367 files changed, 1032 insertions, 399 deletions

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f075ec493..f61e19fdc 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -60,7 +60,7 @@ jobs:
     - name: update package information
       run: sudo apt-get update
     - name: install dependencies
-      run: sudo apt-get install gcc-12 libapparmor-dev libselinux1-dev expect xzdec
+      run: sudo apt-get install gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois
     - name: configure
       run: CC=gcc-12 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
     - name: make
@@ -73,6 +73,8 @@ jobs:
       run: SHELL=/bin/bash make lab-setup
     - name: run sysutils tests
       run: SHELL=/bin/bash make test-sysutils
+    - name: run private-etc tests
+      run: SHELL=/bin/bash make test-private-etc
     - name: run profile tests
       run: SHELL=/bin/bash make test-profiles
     - name: run fcopy tests
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 9cf216492..c232f59d9 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -88,7 +88,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@3ebbd71c74ef574dbc558c82f70e52732c8b44fe
+      uses: github/codeql-action/init@17573ee1cc1b9d061760f3a006fc4aac4f944fd5
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -99,7 +99,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@3ebbd71c74ef574dbc558c82f70e52732c8b44fe
+      uses: github/codeql-action/autobuild@17573ee1cc1b9d061760f3a006fc4aac4f944fd5
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -113,4 +113,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@3ebbd71c74ef574dbc558c82f70e52732c8b44fe
+      uses: github/codeql-action/analyze@17573ee1cc1b9d061760f3a006fc4aac4f944fd5
diff --git a/.gitignore b/.gitignore
index db3b16893..aae7b817d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -47,6 +47,7 @@ src/fcopy/fcopy
 src/fldd/fldd
 src/fbuilder/fbuilder
 src/profstats/profstats
+src/etc-cleanup/etc-cleanup
 src/bash_completion/firejail.bash_completion
 src/zsh_completion/_firejail
 src/jailcheck/jailcheck
diff --git a/Makefile b/Makefile
index 396313fe9..ad6c39001 100644
--- a/Makefile
+++ b/Makefile
@@ -12,7 +12,7 @@ endif
 
 COMPLETIONDIRS = src/zsh_completion src/bash_completion
 
-APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
+APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck src/etc-cleanup/etc-cleanup
 SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids
 SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/fzenity/fzenity
 SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
@@ -200,6 +200,7 @@ endif
         install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS)
         install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
         install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats
+        install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/etc-cleanup/etc-cleanup
         # plugins w/o read permission (non-dumpable)
         install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
         install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
@@ -367,7 +368,7 @@ scan-build: clean
 # make test
 #
 
-TESTS=profiles apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter
+TESTS=profiles apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter private-etc
 TEST_TARGETS=$(patsubst %,test-%,$(TESTS))
 
 $(TEST_TARGETS):
@@ -375,9 +376,9 @@ $(TEST_TARGETS):
 
 
 # extract some data about the testing setup: kernel, network connectivity, user
-lab-setup:; uname -r; pwd; whoami; cat /etc/resolv.conf; cat /etc/hosts
+lab-setup:; uname -r; pwd; whoami; cat /etc/resolv.conf; cat /etc/hosts; ls /etc
 
-test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
+test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-private-etc test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
         echo "TEST COMPLETE"
 
 test-noprofiles: lab-setup test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
diff --git a/README b/README
index 762668a88..13331d2f4 100644
--- a/README
+++ b/README
@@ -147,6 +147,8 @@ announ (https://github.com/announ)
         - mpv and youtube-dl profile fixes
         - git profile fix
         - evince profile fix
+Antoine Catton (https://github.com/acatton)
+        - add keep-shell-rc command and option
 Anton Shestakov (https://github.com/antonv6)
         - add whitelist items for uim
         - allow /etc/vulkan in steam profile
@@ -753,6 +755,7 @@ mjudtmann (https://github.com/mjudtmann)
         - lock firejail configuration in disable-mgmt.inc
 Mohammed Anas  (https://github.com/mhmdanas)
         - fix dbus notifications
+        - fix libEGL warning for abiword
 m00nwtchr (https://github.com/m00nwtchr)
         - Whitelist electron-flags.conf for all versions of electron
         - electron profile updates
diff --git a/README.md b/README.md
index 7d1c88c65..0f6ca9b08 100644
--- a/README.md
+++ b/README.md
@@ -182,6 +182,17 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 
 ## Current development version: 0.9.73
 
+### --keep-shell-rc
+`````
+       --keep-shell-rc
+              By default, when using a private home directory, firejail copies
+              files  from the system's user home template (/etc/skel) into it,
+              which overrides attempts to whitelist the original  files  (such
+              as  ~/.bashrc and ~/.zshrc).  This option disables this feature,
+              and enables the user to whitelist the original files.
+
+`````
+
 ### private-etc rework
 `````
        --private-etc, --private-etc=file,directory,@group
diff --git a/RELNOTES b/RELNOTES
index 9542ec6dc..90a6982e8 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -4,6 +4,7 @@ firejail (0.9.73) baseline; urgency=low
   * modif: Prevent sandbox name from containing only digits (#5578)
   * bugfix: qutebrowser: links will not open in the existing instance (#5601
     #5618)
+  * feature: added --keep-shell-rc command and profile option (#1127)
   * build: auto-generate syntax files (#5627)
   * build: mark most phony targets as such (#5637)
   * docs: remove apparmor options in --help when building without apparmor
diff --git a/contrib/syntax/lists/profile_commands_arg0.list b/contrib/syntax/lists/profile_commands_arg0.list
index a402671a6..fd1bdb401 100644
--- a/contrib/syntax/lists/profile_commands_arg0.list
+++ b/contrib/syntax/lists/profile_commands_arg0.list
@@ -10,6 +10,7 @@ disable-mnt
 ipc-namespace
 keep-config-pulse
 keep-dev-shm
+keep-shell-rc
 keep-var-tmp
 machine-id
 memory-deny-write-execute
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 03daaa9a6..81f417232 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -450,6 +450,9 @@ blacklist ${HOME}/.vaults
 blacklist /run/timeshift
 blacklist /var/backup
 
+# dm-crypt / LUKS
+blacklist /crypto_keyfile.bin
+
 # Remove environment variables with auth tokens.
 # Note however that the sandbox might still have access to the
 # files where these variables are set.
diff --git a/etc/profile-a-l/1password.profile b/etc/profile-a-l/1password.profile
index bc8bfae0d..b340ad228 100644
--- a/etc/profile-a-l/1password.profile
+++ b/etc/profile-a-l/1password.profile
@@ -11,7 +11,7 @@ noblacklist ${HOME}/.config/1Password
 mkdir ${HOME}/.config/1Password
 whitelist ${HOME}/.config/1Password
 
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca
 
 # Needed for keychain things, talking to Firefox, possibly other things?  Not sure how to narrow down
 ignore dbus-user none
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
index eb7a5254f..a0eed24ca 100644
--- a/etc/profile-a-l/abiword.profile
+++ b/etc/profile-a-l/abiword.profile
@@ -41,7 +41,7 @@ tracelog
 private-bin abiword
 private-cache
 private-dev
-private-etc alternatives,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd
+private-etc @x11
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
index 96c56d85d..7a36302f1 100644
--- a/etc/profile-a-l/agetpkg.profile
+++ b/etc/profile-a-l/agetpkg.profile
@@ -49,7 +49,7 @@ tracelog
 private-bin agetpkg,python3
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
+private-etc @tls-ca
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index 9612ffdd2..22a303cdd 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -52,7 +52,7 @@ disable-mnt
 # private-bin alacarte,bash,python*,sh
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
+private-etc @tls-ca,@x11,mime.types
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile
index 0f7407f05..9f9bd975a 100644
--- a/etc/profile-a-l/alienarena.profile
+++ b/etc/profile-a-l/alienarena.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin alienarena
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11
+private-etc @tls-ca,@x11,bumblebee,glvnd,host.conf,rpc,services
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/alpine.profile b/etc/profile-a-l/alpine.profile
index 4e994c025..5ccb9896f 100644
--- a/etc/profile-a-l/alpine.profile
+++ b/etc/profile-a-l/alpine.profile
@@ -90,7 +90,7 @@ disable-mnt
 private-bin alpine
 private-cache
 private-dev
-private-etc alternatives,c-client.cf,ca-certificates,crypto-policies,host.conf,hostname,hosts,krb5.keytab,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,passwd,pine.conf,pinerc.fixed,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+private-etc @tls-ca,@x11,c-client.cf,host.conf,krb5.keytab,mailcap,mime.types,pine.conf,pinerc.fixed,rpc,services,terminfo
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile
index 466f60bda..2d0bfcb6c 100644
--- a/etc/profile-a-l/anki.profile
+++ b/etc/profile-a-l/anki.profile
@@ -49,7 +49,7 @@ disable-mnt
 private-bin anki,python*
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl,Trolltech.conf
+private-etc @tls-ca,@x11
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
index dab91fe7d..4ad6ac6bc 100644
--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -62,7 +62,7 @@ disable-mnt
 private-bin apostrophe,fmtutil,kpsewhich,mktexfmt,pandoc,pdftex,perl,python3*,sh,xdvipdfmx,xelatex,xetex
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,texlive,X11
+private-etc @x11,texlive
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile
index b0f83aa32..ef875c5b7 100644
--- a/etc/profile-a-l/archiver-common.profile
+++ b/etc/profile-a-l/archiver-common.profile
@@ -44,6 +44,7 @@ x11 none
 
 private-cache
 private-dev
+private-etc
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
index 17eb2451c..7f9463c4f 100644
--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -45,7 +45,7 @@ private-bin aria2c,gzip
 # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772).
 #private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,groups,ld.so.cache,ld.so.preload,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
+private-etc @tls-ca
 private-lib libreadline.so.*
 private-tmp
 
diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile
index ed0629c9b..1c2fbcccc 100644
--- a/etc/profile-a-l/arm.profile
+++ b/etc/profile-a-l/arm.profile
@@ -42,7 +42,7 @@ tracelog
 disable-mnt
 private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,resolv.conf,ssl,tor
+private-etc @tls-ca,tor
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile
index b1347b0d9..897140857 100644
--- a/etc/profile-a-l/artha.profile
+++ b/etc/profile-a-l/artha.profile
@@ -54,7 +54,7 @@ disable-mnt
 private-bin artha,enchant,notify-send
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
+private-etc
 private-lib libnotify.so.*
 private-tmp
 
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile
index b2bc17c67..672286087 100644
--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -13,7 +13,7 @@ include allow-perl.inc
 noroot
 
 # without login.defs atool complains and uses UID/GID 1000 by default
-private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd,resolv.conf
+private-etc
 private-tmp
 
 # Redirect
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile
index f24aff108..d0513d2a7 100644
--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@@ -41,7 +41,7 @@ tracelog
 
 private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 # atril uses webkit gtk to display epub files
 # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
 #private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
index 371054728..392b189f8 100644
--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -50,6 +50,7 @@ tracelog
 
 private-bin audacity
 private-dev
+private-etc @tls-ca,@x11
 private-tmp
 
 # problems on Fedora 27
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile
index 74dba7411..deba11a47 100644
--- a/etc/profile-a-l/audio-recorder.profile
+++ b/etc/profile-a-l/audio-recorder.profile
@@ -43,7 +43,7 @@ tracelog
 disable-mnt
 # private-bin audio-recorder
 private-cache
-private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile
index 73a2e1806..215f22fd0 100644
--- a/etc/profile-a-l/authenticator-rs.profile
+++ b/etc/profile-a-l/authenticator-rs.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin authenticator-rs
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg
+private-etc @tls-ca,@x11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile
index 02c1d8768..96c70a838 100644
--- a/etc/profile-a-l/authenticator.profile
+++ b/etc/profile-a-l/authenticator.profile
@@ -38,7 +38,7 @@ seccomp
 disable-mnt
 # private-bin authenticator,python*
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
+private-etc @tls-ca
 private-tmp
 
 # makes settings immutable
diff --git a/etc/profile-a-l/ballbuster.profile b/etc/profile-a-l/ballbuster.profile
index b60b5715c..9ca947106 100644
--- a/etc/profile-a-l/ballbuster.profile
+++ b/etc/profile-a-l/ballbuster.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin ballbuster
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pulse
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
index 85a1a58c7..3fb2a82c3 100644
--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -51,7 +51,7 @@ disable-mnt
 # private-bin bibletime
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
+private-etc @tls-ca,sword,sword.conf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index b6b52601e..53d212e34 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-bin bijiben
 # private-cache -- access to .cache/tracker is required
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+private-etc @x11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
index f8114c71b..ba30c3654 100644
--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -23,7 +23,7 @@ no3d
 nosound
 
 ?HAS_APPIMAGE: ignore private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca
 private-opt Bitwarden
 
 # Redirect
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile
index 9badb4357..6dd540943 100644
--- a/etc/profile-a-l/bless.profile
+++ b/etc/profile-a-l/bless.profile
@@ -34,7 +34,7 @@ seccomp
 # private-bin bash,bless,mono,sh
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,mono
+private-etc mono
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile
index 6e7a87e5f..dccdae924 100644
--- a/etc/profile-a-l/blobby.profile
+++ b/etc/profile-a-l/blobby.profile
@@ -40,7 +40,7 @@ tracelog
 disable-mnt
 private-bin blobby
 private-dev
-private-etc alsa,alternatives,asound.conf,drirc,group,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pulse
+private-etc @x11
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
index e6926ee29..fc0a76945 100644
--- a/etc/profile-a-l/blobwars.profile
+++ b/etc/profile-a-l/blobwars.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin blobwars
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile
index fbc7c9056..c5c2e33eb 100644
--- a/etc/profile-a-l/bsdtar.profile
+++ b/etc/profile-a-l/bsdtar.profile
@@ -6,7 +6,7 @@ include bsdtar.local
 # Persistent global definitions
 include globals.local
 
-private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd
+private-etc
 
 # Redirect
 include archiver-common.profile
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile
index b2248ad06..df94ac859 100644
--- a/etc/profile-a-l/cameramonitor.profile
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -45,7 +45,7 @@ tracelog
 disable-mnt
 private-bin cameramonitor,python*
 private-cache
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
index 4c8afd895..a0fe8ddf1 100644
--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -16,7 +16,7 @@ noblacklist ${HOME}/.cargo/credentials.toml
 #whitelist ${HOME}/.rustup
 
 #private-bin cargo,rustc
-private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc @tls-ca,host.conf,magic,magic.mgc,rpc,services
 
 memory-deny-write-execute
 
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
index e4e32b265..17887b6cc 100644
--- a/etc/profile-a-l/cawbird.profile
+++ b/etc/profile-a-l/cawbird.profile
@@ -38,7 +38,7 @@ disable-mnt
 private-bin cawbird
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
+private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 0c4335e8f..7b0f7bdf0 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -52,7 +52,7 @@ tracelog
 
 private-bin celluloid,env,gnome-mpv,python*,youtube-dl
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
+private-etc @tls-ca,@x11,libva.conf,pkcs11
 private-dev
 private-tmp
 
diff --git a/etc/profile-a-l/chatterino.profile b/etc/profile-a-l/chatterino.profile
index 4dfd85740..2df03b10b 100644
--- a/etc/profile-a-l/chatterino.profile
+++ b/etc/profile-a-l/chatterino.profile
@@ -70,7 +70,7 @@ private-bin chatterino,cvlc,env,ffmpeg,mpv,nvlc,pgrep,python*,qvlc,rvlc,streamli
 # private-cache may cause issues with mpv (see #2838)
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,dbus-1,fonts,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nvidia,passwd,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11
+private-etc @tls-ca,@x11,dbus-1,rpc,services
 private-srv none
 private-tmp
 
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile
index 8aed77c04..93d9c9a8b 100644
--- a/etc/profile-a-l/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -51,7 +51,7 @@ disable-mnt
 private-bin cheese
 private-cache
 private-dev
-private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.cache,ld.so.preload
+private-etc @x11,clutter-1.0
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
index 4f4e8e7bf..3b8eb7bbd 100644
--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin bash,clawsker,perl,sh,which
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
 private-tmp
 
diff --git a/etc/profile-a-l/cmus.profile b/etc/profile-a-l/cmus.profile
index ad6332f78..cc7a43609 100644
--- a/etc/profile-a-l/cmus.profile
+++ b/etc/profile-a-l/cmus.profile
@@ -26,6 +26,6 @@ protocol unix,inet,inet6
 seccomp
 
 private-bin cmus
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
+private-etc @tls-ca
 
 restrict-namespaces
diff --git a/etc/profile-a-l/cointop.profile b/etc/profile-a-l/cointop.profile
index c341c4ea2..aa053e2f7 100644
--- a/etc/profile-a-l/cointop.profile
+++ b/etc/profile-a-l/cointop.profile
@@ -52,7 +52,7 @@ disable-mnt
 private-bin cointop
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc @tls-ca,host.conf,rpc,services
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/colorful.profile b/etc/profile-a-l/colorful.profile
index 442d50259..50f8f67f3 100644
--- a/etc/profile-a-l/colorful.profile
+++ b/etc/profile-a-l/colorful.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin colorful
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pulse
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
index 990b6bc5a..8b7d2317c 100644
--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin com.github.bleakgrey.tootle
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 
 # Settings are immutable
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile
index 5f2a1c3e6..ab389d3ee 100644
--- a/etc/profile-a-l/com.github.dahenson.agenda.profile
+++ b/etc/profile-a-l/com.github.dahenson.agenda.profile
@@ -51,7 +51,7 @@ disable-mnt
 private-bin com.github.dahenson.agenda
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
+private-etc @x11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
index 21f37494b..f4533b537 100644
--- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
+++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
@@ -54,7 +54,7 @@ disable-mnt
 private-bin com.github.johnfactotum.Foliate,gjs
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gconf,gtk-3.0,ld.so.cache,ld.so.preload
+private-etc @x11,gconf
 private-tmp
 
 read-only ${HOME}
diff --git a/etc/profile-a-l/com.github.phase1geo.minder.profile b/etc/profile-a-l/com.github.phase1geo.minder.profile
index 07a6a6813..22a64cb35 100644
--- a/etc/profile-a-l/com.github.phase1geo.minder.profile
+++ b/etc/profile-a-l/com.github.phase1geo.minder.profile
@@ -51,7 +51,7 @@ disable-mnt
 private-bin com.github.phase1geo.minder
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,passwd,X11,xdg
+private-etc @x11,mime.types
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/com.github.tchx84.Flatseal.profile b/etc/profile-a-l/com.github.tchx84.Flatseal.profile
index fd4494e92..eee98ba8d 100644
--- a/etc/profile-a-l/com.github.tchx84.Flatseal.profile
+++ b/etc/profile-a-l/com.github.tchx84.Flatseal.profile
@@ -51,7 +51,7 @@ disable-mnt
 private-bin com.github.tchx84.Flatseal,gjs
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
+private-etc @x11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile
index 793de8ab4..21b576fb7 100644
--- a/etc/profile-a-l/coyim.profile
+++ b/etc/profile-a-l/coyim.profile
@@ -39,7 +39,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,ssl
+private-etc @tls-ca
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile
index 842191f3f..601daacfa 100644
--- a/etc/profile-a-l/crow.profile
+++ b/etc/profile-a-l/crow.profile
@@ -38,7 +38,7 @@ seccomp
 disable-mnt
 private-bin crow
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-etc @tls-ca,@x11
 private-opt none
 private-tmp
 private-srv none
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
index 63d89ec36..7dd5ca260 100644
--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -49,7 +49,7 @@ disable-mnt
 private-bin d-feet,python*
 private-cache
 private-dev
-private-etc alternatives,dbus-1,fonts,ld.so.cache,ld.so.preload,machine-id
+private-etc dbus-1
 private-tmp
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
index b259c7e93..80790bb0c 100644
--- a/etc/profile-a-l/dbus-send.profile
+++ b/etc/profile-a-l/dbus-send.profile
@@ -50,7 +50,7 @@ private
 private-bin dbus-send
 private-cache
 private-dev
-private-etc alternatives,dbus-1,ld.so.cache,ld.so.preload
+private-etc dbus-1
 private-lib libpcre*
 private-tmp
 
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index 876e637b2..e2e2492bc 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin dconf-editor
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id
+private-etc @x11
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile
index 5136445da..2b2ada742 100644
--- a/etc/profile-a-l/dconf.profile
+++ b/etc/profile-a-l/dconf.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin dconf,gsettings
 private-cache
 private-dev
-private-etc alternatives,dconf,ld.so.cache,ld.so.preload
+private-etc @x11
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile
index 8ea5d178e..9811c90d6 100644
--- a/etc/profile-a-l/ddgtk.profile
+++ b/etc/profile-a-l/ddgtk.profile
@@ -44,7 +44,7 @@ tracelog
 disable-mnt
 private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr
 private-cache
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
index ef31fc3eb..066cdc8b0 100644
--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -41,7 +41,7 @@ disable-mnt
 private-bin devhelp
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,ssl
+private-etc @tls-ca,@x11
 private-tmp
 
 # makes settings immutable
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile
index 0579547af..4461c2a82 100644
--- a/etc/profile-a-l/devilspie.profile
+++ b/etc/profile-a-l/devilspie.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin devilspie
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-lib gconv
 private-tmp
 
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile
index 3ee58147a..7c0fee9c3 100644
--- a/etc/profile-a-l/dig.profile
+++ b/etc/profile-a-l/dig.profile
@@ -48,7 +48,7 @@ tracelog
 disable-mnt
 private-bin bash,dig,sh
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload,login.defs,passwd,resolv.conf
+private-etc
 # Add the next line to your dig.local on non Debian/Ubuntu OS (see issue #3038).
 #private-lib
 private-tmp
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index bf49c8d48..c53170126 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -24,7 +24,7 @@ whitelist ${HOME}/.config/BetterDiscord
 whitelist ${HOME}/.local/share/betterdiscordctl
 
 private-bin awk,bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,which,xdg-mime,xdg-open,zsh
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
+private-etc @tls-ca
 
 join-or-start discord
 
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile
index 15f6e441d..bf77828be 100644
--- a/etc/profile-a-l/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -39,7 +39,7 @@ seccomp
 private-bin display,python*
 private-dev
 # On Debian-based systems, display is a symlink in /etc/alternatives
-private-etc alternatives,ImageMagick-6,ImageMagick-7,ld.so.cache,ld.so.preload
+private-etc ImageMagick-6,ImageMagick-7
 private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libgomp.so.*,ImageMagick*,libfreetype.so.*,libltdl.so.*,libMagickWand-*.so.*,libXext.so.*
 private-tmp
 
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile
index acaf2e021..9743ebfbd 100644
--- a/etc/profile-a-l/dolphin-emu.profile
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -54,7 +54,7 @@ private-bin bash,dolphin-emu,dolphin-emu-x11,sh
 private-cache
 # Add the next line to your dolphin-emu.local if you do not need controller support.
 #private-dev
-private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
+private-etc @tls-ca,@x11,bumblebee,gconf,glvnd,host.conf,mime.types,rpc,services
 private-opt none
 private-tmp
 
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile
index 9d9fa291b..79366b8ee 100644
--- a/etc/profile-a-l/drawio.profile
+++ b/etc/profile-a-l/drawio.profile
@@ -44,7 +44,7 @@ seccomp !chroot
 private-bin drawio
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile
index 920eb7697..40fd8be7c 100644
--- a/etc/profile-a-l/easystroke.profile
+++ b/etc/profile-a-l/easystroke.profile
@@ -44,7 +44,7 @@ disable-mnt
 #private-bin bash,easystroke,sh
 private-cache
 private-dev
-private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd
+private-etc
 # breaks custom shell command functionality
 #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
diff --git a/etc/profile-a-l/electron-hardened.inc.profile b/etc/profile-a-l/electron-hardened.inc.profile
index eacf5cebe..a9e1756d9 100644
--- a/etc/profile-a-l/electron-hardened.inc.profile
+++ b/etc/profile-a-l/electron-hardened.inc.profile
@@ -7,4 +7,4 @@ include electron-hardened.inc.local
 #include globals.local
 
 # Redirect
-include chrome-common-hardened.inc.profile
+include chromium-common-hardened.inc.profile
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index d0d0f2168..4872223f1 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -29,7 +29,7 @@ read-only ${HOME}/.mozilla/firefox/profiles.ini
 machine-id
 nosound
 
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca,@x11
 private-opt ElectronMail
 
 dbus-user filter
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile
index 78a996f71..48ce0aa22 100644
--- a/etc/profile-a-l/electrum.profile
+++ b/etc/profile-a-l/electrum.profile
@@ -46,7 +46,7 @@ private-bin electrum,python*
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl
+private-etc @tls-ca,@x11
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 0d5d18fe2..86442d441 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -69,7 +69,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,localtime,machine-id,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,timezone,xdg
+private-etc @tls-ca,@x11,gnupg,hosts.conf,mailname,timezone
 private-tmp
 # encrypting and signing email
 writable-run-user
diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile
index 37a6c088b..051c75fc1 100644
--- a/etc/profile-a-l/enchant.profile
+++ b/etc/profile-a-l/enchant.profile
@@ -47,7 +47,7 @@ x11 none
 private-bin enchant,enchant-*
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index 83abb551e..c487a5add 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -46,7 +46,7 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
+private-etc @x11
 private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp
 
diff --git a/etc/profile-a-l/ephemeral.profile b/etc/profile-a-l/ephemeral.profile
index adda53660..8b32d08b1 100644
--- a/etc/profile-a-l/ephemeral.profile
+++ b/etc/profile-a-l/ephemeral.profile
@@ -55,7 +55,7 @@ disable-mnt
 private-cache
 ?BROWSER_DISABLE_U2F: private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
-#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,login.defs,machine-id,mailcap,mime.types,nsswitch.conf,os-release,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+#private-etc @tls-ca,@x11,mailcap,mime.types,os-release
 private-tmp
 
 # breaks preferences
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile
index 2fe0a4af4..8cbdccbb5 100644
--- a/etc/profile-a-l/equalx.profile
+++ b/etc/profile-a-l/equalx.profile
@@ -53,7 +53,7 @@ disable-mnt
 private-bin equalx,gs,pdflatex,pdftocairo
 private-cache
 private-dev
-private-etc alternatives,equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,ld.so.cache,ld.so.preload,machine-id,papersize,passwd,texlive,Trolltech.conf
+private-etc @x11,equalx,equalx.conf,latexmk.conf,papersize,texlive
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 95115d484..75a3958ad 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -54,7 +54,7 @@ tracelog
 private-bin evince,evince-previewer,evince-thumbnailer,sh
 private-cache
 private-dev
-private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd
+private-etc
 # private-lib might break two-page-view on some systems
 private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile
index 45331487c..a8be4828f 100644
--- a/etc/profile-a-l/exiftool.profile
+++ b/etc/profile-a-l/exiftool.profile
@@ -47,7 +47,7 @@ x11 none
 #private-bin exiftool,perl
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index 2daf1ff15..d805766eb 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -47,7 +47,7 @@ disable-mnt
 # private-bin falkon
 private-cache
 private-dev
-private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc @tls-ca,@x11,adobe,mailcap,mime.types
 private-tmp
 
 # dbus-user filter
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index 248cb5b49..77e16a56b 100644
--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -42,7 +42,7 @@ private
 private-bin bash,fdns,sh
 private-cache
 #private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
+private-etc @tls-ca,fdns
 # private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/feh-network.inc.profile b/etc/profile-a-l/feh-network.inc.profile
index 7293e89a8..4b45cd198 100644
--- a/etc/profile-a-l/feh-network.inc.profile
+++ b/etc/profile-a-l/feh-network.inc.profile
@@ -5,4 +5,4 @@ include feh-network.inc.local
 ignore net none
 netfilter
 protocol unix,inet,inet6
-private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
+private-etc @tls-ca
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
index be5ab8627..82b3f7645 100644
--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -35,7 +35,7 @@ seccomp
 private-bin feh,jpegexiforient,jpegtran
 private-cache
 private-dev
-private-etc alternatives,feh,ld.so.cache,ld.so.preload
+private-etc feh
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
index 160f26f78..b7d54f05d 100644
--- a/etc/profile-a-l/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -47,7 +47,7 @@ tracelog
 private-bin ffmpeg
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pkcs11,pki,resolv.conf,ssl
+private-etc @tls-ca,pkcs11
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/ffplay.profile b/etc/profile-a-l/ffplay.profile
index 52abb99d4..5cffd4980 100644
--- a/etc/profile-a-l/ffplay.profile
+++ b/etc/profile-a-l/ffplay.profile
@@ -14,7 +14,7 @@ ignore nogroups
 ignore nosound
 
 private-bin ffplay
-private-etc alsa,alternatives,asound.conf,group,ld.so.cache,ld.so.preload
+private-etc
 
 # Redirect
 include ffmpeg.profile
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index ef4e0e117..4f39bec55 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -42,7 +42,7 @@ tracelog
 private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg
+private-etc @x11
 # private-tmp
 
 dbus-system none
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 57c9b5dfb..42d12c5d9 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -57,9 +57,7 @@ seccomp !chroot
 
 disable-mnt
 ?BROWSER_DISABLE_U2F: private-dev
-# private-etc below works fine on most distributions. There are some problems on CentOS.
-# Add it to your firefox-common.local if you want to enable it.
-#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+# private-etc below works fine on most distributions. There could be some problems on CentOS.
 private-etc @tls-ca,@x11,mailcap,mime.types,os-release
 private-tmp
 
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index 0984055a3..3f4432857 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -51,7 +51,7 @@ tracelog
 disable-mnt
 private-bin flameshot
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,pki,resolv.conf,ssl
+private-etc @tls-ca
 private-dev
 #private-tmp
 
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile
index a614d7d9f..fe0bc8756 100644
--- a/etc/profile-a-l/fractal.profile
+++ b/etc/profile-a-l/fractal.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin fractal
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/freemind.profile b/etc/profile-a-l/freemind.profile
index ae5843f7f..9bf5a14be 100644
--- a/etc/profile-a-l/freemind.profile
+++ b/etc/profile-a-l/freemind.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin bash,cp,dirname,dpkg,echo,freemind,grep,java,lsb_release,mkdir,readlink,rpm,sed,sh,uname,which
 private-cache
 private-dev
-#private-etc alternatives,fonts,java
+#private-etc alternatives,fonts,java*
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
index bcde18b36..bdc5fa557 100644
--- a/etc/profile-a-l/freetube.profile
+++ b/etc/profile-a-l/freetube.profile
@@ -18,7 +18,7 @@ mkdir ${HOME}/.config/FreeTube
 whitelist ${HOME}/.config/FreeTube
 
 private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc @tls-ca,@x11,host.conf,mime.types
 
 dbus-user filter
 dbus-user.own org.mpris.MediaPlayer2.chromium.*
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index 067fe3caa..d9ee054ab 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin frogatto,sh
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index 86a8a8fc6..f162a4a31 100644
--- a/etc/profile-a-l/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -22,6 +22,7 @@ mkdir ${HOME}/.frozen-bubble
 whitelist ${HOME}/.frozen-bubble
 include whitelist-common.inc
 include whitelist-runuser-common.inc
+whitelist /usr/share/games
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -42,6 +43,7 @@ tracelog
 disable-mnt
 # private-bin frozen-bubble
 private-dev
+private-etc @games,@x11
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
index d4d578dd4..ed7b32f6e 100644
--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -58,7 +58,7 @@ disable-mnt
 private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg
+private-etc @tls-ca,@x11
 private-tmp
 writable-run-user
 
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
index 0fba8ac07..96ded592d 100644
--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -42,7 +42,7 @@ tracelog
 private-bin galculator
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile
index 2947873ef..9c8200dc4 100644
--- a/etc/profile-a-l/gallery-dl.profile
+++ b/etc/profile-a-l/gallery-dl.profile
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/gallery-dl
 noblacklist ${HOME}/.gallery-dl.conf
 
 private-bin gallery-dl
-private-etc alternatives,gallery-dl.conf,ld.so.cache,ld.so.preload
+private-etc gallery-dl.conf
 
 # Redirect
 include youtube-dl.profile
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index 106e0eda6..baf8f614e 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -48,7 +48,7 @@ private
 private-bin gapplication
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 # Add the next line to your gapplication.local to filter D-Bus names.
diff --git a/etc/profile-a-l/gcloud.profile b/etc/profile-a-l/gcloud.profile
index 313b34a53..ad37312a8 100644
--- a/etc/profile-a-l/gcloud.profile
+++ b/etc/profile-a-l/gcloud.profile
@@ -35,7 +35,7 @@ tracelog
 
 disable-mnt
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile
index 5b434342b..ead78d983 100644
--- a/etc/profile-a-l/gconf.profile
+++ b/etc/profile-a-l/gconf.profile
@@ -53,7 +53,7 @@ disable-mnt
 private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2*
 private-cache
 private-dev
-private-etc alternatives,fonts,gconf,ld.so.cache,ld.so.preload
+private-etc gconf
 private-lib GConf,libpython*,python2*
 private-tmp
 
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index 6aaf1ab05..a19a20ba7 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -75,7 +75,7 @@ tracelog
 #private-bin geary,sh
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mailcap,mime.types,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
+private-etc @tls-ca,@x11,mailcap,mime.types
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index cda47a7e9..3a929774a 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -47,7 +47,7 @@ disable-mnt
 #private-bin bash,geekbench*,sh -- #4576
 private-cache
 private-dev
-private-etc alternatives,group,ld.so.cache,ld.so.preload,lsb-release,passwd
+private-etc lsb-release
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index d3d49433b..1c97ad21c 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -60,7 +60,7 @@ disable-mnt
 private-bin gfeeds,python3*
 # private-cache -- feeds are stored in ~/.cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,fonts,gconf,group,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
+private-etc @tls-ca,@x11,dbus-1,gconf,host.conf,mime.types,rpc,services
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile
index 02c4f9509..11d5f620c 100644
--- a/etc/profile-a-l/gget.profile
+++ b/etc/profile-a-l/gget.profile
@@ -48,7 +48,7 @@ disable-mnt
 private-bin gget
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
+private-etc @tls-ca
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index 9c719ddb1..dabf0dd7f 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -51,7 +51,7 @@ private-bin context,gettext,ghostwriter,latex,mktexfmt,pandoc,pdflatex,pdfroff,p
 private-cache
 private-dev
 # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
-private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,texlive,Trolltech.conf,X11,xdg
+private-etc @tls-ca,@x11,dbus-1,firejail,gconf,host.conf,mime.types,rpc,services,texlive
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index f29929a72..717519112 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -59,7 +59,7 @@ seccomp !mbind
 tracelog
 
 private-dev
-private-etc @x11,gcrypt,python*
+private-etc @tls-ca,@x11,python*
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile
index d315619b7..6eea076f7 100644
--- a/etc/profile-a-l/gist.profile
+++ b/etc/profile-a-l/gist.profile
@@ -51,7 +51,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index 2f7068d68..49568ba23 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -69,7 +69,7 @@ tracelog
 private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
+private-etc @tls-ca,@x11,gitconfig,host.conf,mime.types,ssh
 private-tmp
 writable-run-user
 
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile
index 0f9ed9592..e3cf87c87 100644
--- a/etc/profile-a-l/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
@@ -36,7 +36,7 @@ seccomp
 
 disable-mnt
 private-bin bash,env,gitter
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,pulse,resolv.conf,ssl
+private-etc @tls-ca
 private-opt Gitter
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile
index 92ba70113..fbfbdd204 100644
--- a/etc/profile-a-l/gl-117.profile
+++ b/etc/profile-a-l/gl-117.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin gl-117
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,bumblebee,drirc,glvnd,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pulse
+private-etc @x11,bumblebee,glvnd
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile
index d61b566d8..5aa69f714 100644
--- a/etc/profile-a-l/glaxium.profile
+++ b/etc/profile-a-l/glaxium.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin glaxium
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,bumblebee,drirc,glvnd,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pulse
+private-etc @x11,bumblebee,glvnd
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile
index b337dc4d5..f3e045000 100644
--- a/etc/profile-a-l/gmpc.profile
+++ b/etc/profile-a-l/gmpc.profile
@@ -43,7 +43,7 @@ tracelog
 disable-mnt
 #private-bin gmpc
 private-cache
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,resolv.conf
+private-etc
 private-tmp
 writable-run-user
 
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index 3926146ff..e5c6022e8 100644
--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -45,6 +45,7 @@ disable-mnt
 private-bin gnome-calculator
 private-cache
 private-dev
+private-etc @x11
 #private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*,libgnutls.so.*,libproxy.so.*,librsvg-2.so.*,libxml2.so.*
 private-tmp
 
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index b0d3f1d34..70a302138 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -44,7 +44,7 @@ private
 private-bin gnome-calendar
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca,@x11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
index 2e11f335b..9e9730e53 100644
--- a/etc/profile-a-l/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -48,7 +48,7 @@ disable-mnt
 private-bin gjs,gnome-characters
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,X11,xdg
+private-etc @x11,gconf,mime.types
 private-tmp
 
 # Add the next lines to your gnome-characters.local if you don't need access to recently used chars.
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile
index 78bd54b64..9f5174b9e 100644
--- a/etc/profile-a-l/gnome-chess.profile
+++ b/etc/profile-a-l/gnome-chess.profile
@@ -49,7 +49,7 @@ disable-mnt
 private-bin fairymax,gnome-chess,gnuchess,hoichess
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.cache,ld.so.preload
+private-etc @x11,gnome-chess
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile
index 5563afcbd..f290b26de 100644
--- a/etc/profile-a-l/gnome-clocks.profile
+++ b/etc/profile-a-l/gnome-clocks.profile
@@ -41,7 +41,7 @@ disable-mnt
 private-bin gnome-clocks,gsound-play
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pkcs11,pki,resolv.conf,ssl
+private-etc @tls-ca,@x11,pkcs11
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
index f0493c645..4f436202c 100644
--- a/etc/profile-a-l/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -41,7 +41,7 @@ private
 private-bin gnome-hexgl
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index 43e0a1ec1..b15439aee 100644
--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -47,7 +47,7 @@ tracelog
 private-cache
 private-dev
 # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
-private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.cache,ld.so.preload,login.defs,passwd,texlive
+private-etc @x11,latexmk.conf,texlive
 
 dbus-system none
 
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index b619b0f27..61f4f4107 100644
--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -39,7 +39,7 @@ disable-mnt
 private-bin gnome-logs
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id
+private-etc
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 writable-var-log
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index d14b2a5a1..17f52e588 100644
--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -63,7 +63,7 @@ disable-mnt
 private-bin gjs,gnome-maps
 # private-cache -- gnome-maps cache all maps/satelite-images
 private-dev
-private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
+private-etc @tls-ca,@x11,clutter-1.0,gconf,host.conf,mime.types,pkcs11,rpc,services
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile
index ec033dbf0..22d5f87ea 100644
--- a/etc/profile-a-l/gnome-music.profile
+++ b/etc/profile-a-l/gnome-music.profile
@@ -41,7 +41,7 @@ tracelog
 # private-bin calls a file manager - whatever is installed!
 #private-bin env,gio-launch-desktop,gnome-music,python*,yelp
 private-dev
-private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,xdg
+private-etc @x11
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index 0d7fb2de8..450e76082 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -52,7 +52,7 @@ disable-mnt
 private-bin gnome-passwordsafe,python3*
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd
+private-etc @x11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile
index 6d90773aa..ac0fb555d 100644
--- a/etc/profile-a-l/gnome-pie.profile
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -33,7 +33,7 @@ seccomp
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
+private-etc
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
index fb019227f..9906b15d9 100644
--- a/etc/profile-a-l/gnome-pomodoro.profile
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin gnome-pomodoro
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id
+private-etc @x11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile
index 75f3199e2..aa1ded516 100644
--- a/etc/profile-a-l/gnome-recipes.profile
+++ b/etc/profile-a-l/gnome-recipes.profile
@@ -46,7 +46,7 @@ seccomp
 disable-mnt
 private-bin gnome-recipes,tar
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,ssl
+private-etc @tls-ca
 private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.*
 private-tmp
 
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
index 74238a109..25be407b5 100644
--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -41,7 +41,7 @@ tracelog
 disable-mnt
 private-bin gnome-screenshot
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,machine-id
+private-etc @x11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
index d07bd80a7..f278b332b 100644
--- a/etc/profile-a-l/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -39,7 +39,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pango,pulse,xdg
+private-etc @games,@x11
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index 4c74c0a61..f4e985342 100644
--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin gnome-system-log
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id
+private-etc
 private-lib
 private-tmp
 writable-var-log
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile
index ae7ea83d8..5c375de2d 100644
--- a/etc/profile-a-l/gnome-todo.profile
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin gnome-todo
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,passwd,xdg
+private-etc @x11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile
index c9145d78e..c03d41f06 100644
--- a/etc/profile-a-l/gnome_games-common.profile
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -40,7 +40,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pango,passwd,X11
+private-etc @x11,gconf
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile
index d7944ae24..c6ce0c2c0 100644
--- a/etc/profile-a-l/gnote.profile
+++ b/etc/profile-a-l/gnote.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-bin gnote
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,pango,X11
+private-etc @x11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile
index bdbcf9baf..025cb74b6 100644
--- a/etc/profile-a-l/gnubik.profile
+++ b/etc/profile-a-l/gnubik.profile
@@ -42,7 +42,7 @@ private
 private-bin gnubik
 private-cache
 private-dev
-private-etc alternatives,drirc,fonts,gtk-2.0,ld.so.cache,ld.so.preload
+private-etc @x11
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
index 36a2cae07..5e41384ab 100644
--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -37,7 +37,7 @@ tracelog
 # private-bin godot
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,ld.so.cache,ld.so.preload,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
+private-etc @games,@tls-ca,@x11,mono
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/goldendict.profile b/etc/profile-a-l/goldendict.profile
index 327648cd1..822e5ffc2 100644
--- a/etc/profile-a-l/goldendict.profile
+++ b/etc/profile-a-l/goldendict.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-bin goldendict
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile
index da7c24581..58769643a 100644
--- a/etc/profile-a-l/googler-common.profile
+++ b/etc/profile-a-l/googler-common.profile
@@ -53,7 +53,7 @@ disable-mnt
 private-bin env,python3*,sh,w3m
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc @tls-ca,host.conf,rpc,services
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile
index 1012f5774..0525995c3 100644
--- a/etc/profile-a-l/gpicview.profile
+++ b/etc/profile-a-l/gpicview.profile
@@ -40,7 +40,7 @@ tracelog
 private-bin gpicview
 private-cache
 private-dev
-private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd
+private-etc
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile
index 53a6f94e2..99c840a27 100644
--- a/etc/profile-a-l/gpredict.profile
+++ b/etc/profile-a-l/gpredict.profile
@@ -35,7 +35,7 @@ tracelog
 
 private-bin gpredict
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
+private-etc @tls-ca
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile
index 368482fa3..a0d2247e0 100644
--- a/etc/profile-a-l/gradio.profile
+++ b/etc/profile-a-l/gradio.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin gradio
 private-cache
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-etc @tls-ca,@x11,host.conf
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
index 02a49134c..19af7c0b9 100644
--- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -39,7 +39,7 @@ private
 private-bin gravity-beams-and-evaporating-stars
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile
index 5fd92fd4f..eb09fe381 100644
--- a/etc/profile-a-l/gtk-update-icon-cache.profile
+++ b/etc/profile-a-l/gtk-update-icon-cache.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin gtk-update-icon-cache
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile
index 68b78ec62..ef4aad4da 100644
--- a/etc/profile-a-l/gucharmap.profile
+++ b/etc/profile-a-l/gucharmap.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin gnome-character-map,gucharmap
 private-cache
 private-dev
-private-etc alternatives,dbus-1,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,X11,xdg
+private-etc @x11,dbus-1,gconf,mime.types
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/guvcview.profile b/etc/profile-a-l/guvcview.profile
index db307e940..467bee3a0 100644
--- a/etc/profile-a-l/guvcview.profile
+++ b/etc/profile-a-l/guvcview.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin guvcview
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,bumblebee,dconf,drirc,fonts,glvnd,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pango,pulse,X11
+private-etc @x11,bumblebee,glvnd
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile
index 8f7f74e0d..4be71f6d3 100644
--- a/etc/profile-a-l/gwenview.profile
+++ b/etc/profile-a-l/gwenview.profile
@@ -46,7 +46,7 @@ seccomp
 
 private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
 private-dev
-private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,pulse,xdg
+private-etc @x11,gimp
 
 # dbus-user none
 # dbus-system none
diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile
index fd8246aae..96e69d6cf 100644
--- a/etc/profile-a-l/hasher-common.profile
+++ b/etc/profile-a-l/hasher-common.profile
@@ -48,6 +48,7 @@ x11 none
 # Add the next line to your hasher-common.local if you don't need to hash files in ~/.cache.
 #private-cache
 private-dev
+private-etc
 # Add the next line to your hasher-common.local if you don't need to hash files in /tmp.
 #private-tmp
 
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
index 91b73e8e9..ccbb66333 100644
--- a/etc/profile-a-l/homebank.profile
+++ b/etc/profile-a-l/homebank.profile
@@ -49,7 +49,7 @@ disable-mnt
 private-bin homebank
 private-cache
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11
+private-etc @tls-ca,@x11,mime.types
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/host.profile b/etc/profile-a-l/host.profile
index b33709ef0..3f7901d3f 100644
--- a/etc/profile-a-l/host.profile
+++ b/etc/profile-a-l/host.profile
@@ -42,7 +42,7 @@ tracelog
 disable-mnt
 private
 private-bin bash,host,sh
-private-etc alternatives,ld.so.cache,ld.so.preload,login.defs,passwd,resolv.conf
+private-etc
 private-dev
 private-tmp
 
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile
index 13dc06ecc..72d28ed08 100644
--- a/etc/profile-a-l/hyperrogue.profile
+++ b/etc/profile-a-l/hyperrogue.profile
@@ -43,7 +43,7 @@ private-bin hyperrogue
 private-cache
 private-cwd
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile
index 757af67b0..6ee92e986 100644
--- a/etc/profile-a-l/i2prouter.profile
+++ b/etc/profile-a-l/i2prouter.profile
@@ -67,7 +67,7 @@ seccomp
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
+private-etc @tls-ca,@x11,i2p,java*
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-a-l/io.github.lainsce.Notejot.profile b/etc/profile-a-l/io.github.lainsce.Notejot.profile
index cb2f30350..4730802a2 100644
--- a/etc/profile-a-l/io.github.lainsce.Notejot.profile
+++ b/etc/profile-a-l/io.github.lainsce.Notejot.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-bin io.github.lainsce.Notejot
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-etc @x11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile
index 983c31bcb..7eabbca84 100644
--- a/etc/profile-a-l/ipcalc.profile
+++ b/etc/profile-a-l/ipcalc.profile
@@ -49,7 +49,7 @@ private-bin bash,ipcalc,ipcalc-ng,perl,sh
 # private-cache
 private-dev
 # empty etc directory
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-lib
 private-opt none
 private-tmp
diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile
index 3136b412e..0cdfa2ace 100644
--- a/etc/profile-a-l/jerry.profile
+++ b/etc/profile-a-l/jerry.profile
@@ -33,7 +33,7 @@ tracelog
 
 private-bin bash,jerry,sh,stockfish
 private-dev
-private-etc alternatives,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload
+private-etc @x11
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile
index edb7ed840..8c85d1043 100644
--- a/etc/profile-a-l/jitsi-meet-desktop.profile
+++ b/etc/profile-a-l/jitsi-meet-desktop.profile
@@ -21,7 +21,7 @@ mkdir ${HOME}/.config/Jitsi Meet
 whitelist ${HOME}/.config/Jitsi Meet
 
 private-bin bash,electron,electron[0-9],electron[0-9][0-9],jitsi-meet-desktop,sh
-private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-etc @tls-ca,@x11,bumblebee,glvnd,host.conf,mime.types,rpc,services
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile
index 66d63283a..cefceefed 100644
--- a/etc/profile-a-l/jumpnbump.profile
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -40,7 +40,7 @@ disable-mnt
 private-bin jumpnbump
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile
index bde52f30e..a4e67cf6b 100644
--- a/etc/profile-a-l/kalgebra.profile
+++ b/etc/profile-a-l/kalgebra.profile
@@ -41,7 +41,7 @@ disable-mnt
 private-bin kalgebra,kalgebramobile
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index c01000af1..70414eeea 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -48,7 +48,7 @@ disable-mnt
 # private-bin kazam,python*
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,X11,xdg
+private-etc @x11
 private-tmp
 
 dbus-system none
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile
index ea56f2d39..cfb756c43 100644
--- a/etc/profile-a-l/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -59,7 +59,7 @@ disable-mnt
 private-bin kcalc
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.conf
+private-etc
 # private-lib - problems on Arch
 private-tmp
 
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile
index e0b3eadfd..d9e4480f5 100644
--- a/etc/profile-a-l/kdiff3.profile
+++ b/etc/profile-a-l/kdiff3.profile
@@ -52,6 +52,7 @@ disable-mnt
 private-bin kdiff3
 private-cache
 private-dev
+private-etc @x11
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-a-l/keepassx.profile b/etc/profile-a-l/keepassx.profile
index 935fe3933..4644d598d 100644
--- a/etc/profile-a-l/keepassx.profile
+++ b/etc/profile-a-l/keepassx.profile
@@ -40,7 +40,7 @@ tracelog
 
 private-bin keepassx,keepassx2
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 80374690c..f7959ca81 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -89,7 +89,7 @@ private-bin keepassxc,keepassxc-cli,keepassxc-proxy
 # hardware keys) on /dev after it has already started; add "ignore private-dev"
 # to keepassxc.local if this is an issue (see #4883).
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
+private-etc
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile
index 424fb006e..651571fd9 100644
--- a/etc/profile-a-l/kid3.profile
+++ b/etc/profile-a-l/kid3.profile
@@ -36,7 +36,7 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
+private-etc @tls-ca,@x11
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile
index 5a028aeea..2e369b945 100644
--- a/etc/profile-a-l/kiwix-desktop.profile
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -43,7 +43,7 @@ seccomp !chroot
 disable-mnt
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
+private-etc @tls-ca
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile
index 0785b904d..faf6a2d08 100644
--- a/etc/profile-a-l/klavaro.profile
+++ b/etc/profile-a-l/klavaro.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin bash,klavaro,sh,tclsh,tclsh*
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile
index 68ef6111a..b5ce96e70 100644
--- a/etc/profile-a-l/ktouch.profile
+++ b/etc/profile-a-l/ktouch.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin ktouch
 private-cache
 private-dev
-private-etc alternatives,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id
+private-etc @x11
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 0cdfe4f10..5183a9327 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -67,7 +67,7 @@ tracelog
 private-bin kube,sink_synchronizer
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg
+private-etc @tls-ca,@x11
 private-tmp
 writable-run-user
 
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile
index 7ecf26d8e..589811643 100644
--- a/etc/profile-a-l/kwin_x11.profile
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -42,7 +42,7 @@ tracelog
 disable-mnt
 private-bin kwin_x11
 private-dev
-private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id,xdg
+private-etc @x11
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile
index 18a024c7e..34fe2ace6 100644
--- a/etc/profile-a-l/kwrite.profile
+++ b/etc/profile-a-l/kwrite.profile
@@ -46,7 +46,7 @@ tracelog
 
 private-bin kbuildsycoca4,kdeinit4,kwrite
 private-dev
-private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,pulse,xdg
+private-etc @x11
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index 518928876..d7144d8c3 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -50,6 +50,7 @@ tracelog
 #private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls
 private-cache
 private-dev
+private-etc @tls-ca,@x11,cups,gnupg,libreoffice,papersize,ssh
 private-tmp
 
 dbus-system none
diff --git a/etc/profile-a-l/lifeograph.profile b/etc/profile-a-l/lifeograph.profile
index 025156d2d..4440757ad 100644
--- a/etc/profile-a-l/lifeograph.profile
+++ b/etc/profile-a-l/lifeograph.profile
@@ -48,7 +48,7 @@ disable-mnt
 private-bin lifeograph
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-etc @x11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
index 22a4a2a2a..838d619b7 100644
--- a/etc/profile-a-l/links-common.profile
+++ b/etc/profile-a-l/links-common.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-bin sh
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca
 # Add the next line to your links-common.local to allow external media players.
 # private-etc alsa,asound.conf,machine-id,openal,pulse
 private-tmp
diff --git a/etc/profile-a-l/linuxqq.profile b/etc/profile-a-l/linuxqq.profile
index 8855f09f5..83f3d11d3 100644
--- a/etc/profile-a-l/linuxqq.profile
+++ b/etc/profile-a-l/linuxqq.profile
@@ -23,7 +23,7 @@ noprinters
 
 # If you don't need/want to save anything to disk you can add `private` to your linuxqq.local.
 #private
-private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
+private-etc @tls-ca,@x11,host.conf,os-release
 private-opt QQ
 
 dbus-user filter
diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile
index 78b78662b..bb13e0301 100644
--- a/etc/profile-a-l/lollypop.profile
+++ b/etc/profile-a-l/lollypop.profile
@@ -36,7 +36,7 @@ protocol unix,inet,inet6
 seccomp
 
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-etc @tls-ca,@x11,host.conf
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
index ae2f2d434..c3366acef 100644
--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -32,7 +32,7 @@ apparmor
 machine-id
 
 # private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
-private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg
+private-etc @x11,lyx,mime.types,texmf
 
 # Redirect
 include latex-common.profile
diff --git a/etc/profile-m-z/PCSX2.profile b/etc/profile-m-z/PCSX2.profile
index 902fc9a6a..e75de80ac 100644
--- a/etc/profile-m-z/PCSX2.profile
+++ b/etc/profile-m-z/PCSX2.profile
@@ -47,7 +47,7 @@ private-bin PCSX2
 private-cache
 # Add the next line to your PCSX2.local if you do not need controller support.
 #private-dev
-private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-etc @tls-ca,@x11,bumblebee,gconf,glvnd,host.conf,mime.types,rpc,services
 private-opt none
 private-tmp
 
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
index 22c4c4631..f8b5cec13 100644
--- a/etc/profile-m-z/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -71,7 +71,7 @@ disable-mnt
 private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer
 private-cache
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,login.defs,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
+private-etc @tls-ca
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile
index 6140de60f..eed839041 100644
--- a/etc/profile-m-z/QOwnNotes.profile
+++ b/etc/profile-m-z/QOwnNotes.profile
@@ -49,7 +49,7 @@ tracelog
 disable-mnt
 private-bin gio,QOwnNotes
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-etc @tls-ca,host.conf
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile
index 2ea185ec0..34d500bb1 100644
--- a/etc/profile-m-z/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -32,7 +32,7 @@ seccomp !chroot
 
 disable-mnt
 private-bin awk,bash,dig,sh,Viber
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
+private-etc @tls-ca,@x11,mailcap,proxychains.conf
 private-tmp
 
 # restrict-namespaces
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
index 8bf79f554..ee19fa3b0 100644
--- a/etc/profile-m-z/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -42,7 +42,7 @@ private
 # private-bin sh,xkbcomp,Xvfb
 # private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
 private-dev
-private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,nsswitch.conf,resolv.conf
+private-etc gai.conf,host.conf
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile
index e5d994b57..d9990825a 100644
--- a/etc/profile-m-z/magicor.profile
+++ b/etc/profile-m-z/magicor.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin magicor,python2*
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
index 0e3f9e6e2..cdf1d807f 100644
--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -56,7 +56,7 @@ disable-mnt
 #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
 private-cache
 private-dev
-private-etc alternatives,fonts,groff,group,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,login.defs,man_db.conf,manpath.config,passwd,selinux,sysless,xdg
+private-etc @x11,groff,man_db.conf,manpath.config,sysless
 #private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile
index 7066f4229..2fb527ad5 100644
--- a/etc/profile-m-z/marker.profile
+++ b/etc/profile-m-z/marker.profile
@@ -53,7 +53,7 @@ tracelog
 private-bin marker,python3*
 private-cache
 private-dev
-private-etc alternatives,dconfgtk-3.0,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,pango,X11
+private-etc @x11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile
index 176506ff2..95a16cbb8 100644
--- a/etc/profile-m-z/masterpdfeditor.profile
+++ b/etc/profile-m-z/masterpdfeditor.profile
@@ -35,7 +35,7 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile
index e3a5c6ab6..ee780333d 100644
--- a/etc/profile-m-z/mate-calc.profile
+++ b/etc/profile-m-z/mate-calc.profile
@@ -41,7 +41,7 @@ seccomp
 
 disable-mnt
 private-bin mate-calc,mate-calculator
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
+private-etc @x11
 private-dev
 private-opt none
 private-tmp
diff --git a/etc/profile-m-z/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile
index 337c2d6e5..37cae5c70 100644
--- a/etc/profile-m-z/mate-color-select.profile
+++ b/etc/profile-m-z/mate-color-select.profile
@@ -32,7 +32,7 @@ seccomp
 
 disable-mnt
 private-bin mate-color-select
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 private-dev
 private-lib
 private-tmp
diff --git a/etc/profile-m-z/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile
index e80b220b7..b56317037 100644
--- a/etc/profile-m-z/mate-dictionary.profile
+++ b/etc/profile-m-z/mate-dictionary.profile
@@ -36,7 +36,7 @@ seccomp
 
 disable-mnt
 private-bin mate-dictionary
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
+private-etc @tls-ca
 private-opt mate-dictionary
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/mattermost-desktop.profile b/etc/profile-m-z/mattermost-desktop.profile
index 3c2bf4fa3..f4eb6d404 100644
--- a/etc/profile-m-z/mattermost-desktop.profile
+++ b/etc/profile-m-z/mattermost-desktop.profile
@@ -17,7 +17,7 @@ include disable-shell.inc
 mkdir ${HOME}/.config/Mattermost
 whitelist ${HOME}/.config/Mattermost
 
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca
 
 # Not tested
 #dbus-user filter
diff --git a/etc/profile-m-z/mcabber.profile b/etc/profile-m-z/mcabber.profile
index 1ebe9aaba..d880228de 100644
--- a/etc/profile-m-z/mcabber.profile
+++ b/etc/profile-m-z/mcabber.profile
@@ -30,6 +30,6 @@ seccomp
 
 private-bin mcabber
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,ssl
+private-etc @tls-ca
 
 restrict-namespaces
diff --git a/etc/profile-m-z/mcomix.profile b/etc/profile-m-z/mcomix.profile
index a3ff768b7..a288f1972 100644
--- a/etc/profile-m-z/mcomix.profile
+++ b/etc/profile-m-z/mcomix.profile
@@ -57,7 +57,7 @@ private-bin 7z,lha,mcomix,mutool,python*,rar,sh,unrar,unzip
 private-cache
 private-dev
 # mcomix <= 1.2 uses gtk-2.0
-private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,X11,xdg
+private-etc @x11,gconf,mime.types
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile
index e1025a1fb..d3b3c6d48 100644
--- a/etc/profile-m-z/mdr.profile
+++ b/etc/profile-m-z/mdr.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin mdr
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-lib
 private-tmp
 
diff --git a/etc/profile-m-z/mediainfo.profile b/etc/profile-m-z/mediainfo.profile
index 12d692b72..01edd23ab 100644
--- a/etc/profile-m-z/mediainfo.profile
+++ b/etc/profile-m-z/mediainfo.profile
@@ -42,7 +42,7 @@ x11 none
 private-bin mediainfo
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
index cd4938ec6..fcac70fb3 100644
--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -51,7 +51,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg
+private-etc @tls-ca,@x11,mime.types
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile
index a26896b19..48ac0ec69 100644
--- a/etc/profile-m-z/mindless.profile
+++ b/etc/profile-m-z/mindless.profile
@@ -41,7 +41,7 @@ private
 private-bin mindless
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile
index e6bf86802..4f2c89b27 100644
--- a/etc/profile-m-z/minecraft-launcher.profile
+++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -50,7 +50,7 @@ private-cache
 private-dev
 # If multiplayer or realms break, add 'private-etc <your-own-java-folder-from-/etc>'
 # or 'ignore private-etc' to your minecraft-launcher.local.
-private-etc alternatives,asound.conf,ati,ca-certificates,crypto-policies,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-14-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,login.defs,machine-id,mime.types,nvidia,passwd,pki,pulse,resolv.conf,selinux,services,ssl,timezone,X11,xdg
+private-etc @tls-ca,@x11,host.conf,java*,mime.types,services,timezone
 private-opt minecraft-launcher
 private-tmp
 
diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile
index ce938c867..9e72f9996 100644
--- a/etc/profile-m-z/minitube.profile
+++ b/etc/profile-m-z/minitube.profile
@@ -53,7 +53,7 @@ disable-mnt
 private-bin minitube
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile
index d36c0fc81..665b32ecf 100644
--- a/etc/profile-m-z/mirage.profile
+++ b/etc/profile-m-z/mirage.profile
@@ -53,7 +53,7 @@ disable-mnt
 private-bin ldconfig,mirage
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile
index 34721b4a3..4943a80af 100644
--- a/etc/profile-m-z/mirrormagic.profile
+++ b/etc/profile-m-z/mirrormagic.profile
@@ -43,7 +43,7 @@ private
 private-bin mirrormagic
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
index 46320f8ea..2ba03ec97 100644
--- a/etc/profile-m-z/mocp.profile
+++ b/etc/profile-m-z/mocp.profile
@@ -41,7 +41,7 @@ tracelog
 private-bin mocp
 private-cache
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
+private-etc @tls-ca
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile
index 89cee657d..ed344ba3f 100644
--- a/etc/profile-m-z/mp3splt-gtk.profile
+++ b/etc/profile-m-z/mp3splt-gtk.profile
@@ -36,7 +36,7 @@ tracelog
 private-bin mp3splt-gtk
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pulse
+private-etc @games,@x11
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mp3splt.profile b/etc/profile-m-z/mp3splt.profile
index 77ad30d0c..ef4635075 100644
--- a/etc/profile-m-z/mp3splt.profile
+++ b/etc/profile-m-z/mp3splt.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin flacsplt,mp3splt,mp3wrap,oggsplt
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile
index 94b342865..a9631733c 100644
--- a/etc/profile-m-z/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -48,7 +48,7 @@ seccomp
 private-bin mpDris2,notify-send,python*
 private-cache
 private-dev
-private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,resolv.conf
+private-etc
 private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3*
 private-tmp
 
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
index 4f7ae09b9..fd79e2a80 100644
--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -51,7 +51,7 @@ disable-mnt
 private-bin love,mrrescue,sh
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/ms-office.profile b/etc/profile-m-z/ms-office.profile
index d979e7401..91e990cf6 100644
--- a/etc/profile-m-z/ms-office.profile
+++ b/etc/profile-m-z/ms-office.profile
@@ -34,7 +34,7 @@ tracelog
 
 disable-mnt
 private-bin bash,env,fonts,jak,ms-office,python*,sh
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
+private-etc @tls-ca
 private-dev
 private-tmp
 
diff --git a/etc/profile-m-z/mupdf-x11-curl.profile b/etc/profile-m-z/mupdf-x11-curl.profile
index 006f64ba8..f8dec6e7d 100644
--- a/etc/profile-m-z/mupdf-x11-curl.profile
+++ b/etc/profile-m-z/mupdf-x11-curl.profile
@@ -12,7 +12,7 @@ ignore net none
 netfilter
 protocol unix,inet,inet6
 
-private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca
 
 # Redirect
 include mupdf.profile
diff --git a/etc/profile-m-z/mupdf.profile b/etc/profile-m-z/mupdf.profile
index 954016c2c..1e92b07bf 100644
--- a/etc/profile-m-z/mupdf.profile
+++ b/etc/profile-m-z/mupdf.profile
@@ -36,7 +36,7 @@ seccomp
 tracelog
 
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/musictube.profile b/etc/profile-m-z/musictube.profile
index 01b8d20b3..3387ed5de 100644
--- a/etc/profile-m-z/musictube.profile
+++ b/etc/profile-m-z/musictube.profile
@@ -49,7 +49,7 @@ disable-mnt
 private-bin musictube
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
index d2032dcf6..7ce7fbd19 100644
--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -33,6 +33,6 @@ seccomp !chroot
 
 disable-mnt
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,machine-id,pki,pulse,ssl
+private-etc @tls-ca
 
 # restrict-namespaces
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index 904b0cd7c..288ffedf1 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -124,7 +124,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg
+private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gai.conf,gnupg,gnutls,hosts.conf,mail,mailname,nntpserver,terminfo
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-m-z/mypaint.profile b/etc/profile-m-z/mypaint.profile
index 18117965e..774865a38 100644
--- a/etc/profile-m-z/mypaint.profile
+++ b/etc/profile-m-z/mypaint.profile
@@ -42,7 +42,7 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
+private-etc @x11
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile
index 74403c335..6b4074dfb 100644
--- a/etc/profile-m-z/nano.profile
+++ b/etc/profile-m-z/nano.profile
@@ -48,7 +48,7 @@ private-dev
 # Add the next lines to your nano.local if you want to edit files in /etc directly.
 #ignore private-etc
 #writable-etc
-private-etc alternatives,ld.so.cache,ld.so.preload,nanorc
+private-etc nanorc
 # Add the next line to your nano.local if you want to edit files in /var directly.
 #writable-var
 
diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile
index fde1d4d2c..80e28a5e5 100644
--- a/etc/profile-m-z/neochat.profile
+++ b/etc/profile-m-z/neochat.profile
@@ -53,7 +53,7 @@ tracelog
 disable-mnt
 private-bin neochat
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dbus-1,fonts,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
+private-etc @tls-ca,@x11,dbus-1,host.conf,mime.types,rpc,services
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index f343226ae..5bd1e7cba 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -116,7 +116,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
+private-etc @tls-ca,@x11,Mutt,Muttrc,Muttrc.d,gnupg,hosts.conf,mail,mailname,neomuttrc,neomuttrc.d,nntpserver
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-m-z/netactview.profile b/etc/profile-m-z/netactview.profile
index 1ede42405..b0828cd76 100644
--- a/etc/profile-m-z/netactview.profile
+++ b/etc/profile-m-z/netactview.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin netactview,netactview_polkit
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,resolv.conf
+private-etc
 private-lib
 private-tmp
 
diff --git a/etc/profile-m-z/neverball.profile b/etc/profile-m-z/neverball.profile
index 68b0ce2ea..a7c404201 100644
--- a/etc/profile-m-z/neverball.profile
+++ b/etc/profile-m-z/neverball.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin neverball
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile
index b80a0a151..a08fbad36 100644
--- a/etc/profile-m-z/newsboat.profile
+++ b/etc/profile-m-z/newsboat.profile
@@ -52,7 +52,7 @@ disable-mnt
 private-bin gzip,lynx,newsboat,sh,w3m
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo
+private-etc @tls-ca,lynx.cfg,lynx.lss,terminfo
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile
index 59f16bb10..c7c8abc0b 100644
--- a/etc/profile-m-z/newsflash.profile
+++ b/etc/profile-m-z/newsflash.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-bin com.gitlab.newsflash,newsflash
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11
+private-etc @tls-ca,@x11
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile
index c26942c81..d4bad2f67 100644
--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -61,7 +61,7 @@ tracelog
 disable-mnt
 private-bin nextcloud,nextcloud-desktop
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc @tls-ca,@x11,Nextcloud,host.conf,os-release
 private-dev
 private-tmp
 
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
index 4e4c7bfe7..cdd2ffc3f 100644
--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin nheko
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile
index cefe9fa79..7a97ca825 100644
--- a/etc/profile-m-z/nitroshare.profile
+++ b/etc/profile-m-z/nitroshare.profile
@@ -41,7 +41,7 @@ disable-mnt
 private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,ssl
+private-etc @tls-ca,@x11
 # private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
 private-tmp
 
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index f185a04ee..f3b0c8a49 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -92,7 +92,7 @@ seccomp.block-secondary
 
 disable-mnt
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+private-etc @tls-ca,@x11,host.conf,mime.types,rpc,services
 #private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile
index ac8336331..87373a02b 100644
--- a/etc/profile-m-z/nomacs.profile
+++ b/etc/profile-m-z/nomacs.profile
@@ -40,7 +40,7 @@ tracelog
 #private-bin nomacs
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,pki,resolv.conf,ssl
+private-etc @tls-ca,@x11
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile
index 11d6bd795..f0f2cca2e 100644
--- a/etc/profile-m-z/notify-send.profile
+++ b/etc/profile-m-z/notify-send.profile
@@ -48,7 +48,7 @@ private
 private-bin notify-send
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/nslookup.profile b/etc/profile-m-z/nslookup.profile
index 5866cda47..dcd76f2ad 100644
--- a/etc/profile-m-z/nslookup.profile
+++ b/etc/profile-m-z/nslookup.profile
@@ -45,7 +45,7 @@ tracelog
 
 disable-mnt
 private-bin bash,nslookup,sh
-private-etc alternatives,ld.so.cache,ld.so.preload,login.defs,passwd,resolv.conf
+private-etc
 private-dev
 private-tmp
 
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
index 9f4a6ec46..6ab21af5b 100644
--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -18,7 +18,7 @@ whitelist ${HOME}/.config/nuclear
 no3d
 
 # private-bin nuclear
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc @tls-ca,@x11,host.conf,mime.types
 private-opt nuclear
 
 # Redirect
diff --git a/etc/profile-m-z/nyx.profile b/etc/profile-m-z/nyx.profile
index 4f767f046..4355fd0c7 100644
--- a/etc/profile-m-z/nyx.profile
+++ b/etc/profile-m-z/nyx.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin nyx,python*
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,passwd,tor
+private-etc tor
 private-opt none
 private-srv none
 private-tmp
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
index 87c665cba..830483bd4 100644
--- a/etc/profile-m-z/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -53,7 +53,7 @@ tracelog
 private-bin ocenaudio,ocenvst
 private-cache
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc @tls-ca,@x11,mime.types
 private-opt ocenaudio
 private-tmp
 
diff --git a/etc/profile-m-z/odt2txt.profile b/etc/profile-m-z/odt2txt.profile
index 25da2139f..73b72efc2 100644
--- a/etc/profile-m-z/odt2txt.profile
+++ b/etc/profile-m-z/odt2txt.profile
@@ -37,7 +37,7 @@ x11 none
 private-bin odt2txt
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
index 568b6566e..8e0758c37 100644
--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -61,7 +61,7 @@ tracelog
 
 private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar
 private-dev
-private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,xdg
+private-etc @x11,cups
 # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
 
 # dbus-user none
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile
index 913b499d3..f8be5819b 100644
--- a/etc/profile-m-z/onboard.profile
+++ b/etc/profile-m-z/onboard.profile
@@ -49,7 +49,7 @@ disable-mnt
 private-cache
 private-bin onboard,python*,tput
 private-dev
-private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg
+private-etc @x11,dbus-1,mime.types
 private-tmp
 
 dbus-system none
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile
index 053f54b48..46d0bb86b 100644
--- a/etc/profile-m-z/openarena.profile
+++ b/etc/profile-m-z/openarena.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity
 private-cache
 private-dev
-private-etc alternatives,drirc,ld.so.cache,ld.so.preload,machine-id,openal,passwd,selinux,udev,xdg
+private-etc @games,@x11,udev
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/openmw.profile b/etc/profile-m-z/openmw.profile
index be97552ab..721b06117 100644
--- a/etc/profile-m-z/openmw.profile
+++ b/etc/profile-m-z/openmw.profile
@@ -52,7 +52,7 @@ tracelog
 private-bin bsatool,esmtool,niftest,openmw,openmw-cs,openmw-essimporter,openmw-iniimporter,openmw-launcher,openmw-wizard
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,bumblebee,drirc,fonts,glvnd,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nvidia,openmw,pango,passwd,pulse,Trolltech.conf,X11,xdg
+private-etc @x11,bumblebee,glvnd,mime.types,openmw
 private-opt none
 private-tmp
 
diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile
index 028c6fe90..a1c0462ba 100644
--- a/etc/profile-m-z/otter-browser.profile
+++ b/etc/profile-m-z/otter-browser.profile
@@ -52,7 +52,7 @@ disable-mnt
 private-bin bash,otter-browser,sh,which
 private-cache
 ?BROWSER_DISABLE_U2F: private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc @tls-ca,@x11,mailcap,mime.types
 private-tmp
 
 dbus-system none
diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile
index 2610ae67a..0a906718a 100644
--- a/etc/profile-m-z/pandoc.profile
+++ b/etc/profile-m-z/pandoc.profile
@@ -49,7 +49,7 @@ x11 none
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload,texlive,texmf
+private-etc texlive,texmf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/parole.profile b/etc/profile-m-z/parole.profile
index fb629669a..662896530 100644
--- a/etc/profile-m-z/parole.profile
+++ b/etc/profile-m-z/parole.profile
@@ -26,6 +26,6 @@ seccomp
 
 private-bin dbus-launch,parole
 private-cache
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,pulse,ssl
+private-etc @tls-ca
 
 restrict-namespaces
diff --git a/etc/profile-m-z/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile
index 1780f982c..196ce424d 100644
--- a/etc/profile-m-z/pavucontrol.profile
+++ b/etc/profile-m-z/pavucontrol.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin pavucontrol
 private-cache
 private-dev
-private-etc alternatives,asound.conf,avahi,fonts,ld.so.cache,ld.so.preload,machine-id,pulse,resolv.conf
+private-etc avahi
 private-lib
 private-tmp
 
diff --git a/etc/profile-m-z/pcsxr.profile b/etc/profile-m-z/pcsxr.profile
index 784d82736..5b3cf0fef 100644
--- a/etc/profile-m-z/pcsxr.profile
+++ b/etc/profile-m-z/pcsxr.profile
@@ -47,7 +47,7 @@ private-bin pcsxr
 private-cache
 # Add the next line to your pcsxr.local if you do not need controller support.
 #private-dev
-private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-etc @tls-ca,@x11,bumblebee,gconf,glvnd,host.conf,mime.types,rpc,services
 private-opt none
 private-tmp
 
diff --git a/etc/profile-m-z/pdfchain.profile b/etc/profile-m-z/pdfchain.profile
index 2e38dde3b..0ab006084 100644
--- a/etc/profile-m-z/pdfchain.profile
+++ b/etc/profile-m-z/pdfchain.profile
@@ -33,7 +33,7 @@ seccomp
 
 private-bin pdfchain,pdftk,sh
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg
+private-etc @x11
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile
index 7ece10835..cb7e0809f 100644
--- a/etc/profile-m-z/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -48,7 +48,7 @@ x11 none
 private-bin pdftotext
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
index 24a1bc979..96744e019 100644
--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -47,7 +47,7 @@ tracelog
 disable-mnt
 private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh
 private-dev
-private-etc alternatives,dconf,firejail,fonts,gtk-3.0,ld.so.cache,ld.so.preload,login.defs,pango,passwd,X11
+private-etc @x11,firejail
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile
index dcb52c846..5261093d2 100644
--- a/etc/profile-m-z/photoflare.profile
+++ b/etc/profile-m-z/photoflare.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin photoflare
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,mime.types,X11
+private-etc @x11,mime.types
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/pinball.profile b/etc/profile-m-z/pinball.profile
index 3664e1469..08aa67bf7 100644
--- a/etc/profile-m-z/pinball.profile
+++ b/etc/profile-m-z/pinball.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin pinball
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id,pulse
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile
index ddb8ff867..dbb333afb 100644
--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -56,7 +56,7 @@ private
 #private-bin ping - has mammoth problems with execvp: "No such file or directory"
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,login.defs,passwd,pki,resolv.conf,ssl
+private-etc @tls-ca
 private-lib
 private-tmp
 
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
index a86b6da04..3ff033e0b 100644
--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-bin pingus,pingus.bin,sh
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile
index 88173edca..799c8f607 100644
--- a/etc/profile-m-z/pkglog.profile
+++ b/etc/profile-m-z/pkglog.profile
@@ -43,7 +43,7 @@ private
 private-bin pkglog,python*
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-opt none
 private-tmp
 writable-var-log
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
index 62927f9f7..34e18cbd7 100644
--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin plv
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 private-opt none
 private-tmp
 writable-var-log
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
index 8e2c39b83..34199a08d 100644
--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -46,7 +46,7 @@ x11 none
 private-bin pngquant
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile
index 58528c372..da16ae912 100644
--- a/etc/profile-m-z/ppsspp.profile
+++ b/etc/profile-m-z/ppsspp.profile
@@ -42,7 +42,7 @@ seccomp
 private-bin ppsspp,PPSSPP,PPSSPPQt,PPSSPPSDL
 # Add the next line to your ppsspp.local if you do not need controller support.
 #private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
+private-etc @tls-ca,@x11,host.conf
 private-opt ppsspp
 private-tmp
 
diff --git a/etc/profile-m-z/pragha.profile b/etc/profile-m-z/pragha.profile
index 73b377712..6d766b212 100644
--- a/etc/profile-m-z/pragha.profile
+++ b/etc/profile-m-z/pragha.profile
@@ -32,7 +32,7 @@ protocol unix,inet,inet6
 seccomp
 
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-etc @tls-ca,@x11,host.conf
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-m-z/profanity.profile b/etc/profile-m-z/profanity.profile
index 279536bb9..c866c3d16 100644
--- a/etc/profile-m-z/profanity.profile
+++ b/etc/profile-m-z/profanity.profile
@@ -43,7 +43,7 @@ seccomp
 private-bin profanity
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca,mime.types
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile
index be06c5d89..a1a0606b9 100644
--- a/etc/profile-m-z/psi.profile
+++ b/etc/profile-m-z/psi.profile
@@ -70,7 +70,7 @@ disable-mnt
 private-bin getopt,psi
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc @tls-ca,@x11
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/pybitmessage.profile b/etc/profile-m-z/pybitmessage.profile
index ba71ab29d..0789450cb 100644
--- a/etc/profile-m-z/pybitmessage.profile
+++ b/etc/profile-m-z/pybitmessage.profile
@@ -40,7 +40,7 @@ seccomp
 disable-mnt
 private-bin bash,env,ldconfig,pybitmessage,python*,sh,stat
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,pki,PyBitmessage,PyBitmessage.conf,resolv.conf,selinux,sni-qt.conf,ssl,system-fips,Trolltech.conf,xdg
+private-etc @tls-ca,@x11,PyBitmessage,PyBitmessage.conf,sni-qt.conf,system-fips
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-m-z/qcomicbook.profile b/etc/profile-m-z/qcomicbook.profile
index 71374a8c8..19ef7a464 100644
--- a/etc/profile-m-z/qcomicbook.profile
+++ b/etc/profile-m-z/qcomicbook.profile
@@ -52,7 +52,7 @@ tracelog
 private-bin 7z,7zr,qcomicbook,rar,sh,tar,unace,unrar,unzip
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,Trolltech.conf,X11,xdg
+private-etc @x11,mime.types
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/qgis.profile b/etc/profile-m-z/qgis.profile
index d4b71f972..1f378e004 100644
--- a/etc/profile-m-z/qgis.profile
+++ b/etc/profile-m-z/qgis.profile
@@ -51,7 +51,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf
+private-etc @tls-ca,@x11,QGIS,QGIS.conf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile
index cafdb98e9..1cfbaee6a 100644
--- a/etc/profile-m-z/qnapi.profile
+++ b/etc/profile-m-z/qnapi.profile
@@ -46,7 +46,7 @@ tracelog
 private-bin 7z,qnapi
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,resolv.conf
+private-etc
 private-opt none
 private-tmp
 
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile
index 09b70756b..42c098487 100644
--- a/etc/profile-m-z/qrencode.profile
+++ b/etc/profile-m-z/qrencode.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin qrencode
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-lib libpcre*
 private-tmp
 
diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile
index f95720d71..ab0f9425a 100644
--- a/etc/profile-m-z/qtox.profile
+++ b/etc/profile-m-z/qtox.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin qtox
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-etc @tls-ca
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/quaternion.profile b/etc/profile-m-z/quaternion.profile
index ad45a26d5..fbc003d65 100644
--- a/etc/profile-m-z/quaternion.profile
+++ b/etc/profile-m-z/quaternion.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin quaternion
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/quodlibet.profile b/etc/profile-m-z/quodlibet.profile
index ea49684e3..56bfaa917 100644
--- a/etc/profile-m-z/quodlibet.profile
+++ b/etc/profile-m-z/quodlibet.profile
@@ -59,7 +59,7 @@ tracelog
 private-bin exfalso,operon,python*,quodlibet,sh
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,passwd,pki,pulse,resolv.conf,ssl
+private-etc @tls-ca,@x11
 private-tmp
 
 dbus-system none
diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile
index ea0e2afa7..e83484ae5 100644
--- a/etc/profile-m-z/qutebrowser.profile
+++ b/etc/profile-m-z/qutebrowser.profile
@@ -56,7 +56,7 @@ seccomp !chroot,!name_to_handle_at
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
+private-etc @tls-ca
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/raincat.profile b/etc/profile-m-z/raincat.profile
index e320d82f7..72c5f3979 100644
--- a/etc/profile-m-z/raincat.profile
+++ b/etc/profile-m-z/raincat.profile
@@ -39,7 +39,7 @@ private
 private-bin raincat
 private-cache
 private-dev
-private-etc alternatives,drirc,ld.so.cache,ld.so.preload,machine-id,passwd,pulse,timidity,timidity.cfg
+private-etc @games,@x11
 #private-lib
 private-tmp
 
diff --git a/etc/profile-m-z/rednotebook.profile b/etc/profile-m-z/rednotebook.profile
index 1295ce00d..e0dea194a 100644
--- a/etc/profile-m-z/rednotebook.profile
+++ b/etc/profile-m-z/rednotebook.profile
@@ -58,7 +58,7 @@ disable-mnt
 private-bin python3*,rednotebook
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-etc @x11
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile
index 571381f57..2e962b1ea 100644
--- a/etc/profile-m-z/regextester.profile
+++ b/etc/profile-m-z/regextester.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin regextester
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 private-lib libgranite.so.*
 private-tmp
 
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile
index 91b18678f..c908319ca 100644
--- a/etc/profile-m-z/rsync-download_only.profile
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -48,7 +48,7 @@ disable-mnt
 private-bin rsync
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc @tls-ca,host.conf,rpc,services
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/rtv.profile b/etc/profile-m-z/rtv.profile
index 565925e7a..0d57e6916 100644
--- a/etc/profile-m-z/rtv.profile
+++ b/etc/profile-m-z/rtv.profile
@@ -58,7 +58,7 @@ disable-mnt
 private-bin less,python*,rtv,sh,xdg-settings
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+private-etc @tls-ca,@x11,host.conf,mailcap,mime.types,rpc,services,terminfo
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile
index 6dfb50c5a..fb4325264 100644
--- a/etc/profile-m-z/scorchwentbonkers.profile
+++ b/etc/profile-m-z/scorchwentbonkers.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin scorchwentbonkers
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/seafile-applet.profile b/etc/profile-m-z/seafile-applet.profile
index 184a06958..bbf46fe19 100644
--- a/etc/profile-m-z/seafile-applet.profile
+++ b/etc/profile-m-z/seafile-applet.profile
@@ -53,7 +53,7 @@ disable-mnt
 private-bin seaf-cli,seaf-daemon,seafile-applet
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc @tls-ca,host.conf,rpc,services
 #private-opt none
 private-tmp
 
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile
index 7ff252ec7..5985e0da3 100644
--- a/etc/profile-m-z/seahorse-adventures.profile
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -47,7 +47,7 @@ private
 private-bin bash,dash,python*,seahorse-adventures,sh
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index e6f51bff9..190082461 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -57,7 +57,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,login.defs,nsswitch.conf,pango,passwd,pkcs11,pki,protocols,resolv.conf,rpc,services,ssh,ssl,xdg
+private-etc @tls-ca,@x11,gconf,host.conf,pkcs11,rpc,services,ssh
 private-tmp
 writable-run-user
 
diff --git a/etc/profile-m-z/shortwave.profile b/etc/profile-m-z/shortwave.profile
index cd2a9f13e..87621de69 100644
--- a/etc/profile-m-z/shortwave.profile
+++ b/etc/profile-m-z/shortwave.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin shortwave
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc @tls-ca,@x11,gconf,host.conf,mime.types
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile
index d33a97ffc..387d45cdc 100644
--- a/etc/profile-m-z/shotwell.profile
+++ b/etc/profile-m-z/shotwell.profile
@@ -48,7 +48,7 @@ tracelog
 private-bin shotwell
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
+private-etc
 private-opt none
 private-tmp
 
diff --git a/etc/profile-m-z/signal-cli.profile b/etc/profile-m-z/signal-cli.profile
index d2b604df5..d881db714 100644
--- a/etc/profile-m-z/signal-cli.profile
+++ b/etc/profile-m-z/signal-cli.profile
@@ -46,7 +46,7 @@ private-bin java,sh,signal-cli
 private-cache
 private-dev
 # Does not work with all Java configurations. You will notice immediately, so you might want to give it a try
-#private-etc alternatives,ca-certificates,crypto-policies,dbus-1,host.conf,hostname,hosts,java-10-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java.conf,machine-id,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
+#private-etc alternatives,ca-certificates,crypto-policies,dbus-1,host.conf,hostname,hosts,java*,machine-id,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index 2c4bdecd8..4a57bf38c 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -19,7 +19,7 @@ read-only ${HOME}/.mozilla/firefox/profiles.ini
 mkdir ${HOME}/.config/Signal
 whitelist ${HOME}/.config/Signal
 
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca
 
 dbus-user filter
 
diff --git a/etc/profile-m-z/slack.profile b/etc/profile-m-z/slack.profile
index a511ebb1c..a94176bf7 100644
--- a/etc/profile-m-z/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -26,7 +26,7 @@ mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
 
 private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
+private-etc @tls-ca,debian_version,fedora-release,os-release,redhat-release,system-release,system-release-cpe
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/smuxi-frontend-gnome.profile b/etc/profile-m-z/smuxi-frontend-gnome.profile
index ffed9d44c..89342aad8 100644
--- a/etc/profile-m-z/smuxi-frontend-gnome.profile
+++ b/etc/profile-m-z/smuxi-frontend-gnome.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc @tls-ca,@x11,mono
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile
index b4658b7af..f130176c1 100644
--- a/etc/profile-m-z/softmaker-common.profile
+++ b/etc/profile-m-z/softmaker-common.profile
@@ -42,7 +42,7 @@ tracelog
 private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl
+private-etc @tls-ca,SoftMaker
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile
index 5a1314315..cf64076e3 100644
--- a/etc/profile-m-z/spectacle.profile
+++ b/etc/profile-m-z/spectacle.profile
@@ -55,7 +55,7 @@ disable-mnt
 private-bin spectacle
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile
index 4bc23fc04..41b1f6507 100644
--- a/etc/profile-m-z/spectral.profile
+++ b/etc/profile-m-z/spectral.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-cache
 private-bin spectral
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile
index 721e39cd4..f07b10319 100644
--- a/etc/profile-m-z/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity
 private-dev
 # If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local.
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,spotify-adblock,ssl
+private-etc @tls-ca,host.conf,spotify-adblock
 private-opt spotify
 private-srv none
 private-tmp
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index 00df625c0..4e28958e4 100644
--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -41,7 +41,7 @@ seccomp.block-secondary
 private-bin sqlitebrowser
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl
+private-etc @tls-ca
 private-tmp
 
 # breaks proxy creation
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
index 868c724d2..95dc35741 100644
--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -38,7 +38,7 @@ seccomp !chroot
 disable-mnt
 private-dev
 private-tmp
-private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg
+private-etc @tls-ca,@x11,host.conf
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index f807afdc7..a5b4d5d87 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -175,7 +175,7 @@ seccomp.32 !process_vm_readv
 private-dev
 # private-etc breaks a small selection of games on some systems. Add 'ignore private-etc'
 # to your steam.local to support those.
-private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl,vulkan
+private-etc @games,@tls-ca,@x11,bumblebee,dbus-1,host.conf,lsb-release,mime.types,os-release,services
 private-tmp
 
 #dbus-user none
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile
index e9d2ca430..b6b2c63d3 100644
--- a/etc/profile-m-z/strawberry.profile
+++ b/etc/profile-m-z/strawberry.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin strawberry,strawberry-tagreader
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca,host.conf
 private-tmp
 
 dbus-system none
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile
index 896d4bc3e..6de288c46 100644
--- a/etc/profile-m-z/subdownloader.profile
+++ b/etc/profile-m-z/subdownloader.profile
@@ -43,7 +43,7 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index 1f532d76c..2ad107f1a 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -43,7 +43,7 @@ tracelog
 disable-mnt
 # private-bin supertux2
 private-cache
-private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
+private-etc
 private-dev
 private-tmp
 
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index b4eb70fcb..0a436b22f 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -53,7 +53,7 @@ private-bin supertuxkart
 private-cache
 # Add the next line to your supertuxkart.local if you do not need controller support.
 #private-dev
-private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,ld.so.cache,ld.so.preload,machine-id,openal,pki,resolv.conf,ssl
+private-etc @games,@tls-ca,@x11
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/profile-m-z/surf.profile b/etc/profile-m-z/surf.profile
index 3508e11b0..9be7aaf3c 100644
--- a/etc/profile-m-z/surf.profile
+++ b/etc/profile-m-z/surf.profile
@@ -33,7 +33,7 @@ tracelog
 disable-mnt
 private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,ld.so.cache,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl
+private-etc @tls-ca
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile
index cef029401..726baf336 100644
--- a/etc/profile-m-z/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -62,7 +62,7 @@ disable-mnt
 #private-bin sysprof - breaks help menu
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id,ssl
+private-etc @tls-ca
 # private-lib - breaks help menu
 #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
 private-tmp
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index a9d0a60d1..da3b4f782 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -17,7 +17,7 @@ ignore include disable-shell.inc
 # all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
 
-private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,login.defs,passwd
+private-etc
 #private-lib libfakeroot,liblzma.so.*,libreadline.so.*
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile
index 5711c1b36..fd55daa4a 100644
--- a/etc/profile-m-z/teams-for-linux.profile
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -22,7 +22,7 @@ mkdir ${HOME}/.config/teams-for-linux
 whitelist ${HOME}/.config/teams-for-linux
 
 private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,resolv.conf,ssl
+private-etc @tls-ca
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index 886d303c8..ba915c2d4 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin bash,sh,telegram,Telegram,telegram-desktop,xdg-open
 private-cache
 private-dev
-private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
+private-etc @tls-ca,@x11,os-release
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/terasology.profile b/etc/profile-m-z/terasology.profile
index 9249e33c8..ced3aaa8a 100644
--- a/etc/profile-m-z/terasology.profile
+++ b/etc/profile-m-z/terasology.profile
@@ -40,7 +40,7 @@ seccomp
 
 disable-mnt
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-7-openjdk,java-8-openjdk,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pki,pulse,resolv.conf,ssl
+private-etc @tls-ca,@x11,dbus-1,host.conf,java*,lsb-release,mime.types
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile
index 11a21c471..54568b7d3 100644
--- a/etc/profile-m-z/tesseract.profile
+++ b/etc/profile-m-z/tesseract.profile
@@ -54,7 +54,7 @@ x11 none
 private-bin ambiguous_words,classifier_tester,cntraining,combine_lang_model,combine_tessdata,dawg2wordlist,lstmeval,lstmtraining,merge_unicharsets,mftraining,set_unicharset_properties,shapeclustering,tesseract,text2image,unicharset_extractor,wordlist2dawg
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+private-etc
 #private-lib libtesseract.so.*
 private-tmp
 
diff --git a/etc/profile-m-z/tilp.profile b/etc/profile-m-z/tilp.profile
index f49738f2b..ed8cd7369 100644
--- a/etc/profile-m-z/tilp.profile
+++ b/etc/profile-m-z/tilp.profile
@@ -29,7 +29,7 @@ tracelog
 disable-mnt
 private-bin tilp
 private-cache
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile
index 3cbf90660..a03a6caa0 100644
--- a/etc/profile-m-z/tin.profile
+++ b/etc/profile-m-z/tin.profile
@@ -57,7 +57,7 @@ disable-mnt
 private-bin rtin,tin
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload,passwd,resolv.conf,terminfo,tin
+private-etc terminfo,tin
 private-lib terminfo
 private-tmp
 
diff --git a/etc/profile-m-z/tor.profile b/etc/profile-m-z/tor.profile
index 275b170ff..b58aec926 100644
--- a/etc/profile-m-z/tor.profile
+++ b/etc/profile-m-z/tor.profile
@@ -45,7 +45,7 @@ private
 private-bin bash,tor
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor
+private-etc @tls-ca,tor
 private-tmp
 writable-var
 
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index fab792826..41ac6f7a7 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -58,7 +58,7 @@ seccomp !chroot
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
+private-etc @tls-ca
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile
index 6069be500..645c55c3b 100644
--- a/etc/profile-m-z/transgui.profile
+++ b/etc/profile-m-z/transgui.profile
@@ -44,7 +44,7 @@ tracelog
 private-bin geoiplookup,geoiplookup6,transgui
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,resolv.conf
+private-etc
 private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.*
 private-tmp
 
diff --git a/etc/profile-m-z/transmission-cli.profile b/etc/profile-m-z/transmission-cli.profile
index 8a1711e97..5c0690b1d 100644
--- a/etc/profile-m-z/transmission-cli.profile
+++ b/etc/profile-m-z/transmission-cli.profile
@@ -7,8 +7,10 @@ include transmission-cli.local
 # Persistent global definitions
 include globals.local
 
+whitelist /usr/share/transmission
+
 private-bin transmission-cli
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca
 
 # Redirect
 include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-common.profile b/etc/profile-m-z/transmission-common.profile
index 0a9029c97..d80eb708b 100644
--- a/etc/profile-m-z/transmission-common.profile
+++ b/etc/profile-m-z/transmission-common.profile
@@ -44,6 +44,7 @@ tracelog
 
 private-cache
 private-dev
+private-etc @tls-ca,@x11
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile
index 5d28f2f10..4fc5a3aa7 100644
--- a/etc/profile-m-z/transmission-daemon.profile
+++ b/etc/profile-m-z/transmission-daemon.profile
@@ -17,7 +17,7 @@ caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
 protocol packet
 
 private-bin transmission-daemon
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca
 
 read-write /var/lib/transmission
 writable-var-log
diff --git a/etc/profile-m-z/transmission-remote-gtk.profile b/etc/profile-m-z/transmission-remote-gtk.profile
index f93c4229c..a8dd96001 100644
--- a/etc/profile-m-z/transmission-remote-gtk.profile
+++ b/etc/profile-m-z/transmission-remote-gtk.profile
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/transmission-remote-gtk
 mkdir ${HOME}/.config/transmission-remote-gtk
 whitelist ${HOME}/.config/transmission-remote-gtk
 
-private-etc alternatives,fonts,hostname,hosts,ld.so.cache,ld.so.preload,resolv.conf
+private-etc
 
 ignore memory-deny-write-execute
 
diff --git a/etc/profile-m-z/transmission-remote.profile b/etc/profile-m-z/transmission-remote.profile
index 565433d99..a431164f6 100644
--- a/etc/profile-m-z/transmission-remote.profile
+++ b/etc/profile-m-z/transmission-remote.profile
@@ -8,7 +8,7 @@ include transmission-remote.local
 include globals.local
 
 private-bin transmission-remote
-private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf
+private-etc
 
 # Redirect
 include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-show.profile b/etc/profile-m-z/transmission-show.profile
index 0a5826ec4..dc667ae05 100644
--- a/etc/profile-m-z/transmission-show.profile
+++ b/etc/profile-m-z/transmission-show.profile
@@ -8,7 +8,7 @@ include transmission-show.local
 include globals.local
 
 private-bin transmission-show
-private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf
+private-etc
 
 # Redirect
 include transmission-common.profile
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index 63e964355..378c8a1b7 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -53,7 +53,7 @@ tracelog
 private-bin trojita
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg
+private-etc @tls-ca,@x11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile
index d2cb0cc8a..56eacf338 100644
--- a/etc/profile-m-z/tutanota-desktop.profile
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -24,7 +24,7 @@ whitelist ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 ?HAS_APPIMAGE: ignore private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca
 private-opt tutanota-desktop
 
 # Redirect
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
index 987a2b719..1f548a92d 100644
--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -18,7 +18,7 @@ mkdir ${HOME}/.config/Twitch
 whitelist ${HOME}/.config/Twitch
 
 private-bin electron,electron[0-9],electron[0-9][0-9],twitch
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
 private-opt Twitch
 
 # Redirect
diff --git a/etc/profile-m-z/udiskie.profile b/etc/profile-m-z/udiskie.profile
index 7e3c7ac5a..c182326bb 100644
--- a/etc/profile-m-z/udiskie.profile
+++ b/etc/profile-m-z/udiskie.profile
@@ -40,7 +40,7 @@ private-bin awk,cut,dbus-send,egrep,file,grep,head,python*,readlink,sed,sh,udisk
 # private-bin thunar
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
+private-etc @x11,mime.types
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile
index 6ec6ea609..aac99aed5 100644
--- a/etc/profile-m-z/unf.profile
+++ b/etc/profile-m-z/unf.profile
@@ -48,7 +48,7 @@ private-bin unf
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-lib gcc/*/*/libgcc_s.so.*
 private-tmp
 
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile
index 443d1f415..43d5dae5e 100644
--- a/etc/profile-m-z/unrar.profile
+++ b/etc/profile-m-z/unrar.profile
@@ -8,7 +8,7 @@ include unrar.local
 include globals.local
 
 private-bin unrar
-private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd
+private-etc
 private-tmp
 
 # Redirect
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile
index 97df693ba..9fefe6ad3 100644
--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -10,7 +10,7 @@ include globals.local
 # GNOME Shell integration (chrome-gnome-shell)
 noblacklist ${HOME}/.local/share/gnome-shell
 
-private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd
+private-etc
 
 # Redirect
 include archiver-common.profile
diff --git a/etc/profile-m-z/utox.profile b/etc/profile-m-z/utox.profile
index f85e52273..046b75a87 100644
--- a/etc/profile-m-z/utox.profile
+++ b/etc/profile-m-z/utox.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin utox
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl
+private-etc @games,@tls-ca
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile
index 29d88832c..a6d2a65e9 100644
--- a/etc/profile-m-z/uudeview.profile
+++ b/etc/profile-m-z/uudeview.profile
@@ -40,7 +40,7 @@ x11 none
 private-bin uudeview
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile
index cdf615a02..aa8199442 100644
--- a/etc/profile-m-z/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin viewnior
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index b9a5c08e8..37e962867 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -44,7 +44,7 @@ tracelog
 #disable-mnt
 #private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami
 private-cache
-private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-etc @tls-ca,@x11,conf.d
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/vmware-view.profile b/etc/profile-m-z/vmware-view.profile
index ba4136413..c2fd14811 100644
--- a/etc/profile-m-z/vmware-view.profile
+++ b/etc/profile-m-z/vmware-view.profile
@@ -48,7 +48,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gai.conf,gconf,glvnd,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,proxychains.conf,pulse,resolv.conf,rpc,services,ssl,terminfo,vmware,vmware-tools,vmware-vix,X11,xdg
+private-etc @tls-ca,@x11,bumblebee,gai.conf,gconf,glvnd,host.conf,magic,magic.mgc,mime.types,proxychains.conf,rpc,services,terminfo,vmware,vmware-tools,vmware-vix
 # Logs are kept in /tmp. Add 'ignore private-tmp' to your vmware-view.local if you need them without joining the sandbox.
 private-tmp
 
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
index 74c951fe6..7619ef47b 100644
--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -38,6 +38,6 @@ tracelog
 #disable-mnt
 # Add the next line to your vmware.local to enable private-bin.
 #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
-private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mtab,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+private-etc @tls-ca,@x11,conf.d,mtab,vmware,vmware-installer,vmware-vix
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
index 1e111f83e..edc08ca44 100644
--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -61,7 +61,7 @@ disable-mnt
 private-bin perl,sh,w3m
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,mailcap,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca,mailcap
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile
index 37a8f78bb..5765613d4 100644
--- a/etc/profile-m-z/warmux.profile
+++ b/etc/profile-m-z/warmux.profile
@@ -48,7 +48,7 @@ disable-mnt
 private-bin warmux
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc @tls-ca,host.conf,rpc,services
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile
index 8a9614fb0..62d667d57 100644
--- a/etc/profile-m-z/whalebird.profile
+++ b/etc/profile-m-z/whalebird.profile
@@ -22,7 +22,7 @@ whitelist ${HOME}/.config/Whalebird
 no3d
 
 private-bin electron,electron[0-9],electron[0-9][0-9],whalebird
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index d8c72ac8b..8958564ef 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -46,7 +46,7 @@ private
 private-bin bash,sh,whois
 private-cache
 private-dev
-private-etc alternatives,hosts,jwhois.conf,ld.so.cache,ld.so.preload,resolv.conf,services,whois.conf
+private-etc jwhois.conf,services,whois.conf
 private-lib gconv
 private-tmp
 
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
index d8742cd71..fc4fa2435 100644
--- a/etc/profile-m-z/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -26,7 +26,7 @@ mkdir ${HOME}/.config/Wire
 whitelist ${HOME}/.config/Wire
 
 private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl
+private-etc @tls-ca
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile
index ccc2e8dd0..310e8b470 100644
--- a/etc/profile-m-z/wordwarvi.profile
+++ b/etc/profile-m-z/wordwarvi.profile
@@ -44,7 +44,7 @@ private
 private-bin wordwarvi
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile
index 1b44b63e0..e85bb9f18 100644
--- a/etc/profile-m-z/xbill.profile
+++ b/etc/profile-m-z/xbill.profile
@@ -43,7 +43,7 @@ private
 private-bin xbill
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 95eb2046e..9c4fa8293 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin xfce4-mixer,xfconf-query
 private-cache
 private-dev
-private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id,pulse
+private-etc
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
index 575acc9b2..4d841b35c 100644
--- a/etc/profile-m-z/xfce4-screenshooter.profile
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -41,7 +41,7 @@ tracelog
 disable-mnt
 private-bin xfce4-screenshooter,xfconf-query
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
+private-etc @tls-ca,@x11
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/xiphos.profile b/etc/profile-m-z/xiphos.profile
index 371db722c..76e58aff3 100644
--- a/etc/profile-m-z/xiphos.profile
+++ b/etc/profile-m-z/xiphos.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin xiphos
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssli,sword,sword.conf
+private-etc @tls-ca,sword,sword.conf
 private-tmp
 
 restrict-namespaces
diff --git a/etc/profile-m-z/xlinks.profile b/etc/profile-m-z/xlinks.profile
index 404baf607..b597dc7a2 100644
--- a/etc/profile-m-z/xlinks.profile
+++ b/etc/profile-m-z/xlinks.profile
@@ -14,7 +14,7 @@ include whitelist-common.inc
 # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
 # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
 private-bin xlinks
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 
 # Redirect
 include links.profile
diff --git a/etc/profile-m-z/xlinks2.profile b/etc/profile-m-z/xlinks2.profile
index d7edd3543..83356fb7b 100644
--- a/etc/profile-m-z/xlinks2.profile
+++ b/etc/profile-m-z/xlinks2.profile
@@ -14,7 +14,7 @@ include whitelist-common.inc
 # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
 # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
 private-bin xlinks2
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 
 # Redirect
 include links2.profile
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile
index ad1ba8ca3..b8bf0ae96 100644
--- a/etc/profile-m-z/xmr-stak.profile
+++ b/etc/profile-m-z/xmr-stak.profile
@@ -37,7 +37,7 @@ disable-mnt
 private ${HOME}/.xmr-stak
 private-bin xmr-stak
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca
 #private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend
 private-opt cuda
 private-tmp
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile
index 9128c330b..87e75986d 100644
--- a/etc/profile-m-z/xonotic.profile
+++ b/etc/profile-m-z/xonotic.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-cache
 private-bin blind-id,darkplaces-glx,darkplaces-sdl,dirname,ldd,netstat,ps,readlink,sh,uname,xonotic*
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
+private-etc @tls-ca,@x11,host.conf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile
index a17464a2a..e2e97f028 100644
--- a/etc/profile-m-z/xournal.profile
+++ b/etc/profile-m-z/xournal.profile
@@ -42,7 +42,7 @@ tracelog
 private-bin xournal
 private-cache
 private-dev
-private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd
+private-etc
 # TODO should use private-lib
 private-tmp
 
diff --git a/etc/profile-m-z/xournalpp.profile b/etc/profile-m-z/xournalpp.profile
index a23ad68df..e1c9c03e8 100644
--- a/etc/profile-m-z/xournalpp.profile
+++ b/etc/profile-m-z/xournalpp.profile
@@ -28,7 +28,7 @@ include whitelist-runuser-common.inc
 #include whitelist-common.inc
 
 private-bin kpsewhich,pdflatex,xournalpp
-private-etc alternatives,latexmk.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,texlive
+private-etc latexmk.conf,texlive
 
 # Redirect
 include xournal.profile
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile
index ff5dc619b..6edbf9357 100644
--- a/etc/profile-m-z/xreader.profile
+++ b/etc/profile-m-z/xreader.profile
@@ -38,7 +38,7 @@ tracelog
 
 private-bin xreader,xreader-previewer,xreader-thumbnailer
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index 6ea7fdfbd..f5dd0c309 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -55,7 +55,7 @@ disable-mnt
 private-bin groff,man,tbl,troff,yelp
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml
+private-etc @games,@tls-ca,@x11,cups,groff,man_db.conf,os-release,sgml,xml
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/youtube-dl-gui.profile b/etc/profile-m-z/youtube-dl-gui.profile
index c846893ef..b706bec4e 100644
--- a/etc/profile-m-z/youtube-dl-gui.profile
+++ b/etc/profile-m-z/youtube-dl-gui.profile
@@ -48,7 +48,7 @@ disable-mnt
 private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,locale,locale.conf,passwd,pki,resolv.conf,ssl
+private-etc @tls-ca,@x11
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index 4f2cc9523..8376b4989 100644
--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -57,7 +57,7 @@ tracelog
 private-bin env,ffmpeg,python*,youtube-dl
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
+private-etc @tls-ca,mime.types,youtube-dl.conf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
index f66e2938b..9ef90eb92 100644
--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -59,7 +59,7 @@ disable-mnt
 private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,wget2,which,xterm,youtube-dl,yt-dlp
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
index 5c4d697da..9bb1991c2 100644
--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -17,7 +17,7 @@ mkdir ${HOME}/.config/Youtube
 whitelist ${HOME}/.config/Youtube
 
 private-bin electron,electron[0-9],electron[0-9][0-9],youtube
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
 private-opt Youtube
 
 # Redirect
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
index 2b5ffeaaf..09a8a446f 100644
--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtubemusic-nativefier-040164
 whitelist ${HOME}/.config/youtubemusic-nativefier-040164
 
 private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
 private-opt youtubemusic-nativefier
 
 # Redirect
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile
index 6e835b03f..49d4b3b56 100644
--- a/etc/profile-m-z/yt-dlp.profile
+++ b/etc/profile-m-z/yt-dlp.profile
@@ -15,7 +15,7 @@ noblacklist ${HOME}/yt-dlp.conf
 noblacklist ${HOME}/yt-dlp.conf.txt
 
 private-bin ffprobe,yt-dlp
-private-etc alternatives,ld.so.cache,ld.so.preload,yt-dlp.conf
+private-etc yt-dlp.conf
 
 # Redirect
 include youtube-dl.profile
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
index aa466871c..43b624705 100644
--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtube-music-desktop-app
 whitelist ${HOME}/.config/youtube-music-desktop-app
 
 # private-bin env,ytmdesktop
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc @tls-ca,@x11,bumblebee,host.conf,mime.types
 # private-opt
 
 # Redirect
diff --git a/etc/profile-m-z/zathura.profile b/etc/profile-m-z/zathura.profile
index 1daf89c84..35c3f1300 100644
--- a/etc/profile-m-z/zathura.profile
+++ b/etc/profile-m-z/zathura.profile
@@ -48,7 +48,7 @@ tracelog
 private-bin zathura
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id
+private-etc
 # private-lib has problems on Debian 10
 #private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,libarchive.so.*,libdjvulibre.so.*,libgirara-gtk*,libpoppler-glib.so.*,libspectre.so.*,zathura
 private-tmp
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile
index 453f40e73..caf9eab63 100644
--- a/etc/profile-m-z/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -60,7 +60,7 @@ disable-mnt
 private-bin zeal
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
+private-etc @tls-ca,@x11,host.conf,mime.types,rpc,services
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/zim.profile b/etc/profile-m-z/zim.profile
index a9e5aa5c3..69ec3a706 100644
--- a/etc/profile-m-z/zim.profile
+++ b/etc/profile-m-z/zim.profile
@@ -63,7 +63,7 @@ disable-mnt
 private-bin python*,zim
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-etc @x11,gconf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/zulip.profile b/etc/profile-m-z/zulip.profile
index b69de3be1..1622b3886 100644
--- a/etc/profile-m-z/zulip.profile
+++ b/etc/profile-m-z/zulip.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin locale,zulip
 private-cache
 private-dev
-private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id
+private-etc
 private-tmp
 
 restrict-namespaces
diff --git a/src/etc-cleanup/Makefile b/src/etc-cleanup/Makefile
new file mode 100644
index 000000000..349da8821
--- /dev/null
+++ b/src/etc-cleanup/Makefile
@@ -0,0 +1,9 @@
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+PROG = etc-cleanup
+TARGET = $(PROG)
+
+MOD_HDRS = ../include/etc-groups.h
+
+include $(ROOT)/src/prog.mk
diff --git a/src/etc-cleanup/main.c b/src/etc-cleanup/main.c
new file mode 100644
index 000000000..47fe1556b
--- /dev/null
+++ b/src/etc-cleanup/main.c
@@ -0,0 +1,255 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#include "../include/etc_groups.h"
+#include "../include/common.h"
+#include <stdarg.h>
+
+#define MAX_BUF 4098
+#define MAX_ARR 1024
+char *arr[MAX_ARR] = {NULL};
+int arr_cnt = 0;
+
+static int arr_tls_ca = 0;
+static int arr_x11 = 0;
+static int arr_games = 0;
+static char outbuf[256 * 1024];
+static char *outptr;
+static int arg_replace = 0;
+static int arg_debug = 0;
+
+void outprintf(char* fmt, ...) {
+        va_list args;
+        va_start(args,fmt);
+        outptr += vsprintf(outptr, fmt, args);
+        va_end(args);
+}
+
+
+
+static int arr_check(const char *fname, char **pptr) {
+        assert(fname);
+        assert(pptr);
+
+        while (*pptr != NULL) {
+                if (strcmp(fname, *pptr) == 0)
+                        return 1;
+                pptr++;
+        }
+
+        return 0;
+}
+
+
+
+static void arr_add(const char *fname) {
+        assert(fname);
+        assert(arr_cnt < MAX_ARR);
+
+        int i;
+        for (i = 0; i < arr_cnt; i++)
+                if (strcmp(arr[i], fname) == 0)
+                        return;
+
+        arr[arr_cnt] = strdup(fname);
+        if (!arr[arr_cnt])
+                errExit("strdup");
+        arr_cnt++;
+}
+
+int arr_cmp(const void *p1, const void *p2) {
+        char **ptr1 = (char **) p1;
+        char **ptr2 = (char **) p2;
+
+        return strcmp(*ptr1, *ptr2);
+}
+
+static void arr_sort(void) {
+        qsort(&arr[0], arr_cnt, sizeof(char *), arr_cmp);
+}
+
+static void arr_clean(void) {
+        int i;
+        for (i = 0; i < arr_cnt; i++) {
+                free(arr[i]);
+                arr[i] = NULL;
+        }
+
+        arr_cnt = 0;
+        arr_games = 0;
+        arr_tls_ca = 0;
+        arr_x11 = 0;
+}
+
+static char *arr_print(void) {
+        char *last_line = outptr;
+        outprintf("private-etc ");
+
+        if (arr_games)
+                outprintf("@games,");
+        if (arr_tls_ca)
+                outprintf("@tls-ca,");
+        if (arr_x11)
+                outprintf("@x11,");
+
+        int i;
+        for (i = 0; i < arr_cnt; i++)
+                outprintf("%s,", arr[i]);
+        if (*(outptr - 1) == ' ' || *(outptr - 1) == ',') {
+                outptr--;
+                *outptr = '\0';
+        }
+        outprintf("\n");
+
+        return last_line;
+}
+
+static void process_file(const char *fname) {
+        assert(fname);
+
+        FILE *fp = fopen(fname, "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open %s file\n", fname);
+                exit(1);
+        }
+
+        outptr = outbuf;
+        *outptr = '\0';
+        arr_clean();
+
+        char line[MAX_BUF];
+        char orig_line[MAX_BUF];
+        int cnt = 0;
+        int print = 0;
+        while (fgets(line, MAX_BUF, fp)) {
+                cnt++;
+                if (strncmp(line, "private-etc", 11) != 0)  {
+                        outprintf("%s", line);
+                        continue;
+                }
+
+                strcpy(orig_line,line);
+                char *ptr = strchr(line, '\n');
+                if (ptr)
+                        *ptr = '\0';
+
+                ptr = line + 12;
+                while (*ptr == ' ' || *ptr == '\t')
+                        ptr++;
+
+                // check for blanks and tabs
+                char *ptr2 = ptr;
+                while (*ptr2 != '\0') {
+                        if (*ptr2 == ' ' || *ptr2 == '\t') {
+                                fprintf(stderr, "Error: invalid private-etc line %s:%d\n", fname, cnt);
+                                exit(1);
+                        }
+                        ptr2++;
+                }
+
+                ptr = strtok(ptr, ",");
+                while (ptr) {
+                        if (arg_debug)
+                                printf("%s\n", ptr);
+                        if (arr_check(ptr, &etc_list[0]));
+                        else if (arr_check(ptr, &etc_group_sound[0]));
+                        else if (arr_check(ptr, &etc_group_network[0]));
+                        else if (strcmp(ptr, "@games") == 0)
+                                arr_games = 1;
+                        else if (strcmp(ptr, "@tls-ca") == 0)
+                                arr_tls_ca = 1;
+                        else if (strcmp(ptr, "@x11") == 0)
+                                arr_x11 = 1;
+                        else if (arr_check(ptr, &etc_group_games[0]))
+                                arr_games = 1;
+                        else if (arr_check(ptr, &etc_group_tls_ca[0]))
+                                arr_tls_ca = 1;
+                        else if (arr_check(ptr, &etc_group_x11[0]))
+                                arr_x11 = 1;
+                        else
+                                arr_add(ptr);
+
+                        ptr = strtok(NULL, ",");
+                }
+
+                arr_sort();
+                char *last_line = arr_print();
+                if (strcmp(last_line, orig_line) == 0) {
+                        fclose(fp);
+                        return;
+                }
+                printf("\n********************\nfile: %s\n\nold: %s\nnew: %s\n", fname, orig_line, last_line);
+                print = 1;
+        }
+
+        fclose(fp);
+
+        if (print && arg_replace) {
+                fp = fopen(fname, "w");
+                if (!fp) {
+                        fprintf(stderr, "Error: cannot open profile file\n");
+                        exit(1);
+                }
+                fprintf(fp, "%s", outbuf);
+                fclose(fp);
+        }
+}
+
+static void usage(void) {
+        printf("usage: cleanup-etc [options] file.profile [file.profile]\n");
+        printf("Group and clean private-etc entries in one or more profile files.\n");
+        printf("Options:\n");
+        printf("   --debug - print debug messages\n");
+        printf("   -h, -?, --help - this help screen\n");
+        printf("   --replace - replace profile file\n");
+}
+
+int main(int argc, char **argv) {
+        if (argc < 2) {
+                fprintf(stderr, "Error: invalid number of parameters\n");
+                usage();
+                return 1;
+        }
+
+        int i;
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "-h") == 0 ||
+                     strcmp(argv[i], "-?") == 0 ||
+                     strcmp(argv[i], "--help") == 0) {
+                        usage();
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--debug") == 0)
+                        arg_debug = 1;
+                else if (strcmp(argv[i], "--replace") == 0)
+                        arg_replace = 1;
+                else if (*argv[i] == '-') {
+                        fprintf(stderr, "Error: invalid program option %s\n", argv[i]);
+                        return 1;
+                }
+                else
+                        break;
+        }
+
+        for (; i < argc; i++)
+                process_file(argv[i]);
+
+        return 0;
+}
\ No newline at end of file
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 793ec9a52..db73dd1f6 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -519,6 +519,7 @@ matrix-mirage
 mattermost-desktop
 mcabber
 mcomix
+md5sum
 mediainfo
 mediathekview
 megaglest
@@ -736,6 +737,11 @@ seahorse-tool
 seamonkey
 seamonkey-bin
 secret-tool
+sha1sum
+sha224sum
+sha256sum
+sha348sum
+sha512sum
 shellcheck
 shortwave
 shotcut
@@ -775,6 +781,7 @@ straw-viewer
 strings
 studio.sh
 subdownloader
+sum
 supertux2
 supertuxkart
 surf
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 66d2d8b83..a09158e9e 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -332,6 +332,7 @@ extern int arg_nice;		// nice value configured
 extern int arg_ipc;             // enable ipc namespace
 extern int arg_writable_etc;    // writable etc
 extern int arg_keep_config_pulse;       // disable automatic ~/.config/pulse init
+extern int arg_keep_shell_rc;   // do not copy shell configuration from /etc/skel
 extern int arg_writable_var;    // writable var
 extern int arg_keep_var_tmp; // don't overwrite /var/tmp
 extern int arg_writable_run_user;       // writable /run/user
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 8c4cb3d4f..8e72f8687 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -361,7 +361,8 @@ void fs_private_homedir(void) {
         }
         EUID_USER();
 
-        skel(homedir);
+        if (!arg_keep_shell_rc)
+                skel(homedir);
         if (xflag)
                 copy_xauthority();
         if (aflag)
@@ -430,7 +431,8 @@ void fs_private(void) {
                 selinux_relabel_path(homedir, homedir);
         }
 
-        skel(homedir);
+        if (!arg_keep_shell_rc)
+                skel(homedir);
         if (xflag)
                 copy_xauthority();
         if (aflag)
@@ -682,7 +684,8 @@ void fs_private_home_list(void) {
                 errExit("mounting tmpfs");
         EUID_USER();
 
-        skel(homedir);
+        if (!arg_keep_shell_rc)
+                skel(homedir);
         if (xflag)
                 copy_xauthority();
         if (aflag)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 02fcb77d7..8df6926ee 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -127,6 +127,7 @@ int arg_nice = 0;				// nice value configured
 int arg_ipc = 0;                                        // enable ipc namespace
 int arg_writable_etc = 0;                       // writable etc
 int arg_keep_config_pulse = 0;                  // disable automatic ~/.config/pulse init
+int arg_keep_shell_rc = 0;                      // do not copy shell configuration from /etc/skel
 int arg_writable_var = 0;                       // writable var
 int arg_keep_var_tmp = 0;                       // don't overwrite /var/tmp
 int arg_writable_run_user = 0;                  // writable /run/user
@@ -1975,6 +1976,9 @@ int main(int argc, char **argv, char **envp) {
                 else if (strcmp(argv[i], "--keep-config-pulse") == 0) {
                         arg_keep_config_pulse = 1;
                 }
+                else if (strcmp(argv[i], "--keep-shell-rc") == 0) {
+                        arg_keep_shell_rc = 1;
+                }
                 else if (strcmp(argv[i], "--writable-var") == 0) {
                         arg_writable_var = 1;
                 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index d01999ec5..3924465e4 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1235,6 +1235,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
 
+        if (strcmp(ptr, "keep-shell-rc") == 0) {
+                arg_keep_shell_rc = 1;
+                return 0;
+        }
+
         // writable-var
         if (strcmp(ptr, "writable-var") == 0) {
                 arg_writable_var = 1;
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index bf4550dd8..e31293c66 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -129,6 +129,7 @@ static char *usage_str =
         "    --keep-config-pulse - disable automatic ~/.config/pulse init.\n"
         "    --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
         "    --keep-fd - inherit open file descriptors to sandbox.\n"
+        "    --keep-shell-rc - do not copy shell rc files from /etc/skel\n"
         "    --keep-var-tmp - /var/tmp directory is untouched.\n"
         "    --list - list all sandboxes.\n"
 #ifdef HAVE_FILE_TRANSFER
diff --git a/src/include/etc_groups.h b/src/include/etc_groups.h
index 052b737db..d1182a33d 100644
--- a/src/include/etc_groups.h
+++ b/src/include/etc_groups.h
@@ -20,6 +20,7 @@
 
 #ifndef ETC_GROUPS_H
 #define ETC_GROUPS_H
+#include <stddef.h>
 
 #define ETC_MAX 256
 
@@ -39,6 +40,7 @@ static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
         "login.defs", // firejail reading UID/GID MIN and MAX at startup
         "nsswitch.conf",
         "passwd",
+        "selinux",
         NULL
 };
 
@@ -47,6 +49,7 @@ static char *etc_group_games[] = {
         "openal", // 3D sound
         "timidity", // MIDI
         "timidity.cfg",
+        "vulkan", // next generation OpenGL stack
         NULL
 };
 
@@ -72,7 +75,7 @@ static char *etc_group_sound[] = {
 static char *etc_group_tls_ca[] = {
         "ca-certificates",
         "crypto-policies",
-        "gcrypt",
+        "gcrypt", // GNU crypto library (GPG)
         "pki",
         "ssl",
         NULL
@@ -80,14 +83,17 @@ static char *etc_group_tls_ca[] = {
 
 // @x11
 static char *etc_group_x11[] = {
+        "ati", // 3D
         "dconf",
         "drirc",
         "gtk-2.0",
         "gtk-3.0",
         "kde4rc",
         "kde5rc",
-        "nvidia",
+        "machine-id", // QT dbus lib is crashing without it!
+        "nvidia", // 3D
         "pango", // text rendering/internationalization
+        "Trolltech.conf", // old QT config file
         "X11",
         "xdg",
         NULL
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 5b16179ac..3fa07d1ee 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -288,6 +288,9 @@ pulse servers or non-standard socket paths.
 \fBkeep-dev-shm
 /dev/shm directory is untouched (even with private-dev).
 .TP
+\fBkeep-shell-rc
+Do not copy shell rc files (such as ~/.bashrc and ~/.zshrc) from /etc/skel.
+.TP
 \fBkeep-var-tmp
 /var/tmp directory is untouched.
 .TP
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 1b051ab57..6068c9ff4 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1224,6 +1224,14 @@ Example:
 $ firejail --keep-fd=3,4,5
 
 .TP
+\fB\-\-keep-shell-rc
+By default, when using a private home directory, firejail copies files from the
+system's user home template (/etc/skel) into it, which overrides attempts to
+whitelist the original files (such as ~/.bashrc and ~/.zshrc).
+This option disables this feature, and enables the user to whitelist the
+original files.
+
+.TP
 \fB\-\-keep-var-tmp
 /var/tmp directory is untouched.
 .br
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index 2b67c2a00..37ce7055b 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -104,6 +104,7 @@ _firejail_args=(
     '--keep-config-pulse[disable automatic ~/.config/pulse init]'
     '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
     '--keep-fd[inherit open file descriptors to sandbox]: :'
+    '--keep-shell-rc[do not copy shell rc files from /etc/skel]'
     '--keep-var-tmp[/var/tmp directory is untouched]'
     '--machine-id[spoof /etc/machine-id with a random id]'
     '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]'
diff --git a/test/fs/fs.sh b/test/fs/fs.sh
index 4b85d3006..affc4bc7e 100755
--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -80,12 +80,6 @@ rm -fr ~/_firejail_test_dir1
 rm -f ~/_firejail_test_link1
 rm -f ~/_firejail_test_link2
 
-echo "TESTING: private-etc (test/fs/private-etc.exp)"
-./private-etc.exp
-
-#echo "TESTING: empty private-etc (test/fs/private-etc-empty.exp)"
-#./private-etc-empty.exp
-
 echo "TESTING: private-bin (test/fs/private-bin.exp)"
 ./private-bin.exp
 
diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp
deleted file mode 100755
index 6878a642c..000000000
--- a/test/fs/private-etc-empty.exp
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2022 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --private-etc=blablabla\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-send -- "ls -l /etc | wc -l\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "0" {puts "Debian\n"}
-        "1" {puts "Arch\n"}
-}
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --profile=private-etc-empty.profile\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-send -- "ls -l /etc | wc -l\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "0" {puts "Debian\n"}
-        "1" {puts "Arch\n"}
-
-}
-
-after 100
-puts "\nall done\n"
diff --git a/test/fs/private-etc-empty.profile b/test/fs/private-etc-empty.profile
deleted file mode 100644
index 38aa8cd68..000000000
--- a/test/fs/private-etc-empty.profile
+++ /dev/null
@@ -1 +0,0 @@
-private-etc blablabla
diff --git a/test/private-etc/etc-cleanup.exp b/test/private-etc/etc-cleanup.exp
new file mode 100755
index 000000000..eb7eedcf4
--- /dev/null
+++ b/test/private-etc/etc-cleanup.exp
@@ -0,0 +1,33 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "/usr/lib/firejail/etc-cleanup p1.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "old: private-etc passwd,group,resolv.conf,X11"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "new: private-etc @x11"
+}
+after 500
+
+send -- "/usr/lib/firejail/etc-cleanup p3.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "old: private-etc @tls-ca,os-release,@x11,mime.types,mailcap"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "new: private-etc @tls-ca,@x11,mailcap,mime.types,os-release"
+}
+after 500
+
+
+puts "\nall done\n"
diff --git a/test/private-etc/groups.exp b/test/private-etc/groups.exp
new file mode 100755
index 000000000..fed6d40b0
--- /dev/null
+++ b/test/private-etc/groups.exp
@@ -0,0 +1,132 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --private-etc ls -l /etc\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Private /etc installed in"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "cron" {puts "TESTING ERROR 2\n"; exit}
+        "shadow" {puts "TESTING ERROR 3\n"; exit}
+        "ssl" {puts "TESTING ERROR 4\n"; exit}
+        "ld.so.cache"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "cron" {puts "TESTING ERROR 2\n"; exit}
+        "shadow" {puts "TESTING ERROR 3\n"; exit}
+        "ssl" {puts "TESTING ERROR 4\n"; exit}
+        "nsswitch.conf"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "cron" {puts "TESTING ERROR 2\n"; exit}
+        "shadow" {puts "TESTING ERROR 3\n"; exit}
+        "ssl" {puts "TESTING ERROR 4\n"; exit}
+        "resolv.conf"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "cron" {puts "TESTING ERROR 2\n"; exit}
+        "shadow" {puts "TESTING ERROR 3\n"; exit}
+        "xdg" {puts "TESTING ERROR 4\n"; exit}
+        "Parent is shutting down"
+}
+after 500
+
+
+send -- "firejail --private-etc=@tls-ca ls -l /etc\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Private /etc installed in"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "cron" {puts "TESTING ERROR 12\n"; exit}
+        "shadow" {puts "TESTING ERROR 13\n"; exit}
+        "ca-certificates"
+}
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "cron" {puts "TESTING ERROR 12\n"; exit}
+        "shadow" {puts "TESTING ERROR 13\n"; exit}
+        "nsswitch.conf"
+}
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "cron" {puts "TESTING ERROR 12\n"; exit}
+        "shadow" {puts "TESTING ERROR 13\n"; exit}
+        "resolv.conf"
+}
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "cron" {puts "TESTING ERROR 12\n"; exit}
+        "shadow" {puts "TESTING ERROR 13\n"; exit}
+        "ssl"
+}
+after 500
+
+
+send -- "firejail --private-etc --nosound ls -l /etc\r"
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "Private /etc installed in"
+}
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "cron" {puts "TESTING ERROR 22\n"; exit}
+        "shadow" {puts "TESTING ERROR 23\n"; exit}
+        "machine-id" {puts "TESTING ERROR 24\n"; exit}
+        "nsswitch.conf"
+}
+expect {
+        timeout {puts "TESTING ERROR 25\n";exit}
+        "Parent is shutting down"
+}
+after 500
+
+send -- "firejail --private-etc --net=none ls -l /etc\r"
+expect {
+        timeout {puts "TESTING ERROR 30\n";exit}
+        "Private /etc installed in"
+}
+expect {
+        timeout {puts "TESTING ERROR 31\n";exit}
+        "cron" {puts "TESTING ERROR 32\n"; exit}
+        "shadow" {puts "TESTING ERROR 33\n"; exit}
+        "nsswitch.conf"
+}
+expect {
+        timeout {puts "TESTING ERROR 34\n";exit}
+        "resolv.conf" {puts "TESTING ERROR 35\n"; exit}
+        "Parent is shutting down"
+}
+after 500
+
+send -- "firejail --private-etc=@x11 ls -l /etc\r"
+expect {
+        timeout {puts "TESTING ERROR 40\n";exit}
+        "Private /etc installed in"
+}
+expect {
+        timeout {puts "TESTING ERROR 41\n";exit}
+        "cron" {puts "TESTING ERROR 42\n"; exit}
+        "shadow" {puts "TESTING ERROR 43\n"; exit}
+        "nsswitch.conf"
+}
+expect {
+        timeout {puts "TESTING ERROR 44\n";exit}
+        "xdg"
+}
+after 100
+
+
+puts "\nall done\n"
diff --git a/test/private-etc/p1.profile b/test/private-etc/p1.profile
new file mode 100644
index 000000000..8929dace1
--- /dev/null
+++ b/test/private-etc/p1.profile
@@ -0,0 +1 @@
+private-etc passwd,group,resolv.conf,X11
diff --git a/test/private-etc/p2.profile b/test/private-etc/p2.profile
new file mode 100644
index 000000000..7193428b9
--- /dev/null
+++ b/test/private-etc/p2.profile
@@ -0,0 +1 @@
+private-etc @x11
diff --git a/test/private-etc/p3.profile b/test/private-etc/p3.profile
new file mode 100644
index 000000000..64e4025d0
--- /dev/null
+++ b/test/private-etc/p3.profile
@@ -0,0 +1 @@
+private-etc @tls-ca,os-release,@x11,mime.types,mailcap
diff --git a/test/fs/private-etc.exp b/test/private-etc/private-etc.exp
index f51fc5221..3aac7cdf2 100755
--- a/test/fs/private-etc.exp
+++ b/test/private-etc/private-etc.exp
@@ -7,7 +7,6 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-# directory with ~
 send -- "firejail --private-etc=passwd,group,resolv.conf,X11\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
diff --git a/test/private-etc/private-etc.sh b/test/private-etc/private-etc.sh
new file mode 100755
index 000000000..67076af95
--- /dev/null
+++ b/test/private-etc/private-etc.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
+
+echo "TESTING: private-etc (test/private-etc/private-etc.exp)"
+./private-etc.exp
+
+echo "TESTING: profile (test/private-etc/profile.exp)"
+./private-etc.exp
+
+echo "TESTING: groups (test/private-etc/groups.exp)"
+./groups.exp
+
+echo "TESTING: etc-cleanup (test/private-etc/etc-cleanup.exp)"
+./etc-cleanup.exp
+
diff --git a/test/private-etc/profile.exp b/test/private-etc/profile.exp
new file mode 100755
index 000000000..d5713fe95
--- /dev/null
+++ b/test/private-etc/profile.exp
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --profile=p1.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+send -- "LC_ALL=C ls -al /etc\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "X11"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "group"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "passwd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "resolv.conf"
+}
+
+
+send -- "file /etc/shadow\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "No such file or directory"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --profile=p2.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+send -- "LC_ALL=C ls -al /etc\r"
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "X11"
+}
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "group"
+}
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "passwd"
+}
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "resolv.conf"
+}
+
+
+send -- "file /etc/shadow\r"
+expect {
+        timeout {puts "TESTING ERROR 17\n";exit}
+        "No such file or directory"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+
+
+
+
+
+
+
+
+after 100
+puts "\nall done\n"
diff --git a/test/sysutils/gzip.exp b/test/sysutils/gzip.exp
index 75b51694c..b0c41e429 100755
--- a/test/sysutils/gzip.exp
+++ b/test/sysutils/gzip.exp
@@ -7,20 +7,14 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "/bin/gzip -c /usr/bin/firejail > firejail_t1\r"
-sleep 1
+send -- "rm index.html*\r"
+after 500
 
-send -- "firejail /bin/gzip -c /usr/bin/firejail > firejail_t2\r"
-sleep 1
-
-send -- "diff -s firejail_t1 firejail_t2\r"
+send -- "firejail gzip -c ../../mkdeb.sh | firejail gunzip -c\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "firejail_t1 and firejail_t2 are identical"
+        "This file is part of Firejail project"
 }
-
-send -- "rm firejail_t*\r"
-sleep 1
-
+after 500
 
 puts "\nall done\n"
diff --git a/test/sysutils/md5sum.exp b/test/sysutils/md5sum.exp
new file mode 100755
index 000000000..ab2482808
--- /dev/null
+++ b/test/sysutils/md5sum.exp
@@ -0,0 +1,21 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail md5sum ../../COPYING\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "b234ee"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "COPYING"
+}
+
+after 500
+puts "\nall done\n"
diff --git a/test/sysutils/sha512sum.exp b/test/sysutils/sha512sum.exp
new file mode 100755
index 000000000..2a88fef83
--- /dev/null
+++ b/test/sysutils/sha512sum.exp
@@ -0,0 +1,21 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail sha512sum ../../COPYING\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "aee80b1f"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "COPYING"
+}
+
+after 500
+puts "\nall done\n"
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh
index bab243c4b..c74a7d9e8 100755
--- a/test/sysutils/sysutils.sh
+++ b/test/sysutils/sysutils.sh
@@ -7,6 +7,30 @@ export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 export LC_ALL=C
 
+if command -v gzip
+then
+        echo "TESTING: gzip"
+        ./gzip.exp
+else
+        echo "TESTING SKIP: md5sum not found"
+fi
+
+if command -v md5sum
+then
+        echo "TESTING: md5sum"
+        ./md5sum.exp
+else
+        echo "TESTING SKIP: md5sum not found"
+fi
+
+if command -v sha512sum
+then
+        echo "TESTING: sha512sum"
+        ./sha512sum.exp
+else
+        echo "TESTING SKIP: sha512sum not found"
+fi
+
 if command -v cpio
 then
         echo "TESTING: cpio"
@@ -127,3 +151,11 @@ else
         echo "TESTING SKIP: strings not found"
 fi
 
+if command -v whois
+then
+        echo "TESTING: whois"
+        ./whois.exp
+else
+        echo "TESTING SKIP: whois not found"
+fi
+
diff --git a/test/private-lib/whois.exp b/test/sysutils/whois.exp
index 29190253c..1797ca14e 100755
--- a/test/private-lib/whois.exp
+++ b/test/sysutils/whois.exp
@@ -10,7 +10,8 @@ match_max 100000
 send -- "firejail whois debian.org\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Domain Name"
+        "Domain Name" {puts "testing ok\n"}
+        "Connection refused" {puts "TESTING SKIP: connection refused\n"}
 }
 
 after 100