME}/.cache/midori
-deny  ${HOME}/.cache/moonchild productions/basilisk
+blacklist ${HOME}/.cache/minetest
-deny  ${HOME}/.cache/moonchild productions/pale moon
+blacklist ${HOME}/.cache/mirage
-deny  ${HOME}/.cache/mozilla
+blacklist ${HOME}/.cache/moonchild productions/basilisk
-deny  ${HOME}/.cache/ms-excel-online
+blacklist ${HOME}/.cache/moonchild productions/pale moon
-deny  ${HOME}/.cache/ms-office-online
+blacklist ${HOME}/.cache/mozilla
-deny  ${HOME}/.cache/ms-onenote-online
+blacklist ${HOME}/.cache/ms-excel-online
-deny  ${HOME}/.cache/ms-outlook-online
+blacklist ${HOME}/.cache/ms-office-online
-deny  ${HOME}/.cache/ms-powerpoint-online
+blacklist ${HOME}/.cache/ms-onenote-online
-deny  ${HOME}/.cache/ms-skype-online
+blacklist ${HOME}/.cache/ms-outlook-online
-deny  ${HOME}/.cache/ms-word-online
+blacklist ${HOME}/.cache/ms-powerpoint-online
-deny  ${HOME}/.cache/mutt
+blacklist ${HOME}/.cache/ms-skype-online
-deny  ${HOME}/.cache/mypaint
+blacklist ${HOME}/.cache/ms-word-online
-deny  ${HOME}/.cache/netsurf
+blacklist ${HOME}/.cache/mutt
-deny  ${HOME}/.cache/nheko
+blacklist ${HOME}/.cache/mypaint
-deny  ${HOME}/.cache/okular
+blacklist ${HOME}/.cache/netsurf
-deny  ${HOME}/.cache/opera
+blacklist ${HOME}/.cache/nheko
-deny  ${HOME}/.cache/opera-beta
+blacklist ${HOME}/.cache/okular
-deny  ${HOME}/.cache/org.gabmus.gfeeds
+blacklist ${HOME}/.cache/opera
-deny  ${HOME}/.cache/org.gnome.Books
+blacklist ${HOME}/.cache/opera-beta
-deny  ${HOME}/.cache/org.gnome.Maps
+blacklist ${HOME}/.cache/org.gabmus.gfeeds
-deny  ${HOME}/.cache/pdfmod
+blacklist ${HOME}/.cache/org.gnome.Books
-deny  ${HOME}/.cache/peek
+blacklist ${HOME}/.cache/org.gnome.Maps
-deny  ${HOME}/.cache/pip
+blacklist ${HOME}/.cache/pdfmod
-deny  ${HOME}/.cache/pipe-viewer
+blacklist ${HOME}/.cache/peek
-deny  ${HOME}/.cache/plasmashell
+blacklist ${HOME}/.cache/pip
-deny  ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
+blacklist ${HOME}/.cache/pipe-viewer
-deny  ${HOME}/.cache/psi
+blacklist ${HOME}/.cache/plasmashell
-deny  ${HOME}/.cache/qBittorrent
+blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
-deny  ${HOME}/.cache/quodlibet
+blacklist ${HOME}/.cache/psi
-deny  ${HOME}/.cache/qupzilla
+blacklist ${HOME}/.cache/qBittorrent
-deny  ${HOME}/.cache/qutebrowser
+blacklist ${HOME}/.cache/quodlibet
-deny  ${HOME}/.cache/rhythmbox
+blacklist ${HOME}/.cache/qupzilla
-deny  ${HOME}/.cache/shotwell
+blacklist ${HOME}/.cache/qutebrowser
-deny  ${HOME}/.cache/simple-scan
+blacklist ${HOME}/.cache/rednotebook
-deny  ${HOME}/.cache/slimjet
+blacklist ${HOME}/.cache/rhythmbox
-deny  ${HOME}/.cache/smuxi
+blacklist ${HOME}/.cache/shotwell
-deny  ${HOME}/.cache/snox
+blacklist ${HOME}/.cache/simple-scan
-deny  ${HOME}/.cache/spotify
+blacklist ${HOME}/.cache/slimjet
-deny  ${HOME}/.cache/straw-viewer
+blacklist ${HOME}/.cache/smuxi
-deny  ${HOME}/.cache/strawberry
+blacklist ${HOME}/.cache/snox
-deny  ${HOME}/.cache/supertuxkart
+blacklist ${HOME}/.cache/spotify
-deny  ${HOME}/.cache/systemsettings
+blacklist ${HOME}/.cache/straw-viewer
-deny  ${HOME}/.cache/telepathy
+blacklist ${HOME}/.cache/strawberry
-deny  ${HOME}/.cache/thunderbird
+blacklist ${HOME}/.cache/supertuxkart
-deny  ${HOME}/.cache/torbrowser
+blacklist ${HOME}/.cache/systemsettings
-deny  ${HOME}/.cache/transmission
+blacklist ${HOME}/.cache/telepathy
-deny  ${HOME}/.cache/ungoogled-chromium
+blacklist ${HOME}/.cache/thunderbird
-deny  ${HOME}/.cache/vivaldi
+blacklist ${HOME}/.cache/torbrowser
-deny  ${HOME}/.cache/vivaldi-snapshot
+blacklist ${HOME}/.cache/transmission
-deny  ${HOME}/.cache/vlc
+blacklist ${HOME}/.cache/ungoogled-chromium
-deny  ${HOME}/.cache/vmware
+blacklist ${HOME}/.cache/vivaldi
-deny  ${HOME}/.cache/warsow-2.1
+blacklist ${HOME}/.cache/vivaldi-snapshot
-deny  ${HOME}/.cache/waterfox
+blacklist ${HOME}/.cache/vlc
-deny  ${HOME}/.cache/wesnoth
+blacklist ${HOME}/.cache/vmware
-deny  ${HOME}/.cache/winetricks
+blacklist ${HOME}/.cache/warsow-2.1
-deny  ${HOME}/.cache/xmms2
+blacklist ${HOME}/.cache/waterfox
-deny  ${HOME}/.cache/xreader
+blacklist ${HOME}/.cache/wesnoth
-deny  ${HOME}/.cache/yandex-browser
+blacklist ${HOME}/.cache/winetricks
-deny  ${HOME}/.cache/yandex-browser-beta
+blacklist ${HOME}/.cache/xmms2
-deny  ${HOME}/.cache/youtube-dl
+blacklist ${HOME}/.cache/xreader
-deny  ${HOME}/.cache/youtube-viewer
+blacklist ${HOME}/.cache/yandex-browser
-deny  ${RUNUSER}/*firefox*
+blacklist ${HOME}/.cache/yandex-browser-beta
+blacklist ${HOME}/.cache/youtube-dl
+blacklist ${HOME}/.cache/youtube-viewer
+blacklist ${RUNUSER}/*firefox*
+blacklist ${HOME}/.cache/zim
diff --git a/etc/inc/disable-shell.inc b/etc/inc/disable-shell.inc
index da6fb31a3..8274b0215 100644
--- a/etc/inc/disable-shell.inc
+++ b/etc/inc/disable-shell.inc
@@ -2,14 +2,14 @@
 # Persistent customizations should go in a .local file.
 include disable-shell.local
-deny  ${PATH}/bash
+blacklist ${PATH}/bash
-deny  ${PATH}/csh
+blacklist ${PATH}/csh
-deny  ${PATH}/dash
+blacklist ${PATH}/dash
-deny  ${PATH}/fish
+blacklist ${PATH}/fish
-deny  ${PATH}/ksh
+blacklist ${PATH}/ksh
-deny  ${PATH}/mksh
+blacklist ${PATH}/mksh
-deny  ${PATH}/oksh
+blacklist ${PATH}/oksh
-deny  ${PATH}/sh
+blacklist ${PATH}/sh
-deny  ${PATH}/tclsh
+blacklist ${PATH}/tclsh
-deny  ${PATH}/tcsh
+blacklist ${PATH}/tcsh
-deny  ${PATH}/zsh
+blacklist ${PATH}/zsh
diff --git a/etc/inc/disable-xdg.inc b/etc/inc/disable-xdg.inc
index 32aa8c7f6..22acf272d 100644
--- a/etc/inc/disable-xdg.inc
+++ b/etc/inc/disable-xdg.inc
@@ -2,10 +2,10 @@
 # Persistent customizations should go in a .local file.
 include disable-xdg.local
-deny  ${DOCUMENTS}
+blacklist ${DOCUMENTS}
-deny  ${MUSIC}
+blacklist ${MUSIC}
-deny  ${PICTURES}
+blacklist ${PICTURES}
-deny  ${VIDEOS}
+blacklist ${VIDEOS}
 # The following should be considered catch-all directories
 #blacklist ${DESKTOP}
diff --git a/etc/inc/whitelist-1793-workaround.inc b/etc/inc/whitelist-1793-workaround.inc
index 06a424440..862837f12 100644
--- a/etc/inc/whitelist-1793-workaround.inc
+++ b/etc/inc/whitelist-1793-workaround.inc
@@ -3,27 +3,27 @@
 include whitelist-1793-workaround.local
 # This works around bug 1793, and allows whitelisting to be used for some KDE applications.
-nodeny  ${HOME}/.config/ibus
+noblacklist ${HOME}/.config/ibus
-nodeny  ${HOME}/.config/mimeapps.list
+noblacklist ${HOME}/.config/mimeapps.list
-nodeny  ${HOME}/.config/pkcs11
+noblacklist ${HOME}/.config/pkcs11
-nodeny  ${HOME}/.config/user-dirs.dirs
+noblacklist ${HOME}/.config/user-dirs.dirs
-nodeny  ${HOME}/.config/user-dirs.locale
+noblacklist ${HOME}/.config/user-dirs.locale
-nodeny  ${HOME}/.config/dconf
+noblacklist ${HOME}/.config/dconf
-nodeny  ${HOME}/.config/fontconfig
+noblacklist ${HOME}/.config/fontconfig
-nodeny  ${HOME}/.config/gtk-2.0
+noblacklist ${HOME}/.config/gtk-2.0
-nodeny  ${HOME}/.config/gtk-3.0
+noblacklist ${HOME}/.config/gtk-3.0
-nodeny  ${HOME}/.config/gtk-4.0
+noblacklist ${HOME}/.config/gtk-4.0
-nodeny  ${HOME}/.config/gtkrc
+noblacklist ${HOME}/.config/gtkrc
-nodeny  ${HOME}/.config/gtkrc-2.0
+noblacklist ${HOME}/.config/gtkrc-2.0
-nodeny  ${HOME}/.config/Kvantum
+noblacklist ${HOME}/.config/Kvantum
-nodeny  ${HOME}/.config/Trolltech.conf
+noblacklist ${HOME}/.config/Trolltech.conf
-nodeny  ${HOME}/.config/QtProject.conf
+noblacklist ${HOME}/.config/QtProject.conf
-nodeny  ${HOME}/.config/kdeglobals
+noblacklist ${HOME}/.config/kdeglobals
-nodeny  ${HOME}/.config/kio_httprc
+noblacklist ${HOME}/.config/kio_httprc
-nodeny  ${HOME}/.config/kioslaverc
+noblacklist ${HOME}/.config/kioslaverc
-nodeny  ${HOME}/.config/ksslcablacklist
+noblacklist ${HOME}/.config/ksslcablacklist
-nodeny  ${HOME}/.config/qt5ct
+noblacklist ${HOME}/.config/qt5ct
-nodeny  ${HOME}/.config/qtcurve
+noblacklist ${HOME}/.config/qtcurve
-deny  ${HOME}/.config/*
+blacklist ${HOME}/.config/*
-allow  ${HOME}/.config
+whitelist ${HOME}/.config
diff --git a/etc/inc/whitelist-common.inc b/etc/inc/whitelist-common.inc
index 11070e372..fedfb2bc2 100644
--- a/etc/inc/whitelist-common.inc
+++ b/etc/inc/whitelist-common.inc
@@ -4,82 +4,82 @@ include whitelist-common.local
 # common whitelist for all profiles
-allow  ${HOME}/.XCompose
+whitelist ${HOME}/.XCompose
-allow  ${HOME}/.alsaequal.bin
+whitelist ${HOME}/.alsaequal.bin
-allow  ${HOME}/.asoundrc
+whitelist ${HOME}/.asoundrc
-allow  ${HOME}/.config/ibus
+whitelist ${HOME}/.config/ibus
-allow  ${HOME}/.config/mimeapps.list
+whitelist ${HOME}/.config/mimeapps.list
-allow  ${HOME}/.config/pkcs11
+whitelist ${HOME}/.config/pkcs11
 read-only ${HOME}/.config/pkcs11
-allow  ${HOME}/.config/user-dirs.dirs
+whitelist ${HOME}/.config/user-dirs.dirs
 read-only ${HOME}/.config/user-dirs.dirs
-allow  ${HOME}/.config/user-dirs.locale
+whitelist ${HOME}/.config/user-dirs.locale
 read-only ${HOME}/.config/user-dirs.locale
-allow  ${HOME}/.drirc
+whitelist ${HOME}/.drirc
-allow  ${HOME}/.icons
+whitelist ${HOME}/.icons
 ?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit
-allow  ${HOME}/.local/share/applications
+whitelist ${HOME}/.local/share/applications
 read-only ${HOME}/.local/share/applications
-allow  ${HOME}/.local/share/icons
+whitelist ${HOME}/.local/share/icons
-allow  ${HOME}/.local/share/mime
+whitelist ${HOME}/.local/share/mime
-allow  ${HOME}/.mime.types
+whitelist ${HOME}/.mime.types
-allow  ${HOME}/.sndio/cookie
+whitelist ${HOME}/.sndio/cookie
-allow  ${HOME}/.uim.d
+whitelist ${HOME}/.uim.d
 # dconf
 mkdir ${HOME}/.config/dconf
-allow  ${HOME}/.config/dconf
+whitelist ${HOME}/.config/dconf
 # fonts
-allow  ${HOME}/.cache/fontconfig
+whitelist ${HOME}/.cache/fontconfig
-allow  ${HOME}/.config/fontconfig
+whitelist ${HOME}/.config/fontconfig
-allow  ${HOME}/.fontconfig
+whitelist ${HOME}/.fontconfig
-allow  ${HOME}/.fonts
+whitelist ${HOME}/.fonts
-allow  ${HOME}/.fonts.conf
+whitelist ${HOME}/.fonts.conf
-allow  ${HOME}/.fonts.conf.d
+whitelist ${HOME}/.fonts.conf.d
-allow  ${HOME}/.fonts.d
+whitelist ${HOME}/.fonts.d
-allow  ${HOME}/.local/share/fonts
+whitelist ${HOME}/.local/share/fonts
-allow  ${HOME}/.pangorc
+whitelist ${HOME}/.pangorc
 # gtk
-allow  ${HOME}/.config/gtk-2.0
+whitelist ${HOME}/.config/gtk-2.0
-allow  ${HOME}/.config/gtk-3.0
+whitelist ${HOME}/.config/gtk-3.0
-allow  ${HOME}/.config/gtk-4.0
+whitelist ${HOME}/.config/gtk-4.0
-allow  ${HOME}/.config/gtkrc
+whitelist ${HOME}/.config/gtkrc
-allow  ${HOME}/.config/gtkrc-2.0
+whitelist ${HOME}/.config/gtkrc-2.0
-allow  ${HOME}/.gnome2
+whitelist ${HOME}/.gnome2
-allow  ${HOME}/.gnome2-private
+whitelist ${HOME}/.gnome2-private
-allow  ${HOME}/.gtk-2.0
+whitelist ${HOME}/.gtk-2.0
-allow  ${HOME}/.gtkrc
+whitelist ${HOME}/.gtkrc
-allow  ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.gtkrc-2.0
-allow  ${HOME}/.kde/share/config/gtkrc
+whitelist ${HOME}/.kde/share/config/gtkrc
-allow  ${HOME}/.kde/share/config/gtkrc-2.0
+whitelist ${HOME}/.kde/share/config/gtkrc-2.0
-allow  ${HOME}/.kde4/share/config/gtkrc
+whitelist ${HOME}/.kde4/share/config/gtkrc
-allow  ${HOME}/.kde4/share/config/gtkrc-2.0
+whitelist ${HOME}/.kde4/share/config/gtkrc-2.0
-allow  ${HOME}/.local/share/themes
+whitelist ${HOME}/.local/share/themes
-allow  ${HOME}/.themes
+whitelist ${HOME}/.themes
 # qt/kde
-allow  ${HOME}/.cache/kioexec/krun
+whitelist ${HOME}/.cache/kioexec/krun
-allow  ${HOME}/.config/Kvantum
+whitelist ${HOME}/.config/Kvantum
-allow  ${HOME}/.config/Trolltech.conf
+whitelist ${HOME}/.config/Trolltech.conf
-allow  ${HOME}/.config/QtProject.conf
+whitelist ${HOME}/.config/QtProject.conf
-allow  ${HOME}/.config/kdeglobals
+whitelist ${HOME}/.config/kdeglobals
-allow  ${HOME}/.config/kio_httprc
+whitelist ${HOME}/.config/kio_httprc
-allow  ${HOME}/.config/kioslaverc
+whitelist ${HOME}/.config/kioslaverc
-allow  ${HOME}/.config/ksslcablacklist
+whitelist ${HOME}/.config/ksslcablacklist
-allow  ${HOME}/.config/qt5ct
+whitelist ${HOME}/.config/qt5ct
-allow  ${HOME}/.config/qtcurve
+whitelist ${HOME}/.config/qtcurve
-allow  ${HOME}/.kde/share/config/kdeglobals
+whitelist ${HOME}/.kde/share/config/kdeglobals
-allow  ${HOME}/.kde/share/config/kio_httprc
+whitelist ${HOME}/.kde/share/config/kio_httprc
-allow  ${HOME}/.kde/share/config/kioslaverc
+whitelist ${HOME}/.kde/share/config/kioslaverc
-allow  ${HOME}/.kde/share/config/ksslcablacklist
+whitelist ${HOME}/.kde/share/config/ksslcablacklist
-allow  ${HOME}/.kde/share/config/oxygenrc
+whitelist ${HOME}/.kde/share/config/oxygenrc
-allow  ${HOME}/.kde/share/icons
+whitelist ${HOME}/.kde/share/icons
-allow  ${HOME}/.kde4/share/config/kdeglobals
+whitelist ${HOME}/.kde4/share/config/kdeglobals
-allow  ${HOME}/.kde4/share/config/kio_httprc
+whitelist ${HOME}/.kde4/share/config/kio_httprc
-allow  ${HOME}/.kde4/share/config/kioslaverc
+whitelist ${HOME}/.kde4/share/config/kioslaverc
-allow  ${HOME}/.kde4/share/config/ksslcablacklist
+whitelist ${HOME}/.kde4/share/config/ksslcablacklist
-allow  ${HOME}/.kde4/share/config/oxygenrc
+whitelist ${HOME}/.kde4/share/config/oxygenrc
-allow  ${HOME}/.kde4/share/icons
+whitelist ${HOME}/.kde4/share/icons
-allow  ${HOME}/.local/share/qt5ct
+whitelist ${HOME}/.local/share/qt5ct
diff --git a/etc/inc/whitelist-player-common.inc b/etc/inc/whitelist-player-common.inc
index d6ae8eab6..e5bf36804 100644
--- a/etc/inc/whitelist-player-common.inc
+++ b/etc/inc/whitelist-player-common.inc
@@ -4,8 +4,8 @@ include whitelist-player-common.local
 # common whitelist for all media players
-allow  ${DESKTOP}
+whitelist ${DESKTOP}
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${MUSIC}
+whitelist ${MUSIC}
-allow  ${PICTURES}
+whitelist ${PICTURES}
-allow  ${VIDEOS}
+whitelist ${VIDEOS}
diff --git a/etc/inc/whitelist-runuser-common.inc b/etc/inc/whitelist-runuser-common.inc
index 86e5264b9..48309ffe3 100644
--- a/etc/inc/whitelist-runuser-common.inc
+++ b/etc/inc/whitelist-runuser-common.inc
@@ -4,13 +4,13 @@ include whitelist-runuser-common.local
 # common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles
-allow  ${RUNUSER}/bus
+whitelist ${RUNUSER}/bus
-allow  ${RUNUSER}/dconf
+whitelist ${RUNUSER}/dconf
-allow  ${RUNUSER}/gdm/Xauthority
+whitelist ${RUNUSER}/gdm/Xauthority
-allow  ${RUNUSER}/ICEauthority
+whitelist ${RUNUSER}/ICEauthority
-allow  ${RUNUSER}/.mutter-Xwaylandauth.*
+whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
-allow  ${RUNUSER}/pulse/native
+whitelist ${RUNUSER}/pulse/native
-allow  ${RUNUSER}/wayland-0
+whitelist ${RUNUSER}/wayland-0
-allow  ${RUNUSER}/wayland-1
+whitelist ${RUNUSER}/wayland-1
-allow  ${RUNUSER}/xauth_*
+whitelist ${RUNUSER}/xauth_*
-allow  ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
+whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index 64296da15..fe0097934 100644
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -4,66 +4,66 @@ include whitelist-usr-share-common.local
 # common /usr/share whitelist for all profiles
-allow  /usr/share/alsa
+whitelist /usr/share/alsa
-allow  /usr/share/applications
+whitelist /usr/share/applications
-allow  /usr/share/ca-certificates
+whitelist /usr/share/ca-certificates
-allow  /usr/share/crypto-policies
+whitelist /usr/share/crypto-policies
-allow  /usr/share/cursors
+whitelist /usr/share/cursors
-allow  /usr/share/dconf
+whitelist /usr/share/dconf
-allow  /usr/share/distro-info
+whitelist /usr/share/distro-info
-allow  /usr/share/drirc.d
+whitelist /usr/share/drirc.d
-allow  /usr/share/enchant
+whitelist /usr/share/enchant
-allow  /usr/share/enchant-2
+whitelist /usr/share/enchant-2
-allow  /usr/share/file
+whitelist /usr/share/file
-allow  /usr/share/fontconfig
+whitelist /usr/share/fontconfig
-allow  /usr/share/fonts
+whitelist /usr/share/fonts
-allow  /usr/share/fonts-config
+whitelist /usr/share/fonts-config
-allow  /usr/share/gir-1.0
+whitelist /usr/share/gir-1.0
-allow  /usr/share/gjs-1.0
+whitelist /usr/share/gjs-1.0
-allow  /usr/share/glib-2.0
+whitelist /usr/share/glib-2.0
-allow  /usr/share/glvnd
+whitelist /usr/share/glvnd
-allow  /usr/share/gtk-2.0
+whitelist /usr/share/gtk-2.0
-allow  /usr/share/gtk-3.0
+whitelist /usr/share/gtk-3.0
-allow  /usr/share/gtk-engines
+whitelist /usr/share/gtk-engines
-allow  /usr/share/gtksourceview-3.0
+whitelist /usr/share/gtksourceview-3.0
-allow  /usr/share/gtksourceview-4
+whitelist /usr/share/gtksourceview-4
-allow  /usr/share/hunspell
+whitelist /usr/share/hunspell
-allow  /usr/share/hwdata
+whitelist /usr/share/hwdata
-allow  /usr/share/icons
+whitelist /usr/share/icons
-allow  /usr/share/icu
+whitelist /usr/share/icu
-allow  /usr/share/knotifications5
+whitelist /usr/share/knotifications5
-allow  /usr/share/kservices5
+whitelist /usr/share/kservices5
-allow  /usr/share/Kvantum
+whitelist /usr/share/Kvantum
-allow  /usr/share/kxmlgui5
+whitelist /usr/share/kxmlgui5
-allow  /usr/share/libdrm
+whitelist /usr/share/libdrm
-allow  /usr/share/libthai
+whitelist /usr/share/libthai
-allow  /usr/share/locale
+whitelist /usr/share/locale
-allow  /usr/share/mime
+whitelist /usr/share/mime
-allow  /usr/share/misc
+whitelist /usr/share/misc
-allow  /usr/share/Modules
+whitelist /usr/share/Modules
-allow  /usr/share/myspell
+whitelist /usr/share/myspell
-allow  /usr/share/p11-kit
+whitelist /usr/share/p11-kit
-allow  /usr/share/perl
+whitelist /usr/share/perl
-allow  /usr/share/perl5
+whitelist /usr/share/perl5
-allow  /usr/share/pixmaps
+whitelist /usr/share/pixmaps
-allow  /usr/share/pki
+whitelist /usr/share/pki
-allow  /usr/share/plasma
+whitelist /usr/share/plasma
-allow  /usr/share/publicsuffix
+whitelist /usr/share/publicsuffix
-allow  /usr/share/qt
+whitelist /usr/share/qt
-allow  /usr/share/qt4
+whitelist /usr/share/qt4
-allow  /usr/share/qt5
+whitelist /usr/share/qt5
-allow  /usr/share/qt5ct
+whitelist /usr/share/qt5ct
-allow  /usr/share/sounds
+whitelist /usr/share/sounds
-allow  /usr/share/tcl8.6
+whitelist /usr/share/tcl8.6
-allow  /usr/share/tcltk
+whitelist /usr/share/tcltk
-allow  /usr/share/terminfo
+whitelist /usr/share/terminfo
-allow  /usr/share/texlive
+whitelist /usr/share/texlive
-allow  /usr/share/texmf
+whitelist /usr/share/texmf
-allow  /usr/share/themes
+whitelist /usr/share/themes
-allow  /usr/share/thumbnail.so
+whitelist /usr/share/thumbnail.so
-allow  /usr/share/uim
+whitelist /usr/share/uim
-allow  /usr/share/vulkan
+whitelist /usr/share/vulkan
-allow  /usr/share/X11
+whitelist /usr/share/X11
-allow  /usr/share/xml
+whitelist /usr/share/xml
-allow  /usr/share/zenity
+whitelist /usr/share/zenity
-allow  /usr/share/zoneinfo
+whitelist /usr/share/zoneinfo
diff --git a/etc/inc/whitelist-var-common.inc b/etc/inc/whitelist-var-common.inc
index c449e8905..d8ba84ad0 100644
--- a/etc/inc/whitelist-var-common.inc
+++ b/etc/inc/whitelist-var-common.inc
@@ -4,12 +4,12 @@ include whitelist-var-common.local
 # common /var whitelist for all profiles
-allow  /var/lib/aspell
+whitelist /var/lib/aspell
-allow  /var/lib/ca-certificates
+whitelist /var/lib/ca-certificates
-allow  /var/lib/dbus
+whitelist /var/lib/dbus
-allow  /var/lib/menu-xdg
+whitelist /var/lib/menu-xdg
-allow  /var/lib/uim
+whitelist /var/lib/uim
-allow  /var/cache/fontconfig
+whitelist /var/cache/fontconfig
-allow  /var/tmp
+whitelist /var/tmp
-allow  /var/run
+whitelist /var/run
-allow  /var/lock
+whitelist /var/lock
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile
index 6f493fff1..4009853d3 100644
--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -6,11 +6,11 @@ include 0ad.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/0ad
+noblacklist ${HOME}/.cache/0ad
-nodeny  ${HOME}/.config/0ad
+noblacklist ${HOME}/.config/0ad
-nodeny  ${HOME}/.local/share/0ad
+noblacklist ${HOME}/.local/share/0ad
-deny  /usr/libexec
+blacklist /usr/libexec
 include disable-common.inc
 include disable-devel.inc
@@ -23,11 +23,11 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/0ad
 mkdir ${HOME}/.config/0ad
 mkdir ${HOME}/.local/share/0ad
-allow  ${HOME}/.cache/0ad
+whitelist ${HOME}/.cache/0ad
-allow  ${HOME}/.config/0ad
+whitelist ${HOME}/.config/0ad
-allow  ${HOME}/.local/share/0ad
+whitelist ${HOME}/.local/share/0ad
-allow  /usr/share/0ad
+whitelist /usr/share/0ad
-allow  /usr/share/games
+whitelist /usr/share/games
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/2048-qt.profile b/etc/profile-a-l/2048-qt.profile
index 3a7b331a7..1d787cba7 100644
--- a/etc/profile-a-l/2048-qt.profile
+++ b/etc/profile-a-l/2048-qt.profile
@@ -6,8 +6,8 @@ include 2048-qt.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/2048-qt
+noblacklist ${HOME}/.config/2048-qt
-nodeny  ${HOME}/.config/xiaoyong
+noblacklist ${HOME}/.config/xiaoyong
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-programs.inc
 mkdir ${HOME}/.config/2048-qt
 mkdir ${HOME}/.config/xiaoyong
-allow  ${HOME}/.config/2048-qt
+whitelist ${HOME}/.config/2048-qt
-allow  ${HOME}/.config/xiaoyong
+whitelist ${HOME}/.config/xiaoyong
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/Cryptocat.profile b/etc/profile-a-l/Cryptocat.profile
index def0ec111..1d86b0fbf 100644
--- a/etc/profile-a-l/Cryptocat.profile
+++ b/etc/profile-a-l/Cryptocat.profile
@@ -5,7 +5,7 @@ include Cryptocat.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Cryptocat
+noblacklist ${HOME}/.config/Cryptocat
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/Discord.profile b/etc/profile-a-l/Discord.profile
index 1d3ae49ca..3f274b21c 100644
--- a/etc/profile-a-l/Discord.profile
+++ b/etc/profile-a-l/Discord.profile
@@ -5,10 +5,10 @@ include Discord.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/discord
+noblacklist ${HOME}/.config/discord
 mkdir ${HOME}/.config/discord
-allow  ${HOME}/.config/discord
+whitelist ${HOME}/.config/discord
 private-bin Discord
 private-opt Discord
diff --git a/etc/profile-a-l/DiscordCanary.profile b/etc/profile-a-l/DiscordCanary.profile
index 3c85f187b..d24e73ed8 100644
--- a/etc/profile-a-l/DiscordCanary.profile
+++ b/etc/profile-a-l/DiscordCanary.profile
@@ -5,10 +5,10 @@ include DiscordCanary.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/discordcanary
+noblacklist ${HOME}/.config/discordcanary
 mkdir ${HOME}/.config/discordcanary
-allow  ${HOME}/.config/discordcanary
+whitelist ${HOME}/.config/discordcanary
 private-bin DiscordCanary
 private-opt DiscordCanary
diff --git a/etc/profile-a-l/Fritzing.profile b/etc/profile-a-l/Fritzing.profile
index 8f746581f..7dc6b5ff0 100644
--- a/etc/profile-a-l/Fritzing.profile
+++ b/etc/profile-a-l/Fritzing.profile
@@ -6,8 +6,8 @@ include Fritzing.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Fritzing
+noblacklist ${HOME}/.config/Fritzing
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/JDownloader.profile b/etc/profile-a-l/JDownloader.profile
index 9a00c3230..d10b70796 100644
--- a/etc/profile-a-l/JDownloader.profile
+++ b/etc/profile-a-l/JDownloader.profile
@@ -5,7 +5,7 @@ include JDownloader.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.jd
+noblacklist ${HOME}/.jd
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -19,8 +19,8 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.jd
-allow  ${HOME}/.jd
+whitelist ${HOME}/.jd
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
index 2a92c7db4..75da9a956 100644
--- a/etc/profile-a-l/abiword.profile
+++ b/etc/profile-a-l/abiword.profile
@@ -6,7 +6,7 @@ include abiword.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/abiword
+noblacklist ${HOME}/.config/abiword
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
-allow  /usr/share/abiword-3.0
+whitelist /usr/share/abiword-3.0
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/abrowser.profile b/etc/profile-a-l/abrowser.profile
index 70ddcec20..2e6e8f1af 100644
--- a/etc/profile-a-l/abrowser.profile
+++ b/etc/profile-a-l/abrowser.profile
@@ -5,13 +5,13 @@ include abrowser.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.cache/mozilla
-nodeny  ${HOME}/.mozilla
+noblacklist ${HOME}/.mozilla
 mkdir ${HOME}/.cache/mozilla/abrowser
 mkdir ${HOME}/.mozilla
-allow  ${HOME}/.cache/mozilla/abrowser
+whitelist ${HOME}/.cache/mozilla/abrowser
-allow  ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla
 # private-etc must first be enabled in firefox-common.profile
 #private-etc abrowser
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
index d32586c5b..34f59769e 100644
--- a/etc/profile-a-l/agetpkg.profile
+++ b/etc/profile-a-l/agetpkg.profile
@@ -7,8 +7,8 @@ include agetpkg.local
 # Persistent global definitions
 include globals.local
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
@@ -23,7 +23,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile
index 7b1d1445f..37fdb38b5 100644
--- a/etc/profile-a-l/akonadi_control.profile
+++ b/etc/profile-a-l/akonadi_control.profile
@@ -4,22 +4,22 @@ include akonadi_control.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.cache/akonadi*
-nodeny  ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/akonadi*
-nodeny  ${HOME}/.config/baloorc
+noblacklist ${HOME}/.config/baloorc
-nodeny  ${HOME}/.config/emaildefaults
+noblacklist ${HOME}/.config/emaildefaults
-nodeny  ${HOME}/.config/emailidentities
+noblacklist ${HOME}/.config/emailidentities
-nodeny  ${HOME}/.config/kmail2rc
+noblacklist ${HOME}/.config/kmail2rc
-nodeny  ${HOME}/.config/mailtransports
+noblacklist ${HOME}/.config/mailtransports
-nodeny  ${HOME}/.config/specialmailcollectionsrc
+noblacklist ${HOME}/.config/specialmailcollectionsrc
-nodeny  ${HOME}/.local/share/akonadi*
+noblacklist ${HOME}/.local/share/akonadi*
-nodeny  ${HOME}/.local/share/apps/korganizer
+noblacklist ${HOME}/.local/share/apps/korganizer
-nodeny  ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/contacts
-nodeny  ${HOME}/.local/share/local-mail
+noblacklist ${HOME}/.local/share/local-mail
-nodeny  ${HOME}/.local/share/notes
+noblacklist ${HOME}/.local/share/notes
-nodeny  /sbin
+noblacklist /sbin
-nodeny  /tmp/akonadi-*
+noblacklist /tmp/akonadi-*
-nodeny  /usr/sbin
+noblacklist /usr/sbin
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile
index b2323547c..38fcd2dc1 100644
--- a/etc/profile-a-l/akregator.profile
+++ b/etc/profile-a-l/akregator.profile
@@ -6,9 +6,9 @@ include akregator.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/akregatorrc
+noblacklist ${HOME}/.config/akregatorrc
-nodeny  ${HOME}/.local/share/akregator
+noblacklist ${HOME}/.local/share/akregator
-nodeny  ${HOME}/.local/share/kxmlgui5/akregator
+noblacklist ${HOME}/.local/share/kxmlgui5/akregator
 include disable-common.inc
 include disable-devel.inc
@@ -21,10 +21,10 @@ include disable-shell.inc
 mkfile ${HOME}/.config/akregatorrc
 mkdir ${HOME}/.local/share/akregator
 mkdir ${HOME}/.local/share/kxmlgui5/akregator
-allow  ${HOME}/.config/akregatorrc
+whitelist ${HOME}/.config/akregatorrc
-allow  ${HOME}/.local/share/akregator
+whitelist ${HOME}/.local/share/akregator
-allow  ${HOME}/.local/share/kssl
+whitelist ${HOME}/.local/share/kssl
-allow  ${HOME}/.local/share/kxmlgui5/akregator
+whitelist ${HOME}/.local/share/kxmlgui5/akregator
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index ca6c8d887..4c6d68020 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -19,13 +19,13 @@ include disable-passwdmgr.inc
 include disable-xdg.inc
 # Whitelist your system icon directory,varies by distro
-allow  /usr/share/alacarte
+whitelist /usr/share/alacarte
-allow  /usr/share/app-info
+whitelist /usr/share/app-info
-allow  /usr/share/desktop-directories
+whitelist /usr/share/desktop-directories
-allow  /usr/share/icons
+whitelist /usr/share/icons
-allow  /var/lib/app-info/icons
+whitelist /var/lib/app-info/icons
-allow  /var/lib/flatpak/exports/share/applications
+whitelist /var/lib/flatpak/exports/share/applications
-allow  /var/lib/flatpak/exports/share/icons
+whitelist /var/lib/flatpak/exports/share/icons
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile
index 220c3345d..81ee6bd46 100644
--- a/etc/profile-a-l/alienarena.profile
+++ b/etc/profile-a-l/alienarena.profile
@@ -6,7 +6,7 @@ include alienarena.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/cor-games
+noblacklist ${HOME}/.local/share/cor-games
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.local/share/cor-games
-allow  ${HOME}/.local/share/cor-games
+whitelist ${HOME}/.local/share/cor-games
-allow  /usr/share/alienarena
+whitelist /usr/share/alienarena
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/alpine.profile b/etc/profile-a-l/alpine.profile
index 6fa3edfa1..0b5cf0df0 100644
--- a/etc/profile-a-l/alpine.profile
+++ b/etc/profile-a-l/alpine.profile
@@ -10,28 +10,28 @@ include globals.local
 # Workaround for bug https://github.com/netblue30/firejail/issues/2747
 # firejail --private-bin=sh --include='${CFG}/allow-bin-sh.inc' --profile=alpine sh -c '(alpine)'
-nodeny  /var/mail
+noblacklist /var/mail
-nodeny  /var/spool/mail
+noblacklist /var/spool/mail
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${HOME}/.addressbook
+noblacklist ${HOME}/.addressbook
-nodeny  ${HOME}/.alpine-smime
+noblacklist ${HOME}/.alpine-smime
-nodeny  ${HOME}/.mailcap
+noblacklist ${HOME}/.mailcap
-nodeny  ${HOME}/.mh_profile
+noblacklist ${HOME}/.mh_profile
-nodeny  ${HOME}/.mime.types
+noblacklist ${HOME}/.mime.types
-nodeny  ${HOME}/.newsrc
+noblacklist ${HOME}/.newsrc
-nodeny  ${HOME}/.pine-crash
+noblacklist ${HOME}/.pine-crash
-nodeny  ${HOME}/.pine-debug1
+noblacklist ${HOME}/.pine-debug1
-nodeny  ${HOME}/.pine-debug2
+noblacklist ${HOME}/.pine-debug2
-nodeny  ${HOME}/.pine-debug3
+noblacklist ${HOME}/.pine-debug3
-nodeny  ${HOME}/.pine-debug4
+noblacklist ${HOME}/.pine-debug4
-nodeny  ${HOME}/.pine-interrupted-mail
+noblacklist ${HOME}/.pine-interrupted-mail
-nodeny  ${HOME}/.pinerc
+noblacklist ${HOME}/.pinerc
-nodeny  ${HOME}/.pinercex
+noblacklist ${HOME}/.pinercex
-nodeny  ${HOME}/.signature
+noblacklist ${HOME}/.signature
-nodeny  ${HOME}/mail
+noblacklist ${HOME}/mail
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
@@ -60,8 +60,8 @@ include disable-xdg.inc
 #whitelist ${HOME}/.pine-debug4
 #whitelist ${HOME}/.signature
 #whitelist ${HOME}/mail
-allow  /var/mail
+whitelist /var/mail
-allow  /var/spool/mail
+whitelist /var/spool/mail
 #include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile
index 03aba36e4..a7caddc4c 100644
--- a/etc/profile-a-l/amarok.profile
+++ b/etc/profile-a-l/amarok.profile
@@ -6,7 +6,7 @@ include amarok.local
 # Persistent global definitions
 include globals.local
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/amule.profile b/etc/profile-a-l/amule.profile
index 00039a7e9..e3c4164ee 100644
--- a/etc/profile-a-l/amule.profile
+++ b/etc/profile-a-l/amule.profile
@@ -6,7 +6,7 @@ include amule.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.aMule
+noblacklist ${HOME}/.aMule
 include disable-common.inc
 include disable-devel.inc
@@ -16,8 +16,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.aMule
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.aMule
+whitelist ${HOME}/.aMule
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/android-studio.profile b/etc/profile-a-l/android-studio.profile
index 5bf6ed773..5a21744cf 100644
--- a/etc/profile-a-l/android-studio.profile
+++ b/etc/profile-a-l/android-studio.profile
@@ -5,13 +5,13 @@ include android-studio.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Google
+noblacklist ${HOME}/.config/Google
-nodeny  ${HOME}/.AndroidStudio*
+noblacklist ${HOME}/.AndroidStudio*
-nodeny  ${HOME}/.android
+noblacklist ${HOME}/.android
-nodeny  ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-server
-nodeny  ${HOME}/.jack-settings
+noblacklist ${HOME}/.jack-settings
-nodeny  ${HOME}/.local/share/JetBrains
+noblacklist ${HOME}/.local/share/JetBrains
-nodeny  ${HOME}/.tooling
+noblacklist ${HOME}/.tooling
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile
index c1aa18ff3..13bb01ce2 100644
--- a/etc/profile-a-l/anki.profile
+++ b/etc/profile-a-l/anki.profile
@@ -6,8 +6,8 @@ include anki.local
 # Persistent global definitions
 include globals.local
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${HOME}/.local/share/Anki2
+noblacklist ${HOME}/.local/share/Anki2
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -23,8 +23,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.local/share/Anki2
-allow  ${DOCUMENTS}
+whitelist ${DOCUMENTS}
-allow  ${HOME}/.local/share/Anki2
+whitelist ${HOME}/.local/share/Anki2
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/anydesk.profile b/etc/profile-a-l/anydesk.profile
index cb30ed8da..fdaf10259 100644
--- a/etc/profile-a-l/anydesk.profile
+++ b/etc/profile-a-l/anydesk.profile
@@ -5,7 +5,7 @@ include anydesk.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.anydesk
+noblacklist ${HOME}/.anydesk
 include disable-common.inc
 include disable-devel.inc
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 mkdir ${HOME}/.anydesk
-allow  ${HOME}/.anydesk
+whitelist ${HOME}/.anydesk
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/aosp.profile b/etc/profile-a-l/aosp.profile
index d647a4657..e7b09283e 100644
--- a/etc/profile-a-l/aosp.profile
+++ b/etc/profile-a-l/aosp.profile
@@ -5,13 +5,13 @@ include aosp.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.android
+noblacklist ${HOME}/.android
-nodeny  ${HOME}/.bash_history
+noblacklist ${HOME}/.bash_history
-nodeny  ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-server
-nodeny  ${HOME}/.jack-settings
+noblacklist ${HOME}/.jack-settings
-nodeny  ${HOME}/.repo_.gitconfig.json
+noblacklist ${HOME}/.repo_.gitconfig.json
-nodeny  ${HOME}/.repoconfig
+noblacklist ${HOME}/.repoconfig
-nodeny  ${HOME}/.tooling
+noblacklist ${HOME}/.tooling
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
index 020ae2812..01566314f 100644
--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -6,9 +6,9 @@ include apostrophe.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.texlive20*
+noblacklist ${HOME}/.texlive20*
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -31,12 +31,12 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/libexec/webkit2gtk-4.0
+whitelist /usr/libexec/webkit2gtk-4.0
-allow  /usr/share/apostrophe
+whitelist /usr/share/apostrophe
-allow  /usr/share/texlive
+whitelist /usr/share/texlive
-allow  /usr/share/texmf
+whitelist /usr/share/texmf
-allow  /usr/share/pandoc-*
+whitelist /usr/share/pandoc-*
-allow  /usr/share/perl5
+whitelist /usr/share/perl5
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/arch-audit.profile b/etc/profile-a-l/arch-audit.profile
index 8c71dd574..accabb6f5 100644
--- a/etc/profile-a-l/arch-audit.profile
+++ b/etc/profile-a-l/arch-audit.profile
@@ -7,7 +7,7 @@ include arch-audit.local
 # Persistent global definitions
 include globals.local
-nodeny  /var/lib/pacman
+noblacklist /var/lib/pacman
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/arch-audit
+whitelist /usr/share/arch-audit
 include whitelist-usr-share-common.inc
 apparmor
diff --git a/etc/profile-a-l/archaudit-report.profile b/etc/profile-a-l/archaudit-report.profile
index 0915ede33..19c37f90e 100644
--- a/etc/profile-a-l/archaudit-report.profile
+++ b/etc/profile-a-l/archaudit-report.profile
@@ -6,7 +6,7 @@ include archaudit-report.local
 # Persistent global definitions
 include globals.local
-nodeny  /var/lib/pacman
+noblacklist /var/lib/pacman
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile
index 5b859ceb1..1fab4606b 100644
--- a/etc/profile-a-l/archiver-common.profile
+++ b/etc/profile-a-l/archiver-common.profile
@@ -4,7 +4,7 @@ include archiver-common.local
 # common profile for archiver/compression tools
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
 # Comment/uncomment the relevant include file(s) in your archiver-common.local
 # to (un)restrict file access for **all** archivers. Another option is to do this **per archiver**
diff --git a/etc/profile-a-l/ardour5.profile b/etc/profile-a-l/ardour5.profile
index 960948afc..84b1d6c18 100644
--- a/etc/profile-a-l/ardour5.profile
+++ b/etc/profile-a-l/ardour5.profile
@@ -5,12 +5,12 @@ include ardour5.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/ardour4
+noblacklist ${HOME}/.config/ardour4
-nodeny  ${HOME}/.config/ardour5
+noblacklist ${HOME}/.config/ardour5
-nodeny  ${HOME}/.lv2
+noblacklist ${HOME}/.lv2
-nodeny  ${HOME}/.vst
+noblacklist ${HOME}/.vst
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/arduino.profile b/etc/profile-a-l/arduino.profile
index 88f14fbfe..fd1ca9a09 100644
--- a/etc/profile-a-l/arduino.profile
+++ b/etc/profile-a-l/arduino.profile
@@ -6,9 +6,9 @@ include arduino.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.arduino15
+noblacklist ${HOME}/.arduino15
-nodeny  ${HOME}/Arduino
+noblacklist ${HOME}/Arduino
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
index be56011f0..22b8ecd65 100644
--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -6,12 +6,12 @@ include aria2c.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.aria2
+noblacklist ${HOME}/.aria2
-nodeny  ${HOME}/.config/aria2
+noblacklist ${HOME}/.config/aria2
-nodeny  ${HOME}/.netrc
+noblacklist ${HOME}/.netrc
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile
index 031c57080..a63dd8f5f 100644
--- a/etc/profile-a-l/ark.profile
+++ b/etc/profile-a-l/ark.profile
@@ -6,8 +6,8 @@ include ark.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/arkrc
+noblacklist ${HOME}/.config/arkrc
-nodeny  ${HOME}/.local/share/kxmlgui5/ark
+noblacklist ${HOME}/.local/share/kxmlgui5/ark
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-allow  /usr/share/ark
+whitelist /usr/share/ark
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile
index 9ed8076be..2c8b630ce 100644
--- a/etc/profile-a-l/arm.profile
+++ b/etc/profile-a-l/arm.profile
@@ -6,7 +6,7 @@ include arm.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.arm
+noblacklist ${HOME}/.arm
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -20,7 +20,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.arm
-allow  ${HOME}/.arm
+whitelist ${HOME}/.arm
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile
index 7cfac4915..fab72b7d3 100644
--- a/etc/profile-a-l/artha.profile
+++ b/etc/profile-a-l/artha.profile
@@ -6,12 +6,12 @@ include artha.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/artha.conf
+noblacklist ${HOME}/.config/artha.conf
-nodeny  ${HOME}/.config/artha.log
+noblacklist ${HOME}/.config/artha.log
-nodeny  ${HOME}/.config/enchant
+noblacklist ${HOME}/.config/enchant
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
@@ -28,8 +28,8 @@ include disable-xdg.inc
 #whitelist ${HOME}/.config/artha.conf
 #whitelist ${HOME}/.config/artha.log
 #whitelist ${HOME}/.config/enchant
-allow  /usr/share/artha
+whitelist /usr/share/artha
-allow  /usr/share/wordnet
+whitelist /usr/share/wordnet
 #include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/assogiate.profile b/etc/profile-a-l/assogiate.profile
index f2251c210..977fe30a4 100644
--- a/etc/profile-a-l/assogiate.profile
+++ b/etc/profile-a-l/assogiate.profile
@@ -6,7 +6,7 @@ include assogiate.local
 # Persistent global definitions
 include globals.local
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  ${PICTURES}
+whitelist ${PICTURES}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/asunder.profile b/etc/profile-a-l/asunder.profile
index e65072266..c97fd691a 100644
--- a/etc/profile-a-l/asunder.profile
+++ b/etc/profile-a-l/asunder.profile
@@ -6,11 +6,11 @@ include asunder.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/asunder
+noblacklist ${HOME}/.config/asunder
-nodeny  ${HOME}/.asunder_album_genre
+noblacklist ${HOME}/.asunder_album_genre
-nodeny  ${HOME}/.asunder_album_title
+noblacklist ${HOME}/.asunder_album_title
-nodeny  ${HOME}/.asunder_album_artist
+noblacklist ${HOME}/.asunder_album_artist
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile
index ea3038537..5f237ac59 100644
--- a/etc/profile-a-l/atom.profile
+++ b/etc/profile-a-l/atom.profile
@@ -18,8 +18,8 @@ ignore include whitelist-var-common.inc
 ignore apparmor
 ignore disable-mnt
-nodeny  ${HOME}/.atom
+noblacklist ${HOME}/.atom
-nodeny  ${HOME}/.config/Atom
+noblacklist ${HOME}/.config/Atom
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile
index 8ae8617cf..1c3ed66ff 100644
--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@@ -6,9 +6,9 @@ include atril.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/atril
+noblacklist ${HOME}/.cache/atril
-nodeny  ${HOME}/.config/atril
+noblacklist ${HOME}/.config/atril
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 #noblacklist ${HOME}/.local/share
 # it seems to use only ${HOME}/.local/share/webkitgtk
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile
index 53baf0a2a..f9f209786 100644
--- a/etc/profile-a-l/audacious.profile
+++ b/etc/profile-a-l/audacious.profile
@@ -6,9 +6,9 @@ include audacious.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Audaciousrc
+noblacklist ${HOME}/.config/Audaciousrc
-nodeny  ${HOME}/.config/audacious
+noblacklist ${HOME}/.config/audacious
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
index c244846e1..a2de8436a 100644
--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -6,9 +6,9 @@ include audacity.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.audacity-data
+noblacklist ${HOME}/.audacity-data
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile
index 534792cc6..2c7fdc812 100644
--- a/etc/profile-a-l/audio-recorder.profile
+++ b/etc/profile-a-l/audio-recorder.profile
@@ -7,7 +7,7 @@ include audio-recorder.local
 # Persistent global definitions
 include globals.local
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
@@ -17,10 +17,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  ${MUSIC}
+whitelist ${MUSIC}
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  /usr/share/audio-recorder
+whitelist /usr/share/audio-recorder
-allow  /usr/share/gstreamer-1.0
+whitelist /usr/share/gstreamer-1.0
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile
index 0d6eb6a21..2ebe35dd5 100644
--- a/etc/profile-a-l/authenticator-rs.profile
+++ b/etc/profile-a-l/authenticator-rs.profile
@@ -6,7 +6,7 @@ include authenticator-rs.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/authenticator-rs
+noblacklist ${HOME}/.local/share/authenticator-rs
 include disable-common.inc
 include disable-devel.inc
@@ -18,9 +18,9 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.local/share/authenticator-rs
-allow  ${HOME}/.local/share/authenticator-rs
+whitelist ${HOME}/.local/share/authenticator-rs
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  /usr/share/uk.co.grumlimited.authenticator-rs
+whitelist /usr/share/uk.co.grumlimited.authenticator-rs
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile
index 55d967e3e..42d9cd56a 100644
--- a/etc/profile-a-l/authenticator.profile
+++ b/etc/profile-a-l/authenticator.profile
@@ -6,8 +6,8 @@ include authenticator.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/Authenticator
+noblacklist ${HOME}/.cache/Authenticator
-nodeny  ${HOME}/.config/Authenticator
+noblacklist ${HOME}/.config/Authenticator
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
diff --git a/etc/profile-a-l/autokey-common.profile b/etc/profile-a-l/autokey-common.profile
index a5b3b22f6..891928e5a 100644
--- a/etc/profile-a-l/autokey-common.profile
+++ b/etc/profile-a-l/autokey-common.profile
@@ -7,8 +7,8 @@ include autokey-common.local
 # added by caller profile
 #include globals.local
-nodeny  ${HOME}/.config/autokey
+noblacklist ${HOME}/.config/autokey
-nodeny  ${HOME}/.local/share/autokey
+noblacklist ${HOME}/.local/share/autokey
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/avidemux.profile b/etc/profile-a-l/avidemux.profile
index 0feb05d75..7f9d0f6e7 100644
--- a/etc/profile-a-l/avidemux.profile
+++ b/etc/profile-a-l/avidemux.profile
@@ -5,9 +5,9 @@ include avidemux.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.avidemux6
+noblacklist ${HOME}/.avidemux6
-nodeny  ${HOME}/.config/avidemux3_qt5rc
+noblacklist ${HOME}/.config/avidemux3_qt5rc
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
@@ -20,9 +20,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.avidemux6
 mkdir ${HOME}/.config/avidemux3_qt5rc
-allow  ${HOME}/.avidemux6
+whitelist ${HOME}/.avidemux6
-allow  ${HOME}/.config/avidemux3_qt5rc
+whitelist ${HOME}/.config/avidemux3_qt5rc
-allow  ${VIDEOS}
+whitelist ${VIDEOS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/aweather.profile b/etc/profile-a-l/aweather.profile
index abe9fdb24..a57ad4014 100644
--- a/etc/profile-a-l/aweather.profile
+++ b/etc/profile-a-l/aweather.profile
@@ -6,7 +6,7 @@ include aweather.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/aweather
+noblacklist ${HOME}/.config/aweather
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-programs.inc
 include disable-shell.inc
 mkdir ${HOME}/.config/aweather
-allow  ${HOME}/.config/aweather
+whitelist ${HOME}/.config/aweather
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/awesome.profile b/etc/profile-a-l/awesome.profile
index 58f4f5e96..5d1bf5071 100644
--- a/etc/profile-a-l/awesome.profile
+++ b/etc/profile-a-l/awesome.profile
@@ -7,7 +7,7 @@ include awesome.local
 include globals.local
 # all applications started in awesome will run in this profile
-nodeny  ${HOME}/.config/awesome
+noblacklist ${HOME}/.config/awesome
 include disable-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/ballbuster.profile b/etc/profile-a-l/ballbuster.profile
index 46bb0b44e..3952921a3 100644
--- a/etc/profile-a-l/ballbuster.profile
+++ b/etc/profile-a-l/ballbuster.profile
@@ -6,7 +6,7 @@ include ballbuster.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.ballbuster.hs
+noblacklist ${HOME}/.ballbuster.hs
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkfile ${HOME}/.ballbuster.hs
-allow  ${HOME}/.ballbuster.hs
+whitelist ${HOME}/.ballbuster.hs
-allow  /usr/share/ballbuster
+whitelist /usr/share/ballbuster
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile
index 2b10883f7..fe86d9b80 100644
--- a/etc/profile-a-l/baloo_file.profile
+++ b/etc/profile-a-l/baloo_file.profile
@@ -12,12 +12,12 @@ include globals.local
 # read-write ${HOME}/.local/share/baloo
 # ignore read-write
-nodeny  ${HOME}/.config/baloofilerc
+noblacklist ${HOME}/.config/baloofilerc
-nodeny  ${HOME}/.kde/share/config/baloofilerc
+noblacklist ${HOME}/.kde/share/config/baloofilerc
-nodeny  ${HOME}/.kde/share/config/baloorc
+noblacklist ${HOME}/.kde/share/config/baloorc
-nodeny  ${HOME}/.kde4/share/config/baloofilerc
+noblacklist ${HOME}/.kde4/share/config/baloofilerc
-nodeny  ${HOME}/.kde4/share/config/baloorc
+noblacklist ${HOME}/.kde4/share/config/baloorc
-nodeny  ${HOME}/.local/share/baloo
+noblacklist ${HOME}/.local/share/baloo
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index 1e74443aa..8c69652c5 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -6,13 +6,13 @@ include balsa.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.balsa
+noblacklist ${HOME}/.balsa
-nodeny  ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
-nodeny  ${HOME}/.mozilla
+noblacklist ${HOME}/.mozilla
-nodeny  ${HOME}/.signature
+noblacklist ${HOME}/.signature
-nodeny  ${HOME}/mail
+noblacklist ${HOME}/mail
-nodeny  /var/mail
+noblacklist /var/mail
-nodeny  /var/spool/mail
+noblacklist /var/spool/mail
 include disable-common.inc
 include disable-devel.inc
@@ -27,17 +27,17 @@ mkdir ${HOME}/.balsa
 mkdir ${HOME}/.gnupg
 mkfile ${HOME}/.signature
 mkdir ${HOME}/mail
-allow  ${HOME}/.balsa
+whitelist ${HOME}/.balsa
-allow  ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
-allow  ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
-allow  ${HOME}/.signature
+whitelist ${HOME}/.signature
-allow  ${HOME}/mail
+whitelist ${HOME}/mail
-allow  ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/gnupg
-allow  /usr/share/balsa
+whitelist /usr/share/balsa
-allow  /usr/share/gnupg
+whitelist /usr/share/gnupg
-allow  /usr/share/gnupg2
+whitelist /usr/share/gnupg2
-allow  /var/mail
+whitelist /var/mail
-allow  /var/spool/mail
+whitelist /var/spool/mail
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/barrier.profile b/etc/profile-a-l/barrier.profile
index fcea9b3ba..7b50e9199 100644
--- a/etc/profile-a-l/barrier.profile
+++ b/etc/profile-a-l/barrier.profile
@@ -6,9 +6,9 @@ include barrier.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Debauchee/Barrier.conf
+noblacklist ${HOME}/.config/Debauchee/Barrier.conf
-nodeny  ${HOME}/.local/share/barrier
+noblacklist ${HOME}/.local/share/barrier
-nodeny  ${PATH}/openssl
+noblacklist ${PATH}/openssl
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/basilisk.profile b/etc/profile-a-l/basilisk.profile
index 547c67fc8..8dc3847a0 100644
--- a/etc/profile-a-l/basilisk.profile
+++ b/etc/profile-a-l/basilisk.profile
@@ -5,13 +5,13 @@ include basilisk.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/moonchild productions/basilisk
+noblacklist ${HOME}/.cache/moonchild productions/basilisk
-nodeny  ${HOME}/.moonchild productions/basilisk
+noblacklist ${HOME}/.moonchild productions/basilisk
 mkdir ${HOME}/.cache/moonchild productions/basilisk
 mkdir ${HOME}/.moonchild productions
-allow  ${HOME}/.cache/moonchild productions/basilisk
+whitelist ${HOME}/.cache/moonchild productions/basilisk
-allow  ${HOME}/.moonchild productions
+whitelist ${HOME}/.moonchild productions
 # Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
 seccomp
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile
index a1d2b1e73..3ecaea7fe 100644
--- a/etc/profile-a-l/bcompare.profile
+++ b/etc/profile-a-l/bcompare.profile
@@ -7,10 +7,10 @@ include bcompare.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/bcompare
+noblacklist ${HOME}/.config/bcompare
 # In case the user decides to include disable-programs.inc, still allow
 # KDE's Gwenview to view images via right click -> Open With -> Associated Application
-nodeny  ${HOME}/.config/gwenviewrc
+noblacklist ${HOME}/.config/gwenviewrc
 # Add the next line to your bcompare.local if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
diff --git a/etc/profile-a-l/beaker.profile b/etc/profile-a-l/beaker.profile
index 588f460a8..f3a9568bd 100644
--- a/etc/profile-a-l/beaker.profile
+++ b/etc/profile-a-l/beaker.profile
@@ -19,10 +19,10 @@ ignore private-cache
 ignore private-dev
 ignore private-tmp
-nodeny  ${HOME}/.config/Beaker Browser
+noblacklist ${HOME}/.config/Beaker Browser
 mkdir ${HOME}/.config/Beaker Browser
-allow  ${HOME}/.config/Beaker Browser
+whitelist ${HOME}/.config/Beaker Browser
 # Redirect
 include electron.profile
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
index 717d7258d..c7a82afbd 100644
--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -6,11 +6,11 @@ include bibletime.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.bibletime
+noblacklist ${HOME}/.bibletime
-nodeny  ${HOME}/.sword
+noblacklist ${HOME}/.sword
-nodeny  ${HOME}/.local/share/bibletime
+noblacklist ${HOME}/.local/share/bibletime
-deny  ${HOME}/.bashrc
+blacklist ${HOME}/.bashrc
 include disable-common.inc
 include disable-devel.inc
@@ -22,12 +22,12 @@ include disable-programs.inc
 mkdir ${HOME}/.bibletime
 mkdir ${HOME}/.sword
 mkdir ${HOME}/.local/share/bibletime
-allow  ${HOME}/.bibletime
+whitelist ${HOME}/.bibletime
-allow  ${HOME}/.sword
+whitelist ${HOME}/.sword
-allow  ${HOME}/.local/share/bibletime
+whitelist ${HOME}/.local/share/bibletime
-allow  /usr/share/bibletime
+whitelist /usr/share/bibletime
-allow  /usr/share/doc/bibletime
+whitelist /usr/share/doc/bibletime
-allow  /usr/share/sword
+whitelist /usr/share/sword
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index b02fcc3e0..854fe5cb9 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -6,7 +6,7 @@ include bijiben.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/bijiben
+noblacklist ${HOME}/.local/share/bijiben
 include disable-common.inc
 include disable-devel.inc
@@ -18,12 +18,12 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.local/share/bijiben
-allow  ${HOME}/.local/share/bijiben
+whitelist ${HOME}/.local/share/bijiben
-allow  ${HOME}/.cache/tracker
+whitelist ${HOME}/.cache/tracker
-allow  /usr/libexec/webkit2gtk-4.0
+whitelist /usr/libexec/webkit2gtk-4.0
-allow  /usr/share/bijiben
+whitelist /usr/share/bijiben
-allow  /usr/share/tracker
+whitelist /usr/share/tracker
-allow  /usr/share/tracker3
+whitelist /usr/share/tracker3
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/bitcoin-qt.profile b/etc/profile-a-l/bitcoin-qt.profile
index c4ec0f820..932db9b73 100644
--- a/etc/profile-a-l/bitcoin-qt.profile
+++ b/etc/profile-a-l/bitcoin-qt.profile
@@ -6,8 +6,8 @@ include bitcoin-qt.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.bitcoin
+noblacklist ${HOME}/.bitcoin
-nodeny  ${HOME}/.config/Bitcoin
+noblacklist ${HOME}/.config/Bitcoin
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-shell.inc
 mkdir ${HOME}/.bitcoin
 mkdir ${HOME}/.config/Bitcoin
-allow  ${HOME}/.bitcoin
+whitelist ${HOME}/.bitcoin
-allow  ${HOME}/.config/Bitcoin
+whitelist ${HOME}/.config/Bitcoin
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/bitlbee.profile b/etc/profile-a-l/bitlbee.profile
index 0f000b26b..dd7651979 100644
--- a/etc/profile-a-l/bitlbee.profile
+++ b/etc/profile-a-l/bitlbee.profile
@@ -8,8 +8,8 @@ include globals.local
 ignore noexec ${HOME}
-nodeny  /sbin
+noblacklist /sbin
-nodeny  /usr/sbin
+noblacklist /usr/sbin
 # noblacklist /var/log
 include disable-common.inc
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
index 4b292d72a..ba2eb2ea7 100644
--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -11,12 +11,12 @@ ignore include whitelist-usr-share-common.inc
 ignore noexec /tmp
-nodeny  ${HOME}/.config/Bitwarden
+noblacklist ${HOME}/.config/Bitwarden
 include disable-shell.inc
 mkdir ${HOME}/.config/Bitwarden
-allow  ${HOME}/.config/Bitwarden
+whitelist ${HOME}/.config/Bitwarden
 machine-id
 no3d
diff --git a/etc/profile-a-l/blackbox.profile b/etc/profile-a-l/blackbox.profile
index 616ad6801..233f9a96f 100644
--- a/etc/profile-a-l/blackbox.profile
+++ b/etc/profile-a-l/blackbox.profile
@@ -7,7 +7,7 @@ include blackbox.local
 include globals.local
 # all applications started in blackbox will run in this profile
-nodeny  ${HOME}/.blackbox
+noblacklist ${HOME}/.blackbox
 include disable-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/blender.profile b/etc/profile-a-l/blender.profile
index 8d0b5616f..701ae431e 100644
--- a/etc/profile-a-l/blender.profile
+++ b/etc/profile-a-l/blender.profile
@@ -6,7 +6,7 @@ include blender.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/blender
+noblacklist ${HOME}/.config/blender
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -20,8 +20,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 # Allow usage of AMD GPU by OpenCL
-nodeny  /sys/module
+noblacklist /sys/module
-allow  /sys/module/amdgpu
+whitelist /sys/module/amdgpu
 read-only /sys/module/amdgpu
 caps.drop all
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile
index ca5f96eee..80dc750f7 100644
--- a/etc/profile-a-l/bless.profile
+++ b/etc/profile-a-l/bless.profile
@@ -6,7 +6,7 @@ include bless.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/bless
+noblacklist ${HOME}/.config/bless
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile
index ee2a73b54..229c20293 100644
--- a/etc/profile-a-l/blobby.profile
+++ b/etc/profile-a-l/blobby.profile
@@ -4,7 +4,7 @@ include blobby.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.blobby
+noblacklist ${HOME}/.blobby
 include disable-common.inc
 include disable-devel.inc
@@ -16,9 +16,9 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.blobby
-allow  ${HOME}/.blobby
+whitelist ${HOME}/.blobby
 include whitelist-common.inc
-allow  /usr/share/blobby
+whitelist /usr/share/blobby
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
index e0be5261e..904710cb5 100644
--- a/etc/profile-a-l/blobwars.profile
+++ b/etc/profile-a-l/blobwars.profile
@@ -6,7 +6,7 @@ include blobwars.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.parallelrealities/blobwars
+noblacklist ${HOME}/.parallelrealities/blobwars
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.parallelrealities/blobwars
-allow  ${HOME}/.parallelrealities/blobwars
+whitelist ${HOME}/.parallelrealities/blobwars
-allow  /usr/share/blobwars
+whitelist /usr/share/blobwars
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/bnox.profile b/etc/profile-a-l/bnox.profile
index dcfd5d8d2..6e8f0d7d1 100644
--- a/etc/profile-a-l/bnox.profile
+++ b/etc/profile-a-l/bnox.profile
@@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
-nodeny  ${HOME}/.cache/bnox
+noblacklist ${HOME}/.cache/bnox
-nodeny  ${HOME}/.config/bnox
+noblacklist ${HOME}/.config/bnox
 mkdir ${HOME}/.cache/bnox
 mkdir ${HOME}/.config/bnox
-allow  ${HOME}/.cache/bnox
+whitelist ${HOME}/.cache/bnox
-allow  ${HOME}/.config/bnox
+whitelist ${HOME}/.config/bnox
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/brackets.profile b/etc/profile-a-l/brackets.profile
index a14bb8fef..0cbac049a 100644
--- a/etc/profile-a-l/brackets.profile
+++ b/etc/profile-a-l/brackets.profile
@@ -5,7 +5,7 @@ include brackets.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Brackets
+noblacklist ${HOME}/.config/Brackets
 #noblacklist /opt/brackets
 #noblacklist /opt/google
diff --git a/etc/profile-a-l/brasero.profile b/etc/profile-a-l/brasero.profile
index a78882409..417a6b3e0 100644
--- a/etc/profile-a-l/brasero.profile
+++ b/etc/profile-a-l/brasero.profile
@@ -6,7 +6,7 @@ include brasero.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/brasero
+noblacklist ${HOME}/.config/brasero
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile
index bc2d7a6a1..09548c761 100644
--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
@@ -14,24 +14,24 @@ ignore noexec /tmp
 # Alternatively you can add 'ignore apparmor' to your brave.local.
 ignore noexec ${HOME}
-nodeny  ${HOME}/.cache/BraveSoftware
+noblacklist ${HOME}/.cache/BraveSoftware
-nodeny  ${HOME}/.config/BraveSoftware
+noblacklist ${HOME}/.config/BraveSoftware
-nodeny  ${HOME}/.config/brave
+noblacklist ${HOME}/.config/brave
-nodeny  ${HOME}/.config/brave-flags.conf
+noblacklist ${HOME}/.config/brave-flags.conf
 # brave uses gpg for built-in password manager
-nodeny  ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
 mkdir ${HOME}/.cache/BraveSoftware
 mkdir ${HOME}/.config/BraveSoftware
 mkdir ${HOME}/.config/brave
-allow  ${HOME}/.cache/BraveSoftware
+whitelist ${HOME}/.cache/BraveSoftware
-allow  ${HOME}/.config/BraveSoftware
+whitelist ${HOME}/.config/BraveSoftware
-allow  ${HOME}/.config/brave
+whitelist ${HOME}/.config/brave
-allow  ${HOME}/.config/brave-flags.conf
+whitelist ${HOME}/.config/brave-flags.conf
-allow  ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
 # Brave sandbox needs read access to /proc/config.gz
-nodeny  /proc/config.gz
+noblacklist /proc/config.gz
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/bzflag.profile b/etc/profile-a-l/bzflag.profile
index 62ca041c2..bda96bbb3 100644
--- a/etc/profile-a-l/bzflag.profile
+++ b/etc/profile-a-l/bzflag.profile
@@ -6,7 +6,7 @@ include bzflag.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.bzf
+noblacklist ${HOME}/.bzf
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.bzf
-allow  ${HOME}/.bzf
+whitelist ${HOME}/.bzf
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/calibre.profile b/etc/profile-a-l/calibre.profile
index 99706620c..83571397b 100644
--- a/etc/profile-a-l/calibre.profile
+++ b/etc/profile-a-l/calibre.profile
@@ -6,9 +6,9 @@ include calibre.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/calibre
+noblacklist ${HOME}/.cache/calibre
-nodeny  ${HOME}/.config/calibre
+noblacklist ${HOME}/.config/calibre
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/calligra.profile b/etc/profile-a-l/calligra.profile
index 36ecc06a0..fcff47662 100644
--- a/etc/profile-a-l/calligra.profile
+++ b/etc/profile-a-l/calligra.profile
@@ -6,7 +6,7 @@ include calligra.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/kxmlgui5/calligra
+noblacklist ${HOME}/.local/share/kxmlgui5/calligra
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/calligragemini.profile b/etc/profile-a-l/calligragemini.profile
index 76123c96a..006c307ab 100644
--- a/etc/profile-a-l/calligragemini.profile
+++ b/etc/profile-a-l/calligragemini.profile
@@ -6,7 +6,7 @@ include calligragemini.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.local/share/calligragemini
+noblacklist ${HOME}/.local/share/calligragemini
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/calligraplan.profile b/etc/profile-a-l/calligraplan.profile
index 5fb1e16da..81dbd4dcd 100644
--- a/etc/profile-a-l/calligraplan.profile
+++ b/etc/profile-a-l/calligraplan.profile
@@ -6,7 +6,7 @@ include calligraplan.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.local/share/kxmlgui5/calligraplan
+noblacklist ${HOME}/.local/share/kxmlgui5/calligraplan
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/calligraplanwork.profile b/etc/profile-a-l/calligraplanwork.profile
index c176bfea1..bba91b66b 100644
--- a/etc/profile-a-l/calligraplanwork.profile
+++ b/etc/profile-a-l/calligraplanwork.profile
@@ -6,7 +6,7 @@ include calligraplanwork.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.local/share/kxmlgui5/calligraplanwork
+noblacklist ${HOME}/.local/share/kxmlgui5/calligraplanwork
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/calligrasheets.profile b/etc/profile-a-l/calligrasheets.profile
index b7ac68945..7bc296047 100644
--- a/etc/profile-a-l/calligrasheets.profile
+++ b/etc/profile-a-l/calligrasheets.profile
@@ -6,7 +6,7 @@ include calligrasheets.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.local/share/kxmlgui5/calligrasheets
+noblacklist ${HOME}/.local/share/kxmlgui5/calligrasheets
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/calligrastage.profile b/etc/profile-a-l/calligrastage.profile
index 1258fec56..7694abbe4 100644
--- a/etc/profile-a-l/calligrastage.profile
+++ b/etc/profile-a-l/calligrastage.profile
@@ -6,7 +6,7 @@ include calligrastage.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.local/share/kxmlgui5/calligrastage
+noblacklist ${HOME}/.local/share/kxmlgui5/calligrastage
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/calligrawords.profile b/etc/profile-a-l/calligrawords.profile
index c2b6c8041..d69d56a95 100644
--- a/etc/profile-a-l/calligrawords.profile
+++ b/etc/profile-a-l/calligrawords.profile
@@ -6,7 +6,7 @@ include calligrawords.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.local/share/kxmlgui5/calligrawords
+noblacklist ${HOME}/.local/share/kxmlgui5/calligrawords
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile
index 390ae383c..74c7cc34b 100644
--- a/etc/profile-a-l/cameramonitor.profile
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -20,7 +20,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/cameramonitor
+whitelist /usr/share/cameramonitor
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/cantata.profile b/etc/profile-a-l/cantata.profile
index 77bdc09e0..96f88a7c4 100644
--- a/etc/profile-a-l/cantata.profile
+++ b/etc/profile-a-l/cantata.profile
@@ -6,10 +6,10 @@ include cantata.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/cantata
+noblacklist ${HOME}/.cache/cantata
-nodeny  ${HOME}/.config/cantata
+noblacklist ${HOME}/.config/cantata
-nodeny  ${HOME}/.local/share/cantata
+noblacklist ${HOME}/.local/share/cantata
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
index 9c53af84f..7cf04c550 100644
--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -10,11 +10,11 @@ include globals.local
 ignore noexec ${HOME}
 ignore noexec /tmp
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
-nodeny  ${HOME}/.cargo/credentials
+noblacklist ${HOME}/.cargo/credentials
-nodeny  ${HOME}/.cargo/credentials.toml
+noblacklist ${HOME}/.cargo/credentials.toml
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
@@ -34,7 +34,7 @@ include disable-xdg.inc
 #whitelist ${HOME}/.cargo
 #whitelist ${HOME}/.rustup
 #include whitelist-common.inc
-allow  /usr/share/pkgconfig
+whitelist /usr/share/pkgconfig
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/catfish.profile b/etc/profile-a-l/catfish.profile
index 4ea53ea6b..009d3a049 100644
--- a/etc/profile-a-l/catfish.profile
+++ b/etc/profile-a-l/catfish.profile
@@ -9,7 +9,7 @@ include globals.local
 # We can't blacklist much since catfish
 # is for finding files/content
-nodeny  ${HOME}/.config/catfish
+noblacklist ${HOME}/.config/catfish
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -21,7 +21,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 # include disable-programs.inc
-allow  /var/lib/mlocate
+whitelist /var/lib/mlocate
 include whitelist-var-common.inc
 apparmor
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
index d7aee1902..6e137010c 100644
--- a/etc/profile-a-l/cawbird.profile
+++ b/etc/profile-a-l/cawbird.profile
@@ -6,7 +6,7 @@ include cawbird.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/cawbird
+noblacklist ${HOME}/.config/cawbird
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index d6f4306ba..1c539cc93 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -6,9 +6,9 @@ include celluloid.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/celluloid
+noblacklist ${HOME}/.config/celluloid
-nodeny  ${HOME}/.config/gnome-mpv
+noblacklist ${HOME}/.config/gnome-mpv
-nodeny  ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.config/youtube-dl
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -17,7 +17,7 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
-deny  /usr/libexec
+blacklist /usr/libexec
 include disable-common.inc
 include disable-devel.inc
@@ -30,9 +30,9 @@ read-only ${DESKTOP}
 mkdir ${HOME}/.config/celluloid
 mkdir ${HOME}/.config/gnome-mpv
 mkdir ${HOME}/.config/youtube-dl
-allow  ${HOME}/.config/celluloid
+whitelist ${HOME}/.config/celluloid
-allow  ${HOME}/.config/gnome-mpv
+whitelist ${HOME}/.config/gnome-mpv
-allow  ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.config/youtube-dl
 include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/checkbashisms.profile b/etc/profile-a-l/checkbashisms.profile
index 0f61084e0..24939fc70 100644
--- a/etc/profile-a-l/checkbashisms.profile
+++ b/etc/profile-a-l/checkbashisms.profile
@@ -7,9 +7,9 @@ include checkbashisms.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile
index bde3e1311..aca1f5876 100644
--- a/etc/profile-a-l/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -6,8 +6,8 @@ include cheese.local
 # Persistent global definitions
 include globals.local
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
@@ -17,9 +17,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  ${VIDEOS}
+whitelist ${VIDEOS}
-allow  ${PICTURES}
+whitelist ${PICTURES}
-allow  /usr/share/gnome-video-effects
+whitelist /usr/share/gnome-video-effects
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/cherrytree.profile b/etc/profile-a-l/cherrytree.profile
index d5dedd81d..7621b3c8c 100644
--- a/etc/profile-a-l/cherrytree.profile
+++ b/etc/profile-a-l/cherrytree.profile
@@ -6,8 +6,8 @@ include cherrytree.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/cherrytree
+noblacklist ${HOME}/.config/cherrytree
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/chromium-browser-privacy.profile b/etc/profile-a-l/chromium-browser-privacy.profile
index 64c45772a..8803a4d9d 100644
--- a/etc/profile-a-l/chromium-browser-privacy.profile
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -3,15 +3,15 @@
 # Persistent local customizations
 include chromium-browser-privacy.local
-nodeny  ${HOME}/.cache/ungoogled-chromium
+noblacklist ${HOME}/.cache/ungoogled-chromium
-nodeny  ${HOME}/.config/ungoogled-chromium
+noblacklist ${HOME}/.config/ungoogled-chromium
-deny  /usr/libexec
+blacklist /usr/libexec
 mkdir ${HOME}/.cache/ungoogled-chromium
 mkdir ${HOME}/.config/ungoogled-chromium
-allow  ${HOME}/.cache/ungoogled-chromium
+whitelist ${HOME}/.cache/ungoogled-chromium
-allow  ${HOME}/.config/ungoogled-chromium
+whitelist ${HOME}/.config/ungoogled-chromium
 # private-bin basename,bash,cat,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
diff --git a/etc/profile-a-l/chromium-common-hardened.inc.profile b/etc/profile-a-l/chromium-common-hardened.inc.profile
index 87a0a0994..19addd285 100644
--- a/etc/profile-a-l/chromium-common-hardened.inc.profile
+++ b/etc/profile-a-l/chromium-common-hardened.inc.profile
@@ -6,5 +6,4 @@ caps.drop all
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
-# kcmp is required for ozone-platform=wayland, see #3783.
+seccomp !chroot
-seccomp !chroot,!kcmp
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index dbeb715d4..b0e0254d4 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -9,8 +9,8 @@ include chromium-common.local
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
-nodeny  ${HOME}/.pki
+noblacklist ${HOME}/.pki
-nodeny  ${HOME}/.local/share/pki
+noblacklist ${HOME}/.local/share/pki
 # Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser
 # to have access to Gnome extensions (extensions.gnome.org) via browser connector
@@ -26,9 +26,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.pki
+whitelist ${HOME}/.pki
-allow  ${HOME}/.local/share/pki
+whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/chromium.profile b/etc/profile-a-l/chromium.profile
index ea92e90a8..9ac33aa1c 100644
--- a/etc/profile-a-l/chromium.profile
+++ b/etc/profile-a-l/chromium.profile
@@ -6,17 +6,17 @@ include chromium.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/chromium
+noblacklist ${HOME}/.cache/chromium
-nodeny  ${HOME}/.config/chromium
+noblacklist ${HOME}/.config/chromium
-nodeny  ${HOME}/.config/chromium-flags.conf
+noblacklist ${HOME}/.config/chromium-flags.conf
 mkdir ${HOME}/.cache/chromium
 mkdir ${HOME}/.config/chromium
-allow  ${HOME}/.cache/chromium
+whitelist ${HOME}/.cache/chromium
-allow  ${HOME}/.config/chromium
+whitelist ${HOME}/.config/chromium
-allow  ${HOME}/.config/chromium-flags.conf
+whitelist ${HOME}/.config/chromium-flags.conf
-allow  /usr/share/chromium
+whitelist /usr/share/chromium
-allow  /usr/share/mozilla/extensions
+whitelist /usr/share/mozilla/extensions
 # private-bin chromium,chromium-browser,chromedriver
diff --git a/etc/profile-a-l/cin.profile b/etc/profile-a-l/cin.profile
index c967e1c96..e1f9523c4 100644
--- a/etc/profile-a-l/cin.profile
+++ b/etc/profile-a-l/cin.profile
@@ -5,7 +5,7 @@ include cin.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.bcast5
+noblacklist ${HOME}/.bcast5
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/clamav.profile b/etc/profile-a-l/clamav.profile
index 0efbcd4f2..e403c2c41 100644
--- a/etc/profile-a-l/clamav.profile
+++ b/etc/profile-a-l/clamav.profile
@@ -7,7 +7,7 @@ include clamav.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-exec.inc
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index 3e4e1f2a1..691657fa0 100644
--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -6,17 +6,17 @@ include claws-mail.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.claws-mail
+noblacklist ${HOME}/.claws-mail
 mkdir ${HOME}/.claws-mail
-allow  ${HOME}/.claws-mail
+whitelist ${HOME}/.claws-mail
 # Add the below lines to your claws-mail.local if you use python-based plugins.
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
 #include allow-python3.inc
-allow  /usr/share/doc/claws-mail
+whitelist /usr/share/doc/claws-mail
 # private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
index ee64391d9..9b62a1f73 100644
--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -6,7 +6,7 @@ include clawsker.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.claws-mail
+noblacklist ${HOME}/.claws-mail
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
@@ -19,7 +19,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.claws-mail
-allow  ${HOME}/.claws-mail
+whitelist ${HOME}/.claws-mail
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/clementine.profile b/etc/profile-a-l/clementine.profile
index f9c0006f9..fa33795c1 100644
--- a/etc/profile-a-l/clementine.profile
+++ b/etc/profile-a-l/clementine.profile
@@ -6,9 +6,9 @@ include clementine.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/Clementine
+noblacklist ${HOME}/.cache/Clementine
-nodeny  ${HOME}/.config/Clementine
+noblacklist ${HOME}/.config/Clementine
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/clion.profile b/etc/profile-a-l/clion.profile
index 5c5399069..77952358f 100644
--- a/etc/profile-a-l/clion.profile
+++ b/etc/profile-a-l/clion.profile
@@ -5,16 +5,16 @@ include clion.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/JetBrains/CLion*
+noblacklist ${HOME}/.config/JetBrains/CLion*
-nodeny  ${HOME}/.cache/JetBrains/CLion*
+noblacklist ${HOME}/.cache/JetBrains/CLion*
-nodeny  ${HOME}/.clion*
+noblacklist ${HOME}/.clion*
-nodeny  ${HOME}/.CLion*
+noblacklist ${HOME}/.CLion*
-nodeny  ${HOME}/.config/git
+noblacklist ${HOME}/.config/git
-nodeny  ${HOME}/.gitconfig
+noblacklist ${HOME}/.gitconfig
-nodeny  ${HOME}/.git-credentials
+noblacklist ${HOME}/.git-credentials
-nodeny  ${HOME}/.java
+noblacklist ${HOME}/.java
-nodeny  ${HOME}/.local/share/JetBrains
+noblacklist ${HOME}/.local/share/JetBrains
-nodeny  ${HOME}/.tooling
+noblacklist ${HOME}/.tooling
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile
index 89f8d96f0..c8258da07 100644
--- a/etc/profile-a-l/clipgrab.profile
+++ b/etc/profile-a-l/clipgrab.profile
@@ -6,9 +6,9 @@ include clipgrab.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Philipp Schmieder
+noblacklist ${HOME}/.config/Philipp Schmieder
-nodeny  ${HOME}/.pki
+noblacklist ${HOME}/.pki
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/clipit.profile b/etc/profile-a-l/clipit.profile
index 4a2a5171b..d421903a3 100644
--- a/etc/profile-a-l/clipit.profile
+++ b/etc/profile-a-l/clipit.profile
@@ -6,8 +6,8 @@ include clipit.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/clipit
+noblacklist ${HOME}/.config/clipit
-nodeny  ${HOME}/.local/share/clipit
+noblacklist ${HOME}/.local/share/clipit
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/clipit
 mkdir ${HOME}/.local/share/clipit
-allow  ${HOME}/.config/clipit
+whitelist ${HOME}/.config/clipit
-allow  ${HOME}/.local/share/clipit
+whitelist ${HOME}/.local/share/clipit
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/cliqz.profile b/etc/profile-a-l/cliqz.profile
index 22c6ef882..d0b8cc0ef 100644
--- a/etc/profile-a-l/cliqz.profile
+++ b/etc/profile-a-l/cliqz.profile
@@ -5,16 +5,16 @@ include cliqz.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/cliqz
+noblacklist ${HOME}/.cache/cliqz
-nodeny  ${HOME}/.cliqz
+noblacklist ${HOME}/.cliqz
-nodeny  ${HOME}/.config/cliqz
+noblacklist ${HOME}/.config/cliqz
 mkdir ${HOME}/.cache/cliqz
 mkdir ${HOME}/.cliqz
 mkdir ${HOME}/.config/cliqz
-allow  ${HOME}/.cache/cliqz
+whitelist ${HOME}/.cache/cliqz
-allow  ${HOME}/.cliqz
+whitelist ${HOME}/.cliqz
-allow  ${HOME}/.config/cliqz
+whitelist ${HOME}/.config/cliqz
 # private-etc must first be enabled in firefox-common.profile
 #private-etc cliqz
diff --git a/etc/profile-a-l/cmus.profile b/etc/profile-a-l/cmus.profile
index 51e53209f..bcd557787 100644
--- a/etc/profile-a-l/cmus.profile
+++ b/etc/profile-a-l/cmus.profile
@@ -6,8 +6,8 @@ include cmus.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/cmus
+noblacklist ${HOME}/.config/cmus
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/code.profile b/etc/profile-a-l/code.profile
index 1933c66fa..fdf94ec41 100644
--- a/etc/profile-a-l/code.profile
+++ b/etc/profile-a-l/code.profile
@@ -5,39 +5,36 @@ include code.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Code
+# Disabled until someone reported positive feedback
-nodeny  ${HOME}/.config/Code - OSS
+ignore include disable-devel.inc
-nodeny  ${HOME}/.vscode
+ignore include disable-exec.inc
-nodeny  ${HOME}/.vscode-oss
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore disable-mnt
+ignore dbus-user none
+ignore dbus-system none
+noblacklist ${HOME}/.config/Code
+noblacklist ${HOME}/.config/Code - OSS
+noblacklist ${HOME}/.vscode
+noblacklist ${HOME}/.vscode-oss
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
-include disable-common.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-caps.drop all
-netfilter
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
 nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-private-cache
-private-dev
-private-tmp
 # Disabling noexec ${HOME} for now since it will
 # probably interfere with running some programmes
 # in VS Code
 # noexec ${HOME}
 noexec /tmp
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/colorful.profile b/etc/profile-a-l/colorful.profile
index efa7f516c..bd6d8f5b0 100644
--- a/etc/profile-a-l/colorful.profile
+++ b/etc/profile-a-l/colorful.profile
@@ -6,7 +6,7 @@ include colorful.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.suve/colorful
+noblacklist ${HOME}/.suve/colorful
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.suve/colorful
-allow  ${HOME}/.suve/colorful
+whitelist ${HOME}/.suve/colorful
-allow  /usr/share/suve
+whitelist /usr/share/suve
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
index 34b662959..c8bdfec23 100644
--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -6,7 +6,7 @@ include com.github.bleakgrey.tootle.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/com.github.bleakgrey.tootle
+noblacklist ${HOME}/.config/com.github.bleakgrey.tootle
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/com.github.bleakgrey.tootle
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.config/com.github.bleakgrey.tootle
+whitelist ${HOME}/.config/com.github.bleakgrey.tootle
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile
index 4e26e4925..b467a0f7a 100644
--- a/etc/profile-a-l/com.github.dahenson.agenda.profile
+++ b/etc/profile-a-l/com.github.dahenson.agenda.profile
@@ -6,9 +6,9 @@ include com.github.dahenson.agenda.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/agenda
+noblacklist ${HOME}/.cache/agenda
-nodeny  ${HOME}/.config/agenda
+noblacklist ${HOME}/.config/agenda
-nodeny  ${HOME}/.local/share/agenda
+noblacklist ${HOME}/.local/share/agenda
 include disable-common.inc
 include disable-devel.inc
@@ -22,9 +22,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/agenda
 mkdir ${HOME}/.config/agenda
 mkdir ${HOME}/.local/share/agenda
-allow  ${HOME}/.cache/agenda
+whitelist ${HOME}/.cache/agenda
-allow  ${HOME}/.config/agenda
+whitelist ${HOME}/.config/agenda
-allow  ${HOME}/.local/share/agenda
+whitelist ${HOME}/.local/share/agenda
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
index bbfc1fe41..c13f9618b 100644
--- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
+++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
@@ -6,9 +6,9 @@ include foliate.local
 # Persistent global definitions
 include globals.local
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${HOME}/.cache/com.github.johnfactotum.Foliate
+noblacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
-nodeny  ${HOME}/.local/share/com.github.johnfactotum.Foliate
+noblacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
@@ -24,12 +24,12 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/com.github.johnfactotum.Foliate
 mkdir ${HOME}/.local/share/com.github.johnfactotum.Foliate
-allow  ${HOME}/.cache/com.github.johnfactotum.Foliate
+whitelist ${HOME}/.cache/com.github.johnfactotum.Foliate
-allow  ${HOME}/.local/share/com.github.johnfactotum.Foliate
+whitelist ${HOME}/.local/share/com.github.johnfactotum.Foliate
-allow  ${DOCUMENTS}
+whitelist ${DOCUMENTS}
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  /usr/share/com.github.johnfactotum.Foliate
+whitelist /usr/share/com.github.johnfactotum.Foliate
-allow  /usr/share/hyphen
+whitelist /usr/share/hyphen
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/com.github.phase1geo.minder.profile b/etc/profile-a-l/com.github.phase1geo.minder.profile
index 3e9acc6c8..d0402d188 100644
--- a/etc/profile-a-l/com.github.phase1geo.minder.profile
+++ b/etc/profile-a-l/com.github.phase1geo.minder.profile
@@ -6,9 +6,9 @@ include com.github.phase1geo.minder.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/minder
+noblacklist ${HOME}/.local/share/minder
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
@@ -20,10 +20,10 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.local/share/minder
-allow  ${HOME}/.local/share/minder
+whitelist ${HOME}/.local/share/minder
-allow  ${DOCUMENTS}
+whitelist ${DOCUMENTS}
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${PICTURES}
+whitelist ${PICTURES}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/conkeror.profile b/etc/profile-a-l/conkeror.profile
index 6cc9ec551..38edf0d21 100644
--- a/etc/profile-a-l/conkeror.profile
+++ b/etc/profile-a-l/conkeror.profile
@@ -5,23 +5,23 @@ include conkeror.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.conkeror.mozdev.org
+noblacklist ${HOME}/.conkeror.mozdev.org
 include disable-common.inc
 include disable-programs.inc
 mkdir ${HOME}/.conkeror.mozdev.org
 mkfile ${HOME}/.conkerorrc
-allow  ${HOME}/.conkeror.mozdev.org
+whitelist ${HOME}/.conkeror.mozdev.org
-allow  ${HOME}/.conkerorrc
+whitelist ${HOME}/.conkerorrc
-allow  ${HOME}/.lastpass
+whitelist ${HOME}/.lastpass
-allow  ${HOME}/.pentadactyl
+whitelist ${HOME}/.pentadactyl
-allow  ${HOME}/.pentadactylrc
+whitelist ${HOME}/.pentadactylrc
-allow  ${HOME}/.vimperator
+whitelist ${HOME}/.vimperator
-allow  ${HOME}/.vimperatorrc
+whitelist ${HOME}/.vimperatorrc
-allow  ${HOME}/.zotero
+whitelist ${HOME}/.zotero
-allow  ${HOME}/dwhelper
+whitelist ${HOME}/dwhelper
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/conky.profile b/etc/profile-a-l/conky.profile
index 1b3fe6651..eaa18739d 100644
--- a/etc/profile-a-l/conky.profile
+++ b/etc/profile-a-l/conky.profile
@@ -6,7 +6,7 @@ include conky.local
 # Persistent global definitions
 include globals.local
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
diff --git a/etc/profile-a-l/corebird.profile b/etc/profile-a-l/corebird.profile
index 266c404ee..2fb446e2a 100644
--- a/etc/profile-a-l/corebird.profile
+++ b/etc/profile-a-l/corebird.profile
@@ -6,7 +6,7 @@ include corebird.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/corebird
+noblacklist ${HOME}/.config/corebird
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
index 0a1353e40..1635995dc 100644
--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -7,8 +7,8 @@ include cower.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/cower
+noblacklist ${HOME}/.config/cower
-nodeny  /var/lib/pacman
+noblacklist /var/lib/pacman
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile
index 5e48c8022..7ece35c2b 100644
--- a/etc/profile-a-l/coyim.profile
+++ b/etc/profile-a-l/coyim.profile
@@ -6,7 +6,7 @@ include coyim.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/coyim
+noblacklist ${HOME}/.config/coyim
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/coyim
-allow  ${HOME}/.config/coyim
+whitelist ${HOME}/.config/coyim
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/cpio.profile b/etc/profile-a-l/cpio.profile
index dec8c086b..bdc4f21a6 100644
--- a/etc/profile-a-l/cpio.profile
+++ b/etc/profile-a-l/cpio.profile
@@ -7,8 +7,8 @@ include cpio.local
 # Persistent global definitions
 include globals.local
-nodeny  /sbin
+noblacklist /sbin
-nodeny  /usr/sbin
+noblacklist /usr/sbin
 # Redirect
 include archiver-common.profile
diff --git a/etc/profile-a-l/crawl.profile b/etc/profile-a-l/crawl.profile
index 81292c01c..b10216895 100644
--- a/etc/profile-a-l/crawl.profile
+++ b/etc/profile-a-l/crawl.profile
@@ -6,7 +6,7 @@ include crawl-tiles.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.crawl
+noblacklist ${HOME}/.crawl
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.crawl
-allow  ${HOME}/.crawl
+whitelist ${HOME}/.crawl
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile
index 36bd93778..02b15ecc2 100644
--- a/etc/profile-a-l/crow.profile
+++ b/etc/profile-a-l/crow.profile
@@ -8,8 +8,8 @@ include globals.local
 mkdir ${HOME}/.config/crow
 mkdir ${HOME}/.cache/gstreamer-1.0
-allow  ${HOME}/.config/crow
+whitelist ${HOME}/.config/crow
-allow  ${HOME}/.cache/gstreamer-1.0
+whitelist ${HOME}/.cache/gstreamer-1.0
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index 4950b7a4c..c9867c5d7 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -12,11 +12,11 @@ include globals.local
 # Technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts.
 # If your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local
 # and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact.
-nodeny  ${HOME}/.curl-hsts
+noblacklist ${HOME}/.curl-hsts
-nodeny  ${HOME}/.curlrc
+noblacklist ${HOME}/.curlrc
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
 include disable-common.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/cyberfox.profile b/etc/profile-a-l/cyberfox.profile
index 49f972e4a..d1fff0004 100644
--- a/etc/profile-a-l/cyberfox.profile
+++ b/etc/profile-a-l/cyberfox.profile
@@ -5,13 +5,13 @@ include cyberfox.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.8pecxstudios
+noblacklist ${HOME}/.8pecxstudios
-nodeny  ${HOME}/.cache/8pecxstudios
+noblacklist ${HOME}/.cache/8pecxstudios
 mkdir ${HOME}/.8pecxstudios
 mkdir ${HOME}/.cache/8pecxstudios
-allow  ${HOME}/.8pecxstudios
+whitelist ${HOME}/.8pecxstudios
-allow  ${HOME}/.cache/8pecxstudios
+whitelist ${HOME}/.cache/8pecxstudios
 # private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
 # private-etc must first be enabled in firefox-common.profile
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
index c7ce1730a..ba1e7adad 100644
--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -6,7 +6,7 @@ include d-feet.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/d-feet
+noblacklist ${HOME}/.config/d-feet
 # Allow python (disabled by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,8 +22,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/d-feet
-allow  ${HOME}/.config/d-feet
+whitelist ${HOME}/.config/d-feet
-allow  /usr/share/d-feet
+whitelist /usr/share/d-feet
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/darktable.profile b/etc/profile-a-l/darktable.profile
index 4d51c255e..61fa52928 100644
--- a/etc/profile-a-l/darktable.profile
+++ b/etc/profile-a-l/darktable.profile
@@ -6,9 +6,9 @@ include darktable.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/darktable
+noblacklist ${HOME}/.cache/darktable
-nodeny  ${HOME}/.config/darktable
+noblacklist ${HOME}/.config/darktable
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
index 745042d6f..67a61bb60 100644
--- a/etc/profile-a-l/dbus-send.profile
+++ b/etc/profile-a-l/dbus-send.profile
@@ -7,8 +7,8 @@ include dbus-send.local
 # Persistent global definitions
 include globals.local
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index c1231c6cf..0c221850a 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  ${HOME}/.local/share/glib-2.0
+whitelist ${HOME}/.local/share/glib-2.0
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile
index b9d385adf..be7514cbf 100644
--- a/etc/profile-a-l/dconf.profile
+++ b/etc/profile-a-l/dconf.profile
@@ -6,7 +6,7 @@ include dconf.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  ${HOME}/.local/share/glib-2.0
+whitelist ${HOME}/.local/share/glib-2.0
 # dconf paths are whitelisted by the following
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile
index 09fa7a07a..5b95b74be 100644
--- a/etc/profile-a-l/ddgtk.profile
+++ b/etc/profile-a-l/ddgtk.profile
@@ -18,8 +18,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  /usr/share/ddgtk
+whitelist /usr/share/ddgtk
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/deadbeef.profile b/etc/profile-a-l/deadbeef.profile
index 25fa944a1..a221ebbd7 100644
--- a/etc/profile-a-l/deadbeef.profile
+++ b/etc/profile-a-l/deadbeef.profile
@@ -6,8 +6,8 @@ include deadbeef.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/deadbeef
+noblacklist ${HOME}/.config/deadbeef
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/deluge.profile b/etc/profile-a-l/deluge.profile
index d41a4a023..ad7aa6ed5 100644
--- a/etc/profile-a-l/deluge.profile
+++ b/etc/profile-a-l/deluge.profile
@@ -6,7 +6,7 @@ include deluge.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/deluge
+noblacklist ${HOME}/.config/deluge
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -20,8 +20,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.config/deluge
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.config/deluge
+whitelist ${HOME}/.config/deluge
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/desktopeditors.profile b/etc/profile-a-l/desktopeditors.profile
index aed4355d5..212cdab60 100644
--- a/etc/profile-a-l/desktopeditors.profile
+++ b/etc/profile-a-l/desktopeditors.profile
@@ -6,9 +6,9 @@ include desktopeditors.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/onlyoffice
+noblacklist ${HOME}/.config/onlyoffice
-nodeny  ${HOME}/.local/share/onlyoffice
+noblacklist ${HOME}/.local/share/onlyoffice
-nodeny  ${HOME}/.pki
+noblacklist ${HOME}/.pki
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
index dc0f290fb..5007f8e74 100644
--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -16,9 +16,9 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/devhelp
+whitelist /usr/share/devhelp
-allow  /usr/share/doc
+whitelist /usr/share/doc
-allow  /usr/share/gtk-doc/html
+whitelist /usr/share/gtk-doc/html
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile
index 631f15f93..6267b5709 100644
--- a/etc/profile-a-l/devilspie.profile
+++ b/etc/profile-a-l/devilspie.profile
@@ -6,9 +6,9 @@ include devilspie.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
-nodeny  ${HOME}/.devilspie
+noblacklist ${HOME}/.devilspie
 include disable-common.inc
 include disable-devel.inc
@@ -19,7 +19,7 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.devilspie
-allow  ${HOME}/.devilspie
+whitelist ${HOME}/.devilspie
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/devilspie2.profile b/etc/profile-a-l/devilspie2.profile
index 140c9da0f..9eab3f536 100644
--- a/etc/profile-a-l/devilspie2.profile
+++ b/etc/profile-a-l/devilspie2.profile
@@ -6,17 +6,17 @@ include devilspie2.local
 # Persistent global definitions
 #include globals.local
-deny  ${HOME}/.devilspie
+blacklist ${HOME}/.devilspie
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
-nodeny  ${HOME}/.config/devilspie2
+noblacklist ${HOME}/.config/devilspie2
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
 mkdir ${HOME}/.config/devilspie2
-allow  ${HOME}/.config/devilspie2
+whitelist ${HOME}/.config/devilspie2
 private-bin devilspie2
diff --git a/etc/profile-a-l/dia.profile b/etc/profile-a-l/dia.profile
index 2a808238b..531734b7d 100644
--- a/etc/profile-a-l/dia.profile
+++ b/etc/profile-a-l/dia.profile
@@ -6,8 +6,8 @@ include dia.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.dia
+noblacklist ${HOME}/.dia
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -25,7 +25,7 @@ include disable-xdg.inc
 #whitelist ${HOME}/.dia
 #whitelist ${DOCUMENTS}
 #include whitelist-common.inc
-allow  /usr/share/dia
+whitelist /usr/share/dia
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile
index 2d683b811..247159a8a 100644
--- a/etc/profile-a-l/dig.profile
+++ b/etc/profile-a-l/dig.profile
@@ -7,11 +7,11 @@ include dig.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.digrc
+noblacklist ${HOME}/.digrc
-nodeny  ${PATH}/dig
+noblacklist ${PATH}/dig
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
 include disable-common.inc
 # include disable-devel.inc
@@ -22,7 +22,7 @@ include disable-programs.inc
 include disable-xdg.inc
 #mkfile ${HOME}/.digrc - see #903
-allow  ${HOME}/.digrc
+whitelist ${HOME}/.digrc
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile
index 124b50952..2ca7bd400 100644
--- a/etc/profile-a-l/digikam.profile
+++ b/etc/profile-a-l/digikam.profile
@@ -6,12 +6,12 @@ include digikam.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/digikam
+noblacklist ${HOME}/.config/digikam
-nodeny  ${HOME}/.config/digikamrc
+noblacklist ${HOME}/.config/digikamrc
-nodeny  ${HOME}/.kde/share/apps/digikam
+noblacklist ${HOME}/.kde/share/apps/digikam
-nodeny  ${HOME}/.kde4/share/apps/digikam
+noblacklist ${HOME}/.kde4/share/apps/digikam
-nodeny  ${HOME}/.local/share/kxmlgui5/digikam
+noblacklist ${HOME}/.local/share/kxmlgui5/digikam
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/dillo.profile b/etc/profile-a-l/dillo.profile
index 883466f4d..9871a6095 100644
--- a/etc/profile-a-l/dillo.profile
+++ b/etc/profile-a-l/dillo.profile
@@ -6,7 +6,7 @@ include dillo.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.dillo
+noblacklist ${HOME}/.dillo
 include disable-common.inc
 include disable-devel.inc
@@ -16,9 +16,9 @@ include disable-programs.inc
 mkdir ${HOME}/.dillo
 mkdir ${HOME}/.fltk
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.dillo
+whitelist ${HOME}/.dillo
-allow  ${HOME}/.fltk
+whitelist ${HOME}/.fltk
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile
index 3078bef71..c3174b35f 100644
--- a/etc/profile-a-l/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -6,7 +6,7 @@ include dino.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/dino
+noblacklist ${HOME}/.local/share/dino
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 include disable-shell.inc
 mkdir ${HOME}/.local/share/dino
-allow  ${HOME}/.local/share/dino
+whitelist ${HOME}/.local/share/dino
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/discord-canary.profile b/etc/profile-a-l/discord-canary.profile
index 1c53cd211..43db95b8a 100644
--- a/etc/profile-a-l/discord-canary.profile
+++ b/etc/profile-a-l/discord-canary.profile
@@ -5,10 +5,10 @@ include discord-canary.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/discordcanary
+noblacklist ${HOME}/.config/discordcanary
 mkdir ${HOME}/.config/discordcanary
-allow  ${HOME}/.config/discordcanary
+whitelist ${HOME}/.config/discordcanary
 private-bin discord-canary,electron,electron[0-9],electron[0-9][0-9]
 private-opt discord-canary
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index 6bee1901c..19e7bd9ab 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -20,8 +20,8 @@ ignore dbus-system none
 ignore noexec ${HOME}
 ignore novideo
-allow  ${HOME}/.config/BetterDiscord
+whitelist ${HOME}/.config/BetterDiscord
-allow  ${HOME}/.local/share/betterdiscordctl
+whitelist ${HOME}/.local/share/betterdiscordctl
 private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
diff --git a/etc/profile-a-l/discord.profile b/etc/profile-a-l/discord.profile
index 658d3fc83..8ef02a30f 100644
--- a/etc/profile-a-l/discord.profile
+++ b/etc/profile-a-l/discord.profile
@@ -5,10 +5,10 @@ include discord.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/discord
+noblacklist ${HOME}/.config/discord
 mkdir ${HOME}/.config/discord
-allow  ${HOME}/.config/discord
+whitelist ${HOME}/.config/discord
 private-bin discord
 private-opt discord
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile
index 4474b97d2..11f3fd36e 100644
--- a/etc/profile-a-l/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -5,7 +5,7 @@ include display.local
 # Persistent global definitions
 include globals.local
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/dnox.profile b/etc/profile-a-l/dnox.profile
index 8c3d6211b..51ba6f8b7 100644
--- a/etc/profile-a-l/dnox.profile
+++ b/etc/profile-a-l/dnox.profile
@@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
-nodeny  ${HOME}/.cache/dnox
+noblacklist ${HOME}/.cache/dnox
-nodeny  ${HOME}/.config/dnox
+noblacklist ${HOME}/.config/dnox
 mkdir ${HOME}/.cache/dnox
 mkdir ${HOME}/.config/dnox
-allow  ${HOME}/.cache/dnox
+whitelist ${HOME}/.cache/dnox
-allow  ${HOME}/.config/dnox
+whitelist ${HOME}/.config/dnox
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/dnscrypt-proxy.profile b/etc/profile-a-l/dnscrypt-proxy.profile
index dbcef36f8..f8fb1a331 100644
--- a/etc/profile-a-l/dnscrypt-proxy.profile
+++ b/etc/profile-a-l/dnscrypt-proxy.profile
@@ -7,11 +7,11 @@ include dnscrypt-proxy.local
 # Persistent global definitions
 include globals.local
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
-nodeny  /sbin
+noblacklist /sbin
-nodeny  /usr/sbin
+noblacklist /usr/sbin
 include disable-common.inc
 include disable-devel.inc
@@ -21,7 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  /usr/share/dnscrypt-proxy
+whitelist /usr/share/dnscrypt-proxy
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/dnsmasq.profile b/etc/profile-a-l/dnsmasq.profile
index b1acbf392..01398c2b2 100644
--- a/etc/profile-a-l/dnsmasq.profile
+++ b/etc/profile-a-l/dnsmasq.profile
@@ -7,11 +7,11 @@ include dnsmasq.local
 # Persistent global definitions
 include globals.local
-nodeny  /sbin
+noblacklist /sbin
-nodeny  /usr/sbin
+noblacklist /usr/sbin
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile
index 15b312ecb..49feec32e 100644
--- a/etc/profile-a-l/dolphin-emu.profile
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -8,9 +8,9 @@ include globals.local
 # Note: you must whitelist your games folder in your dolphin-emu.local.
-nodeny  ${HOME}/.cache/dolphin-emu
+noblacklist ${HOME}/.cache/dolphin-emu
-nodeny  ${HOME}/.config/dolphin-emu
+noblacklist ${HOME}/.config/dolphin-emu
-nodeny  ${HOME}/.local/share/dolphin-emu
+noblacklist ${HOME}/.local/share/dolphin-emu
 include disable-common.inc
 include disable-devel.inc
@@ -24,10 +24,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/dolphin-emu
 mkdir ${HOME}/.config/dolphin-emu
 mkdir ${HOME}/.local/share/dolphin-emu
-allow  ${HOME}/.cache/dolphin-emu
+whitelist ${HOME}/.cache/dolphin-emu
-allow  ${HOME}/.config/dolphin-emu
+whitelist ${HOME}/.config/dolphin-emu
-allow  ${HOME}/.local/share/dolphin-emu
+whitelist ${HOME}/.local/share/dolphin-emu
-allow  /usr/share/dolphin-emu
+whitelist /usr/share/dolphin-emu
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/dooble.profile b/etc/profile-a-l/dooble.profile
index 3b0adcc36..37a4113cb 100644
--- a/etc/profile-a-l/dooble.profile
+++ b/etc/profile-a-l/dooble.profile
@@ -7,7 +7,7 @@ include dooble-qt4.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.dooble
+noblacklist ${HOME}/.dooble
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.dooble
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.dooble
+whitelist ${HOME}/.dooble
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/dosbox.profile b/etc/profile-a-l/dosbox.profile
index 29e506764..988f66f28 100644
--- a/etc/profile-a-l/dosbox.profile
+++ b/etc/profile-a-l/dosbox.profile
@@ -6,8 +6,8 @@ include dosbox.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.dosbox
+noblacklist ${HOME}/.dosbox
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/dragon.profile b/etc/profile-a-l/dragon.profile
index 90ca11774..8fa01d504 100644
--- a/etc/profile-a-l/dragon.profile
+++ b/etc/profile-a-l/dragon.profile
@@ -6,9 +6,9 @@ include dragon.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/dragonplayerrc
+noblacklist ${HOME}/.config/dragonplayerrc
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
@@ -19,7 +19,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/dragonplayer
+whitelist /usr/share/dragonplayer
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile
index 84a77ce34..82d96e405 100644
--- a/etc/profile-a-l/drawio.profile
+++ b/etc/profile-a-l/drawio.profile
@@ -6,7 +6,7 @@ include drawio.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/draw.io
+noblacklist ${HOME}/.config/draw.io
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/draw.io
-allow  ${HOME}/.config/draw.io
+whitelist ${HOME}/.config/draw.io
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile
index e177fd60e..068bd88d8 100644
--- a/etc/profile-a-l/drill.profile
+++ b/etc/profile-a-l/drill.profile
@@ -7,10 +7,10 @@ include drill.local
 # Persistent global definitions
 include globals.local
-nodeny  ${PATH}/drill
+noblacklist ${PATH}/drill
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/profile-a-l/dropbox.profile b/etc/profile-a-l/dropbox.profile
index 274cdd478..b3b2aaf40 100644
--- a/etc/profile-a-l/dropbox.profile
+++ b/etc/profile-a-l/dropbox.profile
@@ -5,9 +5,9 @@ include dropbox.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/autostart
+noblacklist ${HOME}/.config/autostart
-nodeny  ${HOME}/.dropbox
+noblacklist ${HOME}/.dropbox
-nodeny  ${HOME}/.dropbox-dist
+noblacklist ${HOME}/.dropbox-dist
 # Allow python3 (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
@@ -22,10 +22,10 @@ mkdir ${HOME}/.dropbox
 mkdir ${HOME}/.dropbox-dist
 mkdir ${HOME}/Dropbox
 mkfile ${HOME}/.config/autostart/dropbox.desktop
-allow  ${HOME}/.config/autostart/dropbox.desktop
+whitelist ${HOME}/.config/autostart/dropbox.desktop
-allow  ${HOME}/.dropbox
+whitelist ${HOME}/.dropbox
-allow  ${HOME}/.dropbox-dist
+whitelist ${HOME}/.dropbox-dist
-allow  ${HOME}/Dropbox
+whitelist ${HOME}/Dropbox
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile
index da54fec34..38e4b16f7 100644
--- a/etc/profile-a-l/easystroke.profile
+++ b/etc/profile-a-l/easystroke.profile
@@ -6,7 +6,7 @@ include easystroke.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.easystroke
+noblacklist ${HOME}/.easystroke
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.easystroke
-allow  ${HOME}/.easystroke
+whitelist ${HOME}/.easystroke
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 10e57371e..278dd6cbd 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -6,7 +6,7 @@ include electron-mail.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/electron-mail
+noblacklist ${HOME}/.config/electron-mail
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/electron-mail
-allow  ${HOME}/.config/electron-mail
+whitelist ${HOME}/.config/electron-mail
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile
index e8d8d35c4..493af79d4 100644
--- a/etc/profile-a-l/electron.profile
+++ b/etc/profile-a-l/electron.profile
@@ -12,7 +12,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile
index f6691017c..ad636d71a 100644
--- a/etc/profile-a-l/electrum.profile
+++ b/etc/profile-a-l/electrum.profile
@@ -6,7 +6,7 @@ include electrum.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.electrum
+noblacklist ${HOME}/.electrum
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,7 +22,7 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.electrum
-allow  ${HOME}/.electrum
+whitelist ${HOME}/.electrum
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
index ec28866b8..48a826f2e 100644
--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -9,11 +9,11 @@ include element-desktop.local
 ignore dbus-user none
-nodeny  ${HOME}/.config/Element
+noblacklist ${HOME}/.config/Element
 mkdir ${HOME}/.config/Element
-allow  ${HOME}/.config/Element
+whitelist ${HOME}/.config/Element
-allow  /opt/Element
+whitelist /opt/Element
 private-opt Element
diff --git a/etc/profile-a-l/elinks.profile b/etc/profile-a-l/elinks.profile
index 30dca05cb..5a29eb24b 100644
--- a/etc/profile-a-l/elinks.profile
+++ b/etc/profile-a-l/elinks.profile
@@ -7,10 +7,10 @@ include elinks.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.elinks
+noblacklist ${HOME}/.elinks
 mkdir ${HOME}/.elinks
-allow  ${HOME}/.elinks
+whitelist ${HOME}/.elinks
 private-bin elinks
diff --git a/etc/profile-a-l/emacs.profile b/etc/profile-a-l/emacs.profile
index f0e0e2830..55bf743ef 100644
--- a/etc/profile-a-l/emacs.profile
+++ b/etc/profile-a-l/emacs.profile
@@ -6,8 +6,8 @@ include emacs.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.emacs
+noblacklist ${HOME}/.emacs
-nodeny  ${HOME}/.emacs.d
+noblacklist ${HOME}/.emacs.d
 # Add the next line to your emacs.local if you need gpg support.
 #noblacklist ${HOME}/.gnupg
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 5fc72d340..6c9a8a6ea 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -7,14 +7,14 @@ include email-common.local
 # added by caller profile
 #include globals.local
-nodeny  ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
-nodeny  ${HOME}/.mozilla
+noblacklist ${HOME}/.mozilla
-nodeny  ${HOME}/.signature
+noblacklist ${HOME}/.signature
 # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
 # and 'blacklist' it in your disable-common.local too so it is  kept hidden from other applications
-nodeny  ${HOME}/Mail
+noblacklist ${HOME}/Mail
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
@@ -27,17 +27,17 @@ include disable-xdg.inc
 mkdir ${HOME}/.gnupg
 mkfile ${HOME}/.config/mimeapps.list
 mkfile ${HOME}/.signature
-allow  ${HOME}/.config/mimeapps.list
+whitelist ${HOME}/.config/mimeapps.list
-allow  ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
-allow  ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
-allow  ${HOME}/.signature
+whitelist ${HOME}/.signature
-allow  ${DOCUMENTS}
+whitelist ${DOCUMENTS}
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 # when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
-allow  ${HOME}/Mail
+whitelist ${HOME}/Mail
-allow  ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/gnupg
-allow  /usr/share/gnupg
+whitelist /usr/share/gnupg
-allow  /usr/share/gnupg2
+whitelist /usr/share/gnupg2
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile
index 36015b702..ac17b1726 100644
--- a/etc/profile-a-l/enchant.profile
+++ b/etc/profile-a-l/enchant.profile
@@ -6,9 +6,9 @@ include enchant.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
-nodeny  ${HOME}/.config/enchant
+noblacklist ${HOME}/.config/enchant
 include disable-common.inc
 include disable-devel.inc
@@ -19,7 +19,7 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/enchant
-allow  ${HOME}/.config/enchant
+whitelist ${HOME}/.config/enchant
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/enox.profile b/etc/profile-a-l/enox.profile
index 9a1d89bba..d982433e2 100644
--- a/etc/profile-a-l/enox.profile
+++ b/etc/profile-a-l/enox.profile
@@ -10,15 +10,15 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
-nodeny  ${HOME}/.cache/Enox
+noblacklist ${HOME}/.cache/Enox
-nodeny  ${HOME}/.config/Enox
+noblacklist ${HOME}/.config/Enox
 #mkdir ${HOME}/.cache/dnox
 #mkdir ${HOME}/.config/dnox
 mkdir ${HOME}/.cache/Enox
 mkdir ${HOME}/.config/Enox
-allow  ${HOME}/.cache/Enox
+whitelist ${HOME}/.cache/Enox
-allow  ${HOME}/.config/Enox
+whitelist ${HOME}/.config/Enox
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/enpass.profile b/etc/profile-a-l/enpass.profile
index 5d8f8a0b9..c4123b4c2 100644
--- a/etc/profile-a-l/enpass.profile
+++ b/etc/profile-a-l/enpass.profile
@@ -6,11 +6,11 @@ include enpass.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/Enpass
+noblacklist ${HOME}/.cache/Enpass
-nodeny  ${HOME}/.config/sinew.in
+noblacklist ${HOME}/.config/sinew.in
-nodeny  ${HOME}/.config/Sinew Software Systems
+noblacklist ${HOME}/.config/Sinew Software Systems
-nodeny  ${HOME}/.local/share/Enpass
+noblacklist ${HOME}/.local/share/Enpass
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
@@ -24,11 +24,11 @@ mkdir ${HOME}/.cache/Enpass
 mkfile ${HOME}/.config/sinew.in
 mkdir ${HOME}/.config/Sinew Software Systems
 mkdir ${HOME}/.local/share/Enpass
-allow  ${HOME}/.cache/Enpass
+whitelist ${HOME}/.cache/Enpass
-allow  ${HOME}/.config/sinew.in
+whitelist ${HOME}/.config/sinew.in
-allow  ${HOME}/.config/Sinew Software Systems
+whitelist ${HOME}/.config/Sinew Software Systems
-allow  ${HOME}/.local/share/Enpass
+whitelist ${HOME}/.local/share/Enpass
-allow  ${DOCUMENTS}
+whitelist ${DOCUMENTS}
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index ff7040e5c..fe7913e77 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -7,11 +7,11 @@ include eo-common.local
 # added by caller profile
 #include globals.local
-nodeny  ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.local/share/Trash
-nodeny  ${HOME}/.Steam
+noblacklist ${HOME}/.Steam
-nodeny  ${HOME}/.steam
+noblacklist ${HOME}/.steam
-deny  /usr/libexec
+blacklist /usr/libexec
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile
index e8592c7df..5892374bd 100644
--- a/etc/profile-a-l/eog.profile
+++ b/etc/profile-a-l/eog.profile
@@ -6,9 +6,9 @@ include eog.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/eog
+noblacklist ${HOME}/.config/eog
-allow  /usr/share/eog
+whitelist /usr/share/eog
 # private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'.
 # Add the next lines to your eog.local if you need that functionality.
diff --git a/etc/profile-a-l/eom.profile b/etc/profile-a-l/eom.profile
index 323f5ade2..7143a8e03 100644
--- a/etc/profile-a-l/eom.profile
+++ b/etc/profile-a-l/eom.profile
@@ -6,9 +6,9 @@ include eom.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/mate/eom
+noblacklist ${HOME}/.config/mate/eom
-allow  /usr/share/eom
+whitelist /usr/share/eom
 # private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'.
 # Add the next lines to your eom.local if you need that functionality.
diff --git a/etc/profile-a-l/ephemeral.profile b/etc/profile-a-l/ephemeral.profile
index 3657742b9..131d68951 100644
--- a/etc/profile-a-l/ephemeral.profile
+++ b/etc/profile-a-l/ephemeral.profile
@@ -9,8 +9,8 @@ include globals.local
 # enforce private-cache
 #noblacklist ${HOME}/.cache/ephemeral
-nodeny  ${HOME}/.pki
+noblacklist ${HOME}/.pki
-nodeny  ${HOME}/.local/share/pki
+noblacklist ${HOME}/.local/share/pki
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
@@ -27,9 +27,9 @@ mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
 # enforce private-cache
 #whitelist ${HOME}/.cache/ephemeral
-allow  ${HOME}/.pki
+whitelist ${HOME}/.pki
-allow  ${HOME}/.local/share/pki
+whitelist ${HOME}/.local/share/pki
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/epiphany.profile b/etc/profile-a-l/epiphany.profile
index daedb2193..225811226 100644
--- a/etc/profile-a-l/epiphany.profile
+++ b/etc/profile-a-l/epiphany.profile
@@ -9,9 +9,9 @@ include globals.local
 # Note: Epiphany use bwrap since 3.34 and can not be firejailed any more.
 # See https://github.com/netblue30/firejail/issues/2995
-nodeny  ${HOME}/.cache/epiphany
+noblacklist ${HOME}/.cache/epiphany
-nodeny  ${HOME}/.config/epiphany
+noblacklist ${HOME}/.config/epiphany
-nodeny  ${HOME}/.local/share/epiphany
+noblacklist ${HOME}/.local/share/epiphany
 include disable-common.inc
 include disable-devel.inc
@@ -21,10 +21,10 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/epiphany
 mkdir ${HOME}/.config/epiphany
 mkdir ${HOME}/.local/share/epiphany
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.cache/epiphany
+whitelist ${HOME}/.cache/epiphany
-allow  ${HOME}/.config/epiphany
+whitelist ${HOME}/.config/epiphany
-allow  ${HOME}/.local/share/epiphany
+whitelist ${HOME}/.local/share/epiphany
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile
index ac957870c..964d3b7ca 100644
--- a/etc/profile-a-l/equalx.profile
+++ b/etc/profile-a-l/equalx.profile
@@ -6,8 +6,8 @@ include equalx.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/equalx
+noblacklist ${HOME}/.config/equalx
-nodeny  ${HOME}/.equalx
+noblacklist ${HOME}/.equalx
 include disable-common.inc
 include disable-devel.inc
@@ -20,13 +20,13 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/equalx
 mkdir ${HOME}/.equalx
-allow  ${HOME}/.config/equalx
+whitelist ${HOME}/.config/equalx
-allow  ${HOME}/.equalx
+whitelist ${HOME}/.equalx
-allow  /usr/share/poppler
+whitelist /usr/share/poppler
-allow  /usr/share/ghostscript
+whitelist /usr/share/ghostscript
-allow  /usr/share/texlive
+whitelist /usr/share/texlive
-allow  /usr/share/equalx
+whitelist /usr/share/equalx
-allow  /var/lib/texmf
+whitelist /var/lib/texmf
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index a2f46b757..fdff1e4b5 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -6,9 +6,9 @@ include etr.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.etr
+noblacklist ${HOME}/.etr
-deny  /usr/libexec
+blacklist /usr/libexec
 include disable-common.inc
 include disable-devel.inc
@@ -20,10 +20,10 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.etr
-allow  ${HOME}/.etr
+whitelist ${HOME}/.etr
-allow  /usr/share/etr
+whitelist /usr/share/etr
 # Debian version
-allow  /usr/share/games/etr
+whitelist /usr/share/games/etr
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index ce2617ad6..a9e39b15c 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -10,10 +10,10 @@ include globals.local
 # Add the next line to your evince.local if you need bookmarks support. This also needs additional dbus-user filtering (see below).
 #noblacklist ${HOME}/.local/share/gvfs-metadata
-nodeny  ${HOME}/.config/evince
+noblacklist ${HOME}/.config/evince
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-deny  /usr/libexec
+blacklist /usr/libexec
 include disable-common.inc
 include disable-devel.inc
@@ -24,10 +24,10 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/doc
+whitelist /usr/share/doc
-allow  /usr/share/evince
+whitelist /usr/share/evince
-allow  /usr/share/poppler
+whitelist /usr/share/poppler
-allow  /usr/share/tracker
+whitelist /usr/share/tracker
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile
index 142498a28..7222493ac 100644
--- a/etc/profile-a-l/evolution.profile
+++ b/etc/profile-a-l/evolution.profile
@@ -6,15 +6,15 @@ include evolution.local
 # Persistent global definitions
 include globals.local
-nodeny  /var/mail
+noblacklist /var/mail
-nodeny  /var/spool/mail
+noblacklist /var/spool/mail
-nodeny  ${HOME}/.bogofilter
+noblacklist ${HOME}/.bogofilter
-nodeny  ${HOME}/.cache/evolution
+noblacklist ${HOME}/.cache/evolution
-nodeny  ${HOME}/.config/evolution
+noblacklist ${HOME}/.config/evolution
-nodeny  ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
-nodeny  ${HOME}/.local/share/evolution
+noblacklist ${HOME}/.local/share/evolution
-nodeny  ${HOME}/.pki
+noblacklist ${HOME}/.pki
-nodeny  ${HOME}/.local/share/pki
+noblacklist ${HOME}/.local/share/pki
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile
index 216814989..7b09a2c64 100644
--- a/etc/profile-a-l/exiftool.profile
+++ b/etc/profile-a-l/exiftool.profile
@@ -6,7 +6,7 @@ include exiftool.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
@@ -18,7 +18,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-allow  /usr/share/perl-image-exiftool
+whitelist /usr/share/perl-image-exiftool
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index 9bb42945b..b2061db79 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -6,8 +6,8 @@ include falkon.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/falkon
+noblacklist ${HOME}/.cache/falkon
-nodeny  ${HOME}/.config/falkon
+noblacklist ${HOME}/.config/falkon
 include disable-common.inc
 include disable-devel.inc
@@ -19,10 +19,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/falkon
 mkdir ${HOME}/.config/falkon
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.cache/falkon
+whitelist ${HOME}/.cache/falkon
-allow  ${HOME}/.config/falkon
+whitelist ${HOME}/.config/falkon
-allow  /usr/share/falkon
+whitelist /usr/share/falkon
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/fbreader.profile b/etc/profile-a-l/fbreader.profile
index d141c6ed5..8e81000fd 100644
--- a/etc/profile-a-l/fbreader.profile
+++ b/etc/profile-a-l/fbreader.profile
@@ -6,8 +6,8 @@ include fbreader.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.FBReader
+noblacklist ${HOME}/.FBReader
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index 17a365053..31cb1776c 100644
--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -5,11 +5,11 @@ include fdns.local
 # Persistent global definitions
 include globals.local
-nodeny  /sbin
+noblacklist /sbin
-nodeny  /usr/sbin
+noblacklist /usr/sbin
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/feedreader.profile b/etc/profile-a-l/feedreader.profile
index 359be083e..664ec2da6 100644
--- a/etc/profile-a-l/feedreader.profile
+++ b/etc/profile-a-l/feedreader.profile
@@ -6,8 +6,8 @@ include feedreader.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/feedreader
+noblacklist ${HOME}/.cache/feedreader
-nodeny  ${HOME}/.local/share/feedreader
+noblacklist ${HOME}/.local/share/feedreader
 include disable-common.inc
 include disable-devel.inc
@@ -20,9 +20,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/feedreader
 mkdir ${HOME}/.local/share/feedreader
-allow  ${HOME}/.cache/feedreader
+whitelist ${HOME}/.cache/feedreader
-allow  ${HOME}/.local/share/feedreader
+whitelist ${HOME}/.local/share/feedreader
-allow  /usr/share/feedreader
+whitelist /usr/share/feedreader
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/ferdi.profile b/etc/profile-a-l/ferdi.profile
index f60055f37..a2372ec8a 100644
--- a/etc/profile-a-l/ferdi.profile
+++ b/etc/profile-a-l/ferdi.profile
@@ -7,10 +7,10 @@ include globals.local
 ignore noexec /tmp
-nodeny  ${HOME}/.cache/Ferdi
+noblacklist ${HOME}/.cache/Ferdi
-nodeny  ${HOME}/.config/Ferdi
+noblacklist ${HOME}/.config/Ferdi
-nodeny  ${HOME}/.pki
+noblacklist ${HOME}/.pki
-nodeny  ${HOME}/.local/share/pki
+noblacklist ${HOME}/.local/share/pki
 include disable-common.inc
 include disable-devel.inc
@@ -22,11 +22,11 @@ mkdir ${HOME}/.cache/Ferdi
 mkdir ${HOME}/.config/Ferdi
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.cache/Ferdi
+whitelist ${HOME}/.cache/Ferdi
-allow  ${HOME}/.config/Ferdi
+whitelist ${HOME}/.config/Ferdi
-allow  ${HOME}/.pki
+whitelist ${HOME}/.pki
-allow  ${HOME}/.local/share/pki
+whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/fetchmail.profile b/etc/profile-a-l/fetchmail.profile
index 1e06ec29a..7358ed5c7 100644
--- a/etc/profile-a-l/fetchmail.profile
+++ b/etc/profile-a-l/fetchmail.profile
@@ -6,8 +6,8 @@ include fetchmail.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.fetchmailrc
+noblacklist ${HOME}/.fetchmailrc
-nodeny  ${HOME}/.netrc
+noblacklist ${HOME}/.netrc
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
index 1a64183ab..13ef1beb9 100644
--- a/etc/profile-a-l/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -7,8 +7,8 @@ include ffmpeg.local
 # Persistent global definitions
 include globals.local
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
@@ -19,9 +19,9 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/devedeng
+whitelist /usr/share/devedeng
-allow  /usr/share/ffmpeg
+whitelist /usr/share/ffmpeg
-allow  /usr/share/qtchooser
+whitelist /usr/share/qtchooser
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index f7a938f24..4eeceeee8 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -13,9 +13,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-allow  /usr/libexec/file-roller
+whitelist /usr/libexec/file-roller
-allow  /usr/libexec/p7zip
+whitelist /usr/libexec/p7zip
-allow  /usr/share/file-roller
+whitelist /usr/share/file-roller
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/file.profile b/etc/profile-a-l/file.profile
index 426d1e72d..5c7583605 100644
--- a/etc/profile-a-l/file.profile
+++ b/etc/profile-a-l/file.profile
@@ -7,7 +7,7 @@ include file.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
 include disable-common.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/filezilla.profile b/etc/profile-a-l/filezilla.profile
index d9e0e9da0..dc5def54f 100644
--- a/etc/profile-a-l/filezilla.profile
+++ b/etc/profile-a-l/filezilla.profile
@@ -6,8 +6,8 @@ include filezilla.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/filezilla
+noblacklist ${HOME}/.config/filezilla
-nodeny  ${HOME}/.filezilla
+noblacklist ${HOME}/.filezilla
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/firedragon.profile b/etc/profile-a-l/firedragon.profile
index e22424794..77487161e 100644
--- a/etc/profile-a-l/firedragon.profile
+++ b/etc/profile-a-l/firedragon.profile
@@ -6,13 +6,13 @@ include firedragon.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/firedragon
+noblacklist ${HOME}/.cache/firedragon
-nodeny  ${HOME}/.firedragon
+noblacklist ${HOME}/.firedragon
 mkdir ${HOME}/.cache/firedragon
 mkdir ${HOME}/.firedragon
-allow  ${HOME}/.cache/firedragon
+whitelist ${HOME}/.cache/firedragon
-allow  ${HOME}/.firedragon
+whitelist ${HOME}/.firedragon
 # Add the next lines to your firedragon.local if you want to use the migration wizard.
 #noblacklist ${HOME}/.mozilla
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
index 7e2e8760d..d282f9a60 100644
--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -5,74 +5,74 @@ include firefox-common-addons.local
 ignore include whitelist-runuser-common.inc
 ignore private-cache
-nodeny  ${HOME}/.cache/youtube-dl
+noblacklist ${HOME}/.cache/youtube-dl
-nodeny  ${HOME}/.config/kgetrc
+noblacklist ${HOME}/.config/kgetrc
-nodeny  ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/mpv
-nodeny  ${HOME}/.config/okularpartrc
+noblacklist ${HOME}/.config/okularpartrc
-nodeny  ${HOME}/.config/okularrc
+noblacklist ${HOME}/.config/okularrc
-nodeny  ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.config/qpdfview
-nodeny  ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.config/youtube-dl
-nodeny  ${HOME}/.kde/share/apps/kget
+noblacklist ${HOME}/.kde/share/apps/kget
-nodeny  ${HOME}/.kde/share/apps/okular
+noblacklist ${HOME}/.kde/share/apps/okular
-nodeny  ${HOME}/.kde/share/config/kgetrc
+noblacklist ${HOME}/.kde/share/config/kgetrc
-nodeny  ${HOME}/.kde/share/config/okularpartrc
+noblacklist ${HOME}/.kde/share/config/okularpartrc
-nodeny  ${HOME}/.kde/share/config/okularrc
+noblacklist ${HOME}/.kde/share/config/okularrc
-nodeny  ${HOME}/.kde4/share/apps/kget
+noblacklist ${HOME}/.kde4/share/apps/kget
-nodeny  ${HOME}/.kde4/share/apps/okular
+noblacklist ${HOME}/.kde4/share/apps/okular
-nodeny  ${HOME}/.kde4/share/config/kgetrc
+noblacklist ${HOME}/.kde4/share/config/kgetrc
-nodeny  ${HOME}/.kde4/share/config/okularpartrc
+noblacklist ${HOME}/.kde4/share/config/okularpartrc
-nodeny  ${HOME}/.kde4/share/config/okularrc
+noblacklist ${HOME}/.kde4/share/config/okularrc
-nodeny  ${HOME}/.local/share/kget
+noblacklist ${HOME}/.local/share/kget
-nodeny  ${HOME}/.local/share/kxmlgui5/okular
+noblacklist ${HOME}/.local/share/kxmlgui5/okular
-nodeny  ${HOME}/.local/share/okular
+noblacklist ${HOME}/.local/share/okular
-nodeny  ${HOME}/.local/share/qpdfview
+noblacklist ${HOME}/.local/share/qpdfview
-nodeny  ${HOME}/.netrc
+noblacklist ${HOME}/.netrc
-allow  ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
-allow  ${HOME}/.cache/youtube-dl/youtube-sigfuncs
+whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
-allow  ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.config/gnome-mplayer
-allow  ${HOME}/.config/kgetrc
+whitelist ${HOME}/.config/kgetrc
-allow  ${HOME}/.config/mpv
+whitelist ${HOME}/.config/mpv
-allow  ${HOME}/.config/okularpartrc
+whitelist ${HOME}/.config/okularpartrc
-allow  ${HOME}/.config/okularrc
+whitelist ${HOME}/.config/okularrc
-allow  ${HOME}/.config/pipelight-silverlight5.1
+whitelist ${HOME}/.config/pipelight-silverlight5.1
-allow  ${HOME}/.config/pipelight-widevine
+whitelist ${HOME}/.config/pipelight-widevine
-allow  ${HOME}/.config/qpdfview
+whitelist ${HOME}/.config/qpdfview
-allow  ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.config/youtube-dl
-allow  ${HOME}/.kde/share/apps/kget
+whitelist ${HOME}/.kde/share/apps/kget
-allow  ${HOME}/.kde/share/apps/okular
+whitelist ${HOME}/.kde/share/apps/okular
-allow  ${HOME}/.kde/share/config/kgetrc
+whitelist ${HOME}/.kde/share/config/kgetrc
-allow  ${HOME}/.kde/share/config/okularpartrc
+whitelist ${HOME}/.kde/share/config/okularpartrc
-allow  ${HOME}/.kde/share/config/okularrc
+whitelist ${HOME}/.kde/share/config/okularrc
-allow  ${HOME}/.kde4/share/apps/kget
+whitelist ${HOME}/.kde4/share/apps/kget
-allow  ${HOME}/.kde4/share/apps/okular
+whitelist ${HOME}/.kde4/share/apps/okular
-allow  ${HOME}/.kde4/share/config/kgetrc
+whitelist ${HOME}/.kde4/share/config/kgetrc
-allow  ${HOME}/.kde4/share/config/okularpartrc
+whitelist ${HOME}/.kde4/share/config/okularpartrc
-allow  ${HOME}/.kde4/share/config/okularrc
+whitelist ${HOME}/.kde4/share/config/okularrc
-allow  ${HOME}/.keysnail.js
+whitelist ${HOME}/.keysnail.js
-allow  ${HOME}/.lastpass
+whitelist ${HOME}/.lastpass
-allow  ${HOME}/.local/share/kget
+whitelist ${HOME}/.local/share/kget
-allow  ${HOME}/.local/share/kxmlgui5/okular
+whitelist ${HOME}/.local/share/kxmlgui5/okular
-allow  ${HOME}/.local/share/okular
+whitelist ${HOME}/.local/share/okular
-allow  ${HOME}/.local/share/qpdfview
+whitelist ${HOME}/.local/share/qpdfview
-allow  ${HOME}/.local/share/tridactyl
+whitelist ${HOME}/.local/share/tridactyl
-allow  ${HOME}/.netrc
+whitelist ${HOME}/.netrc
-allow  ${HOME}/.pentadactyl
+whitelist ${HOME}/.pentadactyl
-allow  ${HOME}/.pentadactylrc
+whitelist ${HOME}/.pentadactylrc
-allow  ${HOME}/.tridactylrc
+whitelist ${HOME}/.tridactylrc
-allow  ${HOME}/.vimperator
+whitelist ${HOME}/.vimperator
-allow  ${HOME}/.vimperatorrc
+whitelist ${HOME}/.vimperatorrc
-allow  ${HOME}/.wine-pipelight
+whitelist ${HOME}/.wine-pipelight
-allow  ${HOME}/.wine-pipelight64
+whitelist ${HOME}/.wine-pipelight64
-allow  ${HOME}/.zotero
+whitelist ${HOME}/.zotero
-allow  ${HOME}/dwhelper
+whitelist ${HOME}/dwhelper
-allow  /usr/share/lua
+whitelist /usr/share/lua
-allow  /usr/share/lua*
+whitelist /usr/share/lua*
-allow  /usr/share/vulkan
+whitelist /usr/share/vulkan
 # GNOME Shell integration (chrome-gnome-shell) needs dbus and python
-nodeny  ${HOME}/.local/share/gnome-shell
+noblacklist ${HOME}/.local/share/gnome-shell
-allow  ${HOME}/.local/share/gnome-shell
+whitelist ${HOME}/.local/share/gnome-shell
 dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.gnome.ChromeGnomeShell
 dbus-user.talk org.gnome.Shell
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index cb0fae5dc..8b74ed979 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -12,8 +12,8 @@ include firefox-common.local
 # Add the next line to your firefox-common.local to allow access to common programs/addons/plugins.
 #include firefox-common-addons.profile
-nodeny  ${HOME}/.pki
+noblacklist ${HOME}/.pki
-nodeny  ${HOME}/.local/share/pki
+noblacklist ${HOME}/.local/share/pki
 include disable-common.inc
 include disable-devel.inc
@@ -23,9 +23,9 @@ include disable-programs.inc
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.pki
+whitelist ${HOME}/.pki
-allow  ${HOME}/.local/share/pki
+whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/firefox-esr.profile b/etc/profile-a-l/firefox-esr.profile
index 4fd315fdf..5e69fdb51 100644
--- a/etc/profile-a-l/firefox-esr.profile
+++ b/etc/profile-a-l/firefox-esr.profile
@@ -6,7 +6,7 @@ include firefox-esr.local
 # added by included profile
 #include globals.local
-allow  /usr/share/firefox-esr
+whitelist /usr/share/firefox-esr
 # Redirect
 include firefox.profile
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 93d32d141..ff2a499dc 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -14,29 +14,29 @@ include globals.local
 # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
 # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
-nodeny  ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.cache/mozilla
-nodeny  ${HOME}/.mozilla
+noblacklist ${HOME}/.mozilla
-nodeny  ${RUNUSER}/*firefox* # location of profiles if profile-sync-daemon is used
+noblacklist ${RUNUSER}/*firefox*
-deny  /usr/libexec
+blacklist /usr/libexec
 mkdir ${HOME}/.cache/mozilla/firefox
 mkdir ${HOME}/.mozilla
-allow  ${HOME}/.cache/mozilla/firefox
+whitelist ${HOME}/.cache/mozilla/firefox
-allow  ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla
 # Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support.
 # NOTE: start KeePassXC before Firefox and keep it open to allow communication between them.
 #whitelist ${RUNUSER}/kpxc_server
 #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
-allow  /usr/share/doc
+whitelist /usr/share/doc
-allow  /usr/share/firefox
+whitelist /usr/share/firefox
-allow  /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
+whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
-allow  /usr/share/gtk-doc/html
+whitelist /usr/share/gtk-doc/html
-allow  /usr/share/mozilla
+whitelist /usr/share/mozilla
-allow  /usr/share/webext
+whitelist /usr/share/webext
-allow  ${RUNUSER}/*firefox*
+whitelist  ${RUNUSER}/*firefox*
 include whitelist-usr-share-common.inc
 # firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
diff --git a/etc/profile-a-l/five-or-more.profile b/etc/profile-a-l/five-or-more.profile
index bd1becaf0..2c86d3ac7 100644
--- a/etc/profile-a-l/five-or-more.profile
+++ b/etc/profile-a-l/five-or-more.profile
@@ -6,12 +6,12 @@ include five-or-more.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/five-or-more
+noblacklist ${HOME}/.local/share/five-or-more
 mkdir ${HOME}/.local/share/five-or-more
-allow  ${HOME}/.local/share/five-or-more
+whitelist ${HOME}/.local/share/five-or-more
-allow  /usr/share/five-or-more
+whitelist /usr/share/five-or-more
 private-bin five-or-more
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index f16a65536..55af96c84 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -7,9 +7,9 @@ include flameshot.local
 # Persistent global definitions
 include globals.local
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
-nodeny  ${HOME}/.config/Dharkael
+noblacklist ${HOME}/.config/Dharkael
-nodeny  ${HOME}/.config/flameshot
+noblacklist ${HOME}/.config/flameshot
 include disable-common.inc
 include disable-devel.inc
@@ -25,7 +25,7 @@ include disable-xdg.inc
 #whitelist ${PICTURES}
 #whitelist ${HOME}/.config/Dharkael
 #whitelist ${HOME}/.config/flameshot
-allow  /usr/share/flameshot
+whitelist /usr/share/flameshot
 #include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/flashpeak-slimjet.profile b/etc/profile-a-l/flashpeak-slimjet.profile
index af114e129..310fb378f 100644
--- a/etc/profile-a-l/flashpeak-slimjet.profile
+++ b/etc/profile-a-l/flashpeak-slimjet.profile
@@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
-nodeny  ${HOME}/.cache/slimjet
+noblacklist ${HOME}/.cache/slimjet
-nodeny  ${HOME}/.config/slimjet
+noblacklist ${HOME}/.config/slimjet
 mkdir ${HOME}/.cache/slimjet
 mkdir ${HOME}/.config/slimjet
-allow  ${HOME}/.cache/slimjet
+whitelist ${HOME}/.cache/slimjet
-allow  ${HOME}/.config/slimjet
+whitelist ${HOME}/.config/slimjet
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/flowblade.profile b/etc/profile-a-l/flowblade.profile
index 505763fb9..a4421e3ce 100644
--- a/etc/profile-a-l/flowblade.profile
+++ b/etc/profile-a-l/flowblade.profile
@@ -6,8 +6,8 @@ include flowblade.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/flowblade
+noblacklist ${HOME}/.config/flowblade
-nodeny  ${HOME}/.flowblade
+noblacklist ${HOME}/.flowblade
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/fluxbox.profile b/etc/profile-a-l/fluxbox.profile
index a22c0e103..1210f365c 100644
--- a/etc/profile-a-l/fluxbox.profile
+++ b/etc/profile-a-l/fluxbox.profile
@@ -7,7 +7,7 @@ include fluxbox.local
 include globals.local
 # all applications started in fluxbox will run in this profile
-nodeny  ${HOME}/.fluxbox
+noblacklist ${HOME}/.fluxbox
 include disable-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/font-manager.profile b/etc/profile-a-l/font-manager.profile
index ff9167c1a..cd0129436 100644
--- a/etc/profile-a-l/font-manager.profile
+++ b/etc/profile-a-l/font-manager.profile
@@ -6,8 +6,8 @@ include font-manager.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/font-manager
+noblacklist ${HOME}/.cache/font-manager
-nodeny  ${HOME}/.config/font-manager
+noblacklist ${HOME}/.config/font-manager
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -24,9 +24,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/font-manager
 mkdir ${HOME}/.config/font-manager
-allow  ${HOME}/.cache/font-manager
+whitelist ${HOME}/.cache/font-manager
-allow  ${HOME}/.config/font-manager
+whitelist ${HOME}/.config/font-manager
-allow  /usr/share/font-manager
+whitelist /usr/share/font-manager
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/fontforge.profile b/etc/profile-a-l/fontforge.profile
index 64c7655e2..bd1495877 100644
--- a/etc/profile-a-l/fontforge.profile
+++ b/etc/profile-a-l/fontforge.profile
@@ -6,8 +6,8 @@ include fontforge.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.FontForge
+noblacklist ${HOME}/.FontForge
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/fossamail.profile b/etc/profile-a-l/fossamail.profile
index 5e5a12794..2d700d336 100644
--- a/etc/profile-a-l/fossamail.profile
+++ b/etc/profile-a-l/fossamail.profile
@@ -6,16 +6,16 @@ include fossamail.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.cache/fossamail
+noblacklist ${HOME}/.cache/fossamail
-nodeny  ${HOME}/.fossamail
+noblacklist ${HOME}/.fossamail
-nodeny  ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
 mkdir ${HOME}/.cache/fossamail
 mkdir ${HOME}/.fossamail
 mkdir ${HOME}/.gnupg
-allow  ${HOME}/.cache/fossamail
+whitelist ${HOME}/.cache/fossamail
-allow  ${HOME}/.fossamail
+whitelist ${HOME}/.fossamail
-allow  ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
 include whitelist-common.inc
 # allow browsers
diff --git a/etc/profile-a-l/four-in-a-row.profile b/etc/profile-a-l/four-in-a-row.profile
index 97fd4a626..eb0c43ca5 100644
--- a/etc/profile-a-l/four-in-a-row.profile
+++ b/etc/profile-a-l/four-in-a-row.profile
@@ -9,7 +9,7 @@ include globals.local
 ignore machine-id
 ignore nosound
-allow  /usr/share/four-in-a-row
+whitelist /usr/share/four-in-a-row
 private-bin four-in-a-row
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile
index 8edc9b02d..1b1d031b4 100644
--- a/etc/profile-a-l/fractal.profile
+++ b/etc/profile-a-l/fractal.profile
@@ -6,7 +6,7 @@ include fractal.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/fractal
+noblacklist ${HOME}/.cache/fractal
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,8 +22,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.cache/fractal
-allow  ${HOME}/.cache/fractal
+whitelist ${HOME}/.cache/fractal
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/franz.profile b/etc/profile-a-l/franz.profile
index 1a8ec8f99..9b780a572 100644
--- a/etc/profile-a-l/franz.profile
+++ b/etc/profile-a-l/franz.profile
@@ -7,10 +7,10 @@ include globals.local
 ignore noexec /tmp
-nodeny  ${HOME}/.cache/Franz
+noblacklist ${HOME}/.cache/Franz
-nodeny  ${HOME}/.config/Franz
+noblacklist ${HOME}/.config/Franz
-nodeny  ${HOME}/.pki
+noblacklist ${HOME}/.pki
-nodeny  ${HOME}/.local/share/pki
+noblacklist ${HOME}/.local/share/pki
 include disable-common.inc
 include disable-devel.inc
@@ -22,11 +22,11 @@ mkdir ${HOME}/.cache/Franz
 mkdir ${HOME}/.config/Franz
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.cache/Franz
+whitelist ${HOME}/.cache/Franz
-allow  ${HOME}/.config/Franz
+whitelist ${HOME}/.config/Franz
-allow  ${HOME}/.pki
+whitelist ${HOME}/.pki
-allow  ${HOME}/.local/share/pki
+whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/freecad.profile b/etc/profile-a-l/freecad.profile
index a45ad4c7a..8043d0530 100644
--- a/etc/profile-a-l/freecad.profile
+++ b/etc/profile-a-l/freecad.profile
@@ -6,8 +6,8 @@ include freecad.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/FreeCAD
+noblacklist ${HOME}/.config/FreeCAD
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/freeciv.profile b/etc/profile-a-l/freeciv.profile
index 20abd4056..23c19682c 100644
--- a/etc/profile-a-l/freeciv.profile
+++ b/etc/profile-a-l/freeciv.profile
@@ -6,7 +6,7 @@ include freeciv.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.freeciv
+noblacklist ${HOME}/.freeciv
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.freeciv
-allow  ${HOME}/.freeciv
+whitelist ${HOME}/.freeciv
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/freecol.profile b/etc/profile-a-l/freecol.profile
index 79ccf4101..93fa7da03 100644
--- a/etc/profile-a-l/freecol.profile
+++ b/etc/profile-a-l/freecol.profile
@@ -6,10 +6,10 @@ include freecol.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.freecol
+noblacklist ${HOME}/.freecol
-nodeny  ${HOME}/.cache/freecol
+noblacklist ${HOME}/.cache/freecol
-nodeny  ${HOME}/.config/freecol
+noblacklist ${HOME}/.config/freecol
-nodeny  ${HOME}/.local/share/freecol
+noblacklist ${HOME}/.local/share/freecol
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -26,11 +26,11 @@ mkdir ${HOME}/.java
 mkdir ${HOME}/.cache/freecol
 mkdir ${HOME}/.config/freecol
 mkdir ${HOME}/.local/share/freecol
-allow  ${HOME}/.freecol
+whitelist ${HOME}/.freecol
-allow  ${HOME}/.java
+whitelist ${HOME}/.java
-allow  ${HOME}/.cache/freecol
+whitelist ${HOME}/.cache/freecol
-allow  ${HOME}/.config/freecol
+whitelist ${HOME}/.config/freecol
-allow  ${HOME}/.local/share/freecol
+whitelist ${HOME}/.local/share/freecol
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/freemind.profile b/etc/profile-a-l/freemind.profile
index ba52dd208..699177039 100644
--- a/etc/profile-a-l/freemind.profile
+++ b/etc/profile-a-l/freemind.profile
@@ -6,8 +6,8 @@ include freemind.local
 # Persistent global definitions
 include globals.local
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${HOME}/.freemind
+noblacklist ${HOME}/.freemind
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
index 4c321322c..e6aff533d 100644
--- a/etc/profile-a-l/freetube.profile
+++ b/etc/profile-a-l/freetube.profile
@@ -6,12 +6,12 @@ include freetube.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/FreeTube
+noblacklist ${HOME}/.config/FreeTube
 include disable-shell.inc
 mkdir ${HOME}/.config/FreeTube
-allow  ${HOME}/.config/FreeTube
+whitelist ${HOME}/.config/FreeTube
 private-bin freetube
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index 3a6dfcfd6..b4ad81046 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -6,7 +6,7 @@ include frogatto.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.frogatto
+noblacklist ${HOME}/.frogatto
 include disable-common.inc
 include disable-devel.inc
@@ -17,9 +17,9 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.frogatto
-allow  ${HOME}/.frogatto
+whitelist ${HOME}/.frogatto
-allow  /usr/libexec/frogatto
+whitelist /usr/libexec/frogatto
-allow  /usr/share/frogatto
+whitelist /usr/share/frogatto
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index 12eca8eb0..76352e41e 100644
--- a/etc/profile-a-l/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -6,7 +6,7 @@ include frozen-bubble.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.frozen-bubble
+noblacklist ${HOME}/.frozen-bubble
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
@@ -20,7 +20,7 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.frozen-bubble
-allow  ${HOME}/.frozen-bubble
+whitelist ${HOME}/.frozen-bubble
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile
index 07030df4b..8852925b1 100644
--- a/etc/profile-a-l/funnyboat.profile
+++ b/etc/profile-a-l/funnyboat.profile
@@ -5,7 +5,7 @@ include funnyboat.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.funnyboat
+noblacklist ${HOME}/.funnyboat
 ignore noexec /dev/shm
 include allow-python2.inc
@@ -21,12 +21,12 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.funnyboat
-allow  ${HOME}/.funnyboat
+whitelist ${HOME}/.funnyboat
 include whitelist-common.inc
 include whitelist-runuser-common.inc
-allow  /usr/share/funnyboat
+whitelist /usr/share/funnyboat
 # Debian:
-allow  /usr/share/games/funnyboat
+whitelist /usr/share/games/funnyboat
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
index 4cd2cb1e6..ed3f0357d 100644
--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -6,10 +6,10 @@ include gajim.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
-nodeny  ${HOME}/.cache/gajim
+noblacklist ${HOME}/.cache/gajim
-nodeny  ${HOME}/.config/gajim
+noblacklist ${HOME}/.config/gajim
-nodeny  ${HOME}/.local/share/gajim
+noblacklist ${HOME}/.local/share/gajim
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
@@ -28,14 +28,14 @@ mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.cache/gajim
 mkdir ${HOME}/.config/gajim
 mkdir ${HOME}/.local/share/gajim
-allow  ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
-allow  ${HOME}/.cache/gajim
+whitelist ${HOME}/.cache/gajim
-allow  ${HOME}/.config/gajim
+whitelist ${HOME}/.config/gajim
-allow  ${HOME}/.local/share/gajim
+whitelist ${HOME}/.local/share/gajim
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/gnupg
-allow  /usr/share/gnupg
+whitelist /usr/share/gnupg
-allow  /usr/share/gnupg2
+whitelist /usr/share/gnupg2
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
index 0b1b595a6..550b3808b 100644
--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -6,7 +6,7 @@ include galculator.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/galculator
+noblacklist ${HOME}/.config/galculator
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/galculator
-allow  ${HOME}/.config/galculator
+whitelist ${HOME}/.config/galculator
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index 00b830234..3a8c055f2 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -6,8 +6,8 @@ include gapplication.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
-deny  /usr/libexec
+blacklist /usr/libexec
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gcloud.profile b/etc/profile-a-l/gcloud.profile
index 896a100fc..388f4c0df 100644
--- a/etc/profile-a-l/gcloud.profile
+++ b/etc/profile-a-l/gcloud.profile
@@ -8,9 +8,9 @@ include globals.local
 # noexec ${HOME} will break user-local installs of gcloud tooling
 ignore noexec ${HOME}
-nodeny  ${HOME}/.boto
+noblacklist ${HOME}/.boto
-nodeny  ${HOME}/.config/gcloud
+noblacklist ${HOME}/.config/gcloud
-nodeny  /var/run/docker.sock
+noblacklist /var/run/docker.sock
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gconf-editor.profile b/etc/profile-a-l/gconf-editor.profile
index 8f72f0b34..cb39174e5 100644
--- a/etc/profile-a-l/gconf-editor.profile
+++ b/etc/profile-a-l/gconf-editor.profile
@@ -7,9 +7,9 @@ include gconf-editor.local
 # added by included profile
 #include globals.local
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-allow  /usr/share/gconf-editor
+whitelist /usr/share/gconf-editor
 ignore x11 none
diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile
index 8c7013574..fec1a555a 100644
--- a/etc/profile-a-l/gconf.profile
+++ b/etc/profile-a-l/gconf.profile
@@ -6,9 +6,9 @@ include gconf.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
-nodeny  ${HOME}/.config/gconf
+noblacklist ${HOME}/.config/gconf
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -23,9 +23,9 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/gconf
-allow  ${HOME}/.config/gconf
+whitelist ${HOME}/.config/gconf
-allow  /usr/share/GConf
+whitelist /usr/share/GConf
-allow  /usr/share/gconf
+whitelist /usr/share/gconf
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/geany.profile b/etc/profile-a-l/geany.profile
index 706a85c75..6fdb9b37a 100644
--- a/etc/profile-a-l/geany.profile
+++ b/etc/profile-a-l/geany.profile
@@ -6,7 +6,7 @@ include geany.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/geany
+noblacklist ${HOME}/.config/geany
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index 512fc1e59..74e135a7c 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -6,14 +6,14 @@ include geary.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/evolution
+noblacklist ${HOME}/.cache/evolution
-nodeny  ${HOME}/.cache/folks
+noblacklist ${HOME}/.cache/folks
-nodeny  ${HOME}/.cache/geary
+noblacklist ${HOME}/.cache/geary
-nodeny  ${HOME}/.config/evolution
+noblacklist ${HOME}/.config/evolution
-nodeny  ${HOME}/.config/geary
+noblacklist ${HOME}/.config/geary
-nodeny  ${HOME}/.local/share/evolution
+noblacklist ${HOME}/.local/share/evolution
-nodeny  ${HOME}/.local/share/geary
+noblacklist ${HOME}/.local/share/geary
-nodeny  ${HOME}/.mozilla
+noblacklist ${HOME}/.mozilla
 include disable-common.inc
 include disable-devel.inc
@@ -31,16 +31,16 @@ mkdir ${HOME}/.config/evolution
 mkdir ${HOME}/.config/geary
 mkdir ${HOME}/.local/share/evolution
 mkdir ${HOME}/.local/share/geary
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.cache/evolution
+whitelist ${HOME}/.cache/evolution
-allow  ${HOME}/.cache/folks
+whitelist ${HOME}/.cache/folks
-allow  ${HOME}/.cache/geary
+whitelist ${HOME}/.cache/geary
-allow  ${HOME}/.config/evolution
+whitelist ${HOME}/.config/evolution
-allow  ${HOME}/.config/geary
+whitelist ${HOME}/.config/geary
-allow  ${HOME}/.local/share/evolution
+whitelist ${HOME}/.local/share/evolution
-allow  ${HOME}/.local/share/geary
+whitelist ${HOME}/.local/share/geary
-allow  ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
-allow  /usr/share/geary
+whitelist /usr/share/geary
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile
index f11540374..108b7041d 100644
--- a/etc/profile-a-l/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -6,8 +6,8 @@ include gedit.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/enchant
+noblacklist ${HOME}/.config/enchant
-nodeny  ${HOME}/.config/gedit
+noblacklist ${HOME}/.config/gedit
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile
index 8ec3bbaf9..dd33b3fb5 100644
--- a/etc/profile-a-l/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
@@ -6,9 +6,9 @@ include geeqie.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/geeqie
+noblacklist ${HOME}/.cache/geeqie
-nodeny  ${HOME}/.config/geeqie
+noblacklist ${HOME}/.config/geeqie
-nodeny  ${HOME}/.local/share/geeqie
+noblacklist ${HOME}/.local/share/geeqie
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index 1661da639..f894a42ca 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -6,10 +6,10 @@ include gfeeds.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/gfeeds
+noblacklist ${HOME}/.cache/gfeeds
-nodeny  ${HOME}/.cache/org.gabmus.gfeeds
+noblacklist ${HOME}/.cache/org.gabmus.gfeeds
-nodeny  ${HOME}/.config/org.gabmus.gfeeds.json
+noblacklist ${HOME}/.config/org.gabmus.gfeeds.json
-nodeny  ${HOME}/.config/org.gabmus.gfeeds.saved_articles
+noblacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
@@ -27,12 +27,12 @@ mkdir ${HOME}/.cache/gfeeds
 mkdir ${HOME}/.cache/org.gabmus.gfeeds
 mkfile ${HOME}/.config/org.gabmus.gfeeds.json
 mkdir ${HOME}/.config/org.gabmus.gfeeds.saved_articles
-allow  ${HOME}/.cache/gfeeds
+whitelist ${HOME}/.cache/gfeeds
-allow  ${HOME}/.cache/org.gabmus.gfeeds
+whitelist ${HOME}/.cache/org.gabmus.gfeeds
-allow  ${HOME}/.config/org.gabmus.gfeeds.json
+whitelist ${HOME}/.config/org.gabmus.gfeeds.json
-allow  ${HOME}/.config/org.gabmus.gfeeds.saved_articles
+whitelist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
-allow  /usr/libexec/webkit2gtk-4.0
+whitelist /usr/libexec/webkit2gtk-4.0
-allow  /usr/share/gfeeds
+whitelist /usr/share/gfeeds
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile
index 06929dbe3..d9c5a0d9a 100644
--- a/etc/profile-a-l/gget.profile
+++ b/etc/profile-a-l/gget.profile
@@ -7,8 +7,8 @@ include gget.local
 # Persistent global definitions
 include globals.local
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
 include disable-common.inc
 include disable-devel.inc
@@ -19,7 +19,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index 0577fe24f..276ab76df 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -6,10 +6,10 @@ include ghostwriter.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/ghostwriter
+noblacklist ${HOME}/.config/ghostwriter
-nodeny  ${HOME}/.local/share/ghostwriter
+noblacklist ${HOME}/.local/share/ghostwriter
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 include allow-lua.inc
@@ -22,10 +22,10 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/ghostwriter
+whitelist /usr/share/ghostwriter
-allow  /usr/share/mozilla-dicts
+whitelist /usr/share/mozilla-dicts
-allow  /usr/share/texlive
+whitelist /usr/share/texlive
-allow  /usr/share/pandoc*
+whitelist /usr/share/pandoc*
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index de9db8d0f..dfc1304d1 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -18,13 +18,13 @@ include globals.local
 # If you are not using external plugins, you can add 'noexec ${HOME}' to your gimp.local.
 ignore noexec ${HOME}
-nodeny  ${HOME}/.cache/babl
+noblacklist ${HOME}/.cache/babl
-nodeny  ${HOME}/.cache/gegl-0.4
+noblacklist ${HOME}/.cache/gegl-0.4
-nodeny  ${HOME}/.cache/gimp
+noblacklist ${HOME}/.cache/gimp
-nodeny  ${HOME}/.config/GIMP
+noblacklist ${HOME}/.config/GIMP
-nodeny  ${HOME}/.gimp*
+noblacklist ${HOME}/.gimp*
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 include disable-common.inc
 include disable-exec.inc
@@ -33,10 +33,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  /usr/share/gegl-0.4
+whitelist /usr/share/gegl-0.4
-allow  /usr/share/gimp
+whitelist /usr/share/gimp
-allow  /usr/share/mypaint-data
+whitelist /usr/share/mypaint-data
-allow  /usr/share/lensfun
+whitelist /usr/share/lensfun
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile
index e601d3ab0..661c3a375 100644
--- a/etc/profile-a-l/gist.profile
+++ b/etc/profile-a-l/gist.profile
@@ -7,10 +7,10 @@ include gist.local
 # Persistent global definitions
 include globals.local
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
-nodeny  ${HOME}/.gist
+noblacklist ${HOME}/.gist
 # Allow ruby (blacklisted by disable-interpreters.inc)
 include allow-ruby.inc
@@ -24,8 +24,8 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.gist
-allow  ${HOME}/.gist
+whitelist ${HOME}/.gist
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index 74b7506cf..5e4249376 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -8,12 +8,12 @@ include globals.local
 ignore noexec ${HOME}
-nodeny  ${HOME}/.gitconfig
+noblacklist ${HOME}/.gitconfig
-nodeny  ${HOME}/.git-credentials
+noblacklist ${HOME}/.git-credentials
-nodeny  ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
-nodeny  ${HOME}/.subversion
+noblacklist ${HOME}/.subversion
-nodeny  ${HOME}/.config/git
+noblacklist ${HOME}/.config/git
-nodeny  ${HOME}/.config/git-cola
+noblacklist ${HOME}/.config/git-cola
 # Add your editor/diff viewer config paths and the next line to your git-cola.local to load settings.
 #noblacklist ${HOME}/
@@ -32,17 +32,17 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/gnupg
-allow  ${RUNUSER}/keyring
+whitelist ${RUNUSER}/keyring
 # Add additional whitelist paths below /usr/share to your git-cola.local to support your editor/diff viewer.
-allow  /usr/share/git
+whitelist /usr/share/git
-allow  /usr/share/git-cola
+whitelist /usr/share/git-cola
-allow  /usr/share/git-core
+whitelist /usr/share/git-core
-allow  /usr/share/git-gui
+whitelist /usr/share/git-gui
-allow  /usr/share/gitk
+whitelist /usr/share/gitk
-allow  /usr/share/gitweb
+whitelist /usr/share/gitweb
-allow  /usr/share/gnupg
+whitelist /usr/share/gnupg
-allow  /usr/share/gnupg2
+whitelist /usr/share/gnupg2
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/git.profile b/etc/profile-a-l/git.profile
index 680e91085..bfa0081c6 100644
--- a/etc/profile-a-l/git.profile
+++ b/etc/profile-a-l/git.profile
@@ -7,33 +7,33 @@ include git.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/git
+noblacklist ${HOME}/.config/git
-nodeny  ${HOME}/.config/nano
+noblacklist ${HOME}/.config/nano
-nodeny  ${HOME}/.emacs
+noblacklist ${HOME}/.emacs
-nodeny  ${HOME}/.emacs.d
+noblacklist ${HOME}/.emacs.d
-nodeny  ${HOME}/.gitconfig
+noblacklist ${HOME}/.gitconfig
-nodeny  ${HOME}/.git-credentials
+noblacklist ${HOME}/.git-credentials
-nodeny  ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
-nodeny  ${HOME}/.nanorc
+noblacklist ${HOME}/.nanorc
-nodeny  ${HOME}/.vim
+noblacklist ${HOME}/.vim
-nodeny  ${HOME}/.viminfo
+noblacklist ${HOME}/.viminfo
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-allow  /usr/share/git
+whitelist /usr/share/git
-allow  /usr/share/git-core
+whitelist /usr/share/git-core
-allow  /usr/share/gitgui
+whitelist /usr/share/gitgui
-allow  /usr/share/gitweb
+whitelist /usr/share/gitweb
-allow  /usr/share/nano
+whitelist /usr/share/nano
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile
index d313b5022..05d7dffa9 100644
--- a/etc/profile-a-l/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -6,10 +6,10 @@ include gitg.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/git
+noblacklist ${HOME}/.config/git
-nodeny  ${HOME}/.gitconfig
+noblacklist ${HOME}/.gitconfig
-nodeny  ${HOME}/.git-credentials
+noblacklist ${HOME}/.git-credentials
-nodeny  ${HOME}/.local/share/gitg
+noblacklist ${HOME}/.local/share/gitg
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
@@ -29,7 +29,7 @@ include disable-programs.inc
 #whitelist ${HOME}/.ssh
 #include whitelist-common.inc
-allow  /usr/share/gitg
+whitelist /usr/share/gitg
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile
index 81b534a74..325c54ced 100644
--- a/etc/profile-a-l/github-desktop.profile
+++ b/etc/profile-a-l/github-desktop.profile
@@ -22,10 +22,10 @@ ignore apparmor
 ignore dbus-user none
 ignore dbus-system none
-nodeny  ${HOME}/.config/GitHub Desktop
+noblacklist ${HOME}/.config/GitHub Desktop
-nodeny  ${HOME}/.config/git
+noblacklist ${HOME}/.config/git
-nodeny  ${HOME}/.gitconfig
+noblacklist ${HOME}/.gitconfig
-nodeny  ${HOME}/.git-credentials
+noblacklist ${HOME}/.git-credentials
 # no3d
 nosound
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile
index 2d1694ef7..460e2b990 100644
--- a/etc/profile-a-l/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
@@ -5,8 +5,8 @@ include gitter.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/autostart
+noblacklist ${HOME}/.config/autostart
-nodeny  ${HOME}/.config/Gitter
+noblacklist ${HOME}/.config/Gitter
 include disable-common.inc
 include disable-devel.inc
@@ -16,9 +16,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.config/Gitter
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.config/autostart
+whitelist ${HOME}/.config/autostart
-allow  ${HOME}/.config/Gitter
+whitelist ${HOME}/.config/Gitter
 include whitelist-var-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/gjs.profile b/etc/profile-a-l/gjs.profile
index e00bb1dbf..ed68b3c2d 100644
--- a/etc/profile-a-l/gjs.profile
+++ b/etc/profile-a-l/gjs.profile
@@ -8,10 +8,10 @@ include globals.local
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
-nodeny  ${HOME}/.cache/libgweather
+noblacklist ${HOME}/.cache/libgweather
-nodeny  ${HOME}/.cache/org.gnome.Books
+noblacklist ${HOME}/.cache/org.gnome.Books
-nodeny  ${HOME}/.config/libreoffice
+noblacklist ${HOME}/.config/libreoffice
-nodeny  ${HOME}/.local/share/gnome-photos
+noblacklist ${HOME}/.local/share/gnome-photos
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile
index a3236c2be..c8cefc67e 100644
--- a/etc/profile-a-l/gl-117.profile
+++ b/etc/profile-a-l/gl-117.profile
@@ -6,7 +6,7 @@ include gl-117.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.gl-117
+noblacklist ${HOME}/.gl-117
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.gl-117
-allow  ${HOME}/.gl-117
+whitelist ${HOME}/.gl-117
-allow  /usr/share/gl-117
+whitelist /usr/share/gl-117
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile
index ec894a5f3..ee7af0546 100644
--- a/etc/profile-a-l/glaxium.profile
+++ b/etc/profile-a-l/glaxium.profile
@@ -6,7 +6,7 @@ include glaxium.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.glaxiumrc
+noblacklist ${HOME}/.glaxiumrc
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkfile ${HOME}/.glaxiumrc
-allow  ${HOME}/.glaxiumrc
+whitelist ${HOME}/.glaxiumrc
-allow  /usr/share/glaxium
+whitelist /usr/share/glaxium
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/globaltime.profile b/etc/profile-a-l/globaltime.profile
index e091b811f..14b3ef811 100644
--- a/etc/profile-a-l/globaltime.profile
+++ b/etc/profile-a-l/globaltime.profile
@@ -5,7 +5,7 @@ include globaltime.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/globaltime
+noblacklist ${HOME}/.config/globaltime
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile
index 79397d28f..b3aad8b2c 100644
--- a/etc/profile-a-l/gmpc.profile
+++ b/etc/profile-a-l/gmpc.profile
@@ -6,8 +6,8 @@ include gmpc.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/gmpc
+noblacklist ${HOME}/.config/gmpc
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
@@ -18,9 +18,9 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/gmpc
-allow  ${HOME}/.config/gmpc
+whitelist ${HOME}/.config/gmpc
-allow  ${MUSIC}
+whitelist ${MUSIC}
-allow  /usr/share/gmpc
+whitelist /usr/share/gmpc
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-2048.profile b/etc/profile-a-l/gnome-2048.profile
index c723f6e46..777c81dbe 100644
--- a/etc/profile-a-l/gnome-2048.profile
+++ b/etc/profile-a-l/gnome-2048.profile
@@ -6,10 +6,10 @@ include gnome-2048.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/gnome-2048
+noblacklist ${HOME}/.local/share/gnome-2048
 mkdir ${HOME}/.local/share/gnome-2048
-allow  ${HOME}/.local/share/gnome-2048
+whitelist ${HOME}/.local/share/gnome-2048
 private-bin gnome-2048
diff --git a/etc/profile-a-l/gnome-books.profile b/etc/profile-a-l/gnome-books.profile
index 2ed5fa76b..34a7f557c 100644
--- a/etc/profile-a-l/gnome-books.profile
+++ b/etc/profile-a-l/gnome-books.profile
@@ -7,8 +7,8 @@ include globals.local
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
-nodeny  ${HOME}/.cache/org.gnome.Books
+noblacklist ${HOME}/.cache/org.gnome.Books
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
diff --git a/etc/profile-a-l/gnome-builder.profile b/etc/profile-a-l/gnome-builder.profile
index 7dd1c6e22..37ca5aeff 100644
--- a/etc/profile-a-l/gnome-builder.profile
+++ b/etc/profile-a-l/gnome-builder.profile
@@ -6,11 +6,11 @@ include gnome-builder.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.bash_history
+noblacklist ${HOME}/.bash_history
-nodeny  ${HOME}/.cache/gnome-builder
+noblacklist ${HOME}/.cache/gnome-builder
-nodeny  ${HOME}/.config/gnome-builder
+noblacklist ${HOME}/.config/gnome-builder
-nodeny  ${HOME}/.local/share/gnome-builder
+noblacklist ${HOME}/.local/share/gnome-builder
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index d91fbaa4b..03acd66aa 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/libgweather
+whitelist /usr/share/libgweather
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
index 806d7e571..741fe9bf7 100644
--- a/etc/profile-a-l/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -18,7 +18,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/org.gnome.Characters
+whitelist /usr/share/org.gnome.Characters
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile
index 095210565..bd39f625c 100644
--- a/etc/profile-a-l/gnome-chess.profile
+++ b/etc/profile-a-l/gnome-chess.profile
@@ -6,8 +6,8 @@ include gnome-chess.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/gnome-chess
+noblacklist ${HOME}/.config/gnome-chess
-nodeny  ${HOME}/.local/share/gnome-chess
+noblacklist ${HOME}/.local/share/gnome-chess
 include disable-common.inc
 include disable-devel.inc
@@ -22,8 +22,8 @@ include disable-xdg.inc
 #whitelist ${HOME}/.local/share/gnome-chess
 #include whitelist-common.inc
-allow  /usr/share/gnuchess
+whitelist /usr/share/gnuchess
-allow  /usr/share/gnome-chess
+whitelist /usr/share/gnome-chess
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile
index 7e2d458fd..1e7c70b84 100644
--- a/etc/profile-a-l/gnome-clocks.profile
+++ b/etc/profile-a-l/gnome-clocks.profile
@@ -15,8 +15,8 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/gnome-clocks
+whitelist /usr/share/gnome-clocks
-allow  /usr/share/libgweather
+whitelist /usr/share/libgweather
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile
index 7902fa169..dcc6163b6 100644
--- a/etc/profile-a-l/gnome-contacts.profile
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -6,7 +6,7 @@ include gnome-contacts.local
 # Persistent global definitions
 include globals.local
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gnome-documents.profile b/etc/profile-a-l/gnome-documents.profile
index 0f601149f..29ad67af8 100644
--- a/etc/profile-a-l/gnome-documents.profile
+++ b/etc/profile-a-l/gnome-documents.profile
@@ -8,8 +8,8 @@ include globals.local
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
-nodeny  ${HOME}/.config/libreoffice
+noblacklist ${HOME}/.config/libreoffice
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
index 50c3e2c6f..2db956faf 100644
--- a/etc/profile-a-l/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -16,7 +16,7 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.cache/mesa_shader_cache
-allow  /usr/share/gnome-hexgl
+whitelist /usr/share/gnome-hexgl
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile
index 62a5a34ea..25b4c47de 100644
--- a/etc/profile-a-l/gnome-keyring.profile
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -7,7 +7,7 @@ include gnome-keyring.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
 include disable-common.inc
 include disable-devel.inc
@@ -18,12 +18,12 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.gnupg
-allow  ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/gnupg
-allow  ${RUNUSER}/keyring
+whitelist ${RUNUSER}/keyring
-allow  /usr/share/gnupg
+whitelist /usr/share/gnupg
-allow  /usr/share/gnupg2
+whitelist /usr/share/gnupg2
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnome-klotski.profile b/etc/profile-a-l/gnome-klotski.profile
index ed074f944..c67a5c0da 100644
--- a/etc/profile-a-l/gnome-klotski.profile
+++ b/etc/profile-a-l/gnome-klotski.profile
@@ -6,10 +6,10 @@ include gnome-klotski.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/gnome-klotski
+noblacklist ${HOME}/.local/share/gnome-klotski
 mkdir ${HOME}/.local/share/gnome-klotski
-allow  ${HOME}/.local/share/gnome-klotski
+whitelist ${HOME}/.local/share/gnome-klotski
 private-bin gnome-klotski
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index 4a03a7ff5..1a7eafeca 100644
--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -6,8 +6,8 @@ include gnome-latex.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/gnome-latex
+noblacklist ${HOME}/.config/gnome-latex
-nodeny  ${HOME}/.local/share/gnome-latex
+noblacklist ${HOME}/.local/share/gnome-latex
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
@@ -19,8 +19,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-allow  /usr/share/gnome-latex
+whitelist /usr/share/gnome-latex
-allow  /usr/share/texlive
+whitelist /usr/share/texlive
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 # May cause issues.
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index fcc02dc76..9d2ea7b7b 100644
--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /var/log/journal
+whitelist /var/log/journal
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-mahjongg.profile b/etc/profile-a-l/gnome-mahjongg.profile
index e21f03efe..42409dce8 100644
--- a/etc/profile-a-l/gnome-mahjongg.profile
+++ b/etc/profile-a-l/gnome-mahjongg.profile
@@ -6,7 +6,7 @@ include gnome-mahjongg.local
 # Persistent global definitions
 include globals.local
-allow  /usr/share/gnome-mahjongg
+whitelist /usr/share/gnome-mahjongg
 private-bin gnome-mahjongg
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index cf4eceee3..23aab343f 100644
--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -11,14 +11,14 @@ include globals.local
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
-nodeny  ${HOME}/.cache/champlain
+noblacklist ${HOME}/.cache/champlain
-nodeny  ${HOME}/.cache/org.gnome.Maps
+noblacklist ${HOME}/.cache/org.gnome.Maps
-nodeny  ${HOME}/.local/share/maps-places.json
+noblacklist ${HOME}/.local/share/maps-places.json
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
-deny  /usr/libexec
+blacklist /usr/libexec
 include disable-common.inc
 include disable-devel.inc
@@ -31,12 +31,12 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/champlain
 mkfile ${HOME}/.local/share/maps-places.json
-allow  ${HOME}/.cache/champlain
+whitelist ${HOME}/.cache/champlain
-allow  ${HOME}/.local/share/maps-places.json
+whitelist ${HOME}/.local/share/maps-places.json
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${PICTURES}
+whitelist ${PICTURES}
-allow  /usr/share/gnome-maps
+whitelist /usr/share/gnome-maps
-allow  /usr/share/libgweather
+whitelist /usr/share/libgweather
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnome-mines.profile b/etc/profile-a-l/gnome-mines.profile
index 1b2949bc5..4fe8986c2 100644
--- a/etc/profile-a-l/gnome-mines.profile
+++ b/etc/profile-a-l/gnome-mines.profile
@@ -6,11 +6,11 @@ include gnome-mines.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/gnome-mines
+noblacklist ${HOME}/.local/share/gnome-mines
 mkdir ${HOME}/.local/share/gnome-mines
-allow  ${HOME}/.local/share/gnome-mines
+whitelist ${HOME}/.local/share/gnome-mines
-allow  /usr/share/gnome-mines
+whitelist /usr/share/gnome-mines
 private-bin gnome-mines
diff --git a/etc/profile-a-l/gnome-mplayer.profile b/etc/profile-a-l/gnome-mplayer.profile
index c1cbc796a..43fe71f5e 100644
--- a/etc/profile-a-l/gnome-mplayer.profile
+++ b/etc/profile-a-l/gnome-mplayer.profile
@@ -6,9 +6,9 @@ include gnome-mplayer.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/gnome-mplayer
+noblacklist ${HOME}/.config/gnome-mplayer
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile
index 8fd0826c4..2fcbe9910 100644
--- a/etc/profile-a-l/gnome-music.profile
+++ b/etc/profile-a-l/gnome-music.profile
@@ -6,8 +6,8 @@ include gnome-music.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/gnome-music
+noblacklist ${HOME}/.local/share/gnome-music
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/gnome-nettool.profile b/etc/profile-a-l/gnome-nettool.profile
index a929582f8..814751db3 100644
--- a/etc/profile-a-l/gnome-nettool.profile
+++ b/etc/profile-a-l/gnome-nettool.profile
@@ -14,7 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  /usr/share/gnome-nettool
+whitelist /usr/share/gnome-nettool
 #include whitelist-common.inc -- see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnome-nibbles.profile b/etc/profile-a-l/gnome-nibbles.profile
index d4c037a41..b22810d34 100644
--- a/etc/profile-a-l/gnome-nibbles.profile
+++ b/etc/profile-a-l/gnome-nibbles.profile
@@ -9,11 +9,11 @@ include globals.local
 ignore machine-id
 ignore nosound
-nodeny  ${HOME}/.local/share/gnome-nibbles
+noblacklist ${HOME}/.local/share/gnome-nibbles
 mkdir ${HOME}/.local/share/gnome-nibbles
-allow  ${HOME}/.local/share/gnome-nibbles
+whitelist ${HOME}/.local/share/gnome-nibbles
-allow  /usr/share/gnome-nibbles
+whitelist /usr/share/gnome-nibbles
 private-bin gnome-nibbles
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index d2cf828cc..fee5f88b9 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -6,14 +6,14 @@ include gnome-passwordsafe.local
 # Persistent global definitions
 include globals.local
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${HOME}/*.kdb
+noblacklist ${HOME}/*.kdb
-nodeny  ${HOME}/*.kdbx
+noblacklist ${HOME}/*.kdbx
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
-deny  /usr/libexec
+blacklist /usr/libexec
 include disable-common.inc
 include disable-devel.inc
@@ -24,8 +24,8 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/cracklib
+whitelist /usr/share/cracklib
-allow  /usr/share/passwordsafe
+whitelist /usr/share/passwordsafe
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile
index 3702da2c7..58bf3f349 100644
--- a/etc/profile-a-l/gnome-photos.profile
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -8,7 +8,7 @@ include globals.local
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
-nodeny  ${HOME}/.local/share/gnome-photos
+noblacklist ${HOME}/.local/share/gnome-photos
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile
index e9ae2bcb0..41903b136 100644
--- a/etc/profile-a-l/gnome-pie.profile
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -6,7 +6,7 @@ include gnome-pie.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/gnome-pie
+noblacklist ${HOME}/.config/gnome-pie
 #include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
index bec23910c..c2ba7556d 100644
--- a/etc/profile-a-l/gnome-pomodoro.profile
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -6,7 +6,7 @@ include gnome-pomodoro.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/gnome-pomodoro
+noblacklist ${HOME}/.local/share/gnome-pomodoro
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.local/share/gnome-pomodoro
-allow  ${HOME}/.local/share/gnome-pomodoro
+whitelist ${HOME}/.local/share/gnome-pomodoro
-allow  /usr/share/gnome-pomodoro
+whitelist /usr/share/gnome-pomodoro
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile
index 5ef33fdd8..48c98ebe0 100644
--- a/etc/profile-a-l/gnome-recipes.profile
+++ b/etc/profile-a-l/gnome-recipes.profile
@@ -7,8 +7,8 @@ include gnome-recipes.local
 include globals.local
-nodeny  ${HOME}/.cache/gnome-recipes
+noblacklist ${HOME}/.cache/gnome-recipes
-nodeny  ${HOME}/.local/share/gnome-recipes
+noblacklist ${HOME}/.local/share/gnome-recipes
 include disable-common.inc
 include disable-devel.inc
@@ -20,9 +20,9 @@ include disable-shell.inc
 mkdir ${HOME}/.cache/gnome-recipes
 mkdir ${HOME}/.local/share/gnome-recipes
-allow  ${HOME}/.cache/gnome-recipes
+whitelist ${HOME}/.cache/gnome-recipes
-allow  ${HOME}/.local/share/gnome-recipes
+whitelist ${HOME}/.local/share/gnome-recipes
-allow  /usr/share/gnome-recipes
+whitelist /usr/share/gnome-recipes
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-ring.profile b/etc/profile-a-l/gnome-ring.profile
index b34d264f4..78ceb9c4f 100644
--- a/etc/profile-a-l/gnome-ring.profile
+++ b/etc/profile-a-l/gnome-ring.profile
@@ -5,7 +5,7 @@ include gnome-ring.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/gnome-ring
+noblacklist ${HOME}/.local/share/gnome-ring
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gnome-robots.profile b/etc/profile-a-l/gnome-robots.profile
index 836d4e2b2..8835f2b93 100644
--- a/etc/profile-a-l/gnome-robots.profile
+++ b/etc/profile-a-l/gnome-robots.profile
@@ -9,7 +9,7 @@ include globals.local
 ignore machine-id
 ignore nosound
-allow  /usr/share/gnome-robots
+whitelist /usr/share/gnome-robots
 private-bin gnome-robots
diff --git a/etc/profile-a-l/gnome-schedule.profile b/etc/profile-a-l/gnome-schedule.profile
index 146f8bc4e..69c90b33d 100644
--- a/etc/profile-a-l/gnome-schedule.profile
+++ b/etc/profile-a-l/gnome-schedule.profile
@@ -6,17 +6,17 @@ include gnome-schedule.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.gnome/gnome-schedule
+noblacklist ${HOME}/.gnome/gnome-schedule
 # Needs at and crontab to read/write user cron
-nodeny  ${PATH}/at
+noblacklist ${PATH}/at
-nodeny  ${PATH}/crontab
+noblacklist ${PATH}/crontab
 # Needs access to these files/dirs
-nodeny  /etc/cron.allow
+noblacklist /etc/cron.allow
-nodeny  /etc/cron.deny
+noblacklist /etc/cron.deny
-nodeny  /etc/shadow
+noblacklist /etc/shadow
-nodeny  /var/spool/cron
+noblacklist /var/spool/cron
 # cron job testing needs a terminal, resulting in sandbox escape (see disable-common.inc)
 # add 'noblacklist ${PATH}/your-terminal' to gnome-schedule.local if you need that functionality
@@ -34,10 +34,10 @@ include disable-programs.inc
 include disable-xdg.inc
 mkfile ${HOME}/.gnome/gnome-schedule
-allow  ${HOME}/.gnome/gnome-schedule
+whitelist ${HOME}/.gnome/gnome-schedule
-allow  /usr/share/gnome-schedule
+whitelist /usr/share/gnome-schedule
-allow  /var/spool/atd
+whitelist /var/spool/atd
-allow  /var/spool/cron
+whitelist /var/spool/cron
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
index 175549e99..b683b6f6c 100644
--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -6,8 +6,8 @@ include gnome-screenshot.local
 # Persistent global definitions
 include globals.local
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
-nodeny  ${HOME}/.cache/gnome-screenshot
+noblacklist ${HOME}/.cache/gnome-screenshot
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
index c2fb14fa4..34f5fdeff 100644
--- a/etc/profile-a-l/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -6,8 +6,8 @@ include gnome-sound-recorder.local
 # Persistent global definitions
 include globals.local
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
-nodeny  ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.local/share/Trash
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
diff --git a/etc/profile-a-l/gnome-sudoku.profile b/etc/profile-a-l/gnome-sudoku.profile
index 3b7835e52..12fd48a86 100644
--- a/etc/profile-a-l/gnome-sudoku.profile
+++ b/etc/profile-a-l/gnome-sudoku.profile
@@ -6,10 +6,10 @@ include gnome-sudoku.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/gnome-sudoku
+noblacklist ${HOME}/.local/share/gnome-sudoku
 mkdir ${HOME}/.local/share/gnome-sudoku
-allow  ${HOME}/.local/share/gnome-sudoku
+whitelist ${HOME}/.local/share/gnome-sudoku
 private-bin gnome-sudoku
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index 6978f7cab..8a818695d 100644
--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /var/log
+whitelist /var/log
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-taquin.profile b/etc/profile-a-l/gnome-taquin.profile
index ac87cf70f..2341334f7 100644
--- a/etc/profile-a-l/gnome-taquin.profile
+++ b/etc/profile-a-l/gnome-taquin.profile
@@ -9,7 +9,7 @@ include globals.local
 ignore machine-id
 ignore nosound
-allow  /usr/share/gnome-taquin
+whitelist /usr/share/gnome-taquin
 private-bin gnome-taquin
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile
index 092fd58a3..3b147cd48 100644
--- a/etc/profile-a-l/gnome-todo.profile
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -18,7 +18,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/gnome-todo
+whitelist /usr/share/gnome-todo
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/gnome-twitch.profile b/etc/profile-a-l/gnome-twitch.profile
index d76872ea6..b8ec195d3 100644
--- a/etc/profile-a-l/gnome-twitch.profile
+++ b/etc/profile-a-l/gnome-twitch.profile
@@ -6,8 +6,8 @@ include gnome-twitch.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/gnome-twitch
+noblacklist ${HOME}/.cache/gnome-twitch
-nodeny  ${HOME}/.local/share/gnome-twitch
+noblacklist ${HOME}/.local/share/gnome-twitch
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/gnome-twitch
 mkdir ${HOME}/.local/share/gnome-twitch
-allow  ${HOME}/.cache/gnome-twitch
+whitelist ${HOME}/.cache/gnome-twitch
-allow  ${HOME}/.local/share/gnome-twitch
+whitelist ${HOME}/.local/share/gnome-twitch
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile
index 6f557ff8d..2e08fa41d 100644
--- a/etc/profile-a-l/gnome-weather.profile
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -8,7 +8,7 @@ include globals.local
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
-nodeny  ${HOME}/.cache/libgweather
+noblacklist ${HOME}/.cache/libgweather
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile
index 261efefac..c3014a288 100644
--- a/etc/profile-a-l/gnote.profile
+++ b/etc/profile-a-l/gnote.profile
@@ -6,8 +6,8 @@ include gnote.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/gnote
+noblacklist ${HOME}/.config/gnote
-nodeny  ${HOME}/.local/share/gnote
+noblacklist ${HOME}/.local/share/gnote
 include disable-common.inc
 include disable-devel.inc
@@ -20,9 +20,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/gnote
 mkdir ${HOME}/.local/share/gnote
-allow  ${HOME}/.config/gnote
+whitelist ${HOME}/.config/gnote
-allow  ${HOME}/.local/share/gnote
+whitelist ${HOME}/.local/share/gnote
-allow  /usr/share/gnote
+whitelist /usr/share/gnote
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile
index e6fbca26f..22851ce9f 100644
--- a/etc/profile-a-l/gnubik.profile
+++ b/etc/profile-a-l/gnubik.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/gnubik
+whitelist /usr/share/gnubik
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
index f35a53ca4..09ca17caa 100644
--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -6,9 +6,9 @@ include godot.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/godot
+noblacklist ${HOME}/.cache/godot
-nodeny  ${HOME}/.config/godot
+noblacklist ${HOME}/.config/godot
-nodeny  ${HOME}/.local/share/godot
+noblacklist ${HOME}/.local/share/godot
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/goobox.profile b/etc/profile-a-l/goobox.profile
index 95dd41c2a..8399d77c4 100644
--- a/etc/profile-a-l/goobox.profile
+++ b/etc/profile-a-l/goobox.profile
@@ -6,7 +6,7 @@ include goobox.local
 # Persistent global definitions
 include globals.local
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/google-chrome-beta.profile b/etc/profile-a-l/google-chrome-beta.profile
index 07f0e587d..ebe5e870b 100644
--- a/etc/profile-a-l/google-chrome-beta.profile
+++ b/etc/profile-a-l/google-chrome-beta.profile
@@ -10,19 +10,19 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
-nodeny  ${HOME}/.cache/google-chrome-beta
+noblacklist ${HOME}/.cache/google-chrome-beta
-nodeny  ${HOME}/.config/google-chrome-beta
+noblacklist ${HOME}/.config/google-chrome-beta
-nodeny  ${HOME}/.config/chrome-beta-flags.conf
+noblacklist ${HOME}/.config/chrome-beta-flags.conf
-nodeny  ${HOME}/.config/chrome-beta-flags.config
+noblacklist ${HOME}/.config/chrome-beta-flags.config
 mkdir ${HOME}/.cache/google-chrome-beta
 mkdir ${HOME}/.config/google-chrome-beta
-allow  ${HOME}/.cache/google-chrome-beta
+whitelist ${HOME}/.cache/google-chrome-beta
-allow  ${HOME}/.config/google-chrome-beta
+whitelist ${HOME}/.config/google-chrome-beta
-allow  ${HOME}/.config/chrome-beta-flags.conf
+whitelist ${HOME}/.config/chrome-beta-flags.conf
-allow  ${HOME}/.config/chrome-beta-flags.config
+whitelist ${HOME}/.config/chrome-beta-flags.config
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/google-chrome-unstable.profile b/etc/profile-a-l/google-chrome-unstable.profile
index 229904411..4d303f71b 100644
--- a/etc/profile-a-l/google-chrome-unstable.profile
+++ b/etc/profile-a-l/google-chrome-unstable.profile
@@ -10,19 +10,19 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
-nodeny  ${HOME}/.cache/google-chrome-unstable
+noblacklist ${HOME}/.cache/google-chrome-unstable
-nodeny  ${HOME}/.config/google-chrome-unstable
+noblacklist ${HOME}/.config/google-chrome-unstable
-nodeny  ${HOME}/.config/chrome-unstable-flags.conf
+noblacklist ${HOME}/.config/chrome-unstable-flags.conf
-nodeny  ${HOME}/.config/chrome-unstable-flags.config
+noblacklist ${HOME}/.config/chrome-unstable-flags.config
 mkdir ${HOME}/.cache/google-chrome-unstable
 mkdir ${HOME}/.config/google-chrome-unstable
-allow  ${HOME}/.cache/google-chrome-unstable
+whitelist ${HOME}/.cache/google-chrome-unstable
-allow  ${HOME}/.config/google-chrome-unstable
+whitelist ${HOME}/.config/google-chrome-unstable
-allow  ${HOME}/.config/chrome-unstable-flags.conf
+whitelist ${HOME}/.config/chrome-unstable-flags.conf
-allow  ${HOME}/.config/chrome-unstable-flags.config
+whitelist ${HOME}/.config/chrome-unstable-flags.config
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/google-chrome.profile b/etc/profile-a-l/google-chrome.profile
index f61642f17..ed2595f72 100644
--- a/etc/profile-a-l/google-chrome.profile
+++ b/etc/profile-a-l/google-chrome.profile
@@ -10,19 +10,19 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
-nodeny  ${HOME}/.cache/google-chrome
+noblacklist ${HOME}/.cache/google-chrome
-nodeny  ${HOME}/.config/google-chrome
+noblacklist ${HOME}/.config/google-chrome
-nodeny  ${HOME}/.config/chrome-flags.conf
+noblacklist ${HOME}/.config/chrome-flags.conf
-nodeny  ${HOME}/.config/chrome-flags.config
+noblacklist ${HOME}/.config/chrome-flags.config
 mkdir ${HOME}/.cache/google-chrome
 mkdir ${HOME}/.config/google-chrome
-allow  ${HOME}/.cache/google-chrome
+whitelist ${HOME}/.cache/google-chrome
-allow  ${HOME}/.config/google-chrome
+whitelist ${HOME}/.config/google-chrome
-allow  ${HOME}/.config/chrome-flags.conf
+whitelist ${HOME}/.config/chrome-flags.conf
-allow  ${HOME}/.config/chrome-flags.config
+whitelist ${HOME}/.config/chrome-flags.config
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/google-earth.profile b/etc/profile-a-l/google-earth.profile
index 6039f7cbd..65ac04771 100644
--- a/etc/profile-a-l/google-earth.profile
+++ b/etc/profile-a-l/google-earth.profile
@@ -5,8 +5,8 @@ include google-earth.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Google
+noblacklist ${HOME}/.config/Google
-nodeny  ${HOME}/.googleearth
+noblacklist ${HOME}/.googleearth
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 mkdir ${HOME}/.config/Google
 mkdir ${HOME}/.googleearth
-allow  ${HOME}/.config/Google
+whitelist ${HOME}/.config/Google
-allow  ${HOME}/.googleearth
+whitelist ${HOME}/.googleearth
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/google-play-music-desktop-player.profile b/etc/profile-a-l/google-play-music-desktop-player.profile
index fdb65b93c..a7aabe105 100644
--- a/etc/profile-a-l/google-play-music-desktop-player.profile
+++ b/etc/profile-a-l/google-play-music-desktop-player.profile
@@ -8,7 +8,7 @@ include globals.local
 # noexec /tmp breaks mpris support
 ignore noexec /tmp
-nodeny  ${HOME}/.config/Google Play Music Desktop Player
+noblacklist ${HOME}/.config/Google Play Music Desktop Player
 include disable-common.inc
 include disable-devel.inc
@@ -20,7 +20,7 @@ include disable-programs.inc
 mkdir ${HOME}/.config/Google Play Music Desktop Player
 # whitelist ${HOME}/.config/pulse
 # whitelist ${HOME}/.pulse
-allow  ${HOME}/.config/Google Play Music Desktop Player
+whitelist ${HOME}/.config/Google Play Music Desktop Player
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile
index 952c9c1d4..2d0bce52b 100644
--- a/etc/profile-a-l/googler-common.profile
+++ b/etc/profile-a-l/googler-common.profile
@@ -7,10 +7,10 @@ include googler-common.local
 # added by caller profile
 #include globals.local
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
-nodeny  ${HOME}/.w3m
+noblacklist ${HOME}/.w3m
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
@@ -26,7 +26,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  ${HOME}/.w3m
+whitelist ${HOME}/.w3m
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gpa.profile b/etc/profile-a-l/gpa.profile
index 9b8da361b..37b4f0b1c 100644
--- a/etc/profile-a-l/gpa.profile
+++ b/etc/profile-a-l/gpa.profile
@@ -6,7 +6,7 @@ include gpa.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gpg-agent.profile b/etc/profile-a-l/gpg-agent.profile
index 5fa66bb55..7f0b614b1 100644
--- a/etc/profile-a-l/gpg-agent.profile
+++ b/etc/profile-a-l/gpg-agent.profile
@@ -7,10 +7,10 @@ include gpg-agent.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
@@ -20,11 +20,11 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.gnupg
-allow  ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
-allow  ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/gnupg
-allow  ${RUNUSER}/keyring
+whitelist ${RUNUSER}/keyring
-allow  /usr/share/gnupg
+whitelist /usr/share/gnupg
-allow  /usr/share/gnupg2
+whitelist /usr/share/gnupg2
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gpg.profile b/etc/profile-a-l/gpg.profile
index 2ad896abe..4a4d6527c 100644
--- a/etc/profile-a-l/gpg.profile
+++ b/etc/profile-a-l/gpg.profile
@@ -7,10 +7,10 @@ include gpg.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
@@ -18,11 +18,11 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-allow  ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/gnupg
-allow  ${RUNUSER}/keyring
+whitelist ${RUNUSER}/keyring
-allow  /usr/share/gnupg
+whitelist /usr/share/gnupg
-allow  /usr/share/gnupg2
+whitelist /usr/share/gnupg2
-allow  /usr/share/pacman/keyrings
+whitelist /usr/share/pacman/keyrings
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile
index 0552dc3d7..fa53c26c8 100644
--- a/etc/profile-a-l/gpicview.profile
+++ b/etc/profile-a-l/gpicview.profile
@@ -6,7 +6,7 @@ include gpicview.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/gpicview
+noblacklist ${HOME}/.config/gpicview
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
-allow  /usr/share/gpicview
+whitelist /usr/share/gpicview
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile
index c9e62a73f..253d644f1 100644
--- a/etc/profile-a-l/gpredict.profile
+++ b/etc/profile-a-l/gpredict.profile
@@ -6,7 +6,7 @@ include gpredict.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Gpredict
+noblacklist ${HOME}/.config/Gpredict
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 mkdir ${HOME}/.config/Gpredict
-allow  ${HOME}/.config/Gpredict
+whitelist ${HOME}/.config/Gpredict
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile
index 2aebe2338..2b4c536d2 100644
--- a/etc/profile-a-l/gradio.profile
+++ b/etc/profile-a-l/gradio.profile
@@ -5,8 +5,8 @@ include gradio.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/gradio
+noblacklist ${HOME}/.cache/gradio
-nodeny  ${HOME}/.local/share/gradio
+noblacklist ${HOME}/.local/share/gradio
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/gradio
 mkdir ${HOME}/.local/share/gradio
-allow  ${HOME}/.cache/gradio
+whitelist ${HOME}/.cache/gradio
-allow  ${HOME}/.local/share/gradio
+whitelist ${HOME}/.local/share/gradio
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gramps.profile b/etc/profile-a-l/gramps.profile
index 53f0baccb..c7e0c2977 100644
--- a/etc/profile-a-l/gramps.profile
+++ b/etc/profile-a-l/gramps.profile
@@ -6,7 +6,7 @@ include gramps.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.gramps
+noblacklist ${HOME}/.gramps
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
@@ -21,7 +21,7 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.gramps
-allow  ${HOME}/.gramps
+whitelist ${HOME}/.gramps
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
index ecc871c2e..890ba2560 100644
--- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/gravity-beams-and-evaporating-stars
+whitelist /usr/share/gravity-beams-and-evaporating-stars
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gthumb.profile b/etc/profile-a-l/gthumb.profile
index 9a4f7b4fb..5927e8c4d 100644
--- a/etc/profile-a-l/gthumb.profile
+++ b/etc/profile-a-l/gthumb.profile
@@ -6,9 +6,9 @@ include gthumb.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/gthumb
+noblacklist ${HOME}/.config/gthumb
-nodeny  ${HOME}/.Steam
+noblacklist ${HOME}/.Steam
-nodeny  ${HOME}/.steam
+noblacklist ${HOME}/.steam
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile
index d6bb9902a..c8addae75 100644
--- a/etc/profile-a-l/gtk-update-icon-cache.profile
+++ b/etc/profile-a-l/gtk-update-icon-cache.profile
@@ -7,7 +7,7 @@ include gtk-update-icon-cache.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gtk2-youtube-viewer.profile b/etc/profile-a-l/gtk2-youtube-viewer.profile
index 8241de43a..787c7bd90 100644
--- a/etc/profile-a-l/gtk2-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk2-youtube-viewer.profile
@@ -8,8 +8,8 @@ include gtk2-youtube-viewer.local
 ignore quiet
-nodeny  /tmp/.X11-unix
+noblacklist /tmp/.X11-unix
-nodeny  ${RUNUSER}
+noblacklist ${RUNUSER}
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/gtk3-youtube-viewer.profile b/etc/profile-a-l/gtk3-youtube-viewer.profile
index 6ea4ebbdc..988882622 100644
--- a/etc/profile-a-l/gtk3-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk3-youtube-viewer.profile
@@ -8,8 +8,8 @@ include gtk3-youtube-viewer.local
 ignore quiet
-nodeny  /tmp/.X11-unix
+noblacklist /tmp/.X11-unix
-nodeny  ${RUNUSER}
+noblacklist ${RUNUSER}
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/guayadeque.profile b/etc/profile-a-l/guayadeque.profile
index 731bcad1d..3d2b71e9d 100644
--- a/etc/profile-a-l/guayadeque.profile
+++ b/etc/profile-a-l/guayadeque.profile
@@ -5,8 +5,8 @@ include guayadeque.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.guayadeque
+noblacklist ${HOME}/.guayadeque
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gummi.profile b/etc/profile-a-l/gummi.profile
index 5cdc2cc18..2223c37a1 100644
--- a/etc/profile-a-l/gummi.profile
+++ b/etc/profile-a-l/gummi.profile
@@ -5,8 +5,8 @@ include gummi.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/gummi
+noblacklist ${HOME}/.cache/gummi
-nodeny  ${HOME}/.config/gummi
+noblacklist ${HOME}/.config/gummi
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
diff --git a/etc/profile-a-l/guvcview.profile b/etc/profile-a-l/guvcview.profile
index 3404f5177..9221ca31c 100644
--- a/etc/profile-a-l/guvcview.profile
+++ b/etc/profile-a-l/guvcview.profile
@@ -6,10 +6,10 @@ include guvcview.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/guvcview2
+noblacklist ${HOME}/.config/guvcview2
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
@@ -21,9 +21,9 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/guvcview2
-allow  ${HOME}/.config/guvcview2
+whitelist ${HOME}/.config/guvcview2
-allow  ${PICTURES}
+whitelist ${PICTURES}
-allow  ${VIDEOS}
+whitelist ${VIDEOS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile
index 132b5a2e2..d33e2a673 100644
--- a/etc/profile-a-l/gwenview.profile
+++ b/etc/profile-a-l/gwenview.profile
@@ -6,17 +6,17 @@ include gwenview.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/GIMP
+noblacklist ${HOME}/.config/GIMP
-nodeny  ${HOME}/.config/gwenviewrc
+noblacklist ${HOME}/.config/gwenviewrc
-nodeny  ${HOME}/.config/org.kde.gwenviewrc
+noblacklist ${HOME}/.config/org.kde.gwenviewrc
-nodeny  ${HOME}/.gimp*
+noblacklist ${HOME}/.gimp*
-nodeny  ${HOME}/.kde/share/apps/gwenview
+noblacklist ${HOME}/.kde/share/apps/gwenview
-nodeny  ${HOME}/.kde/share/config/gwenviewrc
+noblacklist ${HOME}/.kde/share/config/gwenviewrc
-nodeny  ${HOME}/.kde4/share/apps/gwenview
+noblacklist ${HOME}/.kde4/share/apps/gwenview
-nodeny  ${HOME}/.kde4/share/config/gwenviewrc
+noblacklist ${HOME}/.kde4/share/config/gwenviewrc
-nodeny  ${HOME}/.local/share/gwenview
+noblacklist ${HOME}/.local/share/gwenview
-nodeny  ${HOME}/.local/share/kxmlgui5/gwenview
+noblacklist ${HOME}/.local/share/kxmlgui5/gwenview
-nodeny  ${HOME}/.local/share/org.kde.gwenview
+noblacklist ${HOME}/.local/share/org.kde.gwenview
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gzip.profile b/etc/profile-a-l/gzip.profile
index 46c98bdc2..b261c16f4 100644
--- a/etc/profile-a-l/gzip.profile
+++ b/etc/profile-a-l/gzip.profile
@@ -9,7 +9,7 @@ include globals.local
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop
 # all capabilities this is automatically read-only.
-nodeny  /var/lib/pacman
+noblacklist /var/lib/pacman
 # Redirect
 include archiver-common.profile
diff --git a/etc/profile-a-l/handbrake.profile b/etc/profile-a-l/handbrake.profile
index c102ac4cb..847e1ec1e 100644
--- a/etc/profile-a-l/handbrake.profile
+++ b/etc/profile-a-l/handbrake.profile
@@ -6,9 +6,9 @@ include handbrake.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/ghb
+noblacklist ${HOME}/.config/ghb
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/hashcat.profile b/etc/profile-a-l/hashcat.profile
index d98a1b554..aab4b0c21 100644
--- a/etc/profile-a-l/hashcat.profile
+++ b/etc/profile-a-l/hashcat.profile
@@ -7,11 +7,11 @@ include hashcat.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
-nodeny  ${HOME}/.hashcat
+noblacklist ${HOME}/.hashcat
-nodeny  /usr/include
+noblacklist /usr/include
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile
index 1c2a44e06..44584f26b 100644
--- a/etc/profile-a-l/hasher-common.profile
+++ b/etc/profile-a-l/hasher-common.profile
@@ -4,7 +4,7 @@ include hasher-common.local
 # common profile for hasher/checksum tools
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
 # Comment/uncomment the relevant include file(s) in your hasher-common.local
 # to (un)restrict file access for **all** hashers. Another option is to do this **per hasher**
diff --git a/etc/profile-a-l/hedgewars.profile b/etc/profile-a-l/hedgewars.profile
index 90833af91..c0675d8ec 100644
--- a/etc/profile-a-l/hedgewars.profile
+++ b/etc/profile-a-l/hedgewars.profile
@@ -6,7 +6,7 @@ include hedgewars.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.hedgewars
+noblacklist ${HOME}/.hedgewars
 include allow-lua.inc
@@ -17,7 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.hedgewars
-allow  ${HOME}/.hedgewars
+whitelist ${HOME}/.hedgewars
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
index 993efb591..b887de147 100644
--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -6,7 +6,7 @@ include hexchat.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/hexchat
+noblacklist ${HOME}/.config/hexchat
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
@@ -28,7 +28,7 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/hexchat
-allow  ${HOME}/.config/hexchat
+whitelist ${HOME}/.config/hexchat
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/highlight.profile b/etc/profile-a-l/highlight.profile
index 53db642dc..643736ac7 100644
--- a/etc/profile-a-l/highlight.profile
+++ b/etc/profile-a-l/highlight.profile
@@ -6,7 +6,7 @@ include highlight.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
index ef259cc00..199b1a5e5 100644
--- a/etc/profile-a-l/homebank.profile
+++ b/etc/profile-a-l/homebank.profile
@@ -6,7 +6,7 @@ include homebank.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/homebank
+noblacklist ${HOME}/.config/homebank
 include disable-common.inc
 include disable-devel.inc
@@ -18,9 +18,9 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/homebank
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.config/homebank
+whitelist ${HOME}/.config/homebank
-allow  /usr/share/homebank
+whitelist /usr/share/homebank
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/host.profile b/etc/profile-a-l/host.profile
index 63e1be259..00d9f7a76 100644
--- a/etc/profile-a-l/host.profile
+++ b/etc/profile-a-l/host.profile
@@ -7,8 +7,8 @@ include host.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
-nodeny  ${PATH}/host
+noblacklist ${PATH}/host
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/hugin.profile b/etc/profile-a-l/hugin.profile
index db5cd29cc..267712c87 100644
--- a/etc/profile-a-l/hugin.profile
+++ b/etc/profile-a-l/hugin.profile
@@ -6,9 +6,9 @@ include hugin.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.hugin
+noblacklist ${HOME}/.hugin
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile
index 1fb33ceb8..e66ffd7e1 100644
--- a/etc/profile-a-l/hyperrogue.profile
+++ b/etc/profile-a-l/hyperrogue.profile
@@ -6,7 +6,7 @@ include hyperrogue.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/hyperrogue.ini
+noblacklist ${HOME}/hyperrogue.ini
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkfile ${HOME}/hyperrogue.ini
-allow  ${HOME}/hyperrogue.ini
+whitelist ${HOME}/hyperrogue.ini
-allow  /usr/share/hyperrogue
+whitelist /usr/share/hyperrogue
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile
index c8a2e8a04..47c984175 100644
--- a/etc/profile-a-l/i2prouter.profile
+++ b/etc/profile-a-l/i2prouter.profile
@@ -14,12 +14,12 @@ include globals.local
 # Only needed when i2prouter binary resides in home directory (official I2P java installer does so).
 ignore noexec ${HOME}
-nodeny  ${HOME}/.config/i2p
+noblacklist ${HOME}/.config/i2p
-nodeny  ${HOME}/.i2p
+noblacklist ${HOME}/.i2p
-nodeny  ${HOME}/.local/share/i2p
+noblacklist ${HOME}/.local/share/i2p
-nodeny  ${HOME}/i2p
+noblacklist ${HOME}/i2p
 # Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so).
-nodeny  /usr/sbin
+noblacklist /usr/sbin
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -36,12 +36,12 @@ mkdir ${HOME}/.config/i2p
 mkdir ${HOME}/.i2p
 mkdir ${HOME}/.local/share/i2p
 mkdir ${HOME}/i2p
-allow  ${HOME}/.config/i2p
+whitelist ${HOME}/.config/i2p
-allow  ${HOME}/.i2p
+whitelist ${HOME}/.i2p
-allow  ${HOME}/.local/share/i2p
+whitelist ${HOME}/.local/share/i2p
-allow  ${HOME}/i2p
+whitelist ${HOME}/i2p
 # Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so).
-allow  /usr/sbin/wrapper*
+whitelist /usr/sbin/wrapper*
 include whitelist-common.inc
diff --git a/etc/profile-a-l/i3.profile b/etc/profile-a-l/i3.profile
index 95ddad221..e96b1843c 100644
--- a/etc/profile-a-l/i3.profile
+++ b/etc/profile-a-l/i3.profile
@@ -7,7 +7,7 @@ include i3.local
 include globals.local
 # all applications started in i3 will run in this profile
-nodeny  ${HOME}/.config/i3
+noblacklist ${HOME}/.config/i3
 include disable-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/icecat.profile b/etc/profile-a-l/icecat.profile
index 0de2f658b..660343a29 100644
--- a/etc/profile-a-l/icecat.profile
+++ b/etc/profile-a-l/icecat.profile
@@ -5,13 +5,13 @@ include icecat.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.cache/mozilla
-nodeny  ${HOME}/.mozilla
+noblacklist ${HOME}/.mozilla
 mkdir ${HOME}/.cache/mozilla/icecat
 mkdir ${HOME}/.mozilla
-allow  ${HOME}/.cache/mozilla/icecat
+whitelist ${HOME}/.cache/mozilla/icecat
-allow  ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla
 # private-etc must first be enabled in firefox-common.profile
 #private-etc icecat
diff --git a/etc/profile-a-l/icedove.profile b/etc/profile-a-l/icedove.profile
index 0c22d87d0..19690cd5a 100644
--- a/etc/profile-a-l/icedove.profile
+++ b/etc/profile-a-l/icedove.profile
@@ -9,16 +9,16 @@ include icedove.local
 # Users have icedove set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
-nodeny  ${HOME}/.cache/icedove
+noblacklist ${HOME}/.cache/icedove
-nodeny  ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
-nodeny  ${HOME}/.icedove
+noblacklist ${HOME}/.icedove
 mkdir ${HOME}/.cache/icedove
 mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.icedove
-allow  ${HOME}/.cache/icedove
+whitelist ${HOME}/.cache/icedove
-allow  ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
-allow  ${HOME}/.icedove
+whitelist ${HOME}/.icedove
 include whitelist-common.inc
 ignore private-tmp
diff --git a/etc/profile-a-l/idea.sh.profile b/etc/profile-a-l/idea.sh.profile
index 180b62ec2..680b8e777 100644
--- a/etc/profile-a-l/idea.sh.profile
+++ b/etc/profile-a-l/idea.sh.profile
@@ -5,12 +5,12 @@ include idea.sh.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.IdeaIC*
+noblacklist ${HOME}/.IdeaIC*
-nodeny  ${HOME}/.android
+noblacklist ${HOME}/.android
-nodeny  ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-server
-nodeny  ${HOME}/.jack-settings
+noblacklist ${HOME}/.jack-settings
-nodeny  ${HOME}/.local/share/JetBrains
+noblacklist ${HOME}/.local/share/JetBrains
-nodeny  ${HOME}/.tooling
+noblacklist ${HOME}/.tooling
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/imagej.profile b/etc/profile-a-l/imagej.profile
index 5d28e7aca..12ce7976b 100644
--- a/etc/profile-a-l/imagej.profile
+++ b/etc/profile-a-l/imagej.profile
@@ -6,7 +6,7 @@ include imagej.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.imagej
+noblacklist ${HOME}/.imagej
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-a-l/img2txt.profile b/etc/profile-a-l/img2txt.profile
index 70d56a7dc..c26958d06 100644
--- a/etc/profile-a-l/img2txt.profile
+++ b/etc/profile-a-l/img2txt.profile
@@ -5,10 +5,10 @@ include img2txt.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  /usr/share/imlib2
+whitelist /usr/share/imlib2
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/impressive.profile b/etc/profile-a-l/impressive.profile
index 4914cd9d0..c152be01c 100644
--- a/etc/profile-a-l/impressive.profile
+++ b/etc/profile-a-l/impressive.profile
@@ -6,9 +6,9 @@ include impressive.local
 # Persistent global definitions
 #include globals.local
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  /sbin
+noblacklist /sbin
-nodeny  /usr/sbin
+noblacklist /usr/sbin
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
@@ -23,8 +23,8 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.cache/mesa_shader_cache
-allow  /usr/share/opengl-games-utils
+whitelist /usr/share/opengl-games-utils
-allow  /usr/share/zenity
+whitelist /usr/share/zenity
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
index 1a949b300..35dd86b32 100644
--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -6,14 +6,14 @@ include inkscape.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/inkscape
+noblacklist ${HOME}/.cache/inkscape
-nodeny  ${HOME}/.config/inkscape
+noblacklist ${HOME}/.config/inkscape
-nodeny  ${HOME}/.inkscape
+noblacklist ${HOME}/.inkscape
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 # Allow exporting .xcf files
-nodeny  ${HOME}/.config/GIMP
+noblacklist ${HOME}/.config/GIMP
-nodeny  ${HOME}/.gimp*
+noblacklist ${HOME}/.gimp*
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -28,7 +28,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  /usr/share/inkscape
+whitelist /usr/share/inkscape
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/inox.profile b/etc/profile-a-l/inox.profile
index 1591ed7ea..a5cac12f2 100644
--- a/etc/profile-a-l/inox.profile
+++ b/etc/profile-a-l/inox.profile
@@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
-nodeny  ${HOME}/.cache/inox
+noblacklist ${HOME}/.cache/inox
-nodeny  ${HOME}/.config/inox
+noblacklist ${HOME}/.config/inox
 mkdir ${HOME}/.cache/inox
 mkdir ${HOME}/.config/inox
-allow  ${HOME}/.cache/inox
+whitelist ${HOME}/.cache/inox
-allow  ${HOME}/.config/inox
+whitelist ${HOME}/.config/inox
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/iridium.profile b/etc/profile-a-l/iridium.profile
index f361fd663..3037d00e9 100644
--- a/etc/profile-a-l/iridium.profile
+++ b/etc/profile-a-l/iridium.profile
@@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
-nodeny  ${HOME}/.cache/iridium
+noblacklist ${HOME}/.cache/iridium
-nodeny  ${HOME}/.config/iridium
+noblacklist ${HOME}/.config/iridium
 mkdir ${HOME}/.cache/iridium
 mkdir ${HOME}/.config/iridium
-allow  ${HOME}/.cache/iridium
+whitelist ${HOME}/.cache/iridium
-allow  ${HOME}/.config/iridium
+whitelist ${HOME}/.config/iridium
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/itch.profile b/etc/profile-a-l/itch.profile
index fa0bcf986..e02dcbdb1 100644
--- a/etc/profile-a-l/itch.profile
+++ b/etc/profile-a-l/itch.profile
@@ -8,8 +8,8 @@ include globals.local
 # itch.io has native firejail/sandboxing support bundled in
 # See https://itch.io/docs/itch/using/sandbox/linux.html
-nodeny  ${HOME}/.itch
+noblacklist ${HOME}/.itch
-nodeny  ${HOME}/.config/itch
+noblacklist ${HOME}/.config/itch
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-programs.inc
 mkdir ${HOME}/.itch
 mkdir ${HOME}/.config/itch
-allow  ${HOME}/.itch
+whitelist ${HOME}/.itch
-allow  ${HOME}/.config/itch
+whitelist ${HOME}/.config/itch
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/jami-gnome.profile b/etc/profile-a-l/jami-gnome.profile
index e4be574df..3e9abf369 100644
--- a/etc/profile-a-l/jami-gnome.profile
+++ b/etc/profile-a-l/jami-gnome.profile
@@ -6,8 +6,8 @@ include jami-gnome.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/jami
+noblacklist ${HOME}/.config/jami
-nodeny  ${HOME}/.local/share/jami
+noblacklist ${HOME}/.local/share/jami
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-programs.inc
 mkdir ${HOME}/.config/jami
 mkdir ${HOME}/.local/share/jami
-allow  ${HOME}/.config/jami
+whitelist ${HOME}/.config/jami
-allow  ${HOME}/.local/share/jami
+whitelist ${HOME}/.local/share/jami
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/jd-gui.profile b/etc/profile-a-l/jd-gui.profile
index bfea84c69..7d29f1068 100644
--- a/etc/profile-a-l/jd-gui.profile
+++ b/etc/profile-a-l/jd-gui.profile
@@ -5,7 +5,7 @@ include jd-gui.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/jd-gui.cfg
+noblacklist ${HOME}/.config/jd-gui.cfg
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile
index c41027618..85b1f2120 100644
--- a/etc/profile-a-l/jerry.profile
+++ b/etc/profile-a-l/jerry.profile
@@ -6,7 +6,7 @@ include jerry.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/dkl
+noblacklist ${HOME}/.config/dkl
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile
index 9ca30c36d..edb7ed840 100644
--- a/etc/profile-a-l/jitsi-meet-desktop.profile
+++ b/etc/profile-a-l/jitsi-meet-desktop.profile
@@ -13,12 +13,12 @@ ignore shell none
 ignore noexec /tmp
-nodeny  ${HOME}/.config/Jitsi Meet
+noblacklist ${HOME}/.config/Jitsi Meet
-noallow  ${DOWNLOADS}
+nowhitelist ${DOWNLOADS}
 mkdir ${HOME}/.config/Jitsi Meet
-allow  ${HOME}/.config/Jitsi Meet
+whitelist ${HOME}/.config/Jitsi Meet
 private-bin bash,electron,electron[0-9],electron[0-9][0-9],jitsi-meet-desktop,sh
 private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
diff --git a/etc/profile-a-l/jitsi.profile b/etc/profile-a-l/jitsi.profile
index f53e6ca32..223c360b8 100644
--- a/etc/profile-a-l/jitsi.profile
+++ b/etc/profile-a-l/jitsi.profile
@@ -5,7 +5,7 @@ include jitsi.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.jitsi
+noblacklist ${HOME}/.jitsi
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile
index c0a78ecc0..9954b8aea 100644
--- a/etc/profile-a-l/jumpnbump.profile
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -6,7 +6,7 @@ include jumpnbump.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.jumpnbump
+noblacklist ${HOME}/.jumpnbump
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.jumpnbump
-allow  ${HOME}/.jumpnbump
+whitelist ${HOME}/.jumpnbump
-allow  /usr/share/jumpnbump
+whitelist /usr/share/jumpnbump
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/k3b.profile b/etc/profile-a-l/k3b.profile
index 73ce8670f..5ae90dff6 100644
--- a/etc/profile-a-l/k3b.profile
+++ b/etc/profile-a-l/k3b.profile
@@ -6,11 +6,11 @@ include k3b.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/k3brc
+noblacklist ${HOME}/.config/k3brc
-nodeny  ${HOME}/.kde/share/config/k3brc
+noblacklist ${HOME}/.kde/share/config/k3brc
-nodeny  ${HOME}/.kde4/share/config/k3brc
+noblacklist ${HOME}/.kde4/share/config/k3brc
-nodeny  ${HOME}/.local/share/kxmlgui5/k3b
+noblacklist ${HOME}/.local/share/kxmlgui5/k3b
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kaffeine.profile b/etc/profile-a-l/kaffeine.profile
index e6a00e350..d55fd22cb 100644
--- a/etc/profile-a-l/kaffeine.profile
+++ b/etc/profile-a-l/kaffeine.profile
@@ -6,14 +6,14 @@ include kaffeine.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/kaffeinerc
+noblacklist ${HOME}/.config/kaffeinerc
-nodeny  ${HOME}/.kde/share/apps/kaffeine
+noblacklist ${HOME}/.kde/share/apps/kaffeine
-nodeny  ${HOME}/.kde/share/config/kaffeinerc
+noblacklist ${HOME}/.kde/share/config/kaffeinerc
-nodeny  ${HOME}/.kde4/share/apps/kaffeine
+noblacklist ${HOME}/.kde4/share/apps/kaffeine
-nodeny  ${HOME}/.kde4/share/config/kaffeinerc
+noblacklist ${HOME}/.kde4/share/config/kaffeinerc
-nodeny  ${HOME}/.local/share/kaffeine
+noblacklist ${HOME}/.local/share/kaffeine
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile
index 98b04353e..503dac4b6 100644
--- a/etc/profile-a-l/kalgebra.profile
+++ b/etc/profile-a-l/kalgebra.profile
@@ -6,8 +6,8 @@ include kalgebra.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/kalgebrarc
+noblacklist ${HOME}/.config/kalgebrarc
-nodeny  ${HOME}/.local/share/kalgebra
+noblacklist ${HOME}/.local/share/kalgebra
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  /usr/share/kalgebramobile
+whitelist /usr/share/kalgebramobile
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/karbon.profile b/etc/profile-a-l/karbon.profile
index db5394550..231299a2f 100644
--- a/etc/profile-a-l/karbon.profile
+++ b/etc/profile-a-l/karbon.profile
@@ -6,7 +6,7 @@ include karbon.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.local/share/kxmlgui5/karbon
+noblacklist ${HOME}/.local/share/kxmlgui5/karbon
 # Redirect
 include krita.profile
diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile
index d2b180492..27b87e7c3 100644
--- a/etc/profile-a-l/kate.profile
+++ b/etc/profile-a-l/kate.profile
@@ -8,20 +8,20 @@ include globals.local
 ignore noexec ${HOME}
-nodeny  ${HOME}/.config/katemetainfos
+noblacklist ${HOME}/.config/katemetainfos
-nodeny  ${HOME}/.config/katepartrc
+noblacklist ${HOME}/.config/katepartrc
-nodeny  ${HOME}/.config/katerc
+noblacklist ${HOME}/.config/katerc
-nodeny  ${HOME}/.config/kateschemarc
+noblacklist ${HOME}/.config/kateschemarc
-nodeny  ${HOME}/.config/katesyntaxhighlightingrc
+noblacklist ${HOME}/.config/katesyntaxhighlightingrc
-nodeny  ${HOME}/.config/katevirc
+noblacklist ${HOME}/.config/katevirc
-nodeny  ${HOME}/.local/share/kate
+noblacklist ${HOME}/.local/share/kate
-nodeny  ${HOME}/.local/share/kxmlgui5/kate
+noblacklist ${HOME}/.local/share/kxmlgui5/kate
-nodeny  ${HOME}/.local/share/kxmlgui5/katefiletree
+noblacklist ${HOME}/.local/share/kxmlgui5/katefiletree
-nodeny  ${HOME}/.local/share/kxmlgui5/katekonsole
+noblacklist ${HOME}/.local/share/kxmlgui5/katekonsole
-nodeny  ${HOME}/.local/share/kxmlgui5/kateopenheaderplugin
+noblacklist ${HOME}/.local/share/kxmlgui5/kateopenheaderplugin
-nodeny  ${HOME}/.local/share/kxmlgui5/katepart
+noblacklist ${HOME}/.local/share/kxmlgui5/katepart
-nodeny  ${HOME}/.local/share/kxmlgui5/kateproject
+noblacklist ${HOME}/.local/share/kxmlgui5/kateproject
-nodeny  ${HOME}/.local/share/kxmlgui5/katesearch
+noblacklist ${HOME}/.local/share/kxmlgui5/katesearch
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index a4e2e64f4..9795cf168 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -8,9 +8,9 @@ include globals.local
 ignore noexec ${HOME}
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
-nodeny  ${HOME}/.config/kazam
+noblacklist ${HOME}/.config/kazam
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -25,7 +25,7 @@ include disable-passwdmgr.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/kazam
+whitelist /usr/share/kazam
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile
index fcb168d4d..e36ee5ed2 100644
--- a/etc/profile-a-l/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -6,7 +6,7 @@ include kcalc.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/kxmlgui5/kcalc
+noblacklist ${HOME}/.local/share/kxmlgui5/kcalc
 include disable-common.inc
 include disable-devel.inc
@@ -21,13 +21,13 @@ mkdir ${HOME}/.local/share/kxmlgui5/kcalc
 mkfile ${HOME}/.config/kcalcrc
 mkfile ${HOME}/.kde/share/config/kcalcrc
 mkfile ${HOME}/.kde4/share/config/kcalcrc
-allow  ${HOME}/.config/kcalcrc
+whitelist ${HOME}/.config/kcalcrc
-allow  ${HOME}/.kde/share/config/kcalcrc
+whitelist ${HOME}/.kde/share/config/kcalcrc
-allow  ${HOME}/.kde4/share/config/kcalcrc
+whitelist ${HOME}/.kde4/share/config/kcalcrc
-allow  ${HOME}/.local/share/kxmlgui5/kcalc
+whitelist ${HOME}/.local/share/kxmlgui5/kcalc
-allow  /usr/share/config.kcfg/kcalc.kcfg
+whitelist /usr/share/config.kcfg/kcalc.kcfg
-allow  /usr/share/kcalc
+whitelist /usr/share/kcalc
-allow  /usr/share/kconf_update/kcalcrc.upd
+whitelist /usr/share/kconf_update/kcalcrc.upd
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/kdenlive.profile b/etc/profile-a-l/kdenlive.profile
index 4acafbf2a..d2a08a269 100644
--- a/etc/profile-a-l/kdenlive.profile
+++ b/etc/profile-a-l/kdenlive.profile
@@ -8,10 +8,10 @@ include globals.local
 ignore noexec ${HOME}
-nodeny  ${HOME}/.cache/kdenlive
+noblacklist ${HOME}/.cache/kdenlive
-nodeny  ${HOME}/.config/kdenliverc
+noblacklist ${HOME}/.config/kdenliverc
-nodeny  ${HOME}/.local/share/kdenlive
+noblacklist ${HOME}/.local/share/kdenlive
-nodeny  ${HOME}/.local/share/kxmlgui5/kdenlive
+noblacklist ${HOME}/.local/share/kxmlgui5/kdenlive
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile
index 0c37f7968..7c1cb2294 100644
--- a/etc/profile-a-l/kdiff3.profile
+++ b/etc/profile-a-l/kdiff3.profile
@@ -6,14 +6,14 @@ include kdiff3.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/kdiff3fileitemactionrc
+noblacklist ${HOME}/.config/kdiff3fileitemactionrc
-nodeny  ${HOME}/.config/kdiff3rc
+noblacklist ${HOME}/.config/kdiff3rc
 # Add the next line to your kdiff3.local if you don't need to compare files in disable-common.inc.
 # By default we deny access only to .ssh and .gnupg.
 #include disable-common.inc
-deny  ${HOME}/.ssh
+blacklist ${HOME}/.ssh
-deny  ${HOME}/.gnupg
+blacklist ${HOME}/.gnupg
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/keepass.profile b/etc/profile-a-l/keepass.profile
index 9c06962bc..ae8971ab4 100644
--- a/etc/profile-a-l/keepass.profile
+++ b/etc/profile-a-l/keepass.profile
@@ -6,14 +6,14 @@ include keepass.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/*.kdb
+noblacklist ${HOME}/*.kdb
-nodeny  ${HOME}/*.kdbx
+noblacklist ${HOME}/*.kdbx
-nodeny  ${HOME}/.config/KeePass
+noblacklist ${HOME}/.config/KeePass
-nodeny  ${HOME}/.config/keepass
+noblacklist ${HOME}/.config/keepass
-nodeny  ${HOME}/.keepass
+noblacklist ${HOME}/.keepass
-nodeny  ${HOME}/.local/share/KeePass
+noblacklist ${HOME}/.local/share/KeePass
-nodeny  ${HOME}/.local/share/keepass
+noblacklist ${HOME}/.local/share/keepass
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/keepassx.profile b/etc/profile-a-l/keepassx.profile
index 2772fa8bf..ac364986d 100644
--- a/etc/profile-a-l/keepassx.profile
+++ b/etc/profile-a-l/keepassx.profile
@@ -6,11 +6,11 @@ include keepassx.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/*.kdb
+noblacklist ${HOME}/*.kdb
-nodeny  ${HOME}/*.kdbx
+noblacklist ${HOME}/*.kdbx
-nodeny  ${HOME}/.config/keepassx
+noblacklist ${HOME}/.config/keepassx
-nodeny  ${HOME}/.keepassx
+noblacklist ${HOME}/.keepassx
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 9c530b20d..f71dcf82b 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -6,23 +6,23 @@ include keepassxc.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/*.kdb
+noblacklist ${HOME}/*.kdb
-nodeny  ${HOME}/*.kdbx
+noblacklist ${HOME}/*.kdbx
-nodeny  ${HOME}/.cache/keepassxc
+noblacklist ${HOME}/.cache/keepassxc
-nodeny  ${HOME}/.config/keepassxc
+noblacklist ${HOME}/.config/keepassxc
-nodeny  ${HOME}/.config/KeePassXCrc
+noblacklist ${HOME}/.config/KeePassXCrc
-nodeny  ${HOME}/.keepassxc
+noblacklist ${HOME}/.keepassxc
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 # Allow browser profiles, required for browser integration.
-nodeny  ${HOME}/.config/BraveSoftware
+noblacklist ${HOME}/.config/BraveSoftware
-nodeny  ${HOME}/.config/chromium
+noblacklist ${HOME}/.config/chromium
-nodeny  ${HOME}/.config/google-chrome
+noblacklist ${HOME}/.config/google-chrome
-nodeny  ${HOME}/.config/vivaldi
+noblacklist ${HOME}/.config/vivaldi
-nodeny  ${HOME}/.local/share/torbrowser
+noblacklist ${HOME}/.local/share/torbrowser
-nodeny  ${HOME}/.mozilla
+noblacklist ${HOME}/.mozilla
-deny  /usr/libexec
+blacklist /usr/libexec
 include disable-common.inc
 include disable-devel.inc
@@ -57,7 +57,7 @@ include disable-xdg.inc
 #whitelist ${HOME}/.config/KeePassXCrc
 #include whitelist-common.inc
-allow  /usr/share/keepassxc
+whitelist /usr/share/keepassxc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/kget.profile b/etc/profile-a-l/kget.profile
index 30c041cbc..2c684504b 100644
--- a/etc/profile-a-l/kget.profile
+++ b/etc/profile-a-l/kget.profile
@@ -6,13 +6,13 @@ include kget.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/kgetrc
+noblacklist ${HOME}/.config/kgetrc
-nodeny  ${HOME}/.kde/share/apps/kget
+noblacklist ${HOME}/.kde/share/apps/kget
-nodeny  ${HOME}/.kde/share/config/kgetrc
+noblacklist ${HOME}/.kde/share/config/kgetrc
-nodeny  ${HOME}/.kde4/share/apps/kget
+noblacklist ${HOME}/.kde4/share/apps/kget
-nodeny  ${HOME}/.kde4/share/config/kgetrc
+noblacklist ${HOME}/.kde4/share/config/kgetrc
-nodeny  ${HOME}/.local/share/kget
+noblacklist ${HOME}/.local/share/kget
-nodeny  ${HOME}/.local/share/kxmlgui5/kget
+noblacklist ${HOME}/.local/share/kxmlgui5/kget
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kid3-qt.profile b/etc/profile-a-l/kid3-qt.profile
index 84d135fc3..9bcede077 100644
--- a/etc/profile-a-l/kid3-qt.profile
+++ b/etc/profile-a-l/kid3-qt.profile
@@ -2,7 +2,7 @@
 # This file is overwritten after every install/update
 include kid3-qt.local
-nodeny  ${HOME}/.config/Kid3
+noblacklist ${HOME}/.config/Kid3
 # Redirect
 include kid3.profile
diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile
index 0ef2a7845..e18292e99 100644
--- a/etc/profile-a-l/kid3.profile
+++ b/etc/profile-a-l/kid3.profile
@@ -6,9 +6,9 @@ include kid3.local
 # Persistent global definitions
 include globals.local
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
-nodeny  ${HOME}/.config/kid3rc
+noblacklist ${HOME}/.config/kid3rc
-nodeny  ${HOME}/.local/share/kxmlgui5/kid3
+noblacklist ${HOME}/.local/share/kxmlgui5/kid3
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kino.profile b/etc/profile-a-l/kino.profile
index 833c1d22a..74014ffe6 100644
--- a/etc/profile-a-l/kino.profile
+++ b/etc/profile-a-l/kino.profile
@@ -6,8 +6,8 @@ include kino.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.kino-history
+noblacklist ${HOME}/.kino-history
-nodeny  ${HOME}/.kinorc
+noblacklist ${HOME}/.kinorc
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile
index b188ba0e3..40ee0bbc7 100644
--- a/etc/profile-a-l/kiwix-desktop.profile
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -6,8 +6,8 @@ include kiwix-desktop.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/kiwix
+noblacklist ${HOME}/.local/share/kiwix
-nodeny  ${HOME}/.local/share/kiwix-desktop
+noblacklist ${HOME}/.local/share/kiwix-desktop
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-xdg.inc
 mkdir ${HOME}/.local/share/kiwix
 mkdir ${HOME}/.local/share/kiwix-desktop
-allow  ${HOME}/.local/share/kiwix
+whitelist ${HOME}/.local/share/kiwix
-allow  ${HOME}/.local/share/kiwix-desktop
+whitelist ${HOME}/.local/share/kiwix-desktop
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/klatexformula.profile b/etc/profile-a-l/klatexformula.profile
index e087e4973..c6a9023f1 100644
--- a/etc/profile-a-l/klatexformula.profile
+++ b/etc/profile-a-l/klatexformula.profile
@@ -6,8 +6,8 @@ include klatexformula.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.kde/share/apps/klatexformula
+noblacklist ${HOME}/.kde/share/apps/klatexformula
-nodeny  ${HOME}/.klatexformula
+noblacklist ${HOME}/.klatexformula
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile
index ec3912419..f5cd3a48c 100644
--- a/etc/profile-a-l/klavaro.profile
+++ b/etc/profile-a-l/klavaro.profile
@@ -6,8 +6,8 @@ include klavaro.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/klavaro
+noblacklist ${HOME}/.config/klavaro
-nodeny  ${HOME}/.local/share/klavaro
+noblacklist ${HOME}/.local/share/klavaro
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-xdg.inc
 mkdir ${HOME}/.local/share/klavaro
 mkdir ${HOME}/.config/klavaro
-allow  ${HOME}/.local/share/klavaro
+whitelist ${HOME}/.local/share/klavaro
-allow  ${HOME}/.config/klavaro
+whitelist ${HOME}/.config/klavaro
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index 3c582c08c..95ae98e53 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -9,27 +9,27 @@ include globals.local
 # kmail has problems launching akonadi in debian and ubuntu.
 # one solution is to have akonadi already running when kmail is started
-nodeny  ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.cache/akonadi*
-nodeny  ${HOME}/.cache/kmail2
+noblacklist ${HOME}/.cache/kmail2
-nodeny  ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/akonadi*
-nodeny  ${HOME}/.config/baloorc
+noblacklist ${HOME}/.config/baloorc
-nodeny  ${HOME}/.config/emaildefaults
+noblacklist ${HOME}/.config/emaildefaults
-nodeny  ${HOME}/.config/emailidentities
+noblacklist ${HOME}/.config/emailidentities
-nodeny  ${HOME}/.config/kmail2rc
+noblacklist ${HOME}/.config/kmail2rc
-nodeny  ${HOME}/.config/kmailsearchindexingrc
+noblacklist ${HOME}/.config/kmailsearchindexingrc
-nodeny  ${HOME}/.config/mailtransports
+noblacklist ${HOME}/.config/mailtransports
-nodeny  ${HOME}/.config/specialmailcollectionsrc
+noblacklist ${HOME}/.config/specialmailcollectionsrc
-nodeny  ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
-nodeny  ${HOME}/.local/share/akonadi*
+noblacklist ${HOME}/.local/share/akonadi*
-nodeny  ${HOME}/.local/share/apps/korganizer
+noblacklist ${HOME}/.local/share/apps/korganizer
-nodeny  ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/contacts
-nodeny  ${HOME}/.local/share/emailidentities
+noblacklist ${HOME}/.local/share/emailidentities
-nodeny  ${HOME}/.local/share/kmail2
+noblacklist ${HOME}/.local/share/kmail2
-nodeny  ${HOME}/.local/share/kxmlgui5/kmail
+noblacklist ${HOME}/.local/share/kxmlgui5/kmail
-nodeny  ${HOME}/.local/share/kxmlgui5/kmail2
+noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
-nodeny  ${HOME}/.local/share/local-mail
+noblacklist ${HOME}/.local/share/local-mail
-nodeny  ${HOME}/.local/share/notes
+noblacklist ${HOME}/.local/share/notes
-nodeny  /tmp/akonadi-*
+noblacklist /tmp/akonadi-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kmplayer.profile b/etc/profile-a-l/kmplayer.profile
index d2ce14ab6..e88b53499 100644
--- a/etc/profile-a-l/kmplayer.profile
+++ b/etc/profile-a-l/kmplayer.profile
@@ -6,11 +6,11 @@ include kmplayer.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/kmplayerrc
+noblacklist ${HOME}/.config/kmplayerrc
-nodeny  ${HOME}/.kde/share/config/kmplayerrc
+noblacklist ${HOME}/.kde/share/config/kmplayerrc
-nodeny  ${HOME}/.local/share/kmplayer
+noblacklist ${HOME}/.local/share/kmplayer
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/knotes.profile b/etc/profile-a-l/knotes.profile
index 5a9ac34da..f155d0ad6 100644
--- a/etc/profile-a-l/knotes.profile
+++ b/etc/profile-a-l/knotes.profile
@@ -10,9 +10,9 @@ include knotes.local
 # knotes has problems launching akonadi in debian and ubuntu.
 # one solution is to have akonadi already running when knotes is started
-nodeny  ${HOME}/.config/knotesrc
+noblacklist ${HOME}/.config/knotesrc
-nodeny  ${HOME}/.local/share/knotes
+noblacklist ${HOME}/.local/share/knotes
-nodeny  ${HOME}/.local/share/kxmlgui5/knotes
+noblacklist ${HOME}/.local/share/kxmlgui5/knotes
 # Redirect
 include kmail.profile
diff --git a/etc/profile-a-l/kodi.profile b/etc/profile-a-l/kodi.profile
index 2725c87be..f909728a5 100644
--- a/etc/profile-a-l/kodi.profile
+++ b/etc/profile-a-l/kodi.profile
@@ -12,11 +12,17 @@ ignore noexec ${HOME}
 #ignore nogroups
 #ignore noroot
 #ignore private-dev
+# Add the following to your kodi.local if you use the Lutris Kodi Addon
+#noblacklist /sbin
+#noblacklist /usr/sbin
+#noblacklist ${HOME}/.cache/lutris
+#noblacklist ${HOME}/.config/lutris
+#noblacklist ${HOME}/.local/share/lutris
-nodeny  ${HOME}/.kodi
+noblacklist ${HOME}/.kodi
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/konversation.profile b/etc/profile-a-l/konversation.profile
index d8ce33838..5b5ed6e24 100644
--- a/etc/profile-a-l/konversation.profile
+++ b/etc/profile-a-l/konversation.profile
@@ -6,11 +6,11 @@ include konversation.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/konversationrc
+noblacklist ${HOME}/.config/konversationrc
-nodeny  ${HOME}/.config/konversation.notifyrc
+noblacklist ${HOME}/.config/konversation.notifyrc
-nodeny  ${HOME}/.kde/share/config/konversationrc
+noblacklist ${HOME}/.kde/share/config/konversationrc
-nodeny  ${HOME}/.kde4/share/config/konversationrc
+noblacklist ${HOME}/.kde4/share/config/konversationrc
-nodeny  ${HOME}/.local/share/kxmlgui5/konversation
+noblacklist ${HOME}/.local/share/kxmlgui5/konversation
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kopete.profile b/etc/profile-a-l/kopete.profile
index 749591f32..88f47d1bf 100644
--- a/etc/profile-a-l/kopete.profile
+++ b/etc/profile-a-l/kopete.profile
@@ -6,11 +6,11 @@ include kopete.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.kde/share/apps/kopete
+noblacklist ${HOME}/.kde/share/apps/kopete
-nodeny  ${HOME}/.kde/share/config/kopeterc
+noblacklist ${HOME}/.kde/share/config/kopeterc
-nodeny  ${HOME}/.kde4/share/apps/kopete
+noblacklist ${HOME}/.kde4/share/apps/kopete
-nodeny  ${HOME}/.kde4/share/config/kopeterc
+noblacklist ${HOME}/.kde4/share/config/kopeterc
-nodeny  ${HOME}/.local/share/kxmlgui5/kopete
+noblacklist ${HOME}/.local/share/kxmlgui5/kopete
 include disable-common.inc
 include disable-devel.inc
@@ -19,7 +19,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-allow  /var/lib/winpopup
+whitelist /var/lib/winpopup
 include whitelist-var-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/krita.profile b/etc/profile-a-l/krita.profile
index 950341def..8604e63d0 100644
--- a/etc/profile-a-l/krita.profile
+++ b/etc/profile-a-l/krita.profile
@@ -9,10 +9,10 @@ include globals.local
 # noexec ${HOME} may break krita, see issue #1953
 ignore noexec ${HOME}
-nodeny  ${HOME}/.config/kritarc
+noblacklist ${HOME}/.config/kritarc
-nodeny  ${HOME}/.local/share/krita
+noblacklist ${HOME}/.local/share/krita
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile
index 7b325d273..9cb5eff87 100644
--- a/etc/profile-a-l/krunner.profile
+++ b/etc/profile-a-l/krunner.profile
@@ -13,9 +13,9 @@ include globals.local
 # noblacklist ${HOME}/.cache/krunner
 # noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
 # noblacklist ${HOME}/.config/chromium
-nodeny  ${HOME}/.config/krunnerrc
+noblacklist ${HOME}/.config/krunnerrc
-nodeny  ${HOME}/.kde/share/config/krunnerrc
+noblacklist ${HOME}/.kde/share/config/krunnerrc
-nodeny  ${HOME}/.kde4/share/config/krunnerrc
+noblacklist ${HOME}/.kde4/share/config/krunnerrc
 # noblacklist ${HOME}/.local/share/baloo
 # noblacklist ${HOME}/.mozilla
diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile
index ac9fee585..5a85194e0 100644
--- a/etc/profile-a-l/ktorrent.profile
+++ b/etc/profile-a-l/ktorrent.profile
@@ -6,13 +6,13 @@ include ktorrent.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/ktorrentrc
+noblacklist ${HOME}/.config/ktorrentrc
-nodeny  ${HOME}/.kde/share/apps/ktorrent
+noblacklist ${HOME}/.kde/share/apps/ktorrent
-nodeny  ${HOME}/.kde/share/config/ktorrentrc
+noblacklist ${HOME}/.kde/share/config/ktorrentrc
-nodeny  ${HOME}/.kde4/share/apps/ktorrent
+noblacklist ${HOME}/.kde4/share/apps/ktorrent
-nodeny  ${HOME}/.kde4/share/config/ktorrentrc
+noblacklist ${HOME}/.kde4/share/config/ktorrentrc
-nodeny  ${HOME}/.local/share/ktorrent
+noblacklist ${HOME}/.local/share/ktorrent
-nodeny  ${HOME}/.local/share/kxmlgui5/ktorrent
+noblacklist ${HOME}/.local/share/kxmlgui5/ktorrent
 include disable-common.inc
 include disable-devel.inc
@@ -29,14 +29,14 @@ mkdir ${HOME}/.local/share/kxmlgui5/ktorrent
 mkfile ${HOME}/.config/ktorrentrc
 mkfile ${HOME}/.kde/share/config/ktorrentrc
 mkfile ${HOME}/.kde4/share/config/ktorrentrc
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.config/ktorrentrc
+whitelist ${HOME}/.config/ktorrentrc
-allow  ${HOME}/.kde/share/apps/ktorrent
+whitelist ${HOME}/.kde/share/apps/ktorrent
-allow  ${HOME}/.kde/share/config/ktorrentrc
+whitelist ${HOME}/.kde/share/config/ktorrentrc
-allow  ${HOME}/.kde4/share/apps/ktorrent
+whitelist ${HOME}/.kde4/share/apps/ktorrent
-allow  ${HOME}/.kde4/share/config/ktorrentrc
+whitelist ${HOME}/.kde4/share/config/ktorrentrc
-allow  ${HOME}/.local/share/ktorrent
+whitelist ${HOME}/.local/share/ktorrent
-allow  ${HOME}/.local/share/kxmlgui5/ktorrent
+whitelist ${HOME}/.local/share/kxmlgui5/ktorrent
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile
index 71f8e4977..4cf72b74c 100644
--- a/etc/profile-a-l/ktouch.profile
+++ b/etc/profile-a-l/ktouch.profile
@@ -6,8 +6,8 @@ include ktouch.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/ktouch2rc
+noblacklist ${HOME}/.config/ktouch2rc
-nodeny  ${HOME}/.local/share/ktouch
+noblacklist ${HOME}/.local/share/ktouch
 include disable-common.inc
 include disable-devel.inc
@@ -20,8 +20,8 @@ include disable-xdg.inc
 mkfile ${HOME}/.config/ktouch2rc
 mkdir ${HOME}/.local/share/ktouch
-allow  ${HOME}/.config/ktouch2rc
+whitelist ${HOME}/.config/ktouch2rc
-allow  ${HOME}/.local/share/ktouch
+whitelist ${HOME}/.local/share/ktouch
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 74ffd1162..4e9a12e5f 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -6,13 +6,13 @@ include kube.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
-nodeny  ${HOME}/.mozilla
+noblacklist ${HOME}/.mozilla
-nodeny  ${HOME}/.cache/kube
+noblacklist ${HOME}/.cache/kube
-nodeny  ${HOME}/.config/kube
+noblacklist ${HOME}/.config/kube
-nodeny  ${HOME}/.config/sink
+noblacklist ${HOME}/.config/sink
-nodeny  ${HOME}/.local/share/kube
+noblacklist ${HOME}/.local/share/kube
-nodeny  ${HOME}/.local/share/sink
+noblacklist ${HOME}/.local/share/sink
 include disable-common.inc
 include disable-devel.inc
@@ -29,17 +29,17 @@ mkdir ${HOME}/.config/kube
 mkdir ${HOME}/.config/sink
 mkdir ${HOME}/.local/share/kube
 mkdir ${HOME}/.local/share/sink
-allow  ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
-allow  ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
-allow  ${HOME}/.cache/kube
+whitelist ${HOME}/.cache/kube
-allow  ${HOME}/.config/kube
+whitelist ${HOME}/.config/kube
-allow  ${HOME}/.config/sink
+whitelist ${HOME}/.config/sink
-allow  ${HOME}/.local/share/kube
+whitelist ${HOME}/.local/share/kube
-allow  ${HOME}/.local/share/sink
+whitelist ${HOME}/.local/share/sink
-allow  ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/gnupg
-allow  /usr/share/kube
+whitelist /usr/share/kube
-allow  /usr/share/gnupg
+whitelist /usr/share/gnupg
-allow  /usr/share/gnupg2
+whitelist /usr/share/gnupg2
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile
index 580f93736..15e7ceb17 100644
--- a/etc/profile-a-l/kwin_x11.profile
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -8,10 +8,10 @@ include globals.local
 # fix automatical kwin_x11 sandboxing:
 # echo KDEWM=kwin_x11 >> ~/.pam_environment
-nodeny  ${HOME}/.cache/kwin
+noblacklist ${HOME}/.cache/kwin
-nodeny  ${HOME}/.config/kwinrc
+noblacklist ${HOME}/.config/kwinrc
-nodeny  ${HOME}/.config/kwinrulesrc
+noblacklist ${HOME}/.config/kwinrulesrc
-nodeny  ${HOME}/.local/share/kwin
+noblacklist ${HOME}/.local/share/kwin
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile
index 08b0e0224..804ffafeb 100644
--- a/etc/profile-a-l/kwrite.profile
+++ b/etc/profile-a-l/kwrite.profile
@@ -6,15 +6,15 @@ include kwrite.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/katepartrc
+noblacklist ${HOME}/.config/katepartrc
-nodeny  ${HOME}/.config/katerc
+noblacklist ${HOME}/.config/katerc
-nodeny  ${HOME}/.config/kateschemarc
+noblacklist ${HOME}/.config/kateschemarc
-nodeny  ${HOME}/.config/katesyntaxhighlightingrc
+noblacklist ${HOME}/.config/katesyntaxhighlightingrc
-nodeny  ${HOME}/.config/katevirc
+noblacklist ${HOME}/.config/katevirc
-nodeny  ${HOME}/.config/kwriterc
+noblacklist ${HOME}/.config/kwriterc
-nodeny  ${HOME}/.local/share/kwrite
+noblacklist ${HOME}/.local/share/kwrite
-nodeny  ${HOME}/.local/share/kxmlgui5/kwrite
+noblacklist ${HOME}/.local/share/kxmlgui5/kwrite
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/latex-common.profile b/etc/profile-a-l/latex-common.profile
index 91693bfc1..ac1b8785d 100644
--- a/etc/profile-a-l/latex-common.profile
+++ b/etc/profile-a-l/latex-common.profile
@@ -13,7 +13,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-allow  /var/lib
+whitelist /var/lib
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/leafpad.profile b/etc/profile-a-l/leafpad.profile
index e154708eb..4bbb0a86d 100644
--- a/etc/profile-a-l/leafpad.profile
+++ b/etc/profile-a-l/leafpad.profile
@@ -6,7 +6,7 @@ include leafpad.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/leafpad
+noblacklist ${HOME}/.config/leafpad
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/less.profile b/etc/profile-a-l/less.profile
index abee392de..8eb5ad0c2 100644
--- a/etc/profile-a-l/less.profile
+++ b/etc/profile-a-l/less.profile
@@ -7,9 +7,9 @@ include less.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
-nodeny  ${HOME}/.lesshst
+noblacklist ${HOME}/.lesshst
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/librecad.profile b/etc/profile-a-l/librecad.profile
index 8ec41eee3..c57eae73d 100644
--- a/etc/profile-a-l/librecad.profile
+++ b/etc/profile-a-l/librecad.profile
@@ -4,8 +4,8 @@ include librecad.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/LibreCAD
+noblacklist ${HOME}/.config/LibreCAD
-nodeny  ${HOME}/.local/share/LibreCAD
+noblacklist ${HOME}/.local/share/LibreCAD
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/librecad
+whitelist /usr/share/librecad
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index ae01d39b8..b1a24888c 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -6,15 +6,15 @@ include libreoffice.local
 # Persistent global definitions
 include globals.local
-nodeny  /usr/local/sbin
+noblacklist /usr/local/sbin
-nodeny  ${HOME}/.config/libreoffice
+noblacklist ${HOME}/.config/libreoffice
 # libreoffice uses java for some functionality.
 # Add 'ignore include allow-java.inc' to your libreoffice.local if you don't need that functionality.
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
-deny  /usr/libexec
+blacklist /usr/libexec
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index 5c614ab8e..da047357a 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -6,13 +6,13 @@ include librewolf.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/librewolf
+noblacklist ${HOME}/.cache/librewolf
-nodeny  ${HOME}/.librewolf
+noblacklist ${HOME}/.librewolf
 mkdir ${HOME}/.cache/librewolf
 mkdir ${HOME}/.librewolf
-allow  ${HOME}/.cache/librewolf
+whitelist ${HOME}/.cache/librewolf
-allow  ${HOME}/.librewolf
+whitelist ${HOME}/.librewolf
 # Add the next lines to your librewolf.local if you want to use the migration wizard.
 #noblacklist ${HOME}/.mozilla
@@ -23,10 +23,10 @@ allow  ${HOME}/.librewolf
 #whitelist ${RUNUSER}/kpxc_server
 #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
-allow  /usr/share/doc
+whitelist /usr/share/doc
-allow  /usr/share/gtk-doc/html
+whitelist /usr/share/gtk-doc/html
-allow  /usr/share/mozilla
+whitelist /usr/share/mozilla
-allow  /usr/share/webext
+whitelist /usr/share/webext
 include whitelist-usr-share-common.inc
 # Add the next line to your librewolf.local to enable private-bin (Arch Linux).
diff --git a/etc/profile-a-l/lifeograph.profile b/etc/profile-a-l/lifeograph.profile
new file mode 100644
index 000000000..b9ed0de8e
--- /dev/null
+++ b/etc/profile-a-l/lifeograph.profile
@@ -0,0 +1,58 @@
+# Firejail profile for lifeograph
+# Description: Lifeograph is a diary program to take personal notes
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lifeograph.local
+# Persistent global definitions
+include globals.local
+nodeny ${DOCUMENTS}
+deny /usr/libexec
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+allow ${DOCUMENTS}
+allow /usr/share/lifeograph
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-bin lifeograph
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile
index 595ecc257..7afca1d5f 100644
--- a/etc/profile-a-l/liferea.profile
+++ b/etc/profile-a-l/liferea.profile
@@ -6,9 +6,9 @@ include liferea.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/liferea
+noblacklist ${HOME}/.cache/liferea
-nodeny  ${HOME}/.config/liferea
+noblacklist ${HOME}/.config/liferea
-nodeny  ${HOME}/.local/share/liferea
+noblacklist ${HOME}/.local/share/liferea
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -24,10 +24,10 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/liferea
 mkdir ${HOME}/.config/liferea
 mkdir ${HOME}/.local/share/liferea
-allow  ${HOME}/.cache/liferea
+whitelist ${HOME}/.cache/liferea
-allow  ${HOME}/.config/liferea
+whitelist ${HOME}/.config/liferea
-allow  ${HOME}/.local/share/liferea
+whitelist ${HOME}/.local/share/liferea
-allow  /usr/share/liferea
+whitelist /usr/share/liferea
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/lightsoff.profile b/etc/profile-a-l/lightsoff.profile
index 58d5bcd6d..c065c44a9 100644
--- a/etc/profile-a-l/lightsoff.profile
+++ b/etc/profile-a-l/lightsoff.profile
@@ -6,7 +6,7 @@ include lightsoff.local
 # Persistent global definitions
 include globals.local
-allow  /usr/share/lightsoff
+whitelist /usr/share/lightsoff
 private-bin lightsoff
diff --git a/etc/profile-a-l/lincity-ng.profile b/etc/profile-a-l/lincity-ng.profile
index e14c50d77..4254b7f33 100644
--- a/etc/profile-a-l/lincity-ng.profile
+++ b/etc/profile-a-l/lincity-ng.profile
@@ -6,7 +6,7 @@ include lincity-ng.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.lincity-ng
+noblacklist ${HOME}/.lincity-ng
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.lincity-ng
-allow  ${HOME}/.lincity-ng
+whitelist ${HOME}/.lincity-ng
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
index 51e3d5b94..cd885b1d4 100644
--- a/etc/profile-a-l/links-common.profile
+++ b/etc/profile-a-l/links-common.profile
@@ -4,8 +4,8 @@ include links-common.local
 # common profile for links browsers
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile
index ae57601ca..8ce39cc7f 100644
--- a/etc/profile-a-l/links.profile
+++ b/etc/profile-a-l/links.profile
@@ -7,10 +7,10 @@ include links.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.links
+noblacklist ${HOME}/.links
 mkdir ${HOME}/.links
-allow  ${HOME}/.links
+whitelist ${HOME}/.links
 private-bin links
diff --git a/etc/profile-a-l/links2.profile b/etc/profile-a-l/links2.profile
index eb349c73a..5f91dfcd2 100644
--- a/etc/profile-a-l/links2.profile
+++ b/etc/profile-a-l/links2.profile
@@ -7,10 +7,10 @@ include links2.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.links2
+noblacklist ${HOME}/.links2
 mkdir ${HOME}/.links2
-allow  ${HOME}/.links2
+whitelist ${HOME}/.links2
 private-bin links2
diff --git a/etc/profile-a-l/linphone.profile b/etc/profile-a-l/linphone.profile
index dd1dac05b..7ebdbef4c 100644
--- a/etc/profile-a-l/linphone.profile
+++ b/etc/profile-a-l/linphone.profile
@@ -6,10 +6,10 @@ include linphone.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/linphone
+noblacklist ${HOME}/.config/linphone
-nodeny  ${HOME}/.linphone-history.db
+noblacklist ${HOME}/.linphone-history.db
-nodeny  ${HOME}/.linphonerc
+noblacklist ${HOME}/.linphonerc
-nodeny  ${HOME}/.local/share/linphone
+noblacklist ${HOME}/.local/share/linphone
 include disable-common.inc
 include disable-devel.inc
@@ -23,11 +23,11 @@ include disable-programs.inc
 # ${HOME}/.linphone-history.db and ${HOME}/.linphonerc but no longer mkfile.
 mkdir ${HOME}/.config/linphone
 mkdir ${HOME}/.local/share/linphone
-allow  ${HOME}/.config/linphone
+whitelist ${HOME}/.config/linphone
-allow  ${HOME}/.linphone-history.db
+whitelist ${HOME}/.linphone-history.db
-allow  ${HOME}/.linphonerc
+whitelist ${HOME}/.linphonerc
-allow  ${HOME}/.local/share/linphone
+whitelist ${HOME}/.local/share/linphone
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-a-l/lmms.profile b/etc/profile-a-l/lmms.profile
index b22110fdc..48b0e14dc 100644
--- a/etc/profile-a-l/lmms.profile
+++ b/etc/profile-a-l/lmms.profile
@@ -6,9 +6,9 @@ include lmms.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.lmmsrc.xml
+noblacklist ${HOME}/.lmmsrc.xml
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile
index 0a7ce86e8..f2676fec5 100644
--- a/etc/profile-a-l/lollypop.profile
+++ b/etc/profile-a-l/lollypop.profile
@@ -6,8 +6,8 @@ include lollypop.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/lollypop
+noblacklist ${HOME}/.local/share/lollypop
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/lugaru.profile b/etc/profile-a-l/lugaru.profile
index 30802b3b7..174c65a65 100644
--- a/etc/profile-a-l/lugaru.profile
+++ b/etc/profile-a-l/lugaru.profile
@@ -8,8 +8,8 @@ include globals.local
 # note: crashes after entering
-nodeny  ${HOME}/.config/lugaru
+noblacklist ${HOME}/.config/lugaru
-nodeny  ${HOME}/.local/share/lugaru
+noblacklist ${HOME}/.local/share/lugaru
 include disable-common.inc
 include disable-devel.inc
@@ -22,8 +22,8 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/lugaru
 mkdir ${HOME}/.local/share/lugaru
-allow  ${HOME}/.config/lugaru
+whitelist ${HOME}/.config/lugaru
-allow  ${HOME}/.local/share/lugaru
+whitelist ${HOME}/.local/share/lugaru
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/luminance-hdr.profile b/etc/profile-a-l/luminance-hdr.profile
index 73400dbd6..31067034e 100644
--- a/etc/profile-a-l/luminance-hdr.profile
+++ b/etc/profile-a-l/luminance-hdr.profile
@@ -6,8 +6,8 @@ include luminance-hdr.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Luminance
+noblacklist ${HOME}/.config/Luminance
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
index 9d5169b80..80a3aba86 100644
--- a/etc/profile-a-l/lutris.profile
+++ b/etc/profile-a-l/lutris.profile
@@ -6,18 +6,18 @@ include lutris.local
 # Persistent global definitions
 include globals.local
-nodeny  ${PATH}/llvm*
+noblacklist ${PATH}/llvm*
-nodeny  ${HOME}/Games
+noblacklist ${HOME}/Games
-nodeny  ${HOME}/.cache/lutris
+noblacklist ${HOME}/.cache/lutris
-nodeny  ${HOME}/.cache/winetricks
+noblacklist ${HOME}/.cache/winetricks
-nodeny  ${HOME}/.config/lutris
+noblacklist ${HOME}/.config/lutris
-nodeny  ${HOME}/.local/share/lutris
+noblacklist ${HOME}/.local/share/lutris
 # noblacklist ${HOME}/.wine
-nodeny  /tmp/.wine-*
+noblacklist /tmp/.wine-*
 # Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise
 # Lutris won't even start.
-nodeny  /sbin
+noblacklist /sbin
-nodeny  /usr/sbin
+noblacklist /usr/sbin
 ignore noexec ${HOME}
@@ -39,15 +39,15 @@ mkdir ${HOME}/.cache/winetricks
 mkdir ${HOME}/.config/lutris
 mkdir ${HOME}/.local/share/lutris
 # mkdir ${HOME}/.wine
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/Games
+whitelist ${HOME}/Games
-allow  ${HOME}/.cache/lutris
+whitelist ${HOME}/.cache/lutris
-allow  ${HOME}/.cache/winetricks
+whitelist ${HOME}/.cache/winetricks
-allow  ${HOME}/.config/lutris
+whitelist ${HOME}/.config/lutris
-allow  ${HOME}/.local/share/lutris
+whitelist ${HOME}/.local/share/lutris
 # whitelist ${HOME}/.wine
-allow  /usr/share/lutris
+whitelist /usr/share/lutris
-allow  /usr/share/wine
+whitelist /usr/share/wine
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/lximage-qt.profile b/etc/profile-a-l/lximage-qt.profile
index 43147211b..b2a56012e 100644
--- a/etc/profile-a-l/lximage-qt.profile
+++ b/etc/profile-a-l/lximage-qt.profile
@@ -6,7 +6,7 @@ include lximage-qt.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/lximage-qt
+noblacklist ${HOME}/.config/lximage-qt
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/lxmusic.profile b/etc/profile-a-l/lxmusic.profile
index c849f2ad2..cc4b95551 100644
--- a/etc/profile-a-l/lxmusic.profile
+++ b/etc/profile-a-l/lxmusic.profile
@@ -6,9 +6,9 @@ include lxmusic.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/xmms2
+noblacklist ${HOME}/.cache/xmms2
-nodeny  ${HOME}/.config/xmms2
+noblacklist ${HOME}/.config/xmms2
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile
index 15c8f1faa..a919e924b 100644
--- a/etc/profile-a-l/lynx.profile
+++ b/etc/profile-a-l/lynx.profile
@@ -7,8 +7,8 @@ include lynx.local
 # Persistent global definitions
 include globals.local
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
index 358dbf2f2..fa69463d1 100644
--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -8,8 +8,8 @@ include globals.local
 ignore private-tmp
-nodeny  ${HOME}/.config/LyX
+noblacklist ${HOME}/.config/LyX
-nodeny  ${HOME}/.lyx
+noblacklist ${HOME}/.lyx
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -21,11 +21,11 @@ include allow-perl.inc
 include allow-python2.inc
 include allow-python3.inc
-allow  /usr/share/lyx
+whitelist /usr/share/lyx
-allow  /usr/share/texinfo
+whitelist /usr/share/texinfo
-allow  /usr/share/texlive
+whitelist /usr/share/texlive
-allow  /usr/share/texmf-dist
+whitelist /usr/share/texmf-dist
-allow  /usr/share/tlpkg
+whitelist /usr/share/tlpkg
 include whitelist-usr-share-common.inc
 apparmor
diff --git a/etc/profile-a-l/sway.profile b/etc/profile-a-l/sway.profile
index 3a4edcf69..4637419bf 100644
--- a/etc/profile-a-l/sway.profile
+++ b/etc/profile-a-l/sway.profile
@@ -7,9 +7,9 @@ include sway.local
 include globals.local
 # all applications started in sway will run in this profile
-nodeny  ${HOME}/.config/sway
+noblacklist ${HOME}/.config/sway
 # sway uses ~/.config/i3 as fallback if there is no ~/.config/sway
-nodeny  ${HOME}/.config/i3
+noblacklist ${HOME}/.config/i3
 include disable-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/Maelstrom.profile b/etc/profile-m-z/Maelstrom.profile
index e6c43007d..62d0a8b3a 100644
--- a/etc/profile-m-z/Maelstrom.profile
+++ b/etc/profile-m-z/Maelstrom.profile
@@ -6,7 +6,7 @@ include Maelstrom.local
 # Persistent global definitions
 include globals.local
-nodeny  /var/lib/games/Maelstrom-Scores
+noblacklist /var/lib/games/Maelstrom-Scores
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /var/lib/games
+whitelist /var/lib/games
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/Mathematica.profile b/etc/profile-m-z/Mathematica.profile
index bd929d21a..c2734b1c1 100644
--- a/etc/profile-m-z/Mathematica.profile
+++ b/etc/profile-m-z/Mathematica.profile
@@ -5,8 +5,8 @@ include Mathematica.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.Mathematica
+noblacklist ${HOME}/.Mathematica
-nodeny  ${HOME}/.Wolfram Research
+noblacklist ${HOME}/.Wolfram Research
 include disable-common.inc
 include disable-devel.inc
@@ -17,9 +17,9 @@ include disable-programs.inc
 mkdir ${HOME}/.Mathematica
 mkdir ${HOME}/.Wolfram Research
 mkdir ${HOME}/Documents/Wolfram Mathematica
-allow  ${HOME}/.Mathematica
+whitelist ${HOME}/.Mathematica
-allow  ${HOME}/.Wolfram Research
+whitelist ${HOME}/.Wolfram Research
-allow  ${HOME}/Documents/Wolfram Mathematica
+whitelist ${HOME}/Documents/Wolfram Mathematica
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/PCSX2.profile b/etc/profile-m-z/PCSX2.profile
index f833b9446..e678b7204 100644
--- a/etc/profile-m-z/PCSX2.profile
+++ b/etc/profile-m-z/PCSX2.profile
@@ -8,7 +8,7 @@ include globals.local
 # Note: you must whitelist your games folder in your PCSX2.local.
-nodeny  ${HOME}/.config/PCSX2
+noblacklist ${HOME}/.config/PCSX2
 include disable-common.inc
 include disable-devel.inc
@@ -21,7 +21,7 @@ include disable-write-mnt.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/PCSX2
-allow  ${HOME}/.config/PCSX2
+whitelist ${HOME}/.config/PCSX2
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
index d7b01fe06..86120587b 100644
--- a/etc/profile-m-z/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -6,18 +6,18 @@ include QMediathekView.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/QMediathekView
+noblacklist ${HOME}/.config/QMediathekView
-nodeny  ${HOME}/.local/share/QMediathekView
+noblacklist ${HOME}/.local/share/QMediathekView
-nodeny  ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/mpv
-nodeny  ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/smplayer
-nodeny  ${HOME}/.config/totem
+noblacklist ${HOME}/.config/totem
-nodeny  ${HOME}/.config/vlc
+noblacklist ${HOME}/.config/vlc
-nodeny  ${HOME}/.config/xplayer
+noblacklist ${HOME}/.config/xplayer
-nodeny  ${HOME}/.local/share/totem
+noblacklist ${HOME}/.local/share/totem
-nodeny  ${HOME}/.local/share/xplayer
+noblacklist ${HOME}/.local/share/xplayer
-nodeny  ${HOME}/.mplayer
+noblacklist ${HOME}/.mplayer
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
@@ -28,7 +28,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/qtchooser
+whitelist /usr/share/qtchooser
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile
index 4ca42730a..660378089 100644
--- a/etc/profile-m-z/QOwnNotes.profile
+++ b/etc/profile-m-z/QOwnNotes.profile
@@ -6,10 +6,10 @@ include QOwnNotes.local
 # Persistent global definitions
 include globals.local
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${HOME}/Nextcloud/Notes
+noblacklist ${HOME}/Nextcloud/Notes
-nodeny  ${HOME}/.config/PBE
+noblacklist ${HOME}/.config/PBE
-nodeny  ${HOME}/.local/share/PBE
+noblacklist ${HOME}/.local/share/PBE
 include disable-common.inc
 include disable-devel.inc
@@ -23,10 +23,10 @@ include disable-xdg.inc
 mkdir ${HOME}/Nextcloud/Notes
 mkdir ${HOME}/.config/PBE
 mkdir ${HOME}/.local/share/PBE
-allow  ${DOCUMENTS}
+whitelist ${DOCUMENTS}
-allow  ${HOME}/Nextcloud/Notes
+whitelist ${HOME}/Nextcloud/Notes
-allow  ${HOME}/.config/PBE
+whitelist ${HOME}/.config/PBE
-allow  ${HOME}/.local/share/PBE
+whitelist ${HOME}/.local/share/PBE
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile
index b98847d3a..3195e39fa 100644
--- a/etc/profile-m-z/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -5,8 +5,8 @@ include Viber.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.ViberPC
+noblacklist ${HOME}/.ViberPC
-nodeny  ${PATH}/dig
+noblacklist ${PATH}/dig
 include disable-common.inc
 include disable-devel.inc
@@ -16,8 +16,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.ViberPC
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.ViberPC
+whitelist ${HOME}/.ViberPC
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/XMind.profile b/etc/profile-m-z/XMind.profile
index c9cf7adf7..d78e04595 100644
--- a/etc/profile-m-z/XMind.profile
+++ b/etc/profile-m-z/XMind.profile
@@ -5,7 +5,7 @@ include XMind.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.xmind
+noblacklist ${HOME}/.xmind
 include disable-common.inc
 include disable-devel.inc
@@ -15,8 +15,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.xmind
-allow  ${HOME}/.xmind
+whitelist ${HOME}/.xmind
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/Xephyr.profile b/etc/profile-m-z/Xephyr.profile
index 7ba1cdac9..5cf5161ce 100644
--- a/etc/profile-m-z/Xephyr.profile
+++ b/etc/profile-m-z/Xephyr.profile
@@ -15,7 +15,7 @@ include globals.local
 # or run "sudo firecfg"
 #
-allow  /var/lib/xkb
+whitelist /var/lib/xkb
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
index a246ccb23..1acd43023 100644
--- a/etc/profile-m-z/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -18,7 +18,7 @@ include globals.local
 # some Linux distributions. Also, older versions of Xpra use Xvfb.
 #
-allow  /var/lib/xkb
+whitelist /var/lib/xkb
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/ZeGrapher.profile b/etc/profile-m-z/ZeGrapher.profile
index 4f65ad7d1..7686c3442 100644
--- a/etc/profile-m-z/ZeGrapher.profile
+++ b/etc/profile-m-z/ZeGrapher.profile
@@ -6,7 +6,7 @@ include ZeGrapher.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/ZeGrapher Project
+noblacklist ${HOME}/.config/ZeGrapher Project
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
-allow  /usr/share/ZeGrapher
+whitelist /usr/share/ZeGrapher
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/io.github.lainsce.Notejot.profile b/etc/profile-m-z/io.github.lainsce.Notejot.profile
new file mode 100644
index 000000000..a8029db72
--- /dev/null
+++ b/etc/profile-m-z/io.github.lainsce.Notejot.profile
@@ -0,0 +1,61 @@
+# Firejail profile for notejot
+# Description: Jot your ideas
+# This file is overwritten after every install/update
+# Persistent local customizations
+include io.github.lainsce.Notejot.local
+# Persistent global definitions
+include globals.local
+nodeny ${HOME}/.cache/io.github.lainsce.Notejot
+nodeny ${HOME}/.local/share/io.github.lainsce.Notejot
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/io.github.lainsce.Notejot
+mkdir ${HOME}/.local/share/io.github.lainsce.Notejot
+allow ${HOME}/.cache/io.github.lainsce.Notejot
+allow ${HOME}/.local/share/io.github.lainsce.Notejot
+allow /usr/libexec/webkit2gtk-4.0
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-bin io.github.lainsce.Notejot
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+dbus-user filter
+dbus-user.own io.github.lainsce.Notejot
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-m-z/macrofusion.profile b/etc/profile-m-z/macrofusion.profile
index 763d475bb..d1dcb6fe0 100644
--- a/etc/profile-m-z/macrofusion.profile
+++ b/etc/profile-m-z/macrofusion.profile
@@ -5,8 +5,8 @@ include macrofusion.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/mfusion
+noblacklist ${HOME}/.config/mfusion
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile
index d561a5095..8a27b2626 100644
--- a/etc/profile-m-z/magicor.profile
+++ b/etc/profile-m-z/magicor.profile
@@ -6,7 +6,7 @@ include magicor.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.magicor
+noblacklist ${HOME}/.magicor
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -21,8 +21,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.magicor
-allow  ${HOME}/.magicor
+whitelist ${HOME}/.magicor
-allow  /usr/share/magicor
+whitelist /usr/share/magicor
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index a7c486c9f..513fcae55 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -6,8 +6,8 @@ include makepkg.local
 # Persistent global definitions
 include globals.local
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 # Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138
 # for potential issues and their solutions when Firejailing makepkg
@@ -17,18 +17,18 @@ deny  ${RUNUSER}/wayland-*
 # whitelist ${HOME}/.gnupg
 # Enable severely restricted access to ${HOME}/.gnupg
-nodeny  ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
 read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gnupg/trustdb.gpg
 read-only ${HOME}/.gnupg/pubring.kbx
-deny  ${HOME}/.gnupg/random_seed
+blacklist ${HOME}/.gnupg/random_seed
-deny  ${HOME}/.gnupg/pubring.kbx~
+blacklist ${HOME}/.gnupg/pubring.kbx~
-deny  ${HOME}/.gnupg/private-keys-v1.d
+blacklist ${HOME}/.gnupg/private-keys-v1.d
-deny  ${HOME}/.gnupg/crls.d
+blacklist ${HOME}/.gnupg/crls.d
-deny  ${HOME}/.gnupg/openpgp-revocs.d
+blacklist ${HOME}/.gnupg/openpgp-revocs.d
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
-nodeny  /var/lib/pacman
+noblacklist /var/lib/pacman
 include disable-common.inc
 include disable-exec.inc
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
index 383eeeeb7..bd510fcac 100644
--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -7,10 +7,10 @@ include man.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
-nodeny  ${HOME}/.local/share/man
+noblacklist ${HOME}/.local/share/man
-nodeny  ${HOME}/.rustup
+noblacklist ${HOME}/.rustup
 include disable-common.inc
 include disable-devel.inc
@@ -23,12 +23,12 @@ include disable-xdg.inc
 #mkdir ${HOME}/.local/share/man
 #whitelist ${HOME}/.local/share/man
 #whitelist ${HOME}/.manpath
-allow  /usr/share/groff
+whitelist /usr/share/groff
-allow  /usr/share/info
+whitelist /usr/share/info
-allow  /usr/share/lintian
+whitelist /usr/share/lintian
-allow  /usr/share/locale
+whitelist /usr/share/locale
-allow  /usr/share/man
+whitelist /usr/share/man
-allow  /var/cache/man
+whitelist /var/cache/man
 #include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/manaplus.profile b/etc/profile-m-z/manaplus.profile
index 67ee783a6..f59a56ac6 100644
--- a/etc/profile-m-z/manaplus.profile
+++ b/etc/profile-m-z/manaplus.profile
@@ -6,8 +6,8 @@ include manaplus.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/mana
+noblacklist ${HOME}/.config/mana
-nodeny  ${HOME}/.local/share/mana
+noblacklist ${HOME}/.local/share/mana
 include disable-common.inc
 include disable-devel.inc
@@ -21,8 +21,8 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/mana
 mkdir ${HOME}/.config/mana/mana
 mkdir ${HOME}/.local/share/mana
-allow  ${HOME}/.config/mana
+whitelist ${HOME}/.config/mana
-allow  ${HOME}/.local/share/mana
+whitelist ${HOME}/.local/share/mana
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile
index 7645ad335..bd56a8221 100644
--- a/etc/profile-m-z/marker.profile
+++ b/etc/profile-m-z/marker.profile
@@ -11,8 +11,8 @@ include globals.local
 #protocol unix,inet,inet6
 #private-etc ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf
-nodeny  ${HOME}/.cache/marker
+noblacklist ${HOME}/.cache/marker
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include allow-python3.inc
@@ -25,8 +25,8 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/libexec/webkit2gtk-4.0
+whitelist /usr/libexec/webkit2gtk-4.0
-allow  /usr/share/com.github.fabiocolacio.marker
+whitelist /usr/share/com.github.fabiocolacio.marker
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile
index d8b215b7f..de1135071 100644
--- a/etc/profile-m-z/masterpdfeditor.profile
+++ b/etc/profile-m-z/masterpdfeditor.profile
@@ -6,8 +6,8 @@ include masterpdfeditor.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Code Industry
+noblacklist ${HOME}/.config/Code Industry
-nodeny  ${HOME}/.masterpdfeditor
+noblacklist ${HOME}/.masterpdfeditor
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile
index 92832783e..39ee7439d 100644
--- a/etc/profile-m-z/mate-calc.profile
+++ b/etc/profile-m-z/mate-calc.profile
@@ -6,7 +6,7 @@ include mate-calc.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/mate-calc
+noblacklist ${HOME}/.config/mate-calc
 include disable-common.inc
 include disable-devel.inc
@@ -18,9 +18,9 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/mate-calc
 mkdir ${HOME}/.config/caja
 mkdir ${HOME}/.config/mate-menu
-allow  ${HOME}/.cache/mate-calc
+whitelist ${HOME}/.cache/mate-calc
-allow  ${HOME}/.config/caja
+whitelist ${HOME}/.config/caja
-allow  ${HOME}/.config/mate-menu
+whitelist ${HOME}/.config/mate-menu
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile
index 90c9d0993..ae1fcbf62 100644
--- a/etc/profile-m-z/mate-dictionary.profile
+++ b/etc/profile-m-z/mate-dictionary.profile
@@ -5,7 +5,7 @@ include mate-dictionary.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/mate/mate-dictionary
+noblacklist ${HOME}/.config/mate/mate-dictionary
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-programs.inc
 include disable-shell.inc
 mkdir ${HOME}/.config/mate/mate-dictionary
-allow  ${HOME}/.config/mate/mate-dictionary
+whitelist ${HOME}/.config/mate/mate-dictionary
 include whitelist-common.inc
 apparmor
diff --git a/etc/profile-m-z/matrix-mirage.profile b/etc/profile-m-z/matrix-mirage.profile
index 8ee470a50..b3080df88 100644
--- a/etc/profile-m-z/matrix-mirage.profile
+++ b/etc/profile-m-z/matrix-mirage.profile
@@ -7,16 +7,16 @@ include matrix-mirage.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.cache/matrix-mirage
+noblacklist ${HOME}/.cache/matrix-mirage
-nodeny  ${HOME}/.config/matrix-mirage
+noblacklist ${HOME}/.config/matrix-mirage
-nodeny  ${HOME}/.local/share/matrix-mirage
+noblacklist ${HOME}/.local/share/matrix-mirage
 mkdir ${HOME}/.cache/matrix-mirage
 mkdir ${HOME}/.config/matrix-mirage
 mkdir ${HOME}/.local/share/matrix-mirage
-allow  ${HOME}/.cache/matrix-mirage
+whitelist ${HOME}/.cache/matrix-mirage
-allow  ${HOME}/.config/matrix-mirage
+whitelist ${HOME}/.config/matrix-mirage
-allow  ${HOME}/.local/share/matrix-mirage
+whitelist ${HOME}/.local/share/matrix-mirage
 private-bin matrix-mirage
diff --git a/etc/profile-m-z/mattermost-desktop.profile b/etc/profile-m-z/mattermost-desktop.profile
index 01076a90a..3c2bf4fa3 100644
--- a/etc/profile-m-z/mattermost-desktop.profile
+++ b/etc/profile-m-z/mattermost-desktop.profile
@@ -10,12 +10,12 @@ ignore apparmor
 ignore dbus-user none
 ignore dbus-system none
-nodeny  ${HOME}/.config/Mattermost
+noblacklist ${HOME}/.config/Mattermost
 include disable-shell.inc
 mkdir ${HOME}/.config/Mattermost
-allow  ${HOME}/.config/Mattermost
+whitelist ${HOME}/.config/Mattermost
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
diff --git a/etc/profile-m-z/mcabber.profile b/etc/profile-m-z/mcabber.profile
index ae749114a..38d2d8d63 100644
--- a/etc/profile-m-z/mcabber.profile
+++ b/etc/profile-m-z/mcabber.profile
@@ -6,8 +6,8 @@ include mcabber.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.mcabber
+noblacklist ${HOME}/.mcabber
-nodeny  ${HOME}/.mcabberrc
+noblacklist ${HOME}/.mcabberrc
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mcomix.profile b/etc/profile-m-z/mcomix.profile
index d9e12fb5d..fcd1e24e5 100644
--- a/etc/profile-m-z/mcomix.profile
+++ b/etc/profile-m-z/mcomix.profile
@@ -6,9 +6,9 @@ include mcomix.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/mcomix
+noblacklist ${HOME}/.config/mcomix
-nodeny  ${HOME}/.local/share/mcomix
+noblacklist ${HOME}/.local/share/mcomix
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
@@ -30,7 +30,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/mcomix
 mkdir ${HOME}/.local/share/mcomix
-allow  /usr/share/mcomix
+whitelist /usr/share/mcomix
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile
index 9e8656290..5d3f8dc41 100644
--- a/etc/profile-m-z/mdr.profile
+++ b/etc/profile-m-z/mdr.profile
@@ -5,7 +5,7 @@ include mdr.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/mediainfo.profile b/etc/profile-m-z/mediainfo.profile
index ae34ea321..17363624f 100644
--- a/etc/profile-m-z/mediainfo.profile
+++ b/etc/profile-m-z/mediainfo.profile
@@ -6,7 +6,7 @@ include mediainfo.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mediathekview.profile b/etc/profile-m-z/mediathekview.profile
index 3459ad4cf..0063badd8 100644
--- a/etc/profile-m-z/mediathekview.profile
+++ b/etc/profile-m-z/mediathekview.profile
@@ -6,16 +6,16 @@ include mediathekview.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/mpv
-nodeny  ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/smplayer
-nodeny  ${HOME}/.config/totem
+noblacklist ${HOME}/.config/totem
-nodeny  ${HOME}/.config/vlc
+noblacklist ${HOME}/.config/vlc
-nodeny  ${HOME}/.config/xplayer
+noblacklist ${HOME}/.config/xplayer
-nodeny  ${HOME}/.local/share/totem
+noblacklist ${HOME}/.local/share/totem
-nodeny  ${HOME}/.local/share/xplayer
+noblacklist ${HOME}/.local/share/xplayer
-nodeny  ${HOME}/.mediathek3
+noblacklist ${HOME}/.mediathek3
-nodeny  ${HOME}/.mplayer
+noblacklist ${HOME}/.mplayer
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-m-z/megaglest.profile b/etc/profile-m-z/megaglest.profile
index ad9094ddf..f07b9166a 100644
--- a/etc/profile-m-z/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -6,7 +6,7 @@ include megaglest.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.megaglest
+noblacklist ${HOME}/.megaglest
 include disable-common.inc
 include disable-devel.inc
@@ -18,9 +18,9 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.megaglest
-allow  ${HOME}/.megaglest
+whitelist ${HOME}/.megaglest
-allow  /usr/share/megaglest
+whitelist /usr/share/megaglest
-allow  /usr/share/games/megaglest       # Debian version
+whitelist /usr/share/games/megaglest    # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index 06ee572c9..2a8bb3acf 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -13,12 +13,12 @@ include globals.local
 # Calling it by its absolute path (example for git mergetool):
 # $ git config --global mergetool.meld.cmd /usr/bin/meld
-nodeny  ${HOME}/.config/meld
+noblacklist ${HOME}/.config/meld
-nodeny  ${HOME}/.config/git
+noblacklist ${HOME}/.config/git
-nodeny  ${HOME}/.gitconfig
+noblacklist ${HOME}/.gitconfig
-nodeny  ${HOME}/.git-credentials
+noblacklist ${HOME}/.git-credentials
-nodeny  ${HOME}/.local/share/meld
+noblacklist ${HOME}/.local/share/meld
-nodeny  ${HOME}/.subversion
+noblacklist ${HOME}/.subversion
 # Allow python (blacklisted by disable-interpreters.inc)
 # Python 2 is EOL (see #3164). Add the next line to your meld.local if you understand the risks
@@ -29,7 +29,7 @@ include allow-python3.inc
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
-deny  /usr/libexec
+blacklist /usr/libexec
 # Add the next line to your meld.local if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
diff --git a/etc/profile-m-z/mendeleydesktop.profile b/etc/profile-m-z/mendeleydesktop.profile
index e33d6c157..c0bdbb230 100644
--- a/etc/profile-m-z/mendeleydesktop.profile
+++ b/etc/profile-m-z/mendeleydesktop.profile
@@ -6,13 +6,13 @@ include mendeleydesktop.local
 # Persistent global definitions
 include globals.local
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${HOME}/.cache/Mendeley Ltd.
+noblacklist ${HOME}/.cache/Mendeley Ltd.
-nodeny  ${HOME}/.config/Mendeley Ltd.
+noblacklist ${HOME}/.config/Mendeley Ltd.
-nodeny  ${HOME}/.local/share/Mendeley Ltd.
+noblacklist ${HOME}/.local/share/Mendeley Ltd.
-nodeny  ${HOME}/.local/share/data/Mendeley Ltd.
+noblacklist ${HOME}/.local/share/data/Mendeley Ltd.
-nodeny  ${HOME}/.pki
+noblacklist ${HOME}/.pki
-nodeny  ${HOME}/.local/share/pki
+noblacklist ${HOME}/.local/share/pki
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
index 52808a5b5..2081b8c96 100644
--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -19,13 +19,13 @@ include disable-passwdmgr.inc
 include disable-xdg.inc
 # Whitelist your system icon directory,varies by distro
-allow  /usr/share/app-info
+whitelist /usr/share/app-info
-allow  /usr/share/desktop-directories
+whitelist /usr/share/desktop-directories
-allow  /usr/share/icons
+whitelist /usr/share/icons
-allow  /usr/share/menulibre
+whitelist /usr/share/menulibre
-allow  /var/lib/app-info/icons
+whitelist /var/lib/app-info/icons
-allow  /var/lib/flatpak/exports/share/applications
+whitelist /var/lib/flatpak/exports/share/applications
-allow  /var/lib/flatpak/exports/share/icons
+whitelist /var/lib/flatpak/exports/share/icons
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/meteo-qt.profile b/etc/profile-m-z/meteo-qt.profile
index 48f936632..85ed7bc74 100644
--- a/etc/profile-m-z/meteo-qt.profile
+++ b/etc/profile-m-z/meteo-qt.profile
@@ -6,8 +6,8 @@ include meteo-qt.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/autostart
+noblacklist ${HOME}/.config/autostart
-nodeny  ${HOME}/.config/meteo-qt
+noblacklist ${HOME}/.config/meteo-qt
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
@@ -22,8 +22,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/meteo-qt
-allow  ${HOME}/.config/autostart
+whitelist ${HOME}/.config/autostart
-allow  ${HOME}/.config/meteo-qt
+whitelist ${HOME}/.config/meteo-qt
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile
new file mode 100644
index 000000000..34d9f470a
--- /dev/null
+++ b/etc/profile-m-z/microsoft-edge-beta.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Microsoft Edge Beta
+# Description: Web browser from Microsoft,beta channel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include microsoft-edge-beta.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/microsoft-edge-beta
+noblacklist ${HOME}/.config/microsoft-edge-beta
+mkdir ${HOME}/.cache/microsoft-edge-beta
+mkdir ${HOME}/.config/microsoft-edge-beta
+whitelist ${HOME}/.cache/microsoft-edge-beta
+whitelist ${HOME}/.config/microsoft-edge-beta
+private-opt microsoft
+# Redirect
+include chromium-common.profile
+\ No newline at end of file
diff --git a/etc/profile-m-z/microsoft-edge-dev.profile b/etc/profile-m-z/microsoft-edge-dev.profile
index 96465866c..039cd36a8 100644
--- a/etc/profile-m-z/microsoft-edge-dev.profile
+++ b/etc/profile-m-z/microsoft-edge-dev.profile
@@ -6,13 +6,13 @@ include microsoft-edge-dev.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/microsoft-edge-dev
+noblacklist ${HOME}/.cache/microsoft-edge-dev
-nodeny  ${HOME}/.config/microsoft-edge-dev
+noblacklist ${HOME}/.config/microsoft-edge-dev
 mkdir ${HOME}/.cache/microsoft-edge-dev
 mkdir ${HOME}/.config/microsoft-edge-dev
-allow  ${HOME}/.cache/microsoft-edge-dev
+whitelist ${HOME}/.cache/microsoft-edge-dev
-allow  ${HOME}/.config/microsoft-edge-dev
+whitelist ${HOME}/.config/microsoft-edge-dev
 private-opt microsoft
diff --git a/etc/profile-m-z/midori.profile b/etc/profile-m-z/midori.profile
index c4a444e0d..e15259608 100644
--- a/etc/profile-m-z/midori.profile
+++ b/etc/profile-m-z/midori.profile
@@ -9,17 +9,17 @@ include globals.local
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
-nodeny  ${HOME}/.cache/midori
+noblacklist ${HOME}/.cache/midori
-nodeny  ${HOME}/.config/midori
+noblacklist ${HOME}/.config/midori
-nodeny  ${HOME}/.local/share/midori
+noblacklist ${HOME}/.local/share/midori
 # noblacklist ${HOME}/.local/share/webkit
 # noblacklist ${HOME}/.local/share/webkitgtk
-nodeny  ${HOME}/.pki
+noblacklist ${HOME}/.pki
-nodeny  ${HOME}/.local/share/pki
+noblacklist ${HOME}/.local/share/pki
-nodeny  ${HOME}/.cache/gnome-mplayer
+noblacklist ${HOME}/.cache/gnome-mplayer
-nodeny  ${HOME}/.config/gnome-mplayer
+noblacklist ${HOME}/.config/gnome-mplayer
-nodeny  ${HOME}/.lastpass
+noblacklist ${HOME}/.lastpass
 include disable-common.inc
 include disable-devel.inc
@@ -36,17 +36,17 @@ mkdir ${HOME}/.local/share/webkit
 mkdir ${HOME}/.local/share/webkitgtk
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
-allow  ${HOME}/.cache/midori
+whitelist ${HOME}/.cache/midori
-allow  ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.config/gnome-mplayer
-allow  ${HOME}/.config/midori
+whitelist ${HOME}/.config/midori
-allow  ${HOME}/.lastpass
+whitelist ${HOME}/.lastpass
-allow  ${HOME}/.local/share/midori
+whitelist ${HOME}/.local/share/midori
-allow  ${HOME}/.local/share/webkit
+whitelist ${HOME}/.local/share/webkit
-allow  ${HOME}/.local/share/webkitgtk
+whitelist ${HOME}/.local/share/webkitgtk
-allow  ${HOME}/.pki
+whitelist ${HOME}/.pki
-allow  ${HOME}/.local/share/pki
+whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/min.profile b/etc/profile-m-z/min.profile
index 214332184..7f3aeab44 100644
--- a/etc/profile-m-z/min.profile
+++ b/etc/profile-m-z/min.profile
@@ -6,10 +6,10 @@ include min.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Min
+noblacklist ${HOME}/.config/Min
 mkdir ${HOME}/.config/Min
-allow  ${HOME}/.config/Min
+whitelist ${HOME}/.config/Min
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile
index ee8402b87..fbf6b58e8 100644
--- a/etc/profile-m-z/mindless.profile
+++ b/etc/profile-m-z/mindless.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/mindless
+whitelist /usr/share/mindless
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile
index 595313851..1028e374a 100644
--- a/etc/profile-m-z/minecraft-launcher.profile
+++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -11,7 +11,7 @@ include globals.local
 ignore noexec ${HOME}
-nodeny  ${HOME}/.minecraft
+noblacklist ${HOME}/.minecraft
 include allow-java.inc
@@ -25,7 +25,7 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.minecraft
-allow  ${HOME}/.minecraft
+whitelist ${HOME}/.minecraft
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile
index 11d0859b7..cad1adbda 100644
--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -9,8 +9,8 @@ include globals.local
 # In order to save in-game screenshots to a persistent location edit ~/.minetest/minetest.conf:
 #   screenshot_path = /home/<USER>/.minetest/screenshots
-nodeny  ${HOME}/.cache/minetest
+noblacklist ${HOME}/.cache/minetest
-nodeny  ${HOME}/.minetest
+noblacklist ${HOME}/.minetest
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -26,10 +26,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/minetest
 mkdir ${HOME}/.minetest
-allow  ${HOME}/.cache/minetest
+whitelist ${HOME}/.cache/minetest
-allow  ${HOME}/.minetest
+whitelist ${HOME}/.minetest
-allow  /usr/share/games/minetest
+whitelist /usr/share/games/minetest
-allow  /usr/share/minetest
+whitelist /usr/share/minetest
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile
index 192913dbf..b8a551b6c 100644
--- a/etc/profile-m-z/minitube.profile
+++ b/etc/profile-m-z/minitube.profile
@@ -6,10 +6,10 @@ include minitube.local
 # Persistent global definitions
 include globals.local
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
-nodeny  ${HOME}/.cache/Flavio Tordini
+noblacklist ${HOME}/.cache/Flavio Tordini
-nodeny  ${HOME}/.config/Flavio Tordini
+noblacklist ${HOME}/.config/Flavio Tordini
-nodeny  ${HOME}/.local/share/Flavio Tordini
+noblacklist ${HOME}/.local/share/Flavio Tordini
 include allow-lua.inc
@@ -25,11 +25,11 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/Flavio Tordini
 mkdir ${HOME}/.config/Flavio Tordini
 mkdir ${HOME}/.local/share/Flavio Tordini
-allow  ${PICTURES}
+whitelist ${PICTURES}
-allow  ${HOME}/.cache/Flavio Tordini
+whitelist ${HOME}/.cache/Flavio Tordini
-allow  ${HOME}/.config/Flavio Tordini
+whitelist ${HOME}/.config/Flavio Tordini
-allow  ${HOME}/.local/share/Flavio Tordini
+whitelist ${HOME}/.local/share/Flavio Tordini
-allow  /usr/share/minitube
+whitelist /usr/share/minitube
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -47,7 +47,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp !kcmp
+seccomp
 shell none
 tracelog
diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile
index b2f2cc5b1..505009283 100644
--- a/etc/profile-m-z/mirage.profile
+++ b/etc/profile-m-z/mirage.profile
@@ -6,10 +6,10 @@ include mirage.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/mirage
+noblacklist ${HOME}/.cache/mirage
-nodeny  ${HOME}/.config/mirage
+noblacklist ${HOME}/.config/mirage
-nodeny  ${HOME}/.local/share/mirage
+noblacklist ${HOME}/.local/share/mirage
-nodeny  /sbin
+noblacklist /sbin
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -27,10 +27,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/mirage
 mkdir ${HOME}/.config/mirage
 mkdir ${HOME}/.local/share/mirage
-allow  ${HOME}/.cache/mirage
+whitelist ${HOME}/.cache/mirage
-allow  ${HOME}/.config/mirage
+whitelist ${HOME}/.config/mirage
-allow  ${HOME}/.local/share/mirage
+whitelist ${HOME}/.local/share/mirage
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile
index d5ebfd4b0..58dfd56f5 100644
--- a/etc/profile-m-z/mirrormagic.profile
+++ b/etc/profile-m-z/mirrormagic.profile
@@ -6,7 +6,7 @@ include mirrormagic.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.mirrormagic
+noblacklist ${HOME}/.mirrormagic
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.mirrormagic
-allow  ${HOME}/.mirrormagic
+whitelist ${HOME}/.mirrormagic
-allow  /usr/share/mirrormagic
+whitelist /usr/share/mirrormagic
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
index b734bd7c0..e71ba4569 100644
--- a/etc/profile-m-z/mocp.profile
+++ b/etc/profile-m-z/mocp.profile
@@ -7,8 +7,8 @@ include mocp.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.moc
+noblacklist ${HOME}/.moc
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mousepad.profile b/etc/profile-m-z/mousepad.profile
index a02b29b61..98063fa7c 100644
--- a/etc/profile-m-z/mousepad.profile
+++ b/etc/profile-m-z/mousepad.profile
@@ -6,7 +6,7 @@ include mousepad.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Mousepad
+noblacklist ${HOME}/.config/Mousepad
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile
index f47384753..37ce60e04 100644
--- a/etc/profile-m-z/mp3splt-gtk.profile
+++ b/etc/profile-m-z/mp3splt-gtk.profile
@@ -6,7 +6,7 @@ include mp3splt-gtk.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.mp3splt-gtk
+noblacklist ${HOME}/.mp3splt-gtk
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mp3splt.profile b/etc/profile-m-z/mp3splt.profile
index 8a2ab15bd..070de8451 100644
--- a/etc/profile-m-z/mp3splt.profile
+++ b/etc/profile-m-z/mp3splt.profile
@@ -6,9 +6,9 @@ include mp3splt.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile
index 6994b0429..55a0b5897 100644
--- a/etc/profile-m-z/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -6,13 +6,13 @@ include mpDris2.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/mpDris2
+noblacklist ${HOME}/.config/mpDris2
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
@@ -23,10 +23,10 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  ${MUSIC}
+whitelist ${MUSIC}
 mkdir ${HOME}/.config/mpDris2
-allow  ${HOME}/.config/mpDris2
+whitelist ${HOME}/.config/mpDris2
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/mpd.profile b/etc/profile-m-z/mpd.profile
index 8b3350ac8..b517d4ab2 100644
--- a/etc/profile-m-z/mpd.profile
+++ b/etc/profile-m-z/mpd.profile
@@ -6,10 +6,10 @@ include mpd.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/mpd
+noblacklist ${HOME}/.config/mpd
-nodeny  ${HOME}/.mpd
+noblacklist ${HOME}/.mpd
-nodeny  ${HOME}/.mpdconf
+noblacklist ${HOME}/.mpdconf
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mpg123.profile b/etc/profile-m-z/mpg123.profile
index 03bd44daa..25187e894 100644
--- a/etc/profile-m-z/mpg123.profile
+++ b/etc/profile-m-z/mpg123.profile
@@ -7,7 +7,7 @@ include mpg123.local
 # Persistent global definitions
 include globals.local
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile
index 84754aeb2..5d023b7f1 100644
--- a/etc/profile-m-z/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -6,7 +6,7 @@ include mplayer.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.mplayer
+noblacklist ${HOME}/.mplayer
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 read-only ${DESKTOP}
 mkdir ${HOME}/.mplayer
-allow  ${HOME}/.mplayer
+whitelist ${HOME}/.mplayer
 include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/mpsyt.profile b/etc/profile-m-z/mpsyt.profile
index d35519103..bfe57a132 100644
--- a/etc/profile-m-z/mpsyt.profile
+++ b/etc/profile-m-z/mpsyt.profile
@@ -6,12 +6,12 @@ include mpsyt.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/mps-youtube
+noblacklist ${HOME}/.config/mps-youtube
-nodeny  ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/mpv
-nodeny  ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.config/youtube-dl
-nodeny  ${HOME}/.mplayer
+noblacklist ${HOME}/.mplayer
-nodeny  ${HOME}/.netrc
+noblacklist ${HOME}/.netrc
-nodeny  ${HOME}/mps
+noblacklist ${HOME}/mps
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -20,8 +20,8 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
@@ -37,12 +37,12 @@ mkdir ${HOME}/.config/mpv
 mkdir ${HOME}/.config/youtube-dl
 mkdir ${HOME}/.mplayer
 mkdir ${HOME}/mps
-allow  ${HOME}/.config/mps-youtube
+whitelist ${HOME}/.config/mps-youtube
-allow  ${HOME}/.config/mpv
+whitelist ${HOME}/.config/mpv
-allow  ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.config/youtube-dl
-allow  ${HOME}/.mplayer
+whitelist ${HOME}/.mplayer
-allow  ${HOME}/.netrc
+whitelist ${HOME}/.netrc
-allow  ${HOME}/mps
+whitelist ${HOME}/mps
 include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 4ea2dd348..af5c214f7 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -24,9 +24,9 @@ include globals.local
 #include allow-bin-sh.inc
 #private-bin sh
-nodeny  ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/mpv
-nodeny  ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.config/youtube-dl
-nodeny  ${HOME}/.netrc
+noblacklist ${HOME}/.netrc
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -35,7 +35,7 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
-deny  /usr/libexec
+blacklist /usr/libexec
 include disable-common.inc
 include disable-devel.inc
@@ -49,14 +49,14 @@ read-only ${DESKTOP}
 mkdir ${HOME}/.config/mpv
 mkdir ${HOME}/.config/youtube-dl
 mkfile ${HOME}/.netrc
-allow  ${HOME}/.config/mpv
+whitelist ${HOME}/.config/mpv
-allow  ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.config/youtube-dl
-allow  ${HOME}/.netrc
+whitelist ${HOME}/.netrc
 include whitelist-common.inc
 include whitelist-player-common.inc
-allow  /usr/share/lua
+whitelist /usr/share/lua
-allow  /usr/share/lua*
+whitelist /usr/share/lua*
-allow  /usr/share/vulkan
+whitelist /usr/share/vulkan
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
index a8c49a690..e3ceb3bd4 100644
--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -6,7 +6,7 @@ include mrrescue.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/love
+noblacklist ${HOME}/.local/share/love
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
@@ -14,7 +14,7 @@ include allow-bin-sh.inc
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
-deny  /usr/libexec
+blacklist /usr/libexec
 include disable-common.inc
 include disable-devel.inc
@@ -26,8 +26,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.local/share/love
-allow  ${HOME}/.local/share/love
+whitelist ${HOME}/.local/share/love
-allow  /usr/share/mrrescue
+whitelist /usr/share/mrrescue
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/ms-excel.profile b/etc/profile-m-z/ms-excel.profile
index 5fea86ae7..db24e8f9b 100644
--- a/etc/profile-m-z/ms-excel.profile
+++ b/etc/profile-m-z/ms-excel.profile
@@ -6,7 +6,7 @@ include ms-excel.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.cache/ms-excel-online
+noblacklist ${HOME}/.cache/ms-excel-online
 private-bin ms-excel
 # Redirect
diff --git a/etc/profile-m-z/ms-office.profile b/etc/profile-m-z/ms-office.profile
index 4033627f7..38fc84ecc 100644
--- a/etc/profile-m-z/ms-office.profile
+++ b/etc/profile-m-z/ms-office.profile
@@ -5,8 +5,8 @@ include ms-office.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/ms-office-online
+noblacklist ${HOME}/.cache/ms-office-online
-nodeny  ${HOME}/.jak
+noblacklist ${HOME}/.jak
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/ms-onenote.profile b/etc/profile-m-z/ms-onenote.profile
index 805de5102..9ea0637bd 100644
--- a/etc/profile-m-z/ms-onenote.profile
+++ b/etc/profile-m-z/ms-onenote.profile
@@ -6,7 +6,7 @@ include ms-onenote.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.cache/ms-onenote-online
+noblacklist ${HOME}/.cache/ms-onenote-online
 private-bin ms-onenote
 # Redirect
diff --git a/etc/profile-m-z/ms-outlook.profile b/etc/profile-m-z/ms-outlook.profile
index bd14fb7d3..fc3e7c009 100644
--- a/etc/profile-m-z/ms-outlook.profile
+++ b/etc/profile-m-z/ms-outlook.profile
@@ -6,7 +6,7 @@ include ms-outlook.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.cache/ms-outlook-online
+noblacklist ${HOME}/.cache/ms-outlook-online
 private-bin ms-outlook
 # Redirect
diff --git a/etc/profile-m-z/ms-powerpoint.profile b/etc/profile-m-z/ms-powerpoint.profile
index 02a7424e2..dadcd5b1e 100644
--- a/etc/profile-m-z/ms-powerpoint.profile
+++ b/etc/profile-m-z/ms-powerpoint.profile
@@ -6,7 +6,7 @@ include ms-powerpoint.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.cache/ms-powerpoint-online
+noblacklist ${HOME}/.cache/ms-powerpoint-online
 private-bin ms-powerpoint
 # Redirect
diff --git a/etc/profile-m-z/ms-skype.profile b/etc/profile-m-z/ms-skype.profile
index 01729f9a2..df1618361 100644
--- a/etc/profile-m-z/ms-skype.profile
+++ b/etc/profile-m-z/ms-skype.profile
@@ -8,7 +8,7 @@ include ms-skype.local
 ignore novideo
-nodeny  ${HOME}/.cache/ms-skype-online
+noblacklist ${HOME}/.cache/ms-skype-online
 private-bin ms-skype
diff --git a/etc/profile-m-z/ms-word.profile b/etc/profile-m-z/ms-word.profile
index 34cf02128..5a617a893 100644
--- a/etc/profile-m-z/ms-word.profile
+++ b/etc/profile-m-z/ms-word.profile
@@ -6,7 +6,7 @@ include ms-word.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.cache/ms-word-online
+noblacklist ${HOME}/.cache/ms-word-online
 private-bin ms-word
 # Redirect
diff --git a/etc/profile-m-z/mtpaint.profile b/etc/profile-m-z/mtpaint.profile
index ec7cd5d04..85c3ee9f2 100644
--- a/etc/profile-m-z/mtpaint.profile
+++ b/etc/profile-m-z/mtpaint.profile
@@ -6,7 +6,7 @@ include mtpaint.local
 # Persistent global definitions
 include globals.local
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/multimc5.profile b/etc/profile-m-z/multimc5.profile
index 447e7753f..6df681df1 100644
--- a/etc/profile-m-z/multimc5.profile
+++ b/etc/profile-m-z/multimc5.profile
@@ -5,9 +5,9 @@ include multimc5.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/multimc
+noblacklist ${HOME}/.local/share/multimc
-nodeny  ${HOME}/.local/share/multimc5
+noblacklist ${HOME}/.local/share/multimc5
-nodeny  ${HOME}/.multimc5
+noblacklist ${HOME}/.multimc5
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -22,9 +22,9 @@ include disable-programs.inc
 mkdir ${HOME}/.local/share/multimc
 mkdir ${HOME}/.local/share/multimc5
 mkdir ${HOME}/.multimc5
-allow  ${HOME}/.local/share/multimc
+whitelist ${HOME}/.local/share/multimc
-allow  ${HOME}/.local/share/multimc5
+whitelist ${HOME}/.local/share/multimc5
-allow  ${HOME}/.multimc5
+whitelist ${HOME}/.multimc5
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/mumble.profile b/etc/profile-m-z/mumble.profile
index 1d72e07b8..c7f59c5ee 100644
--- a/etc/profile-m-z/mumble.profile
+++ b/etc/profile-m-z/mumble.profile
@@ -6,9 +6,9 @@ include mumble.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Mumble
+noblacklist ${HOME}/.config/Mumble
-nodeny  ${HOME}/.local/share/data/Mumble
+noblacklist ${HOME}/.local/share/data/Mumble
-nodeny  ${HOME}/.local/share/Mumble
+noblacklist ${HOME}/.local/share/Mumble
 include disable-common.inc
 include disable-devel.inc
@@ -21,9 +21,9 @@ include disable-shell.inc
 mkdir ${HOME}/.config/Mumble
 mkdir ${HOME}/.local/share/data/Mumble
 mkdir ${HOME}/.local/share/Mumble
-allow  ${HOME}/.config/Mumble
+whitelist ${HOME}/.config/Mumble
-allow  ${HOME}/.local/share/data/Mumble
+whitelist ${HOME}/.local/share/data/Mumble
-allow  ${HOME}/.local/share/Mumble
+whitelist ${HOME}/.local/share/Mumble
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/mupdf-gl.profile b/etc/profile-m-z/mupdf-gl.profile
index c208a5e54..be94a9083 100644
--- a/etc/profile-m-z/mupdf-gl.profile
+++ b/etc/profile-m-z/mupdf-gl.profile
@@ -7,7 +7,7 @@ include mupdf-gl.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.mupdf.history
+noblacklist ${HOME}/.mupdf.history
 # Redirect
 include mupdf.profile
diff --git a/etc/profile-m-z/mupdf.profile b/etc/profile-m-z/mupdf.profile
index e602b1429..9e4609c48 100644
--- a/etc/profile-m-z/mupdf.profile
+++ b/etc/profile-m-z/mupdf.profile
@@ -6,7 +6,7 @@ include mupdf.local
 # Persistent global definitions
 #include globals.local
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mupen64plus.profile b/etc/profile-m-z/mupen64plus.profile
index ecc7e2957..00983a8f3 100644
--- a/etc/profile-m-z/mupen64plus.profile
+++ b/etc/profile-m-z/mupen64plus.profile
@@ -6,8 +6,8 @@ include mupen64plus.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/mupen64plus
+noblacklist ${HOME}/.config/mupen64plus
-nodeny  ${HOME}/.local/share/mupen64plus
+noblacklist ${HOME}/.local/share/mupen64plus
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-programs.inc
 # you'll need to manually whitelist ROM files
 mkdir ${HOME}/.config/mupen64plus
 mkdir ${HOME}/.local/share/mupen64plus
-allow  ${HOME}/.config/mupen64plus
+whitelist ${HOME}/.config/mupen64plus
-allow  ${HOME}/.local/share/mupen64plus
+whitelist ${HOME}/.local/share/mupen64plus
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/musescore.profile b/etc/profile-m-z/musescore.profile
index aa141f9c0..679e82ae8 100644
--- a/etc/profile-m-z/musescore.profile
+++ b/etc/profile-m-z/musescore.profile
@@ -6,12 +6,12 @@ include musescore.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/MusE
+noblacklist ${HOME}/.config/MusE
-nodeny  ${HOME}/.config/MuseScore
+noblacklist ${HOME}/.config/MuseScore
-nodeny  ${HOME}/.local/share/data/MusE
+noblacklist ${HOME}/.local/share/data/MusE
-nodeny  ${HOME}/.local/share/data/MuseScore
+noblacklist ${HOME}/.local/share/data/MuseScore
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/musictube.profile b/etc/profile-m-z/musictube.profile
index 5ab1303a2..04500ac6a 100644
--- a/etc/profile-m-z/musictube.profile
+++ b/etc/profile-m-z/musictube.profile
@@ -6,9 +6,9 @@ include musictube.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/Flavio Tordini
+noblacklist ${HOME}/.cache/Flavio Tordini
-nodeny  ${HOME}/.config/Flavio Tordini
+noblacklist ${HOME}/.config/Flavio Tordini
-nodeny  ${HOME}/.local/share/Flavio Tordini
+noblacklist ${HOME}/.local/share/Flavio Tordini
 include disable-common.inc
 include disable-devel.inc
@@ -22,10 +22,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/Flavio Tordini
 mkdir ${HOME}/.config/Flavio Tordini
 mkdir ${HOME}/.local/share/Flavio Tordini
-allow  ${HOME}/.cache/Flavio Tordini
+whitelist ${HOME}/.cache/Flavio Tordini
-allow  ${HOME}/.config/Flavio Tordini
+whitelist ${HOME}/.config/Flavio Tordini
-allow  ${HOME}/.local/share/Flavio Tordini
+whitelist ${HOME}/.local/share/Flavio Tordini
-allow  /usr/share/musictube
+whitelist /usr/share/musictube
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
index 9390f9dcf..74b3e9a5f 100644
--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -5,7 +5,7 @@ include musixmatch.local
 # Persistent global definitions
 include globals.local
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index 91606bdfa..debf81659 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -7,36 +7,36 @@ include mutt.local
 # Persistent global definitions
 include globals.local
-nodeny  /var/mail
+noblacklist /var/mail
-nodeny  /var/spool/mail
+noblacklist /var/spool/mail
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${HOME}/.Mail
+noblacklist ${HOME}/.Mail
-nodeny  ${HOME}/.bogofilter
+noblacklist ${HOME}/.bogofilter
-nodeny  ${HOME}/.cache/mutt
+noblacklist ${HOME}/.cache/mutt
-nodeny  ${HOME}/.config/mutt
+noblacklist ${HOME}/.config/mutt
-nodeny  ${HOME}/.config/nano
+noblacklist ${HOME}/.config/nano
-nodeny  ${HOME}/.elinks
+noblacklist ${HOME}/.elinks
-nodeny  ${HOME}/.emacs
+noblacklist ${HOME}/.emacs
-nodeny  ${HOME}/.emacs.d
+noblacklist ${HOME}/.emacs.d
-nodeny  ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
-nodeny  ${HOME}/.mail
+noblacklist ${HOME}/.mail
-nodeny  ${HOME}/.mailcap
+noblacklist ${HOME}/.mailcap
-nodeny  ${HOME}/.msmtprc
+noblacklist ${HOME}/.msmtprc
-nodeny  ${HOME}/.mutt
+noblacklist ${HOME}/.mutt
-nodeny  ${HOME}/.muttrc
+noblacklist ${HOME}/.muttrc
-nodeny  ${HOME}/.nanorc
+noblacklist ${HOME}/.nanorc
-nodeny  ${HOME}/.signature
+noblacklist ${HOME}/.signature
-nodeny  ${HOME}/.vim
+noblacklist ${HOME}/.vim
-nodeny  ${HOME}/.viminfo
+noblacklist ${HOME}/.viminfo
-nodeny  ${HOME}/.vimrc
+noblacklist ${HOME}/.vimrc
-nodeny  ${HOME}/.w3m
+noblacklist ${HOME}/.w3m
-nodeny  ${HOME}/Mail
+noblacklist ${HOME}/Mail
-nodeny  ${HOME}/mail
+noblacklist ${HOME}/mail
-nodeny  ${HOME}/postponed
+noblacklist ${HOME}/postponed
-nodeny  ${HOME}/sent
+noblacklist ${HOME}/sent
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 # Add the next lines to your mutt.local for oauth.py,S/MIME support.
 #include allow-perl.inc
@@ -75,37 +75,37 @@ mkfile ${HOME}/.nanorc
 mkfile ${HOME}/.signature
 mkfile ${HOME}/.viminfo
 mkfile ${HOME}/.vimrc
-allow  ${DOCUMENTS}
+whitelist ${DOCUMENTS}
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.Mail
+whitelist ${HOME}/.Mail
-allow  ${HOME}/.bogofilter
+whitelist ${HOME}/.bogofilter
-allow  ${HOME}/.cache/mutt
+whitelist ${HOME}/.cache/mutt
-allow  ${HOME}/.config/mutt
+whitelist ${HOME}/.config/mutt
-allow  ${HOME}/.config/nano
+whitelist ${HOME}/.config/nano
-allow  ${HOME}/.elinks
+whitelist ${HOME}/.elinks
-allow  ${HOME}/.emacs
+whitelist ${HOME}/.emacs
-allow  ${HOME}/.emacs.d
+whitelist ${HOME}/.emacs.d
-allow  ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
-allow  ${HOME}/.mail
+whitelist ${HOME}/.mail
-allow  ${HOME}/.mailcap
+whitelist ${HOME}/.mailcap
-allow  ${HOME}/.msmtprc
+whitelist ${HOME}/.msmtprc
-allow  ${HOME}/.mutt
+whitelist ${HOME}/.mutt
-allow  ${HOME}/.muttrc
+whitelist ${HOME}/.muttrc
-allow  ${HOME}/.nanorc
+whitelist ${HOME}/.nanorc
-allow  ${HOME}/.signature
+whitelist ${HOME}/.signature
-allow  ${HOME}/.vim
+whitelist ${HOME}/.vim
-allow  ${HOME}/.viminfo
+whitelist ${HOME}/.viminfo
-allow  ${HOME}/.vimrc
+whitelist ${HOME}/.vimrc
-allow  ${HOME}/.w3m
+whitelist ${HOME}/.w3m
-allow  ${HOME}/Mail
+whitelist ${HOME}/Mail
-allow  ${HOME}/mail
+whitelist ${HOME}/mail
-allow  ${HOME}/postponed
+whitelist ${HOME}/postponed
-allow  ${HOME}/sent
+whitelist ${HOME}/sent
-allow  /usr/share/gnupg
+whitelist /usr/share/gnupg
-allow  /usr/share/gnupg2
+whitelist /usr/share/gnupg2
-allow  /usr/share/mutt
+whitelist /usr/share/mutt
-allow  /var/mail
+whitelist /var/mail
-allow  /var/spool/mail
+whitelist /var/spool/mail
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/mypaint.profile b/etc/profile-m-z/mypaint.profile
index 19af47498..d8d487fe7 100644
--- a/etc/profile-m-z/mypaint.profile
+++ b/etc/profile-m-z/mypaint.profile
@@ -6,10 +6,10 @@ include mypaint.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/mypaint
+noblacklist ${HOME}/.cache/mypaint
-nodeny  ${HOME}/.config/mypaint
+noblacklist ${HOME}/.config/mypaint
-nodeny  ${HOME}/.local/share/mypaint
+noblacklist ${HOME}/.local/share/mypaint
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile
index f0553bed5..4698c2287 100644
--- a/etc/profile-m-z/nano.profile
+++ b/etc/profile-m-z/nano.profile
@@ -7,10 +7,10 @@ include nano.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
-nodeny  ${HOME}/.config/nano
+noblacklist ${HOME}/.config/nano
-nodeny  ${HOME}/.nanorc
+noblacklist ${HOME}/.nanorc
 include disable-common.inc
 include disable-devel.inc
@@ -19,7 +19,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-allow  /usr/share/nano
+whitelist /usr/share/nano
 include whitelist-usr-share-common.inc
 apparmor
diff --git a/etc/profile-m-z/natron.profile b/etc/profile-m-z/natron.profile
index 35d152748..5bf152f84 100644
--- a/etc/profile-m-z/natron.profile
+++ b/etc/profile-m-z/natron.profile
@@ -5,9 +5,9 @@ include natron.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.Natron
+noblacklist ${HOME}/.Natron
-nodeny  ${HOME}/.cache/INRIA/Natron
+noblacklist ${HOME}/.cache/INRIA/Natron
-nodeny  ${HOME}/.config/INRIA
+noblacklist ${HOME}/.config/INRIA
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/ncdu.profile b/etc/profile-m-z/ncdu.profile
index 38646dc90..063e30366 100644
--- a/etc/profile-m-z/ncdu.profile
+++ b/etc/profile-m-z/ncdu.profile
@@ -6,7 +6,7 @@ include ncdu.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-exec.inc
diff --git a/etc/profile-m-z/ncdu2.profile b/etc/profile-m-z/ncdu2.profile
new file mode 100644
index 000000000..5b6364c5d
--- /dev/null
+++ b/etc/profile-m-z/ncdu2.profile
@@ -0,0 +1,11 @@
+# Firejail profile for ncdu2
+# Description: Ncurses disk usage viewer (zig rewrite)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ncdu2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include ncdu.profile
diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile
index ceb885908..9f00448c8 100644
--- a/etc/profile-m-z/neochat.profile
+++ b/etc/profile-m-z/neochat.profile
@@ -6,12 +6,12 @@ include neochat.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/KDE/neochat
+noblacklist ${HOME}/.cache/KDE/neochat
-nodeny  ${HOME}/.config/KDE
+noblacklist ${HOME}/.config/KDE
-nodeny  ${HOME}/.config/KDE/neochat
+noblacklist ${HOME}/.config/KDE/neochat
-nodeny  ${HOME}/.config/neochatrc
+noblacklist ${HOME}/.config/neochatrc
-nodeny  ${HOME}/.config/neochat.notifyrc
+noblacklist ${HOME}/.config/neochat.notifyrc
-nodeny  ${HOME}/.local/share/KDE/neochat
+noblacklist ${HOME}/.local/share/KDE/neochat
 include disable-common.inc
 include disable-devel.inc
@@ -24,9 +24,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/KDE/neochat
 mkdir ${HOME}/.local/share/KDE/neochat
-allow  ${HOME}/.cache/KDE/neochat
+whitelist ${HOME}/.cache/KDE/neochat
-allow  ${HOME}/.local/share/KDE/neochat
+whitelist ${HOME}/.local/share/KDE/neochat
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-1793-workaround.inc
 include whitelist-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index 939d6f111..fafa129e4 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -7,38 +7,38 @@ include neomutt.local
 # Persistent global definitions
 include globals.local
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${HOME}/.Mail
+noblacklist ${HOME}/.Mail
-nodeny  ${HOME}/.bogofilter
+noblacklist ${HOME}/.bogofilter
-nodeny  ${HOME}/.config/mutt
+noblacklist ${HOME}/.config/mutt
-nodeny  ${HOME}/.config/nano
+noblacklist ${HOME}/.config/nano
-nodeny  ${HOME}/.config/neomutt
+noblacklist ${HOME}/.config/neomutt
-nodeny  ${HOME}/.elinks
+noblacklist ${HOME}/.elinks
-nodeny  ${HOME}/.emacs
+noblacklist ${HOME}/.emacs
-nodeny  ${HOME}/.emacs.d
+noblacklist ${HOME}/.emacs.d
-nodeny  ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
-nodeny  ${HOME}/.mail
+noblacklist ${HOME}/.mail
-nodeny  ${HOME}/.mailcap
+noblacklist ${HOME}/.mailcap
-nodeny  ${HOME}/.msmtprc
+noblacklist ${HOME}/.msmtprc
-nodeny  ${HOME}/.mutt
+noblacklist ${HOME}/.mutt
-nodeny  ${HOME}/.muttrc
+noblacklist ${HOME}/.muttrc
-nodeny  ${HOME}/.nanorc
+noblacklist ${HOME}/.nanorc
-nodeny  ${HOME}/.neomutt
+noblacklist ${HOME}/.neomutt
-nodeny  ${HOME}/.neomuttrc
+noblacklist ${HOME}/.neomuttrc
-nodeny  ${HOME}/.signature
+noblacklist ${HOME}/.signature
-nodeny  ${HOME}/.vim
+noblacklist ${HOME}/.vim
-nodeny  ${HOME}/.viminfo
+noblacklist ${HOME}/.viminfo
-nodeny  ${HOME}/.vimrc
+noblacklist ${HOME}/.vimrc
-nodeny  ${HOME}/.w3m
+noblacklist ${HOME}/.w3m
-nodeny  ${HOME}/Mail
+noblacklist ${HOME}/Mail
-nodeny  ${HOME}/mail
+noblacklist ${HOME}/mail
-nodeny  ${HOME}/postponed
+noblacklist ${HOME}/postponed
-nodeny  ${HOME}/sent
+noblacklist ${HOME}/sent
-nodeny  /var/mail
+noblacklist /var/mail
-nodeny  /var/spool/mail
+noblacklist /var/spool/mail
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include allow-lua.inc
@@ -76,39 +76,39 @@ mkfile ${HOME}/.neomuttrc
 mkfile ${HOME}/.signature
 mkfile ${HOME}/.viminfo
 mkfile ${HOME}/.vimrc
-allow  ${DOCUMENTS}
+whitelist ${DOCUMENTS}
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.Mail
+whitelist ${HOME}/.Mail
-allow  ${HOME}/.bogofilter
+whitelist ${HOME}/.bogofilter
-allow  ${HOME}/.config/mutt
+whitelist ${HOME}/.config/mutt
-allow  ${HOME}/.config/nano
+whitelist ${HOME}/.config/nano
-allow  ${HOME}/.config/neomutt
+whitelist ${HOME}/.config/neomutt
-allow  ${HOME}/.elinks
+whitelist ${HOME}/.elinks
-allow  ${HOME}/.emacs
+whitelist ${HOME}/.emacs
-allow  ${HOME}/.emacs.d
+whitelist ${HOME}/.emacs.d
-allow  ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
-allow  ${HOME}/.mail
+whitelist ${HOME}/.mail
-allow  ${HOME}/.mailcap
+whitelist ${HOME}/.mailcap
-allow  ${HOME}/.msmtprc
+whitelist ${HOME}/.msmtprc
-allow  ${HOME}/.mutt
+whitelist ${HOME}/.mutt
-allow  ${HOME}/.muttrc
+whitelist ${HOME}/.muttrc
-allow  ${HOME}/.nanorc
+whitelist ${HOME}/.nanorc
-allow  ${HOME}/.neomutt
+whitelist ${HOME}/.neomutt
-allow  ${HOME}/.neomuttrc
+whitelist ${HOME}/.neomuttrc
-allow  ${HOME}/.signature
+whitelist ${HOME}/.signature
-allow  ${HOME}/.vim
+whitelist ${HOME}/.vim
-allow  ${HOME}/.viminfo
+whitelist ${HOME}/.viminfo
-allow  ${HOME}/.vimrc
+whitelist ${HOME}/.vimrc
-allow  ${HOME}/.w3m
+whitelist ${HOME}/.w3m
-allow  ${HOME}/Mail
+whitelist ${HOME}/Mail
-allow  ${HOME}/mail
+whitelist ${HOME}/mail
-allow  ${HOME}/postponed
+whitelist ${HOME}/postponed
-allow  ${HOME}/sent
+whitelist ${HOME}/sent
-allow  /usr/share/gnupg
+whitelist /usr/share/gnupg
-allow  /usr/share/gnupg2
+whitelist /usr/share/gnupg2
-allow  /usr/share/neomutt
+whitelist /usr/share/neomutt
-allow  /var/mail
+whitelist /var/mail
-allow  /var/spool/mail
+whitelist /var/spool/mail
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/netactview.profile b/etc/profile-m-z/netactview.profile
index 68297c110..5d45dd7bc 100644
--- a/etc/profile-m-z/netactview.profile
+++ b/etc/profile-m-z/netactview.profile
@@ -6,7 +6,7 @@ include netactview.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.netactview
+noblacklist ${HOME}/.netactview
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkfile ${HOME}/.netactview
-allow  ${HOME}/.netactview
+whitelist ${HOME}/.netactview
-allow  /usr/share/netactview
+whitelist /usr/share/netactview
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/nethack-vultures.profile b/etc/profile-m-z/nethack-vultures.profile
index d5bf8a52a..c9a537370 100644
--- a/etc/profile-m-z/nethack-vultures.profile
+++ b/etc/profile-m-z/nethack-vultures.profile
@@ -6,7 +6,7 @@ include nethack.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.vultures
+noblacklist ${HOME}/.vultures
 include disable-common.inc
 include disable-devel.inc
@@ -16,8 +16,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.vultures
-allow  ${HOME}/.vultures
+whitelist ${HOME}/.vultures
-allow  /var/log/vultures
+whitelist /var/log/vultures
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/nethack.profile b/etc/profile-m-z/nethack.profile
index 23b57bb52..b57abe260 100644
--- a/etc/profile-m-z/nethack.profile
+++ b/etc/profile-m-z/nethack.profile
@@ -6,7 +6,7 @@ include nethack.local
 # Persistent global definitions
 include globals.local
-nodeny  /var/games/nethack
+noblacklist /var/games/nethack
 include disable-common.inc
 include disable-devel.inc
@@ -15,7 +15,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-allow  /var/games/nethack
+whitelist /var/games/nethack
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/netsurf.profile b/etc/profile-m-z/netsurf.profile
index b099d6f0c..0ddb7bbbe 100644
--- a/etc/profile-m-z/netsurf.profile
+++ b/etc/profile-m-z/netsurf.profile
@@ -6,8 +6,8 @@ include netsurf.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/netsurf
+noblacklist ${HOME}/.cache/netsurf
-nodeny  ${HOME}/.config/netsurf
+noblacklist ${HOME}/.config/netsurf
 include disable-common.inc
 include disable-devel.inc
@@ -16,9 +16,9 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/netsurf
 mkdir ${HOME}/.config/netsurf
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.cache/netsurf
+whitelist ${HOME}/.cache/netsurf
-allow  ${HOME}/.config/netsurf
+whitelist ${HOME}/.config/netsurf
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/neverball.profile b/etc/profile-m-z/neverball.profile
index dad90a66c..ecfbb14e4 100644
--- a/etc/profile-m-z/neverball.profile
+++ b/etc/profile-m-z/neverball.profile
@@ -6,7 +6,7 @@ include neverball.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.neverball
+noblacklist ${HOME}/.neverball
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.neverball
-allow  ${HOME}/.neverball
+whitelist ${HOME}/.neverball
-allow  /usr/share/neverball
+whitelist /usr/share/neverball
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/newsbeuter.profile b/etc/profile-m-z/newsbeuter.profile
index c26ba4be0..6efb19502 100644
--- a/etc/profile-m-z/newsbeuter.profile
+++ b/etc/profile-m-z/newsbeuter.profile
@@ -11,15 +11,15 @@ ignore include newsboat.local
 ignore mkdir ${HOME}/.config/newsboat
 ignore mkdir ${HOME}/.local/share/newsboat
 ignore mkdir ${HOME}/.newsboat
-deny  ${PATH}/newsboat
+blacklist ${PATH}/newsboat
-deny  ${HOME}/.config/newsboat
+blacklist ${HOME}/.config/newsboat
-deny  ${HOME}/.local/share/newsboat
+blacklist ${HOME}/.local/share/newsboat
-deny  ${HOME}/.newsboat
+blacklist ${HOME}/.newsboat
-noallow  ${HOME}/.config/newsboat
+nowhitelist ${HOME}/.config/newsboat
-noallow  ${HOME}/.local/share/newsboat
+nowhitelist ${HOME}/.local/share/newsboat
-noallow  ${HOME}/.newsboat
+nowhitelist ${HOME}/.newsboat
 mkdir ${HOME}/.config/newsbeuter
 mkdir ${HOME}/.local/share/newsbeuter
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile
index e34752b55..13bc3a615 100644
--- a/etc/profile-m-z/newsboat.profile
+++ b/etc/profile-m-z/newsboat.profile
@@ -6,12 +6,12 @@ include newsboat.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/newsbeuter
+noblacklist ${HOME}/.config/newsbeuter
-nodeny  ${HOME}/.config/newsboat
+noblacklist ${HOME}/.config/newsboat
-nodeny  ${HOME}/.local/share/newsbeuter
+noblacklist ${HOME}/.local/share/newsbeuter
-nodeny  ${HOME}/.local/share/newsboat
+noblacklist ${HOME}/.local/share/newsboat
-nodeny  ${HOME}/.newsbeuter
+noblacklist ${HOME}/.newsbeuter
-nodeny  ${HOME}/.newsboat
+noblacklist ${HOME}/.newsboat
 include disable-common.inc
 include disable-devel.inc
@@ -24,12 +24,12 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/newsboat
 mkdir ${HOME}/.local/share/newsboat
 mkdir ${HOME}/.newsboat
-allow  ${HOME}/.config/newsbeuter
+whitelist ${HOME}/.config/newsbeuter
-allow  ${HOME}/.config/newsboat
+whitelist ${HOME}/.config/newsboat
-allow  ${HOME}/.local/share/newsbeuter
+whitelist ${HOME}/.local/share/newsbeuter
-allow  ${HOME}/.local/share/newsboat
+whitelist ${HOME}/.local/share/newsboat
-allow  ${HOME}/.newsbeuter
+whitelist ${HOME}/.newsbeuter
-allow  ${HOME}/.newsboat
+whitelist ${HOME}/.newsboat
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile
index 273628ea2..18d8c6ed4 100644
--- a/etc/profile-m-z/newsflash.profile
+++ b/etc/profile-m-z/newsflash.profile
@@ -6,9 +6,9 @@ include newsflash.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/NewsFlashGTK
+noblacklist ${HOME}/.cache/NewsFlashGTK
-nodeny  ${HOME}/.config/news-flash
+noblacklist ${HOME}/.config/news-flash
-nodeny  ${HOME}/.local/share/news-flash
+noblacklist ${HOME}/.local/share/news-flash
 include disable-common.inc
 include disable-devel.inc
@@ -22,9 +22,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/NewsFlashGTK
 mkdir ${HOME}/.config/news-flash
 mkdir ${HOME}/.local/share/news-flash
-allow  ${HOME}/.cache/NewsFlashGTK
+whitelist ${HOME}/.cache/NewsFlashGTK
-allow  ${HOME}/.config/news-flash
+whitelist ${HOME}/.config/news-flash
-allow  ${HOME}/.local/share/news-flash
+whitelist ${HOME}/.local/share/news-flash
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile
index 7ba46691d..9fd76fbe7 100644
--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -6,9 +6,9 @@ include nextcloud.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/Nextcloud
+noblacklist ${HOME}/Nextcloud
-nodeny  ${HOME}/.config/Nextcloud
+noblacklist ${HOME}/.config/Nextcloud
-nodeny  ${HOME}/.local/share/Nextcloud
+noblacklist ${HOME}/.local/share/Nextcloud
 # Add the next lines to your nextcloud.local to allow sync in more directories.
 #noblacklist ${DOCUMENTS}
 #noblacklist ${MUSIC}
@@ -27,9 +27,9 @@ include disable-xdg.inc
 mkdir ${HOME}/Nextcloud
 mkdir ${HOME}/.config/Nextcloud
 mkdir ${HOME}/.local/share/Nextcloud
-allow  ${HOME}/Nextcloud
+whitelist ${HOME}/Nextcloud
-allow  ${HOME}/.config/Nextcloud
+whitelist ${HOME}/.config/Nextcloud
-allow  ${HOME}/.local/share/Nextcloud
+whitelist ${HOME}/.local/share/Nextcloud
 # Add the next lines to your nextcloud.local to allow sync in more directories.
 #whitelist ${DOCUMENTS}
 #whitelist ${MUSIC}
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
index 0149e0737..f8062891c 100644
--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -6,9 +6,9 @@ include nheko.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/nheko
+noblacklist ${HOME}/.cache/nheko
-nodeny  ${HOME}/.config/nheko
+noblacklist ${HOME}/.config/nheko
-nodeny  ${HOME}/.local/share/nheko
+noblacklist ${HOME}/.local/share/nheko
 include disable-common.inc
 include disable-devel.inc
@@ -22,10 +22,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/nheko
 mkdir ${HOME}/.config/nheko
 mkdir ${HOME}/.local/share/nheko
-allow  ${HOME}/.cache/nheko
+whitelist ${HOME}/.cache/nheko
-allow  ${HOME}/.config/nheko
+whitelist ${HOME}/.config/nheko
-allow  ${HOME}/.local/share/nheko
+whitelist ${HOME}/.local/share/nheko
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile
index b31a7babf..1c7dbc009 100644
--- a/etc/profile-m-z/nicotine.profile
+++ b/etc/profile-m-z/nicotine.profile
@@ -6,7 +6,7 @@ include nicotine.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.nicotine
+noblacklist ${HOME}/.nicotine
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -21,9 +21,9 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.nicotine
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.nicotine
+whitelist ${HOME}/.nicotine
-allow  /usr/share/GeoIP
+whitelist /usr/share/GeoIP
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile
index 70fffd5d4..8dba84f02 100644
--- a/etc/profile-m-z/nitroshare.profile
+++ b/etc/profile-m-z/nitroshare.profile
@@ -6,8 +6,8 @@ include nitroshare.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Nathan Osman
+noblacklist ${HOME}/.config/Nathan Osman
-nodeny  ${HOME}/.config/NitroShare
+noblacklist ${HOME}/.config/NitroShare
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index 7981ba6ae..fa69f9214 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,22 +7,22 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
 ignore read-only ${HOME}/.npm-packages
 ignore read-only ${HOME}/.npmrc
 ignore read-only ${HOME}/.nvm
 ignore read-only ${HOME}/.yarnrc
-nodeny  ${HOME}/.node-gyp
+noblacklist ${HOME}/.node-gyp
-nodeny  ${HOME}/.npm
+noblacklist ${HOME}/.npm
-nodeny  ${HOME}/.npmrc
+noblacklist ${HOME}/.npmrc
-nodeny  ${HOME}/.nvm
+noblacklist ${HOME}/.nvm
-nodeny  ${HOME}/.yarn
+noblacklist ${HOME}/.yarn
-nodeny  ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarn-config
-nodeny  ${HOME}/.yarncache
+noblacklist ${HOME}/.yarncache
-nodeny  ${HOME}/.yarnrc
+noblacklist ${HOME}/.yarnrc
 ignore noexec ${HOME}
@@ -58,9 +58,9 @@ include disable-xdg.inc
 #whitelist ${HOME}/Projects
 #include whitelist-common.inc
-allow  /usr/share/doc/node
+whitelist /usr/share/doc/node
-allow  /usr/share/nvm
+whitelist /usr/share/nvm
-allow  /usr/share/systemtap/tapset/node.stp
+whitelist /usr/share/systemtap/tapset/node.stp
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile
index 80fbd0fcb..a36dee874 100644
--- a/etc/profile-m-z/nomacs.profile
+++ b/etc/profile-m-z/nomacs.profile
@@ -6,10 +6,10 @@ include nomacs.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/nomacs
+noblacklist ${HOME}/.config/nomacs
-nodeny  ${HOME}/.local/share/nomacs
+noblacklist ${HOME}/.local/share/nomacs
-nodeny  ${HOME}/.local/share/data/nomacs
+noblacklist ${HOME}/.local/share/data/nomacs
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile
index a3bcc040c..650118c98 100644
--- a/etc/profile-m-z/notify-send.profile
+++ b/etc/profile-m-z/notify-send.profile
@@ -7,7 +7,7 @@ include notify-send.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/nslookup.profile b/etc/profile-m-z/nslookup.profile
index b3002ad0e..c7a131a2c 100644
--- a/etc/profile-m-z/nslookup.profile
+++ b/etc/profile-m-z/nslookup.profile
@@ -7,10 +7,10 @@ include nslookup.local
 # Persistent global definitions
 include globals.local
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
-nodeny  ${PATH}/nslookup
+noblacklist ${PATH}/nslookup
 include disable-common.inc
 include disable-devel.inc
@@ -20,7 +20,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  ${HOME}/.nslookuprc
+whitelist ${HOME}/.nslookuprc
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
index 67f54f9fc..886403b9e 100644
--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -8,12 +8,12 @@ include globals.local
 ignore dbus-user
-nodeny  ${HOME}/.config/nuclear
+noblacklist ${HOME}/.config/nuclear
 include disable-shell.inc
 mkdir ${HOME}/.config/nuclear
-allow  ${HOME}/.config/nuclear
+whitelist ${HOME}/.config/nuclear
 no3d
diff --git a/etc/profile-m-z/nylas.profile b/etc/profile-m-z/nylas.profile
index ee7710b9c..fe0c2116b 100644
--- a/etc/profile-m-z/nylas.profile
+++ b/etc/profile-m-z/nylas.profile
@@ -5,8 +5,8 @@ include nylas.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Nylas Mail
+noblacklist ${HOME}/.config/Nylas Mail
-nodeny  ${HOME}/.nylas-mail
+noblacklist ${HOME}/.nylas-mail
 include disable-common.inc
 include disable-devel.inc
@@ -16,9 +16,9 @@ include disable-programs.inc
 mkdir ${HOME}/.config/Nylas Mail
 mkdir ${HOME}/.nylas-mail
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.config/Nylas Mail
+whitelist ${HOME}/.config/Nylas Mail
-allow  ${HOME}/.nylas-mail
+whitelist ${HOME}/.nylas-mail
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/nyx.profile b/etc/profile-m-z/nyx.profile
index 1d606f70c..d040d42af 100644
--- a/etc/profile-m-z/nyx.profile
+++ b/etc/profile-m-z/nyx.profile
@@ -10,7 +10,7 @@ include globals.local
 include allow-python2.inc
 include allow-python3.inc
-nodeny  ${HOME}/.nyx
+noblacklist ${HOME}/.nyx
 include disable-common.inc
 include disable-devel.inc
@@ -22,7 +22,7 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.nyx
-allow  ${HOME}/.nyx
+whitelist ${HOME}/.nyx
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/obs.profile b/etc/profile-m-z/obs.profile
index f70bdc55a..9345cee4f 100644
--- a/etc/profile-m-z/obs.profile
+++ b/etc/profile-m-z/obs.profile
@@ -5,10 +5,10 @@ include obs.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/obs-studio
+noblacklist ${HOME}/.config/obs-studio
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
index 792c2ffc6..7be68a201 100644
--- a/etc/profile-m-z/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -6,9 +6,9 @@ include ocenaudio.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/ocenaudio
+noblacklist ${HOME}/.local/share/ocenaudio
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/odt2txt.profile b/etc/profile-m-z/odt2txt.profile
index 61b71ec10..6163d2e22 100644
--- a/etc/profile-m-z/odt2txt.profile
+++ b/etc/profile-m-z/odt2txt.profile
@@ -6,9 +6,9 @@ include odt2txt.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
index feeed86cb..ab8ccf623 100644
--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -6,18 +6,18 @@ include okular.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/okular
+noblacklist ${HOME}/.cache/okular
-nodeny  ${HOME}/.config/okularpartrc
+noblacklist ${HOME}/.config/okularpartrc
-nodeny  ${HOME}/.config/okularrc
+noblacklist ${HOME}/.config/okularrc
-nodeny  ${HOME}/.kde/share/apps/okular
+noblacklist ${HOME}/.kde/share/apps/okular
-nodeny  ${HOME}/.kde/share/config/okularpartrc
+noblacklist ${HOME}/.kde/share/config/okularpartrc
-nodeny  ${HOME}/.kde/share/config/okularrc
+noblacklist ${HOME}/.kde/share/config/okularrc
-nodeny  ${HOME}/.kde4/share/apps/okular
+noblacklist ${HOME}/.kde4/share/apps/okular
-nodeny  ${HOME}/.kde4/share/config/okularpartrc
+noblacklist ${HOME}/.kde4/share/config/okularpartrc
-nodeny  ${HOME}/.kde4/share/config/okularrc
+noblacklist ${HOME}/.kde4/share/config/okularrc
-nodeny  ${HOME}/.local/share/kxmlgui5/okular
+noblacklist ${HOME}/.local/share/kxmlgui5/okular
-nodeny  ${HOME}/.local/share/okular
+noblacklist ${HOME}/.local/share/okular
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
@@ -28,15 +28,15 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/config.kcfg/gssettings.kcfg
+whitelist /usr/share/config.kcfg/gssettings.kcfg
-allow  /usr/share/config.kcfg/pdfsettings.kcfg
+whitelist /usr/share/config.kcfg/pdfsettings.kcfg
-allow  /usr/share/config.kcfg/okular.kcfg
+whitelist /usr/share/config.kcfg/okular.kcfg
-allow  /usr/share/config.kcfg/okular_core.kcfg
+whitelist /usr/share/config.kcfg/okular_core.kcfg
-allow  /usr/share/ghostscript
+whitelist /usr/share/ghostscript
-allow  /usr/share/kconf_update/okular.upd
+whitelist /usr/share/kconf_update/okular.upd
-allow  /usr/share/kxmlgui5/okular
+whitelist /usr/share/kxmlgui5/okular
-allow  /usr/share/okular
+whitelist /usr/share/okular
-allow  /usr/share/poppler
+whitelist /usr/share/poppler
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile
index 748d17995..5b367b639 100644
--- a/etc/profile-m-z/onboard.profile
+++ b/etc/profile-m-z/onboard.profile
@@ -6,7 +6,7 @@ include onboard.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/onboard
+noblacklist ${HOME}/.config/onboard
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,8 +22,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/onboard
-allow  ${HOME}/.config/onboard
+whitelist ${HOME}/.config/onboard
-allow  /usr/share/onboard
+whitelist /usr/share/onboard
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile
index 188818a7f..960df9034 100644
--- a/etc/profile-m-z/onionshare-gui.profile
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -5,7 +5,7 @@ include onionshare-gui.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/onionshare
+noblacklist ${HOME}/.config/onionshare
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
diff --git a/etc/profile-m-z/open-invaders.profile b/etc/profile-m-z/open-invaders.profile
index 6e2b31def..7a840d4a9 100644
--- a/etc/profile-m-z/open-invaders.profile
+++ b/etc/profile-m-z/open-invaders.profile
@@ -6,7 +6,7 @@ include open-invaders.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.openinvaders
+noblacklist ${HOME}/.openinvaders
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 mkdir ${HOME}/.openinvaders
-allow  ${HOME}/.openinvaders
+whitelist ${HOME}/.openinvaders
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile
index dfc78e5a9..36ce0316f 100644
--- a/etc/profile-m-z/openarena.profile
+++ b/etc/profile-m-z/openarena.profile
@@ -6,7 +6,7 @@ include openarena.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.openarena
+noblacklist ${HOME}/.openarena
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.openarena
-allow  ${HOME}/.openarena
+whitelist ${HOME}/.openarena
-allow  /usr/share/openarena
+whitelist /usr/share/openarena
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/openbox.profile b/etc/profile-m-z/openbox.profile
index 5a6b378f0..b49fd9932 100644
--- a/etc/profile-m-z/openbox.profile
+++ b/etc/profile-m-z/openbox.profile
@@ -7,7 +7,7 @@ include openbox.local
 include globals.local
 # all applications started in openbox will run in this profile
-nodeny  ${HOME}/.config/openbox
+noblacklist ${HOME}/.config/openbox
 include disable-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/opencity.profile b/etc/profile-m-z/opencity.profile
index 268e7cee3..a3d371e15 100644
--- a/etc/profile-m-z/opencity.profile
+++ b/etc/profile-m-z/opencity.profile
@@ -6,7 +6,7 @@ include opencity.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.opencity
+noblacklist ${HOME}/.opencity
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.opencity
-allow  ${HOME}/.opencity
+whitelist ${HOME}/.opencity
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile
index 588191cb3..32b40df42 100644
--- a/etc/profile-m-z/openclonk.profile
+++ b/etc/profile-m-z/openclonk.profile
@@ -6,7 +6,7 @@ include openclonk.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.clonk
+noblacklist ${HOME}/.clonk
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.clonk
-allow  ${HOME}/.clonk
+whitelist ${HOME}/.clonk
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/openmw.profile b/etc/profile-m-z/openmw.profile
index 95d507c98..d1fe67aed 100644
--- a/etc/profile-m-z/openmw.profile
+++ b/etc/profile-m-z/openmw.profile
@@ -6,8 +6,8 @@ include openmw.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/openmw
+noblacklist ${HOME}/.config/openmw
-nodeny  ${HOME}/.local/share/openmw
+noblacklist ${HOME}/.local/share/openmw
 include disable-common.inc
 include disable-devel.inc
@@ -21,11 +21,11 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/openmw
 mkdir ${HOME}/.local/share/openmw
-allow  ${HOME}/.config/openmw
+whitelist ${HOME}/.config/openmw
 # Copy Morrowind data files into ${HOME}/.local/share/openmw or load them from /mnt.
 # Alternatively you can whitelist custom paths in your openmw.local.
-allow  ${HOME}/.local/share/openmw
+whitelist ${HOME}/.local/share/openmw
-allow  /usr/share/openmw
+whitelist /usr/share/openmw
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/openshot.profile b/etc/profile-m-z/openshot.profile
index ebb536b3e..6118630c4 100644
--- a/etc/profile-m-z/openshot.profile
+++ b/etc/profile-m-z/openshot.profile
@@ -6,8 +6,8 @@ include openshot.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.openshot
+noblacklist ${HOME}/.openshot
-nodeny  ${HOME}/.openshot_qt
+noblacklist ${HOME}/.openshot_qt
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
@@ -19,8 +19,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-allow  /usr/share/blender
+whitelist /usr/share/blender
-allow  /usr/share/inkscape
+whitelist /usr/share/inkscape
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/openttd.profile b/etc/profile-m-z/openttd.profile
index 79c1f8ffa..546958bb7 100644
--- a/etc/profile-m-z/openttd.profile
+++ b/etc/profile-m-z/openttd.profile
@@ -6,7 +6,7 @@ include openttd.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.openttd
+noblacklist ${HOME}/.openttd
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.openttd
-allow  ${HOME}/.openttd
+whitelist ${HOME}/.openttd
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/opera-beta.profile b/etc/profile-m-z/opera-beta.profile
index 548afc0b4..551f1aba4 100644
--- a/etc/profile-m-z/opera-beta.profile
+++ b/etc/profile-m-z/opera-beta.profile
@@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
-nodeny  ${HOME}/.cache/opera
+noblacklist ${HOME}/.cache/opera
-nodeny  ${HOME}/.config/opera-beta
+noblacklist ${HOME}/.config/opera-beta
 mkdir ${HOME}/.cache/opera
 mkdir ${HOME}/.config/opera-beta
-allow  ${HOME}/.cache/opera
+whitelist ${HOME}/.cache/opera
-allow  ${HOME}/.config/opera-beta
+whitelist ${HOME}/.config/opera-beta
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/opera.profile b/etc/profile-m-z/opera.profile
index 5a3fe064e..2c7c5fc35 100644
--- a/etc/profile-m-z/opera.profile
+++ b/etc/profile-m-z/opera.profile
@@ -11,16 +11,16 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
-nodeny  ${HOME}/.cache/opera
+noblacklist ${HOME}/.cache/opera
-nodeny  ${HOME}/.config/opera
+noblacklist ${HOME}/.config/opera
-nodeny  ${HOME}/.opera
+noblacklist ${HOME}/.opera
 mkdir ${HOME}/.cache/opera
 mkdir ${HOME}/.config/opera
 mkdir ${HOME}/.opera
-allow  ${HOME}/.cache/opera
+whitelist ${HOME}/.cache/opera
-allow  ${HOME}/.config/opera
+whitelist ${HOME}/.config/opera
-allow  ${HOME}/.opera
+whitelist ${HOME}/.opera
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/orage.profile b/etc/profile-m-z/orage.profile
index a49cbdb91..4e4d8bea5 100644
--- a/etc/profile-m-z/orage.profile
+++ b/etc/profile-m-z/orage.profile
@@ -6,8 +6,8 @@ include orage.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/orage
+noblacklist ${HOME}/.config/orage
-nodeny  ${HOME}/.local/share/orage
+noblacklist ${HOME}/.local/share/orage
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/ostrichriders.profile b/etc/profile-m-z/ostrichriders.profile
index ed881816e..310b90919 100644
--- a/etc/profile-m-z/ostrichriders.profile
+++ b/etc/profile-m-z/ostrichriders.profile
@@ -6,7 +6,7 @@ include ostrichriders.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.ostrichriders
+noblacklist ${HOME}/.ostrichriders
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.ostrichriders
-allow  ${HOME}/.ostrichriders
+whitelist ${HOME}/.ostrichriders
-allow  /usr/share/ostrichriders
+whitelist /usr/share/ostrichriders
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile
index bc9e730a1..20a4e25ed 100644
--- a/etc/profile-m-z/otter-browser.profile
+++ b/etc/profile-m-z/otter-browser.profile
@@ -8,10 +8,10 @@ include globals.local
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
-nodeny  ${HOME}/.cache/Otter
+noblacklist ${HOME}/.cache/Otter
-nodeny  ${HOME}/.config/otter
+noblacklist ${HOME}/.config/otter
-nodeny  ${HOME}/.pki
+noblacklist ${HOME}/.pki
-nodeny  ${HOME}/.local/share/pki
+noblacklist ${HOME}/.local/share/pki
 include disable-common.inc
 include disable-devel.inc
@@ -25,12 +25,12 @@ mkdir ${HOME}/.cache/Otter
 mkdir ${HOME}/.config/otter
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.cache/Otter
+whitelist ${HOME}/.cache/Otter
-allow  ${HOME}/.config/otter
+whitelist ${HOME}/.config/otter
-allow  ${HOME}/.pki
+whitelist ${HOME}/.pki
-allow  ${HOME}/.local/share/pki
+whitelist ${HOME}/.local/share/pki
-allow  /usr/share/otter-browser
+whitelist /usr/share/otter-browser
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/palemoon.profile b/etc/profile-m-z/palemoon.profile
index 503c141d8..acb2ce176 100644
--- a/etc/profile-m-z/palemoon.profile
+++ b/etc/profile-m-z/palemoon.profile
@@ -5,13 +5,13 @@ include palemoon.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/moonchild productions/pale moon
+noblacklist ${HOME}/.cache/moonchild productions/pale moon
-nodeny  ${HOME}/.moonchild productions/pale moon
+noblacklist ${HOME}/.moonchild productions/pale moon
 mkdir ${HOME}/.cache/moonchild productions/pale moon
 mkdir ${HOME}/.moonchild productions
-allow  ${HOME}/.cache/moonchild productions/pale moon
+whitelist ${HOME}/.cache/moonchild productions/pale moon
-allow  ${HOME}/.moonchild productions
+whitelist ${HOME}/.moonchild productions
 # Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
 seccomp
diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile
index a59f53298..513b4119e 100644
--- a/etc/profile-m-z/pandoc.profile
+++ b/etc/profile-m-z/pandoc.profile
@@ -7,9 +7,9 @@ include pandoc.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/parole.profile b/etc/profile-m-z/parole.profile
index a277d1cbc..0a4422a73 100644
--- a/etc/profile-m-z/parole.profile
+++ b/etc/profile-m-z/parole.profile
@@ -6,8 +6,8 @@ include parole.local
 # Persistent global definitions
 include globals.local
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile
index 156c3956d..0de968185 100644
--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -7,9 +7,9 @@ include patch.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/pavucontrol-qt.profile b/etc/profile-m-z/pavucontrol-qt.profile
index dcd69cdd0..f96ba14d2 100644
--- a/etc/profile-m-z/pavucontrol-qt.profile
+++ b/etc/profile-m-z/pavucontrol-qt.profile
@@ -7,10 +7,10 @@ include pavucontrol-qt.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.config/pavucontrol-qt
+noblacklist ${HOME}/.config/pavucontrol-qt
 mkdir ${HOME}/.config/pavucontrol-qt
-allow  ${HOME}/.config/pavucontrol-qt
+whitelist ${HOME}/.config/pavucontrol-qt
 private-bin pavucontrol-qt
 ignore private-lib
diff --git a/etc/profile-m-z/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile
index f44730c33..b46fb3026 100644
--- a/etc/profile-m-z/pavucontrol.profile
+++ b/etc/profile-m-z/pavucontrol.profile
@@ -6,7 +6,7 @@ include pavucontrol.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/pavucontrol.ini
+noblacklist ${HOME}/.config/pavucontrol.ini
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-xdg.inc
 # whitelisting in ${HOME} is broken, see #3112
 #mkfile ${HOME}/.config/pavucontrol.ini
 #whitelist ${HOME}/.config/pavucontrol.ini
-allow  /usr/share/pavucontrol
+whitelist /usr/share/pavucontrol
-allow  /usr/share/pavucontrol-qt
+whitelist /usr/share/pavucontrol-qt
 #include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/pcsxr.profile b/etc/profile-m-z/pcsxr.profile
index 3f920ced8..a6dab2a9a 100644
--- a/etc/profile-m-z/pcsxr.profile
+++ b/etc/profile-m-z/pcsxr.profile
@@ -8,7 +8,7 @@ include globals.local
 # Note: you must whitelist your games folder in your pcsxr.local
-nodeny  ${HOME}/.pcsxr
+noblacklist ${HOME}/.pcsxr
 include disable-common.inc
 include disable-devel.inc
@@ -21,7 +21,7 @@ include disable-write-mnt.inc
 include disable-xdg.inc
 mkdir ${HOME}/.pcsxr
-allow  ${HOME}/.pcsxr
+whitelist ${HOME}/.pcsxr
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/pdfchain.profile b/etc/profile-m-z/pdfchain.profile
index 13a011072..d72417914 100644
--- a/etc/profile-m-z/pdfchain.profile
+++ b/etc/profile-m-z/pdfchain.profile
@@ -5,7 +5,7 @@ include pdfchain.local
 # Persistent global definitions
 include globals.local
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/pdfmod.profile b/etc/profile-m-z/pdfmod.profile
index e49ce8073..a19826555 100644
--- a/etc/profile-m-z/pdfmod.profile
+++ b/etc/profile-m-z/pdfmod.profile
@@ -6,9 +6,9 @@ include pdfmod.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/pdfmod
+noblacklist ${HOME}/.cache/pdfmod
-nodeny  ${HOME}/.config/pdfmod
+noblacklist ${HOME}/.config/pdfmod
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/pdfsam.profile b/etc/profile-m-z/pdfsam.profile
index 67c14bbc3..e2808d4d2 100644
--- a/etc/profile-m-z/pdfsam.profile
+++ b/etc/profile-m-z/pdfsam.profile
@@ -6,7 +6,7 @@ include pdfsam.local
 # Persistent global definitions
 include globals.local
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile
index 1c7ebfad5..d3902a51c 100644
--- a/etc/profile-m-z/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -6,9 +6,9 @@ include pdftotext.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
@@ -19,9 +19,9 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  ${DOCUMENTS}
+whitelist ${DOCUMENTS}
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  /usr/share/poppler
+whitelist /usr/share/poppler
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
index e809625ad..c33953687 100644
--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -5,9 +5,9 @@ include peek.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/peek
+noblacklist ${HOME}/.cache/peek
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/penguin-command.profile b/etc/profile-m-z/penguin-command.profile
index 5ebd7b462..f5ad0321d 100644
--- a/etc/profile-m-z/penguin-command.profile
+++ b/etc/profile-m-z/penguin-command.profile
@@ -6,7 +6,7 @@ include penguin-command.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.penguin-command
+noblacklist ${HOME}/.penguin-command
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
-allow  ${HOME}/.penguin-command
+whitelist ${HOME}/.penguin-command
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile
index 8dd506850..40068ff78 100644
--- a/etc/profile-m-z/photoflare.profile
+++ b/etc/profile-m-z/photoflare.profile
@@ -6,7 +6,7 @@ include photoflare.local
 # Persistent global definitions
 include photoflare.local
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/picard.profile b/etc/profile-m-z/picard.profile
index ac178ee6c..a5ea47088 100644
--- a/etc/profile-m-z/picard.profile
+++ b/etc/profile-m-z/picard.profile
@@ -6,9 +6,9 @@ include picard.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/MusicBrainz
+noblacklist ${HOME}/.cache/MusicBrainz
-nodeny  ${HOME}/.config/MusicBrainz
+noblacklist ${HOME}/.config/MusicBrainz
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile
index a65abeb2e..26872e9a1 100644
--- a/etc/profile-m-z/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
@@ -9,7 +9,7 @@ include globals.local
 ignore noexec ${RUNUSER}
 ignore noexec /dev/shm
-nodeny  ${HOME}/.purple
+noblacklist ${HOME}/.purple
 include disable-common.inc
 include disable-devel.inc
@@ -20,9 +20,9 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.purple
-allow  ${HOME}/.purple
+whitelist ${HOME}/.purple
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${PICTURES}
+whitelist ${PICTURES}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/pinball.profile b/etc/profile-m-z/pinball.profile
index 41e4fb6c0..2e17be2ce 100644
--- a/etc/profile-m-z/pinball.profile
+++ b/etc/profile-m-z/pinball.profile
@@ -6,7 +6,7 @@ include pinball.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/emilia
+noblacklist ${HOME}/.config/emilia
 include disable-common.inc
 include disable-devel.inc
@@ -18,11 +18,11 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/emilia
-allow  ${HOME}/.config/emilia
+whitelist ${HOME}/.config/emilia
-allow  /usr/share/pinball
+whitelist /usr/share/pinball
 # on debian games are stored under /usr/share/games
-allow  /usr/share/games/pinball
+whitelist /usr/share/games/pinball
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile
index 65e77abfa..e914007c0 100644
--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -7,8 +7,8 @@ include ping.local
 # Persistent global definitions
 include globals.local
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
index aa2cfe203..f1fdfcbad 100644
--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -6,12 +6,12 @@ include pingus.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.pingus
+noblacklist ${HOME}/.pingus
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
-deny  /usr/libexec
+blacklist /usr/libexec
 include disable-common.inc
 include disable-devel.inc
@@ -23,8 +23,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.pingus
-allow  ${HOME}/.pingus
+whitelist ${HOME}/.pingus
-allow  /usr/share/pingus
+whitelist /usr/share/pingus
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/pinta.profile b/etc/profile-m-z/pinta.profile
index d0d4f1fce..19406c399 100644
--- a/etc/profile-m-z/pinta.profile
+++ b/etc/profile-m-z/pinta.profile
@@ -6,9 +6,9 @@ include pinta.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Pinta
+noblacklist ${HOME}/.config/Pinta
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/pioneer.profile b/etc/profile-m-z/pioneer.profile
index 6cfea28b6..721b3944a 100644
--- a/etc/profile-m-z/pioneer.profile
+++ b/etc/profile-m-z/pioneer.profile
@@ -6,7 +6,7 @@ include pioneer.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.pioneer
+noblacklist ${HOME}/.pioneer
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.pioneer
-allow  ${HOME}/.pioneer
+whitelist ${HOME}/.pioneer
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/pipe-viewer.profile b/etc/profile-m-z/pipe-viewer.profile
index acd7eeaf2..3de064311 100644
--- a/etc/profile-m-z/pipe-viewer.profile
+++ b/etc/profile-m-z/pipe-viewer.profile
@@ -7,13 +7,13 @@ include pipe-viewer.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/pipe-viewer
+noblacklist ${HOME}/.cache/pipe-viewer
-nodeny  ${HOME}/.config/pipe-viewer
+noblacklist ${HOME}/.config/pipe-viewer
 mkdir ${HOME}/.config/pipe-viewer
 mkdir ${HOME}/.cache/pipe-viewer
-allow  ${HOME}/.cache/pipe-viewer
+whitelist ${HOME}/.cache/pipe-viewer
-allow  ${HOME}/.config/pipe-viewer
+whitelist ${HOME}/.config/pipe-viewer
 private-bin gtk-pipe-viewer,pipe-viewer
diff --git a/etc/profile-m-z/pitivi.profile b/etc/profile-m-z/pitivi.profile
index abce4c911..a2dd809c4 100644
--- a/etc/profile-m-z/pitivi.profile
+++ b/etc/profile-m-z/pitivi.profile
@@ -6,7 +6,7 @@ include pitivi.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/pitivi
+noblacklist ${HOME}/.config/pitivi
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/pix.profile b/etc/profile-m-z/pix.profile
index 63451d352..81d3e9370 100644
--- a/etc/profile-m-z/pix.profile
+++ b/etc/profile-m-z/pix.profile
@@ -5,10 +5,10 @@ include pix.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/pix
+noblacklist ${HOME}/.config/pix
-nodeny  ${HOME}/.local/share/pix
+noblacklist ${HOME}/.local/share/pix
-nodeny  ${HOME}/.Steam
+noblacklist ${HOME}/.Steam
-nodeny  ${HOME}/.steam
+noblacklist ${HOME}/.steam
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile
index 13d7db7f7..4eb41b3bd 100644
--- a/etc/profile-m-z/pkglog.profile
+++ b/etc/profile-m-z/pkglog.profile
@@ -17,9 +17,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  /var/log/apt/history.log
+whitelist /var/log/apt/history.log
-allow  /var/log/dnf.rpm.log
+whitelist /var/log/dnf.rpm.log
-allow  /var/log/pacman.log
+whitelist /var/log/pacman.log
 apparmor
 caps.drop all
diff --git a/etc/profile-m-z/playonlinux.profile b/etc/profile-m-z/playonlinux.profile
index 9c23841e2..8e98905b5 100644
--- a/etc/profile-m-z/playonlinux.profile
+++ b/etc/profile-m-z/playonlinux.profile
@@ -7,10 +7,10 @@ include playonlinux.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.PlayOnLinux
+noblacklist ${HOME}/.PlayOnLinux
 # nc is needed to run playonlinux
-nodeny  ${PATH}/nc
+noblacklist ${PATH}/nc
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
diff --git a/etc/profile-m-z/pluma.profile b/etc/profile-m-z/pluma.profile
index ab7e0c64b..10e12e5b1 100644
--- a/etc/profile-m-z/pluma.profile
+++ b/etc/profile-m-z/pluma.profile
@@ -6,8 +6,8 @@ include pluma.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/enchant
+noblacklist ${HOME}/.config/enchant
-nodeny  ${HOME}/.config/pluma
+noblacklist ${HOME}/.config/pluma
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
index 02cb83ef6..5201fd853 100644
--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -6,7 +6,7 @@ include plv.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/PacmanLogViewer
+noblacklist ${HOME}/.config/PacmanLogViewer
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/PacmanLogViewer
-allow  ${HOME}/.config/PacmanLogViewer
+whitelist ${HOME}/.config/PacmanLogViewer
-allow  /var/log/pacman.log
+whitelist /var/log/pacman.log
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
index 2c4dda43e..8a181d5a8 100644
--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -7,9 +7,9 @@ include pngquant.local
 # Persistent global definitions
 include globals.local
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/polari.profile b/etc/profile-m-z/polari.profile
index 115ac36ab..a3d4f9851 100644
--- a/etc/profile-m-z/polari.profile
+++ b/etc/profile-m-z/polari.profile
@@ -21,12 +21,12 @@ mkdir ${HOME}/.local/share/Empathy
 mkdir ${HOME}/.local/share/TpLogger
 mkdir ${HOME}/.local/share/telepathy
 mkdir ${HOME}/.purple
-allow  ${HOME}/.cache/telepathy
+whitelist ${HOME}/.cache/telepathy
-allow  ${HOME}/.config/telepathy-account-widgets
+whitelist ${HOME}/.config/telepathy-account-widgets
-allow  ${HOME}/.local/share/Empathy
+whitelist ${HOME}/.local/share/Empathy
-allow  ${HOME}/.local/share/TpLogger
+whitelist ${HOME}/.local/share/TpLogger
-allow  ${HOME}/.local/share/telepathy
+whitelist ${HOME}/.local/share/telepathy
-allow  ${HOME}/.purple
+whitelist ${HOME}/.purple
 include whitelist-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile
index 10c59ea32..1f73c1d89 100644
--- a/etc/profile-m-z/ppsspp.profile
+++ b/etc/profile-m-z/ppsspp.profile
@@ -8,7 +8,7 @@ include globals.local
 # Note: you must whitelist your games folder in your ppsspp.local.
-nodeny  ${HOME}/.config/ppsspp
+noblacklist ${HOME}/.config/ppsspp
 include disable-common.inc
 include disable-devel.inc
@@ -20,8 +20,8 @@ include disable-write-mnt.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/ppsspp
-allow  ${HOME}/.config/ppsspp
+whitelist ${HOME}/.config/ppsspp
-allow  /usr/share/ppsspp
+whitelist /usr/share/ppsspp
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/pragha.profile b/etc/profile-m-z/pragha.profile
index 9b03bf632..f138d785e 100644
--- a/etc/profile-m-z/pragha.profile
+++ b/etc/profile-m-z/pragha.profile
@@ -6,8 +6,8 @@ include pragha.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/pragha
+noblacklist ${HOME}/.config/pragha
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/profanity.profile b/etc/profile-m-z/profanity.profile
index 137b4cb20..743458725 100644
--- a/etc/profile-m-z/profanity.profile
+++ b/etc/profile-m-z/profanity.profile
@@ -7,8 +7,8 @@ include profanity.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/profanity
+noblacklist ${HOME}/.config/profanity
-nodeny  ${HOME}/.local/share/profanity
+noblacklist ${HOME}/.local/share/profanity
 # Allow Python
 include allow-python2.inc
diff --git a/etc/profile-m-z/psi-plus.profile b/etc/profile-m-z/psi-plus.profile
index b0e28baf7..5ac58b0ac 100644
--- a/etc/profile-m-z/psi-plus.profile
+++ b/etc/profile-m-z/psi-plus.profile
@@ -6,8 +6,8 @@ include psi-plus.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/psi+
+noblacklist ${HOME}/.config/psi+
-nodeny  ${HOME}/.local/share/psi+
+noblacklist ${HOME}/.local/share/psi+
 include disable-common.inc
 include disable-devel.inc
@@ -19,10 +19,10 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/psi+
 mkdir ${HOME}/.config/psi+
 mkdir ${HOME}/.local/share/psi+
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.cache/psi+
+whitelist ${HOME}/.cache/psi+
-allow  ${HOME}/.config/psi+
+whitelist ${HOME}/.config/psi+
-allow  ${HOME}/.local/share/psi+
+whitelist ${HOME}/.local/share/psi+
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile
index 2588c3b75..7e0ef99fc 100644
--- a/etc/profile-m-z/psi.profile
+++ b/etc/profile-m-z/psi.profile
@@ -8,11 +8,11 @@ include globals.local
 # Add the next line to your psi.local to enable GPG support.
 #noblacklist ${HOME}/.gnupg
-nodeny  ${HOME}/.cache/psi
+noblacklist ${HOME}/.cache/psi
-nodeny  ${HOME}/.cache/Psi
+noblacklist ${HOME}/.cache/Psi
-nodeny  ${HOME}/.config/psi
+noblacklist ${HOME}/.config/psi
-nodeny  ${HOME}/.local/share/psi
+noblacklist ${HOME}/.local/share/psi
-nodeny  ${HOME}/.local/share/Psi
+noblacklist ${HOME}/.local/share/Psi
 include disable-common.inc
 include disable-devel.inc
@@ -32,16 +32,16 @@ mkdir ${HOME}/.local/share/psi
 mkdir ${HOME}/.local/share/Psi
 # Add the next line to your psi.local to enable GPG support.
 #whitelist ${HOME}/.gnupg
-allow  ${HOME}/.cache/psi
+whitelist ${HOME}/.cache/psi
-allow  ${HOME}/.cache/Psi
+whitelist ${HOME}/.cache/Psi
-allow  ${HOME}/.config/psi
+whitelist ${HOME}/.config/psi
-allow  ${HOME}/.local/share/psi
+whitelist ${HOME}/.local/share/psi
-allow  ${HOME}/.local/share/Psi
+whitelist ${HOME}/.local/share/Psi
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 # Add the next lines to your psi.local to enable GPG support.
 #whitelist /usr/share/gnupg
 #whitelist /usr/share/gnupg2
-allow  /usr/share/psi
+whitelist /usr/share/psi
 # Add the next lines to your psi.local to enable GPG support.
 #whitelist ${RUNUSER}/gnupg
 #whitelist ${RUNUSER}/keyring
diff --git a/etc/profile-m-z/pybitmessage.profile b/etc/profile-m-z/pybitmessage.profile
index 1f0e83ab6..60ae37930 100644
--- a/etc/profile-m-z/pybitmessage.profile
+++ b/etc/profile-m-z/pybitmessage.profile
@@ -5,9 +5,9 @@ include pybitmessage.local
 # Persistent global definitions
 include globals.local
-nodeny  /sbin
+noblacklist /sbin
-nodeny  /usr/local/sbin
+noblacklist /usr/local/sbin
-nodeny  /usr/sbin
+noblacklist /usr/sbin
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/pycharm-community.profile b/etc/profile-m-z/pycharm-community.profile
index b6c08290e..00d7239ae 100644
--- a/etc/profile-m-z/pycharm-community.profile
+++ b/etc/profile-m-z/pycharm-community.profile
@@ -5,7 +5,7 @@ include pycharm-community.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.PyCharmCE*
+noblacklist ${HOME}/.PyCharmCE*
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-m-z/pycharm-professional.profile b/etc/profile-m-z/pycharm-professional.profile
index fa0932cc0..b754a18c9 100644
--- a/etc/profile-m-z/pycharm-professional.profile
+++ b/etc/profile-m-z/pycharm-professional.profile
@@ -6,7 +6,7 @@ include pyucharm-professional.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.PyCharm*
+noblacklist ${HOME}/.PyCharm*
 # Redirect
 include pycharm-community.profile
diff --git a/etc/profile-m-z/qbittorrent.profile b/etc/profile-m-z/qbittorrent.profile
index fb8e622b0..506b738cc 100644
--- a/etc/profile-m-z/qbittorrent.profile
+++ b/etc/profile-m-z/qbittorrent.profile
@@ -6,10 +6,10 @@ include qbittorrent.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/qBittorrent
+noblacklist ${HOME}/.cache/qBittorrent
-nodeny  ${HOME}/.config/qBittorrent
+noblacklist ${HOME}/.config/qBittorrent
-nodeny  ${HOME}/.config/qBittorrentrc
+noblacklist ${HOME}/.config/qBittorrentrc
-nodeny  ${HOME}/.local/share/data/qBittorrent
+noblacklist ${HOME}/.local/share/data/qBittorrent
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -27,11 +27,11 @@ mkdir ${HOME}/.cache/qBittorrent
 mkdir ${HOME}/.config/qBittorrent
 mkfile ${HOME}/.config/qBittorrentrc
 mkdir ${HOME}/.local/share/data/qBittorrent
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.cache/qBittorrent
+whitelist ${HOME}/.cache/qBittorrent
-allow  ${HOME}/.config/qBittorrent
+whitelist ${HOME}/.config/qBittorrent
-allow  ${HOME}/.config/qBittorrentrc
+whitelist ${HOME}/.config/qBittorrentrc
-allow  ${HOME}/.local/share/data/qBittorrent
+whitelist ${HOME}/.local/share/data/qBittorrent
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/qcomicbook.profile b/etc/profile-m-z/qcomicbook.profile
index 7bcc4b065..0e52d7fc4 100644
--- a/etc/profile-m-z/qcomicbook.profile
+++ b/etc/profile-m-z/qcomicbook.profile
@@ -6,10 +6,10 @@ include qcomicbook.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/PawelStolowski
+noblacklist ${HOME}/.cache/PawelStolowski
-nodeny  ${HOME}/.config/PawelStolowski
+noblacklist ${HOME}/.config/PawelStolowski
-nodeny  ${HOME}/.local/share/PawelStolowski
+noblacklist ${HOME}/.local/share/PawelStolowski
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
@@ -27,7 +27,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/PawelStolowski
 mkdir ${HOME}/.config/PawelStolowski
 mkdir ${HOME}/.local/share/PawelStolowski
-allow  /usr/share/qcomicbook
+whitelist /usr/share/qcomicbook
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/qemu-launcher.profile b/etc/profile-m-z/qemu-launcher.profile
index d527a2b82..ac60384fd 100644
--- a/etc/profile-m-z/qemu-launcher.profile
+++ b/etc/profile-m-z/qemu-launcher.profile
@@ -5,7 +5,7 @@ include qemu-launcher.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.qemu-launcher
+noblacklist ${HOME}/.qemu-launcher
 include disable-common.inc
 include disable-passwdmgr.inc
diff --git a/etc/profile-m-z/qgis.profile b/etc/profile-m-z/qgis.profile
index e99140c22..2e97daea2 100644
--- a/etc/profile-m-z/qgis.profile
+++ b/etc/profile-m-z/qgis.profile
@@ -6,10 +6,10 @@ include qgis.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/QGIS
+noblacklist ${HOME}/.config/QGIS
-nodeny  ${HOME}/.local/share/QGIS
+noblacklist ${HOME}/.local/share/QGIS
-nodeny  ${HOME}/.qgis2
+noblacklist ${HOME}/.qgis2
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
@@ -25,10 +25,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.local/share/QGIS
 mkdir ${HOME}/.qgis2
 mkdir ${HOME}/.config/QGIS
-allow  ${HOME}/.local/share/QGIS
+whitelist ${HOME}/.local/share/QGIS
-allow  ${HOME}/.qgis2
+whitelist ${HOME}/.qgis2
-allow  ${HOME}/.config/QGIS
+whitelist ${HOME}/.config/QGIS
-allow  ${DOCUMENTS}
+whitelist ${DOCUMENTS}
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/qlipper.profile b/etc/profile-m-z/qlipper.profile
index 75dc58ae4..6e94d5845 100644
--- a/etc/profile-m-z/qlipper.profile
+++ b/etc/profile-m-z/qlipper.profile
@@ -6,7 +6,7 @@ include qlipper.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Qlipper
+noblacklist ${HOME}/.config/Qlipper
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/qmmp.profile b/etc/profile-m-z/qmmp.profile
index d37fce997..c3d982c17 100644
--- a/etc/profile-m-z/qmmp.profile
+++ b/etc/profile-m-z/qmmp.profile
@@ -6,8 +6,8 @@ include qmmp.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.qmmp
+noblacklist ${HOME}/.qmmp
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile
index f12340052..ca11df5be 100644
--- a/etc/profile-m-z/qnapi.profile
+++ b/etc/profile-m-z/qnapi.profile
@@ -6,7 +6,7 @@ include qnapi.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/qnapi.ini
+noblacklist ${HOME}/.config/qnapi.ini
 ignore noexec /tmp
@@ -20,8 +20,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkfile ${HOME}/.config/qnapi.ini
-allow  ${HOME}/.config/qnapi.ini
+whitelist ${HOME}/.config/qnapi.ini
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/qpdfview.profile b/etc/profile-m-z/qpdfview.profile
index 62fae324c..be690ffa4 100644
--- a/etc/profile-m-z/qpdfview.profile
+++ b/etc/profile-m-z/qpdfview.profile
@@ -6,9 +6,9 @@ include qpdfview.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.config/qpdfview
-nodeny  ${HOME}/.local/share/qpdfview
+noblacklist ${HOME}/.local/share/qpdfview
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile
index 5f0aec804..6cbf8519f 100644
--- a/etc/profile-m-z/qrencode.profile
+++ b/etc/profile-m-z/qrencode.profile
@@ -7,7 +7,7 @@ include qrencode.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile
index 1ad46814e..8ffe24d11 100644
--- a/etc/profile-m-z/qtox.profile
+++ b/etc/profile-m-z/qtox.profile
@@ -6,8 +6,8 @@ include qtox.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/Tox
+noblacklist ${HOME}/.cache/Tox
-nodeny  ${HOME}/.config/tox
+noblacklist ${HOME}/.config/tox
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/tox
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.config/tox
+whitelist ${HOME}/.config/tox
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/quadrapassel.profile b/etc/profile-m-z/quadrapassel.profile
index aee24925c..91e0d9d0d 100644
--- a/etc/profile-m-z/quadrapassel.profile
+++ b/etc/profile-m-z/quadrapassel.profile
@@ -6,11 +6,11 @@ include quadrapassel.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/quadrapassel
+noblacklist ${HOME}/.local/share/quadrapassel
 mkdir ${HOME}/.local/share/quadrapassel
-allow  ${HOME}/.local/share/quadrapassel
+whitelist ${HOME}/.local/share/quadrapassel
-allow  /usr/share/quadrapassel
+whitelist /usr/share/quadrapassel
 private-bin quadrapassel
diff --git a/etc/profile-m-z/quaternion.profile b/etc/profile-m-z/quaternion.profile
index a319e1e12..1d146aa39 100644
--- a/etc/profile-m-z/quaternion.profile
+++ b/etc/profile-m-z/quaternion.profile
@@ -6,8 +6,8 @@ include quaternion.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/Quotient/quaternion
+noblacklist ${HOME}/.cache/Quotient/quaternion
-nodeny  ${HOME}/.config/Quotient
+noblacklist ${HOME}/.config/Quotient
 include disable-common.inc
 include disable-devel.inc
@@ -20,10 +20,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/Quotient/quaternion
 mkdir ${HOME}/.config/Quotient
-allow  ${HOME}/.cache/Quotient/quaternion
+whitelist ${HOME}/.cache/Quotient/quaternion
-allow  ${HOME}/.config/Quotient
+whitelist ${HOME}/.config/Quotient
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  /usr/share/Quotient/quaternion
+whitelist /usr/share/Quotient/quaternion
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/quiterss.profile b/etc/profile-m-z/quiterss.profile
index 2693f2ed5..9490089b2 100644
--- a/etc/profile-m-z/quiterss.profile
+++ b/etc/profile-m-z/quiterss.profile
@@ -6,10 +6,10 @@ include quiterss.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/QuiteRss
+noblacklist ${HOME}/.cache/QuiteRss
-nodeny  ${HOME}/.config/QuiteRss
+noblacklist ${HOME}/.config/QuiteRss
-nodeny  ${HOME}/.config/QuiteRssrc
+noblacklist ${HOME}/.config/QuiteRssrc
-nodeny  ${HOME}/.local/share/QuiteRss
+noblacklist ${HOME}/.local/share/QuiteRss
 include disable-common.inc
 include disable-devel.inc
@@ -25,12 +25,12 @@ mkdir ${HOME}/.local/share/data
 mkdir ${HOME}/.local/share/data/QuiteRss
 mkdir ${HOME}/.local/share/QuiteRss
 mkfile ${HOME}/quiterssfeeds.opml
-allow  ${HOME}/.cache/QuiteRss
+whitelist ${HOME}/.cache/QuiteRss
-allow  ${HOME}/.config/QuiteRss
+whitelist ${HOME}/.config/QuiteRss
-allow  ${HOME}/.config/QuiteRssrc
+whitelist ${HOME}/.config/QuiteRssrc
-allow  ${HOME}/.local/share/data/QuiteRss
+whitelist ${HOME}/.local/share/data/QuiteRss
-allow  ${HOME}/.local/share/QuiteRss
+whitelist ${HOME}/.local/share/QuiteRss
-allow  ${HOME}/quiterssfeeds.opml
+whitelist ${HOME}/quiterssfeeds.opml
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/quodlibet.profile b/etc/profile-m-z/quodlibet.profile
index 52c120c08..92b02b2bf 100644
--- a/etc/profile-m-z/quodlibet.profile
+++ b/etc/profile-m-z/quodlibet.profile
@@ -6,10 +6,10 @@ include quodlibet.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/quodlibet
+noblacklist ${HOME}/.cache/quodlibet
-nodeny  ${HOME}/.config/quodlibet
+noblacklist ${HOME}/.config/quodlibet
-nodeny  ${HOME}/.quodlibet
+noblacklist ${HOME}/.quodlibet
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include allow-bin-sh.inc
@@ -30,11 +30,11 @@ mkdir ${HOME}/.cache/quodlibet
 mkdir ${HOME}/.config/quodlibet
 mkdir ${HOME}/.quodlibet
-allow  ${HOME}/.cache/quodlibet
+whitelist ${HOME}/.cache/quodlibet
-allow  ${HOME}/.config/quodlibet
+whitelist ${HOME}/.config/quodlibet
-allow  ${HOME}/.quodlibet
+whitelist ${HOME}/.quodlibet
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${MUSIC}
+whitelist ${MUSIC}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/qupzilla.profile b/etc/profile-m-z/qupzilla.profile
index 9bc91808b..7aa71c848 100644
--- a/etc/profile-m-z/qupzilla.profile
+++ b/etc/profile-m-z/qupzilla.profile
@@ -6,8 +6,8 @@ include qupzilla.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.cache/qupzilla
+noblacklist ${HOME}/.cache/qupzilla
-nodeny  ${HOME}/.config/qupzilla
+noblacklist ${HOME}/.config/qupzilla
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/qupzilla
 mkdir ${HOME}/.config/qupzilla
-allow  ${HOME}/.cache/qupzilla
+whitelist ${HOME}/.cache/qupzilla
-allow  ${HOME}/.config/qupzilla
+whitelist ${HOME}/.config/qupzilla
 # Redirect
 include falkon.profile
diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile
index a342e2acd..fc910b589 100644
--- a/etc/profile-m-z/qutebrowser.profile
+++ b/etc/profile-m-z/qutebrowser.profile
@@ -6,9 +6,9 @@ include qutebrowser.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/qutebrowser
+noblacklist ${HOME}/.cache/qutebrowser
-nodeny  ${HOME}/.config/qutebrowser
+noblacklist ${HOME}/.config/qutebrowser
-nodeny  ${HOME}/.local/share/qutebrowser
+noblacklist ${HOME}/.local/share/qutebrowser
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,10 +22,10 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/qutebrowser
 mkdir ${HOME}/.config/qutebrowser
 mkdir ${HOME}/.local/share/qutebrowser
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.cache/qutebrowser
+whitelist ${HOME}/.cache/qutebrowser
-allow  ${HOME}/.config/qutebrowser
+whitelist ${HOME}/.config/qutebrowser
-allow  ${HOME}/.local/share/qutebrowser
+whitelist ${HOME}/.local/share/qutebrowser
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/rambox.profile b/etc/profile-m-z/rambox.profile
index b1059cee8..ffa2022ee 100644
--- a/etc/profile-m-z/rambox.profile
+++ b/etc/profile-m-z/rambox.profile
@@ -6,9 +6,9 @@ include rambox.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Rambox
+noblacklist ${HOME}/.config/Rambox
-nodeny  ${HOME}/.pki
+noblacklist ${HOME}/.pki
-nodeny  ${HOME}/.local/share/pki
+noblacklist ${HOME}/.local/share/pki
 include disable-common.inc
 include disable-devel.inc
@@ -18,10 +18,10 @@ include disable-programs.inc
 mkdir ${HOME}/.config/Rambox
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.config/Rambox
+whitelist ${HOME}/.config/Rambox
-allow  ${HOME}/.pki
+whitelist ${HOME}/.pki
-allow  ${HOME}/.local/share/pki
+whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/redeclipse.profile b/etc/profile-m-z/redeclipse.profile
index 3b56f651f..9bc196a16 100644
--- a/etc/profile-m-z/redeclipse.profile
+++ b/etc/profile-m-z/redeclipse.profile
@@ -6,7 +6,7 @@ include redeclipse.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.redeclipse
+noblacklist ${HOME}/.redeclipse
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.redeclipse
-allow  ${HOME}/.redeclipse
+whitelist ${HOME}/.redeclipse
-allow  /usr/share/redeclipse
+whitelist /usr/share/redeclipse
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/rednotebook.profile b/etc/profile-m-z/rednotebook.profile
new file mode 100644
index 000000000..67281c518
--- /dev/null
+++ b/etc/profile-m-z/rednotebook.profile
@@ -0,0 +1,67 @@
+# Firejail profile for rednotebook
+# Description: Daily journal with calendar, templates and keyword searching
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rednotebook.local
+# Persistent global definitions
+include globals.local
+nodeny ${HOME}/.cache/rednotebook
+nodeny ${HOME}/.rednotebook
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+mkdir ${HOME}/.cache/rednotebook
+mkdir ${HOME}/.rednotebook
+allow ${HOME}/.cache/rednotebook
+allow ${HOME}/.rednotebook
+allow ${DESKTOP}
+allow ${DOCUMENTS}
+allow ${DOWNLOADS}
+allow ${MUSIC}
+allow ${PICTURES}
+allow ${VIDEOS}
+allow /usr/libexec/webkit2gtk-4.0
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-bin python3*,rednotebook
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/redshift.profile b/etc/profile-m-z/redshift.profile
index 3035e1d74..f87c5f67c 100644
--- a/etc/profile-m-z/redshift.profile
+++ b/etc/profile-m-z/redshift.profile
@@ -7,8 +7,8 @@ include redshift.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/redshift
+noblacklist ${HOME}/.config/redshift
-nodeny  ${HOME}/.config/redshift.conf
+noblacklist ${HOME}/.config/redshift.conf
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/redshift
-allow  ${HOME}/.config/redshift
+whitelist ${HOME}/.config/redshift
-allow  ${HOME}/.config/redshift.conf
+whitelist ${HOME}/.config/redshift.conf
 include whitelist-var-common.inc
 apparmor
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile
index 82feafab9..f5131c5d0 100644
--- a/etc/profile-m-z/regextester.profile
+++ b/etc/profile-m-z/regextester.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/com.github.artemanufrij.regextester
+whitelist /usr/share/com.github.artemanufrij.regextester
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/remmina.profile b/etc/profile-m-z/remmina.profile
index 3f385f602..aca22f187 100644
--- a/etc/profile-m-z/remmina.profile
+++ b/etc/profile-m-z/remmina.profile
@@ -6,9 +6,9 @@ include remmina.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.remmina
+noblacklist ${HOME}/.remmina
-nodeny  ${HOME}/.config/remmina
+noblacklist ${HOME}/.config/remmina
-nodeny  ${HOME}/.local/share/remmina
+noblacklist ${HOME}/.local/share/remmina
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
index c532d3dc1..970e8ffba 100644
--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -6,9 +6,9 @@ include rhythmbox.local
 # Persistent global definitions
 include globals.local
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
-nodeny  ${HOME}/.cache/rhythmbox
+noblacklist ${HOME}/.cache/rhythmbox
-nodeny  ${HOME}/.local/share/rhythmbox
+noblacklist ${HOME}/.local/share/rhythmbox
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -26,10 +26,10 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/rhythmbox
+whitelist /usr/share/rhythmbox
-allow  /usr/share/lua
+whitelist /usr/share/lua
-allow  /usr/share/libquvi-scripts
+whitelist /usr/share/libquvi-scripts
-allow  /usr/share/tracker
+whitelist /usr/share/tracker
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/ricochet.profile b/etc/profile-m-z/ricochet.profile
index c3ee57ef3..b664a2be3 100644
--- a/etc/profile-m-z/ricochet.profile
+++ b/etc/profile-m-z/ricochet.profile
@@ -5,7 +5,7 @@ include ricochet.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/Ricochet
+noblacklist ${HOME}/.local/share/Ricochet
 include disable-common.inc
 include disable-devel.inc
@@ -16,8 +16,8 @@ include disable-programs.inc
 include disable-shell.inc
 mkdir ${HOME}/.local/share/Ricochet
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.local/share/Ricochet
+whitelist ${HOME}/.local/share/Ricochet
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/riot-web.profile b/etc/profile-m-z/riot-web.profile
index 782396a50..687c943b0 100644
--- a/etc/profile-m-z/riot-web.profile
+++ b/etc/profile-m-z/riot-web.profile
@@ -8,11 +8,11 @@ include globals.local
 ignore noexec /tmp
-nodeny  ${HOME}/.config/Riot
+noblacklist ${HOME}/.config/Riot
 mkdir ${HOME}/.config/Riot
-allow  ${HOME}/.config/Riot
+whitelist ${HOME}/.config/Riot
-allow  /usr/share/webapps/element
+whitelist /usr/share/webapps/element
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/ripperx.profile b/etc/profile-m-z/ripperx.profile
index c97ac8090..be815e714 100644
--- a/etc/profile-m-z/ripperx.profile
+++ b/etc/profile-m-z/ripperx.profile
@@ -6,8 +6,8 @@ include ripperx.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.ripperXrc
+noblacklist ${HOME}/.ripperXrc
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/ristretto.profile b/etc/profile-m-z/ristretto.profile
index 109d2f8f1..5572cab5a 100644
--- a/etc/profile-m-z/ristretto.profile
+++ b/etc/profile-m-z/ristretto.profile
@@ -6,9 +6,9 @@ include ristretto.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/ristretto
+noblacklist ${HOME}/.config/ristretto
-nodeny  ${HOME}/.Steam
+noblacklist ${HOME}/.Steam
-nodeny  ${HOME}/.steam
+noblacklist ${HOME}/.steam
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/rocketchat.profile b/etc/profile-m-z/rocketchat.profile
index 1a76c4211..8d3607c75 100644
--- a/etc/profile-m-z/rocketchat.profile
+++ b/etc/profile-m-z/rocketchat.profile
@@ -21,10 +21,10 @@ ignore private-cache
 ignore private-dev
 ignore private-tmp
-nodeny  ${HOME}/.config/Rocket.Chat
+noblacklist ${HOME}/.config/Rocket.Chat
 mkdir ${HOME}/.config/Rocket.Chat
-allow  ${HOME}/.config/Rocket.Chat
+whitelist ${HOME}/.config/Rocket.Chat
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile
index 4807b7d36..690b44bb1 100644
--- a/etc/profile-m-z/rsync-download_only.profile
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -11,8 +11,8 @@ include globals.local
 # not as a daemon (rsync --daemon) nor to create backups.
 # Usage: firejail --profile=rsync-download_only rsync
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/rtv-addons.profile b/etc/profile-m-z/rtv-addons.profile
index 6b7d6b155..cc6db5043 100644
--- a/etc/profile-m-z/rtv-addons.profile
+++ b/etc/profile-m-z/rtv-addons.profile
@@ -11,16 +11,16 @@ ignore nosound
 ignore private-bin
 ignore dbus-user none
-nodeny  ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/mpv
-nodeny  ${HOME}/.mailcap
+noblacklist ${HOME}/.mailcap
-nodeny  ${HOME}/.netrc
+noblacklist ${HOME}/.netrc
-nodeny  ${HOME}/.w3m
+noblacklist ${HOME}/.w3m
-allow  ${HOME}/.cache/youtube-dl/youtube-sigfuncs
+whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
-allow  ${HOME}/.config/mpv
+whitelist ${HOME}/.config/mpv
-allow  ${HOME}/.mailcap
+whitelist ${HOME}/.mailcap
-allow  ${HOME}/.netrc
+whitelist ${HOME}/.netrc
-allow  ${HOME}/.w3m
+whitelist ${HOME}/.w3m
 #private-bin w3m,mpv,youtube-dl
diff --git a/etc/profile-m-z/rtv.profile b/etc/profile-m-z/rtv.profile
index 074050792..2f1fe0155 100644
--- a/etc/profile-m-z/rtv.profile
+++ b/etc/profile-m-z/rtv.profile
@@ -6,11 +6,11 @@ include rtv.local
 # Persistent global definitions
 include globals.local
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
-nodeny  ${HOME}/.config/rtv
+noblacklist ${HOME}/.config/rtv
-nodeny  ${HOME}/.local/share/rtv
+noblacklist ${HOME}/.local/share/rtv
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
@@ -33,8 +33,8 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/rtv
 mkdir ${HOME}/.local/share/rtv
-allow  ${HOME}/.config/rtv
+whitelist ${HOME}/.config/rtv
-allow  ${HOME}/.local/share/rtv
+whitelist ${HOME}/.local/share/rtv
 include whitelist-var-common.inc
 apparmor
diff --git a/etc/profile-m-z/sayonara.profile b/etc/profile-m-z/sayonara.profile
index 963f5da02..de79913cc 100644
--- a/etc/profile-m-z/sayonara.profile
+++ b/etc/profile-m-z/sayonara.profile
@@ -5,8 +5,8 @@ include sayonara.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.Sayonara
+noblacklist ${HOME}/.Sayonara
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/scallion.profile b/etc/profile-m-z/scallion.profile
index 26550b5e0..eb8468c3b 100644
--- a/etc/profile-m-z/scallion.profile
+++ b/etc/profile-m-z/scallion.profile
@@ -6,10 +6,10 @@ include scallion.local
 # Persistent global definitions
 include globals.local
-nodeny  ${PATH}/llvm*
+noblacklist ${PATH}/llvm*
-nodeny  ${PATH}/openssl
+noblacklist ${PATH}/openssl
-nodeny  ${PATH}/openssl-1.0
+noblacklist ${PATH}/openssl-1.0
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-exec.inc
diff --git a/etc/profile-m-z/scorched3d.profile b/etc/profile-m-z/scorched3d.profile
index 921efb49e..b1989e474 100644
--- a/etc/profile-m-z/scorched3d.profile
+++ b/etc/profile-m-z/scorched3d.profile
@@ -6,7 +6,7 @@ include scorched3d.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.scorched3d
+noblacklist ${HOME}/.scorched3d
 include disable-common.inc
 include disable-devel.inc
@@ -17,9 +17,9 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.scorched3d
-allow  ${HOME}/.scorched3d
+whitelist ${HOME}/.scorched3d
-allow  /usr/share/scorched3d
+whitelist /usr/share/scorched3d
-allow  /usr/share/games/scorched3d
+whitelist /usr/share/games/scorched3d
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile
index 54a6c3a01..2cb1df6b5 100644
--- a/etc/profile-m-z/scorchwentbonkers.profile
+++ b/etc/profile-m-z/scorchwentbonkers.profile
@@ -6,7 +6,7 @@ include scorchwentbonkers.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.swb.ini
+noblacklist ${HOME}/.swb.ini
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.swb.ini
-allow  ${HOME}/.swb.ini
+whitelist ${HOME}/.swb.ini
-allow  /usr/share/scorchwentbonkers
+whitelist /usr/share/scorchwentbonkers
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/scribus.profile b/etc/profile-m-z/scribus.profile
index 6519f8e87..1fdeaa145 100644
--- a/etc/profile-m-z/scribus.profile
+++ b/etc/profile-m-z/scribus.profile
@@ -7,24 +7,24 @@ include scribus.local
 include globals.local
 # Support for PDF readers comes with Scribus 1.5 and higher
-nodeny  ${HOME}/.cache/okular
+noblacklist ${HOME}/.cache/okular
-nodeny  ${HOME}/.config/GIMP
+noblacklist ${HOME}/.config/GIMP
-nodeny  ${HOME}/.config/okularpartrc
+noblacklist ${HOME}/.config/okularpartrc
-nodeny  ${HOME}/.config/okularrc
+noblacklist ${HOME}/.config/okularrc
-nodeny  ${HOME}/.config/scribus
+noblacklist ${HOME}/.config/scribus
-nodeny  ${HOME}/.config/scribusrc
+noblacklist ${HOME}/.config/scribusrc
-nodeny  ${HOME}/.gimp*
+noblacklist ${HOME}/.gimp*
-nodeny  ${HOME}/.kde/share/apps/okular
+noblacklist ${HOME}/.kde/share/apps/okular
-nodeny  ${HOME}/.kde/share/config/okularpartrc
+noblacklist ${HOME}/.kde/share/config/okularpartrc
-nodeny  ${HOME}/.kde/share/config/okularrc
+noblacklist ${HOME}/.kde/share/config/okularrc
-nodeny  ${HOME}/.kde4/share/apps/okular
+noblacklist ${HOME}/.kde4/share/apps/okular
-nodeny  ${HOME}/.kde4/share/config/okularpartrc
+noblacklist ${HOME}/.kde4/share/config/okularpartrc
-nodeny  ${HOME}/.kde4/share/config/okularrc
+noblacklist ${HOME}/.kde4/share/config/okularrc
-nodeny  ${HOME}/.local/share/okular
+noblacklist ${HOME}/.local/share/okular
-nodeny  ${HOME}/.local/share/scribus
+noblacklist ${HOME}/.local/share/scribus
-nodeny  ${HOME}/.scribus
+noblacklist ${HOME}/.scribus
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile
index 95cedac3f..7799ab7ed 100644
--- a/etc/profile-m-z/seahorse-adventures.profile
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -22,8 +22,8 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/seahorse-adventures
+whitelist /usr/share/seahorse-adventures
-allow  /usr/share/games/seahorse-adventures
+whitelist /usr/share/games/seahorse-adventures
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index 66605173b..d3d8e453f 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -6,9 +6,9 @@ include seahorse.local
 # Persistent global definitions
 include globals.local
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-nodeny  ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
@@ -27,13 +27,13 @@ include disable-xdg.inc
 #mkdir ${HOME}/.ssh
 #whitelist ${HOME}/.gnupg
 #whitelist ${HOME}/.ssh
-allow  /tmp/ssh-*
+whitelist /tmp/ssh-*
-allow  /usr/share/gnupg
+whitelist /usr/share/gnupg
-allow  /usr/share/gnupg2
+whitelist /usr/share/gnupg2
-allow  /usr/share/seahorse
+whitelist /usr/share/seahorse
-allow  /usr/share/seahorse-nautilus
+whitelist /usr/share/seahorse-nautilus
-allow  ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/gnupg
-allow  ${RUNUSER}/keyring
+whitelist ${RUNUSER}/keyring
 #include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/seamonkey.profile b/etc/profile-m-z/seamonkey.profile
index c9867719a..807effbeb 100644
--- a/etc/profile-m-z/seamonkey.profile
+++ b/etc/profile-m-z/seamonkey.profile
@@ -6,10 +6,10 @@ include seamonkey.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.cache/mozilla
-nodeny  ${HOME}/.mozilla
+noblacklist ${HOME}/.mozilla
-nodeny  ${HOME}/.pki
+noblacklist ${HOME}/.pki
-nodeny  ${HOME}/.local/share/pki
+noblacklist ${HOME}/.local/share/pki
 include disable-common.inc
 include disable-devel.inc
@@ -20,25 +20,25 @@ mkdir ${HOME}/.cache/mozilla
 mkdir ${HOME}/.mozilla
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
-allow  ${HOME}/.cache/mozilla
+whitelist ${HOME}/.cache/mozilla
-allow  ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.config/gnome-mplayer
-allow  ${HOME}/.config/pipelight-silverlight5.1
+whitelist ${HOME}/.config/pipelight-silverlight5.1
-allow  ${HOME}/.config/pipelight-widevine
+whitelist ${HOME}/.config/pipelight-widevine
-allow  ${HOME}/.keysnail.js
+whitelist ${HOME}/.keysnail.js
-allow  ${HOME}/.lastpass
+whitelist ${HOME}/.lastpass
-allow  ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla
-allow  ${HOME}/.pentadactyl
+whitelist ${HOME}/.pentadactyl
-allow  ${HOME}/.pentadactylrc
+whitelist ${HOME}/.pentadactylrc
-allow  ${HOME}/.pki
+whitelist ${HOME}/.pki
-allow  ${HOME}/.local/share/pki
+whitelist ${HOME}/.local/share/pki
-allow  ${HOME}/.vimperator
+whitelist ${HOME}/.vimperator
-allow  ${HOME}/.vimperatorrc
+whitelist ${HOME}/.vimperatorrc
-allow  ${HOME}/.wine-pipelight
+whitelist ${HOME}/.wine-pipelight
-allow  ${HOME}/.wine-pipelight64
+whitelist ${HOME}/.wine-pipelight64
-allow  ${HOME}/.zotero
+whitelist ${HOME}/.zotero
-allow  ${HOME}/dwhelper
+whitelist ${HOME}/dwhelper
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
index 23f464637..7d56684db 100644
--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -32,12 +32,12 @@ include globals.local
 # it allows /sbin and /usr/sbin directories - this is where servers are installed
 # depending on your usage, you can enable some of the commands below:
-nodeny  /sbin
+noblacklist /sbin
-nodeny  /usr/sbin
+noblacklist /usr/sbin
 # noblacklist /var/opt
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/profile-m-z/shellcheck.profile b/etc/profile-m-z/shellcheck.profile
index 0cb9de45a..b7f398f45 100644
--- a/etc/profile-m-z/shellcheck.profile
+++ b/etc/profile-m-z/shellcheck.profile
@@ -7,9 +7,9 @@ include shellcheck.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
@@ -19,7 +19,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  /usr/share/shellcheck
+whitelist /usr/share/shellcheck
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/shortwave.profile b/etc/profile-m-z/shortwave.profile
index a8e5f6b18..d629240ec 100644
--- a/etc/profile-m-z/shortwave.profile
+++ b/etc/profile-m-z/shortwave.profile
@@ -6,8 +6,8 @@ include shortwave.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/Shortwave
+noblacklist ${HOME}/.cache/Shortwave
-nodeny  ${HOME}/.local/share/Shortwave
+noblacklist ${HOME}/.local/share/Shortwave
 include disable-common.inc
 include disable-devel.inc
@@ -19,9 +19,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/Shortwave
 mkdir ${HOME}/.local/share/Shortwave
-allow  ${HOME}/.cache/Shortwave
+whitelist ${HOME}/.cache/Shortwave
-allow  ${HOME}/.local/share/Shortwave
+whitelist ${HOME}/.local/share/Shortwave
-allow  /usr/share/shortwave
+whitelist /usr/share/shortwave
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/shotcut.profile b/etc/profile-m-z/shotcut.profile
index 1f3c39c46..63af4d367 100644
--- a/etc/profile-m-z/shotcut.profile
+++ b/etc/profile-m-z/shotcut.profile
@@ -8,7 +8,7 @@ include globals.local
 ignore noexec ${HOME}
-nodeny  ${HOME}/.config/Meltytech
+noblacklist ${HOME}/.config/Meltytech
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile
index b653930c3..ddc8a7743 100644
--- a/etc/profile-m-z/shotwell.profile
+++ b/etc/profile-m-z/shotwell.profile
@@ -6,10 +6,10 @@ include shotwell.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/shotwell
+noblacklist ${HOME}/.cache/shotwell
-nodeny  ${HOME}/.local/share/shotwell
+noblacklist ${HOME}/.local/share/shotwell
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -21,9 +21,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/shotwell
 mkdir ${HOME}/.local/share/shotwell
-allow  ${HOME}/.cache/shotwell
+whitelist ${HOME}/.cache/shotwell
-allow  ${HOME}/.local/share/shotwell
+whitelist ${HOME}/.local/share/shotwell
-allow  ${PICTURES}
+whitelist ${PICTURES}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/signal-cli.profile b/etc/profile-m-z/signal-cli.profile
index 8a46899f1..478377344 100644
--- a/etc/profile-m-z/signal-cli.profile
+++ b/etc/profile-m-z/signal-cli.profile
@@ -6,10 +6,10 @@ include signal-cli.local
 # Persistent global definitions
 include globals.local
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
-nodeny  ${HOME}/.local/share/signal-cli
+noblacklist ${HOME}/.local/share/signal-cli
 include allow-java.inc
@@ -22,7 +22,7 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.local/share/signal-cli
-allow  ${HOME}/.local/share/signal-cli
+whitelist ${HOME}/.local/share/signal-cli
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index a12080748..77a7f5b38 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -9,15 +9,15 @@ ignore novideo
 ignore noexec /tmp
-nodeny  ${HOME}/.config/Signal
+noblacklist ${HOME}/.config/Signal
 # These lines are needed to allow Firefox to open links
-nodeny  ${HOME}/.mozilla
+noblacklist ${HOME}/.mozilla
-allow  ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.mozilla/firefox/profiles.ini
 mkdir ${HOME}/.config/Signal
-allow  ${HOME}/.config/Signal
+whitelist ${HOME}/.config/Signal
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl
diff --git a/etc/profile-m-z/simple-scan.profile b/etc/profile-m-z/simple-scan.profile
index 589a44ffc..17920677b 100644
--- a/etc/profile-m-z/simple-scan.profile
+++ b/etc/profile-m-z/simple-scan.profile
@@ -6,8 +6,8 @@ include simple-scan.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/simple-scan
+noblacklist ${HOME}/.cache/simple-scan
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
@@ -16,8 +16,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  /usr/share/hplip
+whitelist /usr/share/hplip
-allow  /usr/share/simple-scan
+whitelist /usr/share/simple-scan
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/simplescreenrecorder.profile b/etc/profile-m-z/simplescreenrecorder.profile
index 83f833508..d664f8bf5 100644
--- a/etc/profile-m-z/simplescreenrecorder.profile
+++ b/etc/profile-m-z/simplescreenrecorder.profile
@@ -6,8 +6,8 @@ include simplescreenrecorder.local
 # Persistent global definitions
 include globals.local
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
-nodeny  ${HOME}/.ssr
+noblacklist ${HOME}/.ssr
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  /usr/share/simplescreenrecorder
+whitelist /usr/share/simplescreenrecorder
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/simutrans.profile b/etc/profile-m-z/simutrans.profile
index 1d7f41579..afaa0f6d8 100644
--- a/etc/profile-m-z/simutrans.profile
+++ b/etc/profile-m-z/simutrans.profile
@@ -6,7 +6,7 @@ include simutrans.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.simutrans
+noblacklist ${HOME}/.simutrans
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.simutrans
-allow  ${HOME}/.simutrans
+whitelist ${HOME}/.simutrans
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/skanlite.profile b/etc/profile-m-z/skanlite.profile
index 98ed624f9..093a61398 100644
--- a/etc/profile-m-z/skanlite.profile
+++ b/etc/profile-m-z/skanlite.profile
@@ -6,7 +6,7 @@ include skanlite.local
 # Persistent global definitions
 include globals.local
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/skypeforlinux.profile b/etc/profile-m-z/skypeforlinux.profile
index e7f70eebe..ed04eda8e 100644
--- a/etc/profile-m-z/skypeforlinux.profile
+++ b/etc/profile-m-z/skypeforlinux.profile
@@ -21,7 +21,7 @@ ignore dbus-system none
 ignore apparmor
 ignore noexec /tmp
-nodeny  ${HOME}/.config/skypeforlinux
+noblacklist ${HOME}/.config/skypeforlinux
 # private-dev - needs /dev/disk
diff --git a/etc/profile-m-z/slack.profile b/etc/profile-m-z/slack.profile
index b8299add3..51f6c8b00 100644
--- a/etc/profile-m-z/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -16,14 +16,14 @@ ignore private-tmp
 ignore dbus-user none
 ignore dbus-system none
-nodeny  ${HOME}/.config/Slack
+noblacklist ${HOME}/.config/Slack
 include allow-bin-sh.inc
 include disable-shell.inc
 mkdir ${HOME}/.config/Slack
-allow  ${HOME}/.config/Slack
+whitelist ${HOME}/.config/Slack
 private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
diff --git a/etc/profile-m-z/slashem.profile b/etc/profile-m-z/slashem.profile
index 36a0044dc..c5a31c237 100644
--- a/etc/profile-m-z/slashem.profile
+++ b/etc/profile-m-z/slashem.profile
@@ -6,7 +6,7 @@ include slashem.local
 # Persistent global definitions
 include globals.local
-nodeny  /var/games/slashem
+noblacklist /var/games/slashem
 include disable-common.inc
 include disable-devel.inc
@@ -15,7 +15,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-allow  /var/games/slashem
+whitelist /var/games/slashem
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile
index 4e4334dc0..01547e5c1 100644
--- a/etc/profile-m-z/smplayer.profile
+++ b/etc/profile-m-z/smplayer.profile
@@ -6,9 +6,9 @@ include smplayer.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/smplayer
-nodeny  ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.config/youtube-dl
-nodeny  ${HOME}/.mplayer
+noblacklist ${HOME}/.mplayer
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -17,8 +17,8 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
@@ -29,9 +29,9 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/lua*
+whitelist /usr/share/lua*
-allow  /usr/share/smplayer
+whitelist /usr/share/smplayer
-allow  /usr/share/vulkan
+whitelist /usr/share/vulkan
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/smtube.profile b/etc/profile-m-z/smtube.profile
index 99d02ffdf..196950eaf 100644
--- a/etc/profile-m-z/smtube.profile
+++ b/etc/profile-m-z/smtube.profile
@@ -6,14 +6,14 @@ include smtube.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/smplayer
-nodeny  ${HOME}/.config/smtube
+noblacklist ${HOME}/.config/smtube
-nodeny  ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/mpv
-nodeny  ${HOME}/.mplayer
+noblacklist ${HOME}/.mplayer
-nodeny  ${HOME}/.config/vlc
+noblacklist ${HOME}/.config/vlc
-nodeny  ${HOME}/.local/share/vlc
+noblacklist ${HOME}/.local/share/vlc
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
@@ -23,8 +23,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  /usr/share/smplayer
+whitelist /usr/share/smplayer
-allow  /usr/share/smtube
+whitelist /usr/share/smtube
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/smuxi-frontend-gnome.profile b/etc/profile-m-z/smuxi-frontend-gnome.profile
index 3a79890cc..c3a9bb858 100644
--- a/etc/profile-m-z/smuxi-frontend-gnome.profile
+++ b/etc/profile-m-z/smuxi-frontend-gnome.profile
@@ -6,9 +6,9 @@ include smuxi-frontend-gnome.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/smuxi
+noblacklist ${HOME}/.cache/smuxi
-nodeny  ${HOME}/.config/smuxi
+noblacklist ${HOME}/.config/smuxi
-nodeny  ${HOME}/.local/share/smuxi
+noblacklist ${HOME}/.local/share/smuxi
 include disable-common.inc
 include disable-devel.inc
@@ -21,10 +21,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/smuxi
 mkdir ${HOME}/.config/smuxi
 mkdir ${HOME}/.local/share/smuxi
-allow  ${HOME}/.cache/smuxi
+whitelist ${HOME}/.cache/smuxi
-allow  ${HOME}/.config/smuxi
+whitelist ${HOME}/.config/smuxi
-allow  ${HOME}/.local/share/smuxi
+whitelist ${HOME}/.local/share/smuxi
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/snox.profile b/etc/profile-m-z/snox.profile
index 1d315404e..83493652c 100644
--- a/etc/profile-m-z/snox.profile
+++ b/etc/profile-m-z/snox.profile
@@ -10,15 +10,15 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
-nodeny  ${HOME}/.cache/snox
+noblacklist ${HOME}/.cache/snox
-nodeny  ${HOME}/.config/snox
+noblacklist ${HOME}/.config/snox
 #mkdir ${HOME}/.cache/dnox
 #mkdir ${HOME}/.config/dnox
 mkdir ${HOME}/.cache/snox
 mkdir ${HOME}/.config/snox
-allow  ${HOME}/.cache/snox
+whitelist ${HOME}/.cache/snox
-allow  ${HOME}/.config/snox
+whitelist ${HOME}/.config/snox
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile
index bd4991e81..83315231f 100644
--- a/etc/profile-m-z/softmaker-common.profile
+++ b/etc/profile-m-z/softmaker-common.profile
@@ -10,7 +10,7 @@ include softmaker-common.local
 # with an absolute Exec line. These files are NOT handelt by firecfg,
 # therefore you must manualy copy them in you home and remove '/usr/bin/'.
-nodeny  ${HOME}/SoftMaker
+noblacklist ${HOME}/SoftMaker
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-allow  /usr/share/office2018
+whitelist /usr/share/office2018
-allow  /usr/share/freeoffice2018
+whitelist /usr/share/freeoffice2018
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/sound-juicer.profile b/etc/profile-m-z/sound-juicer.profile
index 16ee39e09..ef00fdfff 100644
--- a/etc/profile-m-z/sound-juicer.profile
+++ b/etc/profile-m-z/sound-juicer.profile
@@ -6,8 +6,8 @@ include sound-juicer.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/sound-juicer
+noblacklist ${HOME}/.config/sound-juicer
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/soundconverter.profile b/etc/profile-m-z/soundconverter.profile
index 46da7a453..4dbf34100 100644
--- a/etc/profile-m-z/soundconverter.profile
+++ b/etc/profile-m-z/soundconverter.profile
@@ -10,7 +10,7 @@ include globals.local
 include allow-python2.inc
 include allow-python3.inc
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
@@ -20,9 +20,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${MUSIC}
+whitelist ${MUSIC}
-allow  /usr/share/soundconverter
+whitelist /usr/share/soundconverter
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile
index 08adb5861..4468f21e7 100644
--- a/etc/profile-m-z/spectacle.profile
+++ b/etc/profile-m-z/spectacle.profile
@@ -12,8 +12,8 @@ include globals.local
 #private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
 #protocol unix,inet,inet6
-nodeny  ${HOME}/.config/spectaclerc
+noblacklist ${HOME}/.config/spectaclerc
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
@@ -24,10 +24,10 @@ include disable-programs.inc
 include disable-xdg.inc
 mkfile  ${HOME}/.config/spectaclerc
-allow  ${HOME}/.config/spectaclerc
+whitelist ${HOME}/.config/spectaclerc
-allow  ${PICTURES}
+whitelist ${PICTURES}
-allow  /usr/share/kconf_update/spectacle_newConfig.upd
+whitelist /usr/share/kconf_update/spectacle_newConfig.upd
-allow  /usr/share/kconf_update/spectacle_shortcuts.upd
+whitelist /usr/share/kconf_update/spectacle_shortcuts.upd
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile
index 4c1b2d3e1..283674517 100644
--- a/etc/profile-m-z/spectral.profile
+++ b/etc/profile-m-z/spectral.profile
@@ -6,8 +6,8 @@ include spectral.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/ENCOM/Spectral
+noblacklist ${HOME}/.cache/ENCOM/Spectral
-nodeny  ${HOME}/.config/ENCOM
+noblacklist ${HOME}/.config/ENCOM
 include disable-common.inc
 include disable-devel.inc
@@ -20,9 +20,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/ENCOM/Spectral
 mkdir ${HOME}/.config/ENCOM
-allow  ${HOME}/.cache/ENCOM/Spectral
+whitelist ${HOME}/.cache/ENCOM/Spectral
-allow  ${HOME}/.config/ENCOM
+whitelist ${HOME}/.config/ENCOM
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/spectre-meltdown-checker.profile b/etc/profile-m-z/spectre-meltdown-checker.profile
index 3a3fd838d..984461f90 100644
--- a/etc/profile-m-z/spectre-meltdown-checker.profile
+++ b/etc/profile-m-z/spectre-meltdown-checker.profile
@@ -6,10 +6,10 @@ include spectre-meltdown-checker.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
-nodeny  ${PATH}/mount
+noblacklist ${PATH}/mount
-nodeny  ${PATH}/umount
+noblacklist ${PATH}/umount
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile
index e1c830268..01bc2bc05 100644
--- a/etc/profile-m-z/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -5,11 +5,11 @@ include spotify.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/spotify
+noblacklist ${HOME}/.cache/spotify
-nodeny  ${HOME}/.config/spotify
+noblacklist ${HOME}/.config/spotify
-nodeny  ${HOME}/.local/share/spotify
+noblacklist ${HOME}/.local/share/spotify
-deny  ${HOME}/.bashrc
+blacklist ${HOME}/.bashrc
 include disable-common.inc
 include disable-devel.inc
@@ -21,9 +21,9 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/spotify
 mkdir ${HOME}/.config/spotify
 mkdir ${HOME}/.local/share/spotify
-allow  ${HOME}/.cache/spotify
+whitelist ${HOME}/.cache/spotify
-allow  ${HOME}/.config/spotify
+whitelist ${HOME}/.config/spotify
-allow  ${HOME}/.local/share/spotify
+whitelist ${HOME}/.local/share/spotify
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index aa577b63a..4dd2c7262 100644
--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -6,8 +6,8 @@ include sqlitebrowser.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/sqlitebrowser
+noblacklist ${HOME}/.config/sqlitebrowser
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index e456ebe07..5802299a3 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -9,8 +9,8 @@ include globals.local
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-passwdmgr.inc
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index 8a0d86150..a58642192 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -8,8 +8,8 @@ include ssh.local
 include globals.local
 # nc can be used as ProxyCommand, e.g. when using tor
-nodeny  ${PATH}/nc
+noblacklist ${PATH}/nc
-nodeny  ${PATH}/ncat
+noblacklist ${PATH}/ncat
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
@@ -19,8 +19,8 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-allow  ${RUNUSER}/gnupg/S.gpg-agent.ssh
+whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
-allow  ${RUNUSER}/keyring/ssh
+whitelist ${RUNUSER}/keyring/ssh
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
index 75de118ab..48a532876 100644
--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -5,8 +5,8 @@ include standardnotes-desktop.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/Standard Notes Backups
+noblacklist ${HOME}/Standard Notes Backups
-nodeny  ${HOME}/.config/Standard Notes
+noblacklist ${HOME}/.config/Standard Notes
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 mkdir ${HOME}/Standard Notes Backups
 mkdir ${HOME}/.config/Standard Notes
-allow  ${HOME}/Standard Notes Backups
+whitelist ${HOME}/Standard Notes Backups
-allow  ${HOME}/.config/Standard Notes
+whitelist ${HOME}/.config/Standard Notes
 include whitelist-var-common.inc
 apparmor
diff --git a/etc/profile-m-z/start-tor-browser.desktop.profile b/etc/profile-m-z/start-tor-browser.desktop.profile
index 8f75365e8..2f73c9fee 100644
--- a/etc/profile-m-z/start-tor-browser.desktop.profile
+++ b/etc/profile-m-z/start-tor-browser.desktop.profile
@@ -6,71 +6,71 @@ include start-tor-browser.desktop.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser*
+noblacklist ${HOME}/.tor-browser*
-allow  ${HOME}/.tor-browser-ar
+whitelist ${HOME}/.tor-browser-ar
-allow  ${HOME}/.tor-browser-ca
+whitelist ${HOME}/.tor-browser-ca
-allow  ${HOME}/.tor-browser-cs
+whitelist ${HOME}/.tor-browser-cs
-allow  ${HOME}/.tor-browser-da
+whitelist ${HOME}/.tor-browser-da
-allow  ${HOME}/.tor-browser-de
+whitelist ${HOME}/.tor-browser-de
-allow  ${HOME}/.tor-browser-el
+whitelist ${HOME}/.tor-browser-el
-allow  ${HOME}/.tor-browser-en
+whitelist ${HOME}/.tor-browser-en
-allow  ${HOME}/.tor-browser-en-us
+whitelist ${HOME}/.tor-browser-en-us
-allow  ${HOME}/.tor-browser-es
+whitelist ${HOME}/.tor-browser-es
-allow  ${HOME}/.tor-browser-es-es
+whitelist ${HOME}/.tor-browser-es-es
-allow  ${HOME}/.tor-browser-fa
+whitelist ${HOME}/.tor-browser-fa
-allow  ${HOME}/.tor-browser-fr
+whitelist ${HOME}/.tor-browser-fr
-allow  ${HOME}/.tor-browser-ga-ie
+whitelist ${HOME}/.tor-browser-ga-ie
-allow  ${HOME}/.tor-browser-he
+whitelist ${HOME}/.tor-browser-he
-allow  ${HOME}/.tor-browser-hu
+whitelist ${HOME}/.tor-browser-hu
-allow  ${HOME}/.tor-browser-id
+whitelist ${HOME}/.tor-browser-id
-allow  ${HOME}/.tor-browser-is
+whitelist ${HOME}/.tor-browser-is
-allow  ${HOME}/.tor-browser-it
+whitelist ${HOME}/.tor-browser-it
-allow  ${HOME}/.tor-browser-ja
+whitelist ${HOME}/.tor-browser-ja
-allow  ${HOME}/.tor-browser-ka
+whitelist ${HOME}/.tor-browser-ka
-allow  ${HOME}/.tor-browser-ko
+whitelist ${HOME}/.tor-browser-ko
-allow  ${HOME}/.tor-browser-nb
+whitelist ${HOME}/.tor-browser-nb
-allow  ${HOME}/.tor-browser-nl
+whitelist ${HOME}/.tor-browser-nl
-allow  ${HOME}/.tor-browser-pl
+whitelist ${HOME}/.tor-browser-pl
-allow  ${HOME}/.tor-browser-pt-br
+whitelist ${HOME}/.tor-browser-pt-br
-allow  ${HOME}/.tor-browser-ru
+whitelist ${HOME}/.tor-browser-ru
-allow  ${HOME}/.tor-browser-sv-se
+whitelist ${HOME}/.tor-browser-sv-se
-allow  ${HOME}/.tor-browser-tr
+whitelist ${HOME}/.tor-browser-tr
-allow  ${HOME}/.tor-browser-vi
+whitelist ${HOME}/.tor-browser-vi
-allow  ${HOME}/.tor-browser-zh-cn
+whitelist ${HOME}/.tor-browser-zh-cn
-allow  ${HOME}/.tor-browser-zh-tw
+whitelist ${HOME}/.tor-browser-zh-tw
-allow  ${HOME}/.tor-browser_ar
+whitelist ${HOME}/.tor-browser_ar
-allow  ${HOME}/.tor-browser_ca
+whitelist ${HOME}/.tor-browser_ca
-allow  ${HOME}/.tor-browser_cs
+whitelist ${HOME}/.tor-browser_cs
-allow  ${HOME}/.tor-browser_da
+whitelist ${HOME}/.tor-browser_da
-allow  ${HOME}/.tor-browser_de
+whitelist ${HOME}/.tor-browser_de
-allow  ${HOME}/.tor-browser_el
+whitelist ${HOME}/.tor-browser_el
-allow  ${HOME}/.tor-browser_en
+whitelist ${HOME}/.tor-browser_en
-allow  ${HOME}/.tor-browser_en_US
+whitelist ${HOME}/.tor-browser_en_US
-allow  ${HOME}/.tor-browser_es
+whitelist ${HOME}/.tor-browser_es
-allow  ${HOME}/.tor-browser_es-ES
+whitelist ${HOME}/.tor-browser_es-ES
-allow  ${HOME}/.tor-browser_fa
+whitelist ${HOME}/.tor-browser_fa
-allow  ${HOME}/.tor-browser_fr
+whitelist ${HOME}/.tor-browser_fr
-allow  ${HOME}/.tor-browser_ga-IE
+whitelist ${HOME}/.tor-browser_ga-IE
-allow  ${HOME}/.tor-browser_he
+whitelist ${HOME}/.tor-browser_he
-allow  ${HOME}/.tor-browser_hu
+whitelist ${HOME}/.tor-browser_hu
-allow  ${HOME}/.tor-browser_id
+whitelist ${HOME}/.tor-browser_id
-allow  ${HOME}/.tor-browser_is
+whitelist ${HOME}/.tor-browser_is
-allow  ${HOME}/.tor-browser_it
+whitelist ${HOME}/.tor-browser_it
-allow  ${HOME}/.tor-browser_ja
+whitelist ${HOME}/.tor-browser_ja
-allow  ${HOME}/.tor-browser_ka
+whitelist ${HOME}/.tor-browser_ka
-allow  ${HOME}/.tor-browser_ko
+whitelist ${HOME}/.tor-browser_ko
-allow  ${HOME}/.tor-browser_nb
+whitelist ${HOME}/.tor-browser_nb
-allow  ${HOME}/.tor-browser_nl
+whitelist ${HOME}/.tor-browser_nl
-allow  ${HOME}/.tor-browser_pl
+whitelist ${HOME}/.tor-browser_pl
-allow  ${HOME}/.tor-browser_pt-BR
+whitelist ${HOME}/.tor-browser_pt-BR
-allow  ${HOME}/.tor-browser_ru
+whitelist ${HOME}/.tor-browser_ru
-allow  ${HOME}/.tor-browser_sv-SE
+whitelist ${HOME}/.tor-browser_sv-SE
-allow  ${HOME}/.tor-browser_tr
+whitelist ${HOME}/.tor-browser_tr
-allow  ${HOME}/.tor-browser_vi
+whitelist ${HOME}/.tor-browser_vi
-allow  ${HOME}/.tor-browser_zh-CN
+whitelist ${HOME}/.tor-browser_zh-CN
-allow  ${HOME}/.tor-browser_zh-TW
+whitelist ${HOME}/.tor-browser_zh-TW
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 09e29373d..06d08f3a2 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -6,40 +6,40 @@ include steam.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Epic
+noblacklist ${HOME}/.config/Epic
-nodeny  ${HOME}/.config/Loop_Hero
+noblacklist ${HOME}/.config/Loop_Hero
-nodeny  ${HOME}/.config/ModTheSpire
+noblacklist ${HOME}/.config/ModTheSpire
-nodeny  ${HOME}/.config/RogueLegacy
+noblacklist ${HOME}/.config/RogueLegacy
-nodeny  ${HOME}/.config/RogueLegacyStorageContainer
+noblacklist ${HOME}/.config/RogueLegacyStorageContainer
-nodeny  ${HOME}/.killingfloor
+noblacklist ${HOME}/.killingfloor
-nodeny  ${HOME}/.klei
+noblacklist ${HOME}/.klei
-nodeny  ${HOME}/.local/share/3909/PapersPlease
+noblacklist ${HOME}/.local/share/3909/PapersPlease
-nodeny  ${HOME}/.local/share/aspyr-media
+noblacklist ${HOME}/.local/share/aspyr-media
-nodeny  ${HOME}/.local/share/bohemiainteractive
+noblacklist ${HOME}/.local/share/bohemiainteractive
-nodeny  ${HOME}/.local/share/cdprojektred
+noblacklist ${HOME}/.local/share/cdprojektred
-nodeny  ${HOME}/.local/share/Dredmor
+noblacklist ${HOME}/.local/share/Dredmor
-nodeny  ${HOME}/.local/share/FasterThanLight
+noblacklist ${HOME}/.local/share/FasterThanLight
-nodeny  ${HOME}/.local/share/feral-interactive
+noblacklist ${HOME}/.local/share/feral-interactive
-nodeny  ${HOME}/.local/share/IntoTheBreach
+noblacklist ${HOME}/.local/share/IntoTheBreach
-nodeny  ${HOME}/.local/share/Paradox Interactive
+noblacklist ${HOME}/.local/share/Paradox Interactive
-nodeny  ${HOME}/.local/share/PillarsOfEternity
+noblacklist ${HOME}/.local/share/PillarsOfEternity
-nodeny  ${HOME}/.local/share/RogueLegacy
+noblacklist ${HOME}/.local/share/RogueLegacy
-nodeny  ${HOME}/.local/share/RogueLegacyStorageContainer
+noblacklist ${HOME}/.local/share/RogueLegacyStorageContainer
-nodeny  ${HOME}/.local/share/Steam
+noblacklist ${HOME}/.local/share/Steam
-nodeny  ${HOME}/.local/share/SteamWorldDig
+noblacklist ${HOME}/.local/share/SteamWorldDig
-nodeny  ${HOME}/.local/share/SteamWorld Dig 2
+noblacklist ${HOME}/.local/share/SteamWorld Dig 2
-nodeny  ${HOME}/.local/share/SuperHexagon
+noblacklist ${HOME}/.local/share/SuperHexagon
-nodeny  ${HOME}/.local/share/Terraria
+noblacklist ${HOME}/.local/share/Terraria
-nodeny  ${HOME}/.local/share/vpltd
+noblacklist ${HOME}/.local/share/vpltd
-nodeny  ${HOME}/.local/share/vulkan
+noblacklist ${HOME}/.local/share/vulkan
-nodeny  ${HOME}/.mbwarband
+noblacklist ${HOME}/.mbwarband
-nodeny  ${HOME}/.paradoxinteractive
+noblacklist ${HOME}/.paradoxinteractive
-nodeny  ${HOME}/.steam
+noblacklist ${HOME}/.steam
-nodeny  ${HOME}/.steampath
+noblacklist ${HOME}/.steampath
-nodeny  ${HOME}/.steampid
+noblacklist ${HOME}/.steampid
 # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
-nodeny  /sbin
+noblacklist /sbin
-nodeny  /usr/sbin
+noblacklist /usr/sbin
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -84,38 +84,38 @@ mkdir ${HOME}/.paradoxinteractive
 mkdir ${HOME}/.steam
 mkfile ${HOME}/.steampath
 mkfile ${HOME}/.steampid
-allow  ${HOME}/.config/Epic
+whitelist ${HOME}/.config/Epic
-allow  ${HOME}/.config/Loop_Hero
+whitelist ${HOME}/.config/Loop_Hero
-allow  ${HOME}/.config/ModTheSpire
+whitelist ${HOME}/.config/ModTheSpire
-allow  ${HOME}/.config/RogueLegacy
+whitelist ${HOME}/.config/RogueLegacy
-allow  ${HOME}/.config/RogueLegacyStorageContainer
+whitelist ${HOME}/.config/RogueLegacyStorageContainer
-allow  ${HOME}/.config/unity3d
+whitelist ${HOME}/.config/unity3d
-allow  ${HOME}/.killingfloor
+whitelist ${HOME}/.killingfloor
-allow  ${HOME}/.klei
+whitelist ${HOME}/.klei
-allow  ${HOME}/.local/share/3909/PapersPlease
+whitelist ${HOME}/.local/share/3909/PapersPlease
-allow  ${HOME}/.local/share/aspyr-media
+whitelist ${HOME}/.local/share/aspyr-media
-allow  ${HOME}/.local/share/bohemiainteractive
+whitelist ${HOME}/.local/share/bohemiainteractive
-allow  ${HOME}/.local/share/cdprojektred
+whitelist ${HOME}/.local/share/cdprojektred
-allow  ${HOME}/.local/share/Dredmor
+whitelist ${HOME}/.local/share/Dredmor
-allow  ${HOME}/.local/share/FasterThanLight
+whitelist ${HOME}/.local/share/FasterThanLight
-allow  ${HOME}/.local/share/feral-interactive
+whitelist ${HOME}/.local/share/feral-interactive
-allow  ${HOME}/.local/share/IntoTheBreach
+whitelist ${HOME}/.local/share/IntoTheBreach
-allow  ${HOME}/.local/share/Paradox Interactive
+whitelist ${HOME}/.local/share/Paradox Interactive
-allow  ${HOME}/.local/share/PillarsOfEternity
+whitelist ${HOME}/.local/share/PillarsOfEternity
-allow  ${HOME}/.local/share/RogueLegacy
+whitelist ${HOME}/.local/share/RogueLegacy
-allow  ${HOME}/.local/share/RogueLegacyStorageContainer
+whitelist ${HOME}/.local/share/RogueLegacyStorageContainer
-allow  ${HOME}/.local/share/Steam
+whitelist ${HOME}/.local/share/Steam
-allow  ${HOME}/.local/share/SteamWorldDig
+whitelist ${HOME}/.local/share/SteamWorldDig
-allow  ${HOME}/.local/share/SteamWorld Dig 2
+whitelist ${HOME}/.local/share/SteamWorld Dig 2
-allow  ${HOME}/.local/share/SuperHexagon
+whitelist ${HOME}/.local/share/SuperHexagon
-allow  ${HOME}/.local/share/Terraria
+whitelist ${HOME}/.local/share/Terraria
-allow  ${HOME}/.local/share/vpltd
+whitelist ${HOME}/.local/share/vpltd
-allow  ${HOME}/.local/share/vulkan
+whitelist ${HOME}/.local/share/vulkan
-allow  ${HOME}/.mbwarband
+whitelist ${HOME}/.mbwarband
-allow  ${HOME}/.paradoxinteractive
+whitelist ${HOME}/.paradoxinteractive
-allow  ${HOME}/.steam
+whitelist ${HOME}/.steam
-allow  ${HOME}/.steampath
+whitelist ${HOME}/.steampath
-allow  ${HOME}/.steampid
+whitelist ${HOME}/.steampid
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/stellarium.profile b/etc/profile-m-z/stellarium.profile
index 003d3a079..a752ab53c 100644
--- a/etc/profile-m-z/stellarium.profile
+++ b/etc/profile-m-z/stellarium.profile
@@ -6,8 +6,8 @@ include stellarium.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/stellarium
+noblacklist ${HOME}/.config/stellarium
-nodeny  ${HOME}/.stellarium
+noblacklist ${HOME}/.stellarium
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-shell.inc
 mkdir ${HOME}/.config/stellarium
 mkdir ${HOME}/.stellarium
-allow  ${HOME}/.config/stellarium
+whitelist ${HOME}/.config/stellarium
-allow  ${HOME}/.stellarium
+whitelist ${HOME}/.stellarium
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile
index dd643bc20..d73927f2a 100644
--- a/etc/profile-m-z/straw-viewer.profile
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -7,13 +7,13 @@ include straw-viewer.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/straw-viewer
+noblacklist ${HOME}/.cache/straw-viewer
-nodeny  ${HOME}/.config/straw-viewer
+noblacklist ${HOME}/.config/straw-viewer
 mkdir ${HOME}/.config/straw-viewer
 mkdir ${HOME}/.cache/straw-viewer
-allow  ${HOME}/.cache/straw-viewer
+whitelist ${HOME}/.cache/straw-viewer
-allow  ${HOME}/.config/straw-viewer
+whitelist ${HOME}/.config/straw-viewer
 private-bin gtk-straw-viewer,straw-viewer
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile
index aed0b7910..b87906f55 100644
--- a/etc/profile-m-z/strawberry.profile
+++ b/etc/profile-m-z/strawberry.profile
@@ -6,10 +6,10 @@ include strawberry.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/strawberry
+noblacklist ${HOME}/.cache/strawberry
-nodeny  ${HOME}/.config/strawberry
+noblacklist ${HOME}/.config/strawberry
-nodeny  ${HOME}/.local/share/strawberry
+noblacklist ${HOME}/.local/share/strawberry
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/strings.profile b/etc/profile-m-z/strings.profile
index 5c820ef81..1ebcded7f 100644
--- a/etc/profile-m-z/strings.profile
+++ b/etc/profile-m-z/strings.profile
@@ -7,7 +7,7 @@ include strings.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
 #include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile
index 0d07b5ea7..bbe92fd38 100644
--- a/etc/profile-m-z/subdownloader.profile
+++ b/etc/profile-m-z/subdownloader.profile
@@ -6,8 +6,8 @@ include subdownloader.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/SubDownloader
+noblacklist ${HOME}/.config/SubDownloader
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index 8cc547805..cfd7a63ea 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -6,7 +6,7 @@ include supertux2.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/supertux2
+noblacklist ${HOME}/.local/share/supertux2
 include disable-common.inc
 include disable-devel.inc
@@ -18,9 +18,9 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.local/share/supertux2
-allow  ${HOME}/.local/share/supertux2
+whitelist ${HOME}/.local/share/supertux2
-allow  /usr/share/supertux2
+whitelist /usr/share/supertux2
-allow  /usr/share/games/supertux2       # Debian version
+whitelist /usr/share/games/supertux2    # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index 44dc1524f..4eb8f921c 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -6,11 +6,11 @@ include supertuxkart.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/supertuxkart
+noblacklist ${HOME}/.config/supertuxkart
-nodeny  ${HOME}/.cache/supertuxkart
+noblacklist ${HOME}/.cache/supertuxkart
-nodeny  ${HOME}/.local/share/supertuxkart
+noblacklist ${HOME}/.local/share/supertuxkart
-deny  /usr/libexec
+blacklist /usr/libexec
 include disable-common.inc
 include disable-devel.inc
@@ -24,11 +24,11 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/supertuxkart
 mkdir ${HOME}/.cache/supertuxkart
 mkdir ${HOME}/.local/share/supertuxkart
-allow  ${HOME}/.config/supertuxkart
+whitelist ${HOME}/.config/supertuxkart
-allow  ${HOME}/.cache/supertuxkart
+whitelist ${HOME}/.cache/supertuxkart
-allow  ${HOME}/.local/share/supertuxkart
+whitelist ${HOME}/.local/share/supertuxkart
-allow  /usr/share/supertuxkart
+whitelist /usr/share/supertuxkart
-allow  /usr/share/games/supertuxkart    # Debian version
+whitelist /usr/share/games/supertuxkart # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/surf.profile b/etc/profile-m-z/surf.profile
index fd1e7f9e9..8db7d2433 100644
--- a/etc/profile-m-z/surf.profile
+++ b/etc/profile-m-z/surf.profile
@@ -6,7 +6,7 @@ include surf.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.surf
+noblacklist ${HOME}/.surf
 include disable-common.inc
 include disable-devel.inc
@@ -15,8 +15,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.surf
-allow  ${HOME}/.surf
+whitelist ${HOME}/.surf
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/swell-foop.profile b/etc/profile-m-z/swell-foop.profile
index 55cd0965a..9efae815d 100644
--- a/etc/profile-m-z/swell-foop.profile
+++ b/etc/profile-m-z/swell-foop.profile
@@ -6,12 +6,12 @@ include swell-foop.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.local/share/swell-foop
+noblacklist ${HOME}/.local/share/swell-foop
 mkdir ${HOME}/.local/share/swell-foop
-allow  ${HOME}/.local/share/swell-foop
+whitelist ${HOME}/.local/share/swell-foop
-allow  /usr/share/swell-foop
+whitelist /usr/share/swell-foop
 private-bin swell-foop
diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile
index 447cdc99e..328812b04 100644
--- a/etc/profile-m-z/sylpheed.profile
+++ b/etc/profile-m-z/sylpheed.profile
@@ -6,12 +6,12 @@ include sylpheed.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.sylpheed-2.0
+noblacklist ${HOME}/.sylpheed-2.0
 mkdir ${HOME}/.sylpheed-2.0
-allow  ${HOME}/.sylpheed-2.0
+whitelist ${HOME}/.sylpheed-2.0
-allow  /usr/share/sylpheed
+whitelist /usr/share/sylpheed
 # private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed
diff --git a/etc/profile-m-z/synfigstudio.profile b/etc/profile-m-z/synfigstudio.profile
index 7cbbafd54..c60186c42 100644
--- a/etc/profile-m-z/synfigstudio.profile
+++ b/etc/profile-m-z/synfigstudio.profile
@@ -6,8 +6,8 @@ include synfigstudio.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/synfig
+noblacklist ${HOME}/.config/synfig
-nodeny  ${HOME}/.synfig
+noblacklist ${HOME}/.synfig
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile
index f20f88791..b52b25b96 100644
--- a/etc/profile-m-z/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -6,7 +6,7 @@ include sysprof.local
 # Persistent global definitions
 include globals.local
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -24,15 +24,15 @@ include disable-xdg.inc
 #nowhitelist /usr/share/yelp-tools
 #nowhitelist /usr/share/yelp-xsl
-nodeny  ${HOME}/.config/yelp
+noblacklist ${HOME}/.config/yelp
 mkdir ${HOME}/.config/yelp
-allow  ${HOME}/.config/yelp
+whitelist ${HOME}/.config/yelp
-allow  /usr/share/help/C/sysprof
+whitelist /usr/share/help/C/sysprof
-allow  /usr/share/yelp
+whitelist /usr/share/yelp
-allow  /usr/share/yelp-tools
+whitelist /usr/share/yelp-tools
-allow  /usr/share/yelp-xsl
+whitelist /usr/share/yelp-xsl
-allow  ${DOCUMENTS}
+whitelist ${DOCUMENTS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index 74c8a0849..0d3a900e9 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -12,7 +12,7 @@ ignore include disable-shell.inc
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop
 # all capabilities this is automatically read-only.
-nodeny  /var/lib/pacman
+noblacklist /var/lib/pacman
 private-etc alternatives,group,localtime,login.defs,passwd
 #private-lib libfakeroot,liblzma.so.*,libreadline.so.*
diff --git a/etc/profile-m-z/tb-starter-wrapper.profile b/etc/profile-m-z/tb-starter-wrapper.profile
index 691c33191..ffe9605b6 100644
--- a/etc/profile-m-z/tb-starter-wrapper.profile
+++ b/etc/profile-m-z/tb-starter-wrapper.profile
@@ -8,10 +8,10 @@ include tb-starter-wrapper.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tb
+noblacklist ${HOME}/.tb
 mkdir ${HOME}/.tb
-allow  ${HOME}/.tb
+whitelist ${HOME}/.tb
 private-bin tb-starter-wrapper
diff --git a/etc/profile-m-z/tcpdump.profile b/etc/profile-m-z/tcpdump.profile
index b4c4873b3..e2ba5893c 100644
--- a/etc/profile-m-z/tcpdump.profile
+++ b/etc/profile-m-z/tcpdump.profile
@@ -6,9 +6,9 @@ include tcpdump.local
 # Persistent global definitions
 include globals.local
-nodeny  /sbin
+noblacklist /sbin
-nodeny  /usr/sbin
+noblacklist /usr/sbin
-nodeny  ${PATH}/tcpdump
+noblacklist ${PATH}/tcpdump
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile
index 24cbb42da..eee083332 100644
--- a/etc/profile-m-z/teams-for-linux.profile
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -14,10 +14,10 @@ ignore include whitelist-usr-share-common.inc
 ignore dbus-user none
 ignore dbus-system none
-nodeny  ${HOME}/.config/teams-for-linux
+noblacklist ${HOME}/.config/teams-for-linux
 mkdir ${HOME}/.config/teams-for-linux
-allow  ${HOME}/.config/teams-for-linux
+whitelist ${HOME}/.config/teams-for-linux
 private-bin bash,cut,echo,egrep,grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
 private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl
diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile
index 8639edbc8..c8d98cbaa 100644
--- a/etc/profile-m-z/teams.profile
+++ b/etc/profile-m-z/teams.profile
@@ -18,13 +18,13 @@ ignore apparmor
 ignore dbus-user none
 ignore dbus-system none
-nodeny  ${HOME}/.config/teams
+noblacklist ${HOME}/.config/teams
-nodeny  ${HOME}/.config/Microsoft
+noblacklist ${HOME}/.config/Microsoft
 mkdir ${HOME}/.config/teams
 mkdir ${HOME}/.config/Microsoft
-allow  ${HOME}/.config/teams
+whitelist ${HOME}/.config/teams
-allow  ${HOME}/.config/Microsoft
+whitelist ${HOME}/.config/Microsoft
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/teamspeak3.profile b/etc/profile-m-z/teamspeak3.profile
index 781a5f4eb..02a2c8ae4 100644
--- a/etc/profile-m-z/teamspeak3.profile
+++ b/etc/profile-m-z/teamspeak3.profile
@@ -6,8 +6,8 @@ include teamspeak3.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.ts3client
+noblacklist ${HOME}/.ts3client
-nodeny  ${PATH}/openssl
+noblacklist ${PATH}/openssl
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.ts3client
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.ts3client
+whitelist ${HOME}/.ts3client
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/teeworlds.profile b/etc/profile-m-z/teeworlds.profile
index c9c444ffc..be01aee12 100644
--- a/etc/profile-m-z/teeworlds.profile
+++ b/etc/profile-m-z/teeworlds.profile
@@ -6,7 +6,7 @@ include teeworlds.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.teeworlds
+noblacklist ${HOME}/.teeworlds
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.teeworlds
-allow  ${HOME}/.teeworlds
+whitelist ${HOME}/.teeworlds
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index 92689a461..53f932eef 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -5,8 +5,8 @@ include telegram.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.TelegramDesktop
+noblacklist ${HOME}/.TelegramDesktop
-nodeny  ${HOME}/.local/share/TelegramDesktop
+noblacklist ${HOME}/.local/share/TelegramDesktop
 include disable-common.inc
 include disable-devel.inc
@@ -19,9 +19,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.TelegramDesktop
 mkdir ${HOME}/.local/share/TelegramDesktop
-allow  ${HOME}/.TelegramDesktop
+whitelist ${HOME}/.TelegramDesktop
-allow  ${HOME}/.local/share/TelegramDesktop
+whitelist ${HOME}/.local/share/TelegramDesktop
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -48,6 +48,7 @@ private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.
 private-tmp
 dbus-user filter
+dbus-user.own org.telegram.desktop.*
 dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-user.talk org.gnome.Mutter.IdleMonitor
diff --git a/etc/profile-m-z/terasology.profile b/etc/profile-m-z/terasology.profile
index b2f98fbac..ce2ca1d17 100644
--- a/etc/profile-m-z/terasology.profile
+++ b/etc/profile-m-z/terasology.profile
@@ -7,7 +7,7 @@ include globals.local
 ignore noexec /tmp
-nodeny  ${HOME}/.local/share/terasology
+noblacklist ${HOME}/.local/share/terasology
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -21,8 +21,8 @@ include disable-programs.inc
 mkdir ${HOME}/.java
 mkdir ${HOME}/.local/share/terasology
-allow  ${HOME}/.java
+whitelist ${HOME}/.java
-allow  ${HOME}/.local/share/terasology
+whitelist ${HOME}/.local/share/terasology
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index a539cadf8..b478fbe1e 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -22,14 +22,14 @@ writable-run-user
 #writable-var
 # These lines are needed to allow Firefox to load your profile when clicking a link in an email
-nodeny  ${HOME}/.mozilla
+noblacklist ${HOME}/.mozilla
-allow  ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.mozilla/firefox/profiles.ini
-nodeny  ${HOME}/.cache/thunderbird
+noblacklist ${HOME}/.cache/thunderbird
-nodeny  ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
 # noblacklist ${HOME}/.icedove
-nodeny  ${HOME}/.thunderbird
+noblacklist ${HOME}/.thunderbird
 include disable-passwdmgr.inc
 include disable-xdg.inc
@@ -42,15 +42,15 @@ mkdir ${HOME}/.cache/thunderbird
 mkdir ${HOME}/.gnupg
 # mkdir ${HOME}/.icedove
 mkdir ${HOME}/.thunderbird
-allow  ${HOME}/.cache/thunderbird
+whitelist ${HOME}/.cache/thunderbird
-allow  ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
 # whitelist ${HOME}/.icedove
-allow  ${HOME}/.thunderbird
+whitelist ${HOME}/.thunderbird
-allow  /usr/share/gnupg
+whitelist /usr/share/gnupg
-allow  /usr/share/mozilla
+whitelist /usr/share/mozilla
-allow  /usr/share/thunderbird
+whitelist /usr/share/thunderbird
-allow  /usr/share/webext
+whitelist /usr/share/webext
 include whitelist-usr-share-common.inc
 # machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required
diff --git a/etc/profile-m-z/tilp.profile b/etc/profile-m-z/tilp.profile
index b0fa54f08..dd4a372c4 100644
--- a/etc/profile-m-z/tilp.profile
+++ b/etc/profile-m-z/tilp.profile
@@ -5,7 +5,7 @@ include tilp.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.tilp
+noblacklist ${HOME}/.tilp
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile
index 3ee696b8b..e0ed3090a 100644
--- a/etc/profile-m-z/tin.profile
+++ b/etc/profile-m-z/tin.profile
@@ -6,12 +6,12 @@ include tin.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.newsrc
+noblacklist ${HOME}/.newsrc
-nodeny  ${HOME}/.tin
+noblacklist ${HOME}/.tin
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
-deny  /usr/libexec
+blacklist /usr/libexec
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/tmux.profile b/etc/profile-m-z/tmux.profile
index d2e90e356..0139d7515 100644
--- a/etc/profile-m-z/tmux.profile
+++ b/etc/profile-m-z/tmux.profile
@@ -7,10 +7,10 @@ include tmux.local
 # Persistent global definitions
 include globals.local
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
-nodeny  /tmp/tmux-*
+noblacklist /tmp/tmux-*
 # include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/profile-m-z/tor-browser-ar.profile b/etc/profile-m-z/tor-browser-ar.profile
index 49158b93e..59f1bc3b1 100644
--- a/etc/profile-m-z/tor-browser-ar.profile
+++ b/etc/profile-m-z/tor-browser-ar.profile
@@ -6,10 +6,10 @@ include tor-browser-ar.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-ar
+noblacklist ${HOME}/.tor-browser-ar
 mkdir ${HOME}/.tor-browser-ar
-allow  ${HOME}/.tor-browser-ar
+whitelist ${HOME}/.tor-browser-ar
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ca.profile b/etc/profile-m-z/tor-browser-ca.profile
index 612f8bd7c..68577e352 100644
--- a/etc/profile-m-z/tor-browser-ca.profile
+++ b/etc/profile-m-z/tor-browser-ca.profile
@@ -6,10 +6,10 @@ include tor-browser-ca.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-ca
+noblacklist ${HOME}/.tor-browser-ca
 mkdir ${HOME}/.tor-browser-ca
-allow  ${HOME}/.tor-browser-ca
+whitelist ${HOME}/.tor-browser-ca
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-cs.profile b/etc/profile-m-z/tor-browser-cs.profile
index a400fde05..33e51fcd0 100644
--- a/etc/profile-m-z/tor-browser-cs.profile
+++ b/etc/profile-m-z/tor-browser-cs.profile
@@ -6,10 +6,10 @@ include tor-browser-cs.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-cs
+noblacklist ${HOME}/.tor-browser-cs
 mkdir ${HOME}/.tor-browser-cs
-allow  ${HOME}/.tor-browser-cs
+whitelist ${HOME}/.tor-browser-cs
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-da.profile b/etc/profile-m-z/tor-browser-da.profile
index 9010025e3..440bb7fc3 100644
--- a/etc/profile-m-z/tor-browser-da.profile
+++ b/etc/profile-m-z/tor-browser-da.profile
@@ -6,10 +6,10 @@ include tor-browser-da.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-da
+noblacklist ${HOME}/.tor-browser-da
 mkdir ${HOME}/.tor-browser-da
-allow  ${HOME}/.tor-browser-da
+whitelist ${HOME}/.tor-browser-da
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-de.profile b/etc/profile-m-z/tor-browser-de.profile
index cd556c32b..b2b98cf82 100644
--- a/etc/profile-m-z/tor-browser-de.profile
+++ b/etc/profile-m-z/tor-browser-de.profile
@@ -6,10 +6,10 @@ include tor-browser-de.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-de
+noblacklist ${HOME}/.tor-browser-de
 mkdir ${HOME}/.tor-browser-de
-allow  ${HOME}/.tor-browser-de
+whitelist ${HOME}/.tor-browser-de
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-el.profile b/etc/profile-m-z/tor-browser-el.profile
index ee2b0fea7..626757dd5 100644
--- a/etc/profile-m-z/tor-browser-el.profile
+++ b/etc/profile-m-z/tor-browser-el.profile
@@ -6,10 +6,10 @@ include tor-browser-el.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-el
+noblacklist ${HOME}/.tor-browser-el
 mkdir ${HOME}/.tor-browser-el
-allow  ${HOME}/.tor-browser-el
+whitelist ${HOME}/.tor-browser-el
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-en-us.profile b/etc/profile-m-z/tor-browser-en-us.profile
index 2be71a5aa..15e690748 100644
--- a/etc/profile-m-z/tor-browser-en-us.profile
+++ b/etc/profile-m-z/tor-browser-en-us.profile
@@ -6,10 +6,10 @@ include tor-browser-en-us.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-en-us
+noblacklist ${HOME}/.tor-browser-en-us
 mkdir ${HOME}/.tor-browser-en-us
-allow  ${HOME}/.tor-browser-en-us
+whitelist ${HOME}/.tor-browser-en-us
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-en.profile b/etc/profile-m-z/tor-browser-en.profile
index 633c2f4f9..ef8c1eb8b 100644
--- a/etc/profile-m-z/tor-browser-en.profile
+++ b/etc/profile-m-z/tor-browser-en.profile
@@ -6,10 +6,10 @@ include tor-browser-en.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-en
+noblacklist ${HOME}/.tor-browser-en
 mkdir ${HOME}/.tor-browser-en
-allow  ${HOME}/.tor-browser-en
+whitelist ${HOME}/.tor-browser-en
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-es-es.profile b/etc/profile-m-z/tor-browser-es-es.profile
index f7c2302a7..ad734662e 100644
--- a/etc/profile-m-z/tor-browser-es-es.profile
+++ b/etc/profile-m-z/tor-browser-es-es.profile
@@ -6,10 +6,10 @@ include tor-browser-es-es.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-es-es
+noblacklist ${HOME}/.tor-browser-es-es
 mkdir ${HOME}/.tor-browser-es-es
-allow  ${HOME}/.tor-browser-es-es
+whitelist ${HOME}/.tor-browser-es-es
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-es.profile b/etc/profile-m-z/tor-browser-es.profile
index d88dcdec1..97d8d8577 100644
--- a/etc/profile-m-z/tor-browser-es.profile
+++ b/etc/profile-m-z/tor-browser-es.profile
@@ -6,10 +6,10 @@ include tor-browser-es.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-es
+noblacklist ${HOME}/.tor-browser-es
 mkdir ${HOME}/.tor-browser-es
-allow  ${HOME}/.tor-browser-es
+whitelist ${HOME}/.tor-browser-es
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-fa.profile b/etc/profile-m-z/tor-browser-fa.profile
index 3f7074fdb..095be69e4 100644
--- a/etc/profile-m-z/tor-browser-fa.profile
+++ b/etc/profile-m-z/tor-browser-fa.profile
@@ -6,10 +6,10 @@ include tor-browser-fa.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-fa
+noblacklist ${HOME}/.tor-browser-fa
 mkdir ${HOME}/.tor-browser-fa
-allow  ${HOME}/.tor-browser-fa
+whitelist ${HOME}/.tor-browser-fa
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-fr.profile b/etc/profile-m-z/tor-browser-fr.profile
index ef14f44a2..37f61fc3a 100644
--- a/etc/profile-m-z/tor-browser-fr.profile
+++ b/etc/profile-m-z/tor-browser-fr.profile
@@ -6,10 +6,10 @@ include tor-browser-fr.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-fr
+noblacklist ${HOME}/.tor-browser-fr
 mkdir ${HOME}/.tor-browser-fr
-allow  ${HOME}/.tor-browser-fr
+whitelist ${HOME}/.tor-browser-fr
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ga-ie.profile b/etc/profile-m-z/tor-browser-ga-ie.profile
index 06baaf34f..ab7141fc4 100644
--- a/etc/profile-m-z/tor-browser-ga-ie.profile
+++ b/etc/profile-m-z/tor-browser-ga-ie.profile
@@ -6,10 +6,10 @@ include tor-browser-ga-ie.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-ga-ie
+noblacklist ${HOME}/.tor-browser-ga-ie
 mkdir ${HOME}/.tor-browser-ga-ie
-allow  ${HOME}/.tor-browser-ga-ie
+whitelist ${HOME}/.tor-browser-ga-ie
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-he.profile b/etc/profile-m-z/tor-browser-he.profile
index 57588ffc7..ae56f3b7f 100644
--- a/etc/profile-m-z/tor-browser-he.profile
+++ b/etc/profile-m-z/tor-browser-he.profile
@@ -6,10 +6,10 @@ include tor-browser-he.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-he
+noblacklist ${HOME}/.tor-browser-he
 mkdir ${HOME}/.tor-browser-he
-allow  ${HOME}/.tor-browser-he
+whitelist ${HOME}/.tor-browser-he
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-hu.profile b/etc/profile-m-z/tor-browser-hu.profile
index a10b66a24..65cd18ac8 100644
--- a/etc/profile-m-z/tor-browser-hu.profile
+++ b/etc/profile-m-z/tor-browser-hu.profile
@@ -6,10 +6,10 @@ include tor-browser-hu.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-hu
+noblacklist ${HOME}/.tor-browser-hu
 mkdir ${HOME}/.tor-browser-hu
-allow  ${HOME}/.tor-browser-hu
+whitelist ${HOME}/.tor-browser-hu
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-id.profile b/etc/profile-m-z/tor-browser-id.profile
index fcdb822cd..57fe09f47 100644
--- a/etc/profile-m-z/tor-browser-id.profile
+++ b/etc/profile-m-z/tor-browser-id.profile
@@ -6,10 +6,10 @@ include tor-browser-id.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-id
+noblacklist ${HOME}/.tor-browser-id
 mkdir ${HOME}/.tor-browser-id
-allow  ${HOME}/.tor-browser-id
+whitelist ${HOME}/.tor-browser-id
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-is.profile b/etc/profile-m-z/tor-browser-is.profile
index 45b47c108..54f1df42d 100644
--- a/etc/profile-m-z/tor-browser-is.profile
+++ b/etc/profile-m-z/tor-browser-is.profile
@@ -6,10 +6,10 @@ include tor-browser-is.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-is
+noblacklist ${HOME}/.tor-browser-is
 mkdir ${HOME}/.tor-browser-is
-allow  ${HOME}/.tor-browser-is
+whitelist ${HOME}/.tor-browser-is
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-it.profile b/etc/profile-m-z/tor-browser-it.profile
index b5a2f7c13..a7d46e875 100644
--- a/etc/profile-m-z/tor-browser-it.profile
+++ b/etc/profile-m-z/tor-browser-it.profile
@@ -6,10 +6,10 @@ include tor-browser-it.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-it
+noblacklist ${HOME}/.tor-browser-it
 mkdir ${HOME}/.tor-browser-it
-allow  ${HOME}/.tor-browser-it
+whitelist ${HOME}/.tor-browser-it
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ja.profile b/etc/profile-m-z/tor-browser-ja.profile
index e1f023bd4..b89016141 100644
--- a/etc/profile-m-z/tor-browser-ja.profile
+++ b/etc/profile-m-z/tor-browser-ja.profile
@@ -6,10 +6,10 @@ include tor-browser-ja.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-ja
+noblacklist ${HOME}/.tor-browser-ja
 mkdir ${HOME}/.tor-browser-ja
-allow  ${HOME}/.tor-browser-ja
+whitelist ${HOME}/.tor-browser-ja
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ka.profile b/etc/profile-m-z/tor-browser-ka.profile
index 17930b58e..b57cf10de 100644
--- a/etc/profile-m-z/tor-browser-ka.profile
+++ b/etc/profile-m-z/tor-browser-ka.profile
@@ -6,10 +6,10 @@ include tor-browser-ka.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-ka
+noblacklist ${HOME}/.tor-browser-ka
 mkdir ${HOME}/.tor-browser-ka
-allow  ${HOME}/.tor-browser-ka
+whitelist ${HOME}/.tor-browser-ka
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ko.profile b/etc/profile-m-z/tor-browser-ko.profile
index b33d1edb4..a9bedb6fd 100644
--- a/etc/profile-m-z/tor-browser-ko.profile
+++ b/etc/profile-m-z/tor-browser-ko.profile
@@ -6,10 +6,10 @@ include tor-browser-ko.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-ko
+noblacklist ${HOME}/.tor-browser-ko
 mkdir ${HOME}/.tor-browser-ko
-allow  ${HOME}/.tor-browser-ko
+whitelist ${HOME}/.tor-browser-ko
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-nb.profile b/etc/profile-m-z/tor-browser-nb.profile
index b462eb9ac..fbe9f92bd 100644
--- a/etc/profile-m-z/tor-browser-nb.profile
+++ b/etc/profile-m-z/tor-browser-nb.profile
@@ -6,10 +6,10 @@ include tor-browser-nb.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-nb
+noblacklist ${HOME}/.tor-browser-nb
 mkdir ${HOME}/.tor-browser-nb
-allow  ${HOME}/.tor-browser-nb
+whitelist ${HOME}/.tor-browser-nb
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-nl.profile b/etc/profile-m-z/tor-browser-nl.profile
index 0225eb6fd..678ac1713 100644
--- a/etc/profile-m-z/tor-browser-nl.profile
+++ b/etc/profile-m-z/tor-browser-nl.profile
@@ -6,10 +6,10 @@ include tor-browser-nl.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-nl
+noblacklist ${HOME}/.tor-browser-nl
 mkdir ${HOME}/.tor-browser-nl
-allow  ${HOME}/.tor-browser-nl
+whitelist ${HOME}/.tor-browser-nl
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-pl.profile b/etc/profile-m-z/tor-browser-pl.profile
index 75604b458..25d473b1a 100644
--- a/etc/profile-m-z/tor-browser-pl.profile
+++ b/etc/profile-m-z/tor-browser-pl.profile
@@ -6,10 +6,10 @@ include tor-browser-pl.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-pl
+noblacklist ${HOME}/.tor-browser-pl
 mkdir ${HOME}/.tor-browser-pl
-allow  ${HOME}/.tor-browser-pl
+whitelist ${HOME}/.tor-browser-pl
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-pt-br.profile b/etc/profile-m-z/tor-browser-pt-br.profile
index 4d50d8034..55adbd5ea 100644
--- a/etc/profile-m-z/tor-browser-pt-br.profile
+++ b/etc/profile-m-z/tor-browser-pt-br.profile
@@ -6,10 +6,10 @@ include tor-browser-pt-br.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-pt-br
+noblacklist ${HOME}/.tor-browser-pt-br
 mkdir ${HOME}/.tor-browser-pt-br
-allow  ${HOME}/.tor-browser-pt-br
+whitelist ${HOME}/.tor-browser-pt-br
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ru.profile b/etc/profile-m-z/tor-browser-ru.profile
index 4bca3c46f..aea13be9d 100644
--- a/etc/profile-m-z/tor-browser-ru.profile
+++ b/etc/profile-m-z/tor-browser-ru.profile
@@ -6,10 +6,10 @@ include tor-browser-ru.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-ru
+noblacklist ${HOME}/.tor-browser-ru
 mkdir ${HOME}/.tor-browser-ru
-allow  ${HOME}/.tor-browser-ru
+whitelist ${HOME}/.tor-browser-ru
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-sv-se.profile b/etc/profile-m-z/tor-browser-sv-se.profile
index 1b319dc43..b7882bd04 100644
--- a/etc/profile-m-z/tor-browser-sv-se.profile
+++ b/etc/profile-m-z/tor-browser-sv-se.profile
@@ -6,10 +6,10 @@ include tor-browser-sv-se.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-sv-se
+noblacklist ${HOME}/.tor-browser-sv-se
 mkdir ${HOME}/.tor-browser-sv-se
-allow  ${HOME}/.tor-browser-sv-se
+whitelist ${HOME}/.tor-browser-sv-se
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-tr.profile b/etc/profile-m-z/tor-browser-tr.profile
index 0775a0c08..c52e8c4c4 100644
--- a/etc/profile-m-z/tor-browser-tr.profile
+++ b/etc/profile-m-z/tor-browser-tr.profile
@@ -6,10 +6,10 @@ include tor-browser-tr.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-tr
+noblacklist ${HOME}/.tor-browser-tr
 mkdir ${HOME}/.tor-browser-tr
-allow  ${HOME}/.tor-browser-tr
+whitelist ${HOME}/.tor-browser-tr
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-vi.profile b/etc/profile-m-z/tor-browser-vi.profile
index c4d5a7a76..d5bf76655 100644
--- a/etc/profile-m-z/tor-browser-vi.profile
+++ b/etc/profile-m-z/tor-browser-vi.profile
@@ -6,10 +6,10 @@ include tor-browser-vi.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-vi
+noblacklist ${HOME}/.tor-browser-vi
 mkdir ${HOME}/.tor-browser-vi
-allow  ${HOME}/.tor-browser-vi
+whitelist ${HOME}/.tor-browser-vi
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-zh-cn.profile b/etc/profile-m-z/tor-browser-zh-cn.profile
index 4cd287e5d..6c8925a4a 100644
--- a/etc/profile-m-z/tor-browser-zh-cn.profile
+++ b/etc/profile-m-z/tor-browser-zh-cn.profile
@@ -6,10 +6,10 @@ include tor-browser-zh-cn.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-zh-cn
+noblacklist ${HOME}/.tor-browser-zh-cn
 mkdir ${HOME}/.tor-browser-zh-cn
-allow  ${HOME}/.tor-browser-zh-cn
+whitelist ${HOME}/.tor-browser-zh-cn
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-zh-tw.profile b/etc/profile-m-z/tor-browser-zh-tw.profile
index c75baf522..141a6701e 100644
--- a/etc/profile-m-z/tor-browser-zh-tw.profile
+++ b/etc/profile-m-z/tor-browser-zh-tw.profile
@@ -6,10 +6,10 @@ include tor-browser-zh-tw.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser-zh-tw
+noblacklist ${HOME}/.tor-browser-zh-tw
 mkdir ${HOME}/.tor-browser-zh-tw
-allow  ${HOME}/.tor-browser-zh-tw
+whitelist ${HOME}/.tor-browser-zh-tw
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser.profile b/etc/profile-m-z/tor-browser.profile
index 8a2dbda53..76a0e1fa5 100644
--- a/etc/profile-m-z/tor-browser.profile
+++ b/etc/profile-m-z/tor-browser.profile
@@ -6,10 +6,10 @@ include tor-browser.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser
+noblacklist ${HOME}/.tor-browser
 mkdir ${HOME}/.tor-browser
-allow  ${HOME}/.tor-browser
+whitelist ${HOME}/.tor-browser
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ar.profile b/etc/profile-m-z/tor-browser_ar.profile
index 90b5a0960..d811b7549 100644
--- a/etc/profile-m-z/tor-browser_ar.profile
+++ b/etc/profile-m-z/tor-browser_ar.profile
@@ -6,10 +6,10 @@ include tor-browser_ar.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_ar
+noblacklist ${HOME}/.tor-browser_ar
 mkdir ${HOME}/.tor-browser_ar
-allow  ${HOME}/.tor-browser_ar
+whitelist ${HOME}/.tor-browser_ar
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ca.profile b/etc/profile-m-z/tor-browser_ca.profile
index a04207ccd..8bf1f7cd4 100644
--- a/etc/profile-m-z/tor-browser_ca.profile
+++ b/etc/profile-m-z/tor-browser_ca.profile
@@ -6,10 +6,10 @@ include tor-browser_ca.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_ca
+noblacklist ${HOME}/.tor-browser_ca
 mkdir ${HOME}/.tor-browser_ca
-allow  ${HOME}/.tor-browser_ca
+whitelist ${HOME}/.tor-browser_ca
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_cs.profile b/etc/profile-m-z/tor-browser_cs.profile
index b99ad14a8..b41107bf1 100644
--- a/etc/profile-m-z/tor-browser_cs.profile
+++ b/etc/profile-m-z/tor-browser_cs.profile
@@ -6,10 +6,10 @@ include tor-browser_cs.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_cs
+noblacklist ${HOME}/.tor-browser_cs
 mkdir ${HOME}/.tor-browser_cs
-allow  ${HOME}/.tor-browser_cs
+whitelist ${HOME}/.tor-browser_cs
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_da.profile b/etc/profile-m-z/tor-browser_da.profile
index 545e53b7e..cbec4ee2e 100644
--- a/etc/profile-m-z/tor-browser_da.profile
+++ b/etc/profile-m-z/tor-browser_da.profile
@@ -6,10 +6,10 @@ include tor-browser_da.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_da
+noblacklist ${HOME}/.tor-browser_da
 mkdir ${HOME}/.tor-browser_da
-allow  ${HOME}/.tor-browser_da
+whitelist ${HOME}/.tor-browser_da
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_de.profile b/etc/profile-m-z/tor-browser_de.profile
index 545f82f72..ea26765d3 100644
--- a/etc/profile-m-z/tor-browser_de.profile
+++ b/etc/profile-m-z/tor-browser_de.profile
@@ -6,10 +6,10 @@ include tor-browser_de.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_de
+noblacklist ${HOME}/.tor-browser_de
 mkdir ${HOME}/.tor-browser_de
-allow  ${HOME}/.tor-browser_de
+whitelist ${HOME}/.tor-browser_de
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_el.profile b/etc/profile-m-z/tor-browser_el.profile
index 3120b1701..ff57a8722 100644
--- a/etc/profile-m-z/tor-browser_el.profile
+++ b/etc/profile-m-z/tor-browser_el.profile
@@ -6,10 +6,10 @@ include tor-browser_el.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_el
+noblacklist ${HOME}/.tor-browser_el
 mkdir ${HOME}/.tor-browser_el
-allow  ${HOME}/.tor-browser_el
+whitelist ${HOME}/.tor-browser_el
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_en-US.profile b/etc/profile-m-z/tor-browser_en-US.profile
index 6719ac057..18c92b638 100644
--- a/etc/profile-m-z/tor-browser_en-US.profile
+++ b/etc/profile-m-z/tor-browser_en-US.profile
@@ -6,10 +6,10 @@ include tor-browser_en-US.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_en-US
+noblacklist ${HOME}/.tor-browser_en-US
 mkdir ${HOME}/.tor-browser_en-US
-allow  ${HOME}/.tor-browser_en-US
+whitelist ${HOME}/.tor-browser_en-US
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_en.profile b/etc/profile-m-z/tor-browser_en.profile
index 4cbd37109..ebba83cc4 100644
--- a/etc/profile-m-z/tor-browser_en.profile
+++ b/etc/profile-m-z/tor-browser_en.profile
@@ -6,10 +6,10 @@ include tor-browser_en.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_en
+noblacklist ${HOME}/.tor-browser_en
 mkdir ${HOME}/.tor-browser_en
-allow  ${HOME}/.tor-browser_en
+whitelist ${HOME}/.tor-browser_en
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_es-ES.profile b/etc/profile-m-z/tor-browser_es-ES.profile
index 6c8a5987c..aecab38d5 100644
--- a/etc/profile-m-z/tor-browser_es-ES.profile
+++ b/etc/profile-m-z/tor-browser_es-ES.profile
@@ -6,10 +6,10 @@ include tor-browser_es-ES.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_es-ES
+noblacklist ${HOME}/.tor-browser_es-ES
 mkdir ${HOME}/.tor-browser_es-ES
-allow  ${HOME}/.tor-browser_es-ES
+whitelist ${HOME}/.tor-browser_es-ES
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_es.profile b/etc/profile-m-z/tor-browser_es.profile
index 7d358b7ca..e19e9b5e6 100644
--- a/etc/profile-m-z/tor-browser_es.profile
+++ b/etc/profile-m-z/tor-browser_es.profile
@@ -6,10 +6,10 @@ include tor-browser_es.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_es
+noblacklist ${HOME}/.tor-browser_es
 mkdir ${HOME}/.tor-browser_es
-allow  ${HOME}/.tor-browser_es
+whitelist ${HOME}/.tor-browser_es
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_fa.profile b/etc/profile-m-z/tor-browser_fa.profile
index fc4285c5d..68414c277 100644
--- a/etc/profile-m-z/tor-browser_fa.profile
+++ b/etc/profile-m-z/tor-browser_fa.profile
@@ -6,10 +6,10 @@ include tor-browser_fa.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_fa
+noblacklist ${HOME}/.tor-browser_fa
 mkdir ${HOME}/.tor-browser_fa
-allow  ${HOME}/.tor-browser_fa
+whitelist ${HOME}/.tor-browser_fa
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_fr.profile b/etc/profile-m-z/tor-browser_fr.profile
index 2d0c0ff1f..0a8bb30b7 100644
--- a/etc/profile-m-z/tor-browser_fr.profile
+++ b/etc/profile-m-z/tor-browser_fr.profile
@@ -6,10 +6,10 @@ include tor-browser_fr.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_fr
+noblacklist ${HOME}/.tor-browser_fr
 mkdir ${HOME}/.tor-browser_fr
-allow  ${HOME}/.tor-browser_fr
+whitelist ${HOME}/.tor-browser_fr
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ga-IE.profile b/etc/profile-m-z/tor-browser_ga-IE.profile
index 2880e1e2a..12354b900 100644
--- a/etc/profile-m-z/tor-browser_ga-IE.profile
+++ b/etc/profile-m-z/tor-browser_ga-IE.profile
@@ -6,10 +6,10 @@ include tor-browser_ga-IE.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_ga-IE
+noblacklist ${HOME}/.tor-browser_ga-IE
 mkdir ${HOME}/.tor-browser_ga-IE
-allow  ${HOME}/.tor-browser_ga-IE
+whitelist ${HOME}/.tor-browser_ga-IE
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_he.profile b/etc/profile-m-z/tor-browser_he.profile
index ac6993019..19cbb0809 100644
--- a/etc/profile-m-z/tor-browser_he.profile
+++ b/etc/profile-m-z/tor-browser_he.profile
@@ -6,10 +6,10 @@ include tor-browser_he.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_he
+noblacklist ${HOME}/.tor-browser_he
 mkdir ${HOME}/.tor-browser_he
-allow  ${HOME}/.tor-browser_he
+whitelist ${HOME}/.tor-browser_he
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_hu.profile b/etc/profile-m-z/tor-browser_hu.profile
index 6877a6be4..62b55e170 100644
--- a/etc/profile-m-z/tor-browser_hu.profile
+++ b/etc/profile-m-z/tor-browser_hu.profile
@@ -6,10 +6,10 @@ include tor-browser_hu.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_hu
+noblacklist ${HOME}/.tor-browser_hu
 mkdir ${HOME}/.tor-browser_hu
-allow  ${HOME}/.tor-browser_hu
+whitelist ${HOME}/.tor-browser_hu
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_id.profile b/etc/profile-m-z/tor-browser_id.profile
index 5f5601f74..2970a7747 100644
--- a/etc/profile-m-z/tor-browser_id.profile
+++ b/etc/profile-m-z/tor-browser_id.profile
@@ -6,10 +6,10 @@ include tor-browser_id.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_id
+noblacklist ${HOME}/.tor-browser_id
 mkdir ${HOME}/.tor-browser_id
-allow  ${HOME}/.tor-browser_id
+whitelist ${HOME}/.tor-browser_id
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_is.profile b/etc/profile-m-z/tor-browser_is.profile
index f0814d16e..f922c7644 100644
--- a/etc/profile-m-z/tor-browser_is.profile
+++ b/etc/profile-m-z/tor-browser_is.profile
@@ -6,10 +6,10 @@ include tor-browser_is.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_is
+noblacklist ${HOME}/.tor-browser_is
 mkdir ${HOME}/.tor-browser_is
-allow  ${HOME}/.tor-browser_is
+whitelist ${HOME}/.tor-browser_is
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_it.profile b/etc/profile-m-z/tor-browser_it.profile
index fa01f6bca..406901759 100644
--- a/etc/profile-m-z/tor-browser_it.profile
+++ b/etc/profile-m-z/tor-browser_it.profile
@@ -6,10 +6,10 @@ include tor-browser_it.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_it
+noblacklist ${HOME}/.tor-browser_it
 mkdir ${HOME}/.tor-browser_it
-allow  ${HOME}/.tor-browser_it
+whitelist ${HOME}/.tor-browser_it
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ja.profile b/etc/profile-m-z/tor-browser_ja.profile
index dde107dd3..8f9d8d751 100644
--- a/etc/profile-m-z/tor-browser_ja.profile
+++ b/etc/profile-m-z/tor-browser_ja.profile
@@ -6,10 +6,10 @@ include tor-browser_ja.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_ja
+noblacklist ${HOME}/.tor-browser_ja
 mkdir ${HOME}/.tor-browser_ja
-allow  ${HOME}/.tor-browser_ja
+whitelist ${HOME}/.tor-browser_ja
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ka.profile b/etc/profile-m-z/tor-browser_ka.profile
index 7de4dff65..4de4135e1 100644
--- a/etc/profile-m-z/tor-browser_ka.profile
+++ b/etc/profile-m-z/tor-browser_ka.profile
@@ -6,10 +6,10 @@ include tor-browser_ka.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_ka
+noblacklist ${HOME}/.tor-browser_ka
 mkdir ${HOME}/.tor-browser_ka
-allow  ${HOME}/.tor-browser_ka
+whitelist ${HOME}/.tor-browser_ka
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ko.profile b/etc/profile-m-z/tor-browser_ko.profile
index 7e3ceb4d9..125c733ce 100644
--- a/etc/profile-m-z/tor-browser_ko.profile
+++ b/etc/profile-m-z/tor-browser_ko.profile
@@ -6,10 +6,10 @@ include tor-browser_ko.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_ko
+noblacklist ${HOME}/.tor-browser_ko
 mkdir ${HOME}/.tor-browser_ko
-allow  ${HOME}/.tor-browser_ko
+whitelist ${HOME}/.tor-browser_ko
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_nb.profile b/etc/profile-m-z/tor-browser_nb.profile
index c11001960..dc6ac876b 100644
--- a/etc/profile-m-z/tor-browser_nb.profile
+++ b/etc/profile-m-z/tor-browser_nb.profile
@@ -6,10 +6,10 @@ include tor-browser_nb.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_nb
+noblacklist ${HOME}/.tor-browser_nb
 mkdir ${HOME}/.tor-browser_nb
-allow  ${HOME}/.tor-browser_nb
+whitelist ${HOME}/.tor-browser_nb
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_nl.profile b/etc/profile-m-z/tor-browser_nl.profile
index 2d1044f9d..2a3a5b519 100644
--- a/etc/profile-m-z/tor-browser_nl.profile
+++ b/etc/profile-m-z/tor-browser_nl.profile
@@ -6,10 +6,10 @@ include tor-browser_nl.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_nl
+noblacklist ${HOME}/.tor-browser_nl
 mkdir ${HOME}/.tor-browser_nl
-allow  ${HOME}/.tor-browser_nl
+whitelist ${HOME}/.tor-browser_nl
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_pl.profile b/etc/profile-m-z/tor-browser_pl.profile
index 2818320a0..b7dec32db 100644
--- a/etc/profile-m-z/tor-browser_pl.profile
+++ b/etc/profile-m-z/tor-browser_pl.profile
@@ -6,10 +6,10 @@ include tor-browser_pl.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_pl
+noblacklist ${HOME}/.tor-browser_pl
 mkdir ${HOME}/.tor-browser_pl
-allow  ${HOME}/.tor-browser_pl
+whitelist ${HOME}/.tor-browser_pl
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_pt-BR.profile b/etc/profile-m-z/tor-browser_pt-BR.profile
index 8c33e2545..7a7d4726c 100644
--- a/etc/profile-m-z/tor-browser_pt-BR.profile
+++ b/etc/profile-m-z/tor-browser_pt-BR.profile
@@ -6,10 +6,10 @@ include tor-browser_pt-BR.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_pt-BR
+noblacklist ${HOME}/.tor-browser_pt-BR
 mkdir ${HOME}/.tor-browser_pt-BR
-allow  ${HOME}/.tor-browser_pt-BR
+whitelist ${HOME}/.tor-browser_pt-BR
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ru.profile b/etc/profile-m-z/tor-browser_ru.profile
index 2553bb031..7d2e6bc97 100644
--- a/etc/profile-m-z/tor-browser_ru.profile
+++ b/etc/profile-m-z/tor-browser_ru.profile
@@ -6,10 +6,10 @@ include tor-browser_ru.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_ru
+noblacklist ${HOME}/.tor-browser_ru
 mkdir ${HOME}/.tor-browser_ru
-allow  ${HOME}/.tor-browser_ru
+whitelist ${HOME}/.tor-browser_ru
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_sv-SE.profile b/etc/profile-m-z/tor-browser_sv-SE.profile
index 3152cb658..585925e81 100644
--- a/etc/profile-m-z/tor-browser_sv-SE.profile
+++ b/etc/profile-m-z/tor-browser_sv-SE.profile
@@ -6,10 +6,10 @@ include tor-browser_sv-SE.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_sv-SE
+noblacklist ${HOME}/.tor-browser_sv-SE
 mkdir ${HOME}/.tor-browser_sv-SE
-allow  ${HOME}/.tor-browser_sv-SE
+whitelist ${HOME}/.tor-browser_sv-SE
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_tr.profile b/etc/profile-m-z/tor-browser_tr.profile
index 9808d4725..4b0cc3821 100644
--- a/etc/profile-m-z/tor-browser_tr.profile
+++ b/etc/profile-m-z/tor-browser_tr.profile
@@ -6,10 +6,10 @@ include tor-browser_tr.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_tr
+noblacklist ${HOME}/.tor-browser_tr
 mkdir ${HOME}/.tor-browser_tr
-allow  ${HOME}/.tor-browser_tr
+whitelist ${HOME}/.tor-browser_tr
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_vi.profile b/etc/profile-m-z/tor-browser_vi.profile
index 364fca40b..4dcfbf56d 100644
--- a/etc/profile-m-z/tor-browser_vi.profile
+++ b/etc/profile-m-z/tor-browser_vi.profile
@@ -6,10 +6,10 @@ include tor-browser_vi.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_vi
+noblacklist ${HOME}/.tor-browser_vi
 mkdir ${HOME}/.tor-browser_vi
-allow  ${HOME}/.tor-browser_vi
+whitelist ${HOME}/.tor-browser_vi
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_zh-CN.profile b/etc/profile-m-z/tor-browser_zh-CN.profile
index 193e8a399..1e03b8d6b 100644
--- a/etc/profile-m-z/tor-browser_zh-CN.profile
+++ b/etc/profile-m-z/tor-browser_zh-CN.profile
@@ -6,10 +6,10 @@ include tor-browser_zh-CN.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_zh-CN
+noblacklist ${HOME}/.tor-browser_zh-CN
 mkdir ${HOME}/.tor-browser_zh-CN
-allow  ${HOME}/.tor-browser_zh-CN
+whitelist ${HOME}/.tor-browser_zh-CN
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_zh-TW.profile b/etc/profile-m-z/tor-browser_zh-TW.profile
index 047be9b8e..a2dcf5cf1 100644
--- a/etc/profile-m-z/tor-browser_zh-TW.profile
+++ b/etc/profile-m-z/tor-browser_zh-TW.profile
@@ -6,10 +6,10 @@ include tor-browser_zh-TW.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.tor-browser_zh-TW
+noblacklist ${HOME}/.tor-browser_zh-TW
 mkdir ${HOME}/.tor-browser_zh-TW
-allow  ${HOME}/.tor-browser_zh-TW
+whitelist ${HOME}/.tor-browser_zh-TW
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index 65a37db5f..7659ed1e9 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -8,15 +8,15 @@ include globals.local
 ignore noexec ${HOME}
-nodeny  ${HOME}/.config/torbrowser
+noblacklist ${HOME}/.config/torbrowser
-nodeny  ${HOME}/.local/share/torbrowser
+noblacklist ${HOME}/.local/share/torbrowser
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
-deny  /opt
+blacklist /opt
-deny  /srv
+blacklist /srv
 include disable-common.inc
 include disable-devel.inc
@@ -28,10 +28,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/torbrowser
 mkdir ${HOME}/.local/share/torbrowser
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.config/torbrowser
+whitelist ${HOME}/.config/torbrowser
-allow  ${HOME}/.local/share/torbrowser
+whitelist ${HOME}/.local/share/torbrowser
-allow  /usr/share/torbrowser-launcher
+whitelist /usr/share/torbrowser-launcher
 include whitelist-common.inc
 include whitelist-var-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile
index c5d89c3e3..0f98a8f64 100644
--- a/etc/profile-m-z/torcs.profile
+++ b/etc/profile-m-z/torcs.profile
@@ -6,7 +6,7 @@ include torcs.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.torcs
+noblacklist ${HOME}/.torcs
 include disable-common.inc
 include disable-devel.inc
@@ -17,9 +17,9 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.torcs
-allow  ${HOME}/.torcs
+whitelist ${HOME}/.torcs
-allow  /usr/share/games/torcs
+whitelist /usr/share/games/torcs
-allow  /var/games/torcs
+whitelist /var/games/torcs
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index 77d3c55f8..70d9e0aee 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -13,8 +13,8 @@ include allow-lua.inc
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
-nodeny  ${HOME}/.config/totem
+noblacklist ${HOME}/.config/totem
-nodeny  ${HOME}/.local/share/totem
+noblacklist ${HOME}/.local/share/totem
 include disable-common.inc
 include disable-devel.inc
@@ -27,9 +27,9 @@ include disable-shell.inc
 read-only ${DESKTOP}
 mkdir ${HOME}/.config/totem
 mkdir ${HOME}/.local/share/totem
-allow  ${HOME}/.config/totem
+whitelist ${HOME}/.config/totem
-allow  ${HOME}/.local/share/totem
+whitelist ${HOME}/.local/share/totem
-allow  /usr/share/totem
+whitelist /usr/share/totem
 include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/tracker.profile b/etc/profile-m-z/tracker.profile
index 26f4abd0b..87c5de076 100644
--- a/etc/profile-m-z/tracker.profile
+++ b/etc/profile-m-z/tracker.profile
@@ -8,8 +8,8 @@ include globals.local
 # Tracker is started by systemd on most systems. Therefore it is not firejailed by default
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile
index d5920e2a2..ea118a9f0 100644
--- a/etc/profile-m-z/transgui.profile
+++ b/etc/profile-m-z/transgui.profile
@@ -6,7 +6,7 @@ include transgui.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/transgui
+noblacklist ${HOME}/.config/transgui
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/transgui
-allow  ${HOME}/.config/transgui
+whitelist ${HOME}/.config/transgui
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/transmission-common.profile b/etc/profile-m-z/transmission-common.profile
index 5c2cf9d9a..82671b709 100644
--- a/etc/profile-m-z/transmission-common.profile
+++ b/etc/profile-m-z/transmission-common.profile
@@ -7,8 +7,8 @@ include transmission-common.local
 # added by caller profile
 #include globals.local
-nodeny  ${HOME}/.cache/transmission
+noblacklist ${HOME}/.cache/transmission
-nodeny  ${HOME}/.config/transmission
+noblacklist ${HOME}/.config/transmission
 include disable-common.inc
 include disable-devel.inc
@@ -19,9 +19,9 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/transmission
 mkdir ${HOME}/.config/transmission
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.cache/transmission
+whitelist ${HOME}/.cache/transmission
-allow  ${HOME}/.config/transmission
+whitelist ${HOME}/.config/transmission
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile
index 9f0c464fc..348d3cb80 100644
--- a/etc/profile-m-z/transmission-daemon.profile
+++ b/etc/profile-m-z/transmission-daemon.profile
@@ -10,8 +10,8 @@ include globals.local
 ignore caps.drop all
 mkdir ${HOME}/.config/transmission-daemon
-allow  ${HOME}/.config/transmission-daemon
+whitelist ${HOME}/.config/transmission-daemon
-allow  /var/lib/transmission
+whitelist /var/lib/transmission
 caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
 protocol packet
diff --git a/etc/profile-m-z/transmission-remote-gtk.profile b/etc/profile-m-z/transmission-remote-gtk.profile
index 7c8eddcbc..a6400e2c0 100644
--- a/etc/profile-m-z/transmission-remote-gtk.profile
+++ b/etc/profile-m-z/transmission-remote-gtk.profile
@@ -7,10 +7,10 @@ include transmission-remote-gtk.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/transmission-remote-gtk
+noblacklist ${HOME}/.config/transmission-remote-gtk
 mkdir ${HOME}/.config/transmission-remote-gtk
-allow  ${HOME}/.config/transmission-remote-gtk
+whitelist ${HOME}/.config/transmission-remote-gtk
 private-etc fonts,hostname,hosts,resolv.conf
 # Problems with private-lib (see issue #2889)
diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile
index c2797ddaa..aba563fac 100644
--- a/etc/profile-m-z/tremulous.profile
+++ b/etc/profile-m-z/tremulous.profile
@@ -6,7 +6,7 @@ include tremulous.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.tremulous
+noblacklist ${HOME}/.tremulous
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.tremulous
-allow  ${HOME}/.tremulous
+whitelist ${HOME}/.tremulous
-allow  /usr/share/tremulous
+whitelist /usr/share/tremulous
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index 95f39b35d..2d95081f6 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -6,10 +6,10 @@ include trojita.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.abook
+noblacklist ${HOME}/.abook
-nodeny  ${HOME}/.mozilla
+noblacklist ${HOME}/.mozilla
-nodeny  ${HOME}/.cache/flaska.net/trojita
+noblacklist ${HOME}/.cache/flaska.net/trojita
-nodeny  ${HOME}/.config/flaska.net
+noblacklist ${HOME}/.config/flaska.net
 include disable-common.inc
 include disable-devel.inc
@@ -23,10 +23,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.abook
 mkdir ${HOME}/.cache/flaska.net/trojita
 mkdir ${HOME}/.config/flaska.net
-allow  ${HOME}/.abook
+whitelist ${HOME}/.abook
-allow  ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
-allow  ${HOME}/.cache/flaska.net/trojita
+whitelist ${HOME}/.cache/flaska.net/trojita
-allow  ${HOME}/.config/flaska.net
+whitelist ${HOME}/.config/flaska.net
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/truecraft.profile b/etc/profile-m-z/truecraft.profile
index 76f289a27..749626475 100644
--- a/etc/profile-m-z/truecraft.profile
+++ b/etc/profile-m-z/truecraft.profile
@@ -5,8 +5,8 @@ include truecraft.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/mono
+noblacklist ${HOME}/.config/mono
-nodeny  ${HOME}/.config/truecraft
+noblacklist ${HOME}/.config/truecraft
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 mkdir ${HOME}/.config/mono
 mkdir ${HOME}/.config/truecraft
-allow  ${HOME}/.config/mono
+whitelist ${HOME}/.config/mono
-allow  ${HOME}/.config/truecraft
+whitelist ${HOME}/.config/truecraft
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/ts3client_runscript.sh.profile b/etc/profile-m-z/ts3client_runscript.sh.profile
index cd6ae96df..8d4675454 100644
--- a/etc/profile-m-z/ts3client_runscript.sh.profile
+++ b/etc/profile-m-z/ts3client_runscript.sh.profile
@@ -9,11 +9,11 @@ include ts3client_runscript.sh.local
 ignore noexec ${HOME}
-nodeny  ${HOME}/TeamSpeak3-Client-linux_x86
+noblacklist ${HOME}/TeamSpeak3-Client-linux_x86
-nodeny  ${HOME}/TeamSpeak3-Client-linux_amd64
+noblacklist ${HOME}/TeamSpeak3-Client-linux_amd64
-allow  ${HOME}/TeamSpeak3-Client-linux_x86
+whitelist ${HOME}/TeamSpeak3-Client-linux_x86
-allow  ${HOME}/TeamSpeak3-Client-linux_amd64
+whitelist ${HOME}/TeamSpeak3-Client-linux_amd64
 # Redirect
 include teamspeak3.profile
diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile
index e59a86ce6..d2cb0cc8a 100644
--- a/etc/profile-m-z/tutanota-desktop.profile
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -6,8 +6,8 @@ include tutanota-desktop.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/tuta_integration
+noblacklist ${HOME}/.config/tuta_integration
-nodeny  ${HOME}/.config/tutanota-desktop
+noblacklist ${HOME}/.config/tutanota-desktop
 ignore noexec /tmp
@@ -15,12 +15,12 @@ include disable-shell.inc
 mkdir ${HOME}/.config/tuta_integration
 mkdir ${HOME}/.config/tutanota-desktop
-allow  ${HOME}/.config/tuta_integration
+whitelist ${HOME}/.config/tuta_integration
-allow  ${HOME}/.config/tutanota-desktop
+whitelist ${HOME}/.config/tutanota-desktop
 # These lines are needed to allow Firefox to open links
-nodeny  ${HOME}/.mozilla
+noblacklist ${HOME}/.mozilla
-allow  ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.mozilla/firefox/profiles.ini
 ?HAS_APPIMAGE: ignore private-dev
diff --git a/etc/profile-m-z/tuxguitar.profile b/etc/profile-m-z/tuxguitar.profile
index 5bb97e161..3cd496412 100644
--- a/etc/profile-m-z/tuxguitar.profile
+++ b/etc/profile-m-z/tuxguitar.profile
@@ -9,9 +9,9 @@ include globals.local
 # tuxguitar fails to launch
 ignore noexec ${HOME}
-nodeny  ${HOME}/.tuxguitar*
+noblacklist ${HOME}/.tuxguitar*
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-m-z/tvbrowser.profile b/etc/profile-m-z/tvbrowser.profile
index 8febcd337..dae7d86da 100644
--- a/etc/profile-m-z/tvbrowser.profile
+++ b/etc/profile-m-z/tvbrowser.profile
@@ -6,8 +6,8 @@ include tvbrowser.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/tvbrowser
+noblacklist ${HOME}/.config/tvbrowser
-nodeny  ${HOME}/.tvbrowser
+noblacklist ${HOME}/.tvbrowser
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -22,9 +22,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/tvbrowser
 mkdir ${HOME}/.tvbrowser
-allow  ${HOME}/.config/tvbrowser
+whitelist ${HOME}/.config/tvbrowser
-allow  ${HOME}/.tvbrowser
+whitelist ${HOME}/.tvbrowser
-allow  /usr/share/tvbrowser
+whitelist /usr/share/tvbrowser
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
index abcc885e6..2f573c872 100644
--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -10,12 +10,12 @@ include globals.local
 ignore nou2f
 ignore novideo
-nodeny  ${HOME}/.config/Twitch
+noblacklist ${HOME}/.config/Twitch
 include disable-shell.inc
 mkdir ${HOME}/.config/Twitch
-allow  ${HOME}/.config/Twitch
+whitelist ${HOME}/.config/Twitch
 private-bin twitch
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
diff --git a/etc/profile-m-z/uefitool.profile b/etc/profile-m-z/uefitool.profile
index 8c705c95f..3e4fdbb03 100644
--- a/etc/profile-m-z/uefitool.profile
+++ b/etc/profile-m-z/uefitool.profile
@@ -5,7 +5,7 @@ include uefitool.local
 # Persistent global definitions
 include globals.local
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/uget-gtk.profile b/etc/profile-m-z/uget-gtk.profile
index eed2db541..4420099ff 100644
--- a/etc/profile-m-z/uget-gtk.profile
+++ b/etc/profile-m-z/uget-gtk.profile
@@ -5,7 +5,7 @@ include uget-gtk.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/uGet
+noblacklist ${HOME}/.config/uGet
 include disable-common.inc
 include disable-devel.inc
@@ -14,8 +14,8 @@ include disable-programs.inc
 include disable-shell.inc
 mkdir ${HOME}/.config/uGet
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.config/uGet
+whitelist ${HOME}/.config/uGet
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/unbound.profile b/etc/profile-m-z/unbound.profile
index 7e7b3fbec..0c077babf 100644
--- a/etc/profile-m-z/unbound.profile
+++ b/etc/profile-m-z/unbound.profile
@@ -6,11 +6,11 @@ include unbound.local
 # Persistent global definitions
 include globals.local
-nodeny  /sbin
+noblacklist /sbin
-nodeny  /usr/sbin
+noblacklist /usr/sbin
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
@@ -22,8 +22,8 @@ include disable-xdg.inc
 include whitelist-usr-share-common.inc
-allow  /var/lib/unbound
+whitelist /var/lib/unbound
-allow  /var/run
+whitelist /var/run
 caps.keep net_admin,net_bind_service,setgid,setuid,sys_chroot,sys_resource
 ipc-namespace
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile
index 846271971..6db7ba362 100644
--- a/etc/profile-m-z/unf.profile
+++ b/etc/profile-m-z/unf.profile
@@ -7,7 +7,7 @@ include unf.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/unknown-horizons.profile b/etc/profile-m-z/unknown-horizons.profile
index 3e1c6264d..956492f52 100644
--- a/etc/profile-m-z/unknown-horizons.profile
+++ b/etc/profile-m-z/unknown-horizons.profile
@@ -6,7 +6,7 @@ include unknown-horizons.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.unknown-horizons
+noblacklist ${HOME}/.unknown-horizons
 include disable-common.inc
 include disable-exec.inc
@@ -14,10 +14,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.unknown-horizons
-allow  ${HOME}/.unknown-horizons
+whitelist ${HOME}/.unknown-horizons
 include whitelist-common.inc
 include whitelist-runuser-common.inc
-allow  /usr/share/unknown-horizons
+whitelist /usr/share/unknown-horizons
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile
index 99d2415ca..0231e3dba 100644
--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -8,7 +8,7 @@ include unzip.local
 include globals.local
 # GNOME Shell integration (chrome-gnome-shell)
-nodeny  ${HOME}/.local/share/gnome-shell
+noblacklist ${HOME}/.local/share/gnome-shell
 private-etc alternatives,group,localtime,passwd
diff --git a/etc/profile-m-z/utox.profile b/etc/profile-m-z/utox.profile
index 3b0f7c646..dd881f091 100644
--- a/etc/profile-m-z/utox.profile
+++ b/etc/profile-m-z/utox.profile
@@ -6,8 +6,8 @@ include utox.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/Tox
+noblacklist ${HOME}/.cache/Tox
-nodeny  ${HOME}/.config/tox
+noblacklist ${HOME}/.config/tox
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/tox
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.config/tox
+whitelist ${HOME}/.config/tox
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile
index 3bda71666..2adc044e5 100644
--- a/etc/profile-m-z/uudeview.profile
+++ b/etc/profile-m-z/uudeview.profile
@@ -7,7 +7,7 @@ include uudeview.local
 # Persistent global definitions
 include globals.local
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/uzbl-browser.profile b/etc/profile-m-z/uzbl-browser.profile
index 6899f4bf7..41487a8f2 100644
--- a/etc/profile-m-z/uzbl-browser.profile
+++ b/etc/profile-m-z/uzbl-browser.profile
@@ -5,9 +5,9 @@ include uzbl-browser.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/uzbl
+noblacklist ${HOME}/.config/uzbl
-nodeny  ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
-nodeny  ${HOME}/.local/share/uzbl
+noblacklist ${HOME}/.local/share/uzbl
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,11 +22,11 @@ mkdir ${HOME}/.config/uzbl
 mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.local/share/uzbl
 mkdir ${HOME}/.password-store
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.config/uzbl
+whitelist ${HOME}/.config/uzbl
-allow  ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
-allow  ${HOME}/.local/share/uzbl
+whitelist ${HOME}/.local/share/uzbl
-allow  ${HOME}/.password-store
+whitelist ${HOME}/.password-store
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile
index e0bf02706..a9ba344dd 100644
--- a/etc/profile-m-z/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -6,11 +6,11 @@ include viewnior.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.Steam
+noblacklist ${HOME}/.Steam
-nodeny  ${HOME}/.config/viewnior
+noblacklist ${HOME}/.config/viewnior
-nodeny  ${HOME}/.steam
+noblacklist ${HOME}/.steam
-deny  ${HOME}/.bashrc
+blacklist ${HOME}/.bashrc
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/viking.profile b/etc/profile-m-z/viking.profile
index b16f691d6..8f8ef5939 100644
--- a/etc/profile-m-z/viking.profile
+++ b/etc/profile-m-z/viking.profile
@@ -6,9 +6,9 @@ include viking.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.viking
+noblacklist ${HOME}/.viking
-nodeny  ${HOME}/.viking-maps
+noblacklist ${HOME}/.viking-maps
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/vim.profile b/etc/profile-m-z/vim.profile
index b535225dd..c3cfe5980 100644
--- a/etc/profile-m-z/vim.profile
+++ b/etc/profile-m-z/vim.profile
@@ -6,9 +6,9 @@ include vim.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.vim
+noblacklist ${HOME}/.vim
-nodeny  ${HOME}/.viminfo
+noblacklist ${HOME}/.viminfo
-nodeny  ${HOME}/.vimrc
+noblacklist ${HOME}/.vimrc
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index f28828338..c22fb0ff9 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -6,12 +6,12 @@ include virtualbox.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.VirtualBox
+noblacklist ${HOME}/.VirtualBox
-nodeny  ${HOME}/.config/VirtualBox
+noblacklist ${HOME}/.config/VirtualBox
-nodeny  ${HOME}/VirtualBox VMs
+noblacklist ${HOME}/VirtualBox VMs
 # noblacklist /usr/bin/virtualbox
-nodeny  /usr/lib/virtualbox
+noblacklist /usr/lib/virtualbox
-nodeny  /usr/lib64/virtualbox
+noblacklist /usr/lib64/virtualbox
 include disable-common.inc
 include disable-devel.inc
@@ -23,10 +23,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/VirtualBox
 mkdir ${HOME}/VirtualBox VMs
-allow  ${HOME}/.config/VirtualBox
+whitelist ${HOME}/.config/VirtualBox
-allow  ${HOME}/VirtualBox VMs
+whitelist ${HOME}/VirtualBox VMs
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  /usr/share/virtualbox
+whitelist /usr/share/virtualbox
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/vivaldi.profile b/etc/profile-m-z/vivaldi.profile
index 3858405db..fdeb0307f 100644
--- a/etc/profile-m-z/vivaldi.profile
+++ b/etc/profile-m-z/vivaldi.profile
@@ -8,26 +8,26 @@ include globals.local
 # Allow HTML5 Proprietary Media & DRM/EME (Widevine)
 ignore apparmor
 ignore noexec /var
-nodeny  /var/opt
+noblacklist /var/opt
-allow  /var/opt/vivaldi
+whitelist /var/opt/vivaldi
 writable-var
-nodeny  ${HOME}/.cache/vivaldi
+noblacklist ${HOME}/.cache/vivaldi
-nodeny  ${HOME}/.cache/vivaldi-snapshot
+noblacklist ${HOME}/.cache/vivaldi-snapshot
-nodeny  ${HOME}/.config/vivaldi
+noblacklist ${HOME}/.config/vivaldi
-nodeny  ${HOME}/.config/vivaldi-snapshot
+noblacklist ${HOME}/.config/vivaldi-snapshot
-nodeny  ${HOME}/.local/lib/vivaldi
+noblacklist ${HOME}/.local/lib/vivaldi
 mkdir ${HOME}/.cache/vivaldi
 mkdir ${HOME}/.cache/vivaldi-snapshot
 mkdir ${HOME}/.config/vivaldi
 mkdir ${HOME}/.config/vivaldi-snapshot
 mkdir ${HOME}/.local/lib/vivaldi
-allow  ${HOME}/.cache/vivaldi
+whitelist ${HOME}/.cache/vivaldi
-allow  ${HOME}/.cache/vivaldi-snapshot
+whitelist ${HOME}/.cache/vivaldi-snapshot
-allow  ${HOME}/.config/vivaldi
+whitelist ${HOME}/.config/vivaldi
-allow  ${HOME}/.config/vivaldi-snapshot
+whitelist ${HOME}/.config/vivaldi-snapshot
-allow  ${HOME}/.local/lib/vivaldi
+whitelist ${HOME}/.local/lib/vivaldi
 #private-bin bash,cat,dirname,readlink,rm,vivaldi,vivaldi-stable,vivaldi-snapshot
diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile
index ede2d4525..cd7dccd8a 100644
--- a/etc/profile-m-z/vlc.profile
+++ b/etc/profile-m-z/vlc.profile
@@ -6,10 +6,10 @@ include vlc.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/vlc
+noblacklist ${HOME}/.cache/vlc
-nodeny  ${HOME}/.config/vlc
+noblacklist ${HOME}/.config/vlc
-nodeny  ${HOME}/.config/aacs
+noblacklist ${HOME}/.config/aacs
-nodeny  ${HOME}/.local/share/vlc
+noblacklist ${HOME}/.local/share/vlc
 include disable-common.inc
 include disable-devel.inc
@@ -22,10 +22,10 @@ read-only ${DESKTOP}
 mkdir ${HOME}/.cache/vlc
 mkdir ${HOME}/.config/vlc
 mkdir ${HOME}/.local/share/vlc
-allow  ${HOME}/.cache/vlc
+whitelist ${HOME}/.cache/vlc
-allow  ${HOME}/.config/vlc
+whitelist ${HOME}/.config/vlc
-allow  ${HOME}/.config/aacs
+whitelist ${HOME}/.config/aacs
-allow  ${HOME}/.local/share/vlc
+whitelist ${HOME}/.local/share/vlc
 include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/vmware-view.profile b/etc/profile-m-z/vmware-view.profile
index f23e90e84..f07c31b68 100644
--- a/etc/profile-m-z/vmware-view.profile
+++ b/etc/profile-m-z/vmware-view.profile
@@ -6,10 +6,10 @@ include vmware-view.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.vmware
+noblacklist ${HOME}/.vmware
-nodeny  /sbin
+noblacklist /sbin
-nodeny  /usr/sbin
+noblacklist /usr/sbin
 include allow-bin-sh.inc
@@ -23,7 +23,7 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.vmware
-allow  ${HOME}/.vmware
+whitelist ${HOME}/.vmware
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
index 3a535588f..5241e27b3 100644
--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -6,8 +6,8 @@ include vmware.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/vmware
+noblacklist ${HOME}/.cache/vmware
-nodeny  ${HOME}/.vmware
+noblacklist ${HOME}/.vmware
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/vmware
 mkdir ${HOME}/.vmware
-allow  ${HOME}/.cache/vmware
+whitelist ${HOME}/.cache/vmware
-allow  ${HOME}/.vmware
+whitelist ${HOME}/.vmware
 # Add the next lines to your vmware.local if you need to use "shared VM".
 #whitelist /var/lib/vmware
 #writable-var
diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile
index 7996113f5..a4a4fb7d8 100644
--- a/etc/profile-m-z/vscodium.profile
+++ b/etc/profile-m-z/vscodium.profile
@@ -6,7 +6,7 @@ include vscodium.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.VSCodium
+noblacklist ${HOME}/.VSCodium
 # Redirect
 include code.profile
diff --git a/etc/profile-m-z/vulturesclaw.profile b/etc/profile-m-z/vulturesclaw.profile
index a6c38c1f1..fa6ddf1fb 100644
--- a/etc/profile-m-z/vulturesclaw.profile
+++ b/etc/profile-m-z/vulturesclaw.profile
@@ -6,8 +6,8 @@ include vulturesclaw.local
 # added by included profile
 #include globals.local
-nodeny  /var/games/vulturesclaw
+noblacklist /var/games/vulturesclaw
-allow  /var/games/vulturesclaw
+whitelist /var/games/vulturesclaw
 # Redirect
 include nethack-vultures.profile
diff --git a/etc/profile-m-z/vultureseye.profile b/etc/profile-m-z/vultureseye.profile
index 763c50bf6..49d3fa94f 100644
--- a/etc/profile-m-z/vultureseye.profile
+++ b/etc/profile-m-z/vultureseye.profile
@@ -6,8 +6,8 @@ include vultureseye.local
 # added by included profile
 #include globals.local
-nodeny  /var/games/vultureseye
+noblacklist /var/games/vultureseye
-allow  /var/games/vultureseye
+whitelist /var/games/vultureseye
 # Redirect
 include nethack-vultures.profile
diff --git a/etc/profile-m-z/vym.profile b/etc/profile-m-z/vym.profile
index 1f2462c32..5421c4e4b 100644
--- a/etc/profile-m-z/vym.profile
+++ b/etc/profile-m-z/vym.profile
@@ -6,7 +6,7 @@ include vym.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/InSilmaril
+noblacklist ${HOME}/.config/InSilmaril
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
index 6b38bbf13..69b2c6c59 100644
--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -12,10 +12,10 @@ include globals.local
 #ignore private-dev
 #ignore private-etc
-nodeny  ${HOME}/.w3m
+noblacklist ${HOME}/.w3m
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}/wayland-*
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
@@ -33,9 +33,9 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.w3m
-allow  /usr/share/w3m
+whitelist /usr/share/w3m
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.w3m
+whitelist ${HOME}/.w3m
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile
index 6658ac5db..1227a202c 100644
--- a/etc/profile-m-z/warmux.profile
+++ b/etc/profile-m-z/warmux.profile
@@ -6,9 +6,9 @@ include warmux.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/wormux
+noblacklist ${HOME}/.config/wormux
-nodeny  ${HOME}/.local/share/wormux
+noblacklist ${HOME}/.local/share/wormux
-nodeny  ${HOME}/.wormux
+noblacklist ${HOME}/.wormux
 include disable-common.inc
 include disable-devel.inc
@@ -22,10 +22,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/wormux
 mkdir ${HOME}/.local/share/wormux
 mkdir ${HOME}/.wormux
-allow  ${HOME}/.config/wormux
+whitelist ${HOME}/.config/wormux
-allow  ${HOME}/.local/share/wormux
+whitelist ${HOME}/.local/share/wormux
-allow  ${HOME}/.wormux
+whitelist ${HOME}/.wormux
-allow  /usr/share/warmux
+whitelist /usr/share/warmux
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile
index fac4d0555..e0cd3daad 100644
--- a/etc/profile-m-z/warsow.profile
+++ b/etc/profile-m-z/warsow.profile
@@ -8,8 +8,8 @@ include globals.local
 ignore noexec ${HOME}
-nodeny  ${HOME}/.cache/warsow-2.1
+noblacklist ${HOME}/.cache/warsow-2.1
-nodeny  ${HOME}/.local/share/warsow-2.1
+noblacklist ${HOME}/.local/share/warsow-2.1
 include disable-common.inc
 include disable-devel.inc
@@ -22,9 +22,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/warsow-2.1
 mkdir ${HOME}/.local/share/warsow-2.1
-allow  ${HOME}/.cache/warsow-2.1
+whitelist ${HOME}/.cache/warsow-2.1
-allow  ${HOME}/.local/share/warsow-2.1
+whitelist ${HOME}/.local/share/warsow-2.1
-allow  /usr/share/warsow
+whitelist /usr/share/warsow
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index 081ae349b..420e8927e 100644
--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -6,7 +6,7 @@ include warzone2100.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.warzone2100-3.*
+noblacklist ${HOME}/.warzone2100-3.*
 include disable-common.inc
 include disable-devel.inc
@@ -18,9 +18,9 @@ include disable-shell.inc
 mkdir ${HOME}/.warzone2100-3.1
 mkdir ${HOME}/.warzone2100-3.2
-allow  ${HOME}/.warzone2100-3.1
+whitelist ${HOME}/.warzone2100-3.1
-allow  ${HOME}/.warzone2100-3.2
+whitelist ${HOME}/.warzone2100-3.2
-allow  /usr/share/games
+whitelist /usr/share/games
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/waterfox.profile b/etc/profile-m-z/waterfox.profile
index 4081b29b9..18f1ca79a 100644
--- a/etc/profile-m-z/waterfox.profile
+++ b/etc/profile-m-z/waterfox.profile
@@ -5,13 +5,13 @@ include waterfox.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/waterfox
+noblacklist ${HOME}/.cache/waterfox
-nodeny  ${HOME}/.waterfox
+noblacklist ${HOME}/.waterfox
 mkdir ${HOME}/.cache/waterfox
 mkdir ${HOME}/.waterfox
-allow  ${HOME}/.cache/waterfox
+whitelist ${HOME}/.cache/waterfox
-allow  ${HOME}/.waterfox
+whitelist ${HOME}/.waterfox
 # Add the next lines to your watefox.local if you want to use the migration wizard.
 #noblacklist ${HOME}/.mozilla
diff --git a/etc/profile-m-z/webstorm.profile b/etc/profile-m-z/webstorm.profile
index 1f42dae2c..69e96d0cd 100644
--- a/etc/profile-m-z/webstorm.profile
+++ b/etc/profile-m-z/webstorm.profile
@@ -5,12 +5,12 @@ include webstorm.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.WebStorm*
+noblacklist ${HOME}/.WebStorm*
-nodeny  ${HOME}/.android
+noblacklist ${HOME}/.android
-nodeny  ${HOME}/.local/share/JetBrains
+noblacklist ${HOME}/.local/share/JetBrains
-nodeny  ${HOME}/.tooling
+noblacklist ${HOME}/.tooling
 # Allow KDE file manager to open with log directories (blacklisted by disable-programs.inc)
-nodeny  ${HOME}/.config/dolphinrc
+noblacklist ${HOME}/.config/dolphinrc
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
@@ -18,8 +18,8 @@ include allow-common-devel.inc
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
-nodeny  ${PATH}/node
+noblacklist ${PATH}/node
-nodeny  ${HOME}/.nvm
+noblacklist ${HOME}/.nvm
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/webui-aria2.profile b/etc/profile-m-z/webui-aria2.profile
index d1bbcfb67..d5a998f35 100644
--- a/etc/profile-m-z/webui-aria2.profile
+++ b/etc/profile-m-z/webui-aria2.profile
@@ -6,7 +6,7 @@ include webui-aria2.local
 # Persistent global definitions
 include globals.local
-nodeny  ${PATH}/node
+noblacklist ${PATH}/node
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/weechat.profile b/etc/profile-m-z/weechat.profile
index 99941a590..76935212f 100644
--- a/etc/profile-m-z/weechat.profile
+++ b/etc/profile-m-z/weechat.profile
@@ -6,12 +6,12 @@ include weechat.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.weechat
+noblacklist ${HOME}/.weechat
 include disable-common.inc
 include disable-programs.inc
-allow  /usr/share/weechat
+whitelist /usr/share/weechat
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/wesnoth.profile b/etc/profile-m-z/wesnoth.profile
index 47b923e6a..199b3c6f0 100644
--- a/etc/profile-m-z/wesnoth.profile
+++ b/etc/profile-m-z/wesnoth.profile
@@ -6,9 +6,9 @@ include wesnoth.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/wesnoth
+noblacklist ${HOME}/.cache/wesnoth
-nodeny  ${HOME}/.config/wesnoth
+noblacklist ${HOME}/.config/wesnoth
-nodeny  ${HOME}/.local/share/wesnoth
+noblacklist ${HOME}/.local/share/wesnoth
 include disable-common.inc
 include disable-devel.inc
@@ -19,9 +19,9 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/wesnoth
 mkdir ${HOME}/.config/wesnoth
 mkdir ${HOME}/.local/share/wesnoth
-allow  ${HOME}/.cache/wesnoth
+whitelist ${HOME}/.cache/wesnoth
-allow  ${HOME}/.config/wesnoth
+whitelist ${HOME}/.config/wesnoth
-allow  ${HOME}/.local/share/wesnoth
+whitelist ${HOME}/.local/share/wesnoth
 include whitelist-common.inc
 caps.drop all
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile
index 3c4a4eb63..53c4711bd 100644
--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -7,12 +7,12 @@ include wget.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.netrc
+noblacklist ${HOME}/.netrc
-nodeny  ${HOME}/.wget-hsts
+noblacklist ${HOME}/.wget-hsts
-nodeny  ${HOME}/.wgetrc
+noblacklist ${HOME}/.wgetrc
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile
index fdbd406c2..22a84274d 100644
--- a/etc/profile-m-z/whalebird.profile
+++ b/etc/profile-m-z/whalebird.profile
@@ -13,10 +13,10 @@ ignore include whitelist-usr-share-common.inc
 ignore dbus-user none
 ignore dbus-system none
-nodeny  ${HOME}/.config/Whalebird
+noblacklist ${HOME}/.config/Whalebird
 mkdir ${HOME}/.config/Whalebird
-allow  ${HOME}/.config/Whalebird
+whitelist ${HOME}/.config/Whalebird
 no3d
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index 35d7fe9cb..93871a5a4 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -7,8 +7,8 @@ include whois.local
 # Persistent global definitions
 include globals.local
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/widelands.profile b/etc/profile-m-z/widelands.profile
index 8f5adb0fc..0dc26b11d 100644
--- a/etc/profile-m-z/widelands.profile
+++ b/etc/profile-m-z/widelands.profile
@@ -6,7 +6,7 @@ include widelands.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.widelands
+noblacklist ${HOME}/.widelands
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.widelands
-allow  ${HOME}/.widelands
+whitelist ${HOME}/.widelands
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile
index 6bc68c829..0ea24aafd 100644
--- a/etc/profile-m-z/wine.profile
+++ b/etc/profile-m-z/wine.profile
@@ -6,13 +6,13 @@ include wine.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/winetricks
+noblacklist ${HOME}/.cache/winetricks
-nodeny  ${HOME}/.Steam
+noblacklist ${HOME}/.Steam
-nodeny  ${HOME}/.local/share/Steam
+noblacklist ${HOME}/.local/share/Steam
-nodeny  ${HOME}/.local/share/steam
+noblacklist ${HOME}/.local/share/steam
-nodeny  ${HOME}/.steam
+noblacklist ${HOME}/.steam
-nodeny  ${HOME}/.wine
+noblacklist ${HOME}/.wine
-nodeny  /tmp/.wine-*
+noblacklist /tmp/.wine-*
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
index 5f40bbd48..151cd2adb 100644
--- a/etc/profile-m-z/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -20,10 +20,10 @@ ignore private-cache
 ignore dbus-user none
 ignore dbus-system none
-nodeny  ${HOME}/.config/Wire
+noblacklist ${HOME}/.config/Wire
 mkdir ${HOME}/.config/Wire
-allow  ${HOME}/.config/Wire
+whitelist ${HOME}/.config/Wire
 private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop
 private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile
index f3f347283..1824026a8 100644
--- a/etc/profile-m-z/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -6,9 +6,9 @@ include wireshark.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/wireshark
+noblacklist ${HOME}/.config/wireshark
-nodeny  ${HOME}/.wireshark
+noblacklist ${HOME}/.wireshark
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -21,7 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  /usr/share/wireshark
+whitelist /usr/share/wireshark
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile
index 1f1541a20..9c724a5d2 100644
--- a/etc/profile-m-z/wordwarvi.profile
+++ b/etc/profile-m-z/wordwarvi.profile
@@ -6,7 +6,7 @@ include wordwarvi.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.wordwarvi
+noblacklist ${HOME}/.wordwarvi
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.wordwarvi
-allow  ${HOME}/.wordwarvi
+whitelist ${HOME}/.wordwarvi
-allow  /usr/share/wordwarvi
+whitelist /usr/share/wordwarvi
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/wps.profile b/etc/profile-m-z/wps.profile
index 6d16dfb04..a44b6490e 100644
--- a/etc/profile-m-z/wps.profile
+++ b/etc/profile-m-z/wps.profile
@@ -6,9 +6,9 @@ include wps.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.kingsoft
+noblacklist ${HOME}/.kingsoft
-nodeny  ${HOME}/.config/Kingsoft
+noblacklist ${HOME}/.config/Kingsoft
-nodeny  ${HOME}/.local/share/Kingsoft
+noblacklist ${HOME}/.local/share/Kingsoft
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/x2goclient.profile b/etc/profile-m-z/x2goclient.profile
index 311746cd9..557f07cd9 100644
--- a/etc/profile-m-z/x2goclient.profile
+++ b/etc/profile-m-z/x2goclient.profile
@@ -6,8 +6,8 @@ include x2goclient.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.x2go
+noblacklist ${HOME}/.x2go
-nodeny  ${HOME}/.x2goclient
+noblacklist ${HOME}/.x2goclient
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile
index e545aa3a0..384f76acc 100644
--- a/etc/profile-m-z/xbill.profile
+++ b/etc/profile-m-z/xbill.profile
@@ -15,8 +15,8 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/xbill
+whitelist /usr/share/xbill
-allow  /var/games/xbill/scores
+whitelist /var/games/xbill/scores
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/xchat.profile b/etc/profile-m-z/xchat.profile
index 7d0adbcc2..a94444aab 100644
--- a/etc/profile-m-z/xchat.profile
+++ b/etc/profile-m-z/xchat.profile
@@ -6,7 +6,7 @@ include xchat.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/xchat
+noblacklist ${HOME}/.config/xchat
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xed.profile b/etc/profile-m-z/xed.profile
index 5db709bd1..4a3022e83 100644
--- a/etc/profile-m-z/xed.profile
+++ b/etc/profile-m-z/xed.profile
@@ -5,10 +5,10 @@ include xed.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/xed
+noblacklist ${HOME}/.config/xed
-nodeny  ${HOME}/.python-history
+noblacklist ${HOME}/.python-history
-nodeny  ${HOME}/.python_history
+noblacklist ${HOME}/.python_history
-nodeny  ${HOME}/.pythonhist
+noblacklist ${HOME}/.pythonhist
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/xfburn.profile b/etc/profile-m-z/xfburn.profile
index 297ff6164..cd9561e74 100644
--- a/etc/profile-m-z/xfburn.profile
+++ b/etc/profile-m-z/xfburn.profile
@@ -6,7 +6,7 @@ include xfburn.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/xfburn
+noblacklist ${HOME}/.config/xfburn
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xfce4-dict.profile b/etc/profile-m-z/xfce4-dict.profile
index 8ecd84116..ecd321c7e 100644
--- a/etc/profile-m-z/xfce4-dict.profile
+++ b/etc/profile-m-z/xfce4-dict.profile
@@ -6,7 +6,7 @@ include xfce4-dict.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/xfce4-dict
+noblacklist ${HOME}/.config/xfce4-dict
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 8a6f9e921..bb38dbebd 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -6,7 +6,7 @@ include xfce4-mixer.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
+noblacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
 include disable-common.inc
 include disable-devel.inc
@@ -18,10 +18,10 @@ include disable-shell.inc
 include disable-xdg.inc
 mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
-allow  ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
+whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
-allow  /usr/share/gstreamer-*
+whitelist /usr/share/gstreamer-*
-allow  /usr/share/xfce4
+whitelist /usr/share/xfce4
-allow  /usr/share/xfce4-mixer
+whitelist /usr/share/xfce4-mixer
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/xfce4-notes.profile b/etc/profile-m-z/xfce4-notes.profile
index fe88f9b27..ebfb4333c 100644
--- a/etc/profile-m-z/xfce4-notes.profile
+++ b/etc/profile-m-z/xfce4-notes.profile
@@ -6,9 +6,9 @@ include xfce4-notes.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/xfce4/xfce4-notes.gtkrc
+noblacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc
-nodeny  ${HOME}/.config/xfce4/xfce4-notes.rc
+noblacklist ${HOME}/.config/xfce4/xfce4-notes.rc
-nodeny  ${HOME}/.local/share/notes
+noblacklist ${HOME}/.local/share/notes
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
index baf222354..b1e5bafbf 100644
--- a/etc/profile-m-z/xfce4-screenshooter.profile
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -6,7 +6,7 @@ include xfce4-screenshooter.local
 # Persistent global definitions
 include globals.local
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/xfce4
+whitelist /usr/share/xfce4
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/xiphos.profile b/etc/profile-m-z/xiphos.profile
index 5c11cbd66..81d98db7a 100644
--- a/etc/profile-m-z/xiphos.profile
+++ b/etc/profile-m-z/xiphos.profile
@@ -6,10 +6,10 @@ include xiphos.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.sword
+noblacklist ${HOME}/.sword
-nodeny  ${HOME}/.xiphos
+noblacklist ${HOME}/.xiphos
-deny  ${HOME}/.bashrc
+blacklist ${HOME}/.bashrc
 include disable-common.inc
 include disable-devel.inc
@@ -21,8 +21,8 @@ include disable-shell.inc
 mkdir ${HOME}/.sword
 mkdir ${HOME}/.xiphos
-allow  ${HOME}/.sword
+whitelist ${HOME}/.sword
-allow  ${HOME}/.xiphos
+whitelist ${HOME}/.xiphos
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/xlinks.profile b/etc/profile-m-z/xlinks.profile
index da4801101..d5e25cfe7 100644
--- a/etc/profile-m-z/xlinks.profile
+++ b/etc/profile-m-z/xlinks.profile
@@ -7,7 +7,7 @@ include xlinks.local
 # added by included profile
 #include globals.local
-nodeny  /tmp/.X11-unix
+noblacklist /tmp/.X11-unix
 include whitelist-common.inc
diff --git a/etc/profile-m-z/xlinks2 b/etc/profile-m-z/xlinks2
index a7612cb2a..1ae6a60ca 100644
--- a/etc/profile-m-z/xlinks2
+++ b/etc/profile-m-z/xlinks2
@@ -7,7 +7,7 @@ include xlinks2.local
 # added by included profile
 #include globals.local
-nodeny  /tmp/.X11-unix
+noblacklist /tmp/.X11-unix
 include whitelist-common.inc
diff --git a/etc/profile-m-z/xmms.profile b/etc/profile-m-z/xmms.profile
index 1ed35f29a..25261d925 100644
--- a/etc/profile-m-z/xmms.profile
+++ b/etc/profile-m-z/xmms.profile
@@ -5,8 +5,8 @@ include xmms.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.xmms
+noblacklist ${HOME}/.xmms
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile
index c97c12f56..e7020f36b 100644
--- a/etc/profile-m-z/xmr-stak.profile
+++ b/etc/profile-m-z/xmr-stak.profile
@@ -5,7 +5,7 @@ include xmr-stak.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.xmr-stak
+noblacklist ${HOME}/.xmr-stak
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile
index 94a09198c..53c9a0a08 100644
--- a/etc/profile-m-z/xonotic.profile
+++ b/etc/profile-m-z/xonotic.profile
@@ -6,7 +6,7 @@ include xonotic.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.xonotic
+noblacklist ${HOME}/.xonotic
 include allow-bin-sh.inc
 include allow-opengl-game.inc
@@ -21,8 +21,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.xonotic
-allow  ${HOME}/.xonotic
+whitelist ${HOME}/.xonotic
-allow  /usr/share/xonotic
+whitelist /usr/share/xonotic
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile
index 34a188a4e..c4f092d50 100644
--- a/etc/profile-m-z/xournal.profile
+++ b/etc/profile-m-z/xournal.profile
@@ -6,7 +6,7 @@ include xournal.local
 # Persistent global definitions
 include globals.local
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-allow  /usr/share/xournal
+whitelist /usr/share/xournal
-allow  /usr/share/poppler
+whitelist /usr/share/poppler
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/xournalpp.profile b/etc/profile-m-z/xournalpp.profile
index f82d2a5d3..988b878b9 100644
--- a/etc/profile-m-z/xournalpp.profile
+++ b/etc/profile-m-z/xournalpp.profile
@@ -7,13 +7,13 @@ include xournalpp.local
 # added by included profile
 #include globals.local
-nodeny  ${HOME}/.xournalpp
+noblacklist ${HOME}/.xournalpp
 include allow-lua.inc
-allow  /usr/share/texlive
+whitelist /usr/share/texlive
-allow  /usr/share/xournalpp
+whitelist /usr/share/xournalpp
-allow  /var/lib/texmf
+whitelist /var/lib/texmf
 include whitelist-runuser-common.inc
 #mkdir ${HOME}/.xournalpp
diff --git a/etc/profile-m-z/xpdf.profile b/etc/profile-m-z/xpdf.profile
index 9da63b52a..1447ec9a7 100644
--- a/etc/profile-m-z/xpdf.profile
+++ b/etc/profile-m-z/xpdf.profile
@@ -6,8 +6,8 @@ include xpdf.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.xpdfrc
+noblacklist ${HOME}/.xpdfrc
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile
index 4af4586e3..c3bb3292c 100644
--- a/etc/profile-m-z/xplayer.profile
+++ b/etc/profile-m-z/xplayer.profile
@@ -5,8 +5,8 @@ include xplayer.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/xplayer
+noblacklist ${HOME}/.config/xplayer
-nodeny  ${HOME}/.local/share/xplayer
+noblacklist ${HOME}/.local/share/xplayer
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,8 +22,8 @@ include disable-programs.inc
 read-only ${DESKTOP}
 mkdir ${HOME}/.config/xplayer
 mkdir ${HOME}/.local/share/xplayer
-allow  ${HOME}/.config/xplayer
+whitelist ${HOME}/.config/xplayer
-allow  ${HOME}/.local/share/xplayer
+whitelist ${HOME}/.local/share/xplayer
 include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/xpra.profile b/etc/profile-m-z/xpra.profile
index 28fbc94dd..6e409e1aa 100644
--- a/etc/profile-m-z/xpra.profile
+++ b/etc/profile-m-z/xpra.profile
@@ -25,7 +25,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-allow  /var/lib/xkb
+whitelist /var/lib/xkb
 # whitelisting home directory, or including whitelist-common.inc
 # will crash xpra on some platforms
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile
index 440f26af2..3ab35edfc 100644
--- a/etc/profile-m-z/xreader.profile
+++ b/etc/profile-m-z/xreader.profile
@@ -6,9 +6,9 @@ include xreader.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/xreader
+noblacklist ${HOME}/.cache/xreader
-nodeny  ${HOME}/.config/xreader
+noblacklist ${HOME}/.config/xreader
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xviewer.profile b/etc/profile-m-z/xviewer.profile
index 671e0cf5b..4d454f81c 100644
--- a/etc/profile-m-z/xviewer.profile
+++ b/etc/profile-m-z/xviewer.profile
@@ -5,10 +5,10 @@ include xviewer.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.Steam
+noblacklist ${HOME}/.Steam
-nodeny  ${HOME}/.config/xviewer
+noblacklist ${HOME}/.config/xviewer
-nodeny  ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.local/share/Trash
-nodeny  ${HOME}/.steam
+noblacklist ${HOME}/.steam
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/yandex-browser.profile b/etc/profile-m-z/yandex-browser.profile
index 27d0eb411..81cd021f7 100644
--- a/etc/profile-m-z/yandex-browser.profile
+++ b/etc/profile-m-z/yandex-browser.profile
@@ -10,19 +10,19 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
-nodeny  ${HOME}/.cache/yandex-browser
+noblacklist ${HOME}/.cache/yandex-browser
-nodeny  ${HOME}/.cache/yandex-browser-beta
+noblacklist ${HOME}/.cache/yandex-browser-beta
-nodeny  ${HOME}/.config/yandex-browser
+noblacklist ${HOME}/.config/yandex-browser
-nodeny  ${HOME}/.config/yandex-browser-beta
+noblacklist ${HOME}/.config/yandex-browser-beta
 mkdir ${HOME}/.cache/yandex-browser
 mkdir ${HOME}/.cache/yandex-browser-beta
 mkdir ${HOME}/.config/yandex-browser
 mkdir ${HOME}/.config/yandex-browser-beta
-allow  ${HOME}/.cache/yandex-browser
+whitelist ${HOME}/.cache/yandex-browser
-allow  ${HOME}/.cache/yandex-browser-beta
+whitelist ${HOME}/.cache/yandex-browser-beta
-allow  ${HOME}/.config/yandex-browser
+whitelist ${HOME}/.config/yandex-browser
-allow  ${HOME}/.config/yandex-browser-beta
+whitelist ${HOME}/.config/yandex-browser-beta
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index b288993f2..dee154409 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -6,7 +6,7 @@ include yelp.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/yelp
+noblacklist ${HOME}/.config/yelp
 include disable-common.inc
 include disable-devel.inc
@@ -18,15 +18,15 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/yelp
-allow  ${HOME}/.config/yelp
+whitelist ${HOME}/.config/yelp
-allow  /usr/libexec/webkit2gtk-4.0
+whitelist /usr/libexec/webkit2gtk-4.0
-allow  /usr/share/doc
+whitelist /usr/share/doc
-allow  /usr/share/groff
+whitelist /usr/share/groff
-allow  /usr/share/help
+whitelist /usr/share/help
-allow  /usr/share/man
+whitelist /usr/share/man
-allow  /usr/share/yelp
+whitelist /usr/share/yelp
-allow  /usr/share/yelp-tools
+whitelist /usr/share/yelp-tools
-allow  /usr/share/yelp-xsl
+whitelist /usr/share/yelp-xsl
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/youtube-dl-gui.profile b/etc/profile-m-z/youtube-dl-gui.profile
index 26ea3acaa..b52271a2c 100644
--- a/etc/profile-m-z/youtube-dl-gui.profile
+++ b/etc/profile-m-z/youtube-dl-gui.profile
@@ -8,7 +8,7 @@ include globals.local
 include allow-python2.inc
 include allow-python3.inc
-nodeny  ${HOME}/.config/youtube-dlg
+noblacklist ${HOME}/.config/youtube-dlg
 include disable-common.inc
 include disable-devel.inc
@@ -20,8 +20,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/youtube-dlg
-allow  ${HOME}/.config/youtube-dlg
+whitelist ${HOME}/.config/youtube-dlg
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index 37f87d0b5..24c4d6db3 100644
--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -10,18 +10,18 @@ include globals.local
 # breaks when installed under ${HOME} via `pip install --user` (see #2833)
 ignore noexec ${HOME}
-nodeny  ${HOME}/.cache/youtube-dl
+noblacklist ${HOME}/.cache/youtube-dl
-nodeny  ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.config/youtube-dl
-nodeny  ${HOME}/.netrc
+noblacklist ${HOME}/.netrc
-nodeny  ${MUSIC}
+noblacklist ${MUSIC}
-nodeny  ${VIDEOS}
+noblacklist ${VIDEOS}
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
-deny  /tmp/.X11-unix
+blacklist /tmp/.X11-unix
-deny  ${RUNUSER}
+blacklist ${RUNUSER}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
index 84b8bbc6a..b54dd37ad 100644
--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -7,13 +7,13 @@ include youtube-viewer.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.cache/youtube-viewer
+noblacklist ${HOME}/.cache/youtube-viewer
-nodeny  ${HOME}/.config/youtube-viewer
+noblacklist ${HOME}/.config/youtube-viewer
 mkdir ${HOME}/.cache/youtube-viewer
 mkdir ${HOME}/.config/youtube-viewer
-allow  ${HOME}/.cache/youtube-viewer
+whitelist ${HOME}/.cache/youtube-viewer
-allow  ${HOME}/.config/youtube-viewer
+whitelist ${HOME}/.config/youtube-viewer
 private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
index f531f815e..25a073d4a 100644
--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -7,7 +7,7 @@ include youtube-viewers-common.local
 # added by caller profile
 #include globals.local
-nodeny  ${HOME}/.cache/youtube-dl
+noblacklist ${HOME}/.cache/youtube-dl
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -27,8 +27,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
-allow  ${HOME}/.cache/youtube-dl/youtube-sigfuncs
+whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
index b015fb013..ad7ceaee4 100644
--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -9,12 +9,12 @@ include globals.local
 # Disabled until someone reported positive feedback
 ignore nou2f
-nodeny  ${HOME}/.config/Youtube
+noblacklist ${HOME}/.config/Youtube
 include disable-shell.inc
 mkdir ${HOME}/.config/Youtube
-allow  ${HOME}/.config/Youtube
+whitelist ${HOME}/.config/Youtube
 private-bin youtube
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
index d594a3d0f..74b0e38b9 100644
--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -6,12 +6,12 @@ include youtube.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/youtubemusic-nativefier-040164
+noblacklist ${HOME}/.config/youtubemusic-nativefier-040164
 include disable-shell.inc
 mkdir ${HOME}/.config/youtubemusic-nativefier-040164
-allow  ${HOME}/.config/youtubemusic-nativefier-040164
+whitelist ${HOME}/.config/youtubemusic-nativefier-040164
 private-bin youtubemusic-nativefier
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
index 9987c953e..ab46fccc2 100644
--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -8,10 +8,10 @@ include globals.local
 ignore dbus-user none
-nodeny  ${HOME}/.config/youtube-music-desktop-app
+noblacklist ${HOME}/.config/youtube-music-desktop-app
 mkdir ${HOME}/.config/youtube-music-desktop-app
-allow  ${HOME}/.config/youtube-music-desktop-app
+whitelist ${HOME}/.config/youtube-music-desktop-app
 # private-bin env,ytmdesktop
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
diff --git a/etc/profile-m-z/zaproxy.profile b/etc/profile-m-z/zaproxy.profile
index 2f18a8c45..5a168feb6 100644
--- a/etc/profile-m-z/zaproxy.profile
+++ b/etc/profile-m-z/zaproxy.profile
@@ -6,7 +6,7 @@ include zaproxy.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.ZAP
+noblacklist ${HOME}/.ZAP
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -20,8 +20,8 @@ include disable-programs.inc
 mkdir ${HOME}/.java
 mkdir ${HOME}/.ZAP
-allow  ${HOME}/.java
+whitelist ${HOME}/.java
-allow  ${HOME}/.ZAP
+whitelist ${HOME}/.ZAP
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/zart.profile b/etc/profile-m-z/zart.profile
index 32ff4f8ed..10f83aa30 100644
--- a/etc/profile-m-z/zart.profile
+++ b/etc/profile-m-z/zart.profile
@@ -6,8 +6,8 @@ include zart.local
 # Persistent global definitions
 include globals.local
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
-nodeny  ${PICTURES}
+noblacklist ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/zathura.profile b/etc/profile-m-z/zathura.profile
index 4bc841f63..d0e68c980 100644
--- a/etc/profile-m-z/zathura.profile
+++ b/etc/profile-m-z/zathura.profile
@@ -6,9 +6,9 @@ include zathura.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/zathura
+noblacklist ${HOME}/.config/zathura
-nodeny  ${HOME}/.local/share/zathura
+noblacklist ${HOME}/.local/share/zathura
-nodeny  ${DOCUMENTS}
+noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
@@ -22,8 +22,8 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/zathura
 mkdir ${HOME}/.local/share/zathura
-allow  /usr/share/doc
+whitelist /usr/share/doc
-allow  /usr/share/zathura
+whitelist /usr/share/zathura
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/zcat.profile b/etc/profile-m-z/zcat.profile
index 904ea9f05..5de13ab90 100644
--- a/etc/profile-m-z/zcat.profile
+++ b/etc/profile-m-z/zcat.profile
@@ -9,7 +9,7 @@ include zcat.local
 # Allow running kernel config check
 ignore include disable-shell.inc
-nodeny  /proc/config.gz
+noblacklist /proc/config.gz
 # Redirect
 include gzip.profile
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile
index 458df2a46..2c6f6910f 100644
--- a/etc/profile-m-z/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -6,9 +6,9 @@ include zeal.local
 # Persistent global definitions
 include globals.local
-nodeny  ${HOME}/.config/Zeal
+noblacklist ${HOME}/.config/Zeal
-nodeny  ${HOME}/.cache/Zeal
+noblacklist ${HOME}/.cache/Zeal
-nodeny  ${HOME}/.local/share/Zeal
+noblacklist ${HOME}/.local/share/Zeal
 include disable-common.inc
 include disable-devel.inc
@@ -23,9 +23,9 @@ mkdir ${HOME}/.cache/Zeal
 mkdir ${HOME}/.config/qt5ct
 mkdir ${HOME}/.config/Zeal
 mkdir ${HOME}/.local/share/Zeal
-allow  ${HOME}/.cache/Zeal
+whitelist ${HOME}/.cache/Zeal
-allow  ${HOME}/.config/Zeal
+whitelist ${HOME}/.config/Zeal
-allow  ${HOME}/.local/share/Zeal
+whitelist ${HOME}/.local/share/Zeal
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/zgrep.profile b/etc/profile-m-z/zgrep.profile
index e2dfbd105..f63dc871f 100644
--- a/etc/profile-m-z/zgrep.profile
+++ b/etc/profile-m-z/zgrep.profile
@@ -9,7 +9,7 @@ include zgrep.local
 # Allow running kernel config check
 ignore include disable-shell.inc
-nodeny  /proc/config.gz
+noblacklist /proc/config.gz
 # Redirect
 include gzip.profile
diff --git a/etc/profile-m-z/zim.profile b/etc/profile-m-z/zim.profile
new file mode 100644
index 000000000..5ae9cddb3
--- /dev/null
+++ b/etc/profile-m-z/zim.profile
@@ -0,0 +1,72 @@
+# Firejail profile for Zim
+# Description: Desktop wiki & notekeeper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zim.local
+# Persistent global definitions
+include globals.local
+nodeny ${HOME}/.cache/zim
+nodeny ${HOME}/.config/zim
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+deny /usr/libexec
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+mkdir ${HOME}/.cache/zim
+mkdir ${HOME}/.config/zim
+mkdir ${HOME}/Notebooks
+allow ${HOME}/.cache/zim
+allow ${HOME}/.config/zim
+allow ${HOME}/Notebooks
+allow ${DESKTOP}
+allow ${DOCUMENTS}
+allow ${DOWNLOADS}
+allow ${MUSIC}
+allow ${PICTURES}
+allow ${VIDEOS}
+allow /usr/share/zim
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-bin python*,zim
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile
index 6b0417b56..ac615d861 100644
--- a/etc/profile-m-z/zoom.profile
+++ b/etc/profile-m-z/zoom.profile
@@ -16,17 +16,17 @@ ignore dbus-system none
 # If you use such a system, add 'ignore nogroups' to your zoom.local.
 #ignore nogroups
-nodeny  ${HOME}/.config/zoomus.conf
+noblacklist ${HOME}/.config/zoomus.conf
-nodeny  ${HOME}/.zoom
+noblacklist ${HOME}/.zoom
-noallow  ${DOWNLOADS}
+nowhitelist ${DOWNLOADS}
 mkdir ${HOME}/.cache/zoom
 mkfile ${HOME}/.config/zoomus.conf
 mkdir ${HOME}/.zoom
-allow  ${HOME}/.cache/zoom
+whitelist ${HOME}/.cache/zoom
-allow  ${HOME}/.config/zoomus.conf
+whitelist ${HOME}/.config/zoomus.conf
-allow  ${HOME}/.zoom
+whitelist ${HOME}/.zoom
 # Disable for now, see https://github.com/netblue30/firejail/issues/3726
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
diff --git a/etc/profile-m-z/zulip.profile b/etc/profile-m-z/zulip.profile
index cdbbdccf1..093da5212 100644
--- a/etc/profile-m-z/zulip.profile
+++ b/etc/profile-m-z/zulip.profile
@@ -8,7 +8,7 @@ include globals.local
 ignore noexec /tmp
-nodeny  ${HOME}/.config/Zulip
+noblacklist ${HOME}/.config/Zulip
 include disable-common.inc
 include disable-devel.inc
@@ -20,8 +20,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.config/Zulip
-allow  ${HOME}/.config/Zulip
+whitelist ${HOME}/.config/Zulip
-allow  ${DOWNLOADS}
+whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index 3992c984a..38f789923 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -89,18 +89,24 @@ Inheritance of groups
 What to do if seccomp breaks a program
 --------------------------------------
+Start `journalctl --grep=SECCOMP --follow` in a terminal and run
+`firejail --seccomp-error-action=log /path/to/program` in a second terminal.
+Now switch back to the first terminal (where `journalctl` is running) and look
+for the numbers of the blocked syscall(s) (`syscall=<NUMBER>`). As soon as you
+have found them, you can stop `journalctl` (^C) and execute
+`firejail --debug-syscalls | grep NUMBER` to get the name of the syscall.
+In the particular case that it is a 32bit syscall on a 64bit system, use `ausyscall i386 NUMBER`.
+Now you can add a seccomp exception using `seccomp !NAME`.
+If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.
 ```
-$ journalctl --grep=syscall --follow
+term1$ journalctl --grep=SECCOMP --follow
-<...> audit[…]: SECCOMP <...> syscall=161 <...>
+term2$ firejail --seccomp-error-action=log /usr/bin/signal-desktop
-$ firejail --debug-syscalls | grep 161
+term1$ (journalctl --grep=SECCOMP --follow)
-161 - chroot
+audit[1234]: SECCOMP ... comm="signal-desktop" exe="/usr/bin/signal-desktop" sig=31 arch=c000003e syscall=161 ...
+^C
+term1$ firejail --debug-syscalls | grep "^161[[:space:]]"
+161     - chroot
 ```
 Profile: `seccomp -> seccomp !chroot`
-Start `journalctl --grep=syscall --follow` in a terminal, then start the broken
-program. Now you see one or more long lines containing `syscall=NUMBER` somewhere.
-Stop journalctl (^C) and execute `firejail --debug-syscalls | grep NUMBER`. You
-will see something like `NUMBER  - NAME`, because you now know the name of the
-syscall, you can add an exception to seccomp by putting `!NAME` to seccomp.
-If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.
diff --git a/src/common.mk.in b/src/common.mk.in
index 5ae8bf204..d117433dc 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -40,7 +40,7 @@ BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
-CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
+CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'   -DVARDIR='"/var/lib/firejail"'
 MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
diff --git a/src/fids/Makefile.in b/src/fids/Makefile.in
new file mode 100644
index 000000000..5530bcee2
--- /dev/null
+++ b/src/fids/Makefile.in
@@ -0,0 +1,18 @@
+.PHONY: all
+all: fids
+include ../common.mk
+%.o : %.c $(H_FILE_LIST) ../include/common.h
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+#fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o
+fids: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+.PHONY: clean
+clean:; rm -fr *.o fids *.gcov *.gcda *.gcno *.plist
+.PHONY: distclean
+distclean: clean
+        rm -fr Makefile
diff --git a/src/fids/blake2b.c b/src/fids/blake2b.c
new file mode 100644
index 000000000..f2aa5ae66
--- /dev/null
+++ b/src/fids/blake2b.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+/* A simple unkeyed BLAKE2b Implementation based on the official reference
+ * from https://github.com/BLAKE2/BLAKE2.
+ *
+ * The original code was released under CC0 1.0 Universal license (Creative Commons),
+ * a public domain license.
+ */
+#include "fids.h"
+// little-endian vs big-endian is irrelevant since the checksum is calculated and checked on the same computer.
+static inline uint64_t load64( const void *src ) {
+        uint64_t w;
+        memcpy( &w, src, sizeof( w ) );
+        return w;
+}
+// mixing function
+#define ROTR64(x, y)  (((x) >> (y)) ^ ((x) << (64 - (y))))
+#define G(a, b, c, d, x, y) {   \
+                v[a] = v[a] + v[b] + x;         \
+                v[d] = ROTR64(v[d] ^ v[a], 32); \
+                v[c] = v[c] + v[d];             \
+                v[b] = ROTR64(v[b] ^ v[c], 24); \
+                v[a] = v[a] + v[b] + y;         \
+                v[d] = ROTR64(v[d] ^ v[a], 16); \
+                v[c] = v[c] + v[d];             \
+                v[b] = ROTR64(v[b] ^ v[c], 63); }
+// init vector
+static const uint64_t iv[8] = {
+        0x6A09E667F3BCC908, 0xBB67AE8584CAA73B,
+        0x3C6EF372FE94F82B, 0xA54FF53A5F1D36F1,
+        0x510E527FADE682D1, 0x9B05688C2B3E6C1F,
+        0x1F83D9ABFB41BD6B, 0x5BE0CD19137E2179
+};
+const uint8_t sigma[12][16] = {
+        { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
+        { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
+        { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
+        { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
+        { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
+        { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
+        { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
+        { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
+        { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
+        { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
+        { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
+        { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }
+};
+// blake2b context
+typedef struct {
+        uint8_t b[128];                     // input buffer
+        uint64_t h[8];                      // chained state
+        uint64_t t[2];                      // total number of bytes
+        size_t c;                           // pointer for b[]
+        size_t outlen;                      // digest size
+} CTX;
+// compress function
+static void compress(CTX *ctx, int last) {
+        uint64_t m[16];
+        uint64_t v[16];
+        size_t i;
+        for (i = 0; i < 16; i++)
+                m[i] = load64(&ctx->b[8 * i]);
+        for (i = 0; i < 8; i++) {
+                v[i] = ctx->h[i];
+                v[i + 8] = iv[i];
+        }
+        v[12] ^= ctx->t[0];
+        v[13] ^= ctx->t[1];
+        if (last)
+                v[14] = ~v[14];
+        for (i = 0; i < 12; i++) {
+                G( 0, 4,  8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]);
+                G( 1, 5,  9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]);
+                G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]);
+                G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]);
+                G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]);
+                G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]);
+                G( 2, 7,  8, 13, m[sigma[i][12]], m[sigma[i][13]]);
+                G( 3, 4,  9, 14, m[sigma[i][14]], m[sigma[i][15]]);
+        }
+        for( i = 0; i < 8; ++i )
+                ctx->h[i] ^= v[i] ^ v[i + 8];
+}
+static int init(CTX *ctx, size_t outlen) {      // (keylen=0: no key)
+        size_t i;
+        if (outlen == 0 || outlen > 64)
+                return -1;
+        for (i = 0; i < 8; i++)
+                ctx->h[i] = iv[i];
+        ctx->h[0] ^= 0x01010000  ^ outlen;
+        ctx->t[0] = 0;
+        ctx->t[1] = 0;
+        ctx->c = 0;
+        ctx->outlen = outlen;
+        return 0;
+}
+static void update(CTX *ctx, const void *in, size_t inlen) {
+        size_t i;
+        for (i = 0; i < inlen; i++) {
+                if (ctx->c == 128) {
+                        ctx->t[0] += ctx->c;
+                        if (ctx->t[0] < ctx->c)
+                                ctx->t[1]++;
+                        compress(ctx, 0);
+                        ctx->c = 0;
+                }
+                ctx->b[ctx->c++] = ((const uint8_t *) in)[i];
+        }
+}
+static void final(CTX *ctx, void *out) {
+        size_t i;
+        ctx->t[0] += ctx->c;
+        if (ctx->t[0] < ctx->c)
+                ctx->t[1]++;
+        while (ctx->c < 128)
+                ctx->b[ctx->c++] = 0;
+        compress(ctx, 1);
+        for (i = 0; i < ctx->outlen; i++) {
+                ((uint8_t *) out)[i] =
+                        (ctx->h[i >> 3] >> (8 * (i & 7))) & 0xFF;
+        }
+}
+// public function
+int blake2b(void *out, size_t outlen, const void *in, size_t inlen) {
+        CTX ctx;
+        if (init(&ctx, outlen))
+                return -1;
+        update(&ctx, in, inlen);
+        final(&ctx, out);
+        return 0;
+}
diff --git a/src/fids/config b/src/fids/config
new file mode 100644
index 000000000..c18c97260
--- /dev/null
+++ b/src/fids/config
@@ -0,0 +1,16 @@
+/bin
+/sbin
+/usr/bin
+/usr/sbin
+/usr/games
+/opt
+/usr/share/ca-certificates
+/home/netblue/.bashrc
+/home/netblue/.config/firejail
+/home/netblue/.config/autostart
+/home/netblue/Desktop/*.desktop
+/home/netblue/.ssh
+/home/netblue/.gnupg
diff --git a/src/fids/db.c b/src/fids/db.c
new file mode 100644
index 000000000..35caf7eeb
--- /dev/null
+++ b/src/fids/db.c
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include"fids.h"
+typedef struct db_t {
+        struct db_t *next;
+        char *fname;
+        char *checksum;
+        char *mode;
+        int checked;
+} DB;
+#define MAXBUF 4096
+static DB *database[HASH_MAX] = {NULL};
+// djb2 hash function by Dan Bernstein
+static unsigned hash(const char *str) {
+        unsigned long hash = 5381;
+        int c;
+        while ((c = *str++) != '\0')
+                hash = ((hash << 5) + hash) + c; /* hash * 33 + c */
+        return hash & (HASH_MAX - 1);
+}
+#if 0
+// for testing the hash table
+static void db_print(void) {
+        int i;
+        for (i = 0; i < HASH_MAX; i++) {
+                int cnt = 0;
+                DB *ptr = database[i];
+                while (ptr) {
+                        cnt++;
+                        ptr = ptr->next;
+                }
+                printf("%d ", cnt);
+                fflush(0);
+        }
+        printf("\n");
+}
+#endif
+static void db_add(const char *fname, const char *checksum, const char *mode) {
+        DB *ptr = malloc(sizeof(DB));
+        if (!ptr)
+                errExit("malloc");
+        ptr->fname = strdup(fname);
+        ptr->checksum = strdup(checksum);
+        ptr->mode = strdup(mode);
+        ptr->checked = 0;
+        if (!ptr->fname || !ptr->checksum || !ptr->mode)
+                errExit("strdup");
+        unsigned h = hash(fname);
+        ptr->next = database[h];
+        database[h] = ptr;
+}
+void db_check(const char *fname, const char *checksum, const char *mode) {
+        assert(fname);
+        assert(checksum);
+        assert(mode);
+        unsigned h =hash(fname);
+        DB *ptr = database[h];
+        while (ptr) {
+                if (strcmp(fname, ptr->fname) == 0) {
+                        ptr->checked = 1;
+                        break;
+                }
+                ptr = ptr->next;
+        }
+        if (ptr ) {
+                if (strcmp(checksum, ptr->checksum)) {
+                        f_modified++;
+                        fprintf(stderr, "\nWarning: modified %s\n", fname);
+                }
+                if (strcmp(mode, ptr->mode)) {
+                        f_permissions++;
+                        fprintf(stderr, "\nWarning: permissions %s: old %s, new %s\n",
+                                fname, ptr->mode, mode);
+                }
+        }
+        else {
+                f_new++;
+                fprintf(stderr, "\nWarning: new file %s\n", fname);
+        }
+}
+void db_missing(void) {
+        int i;
+        for (i = 0; i < HASH_MAX; i++) {
+                DB *ptr = database[i];
+                while (ptr) {
+                        if (!ptr->checked) {
+                                f_removed++;
+                                fprintf(stderr, "Warning: removed %s\n", ptr->fname);
+                        }
+                        ptr = ptr->next;
+                }
+        }
+}
+// return 0 if ok, 1 if error
+int db_init(void) {
+        char buf[MAXBUF];
+        while(fgets(buf, MAXBUF, stdin)) {
+                // split - tab separated
+                char *mode = buf;
+                char *ptr = strchr(buf, '\t');
+                if (!ptr)
+                        goto errexit;
+                *ptr = '\0';
+                char *checksum = ptr + 1;
+                ptr = strchr(checksum, '\t');
+                if (!ptr)
+                        goto errexit;
+                *ptr = '\0';
+                char *fname = ptr + 1;
+                ptr = strchr(fname, '\n');
+                if (!ptr)
+                        goto errexit;
+                *ptr = '\0';
+                db_add(fname, checksum, mode);
+        }
+//      db_print();
+        return 0;
+errexit:
+        fprintf(stderr, "Error fids: database corrupted\n");
+        exit(1);
+}
diff --git a/src/fids/db_exclude.c b/src/fids/db_exclude.c
new file mode 100644
index 000000000..994e6f9df
--- /dev/null
+++ b/src/fids/db_exclude.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include"fids.h"
+typedef struct db_exclude_t {
+        struct db_exclude_t *next;
+        char *fname;
+        int len;
+} DB_EXCLUDE;
+static DB_EXCLUDE *database = NULL;
+void db_exclude_add(const char *fname) {
+        assert(fname);
+        DB_EXCLUDE *ptr = malloc(sizeof(DB_EXCLUDE));
+        if (!ptr)
+                errExit("malloc");
+        ptr->fname = strdup(fname);
+        if (!ptr->fname)
+                errExit("strdup");
+        ptr->len = strlen(fname);
+        ptr->next = database;
+        database = ptr;
+}
+int db_exclude_check(const char *fname) {
+        assert(fname);
+        DB_EXCLUDE *ptr = database;
+        while (ptr != NULL) {
+                if (strncmp(fname, ptr->fname, ptr->len) == 0)
+                        return 1;
+                ptr = ptr->next;
+        }
+        return 0;
+}
diff --git a/src/fids/fids.h b/src/fids/fids.h
new file mode 100644
index 000000000..a2e2886fe
--- /dev/null
+++ b/src/fids/fids.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef FIDS_H
+#define FIDS_H
+#include "../include/common.h"
+// main.c
+#define MAX_DIR_LEVEL 20        // max directory tree depth
+#define MAX_INCLUDE_LEVEL 10    // max include level for config files
+extern int f_scanned;
+extern int f_modified;
+extern int f_new;
+extern int f_removed;
+extern int f_permissions;
+// db.c
+#define HASH_MAX 2048   // power of 2
+int db_init(void);
+void db_check(const char *fname, const char *checksum, const char *mode);
+void db_missing(void);
+// db_exclude.c
+void db_exclude_add(const char *fname);
+int db_exclude_check(const char *fname);
+// blake2b.c
+//#define KEY_SIZE 128 // key size in bytes
+#define KEY_SIZE 256
+//#define KEY_SIZE 512
+int blake2b(void *out, size_t outlen, const void *in, size_t inlen);
+#endif
+\ No newline at end of file
diff --git a/src/fids/main.c b/src/fids/main.c
new file mode 100644
index 000000000..c899b55e1
--- /dev/null
+++ b/src/fids/main.c
@@ -0,0 +1,371 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fids.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <dirent.h>
+#include <glob.h>
+#define MAXBUF 4096
+static int dir_level = 1;
+static int include_level = 0;
+int arg_init = 0;
+int arg_check = 0;
+char *arg_homedir = NULL;
+char *arg_dbfile = NULL;
+int f_scanned = 0;
+int f_modified = 0;
+int f_new = 0;
+int f_removed = 0;
+int f_permissions = 0;
+static inline int is_dir(const char *fname) {
+        assert(fname);
+        struct stat s;
+        if (stat(fname, &s) == 0) {
+                if (S_ISDIR(s.st_mode))
+                        return 1;
+        }
+        return 0;
+}
+static inline int is_link(const char *fname) {
+        assert(fname);
+        char c;
+        ssize_t rv = readlink(fname, &c, 1);
+        return (rv != -1);
+}
+// mode is an array of 10 chars or more
+static inline void file_mode(const char *fname, char *mode) {
+        assert(fname);
+        assert(mode);
+        struct stat s;
+        if (stat(fname, &s)) {
+                *mode = '\0';
+                return;
+        }
+        sprintf(mode, (s.st_mode & S_IRUSR) ? "r" : "-");
+        sprintf(mode + 1, (s.st_mode & S_IWUSR) ? "w" : "-");
+        sprintf(mode + 2, (s.st_mode & S_IXUSR) ? "x" : "-");
+        sprintf(mode + 3, (s.st_mode & S_IRGRP) ? "r" : "-");
+        sprintf(mode + 4, (s.st_mode & S_IWGRP) ? "w" : "-");
+        sprintf(mode + 5, (s.st_mode & S_IXGRP) ? "x" : "-");
+        sprintf(mode + 6, (s.st_mode & S_IROTH) ? "r" : "-");
+        sprintf(mode + 7, (s.st_mode & S_IWOTH) ? "w" : "-");
+        sprintf(mode + 8, (s.st_mode & S_IXOTH) ? "x" : "-");
+}
+static void file_checksum(const char *fname) {
+        assert(fname);
+        int fd = open(fname, O_RDONLY);
+        if (fd == -1)
+                return;
+        off_t size = lseek(fd, 0, SEEK_END);
+        if (size < 0) {
+                close(fd);
+                return;
+        }
+        char *content = "empty";
+        int mmapped = 0;
+        if (size == 0) {
+                // empty files don't mmap - use "empty" string as the file content
+                size = 6; // strlen("empty") + 1
+        }
+        else {
+                content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
+                close(fd);
+                mmapped = 1;
+        }
+        unsigned char checksum[KEY_SIZE / 8];
+        blake2b(checksum, sizeof(checksum), content, size);
+        if (mmapped)
+                munmap(content, size);
+        // calculate blake2 checksum
+        char str_checksum[(KEY_SIZE / 8) * 2 + 1];
+        int long unsigned i;
+        char *ptr = str_checksum;
+        for (i = 0; i < sizeof(checksum); i++, ptr += 2)
+                sprintf(ptr, "%02x", (unsigned char ) checksum[i]);
+        // build permissions string
+        char mode[10];
+        file_mode(fname, mode);
+        if (arg_init)
+                printf("%s\t%s\t%s\n", mode, str_checksum, fname);
+        else if (arg_check)
+                db_check(fname, str_checksum, mode);
+        else
+                assert(0);
+        f_scanned++;
+        if (f_scanned % 500 == 0)
+                fprintf(stderr, "%d ", f_scanned);
+        fflush(0);
+}
+void list_directory(const char *fname) {
+        assert(fname);
+        if (dir_level > MAX_DIR_LEVEL) {
+                fprintf(stderr, "Warning fids: maximum depth level exceeded for %s\n", fname);
+                return;
+        }
+        if (db_exclude_check(fname))
+                return;
+        if (is_link(fname))
+                return;
+        if (!is_dir(fname)) {
+                file_checksum(fname);
+                return;
+        }
+        DIR *dir;
+        struct dirent *entry;
+        if (!(dir = opendir(fname)))
+                return;
+        dir_level++;
+        while ((entry = readdir(dir)) != NULL) {
+                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                        continue;
+                char *path;
+                if (asprintf(&path, "%s/%s", fname, entry->d_name) == -1)
+                        errExit("asprintf");
+                list_directory(path);
+                free(path);
+        }
+        closedir(dir);
+        dir_level--;
+}
+void globbing(const char *fname) {
+        assert(fname);
+        // filter top directory
+        if (strcmp(fname, "/") == 0)
+                return;
+        glob_t globbuf;
+        int globerr = glob(fname, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf);
+        if (globerr) {
+                fprintf(stderr, "Error fids: failed to glob pattern %s\n", fname);
+                exit(1);
+        }
+        long unsigned i;
+        for (i = 0; i < globbuf.gl_pathc; i++) {
+                char *path = globbuf.gl_pathv[i];
+                assert(path);
+                list_directory(path);
+        }
+        globfree(&globbuf);
+}
+static void process_config(const char *fname) {
+        assert(fname);
+        if (++include_level >= MAX_INCLUDE_LEVEL) {
+                fprintf(stderr, "Error ids: maximum include level for config files exceeded\n");
+                exit(1);
+        }
+        // make sure the file is owned by root
+        struct stat s;
+        if (stat(fname, &s)) {
+                if (include_level == 1) {
+                        fprintf(stderr, "Error ids: config file not found\n");
+                        exit(1);
+                }
+                return;
+        }
+        if (s.st_uid || s.st_gid) {
+                fprintf(stderr, "Error ids: config file not owned by root\n");
+                exit(1);
+        }
+        fprintf(stderr, "Loading %s config file\n", fname);
+        FILE *fp = fopen(fname, "r");
+        if (!fp) {
+                fprintf(stderr, "Error fids: cannot open config file %s\n", fname);
+                exit(1);
+        }
+        char buf[MAXBUF];
+        int line = 0;
+        while (fgets(buf, MAXBUF, fp)) {
+                line++;
+                // trim \n
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+                // comments
+                ptr = strchr(buf, '#');
+                if (ptr)
+                        *ptr = '\0';
+                // empty space
+                ptr = buf;
+                while (*ptr == ' ' || *ptr == '\t')
+                        ptr++;
+                char *start = ptr;
+                // empty line
+                if (*start == '\0')
+                        continue;
+                // trailing spaces
+                ptr = start + strlen(start);
+                ptr--;
+                while (*ptr == ' ' || *ptr == '\t')
+                        *ptr-- = '\0';
+                // replace ${HOME}
+                if (strncmp(start, "include", 7) == 0) {
+                        ptr = start + 7;
+                        if ((*ptr != ' ' && *ptr != '\t') || *ptr == '\0') {
+                                fprintf(stderr, "Error fids: invalid line %d in %s\n", line, fname);
+                                exit(1);
+                        }
+                        while (*ptr == ' ' || *ptr == '\t')
+                                ptr++;
+                        if (*ptr == '/')
+                                process_config(ptr);
+                        else {
+                                // assume the file is in /etc/firejail
+                                char *tmp;
+                                if (asprintf(&tmp, "/etc/firejail/%s", ptr) == -1)
+                                        errExit("asprintf");
+                                process_config(tmp);
+                                free(tmp);
+                        }
+                }
+                else if (*start == '!') {
+                        // exclude file or dir
+                        start++;
+                        if (strncmp(start, "${HOME}", 7))
+                                db_exclude_add(start);
+                        else {
+                                char *fname;
+                                if (asprintf(&fname, "%s%s", arg_homedir, start + 7) == -1)
+                                        errExit("asprintf");
+                                db_exclude_add(fname);
+                                free(fname);
+                        }
+                }
+                else if (strncmp(start, "${HOME}", 7))
+                        globbing(start);
+                else {
+                        char *fname;
+                        if (asprintf(&fname, "%s%s", arg_homedir, start + 7) == -1)
+                                errExit("asprintf");
+                        globbing(fname);
+                        free(fname);
+                }
+        }
+        fclose(fp);
+        include_level--;
+}
+void usage(void) {
+        printf("Usage: fids [--help|-h|-?] --init|--check homedir\n");
+}
+int main(int argc, char **argv) {
+        int i;
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "-h") == 0 ||
+                    strcmp(argv[i], "-?") == 0 ||
+                    strcmp(argv[i], "--help") == 0) {
+                        usage();
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--init") == 0)
+                        arg_init = 1;
+                else if (strcmp(argv[i], "--check") == 0)
+                        arg_check = 1;
+                else if (strncmp(argv[i], "--", 2) == 0) {
+                        fprintf(stderr, "Error fids: invalid argument %s\n", argv[i]);
+                        exit(1);
+                }
+        }
+        if (argc != 3) {
+                fprintf(stderr, "Error fids: invalid number of arguments\n");
+                exit(1);
+        }
+        arg_homedir = argv[2];
+        int op = arg_check + arg_init;
+        if (op == 0 || op == 2) {
+                fprintf(stderr, "Error fids: use either --init or --check\n");
+                exit(1);
+        }
+        if (arg_init) {
+                process_config(SYSCONFDIR"/ids.config");
+                fprintf(stderr, "\n%d files scanned\n", f_scanned);
+                fprintf(stderr, "IDS database initialized\n");
+        }
+        else if (arg_check) {
+                if (db_init()) {
+                        fprintf(stderr, "Error: IDS database not initialized, please run \"firejail --ids-init\"\n");
+                        exit(1);
+                }
+                process_config(SYSCONFDIR"/ids.config");
+                fprintf(stderr, "\n%d files scanned: modified %d, permissions %d, new %d, removed %d\n",
+                        f_scanned, f_modified, f_permissions, f_new, f_removed);
+                db_missing();
+        }
+        else
+                assert(0);
+        return 0;
+}
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 7052f7509..046cb209a 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -45,8 +45,8 @@ amule
 amuled
 android-studio
 anydesk
-apostrophe
 apktool
+apostrophe
 # ar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 arch-audit
 archaudit-report
@@ -143,8 +143,8 @@ clawsker
 clementine
 clion
 clion-eap
-clipit
 clipgrab
+clipit
 cliqz
 clocks
 cmus
@@ -168,6 +168,7 @@ crow
 cryptocat
 cvlc
 cyberfox
+d-feet
 darktable
 dconf-editor
 ddgr
@@ -198,13 +199,12 @@ dragon
 drawio
 drill
 dropbox
-d-feet
 easystroke
-ebook-viewer
 ebook-convert
 ebook-edit
 ebook-meta
 ebook-polish
+ebook-viewer
 electron-mail
 electrum
 element-desktop
@@ -295,8 +295,8 @@ gimp-2.10
 gimp-2.8
 gist
 gist-paste
-gitg
 git-cola
+gitg
 github-desktop
 gitter
 # gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102
@@ -387,14 +387,15 @@ icecat
 icedove
 iceweasel
 idea
-ideaIC
 idea.sh
+ideaIC
 imagej
 img2txt
 impressive
 inkscape
 inkview
 inox
+io.github.lainsce.Notejot
 ipcalc
 ipcalc-ng
 iridium
@@ -453,6 +454,7 @@ librecad
 libreoffice
 librewolf
 librewolf-nightly
+lifeograph
 liferea
 lightsoff
 lincity-ng
@@ -508,6 +510,7 @@ mendeleydesktop
 menulibre
 meteo-qt
 microsoft-edge
+microsoft-edge-beta
 microsoft-edge-dev
 midori
 min
@@ -524,7 +527,6 @@ mp3splt-gtk
 mp3wrap
 mpDris2
 mpg123
-mpg123.bin
 mpg123-alsa
 mpg123-id3dump
 mpg123-jack
@@ -534,6 +536,7 @@ mpg123-oss
 mpg123-portaudio
 mpg123-pulse
 mpg123-strip
+mpg123.bin
 mplayer
 mpsyt
 mpv
@@ -564,6 +567,7 @@ mypaint
 mypaint-ora-thumbnailer
 natron
 ncdu
+ncdu2
 neochat
 neomutt
 netactview
@@ -675,6 +679,7 @@ qupzilla
 qutebrowser
 rambox
 redeclipse
+rednotebook
 redshift
 regextester
 remmina
@@ -735,8 +740,8 @@ steam
 steam-native
 steam-runtime
 stellarium
-strawberry
 straw-viewer
+strawberry
 strings
 studio.sh
 subdownloader
@@ -863,10 +868,10 @@ wire-desktop
 wireshark
 wireshark-gtk
 wireshark-qt
+wordwarvi
 wpp
 wps
 wpspdf
-wordwarvi
 x2goclient
 xbill
 xcalc
@@ -908,6 +913,7 @@ zaproxy
 zart
 zathura
 zeal
+zim
 zoom
 # zpaq - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 # zstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 545573c08..2a7d88575 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -835,7 +835,6 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 #define PATH_FNET_MAIN (LIBDIR "/firejail/fnet")                // when called from main thread
 #define PATH_FNET (RUN_FIREJAIL_LIB_DIR "/fnet")        // when called from sandbox thread
-//#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
 #define PATH_FNETFILTER (RUN_FIREJAIL_LIB_DIR "/fnetfilter")
 #define PATH_FIREMON (PREFIX "/bin/firemon")
@@ -848,17 +847,16 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // it is also run from inside the sandbox by --debug; in this case we do an access(filename, X_OK) test first
 #define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print")
-//#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize")
 #define PATH_FSEC_OPTIMIZE (RUN_FIREJAIL_LIB_DIR "/fsec-optimize")
-//#define PATH_FCOPY (LIBDIR "/firejail/fcopy")
 #define PATH_FCOPY (RUN_FIREJAIL_LIB_DIR "/fcopy")
 #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
-//#define PATH_FLDD (LIBDIR "/firejail/fldd")
 #define PATH_FLDD (RUN_FIREJAIL_LIB_DIR "/fldd")
+#define PATH_FIDS (LIBDIR "/firejail/fids")
 // bitmapped filters for sbox_run
 #define SBOX_ROOT (1 << 0)                      // run the sandbox as root
 #define SBOX_USER (1 << 1)                      // run the sandbox as a regular user
@@ -903,4 +901,7 @@ void dhcp_start(void);
 // selinux.c
 void selinux_relabel_path(const char *path, const char *inside_path);
+// ids.c
+void run_ids(int argc, char **argv);
 #endif
diff --git a/src/firejail/ids.c b/src/firejail/ids.c
new file mode 100644
index 000000000..59acdb1fe
--- /dev/null
+++ b/src/firejail/ids.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+static void ids_init(void) {
+        // store checksums as root in /var/lib/firejail/${USERNAME}.ids
+        char *fname;
+        if (asprintf(&fname, VARDIR"/%s.ids", cfg.username) == -1)
+                errExit("asprintf");
+        int rv = unlink(fname);
+        (void) rv;
+        int fd = open(fname, O_CREAT | O_TRUNC | O_WRONLY, 0600);
+        if (fd < 0) {
+                fprintf(stderr, "Error: cannot create %s\n", fname);
+                exit(1);
+        }
+        // redirect output
+        close(STDOUT_FILENO);
+        if (dup(fd) != STDOUT_FILENO)
+                errExit("dup");
+        close(fd);
+        sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FIDS, "--init", cfg.homedir);
+}
+static void ids_check(void) {
+        // store checksums as root in /var/lib/firejail/${USERNAME}.ids
+        char *fname;
+        if (asprintf(&fname, VARDIR"/%s.ids", cfg.username) == -1)
+                errExit("asprintf");
+        int fd = open(fname, O_RDONLY);
+        if (fd < 0) {
+                fprintf(stderr, "Error: cannot open %s\n", fname);
+                exit(1);
+        }
+        // redirect input
+        close(STDIN_FILENO);
+        if (dup(fd) != STDIN_FILENO)
+                errExit("dup");
+        close(fd);
+        sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP| SBOX_ALLOW_STDIN, 3, PATH_FIDS, "--check", cfg.homedir);
+}
+void run_ids(int argc, char **argv) {
+        if (argc != 2) {
+                fprintf(stderr, "Error: only one IDS command expected\n");
+                exit(1);
+        }
+        EUID_ROOT();
+        struct stat s;
+        if (stat(VARDIR, &s)) // /var/lib/firejail
+                create_empty_dir_as_root(VARDIR, 0700);
+        if (strcmp(argv[1], "--ids-init") == 0)
+                ids_init();
+        else if (strcmp(argv[1], "--ids-check") == 0)
+                ids_check();
+        else
+                fprintf(stderr, "Error: unrecognized IDS command\n");
+        exit(0);
+}
+\ No newline at end of file
diff --git a/src/firejail/main.c b/src/firejail/main.c
index f64994e02..ef3bf8bf5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -985,24 +985,16 @@ int main(int argc, char **argv, char **envp) {
        int arg_caps_cmdline = 0;       // caps requested on command line (used to break out of --chroot)
        char **ptr;
-#ifndef HAVE_SUID
-        if (geteuid() != 0) {
-                fprintf(stderr, "Error: Firejail needs to be SUID.\n");
-                fprintf(stderr, "Assuming firejail is installed in /usr/bin, execute the following command as root:\n");
-                fprintf(stderr, "  chmod u+s /usr/bin/firejail\n");
-        }
-#endif
        // sanitize the umask
        orig_umask = umask(022);
-        // check standard streams before printing anything
-        fix_std_streams();
        // drop permissions by default and rise them when required
        EUID_INIT();
        EUID_USER();
+        // check standard streams before opening any file
+        fix_std_streams();
        // argument count should be larger than 0
        if (argc == 0 || !argv || strlen(argv[0]) == 0) {
                fprintf(stderr, "Error: argv is invalid\n");
@@ -1012,16 +1004,6 @@ int main(int argc, char **argv, char **envp) {
                exit(1);
        }
-        // Stash environment variables
-        for (i = 0, ptr = envp; ptr && *ptr && i < MAX_ENVS; i++, ptr++)
-                env_store(*ptr, SETENV);
-        // sanity check for environment variables
-        if (i >= MAX_ENVS) {
-                fprintf(stderr, "Error: too many environment variables\n");
-                exit(1);
-        }
        // sanity check for arguments
        for (i = 0; i < argc; i++) {
                if (*argv[i] == 0) {
@@ -1034,82 +1016,29 @@ int main(int argc, char **argv, char **envp) {
                }
        }
+        // Stash environment variables
+        for (i = 0, ptr = envp; ptr && *ptr && i < MAX_ENVS; i++, ptr++)
+                env_store(*ptr, SETENV);
+        // sanity check for environment variables
+        if (i >= MAX_ENVS) {
+                fprintf(stderr, "Error: too many environment variables\n");
+                exit(1);
+        }
        // Reapply a minimal set of environment variables
        env_apply_whitelist();
-        // check if the user is allowed to use firejail
+        // process --quiet
-        init_cfg(argc, argv);
-        // get starting timestamp, process --quiet
-        timetrace_start();
        const char *env_quiet = env_get("FIREJAIL_QUIET");
        if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0))
                arg_quiet = 1;
-        // cleanup at exit
+        // check if the user is allowed to use firejail
-        EUID_ROOT();
+        init_cfg(argc, argv);
-        atexit(clear_atexit);
-        // build /run/firejail directory structure
-        preproc_build_firejail_dir();
-        const char *container_name = env_get("container");
-        if (!container_name || strcmp(container_name, "firejail")) {
-                lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
-                if (lockfd_directory != -1) {
-                        int rv = fchown(lockfd_directory, 0, 0);
-                        (void) rv;
-                        flock(lockfd_directory, LOCK_EX);
-                }
-                preproc_clean_run();
-                flock(lockfd_directory, LOCK_UN);
-                close(lockfd_directory);
-        }
-        EUID_USER();
-        // --ip=dhcp - we need access to /sbin and /usr/sbin directories in order to run ISC DHCP client (dhclient)
-        // these paths are disabled in disable-common.inc
-        if ((i = check_arg(argc, argv, "--ip", 0)) != 0) {
-                if (strncmp(argv[i] + 4, "=dhcp", 5) == 0) {
-                        profile_add("noblacklist /sbin");
-                        profile_add("noblacklist /usr/sbin");
-                }
-        }
-        // for appimages we need to remove "include disable-shell.inc from the profile
-        // a --profile command can show up before --appimage
-        if (check_arg(argc, argv, "--appimage", 1))
-                arg_appimage = 1;
-        // process allow-debuggers
-        if (check_arg(argc, argv, "--allow-debuggers", 1)) {
-                // check kernel version
-                struct utsname u;
-                int rv = uname(&u);
-                if (rv != 0)
-                        errExit("uname");
-                int major;
-                int minor;
-                if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
-                        fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
-                        exit(1);
-                }
-                if (major < 4 || (major == 4 && minor < 8)) {
-                        fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. "
-                                "A bug in ptrace call allows a full bypass of the seccomp filter. "
-                                "Your current kernel version is %d.%d.\n", major, minor);
-                        exit(1);
-                }
-                arg_allow_debuggers = 1;
-                char *cmd = strdup("noblacklist ${PATH}/strace");
-                if (!cmd)
-                        errExit("strdup");
-                profile_add(cmd);
-        }
-        // profile builder
+        // get starting timestamp
-        if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename
+        timetrace_start();
-                run_builder(argc, argv); // this function will not return
        // check argv[0] symlink wrapper if this is not a login shell
        if (*argv[0] != '-')
@@ -1134,15 +1063,44 @@ int main(int argc, char **argv, char **envp) {
                        __builtin_unreachable();
                }
        }
-        EUID_ASSERT();
+        // profile builder
+        if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename
+                run_builder(argc, argv); // this function will not return
+        // intrusion detection system
+        if (check_arg(argc, argv, "--ids-", 0)) // supports both --ids-init and --ids-check
+                run_ids(argc, argv); // this function will not return
-        // check firejail directories
        EUID_ROOT();
-        delete_run_files(sandbox_pid);
+#ifndef HAVE_SUID
+        if (geteuid() != 0) {
+                fprintf(stderr, "Error: Firejail needs to be SUID.\n");
+                fprintf(stderr, "Assuming firejail is installed in /usr/bin, execute the following command as root:\n");
+                fprintf(stderr, "  chmod u+s /usr/bin/firejail\n");
+        }
+#endif
+        // build /run/firejail directory structure
+        preproc_build_firejail_dir();
+        const char *container_name = env_get("container");
+        if (!container_name || strcmp(container_name, "firejail")) {
+                lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
+                if (lockfd_directory != -1) {
+                        int rv = fchown(lockfd_directory, 0, 0);
+                        (void) rv;
+                        flock(lockfd_directory, LOCK_EX);
+                }
+                preproc_clean_run();
+                flock(lockfd_directory, LOCK_UN);
+                close(lockfd_directory);
+        }
+        delete_run_files(getpid());
+        atexit(clear_atexit);
        EUID_USER();
-        //check if the parent is sshd daemon
+        // check if the parent is sshd daemon
        int parent_sshd = 0;
        {
                pid_t ppid = getppid();
@@ -1199,7 +1157,8 @@ int main(int argc, char **argv, char **envp) {
        }
        EUID_ASSERT();
-        // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users
+        // is this a login shell, or a command passed by sshd,
+        // insert command line options from /etc/firejail/login.users
        if (*argv[0] == '-' || parent_sshd) {
                if (argc == 1)
                        login_shell = 1;
@@ -1251,6 +1210,47 @@ int main(int argc, char **argv, char **envp) {
 #endif
        EUID_ASSERT();
+        // --ip=dhcp - we need access to /sbin and /usr/sbin directories in order to run ISC DHCP client (dhclient)
+        // these paths are disabled in disable-common.inc
+        if ((i = check_arg(argc, argv, "--ip", 0)) != 0) {
+                if (strncmp(argv[i] + 4, "=dhcp", 5) == 0) {
+                        profile_add("noblacklist /sbin");
+                        profile_add("noblacklist /usr/sbin");
+                }
+        }
+        // process allow-debuggers
+        if (check_arg(argc, argv, "--allow-debuggers", 1)) {
+                // check kernel version
+                struct utsname u;
+                int rv = uname(&u);
+                if (rv != 0)
+                        errExit("uname");
+                int major;
+                int minor;
+                if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
+                        fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
+                        exit(1);
+                }
+                if (major < 4 || (major == 4 && minor < 8)) {
+                        fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. "
+                                "A bug in ptrace call allows a full bypass of the seccomp filter. "
+                                "Your current kernel version is %d.%d.\n", major, minor);
+                        exit(1);
+                }
+                arg_allow_debuggers = 1;
+                char *cmd = strdup("noblacklist ${PATH}/strace");
+                if (!cmd)
+                        errExit("strdup");
+                profile_add(cmd);
+        }
+        // for appimages we need to remove "include disable-shell.inc from the profile
+        // a --profile command can show up before --appimage
+        if (check_arg(argc, argv, "--appimage", 1))
+                arg_appimage = 1;
        // check for force-nonewprivs in /etc/firejail/firejail.config file
        if (checkcfg(CFG_FORCE_NONEWPRIVS))
                arg_nonewprivs = 1;
@@ -2680,8 +2680,9 @@ int main(int argc, char **argv, char **envp) {
                //*************************************
                else if (strncmp(argv[i], "--timeout=", 10) == 0)
                        cfg.timeout = extract_timeout(argv[i] + 10);
-                else if (strcmp(argv[i], "--appimage") == 0)
+                else if (strcmp(argv[i], "--appimage") == 0) {
-                        arg_appimage = 1;
+                        // already handled
+                }
                else if (strcmp(argv[i], "--shell=none") == 0) {
                        arg_shell_none = 1;
                        if (cfg.shell) {
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 665bef73d..0e5562d90 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -49,6 +49,7 @@ int check_namespace_virt(void) {
        // check PID 1 container environment variable
        EUID_ROOT();
        FILE *fp = fopen("/proc/1/environ", "re");
+        EUID_USER();
        if (fp) {
                int c = 0;
                while (c != EOF) {
@@ -69,7 +70,6 @@ int check_namespace_virt(void) {
                                // found it
                                if (is_container(buf + 10)) {
                                        fclose(fp);
-                                        EUID_USER();
                                        return 1;
                                }
                        }
@@ -79,7 +79,6 @@ int check_namespace_virt(void) {
                fclose(fp);
        }
-        EUID_USER();
        return 0;
 }
diff --git a/src/firejail/output.c b/src/firejail/output.c
index 835dff2db..ce10ab157 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -50,13 +50,21 @@ void check_output(int argc, char **argv) {
        if (!outindex)
                return;
-        // check filename
        drop_privs(0);
        char *outfile = argv[outindex];
        outfile += (enable_stderr)? 16:9;
+        // check filename
        invalid_filename(outfile, 0); // no globbing
+        // expand user home directory
+        if (outfile[0] == '~') {
+                char *full;
+                if (asprintf(&full, "%s%s", cfg.homedir, outfile + 1) == -1)
+                        errExit("asprintf");
+                outfile = full;
+        }
        // do not accept directories, links, and files with ".."
        if (strstr(outfile, "..") || is_link(outfile) || is_dir(outfile)) {
                fprintf(stderr, "Error: invalid output file. Links, directories and files with \"..\" are not allowed.\n");
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index b4f3021c7..d843c74ae 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -98,6 +98,8 @@ static char *usage_str =
        "    --help, -? - this help screen.\n"
        "    --hostname=name - set sandbox hostname.\n"
        "    --hosts-file=file - use file as /etc/hosts.\n"
+        "    --ids-check - verify file system.\n"
+        "    --ids-init - initialize IDS database.\n"
        "    --ignore=command - ignore command in profile files.\n"
 #ifdef HAVE_NETWORK
        "    --interface=name - move interface in sandbox.\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index de31ebdd6..094a68c60 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1513,8 +1513,7 @@ void check_homedir(const char *dir) {
                exit(1);
        }
        // symlinks are rejected in many places
-        if (has_link(dir)) {
+        if (has_link(dir))
-                fprintf(stderr, "No full support for symbolic links in path of user directory.\n"
+                fmessage("No full support for symbolic links in path of user directory.\n"
                        "Please provide resolved path in password database (/etc/passwd).\n\n");
-        }
 }
diff --git a/src/tools/profcleaner.sh b/src/tools/profcleaner.sh
index 709008e08..96402aed6 100755
--- a/src/tools/profcleaner.sh
+++ b/src/tools/profcleaner.sh
@@ -38,8 +38,8 @@ else
 fi
 sed -i -E \
-        -e "s/^(# |#)?blacklist/\1deny/" \
+        -e "s/^(# |#)?(ignore )?blacklist/\1\2deny/" \
-        -e "s/^(# |#)?noblacklist/\1nodeny/" \
+        -e "s/^(# |#)?(ignore )?noblacklist/\1\2nodeny/" \
-        -e "s/^(# |#)?whitelist/\1allow/" \
+        -e "s/^(# |#)?(ignore )?whitelist/\1\2allow/" \
-        -e "s/^(# |#)?nowhitelist/\1noallow/" \
+        -e "s/^(# |#)?(ignore )?nowhitelist/\1\2noallow/" \
        "${profiles[@]}"
diff --git a/test/profiles/profile_syntax.exp b/test/profiles/profile_syntax.exp
index 258089a39..a2cccb0d4 100755
--- a/test/profiles/profile_syntax.exp
+++ b/test/profiles/profile_syntax.exp
@@ -22,7 +22,7 @@ expect {
 }
 sleep 1
-send -- "ls -l /etc/shadow\r"
+send -- "ls -l /dev/console\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
        "root root"
diff --git a/test/profiles/test.profile b/test/profiles/test.profile
index 26d6de849..27cb99606 100644
--- a/test/profiles/test.profile
+++ b/test/profiles/test.profile
@@ -1,5 +1,5 @@
 blacklist /sbin/iptables
-blacklist /etc/shadow
+blacklist /dev/console
 blacklist /bin/rmdir
 blacklist ${PATH}/umount
 blacklist ${PATH}/mount