41 files changed, 49 insertions, 50 deletions

diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
index 230a88472..5ef75022b 100644
--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -34,8 +34,8 @@ shell none
 disable-mnt
 # using a private home directory
 private
-# private-bin Xephyr,sh,xkbcomp
-# private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
+# private-bin sh,Xephyr,xkbcomp
+# private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp
 private-dev
-# private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
+# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
 #private-tmp
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile
index 259077d86..3ecda698e 100644
--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -37,8 +37,8 @@ shell none
 disable-mnt
 # using a private home directory
 private
-# private-bin Xvfb,sh,xkbcomp
-# private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls
+# private-bin sh,xkbcomp,Xvfb
+# private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
 private-dev
 private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
 private-tmp
diff --git a/etc/ardour5.profile b/etc/ardour5.profile
index 211a32e22..5ebeafa76 100644
--- a/etc/ardour5.profile
+++ b/etc/ardour5.profile
@@ -34,9 +34,9 @@ protocol unix
 seccomp
 shell none
 
-#private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm
+#private-bin ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,ldd,nm,sed,sh
 private-cache
 private-dev
-#private-etc alternatives,pulse,X11,alternatives,ardour4,ardour5,fonts,machine-id,asound.conf
+#private-etc alternatives,ardour4,ardour5,asound.conf,fonts,machine-id,pulse,X11
 private-tmp
 
diff --git a/etc/ark.profile b/etc/ark.profile
index ee0899b1d..7f74a4d49 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -35,7 +35,7 @@ seccomp
 shell none
 
 private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,zip,zipinfo
-#private-etc alternatives,smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg
+#private-etc alternatives,drirc,fonts,group,kde5rc,mtab,passwd,samba,smb.conf,xdg
 
 private-dev
 private-tmp
diff --git a/etc/bitcoin-qt.profile b/etc/bitcoin-qt.profile
index 8aae5d668..ac1e21ba7 100644
--- a/etc/bitcoin-qt.profile
+++ b/etc/bitcoin-qt.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin bitcoin-qt
 private-dev
 # Causes problem with loading of libGL.so
-#private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/bless.profile b/etc/bless.profile
index d4ac80db1..35235962e 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -33,7 +33,7 @@ protocol unix
 seccomp
 shell none
 
-# private-bin bless,sh,bash,mono
+# private-bin bash,bless,mono,sh
 private-cache
 private-dev
 private-etc alternatives,fonts,mono
diff --git a/etc/cantata.profile b/etc/cantata.profile
index 19abbfea2..c44d56b90 100644
--- a/etc/cantata.profile
+++ b/etc/cantata.profile
@@ -34,6 +34,6 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
-# private-etc samba,gcrypt,drirc,fonts,mpd.conf,kde5rc,passwd,xdg,hosts,ssl
+# private-etc drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
 private-bin cantata,mpd,perl
 private-dev
diff --git a/etc/curl.profile b/etc/curl.profile
index b8b91d278..76beee46a 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -34,5 +34,5 @@ shell none
 # private-bin curl
 private-cache
 private-dev
-# private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
index fcb448b30..d1fff0004 100644
--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -13,7 +13,7 @@ mkdir ${HOME}/.cache/8pecxstudios
 whitelist ${HOME}/.8pecxstudios
 whitelist ${HOME}/.cache/8pecxstudios
 
-# private-bin cyberfox,which,sh,dbus-launch,dbus-send,env
+# private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc cyberfox
 
diff --git a/etc/dino.profile b/etc/dino.profile
index 2db395e02..f7b220936 100644
--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -37,6 +37,6 @@ shell none
 disable-mnt
 private-bin dino
 private-dev
-# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies # breaks server connection
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection
 private-tmp
 
diff --git a/etc/elinks.profile b/etc/elinks.profile
index 980fa7617..94f4179c7 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -36,5 +36,5 @@ tracelog
 # private-bin elinks
 private-cache
 private-dev
-# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile
index 46d0bd08e..d64fe830f 100644
--- a/etc/fetchmail.profile
+++ b/etc/fetchmail.profile
@@ -30,5 +30,5 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-#private-bin fetchmail,procmail,bash,chmod
+#private-bin bash,chmod,fetchmail,procmail
 private-dev
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index bccbb3412..49e34f248 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -57,5 +57,5 @@ shell none
 disable-mnt
 private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
-#private-etc alternatives,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 830bbc6a7..84c647cb9 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -15,7 +15,7 @@ whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
 
 # firefox requires a shell to launch on Arch.
-#private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
+#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc firefox
 
diff --git a/etc/gjs.profile b/etc/gjs.profile
index f119e5b34..17b0aa5cf 100644
--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -32,7 +32,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather
+# private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather
 private-dev
-# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index 97de9c2be..1a192cbe5 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -39,8 +39,8 @@ shell none
 tracelog
 
 disable-mnt
-# private-bin gjs gnome-maps
+# private-bin gjs,gnome-maps
 private-dev
-# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
 
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
index ef7255130..a43db7e2f 100644
--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -37,8 +37,8 @@ shell none
 tracelog
 
 disable-mnt
-# private-bin gjs gnome-weather
+# private-bin gjs,gnome-weather
 private-dev
-# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
 
diff --git a/etc/goobox.profile b/etc/goobox.profile
index be332665e..c932ad528 100644
--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -31,5 +31,5 @@ tracelog
 
 # private-bin goobox
 private-dev
-# private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 # private-tmp
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index 710c86e9a..361109127 100644
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -35,4 +35,4 @@ shell none
 
 private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine
 private-dev
-# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg,X11
+# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg
diff --git a/etc/lynx.profile b/etc/lynx.profile
index 2f043c9b9..063285316 100644
--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -34,5 +34,5 @@ tracelog
 # private-bin lynx
 private-cache
 private-dev
-# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
diff --git a/etc/minetest.profile b/etc/minetest.profile
index f656d5a87..0439a1ccc 100644
--- a/etc/minetest.profile
+++ b/etc/minetest.profile
@@ -45,5 +45,5 @@ private-bin minetest
 private-cache
 private-dev
 # private-etc needs to be updated, see #1702
-#private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/mpd.profile b/etc/mpd.profile
index 0a98de7c4..0b5ebf705 100644
--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -34,7 +34,7 @@ protocol unix,inet,inet6
 seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
 shell none
 
-#private-bin mpd,bash
+#private-bin bash,mpd
 private-cache
 private-dev
 private-tmp
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
index 98edf273e..e5ef0c202 100644
--- a/etc/multimc5.profile
+++ b/etc/multimc5.profile
@@ -43,7 +43,7 @@ shell none
 
 disable-mnt
 # private-bin works, but causes weirdness
-# private-bin multimc5,bash,mkdir,which,zenity,kdialog,ldd,chmod,valgrind,apt-file,pkgfile,dnf,yum,zypper,pfl,java,grep,sort,awk,readlink,dirname
+# private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper
 private-dev
 private-tmp
 
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 1d5953ff7..673c9fd0b 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -36,7 +36,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin mupdf,sh,tempfile,rm
+# private-bin mupdf,rm,sh,tempfile
 private-dev
 private-etc alternatives,fonts
 private-tmp
diff --git a/etc/peek.profile b/etc/peek.profile
index fd836560e..8cbff0c64 100644
--- a/etc/peek.profile
+++ b/etc/peek.profile
@@ -34,7 +34,7 @@ seccomp
 shell none
 
 # private-bin breaks gif mode, mp4 and webm mode work fine however
-# private-bin peek,convert,ffmpeg
+# private-bin convert,ffmpeg,peek
 private-dev
 private-tmp
 
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index d5198ef61..fe9caec77 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -53,8 +53,7 @@ shell none
 
 private-bin python*,qbittorrent
 private-dev
-# private-etc alternatives,X11,fonts,xdg,resolv.conf,ca-certificates,ssl,pki,crypto-policies
-# private-lib - problems on Arch
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
 private-tmp
 
 # memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index e2a3c9c23..ca1abcdc9 100644
--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -50,5 +50,5 @@ tracelog
 disable-mnt
 private-bin quiterss
 private-dev
-# private-etc alternatives,X11,ssl,pki,ca-certificates,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11
 
diff --git a/etc/ricochet.profile b/etc/ricochet.profile
index fc770d62d..1b8fbbc97 100644
--- a/etc/ricochet.profile
+++ b/etc/ricochet.profile
@@ -37,5 +37,5 @@ shell none
 disable-mnt
 private-bin ricochet,tor
 private-dev
-#private-etc alternatives,fonts,tor,X11,alternatives,ca-certificates,ssl,pki,crypto-policies
+#private-etc alternatives,alternatives,ca-certificates,crypto-policies,fonts,pki,ssl,tor,X11
 
diff --git a/etc/scribus.profile b/etc/scribus.profile
index c50e0861c..e20cd1b5a 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -56,7 +56,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin scribus,gs,gimp*
+# private-bin gimp*,gs,scribus
 private-dev
 private-tmp
 
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
index ca74efe68..807effbeb 100644
--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -52,4 +52,4 @@ seccomp
 tracelog
 
 disable-mnt
-# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
+# private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
index 4ad841880..64441483d 100644
--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -33,5 +33,5 @@ tracelog
 
 # private-bin simple-scan
 # private-dev
-# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 # private-tmp
diff --git a/etc/skype.profile b/etc/skype.profile
index 55057c546..5fab8bdc7 100644
--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -28,7 +28,7 @@ seccomp
 shell none
 
 disable-mnt
-#private-bin skype,bash
+#private-bin bash,skype
 private-cache
 private-dev
 private-tmp
diff --git a/etc/steam.profile b/etc/steam.profile
index df7bfba85..d34b392ad 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -60,7 +60,7 @@ shell none
 #tracelog
 
 # private-bin is disabled while in testing, but has been tested working with multiple games
-#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lspci,lsof,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
+#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
 # extra programs are available which might be needed for select games
 #private-bin java,java-config,mono
 # picture viewers are needed for viewing screenshots
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index 33086a99d..30b0ad762 100644
--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -31,7 +31,7 @@ protocol unix
 seccomp
 shell none
 
-#private-bin synfigstudio,synfig,ffmpeg
+#private-bin ffmpeg,synfig,synfigstudio
 private-cache
 private-dev
 private-tmp
diff --git a/etc/totem.profile b/etc/totem.profile
index 9e6684824..5b74709e3 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -40,6 +40,6 @@ private-bin totem
 # totem needs access to ~/.cache/tracker or it exits
 #private-cache
 private-dev
-# private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 private-tmp
 
diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile
index 6c2d08988..b62d3111d 100644
--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -29,5 +29,5 @@ shell none
 
 # private-bin unknown-horizons
 private-dev
-# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
diff --git a/etc/waterfox.profile b/etc/waterfox.profile
index 3dc21958d..b8ee67ae0 100644
--- a/etc/waterfox.profile
+++ b/etc/waterfox.profile
@@ -20,7 +20,7 @@ whitelist ${HOME}/.mozilla
 whitelist ${HOME}/.waterfox
 
 # waterfox requires a shell to launch on Arch. We can possibly remove sh though.
-#private-bin waterfox,which,sh,dbus-launch,dbus-send,env,bash
+#private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc waterfox
 
diff --git a/etc/wget.profile b/etc/wget.profile
index ff10b2316..2d5c0c4d6 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -36,6 +36,6 @@ shell none
 
 # private-bin wget
 private-dev
-# private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policie,pki,resolv.conf,ssl
 # private-tmp
 
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index b44eae128..58ff93750 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -43,6 +43,6 @@ tracelog
 
 # private-bin wireshark
 private-dev
-# private-etc alternatives,fonts,group,hosts,machine-id,passwd,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl
 private-tmp
 
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index 5f4e3bf4c..325ce7627 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -39,6 +39,6 @@ tracelog
 
 private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
 private-dev
-# private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 private-tmp
 
diff --git a/etc/xpra.profile b/etc/xpra.profile
index dc8d7a665..6f66b9300 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -47,7 +47,7 @@ disable-mnt
 # private home directory doesn't work on some distros, so we go for a regular home
 # private
 # older Xpra versions also use Xvfb
-# private-bin xpra,python*,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls
+# private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb
 private-dev
-# private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
+# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra
 private-tmp