846 files changed, 6131 insertions, 5700 deletions

diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs
new file mode 100644
index 000000000..cc0be3b3d
--- /dev/null
+++ b/.git-blame-ignore-revs
@@ -0,0 +1,2 @@
+# move whitelist/blacklist to allow/deny
+fe0f975f447d59977d90c3226cc8c623b31b20b3
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 688101d13..0f868d6c4 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -34,6 +34,13 @@ If you want to write a new profile, the easiest way to do this is to use the
 [profile template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).
 If you have already written a profile, please make sure it follows the rules described in the template.
 
+If you add a new command, here's the checklist:
+
+ - [ ] Update manpages: firejail(1) and firejail-profile(5)
+ - [ ] Update shell completions
+ - [ ] Update vim syntax files
+ - [ ] Update --help
+
 # Editing the wiki
 
 You are highly encouraged to add your own tips and tricks to the [wiki](https://github.com/netblue30/firejail/wiki).
diff --git a/README b/README
index 8284ce825..c6eedbe5f 100644
--- a/README
+++ b/README
@@ -80,6 +80,8 @@ Akhil Hans Maulloo (https://github.com/kouul)
 Albin Kauffmann (https://github.com/albinou)
         - Firefox and Chromium profile fixes
         - info to allow screen sharing in profiles
+Alex Leahu (https://github.com/alxjsn)
+        - fix screen sharing configuration on Wayland
 Alexey Kuznetsov (kuznet@ms2.inr.ac.ru)
         - src/lib/libnetlink.c extracted from iproute2 software package
 Aleksey Manevich (https://github.com/manevich)
@@ -328,6 +330,7 @@ Florian Begusch (https://github.com/florianbegusch)
         - (la)tex profiles
         - fixed transmission-common.profile
         - fixed standardnotes-desktop.profile
+        - fix jailprober.py
 floxo (https://github.com/floxo)
         - fixed qml disk cache issue
 Franco (nextime) Lanza (https://github.com/nextime)
@@ -471,6 +474,8 @@ irregulator (https://github.com/irregulator)
 Irvine (https://github.com/Irvinehimself)
         - added conky profile
         - added ping, bsdtar, makepkg (Arch), archaudit-report, cower (Arch) profiles
+Ivan (https://github.com/ordinary-dev)
+        - fix telegram profile
 Ivan Kozik (https://github.com/ivan)
         - speed up sandbox exit
 Jaykishan Mutkawoa (https://github.com/jmutkawoa)
@@ -573,6 +578,8 @@ Kristóf Marussy (https://github.com/kris7t)
         - dns support
 kuesji koesnu (https://github.com/kuesji)
         - unit suffixes for rlimit-fsize and rlimit-as
+        - util.c and firejail.h fixes
+        - better parser for size strings
 Kunal Mehta (https://github.com/legoktm)
         - converted all links to https in manpages
 laniakea64 (https://github.com/laniakea64)
@@ -596,6 +603,8 @@ Lukáš Krejčí (https://github.com/lskrejci)
         - fixed parsing of --keep-var-tmp
 luzpaz (https://github.com/luzpaz)
         - code spelling fixes
+lxeiqr (https://github.com/lxeiqr)
+        - fix sndio support
 Mace Muilman (https://github.com/mace015)
         - google-chrome{,beta,unstable} flags
 maces (https://github.com/maces)
@@ -654,6 +663,8 @@ Neo00001 (https://github.com/Neo00001)
         - update telegram profile
         - add spectacle profile
         - add kdiff3 profile
+NetSysFire (https://github.com/NetSysFire)
+        - update weechat profile
 Nick Fox (https://github.com/njfox)
         - add a profile alias for code-oss
         - add code-oss config directory
@@ -739,8 +750,9 @@ pirate486743186 (https://github.com/pirate486743186)
         - adding qcomicbook and pipe-viewer in disable-programs
         - newsboat/newsbeuter profiles
         - fix atril profile
-        - rtv profile
         - reorganizing links browsers
+        - added rtv, alpine, mcomix, qcomicbook, googler, ddgr profiles
+        - w3m, zahura, profile.template fixes
 Pixel Fairy (https://github.com/xahare)
         - added fjclip.py, fjdisplay.py and fjresize.py in contrib section
 PizzaDude (https://github.com/pizzadude)
@@ -1047,6 +1059,7 @@ Vladimir Schowalter (https://github.com/VladimirSchowalter20)
 Vladislav Nepogodin (https://github.com/vnepogodin)
         - added Librewolf profiles
         - added Sway profile
+        - fix CLion profile
 xee5ch (https://github.com/xee5ch)
         - skypeforlinux profile
 Ypnose (https://github.com/Ypnose)
diff --git a/README.md b/README.md
index c235759e9..2fd8e3009 100644
--- a/README.md
+++ b/README.md
@@ -189,107 +189,18 @@ You can also use this tool to get a list of syscalls needed by a program: [contr
 
 We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory.
 
-## Latest released version: 0.9.64
+## Latest released version: 0.9.66
 
-## Current development version: 0.9.65
+## Current development version: 0.9.67
 
 Milestone page: https://github.com/netblue30/firejail/milestone/1
 Release discussion: https://github.com/netblue30/firejail/issues/3696
 
-### jailcheck
-`````
-JAILCHECK(1)                  JAILCHECK man page                  JAILCHECK(1)
-
-NAME
-       jailcheck - Simple utility program to test running sandboxes
-
-SYNOPSIS
-       sudo jailcheck [OPTIONS] [directory]
-
-DESCRIPTION
-       jailcheck attaches itself to all sandboxes started by the user and per‐
-       forms some basic tests on the sandbox filesystem:
-
-       1. Virtual directories
-              jailcheck extracts a list with the main virtual directories  in‐
-              stalled by the sandbox.  These directories are build by firejail
-              at startup using --private* and --whitelist commands.
-
-       2. Noexec test
-              jailcheck inserts executable programs in  /home/username,  /tmp,
-              and  /var/tmp  directories and tries to run them from inside the
-              sandbox, thus testing if the directory is executable or not.
-
-       3. Read access test
-              jailcheck creates test files in the directories specified by the
-              user and tries to read them from inside the sandbox.
-
-       4. AppArmor test
-
-       5. Seccomp test
-
-       The program is started as root using sudo.
-
-OPTIONS
-       --debug
-              Print debug messages.
-
-       -?, --help
-              Print options and exit.
-
-       --version
-              Print program version and exit.
+Moving from whitelist/blacklist to allow/deny is under way! We are still open to other options, so it might change!
 
-       [directory]
-              One  or  more  directories in user home to test for read access.
-              ~/.ssh and ~/.gnupg are tested by default.
-
-OUTPUT
-       For each sandbox detected we print the following line:
-
-            PID:USER:Sandbox Name:Command
-
-       It is followed by relevant sandbox information, such as the virtual di‐
-       rectories and various warnings.
-
-EXAMPLE
-       $ sudo jailcheck
-       2014:netblue::firejail /usr/bin/gimp
-          Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
-          Warning: I can run programs in /home/netblue
-
-       2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
-          Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
-          Warning: I can read ~/.ssh
-
-       2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.ap‐
-       pimage
-          Virtual dirs: /tmp, /var/tmp, /dev,
-
-       26090:netblue::/usr/bin/firejail /opt/firefox/firefox
-          Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
-                        /run/user/1000,
-
-       26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
-          Warning: AppArmor not enabled
-          Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
-                        /usr/share, /run/user/1000,
-          Warning: I can run programs in /home/netblue
-
-LICENSE
-       This program is free software; you can redistribute it and/or modify it
-       under  the  terms of the GNU General Public License as published by the
-       Free Software Foundation; either version 2 of the License, or (at  your
-       option) any later version.
-
-       Homepage: https://firejail.wordpress.com
-
-SEE ALSO
-       firejail(1),  firemon(1), firecfg(1), firejail-profile(5), firejail-lo‐
-       gin(5), firejail-users(5),
-
-0.9.65                             May 2021                       JAILCHECK(1)
-`````
+The old whitelist/blacklist will remain as aliasses for the next one or two releases
+in order to give users a chance to switch their local profiles.
+The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379
 
 ### Profile Statistics
 
@@ -298,40 +209,32 @@ A small tool to print profile statistics. Compile as usual and run in /etc/profi
 $ sudo cp src/profstats/profstats /etc/firejail/.
 $ cd /etc/firejail
 $ ./profstats *.profile
-Stats:
-    profiles                    1135
-    include local profile       1135   (include profile-name.local)
-    include globals             1106   (include globals.local)
-    blacklist ~/.ssh            1009   (include disable-common.inc)
-    seccomp                     1035
-    capabilities                1130
-    noexec                      1011   (include disable-exec.inc)
-    noroot                      944
-    memory-deny-write-execute   242
-    apparmor                    667
-    private-bin                 635
-    private-dev                 992
-    private-etc                 508
-    private-tmp                 866
-    whitelist home directory    542
-    whitelist var               799   (include whitelist-var-common.inc)
-    whitelist run/user          597   (include whitelist-runuser-common.inc
+    profiles                    1150
+    include local profile       1150   (include profile-name.local)
+    include globals             1120   (include globals.local)
+    blacklist ~/.ssh            1026   (include disable-common.inc)
+    seccomp                     1050
+    capabilities                1146
+    noexec                      1030   (include disable-exec.inc)
+    noroot                      959
+    memory-deny-write-execute   253
+    apparmor                    681
+    private-bin                 667
+    private-dev                 1009
+    private-etc                 523
+    private-tmp                 883
+    whitelist home directory    547
+    whitelist var               818   (include whitelist-var-common.inc)
+    whitelist run/user          616   (include whitelist-runuser-common.inc
                                         or blacklist ${RUNUSER})
-    whitelist usr/share         569   (include whitelist-usr-share-common.inc
-    net none                    389
-    dbus-user none              619
+    whitelist usr/share         591   (include whitelist-usr-share-common.inc
+    net none                    391
+    dbus-user none              641
     dbus-user filter            105
-    dbus-system none            770
+    dbus-system none            792
     dbus-system filter          7
 ```
 
 ### New profiles:
 
-vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
-avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop,
-pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum,
-sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper,
-ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper,
-pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon,
-neochat, node, nvm, cargo, LibreCAD, blobby, funnyboat, pipe-viewer, gtk-pipe-viewer, links2, xlinks2, googler, ddgr,
-tin
+clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta
diff --git a/RELNOTES b/RELNOTES
index 0a07e7bda..49b88ac08 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,10 +1,18 @@
-firejail (0.9.65) baseline; urgency=low
+firejail (0.9.67) baseline; urgency=low
+  * work in progress
+  * deprecated --disable-whitelist at compile time
+  * deprecated whitelist=yes/no in /etc/firejail/firejail.config
+  * new profiles: microsoft-edge-beta
+ -- netblue30 <netblue30@yahoo.com>  Mon, 28 Jun 2021 09:00:00 -0500
+
+firejail (0.9.66) baseline; urgency=low
   * deprecated --audit options, relpaced by jailcheck utility
   * deprecated follow-symlink-as-user from firejail.config
   * new firejail.config settings: private-bin, private-etc
   * new firejail.config settings: private-opt, private-srv
   * new firejail.config settings: whitelist-disable-topdir
   * new firejail.config settings: seccomp-filter-add
+  * removed kcmp syscall from seccomp default filter
   * rename --noautopulse to keep-config-pulse
   * filtering environment variables
   * zsh completion
@@ -38,7 +46,7 @@ firejail (0.9.65) baseline; urgency=low
   * neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, neochat,
   * cargo, LibreCAD, blobby, funnyboat, pipe-viewer, gtk-pipe-viewer
   * links2, xlinks2, googler, ddgr, tin
- -- netblue30 <netblue30@yahoo.com>  Wed, 2 Jun 2021 09:00:00 -0500
+ -- netblue30 <netblue30@yahoo.com>  Mon, 28 Jun 2021 09:00:00 -0500
 
 firejail (0.9.64.4) baseline; urgency=low
   * disabled overlayfs, pending multiple fixes (CVE-2021-26910)
diff --git a/configure b/configure
index 9162b6c90..9e883191a 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.66rc1.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.67.
 #
 # Report bugs to <netblue30@protonmail.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.66rc1'
-PACKAGE_STRING='firejail 0.9.66rc1'
+PACKAGE_VERSION='0.9.67'
+PACKAGE_STRING='firejail 0.9.67'
 PACKAGE_BUGREPORT='netblue30@protonmail.com'
 PACKAGE_URL='https://firejail.wordpress.com'
 
@@ -634,7 +634,6 @@ HAVE_GCOV
 BUSYBOX_WORKAROUND
 HAVE_FATAL_WARNINGS
 HAVE_SUID
-HAVE_WHITELIST
 HAVE_FILE_TRANSFER
 HAVE_X11
 HAVE_USERNS
@@ -726,7 +725,6 @@ enable_network
 enable_userns
 enable_x11
 enable_file_transfer
-enable_whitelist
 enable_suid
 enable_fatal_warnings
 enable_busybox_workaround
@@ -1299,7 +1297,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.66rc1 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.67 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1361,7 +1359,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.66rc1:";;
+     short | recursive ) echo "Configuration of firejail 0.9.67:";;
    esac
   cat <<\_ACEOF
 
@@ -1385,7 +1383,6 @@ Optional Features:
   --disable-userns        disable user namespace
   --disable-x11           disable X11 sandboxing support
   --disable-file-transfer disable file transfer
-  --disable-whitelist     disable whitelist
   --disable-suid          install as a non-SUID executable
   --enable-fatal-warnings -W -Wall -Werror
   --enable-busybox-workaround
@@ -1481,7 +1478,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.66rc1
+firejail configure 0.9.67
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1783,7 +1780,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.66rc1, which was
+It was created by firejail $as_me 0.9.67, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3747,19 +3744,6 @@ if test "x$enable_file_transfer" != "xno"; then :
 
 fi
 
-HAVE_WHITELIST=""
-# Check whether --enable-whitelist was given.
-if test "${enable_whitelist+set}" = set; then :
-  enableval=$enable_whitelist;
-fi
-
-if test "x$enable_whitelist" != "xno"; then :
-
-        HAVE_WHITELIST="-DHAVE_WHITELIST"
-
-
-fi
-
 HAVE_SUID=""
 # Check whether --enable-suid was given.
 if test "${enable_suid+set}" = set; then :
@@ -4910,7 +4894,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.66rc1, which was
+This file was extended by firejail $as_me 0.9.67, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4964,7 +4948,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.66rc1
+firejail config.status 0.9.67
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -5572,7 +5556,6 @@ Configuration options:
    network: $HAVE_NETWORK
    user namespace: $HAVE_USERNS
    X11 sandboxing support: $HAVE_X11
-   whitelisting: $HAVE_WHITELIST
    private home support: $HAVE_PRIVATE_HOME
    file transfer support: $HAVE_FILE_TRANSFER
    overlayfs support: $HAVE_OVERLAYFS
diff --git a/configure.ac b/configure.ac
index f37db5926..1f8e802b5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -12,7 +12,7 @@
 #
 
 AC_PREREQ([2.68])
-AC_INIT([firejail],[0.9.66rc1],[netblue30@protonmail.com],[],[https://firejail.wordpress.com])
+AC_INIT([firejail],[0.9.67],[netblue30@protonmail.com],[],[https://firejail.wordpress.com])
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 
 AC_CONFIG_MACRO_DIR([m4])
@@ -177,14 +177,6 @@ AS_IF([test "x$enable_file_transfer" != "xno"], [
         AC_SUBST(HAVE_FILE_TRANSFER)
 ])
 
-HAVE_WHITELIST=""
-AC_ARG_ENABLE([whitelist],
-    AS_HELP_STRING([--disable-whitelist], [disable whitelist]))
-AS_IF([test "x$enable_whitelist" != "xno"], [
-        HAVE_WHITELIST="-DHAVE_WHITELIST"
-        AC_SUBST(HAVE_WHITELIST)
-])
-
 HAVE_SUID=""
 AC_ARG_ENABLE([suid],
     AS_HELP_STRING([--disable-suid], [install as a non-SUID executable]))
@@ -323,7 +315,6 @@ Configuration options:
    network: $HAVE_NETWORK
    user namespace: $HAVE_USERNS
    X11 sandboxing support: $HAVE_X11
-   whitelisting: $HAVE_WHITELIST
    private home support: $HAVE_PRIVATE_HOME
    file transfer support: $HAVE_FILE_TRANSFER
    overlayfs support: $HAVE_OVERLAYFS
diff --git a/etc/firejail.config b/etc/firejail.config
index 43db49422..2e355586b 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -123,9 +123,6 @@
 # Enable or disable user namespace support, default enabled.
 # userns yes
 
-# Enable or disable whitelisting support, default enabled.
-# whitelist yes
-
 # Disable whitelist top level directories, in addition to those
 # that are disabled out of the box. None by default; this is an example.
 # whitelist-disable-topdir /etc,/usr/etc
diff --git a/etc/inc/allow-bin-sh.inc b/etc/inc/allow-bin-sh.inc
index d6c295414..59cd40878 100644
--- a/etc/inc/allow-bin-sh.inc
+++ b/etc/inc/allow-bin-sh.inc
@@ -2,6 +2,6 @@
 # Persistent customizations should go in a .local file.
 include allow-bin-sh.local
 
-noblacklist ${PATH}/bash
-noblacklist ${PATH}/dash
-noblacklist ${PATH}/sh
+nodeny  ${PATH}/bash
+nodeny  ${PATH}/dash
+nodeny  ${PATH}/sh
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 011bbe226..71b1483cd 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -3,29 +3,29 @@
 include allow-common-devel.local
 
 # Git
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
+nodeny  ${HOME}/.config/git
+nodeny  ${HOME}/.gitconfig
+nodeny  ${HOME}/.git-credentials
 
 # Java
-noblacklist ${HOME}/.gradle
-noblacklist ${HOME}/.java
+nodeny  ${HOME}/.gradle
+nodeny  ${HOME}/.java
 
 # Node.js
-noblacklist ${HOME}/.node-gyp
-noblacklist ${HOME}/.npm
-noblacklist ${HOME}/.npmrc
-noblacklist ${HOME}/.nvm
-noblacklist ${HOME}/.yarn
-noblacklist ${HOME}/.yarn-config
-noblacklist ${HOME}/.yarncache
-noblacklist ${HOME}/.yarnrc
+nodeny  ${HOME}/.node-gyp
+nodeny  ${HOME}/.npm
+nodeny  ${HOME}/.npmrc
+nodeny  ${HOME}/.nvm
+nodeny  ${HOME}/.yarn
+nodeny  ${HOME}/.yarn-config
+nodeny  ${HOME}/.yarncache
+nodeny  ${HOME}/.yarnrc
 
 # Python
-noblacklist ${HOME}/.pylint.d
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
+nodeny  ${HOME}/.pylint.d
+nodeny  ${HOME}/.python-history
+nodeny  ${HOME}/.python_history
+nodeny  ${HOME}/.pythonhist
 
 # Rust
-noblacklist ${HOME}/.cargo/*
+nodeny  ${HOME}/.cargo/*
diff --git a/etc/inc/allow-gjs.inc b/etc/inc/allow-gjs.inc
index c1366e093..2e2490079 100644
--- a/etc/inc/allow-gjs.inc
+++ b/etc/inc/allow-gjs.inc
@@ -2,11 +2,11 @@
 # Persistent customizations should go in a .local file.
 include allow-gjs.local
 
-noblacklist ${PATH}/gjs
-noblacklist ${PATH}/gjs-console
-noblacklist /usr/lib/gjs
-noblacklist /usr/lib/libgjs*
-noblacklist /usr/lib/libmozjs-*
-noblacklist /usr/lib64/gjs
-noblacklist /usr/lib64/libgjs*
-noblacklist /usr/lib64/libmozjs-*
+nodeny  ${PATH}/gjs
+nodeny  ${PATH}/gjs-console
+nodeny  /usr/lib/gjs
+nodeny  /usr/lib/libgjs*
+nodeny  /usr/lib/libmozjs-*
+nodeny  /usr/lib64/gjs
+nodeny  /usr/lib64/libgjs*
+nodeny  /usr/lib64/libmozjs-*
diff --git a/etc/inc/allow-java.inc b/etc/inc/allow-java.inc
index 24d18fb77..af44f3664 100644
--- a/etc/inc/allow-java.inc
+++ b/etc/inc/allow-java.inc
@@ -2,8 +2,8 @@
 # Persistent customizations should go in a .local file.
 include allow-java.local
 
-noblacklist ${HOME}/.java
-noblacklist ${PATH}/java
-noblacklist /etc/java
-noblacklist /usr/lib/java
-noblacklist /usr/share/java
+nodeny  ${HOME}/.java
+nodeny  ${PATH}/java
+nodeny  /etc/java
+nodeny  /usr/lib/java
+nodeny  /usr/share/java
diff --git a/etc/inc/allow-lua.inc b/etc/inc/allow-lua.inc
index 9c47e7a3b..3d0a1997b 100644
--- a/etc/inc/allow-lua.inc
+++ b/etc/inc/allow-lua.inc
@@ -2,11 +2,11 @@
 # Persistent customizations should go in a .local file.
 include allow-lua.local
 
-noblacklist ${PATH}/lua*
-noblacklist /usr/include
-noblacklist /usr/lib/liblua*
-noblacklist /usr/lib/lua
-noblacklist /usr/lib64/liblua*
-noblacklist /usr/lib64/lua
-noblacklist /usr/share/lua
-noblacklist /usr/share/lua*
+nodeny  ${PATH}/lua*
+nodeny  /usr/include
+nodeny  /usr/lib/liblua*
+nodeny  /usr/lib/lua
+nodeny  /usr/lib64/liblua*
+nodeny  /usr/lib64/lua
+nodeny  /usr/share/lua
+nodeny  /usr/share/lua*
diff --git a/etc/inc/allow-nodejs.inc b/etc/inc/allow-nodejs.inc
index 351c94ab8..e915b3866 100644
--- a/etc/inc/allow-nodejs.inc
+++ b/etc/inc/allow-nodejs.inc
@@ -2,8 +2,8 @@
 # Persistent customizations should go in a .local file.
 include allow-nodejs.local
 
-noblacklist ${PATH}/node
-noblacklist /usr/include/node
+nodeny  ${PATH}/node
+nodeny  /usr/include/node
 
 # Allow python for node-gyp (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/inc/allow-opengl-game.inc b/etc/inc/allow-opengl-game.inc
index b5ff1bd50..00e35e983 100644
--- a/etc/inc/allow-opengl-game.inc
+++ b/etc/inc/allow-opengl-game.inc
@@ -1,3 +1,7 @@
-noblacklist ${PATH}/bash
-whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-opengl-game.local
+
+nodeny  ${PATH}/bash
+allow  /usr/share/opengl-games-utils/opengl-game-functions.sh
 private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity
diff --git a/etc/inc/allow-perl.inc b/etc/inc/allow-perl.inc
index 5a1952c94..134d27239 100644
--- a/etc/inc/allow-perl.inc
+++ b/etc/inc/allow-perl.inc
@@ -2,11 +2,11 @@
 # Persistent customizations should go in a .local file.
 include allow-perl.local
 
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/cpan*
-noblacklist ${PATH}/perl
-noblacklist ${PATH}/site_perl
-noblacklist ${PATH}/vendor_perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/lib64/perl*
-noblacklist /usr/share/perl*
+nodeny  ${PATH}/core_perl
+nodeny  ${PATH}/cpan*
+nodeny  ${PATH}/perl
+nodeny  ${PATH}/site_perl
+nodeny  ${PATH}/vendor_perl
+nodeny  /usr/lib/perl*
+nodeny  /usr/lib64/perl*
+nodeny  /usr/share/perl*
diff --git a/etc/inc/allow-php.inc b/etc/inc/allow-php.inc
index a0950dc26..520c2019e 100644
--- a/etc/inc/allow-php.inc
+++ b/etc/inc/allow-php.inc
@@ -2,6 +2,6 @@
 # Persistent customizations should go in a .local file.
 include allow-php.local
 
-noblacklist ${PATH}/php*
-noblacklist /usr/lib/php*
-noblacklist /usr/share/php*
+nodeny  ${PATH}/php*
+nodeny  /usr/lib/php*
+nodeny  /usr/share/php*
diff --git a/etc/inc/allow-python2.inc b/etc/inc/allow-python2.inc
index b0525e2e1..f1830043a 100644
--- a/etc/inc/allow-python2.inc
+++ b/etc/inc/allow-python2.inc
@@ -2,8 +2,8 @@
 # Persistent customizations should go in a .local file.
 include allow-python2.local
 
-noblacklist ${PATH}/python2*
-noblacklist /usr/include/python2*
-noblacklist /usr/lib/python2*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/share/python2*
+nodeny  ${PATH}/python2*
+nodeny  /usr/include/python2*
+nodeny  /usr/lib/python2*
+nodeny  /usr/local/lib/python2*
+nodeny  /usr/share/python2*
diff --git a/etc/inc/allow-python3.inc b/etc/inc/allow-python3.inc
index d968886b0..e4b6ed1a9 100644
--- a/etc/inc/allow-python3.inc
+++ b/etc/inc/allow-python3.inc
@@ -2,9 +2,9 @@
 # Persistent customizations should go in a .local file.
 include allow-python3.local
 
-noblacklist ${PATH}/python3*
-noblacklist /usr/include/python3*
-noblacklist /usr/lib/python3*
-noblacklist /usr/lib64/python3*
-noblacklist /usr/local/lib/python3*
-noblacklist /usr/share/python3*
+nodeny  ${PATH}/python3*
+nodeny  /usr/include/python3*
+nodeny  /usr/lib/python3*
+nodeny  /usr/lib64/python3*
+nodeny  /usr/local/lib/python3*
+nodeny  /usr/share/python3*
diff --git a/etc/inc/allow-ruby.inc b/etc/inc/allow-ruby.inc
index a8c701219..d949bbc84 100644
--- a/etc/inc/allow-ruby.inc
+++ b/etc/inc/allow-ruby.inc
@@ -2,5 +2,5 @@
 # Persistent customizations should go in a .local file.
 include allow-ruby.local
 
-noblacklist ${PATH}/ruby
-noblacklist /usr/lib/ruby
+nodeny  ${PATH}/ruby
+nodeny  /usr/lib/ruby
diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
index 67c78a483..44957bf32 100644
--- a/etc/inc/allow-ssh.inc
+++ b/etc/inc/allow-ssh.inc
@@ -2,7 +2,7 @@
 # Persistent customizations should go in a .local file.
 include allow-ssh.local
 
-noblacklist ${HOME}/.ssh
-noblacklist /etc/ssh
-noblacklist /etc/ssh/ssh_config
-noblacklist /tmp/ssh-*
+nodeny  ${HOME}/.ssh
+nodeny  /etc/ssh
+nodeny  /etc/ssh/ssh_config
+nodeny  /tmp/ssh-*
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 2dc53d311..1283a3a3d 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -5,63 +5,63 @@ include disable-common.local
 # The following block breaks trash functionality in file managers
 #read-only ${HOME}/.local
 #read-write ${HOME}/.local/share
-blacklist ${HOME}/.local/share/Trash
+deny  ${HOME}/.local/share/Trash
 
 # History files in $HOME and clipboard managers
-blacklist-nolog ${HOME}/.*_history
-blacklist-nolog ${HOME}/.adobe
-blacklist-nolog ${HOME}/.cache/greenclip*
-blacklist-nolog ${HOME}/.histfile
-blacklist-nolog ${HOME}/.history
-blacklist-nolog ${HOME}/.kde/share/apps/klipper
-blacklist-nolog ${HOME}/.kde4/share/apps/klipper
-blacklist-nolog ${HOME}/.local/share/fish/fish_history
-blacklist-nolog ${HOME}/.local/share/klipper
-blacklist-nolog ${HOME}/.macromedia
-blacklist-nolog ${HOME}/.mupdf.history
-blacklist-nolog ${HOME}/.python-history
-blacklist-nolog ${HOME}/.python_history
-blacklist-nolog ${HOME}/.pythonhist
-blacklist-nolog ${HOME}/.lesshst
-blacklist-nolog ${HOME}/.viminfo
-blacklist-nolog /tmp/clipmenu*
+deny-nolog  ${HOME}/.*_history
+deny-nolog  ${HOME}/.adobe
+deny-nolog  ${HOME}/.cache/greenclip*
+deny-nolog  ${HOME}/.histfile
+deny-nolog  ${HOME}/.history
+deny-nolog  ${HOME}/.kde/share/apps/klipper
+deny-nolog  ${HOME}/.kde4/share/apps/klipper
+deny-nolog  ${HOME}/.local/share/fish/fish_history
+deny-nolog  ${HOME}/.local/share/klipper
+deny-nolog  ${HOME}/.macromedia
+deny-nolog  ${HOME}/.mupdf.history
+deny-nolog  ${HOME}/.python-history
+deny-nolog  ${HOME}/.python_history
+deny-nolog  ${HOME}/.pythonhist
+deny-nolog  ${HOME}/.lesshst
+deny-nolog  ${HOME}/.viminfo
+deny-nolog  /tmp/clipmenu*
 
 # X11 session autostart
 # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
-blacklist ${HOME}/.Xsession
-blacklist ${HOME}/.blackbox
-blacklist ${HOME}/.config/autostart
-blacklist ${HOME}/.config/autostart-scripts
-blacklist ${HOME}/.config/awesome
-blacklist ${HOME}/.config/i3
-blacklist ${HOME}/.config/sway
-blacklist ${HOME}/.config/lxsession/LXDE/autostart
-blacklist ${HOME}/.config/openbox
-blacklist ${HOME}/.config/plasma-workspace
-blacklist ${HOME}/.config/startupconfig
-blacklist ${HOME}/.config/startupconfigkeys
-blacklist ${HOME}/.fluxbox
-blacklist ${HOME}/.gnomerc
-blacklist ${HOME}/.kde/Autostart
-blacklist ${HOME}/.kde/env
-blacklist ${HOME}/.kde/share/autostart
-blacklist ${HOME}/.kde/share/config/startupconfig
-blacklist ${HOME}/.kde/share/config/startupconfigkeys
-blacklist ${HOME}/.kde/shutdown
-blacklist ${HOME}/.kde4/env
-blacklist ${HOME}/.kde4/Autostart
-blacklist ${HOME}/.kde4/share/autostart
-blacklist ${HOME}/.kde4/shutdown
-blacklist ${HOME}/.kde4/share/config/startupconfig
-blacklist ${HOME}/.kde4/share/config/startupconfigkeys
-blacklist ${HOME}/.local/share/autostart
-blacklist ${HOME}/.xinitrc
-blacklist ${HOME}/.xprofile
-blacklist ${HOME}/.xserverrc
-blacklist ${HOME}/.xsession
-blacklist ${HOME}/.xsessionrc
-blacklist /etc/X11/Xsession.d
-blacklist /etc/xdg/autostart
+deny  ${HOME}/.Xsession
+deny  ${HOME}/.blackbox
+deny  ${HOME}/.config/autostart
+deny  ${HOME}/.config/autostart-scripts
+deny  ${HOME}/.config/awesome
+deny  ${HOME}/.config/i3
+deny  ${HOME}/.config/sway
+deny  ${HOME}/.config/lxsession/LXDE/autostart
+deny  ${HOME}/.config/openbox
+deny  ${HOME}/.config/plasma-workspace
+deny  ${HOME}/.config/startupconfig
+deny  ${HOME}/.config/startupconfigkeys
+deny  ${HOME}/.fluxbox
+deny  ${HOME}/.gnomerc
+deny  ${HOME}/.kde/Autostart
+deny  ${HOME}/.kde/env
+deny  ${HOME}/.kde/share/autostart
+deny  ${HOME}/.kde/share/config/startupconfig
+deny  ${HOME}/.kde/share/config/startupconfigkeys
+deny  ${HOME}/.kde/shutdown
+deny  ${HOME}/.kde4/env
+deny  ${HOME}/.kde4/Autostart
+deny  ${HOME}/.kde4/share/autostart
+deny  ${HOME}/.kde4/shutdown
+deny  ${HOME}/.kde4/share/config/startupconfig
+deny  ${HOME}/.kde4/share/config/startupconfigkeys
+deny  ${HOME}/.local/share/autostart
+deny  ${HOME}/.xinitrc
+deny  ${HOME}/.xprofile
+deny  ${HOME}/.xserverrc
+deny  ${HOME}/.xsession
+deny  ${HOME}/.xsessionrc
+deny  /etc/X11/Xsession.d
+deny  /etc/xdg/autostart
 read-only ${HOME}/.Xauthority
 
 # Session manager
@@ -70,46 +70,46 @@ read-only ${HOME}/.Xauthority
 #?HAS_X11: blacklist /tmp/.ICE-unix
 
 # KDE config
-blacklist ${HOME}/.cache/konsole
-blacklist ${HOME}/.config/khotkeysrc
-blacklist ${HOME}/.config/krunnerrc
-blacklist ${HOME}/.config/kscreenlockerrc
-blacklist ${HOME}/.config/ksslcertificatemanager
-blacklist ${HOME}/.config/kwalletrc
-blacklist ${HOME}/.config/kwinrc
-blacklist ${HOME}/.config/kwinrulesrc
-blacklist ${HOME}/.config/plasma-locale-settings.sh
-blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
-blacklist ${HOME}/.config/plasmashellrc
-blacklist ${HOME}/.config/plasmavaultrc
-blacklist ${HOME}/.kde/share/apps/kwin
-blacklist ${HOME}/.kde/share/apps/plasma
-blacklist ${HOME}/.kde/share/apps/solid
-blacklist ${HOME}/.kde/share/config/khotkeysrc
-blacklist ${HOME}/.kde/share/config/krunnerrc
-blacklist ${HOME}/.kde/share/config/kscreensaverrc
-blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
-blacklist ${HOME}/.kde/share/config/kwalletrc
-blacklist ${HOME}/.kde/share/config/kwinrc
-blacklist ${HOME}/.kde/share/config/kwinrulesrc
-blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
-blacklist ${HOME}/.kde4/share/apps/kwin
-blacklist ${HOME}/.kde4/share/apps/plasma
-blacklist ${HOME}/.kde4/share/apps/solid
-blacklist ${HOME}/.kde4/share/config/khotkeysrc
-blacklist ${HOME}/.kde4/share/config/krunnerrc
-blacklist ${HOME}/.kde4/share/config/kscreensaverrc
-blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
-blacklist ${HOME}/.kde4/share/config/kwalletrc
-blacklist ${HOME}/.kde4/share/config/kwinrc
-blacklist ${HOME}/.kde4/share/config/kwinrulesrc
-blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
-blacklist ${HOME}/.local/share/kglobalaccel
-blacklist ${HOME}/.local/share/kwin
-blacklist ${HOME}/.local/share/plasma
-blacklist ${HOME}/.local/share/plasmashell
-blacklist ${HOME}/.local/share/solid
-blacklist /tmp/konsole-*.history
+deny  ${HOME}/.cache/konsole
+deny  ${HOME}/.config/khotkeysrc
+deny  ${HOME}/.config/krunnerrc
+deny  ${HOME}/.config/kscreenlockerrc
+deny  ${HOME}/.config/ksslcertificatemanager
+deny  ${HOME}/.config/kwalletrc
+deny  ${HOME}/.config/kwinrc
+deny  ${HOME}/.config/kwinrulesrc
+deny  ${HOME}/.config/plasma-locale-settings.sh
+deny  ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
+deny  ${HOME}/.config/plasmashellrc
+deny  ${HOME}/.config/plasmavaultrc
+deny  ${HOME}/.kde/share/apps/kwin
+deny  ${HOME}/.kde/share/apps/plasma
+deny  ${HOME}/.kde/share/apps/solid
+deny  ${HOME}/.kde/share/config/khotkeysrc
+deny  ${HOME}/.kde/share/config/krunnerrc
+deny  ${HOME}/.kde/share/config/kscreensaverrc
+deny  ${HOME}/.kde/share/config/ksslcertificatemanager
+deny  ${HOME}/.kde/share/config/kwalletrc
+deny  ${HOME}/.kde/share/config/kwinrc
+deny  ${HOME}/.kde/share/config/kwinrulesrc
+deny  ${HOME}/.kde/share/config/plasma-desktop-appletsrc
+deny  ${HOME}/.kde4/share/apps/kwin
+deny  ${HOME}/.kde4/share/apps/plasma
+deny  ${HOME}/.kde4/share/apps/solid
+deny  ${HOME}/.kde4/share/config/khotkeysrc
+deny  ${HOME}/.kde4/share/config/krunnerrc
+deny  ${HOME}/.kde4/share/config/kscreensaverrc
+deny  ${HOME}/.kde4/share/config/ksslcertificatemanager
+deny  ${HOME}/.kde4/share/config/kwalletrc
+deny  ${HOME}/.kde4/share/config/kwinrc
+deny  ${HOME}/.kde4/share/config/kwinrulesrc
+deny  ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
+deny  ${HOME}/.local/share/kglobalaccel
+deny  ${HOME}/.local/share/kwin
+deny  ${HOME}/.local/share/plasma
+deny  ${HOME}/.local/share/plasmashell
+deny  ${HOME}/.local/share/solid
+deny  /tmp/konsole-*.history
 read-only ${HOME}/.cache/ksycoca5_*
 read-only ${HOME}/.config/*notifyrc
 read-only ${HOME}/.config/kdeglobals
@@ -138,124 +138,139 @@ read-only ${HOME}/.local/share/kservices5
 read-only ${HOME}/.local/share/kssl
 
 # KDE sockets
-blacklist ${RUNUSER}/*.slave-socket
-blacklist ${RUNUSER}/kdeinit5__*
-blacklist ${RUNUSER}/kdesud_*
+deny  ${RUNUSER}/*.slave-socket
+deny  ${RUNUSER}/kdeinit5__*
+deny  ${RUNUSER}/kdesud_*
 # see #3358
 #?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-*
 #?HAS_NODBUS: blacklist /tmp/ksocket-*
 
 # gnome
 # contains extensions, last used times of applications, and notifications
-blacklist ${HOME}/.local/share/gnome-shell
+deny  ${HOME}/.local/share/gnome-shell
 # contains recently used files and serials of static/removable storage
-blacklist ${HOME}/.local/share/gvfs-metadata
+deny  ${HOME}/.local/share/gvfs-metadata
 # no direct modification of dconf database
 read-only ${HOME}/.config/dconf
-blacklist ${RUNUSER}/gnome-session-leader-fifo
-blacklist ${RUNUSER}/gnome-shell
-blacklist ${RUNUSER}/gsconnect
+deny  ${RUNUSER}/gnome-session-leader-fifo
+deny  ${RUNUSER}/gnome-shell
+deny  ${RUNUSER}/gsconnect
 
 # systemd
-blacklist ${HOME}/.config/systemd
-blacklist ${HOME}/.local/share/systemd
-blacklist /var/lib/systemd
-blacklist ${PATH}/systemd-run
-blacklist ${RUNUSER}/systemd
+deny  ${HOME}/.config/systemd
+deny  ${HOME}/.local/share/systemd
+deny  /var/lib/systemd
+deny  ${PATH}/systemd-run
+deny  ${RUNUSER}/systemd
+deny  ${PATH}/systemctl
+deny  /etc/systemd/system
+deny  /etc/systemd/network
 # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
 #blacklist /var/run/systemd
 
 # openrc
-blacklist /etc/runlevels/
-blacklist /etc/init.d/
-blacklist /etc/rc.conf
+deny  /etc/runlevels/
+deny  /etc/init.d/
+deny  /etc/rc.conf
 
 # VirtualBox
-blacklist ${HOME}/.VirtualBox
-blacklist ${HOME}/.config/VirtualBox
-blacklist ${HOME}/VirtualBox VMs
+deny  ${HOME}/.VirtualBox
+deny  ${HOME}/.config/VirtualBox
+deny  ${HOME}/VirtualBox VMs
 
 # GNOME Boxes
-blacklist ${HOME}/.config/gnome-boxes
-blacklist ${HOME}/.local/share/gnome-boxes
+deny  ${HOME}/.config/gnome-boxes
+deny  ${HOME}/.local/share/gnome-boxes
 
 # libvirt
-blacklist ${HOME}/.cache/libvirt
-blacklist ${HOME}/.config/libvirt
-blacklist ${RUNUSER}/libvirt
-blacklist /var/cache/libvirt
-blacklist /var/lib/libvirt
-blacklist /var/log/libvirt
+deny  ${HOME}/.cache/libvirt
+deny  ${HOME}/.config/libvirt
+deny  ${RUNUSER}/libvirt
+deny  /var/cache/libvirt
+deny  /var/lib/libvirt
+deny  /var/log/libvirt
 
 # OCI-Containers / Podman
-blacklist ${RUNUSER}/containers
-blacklist ${RUNUSER}/crun
-blacklist ${RUNUSER}/libpod
-blacklist ${RUNUSER}/runc
-blacklist ${RUNUSER}/toolbox
+deny  ${RUNUSER}/containers
+deny  ${RUNUSER}/crun
+deny  ${RUNUSER}/libpod
+deny  ${RUNUSER}/runc
+deny  ${RUNUSER}/toolbox
 
 # VeraCrypt
-blacklist ${HOME}/.VeraCrypt
-blacklist ${PATH}/veracrypt
-blacklist ${PATH}/veracrypt-uninstall.sh
-blacklist /usr/share/applications/veracrypt.*
-blacklist /usr/share/pixmaps/veracrypt.*
-blacklist /usr/share/veracrypt
+deny  ${HOME}/.VeraCrypt
+deny  ${PATH}/veracrypt
+deny  ${PATH}/veracrypt-uninstall.sh
+deny  /usr/share/applications/veracrypt.*
+deny  /usr/share/pixmaps/veracrypt.*
+deny  /usr/share/veracrypt
 
 # TrueCrypt
-blacklist ${HOME}/.TrueCrypt
-blacklist ${PATH}/truecrypt
-blacklist ${PATH}/truecrypt-uninstall.sh
-blacklist /usr/share/applications/truecrypt.*
-blacklist /usr/share/pixmaps/truecrypt.*
-blacklist /usr/share/truecrypt
+deny  ${HOME}/.TrueCrypt
+deny  ${PATH}/truecrypt
+deny  ${PATH}/truecrypt-uninstall.sh
+deny  /usr/share/applications/truecrypt.*
+deny  /usr/share/pixmaps/truecrypt.*
+deny  /usr/share/truecrypt
 
 # zuluCrypt
-blacklist ${HOME}/.zuluCrypt
-blacklist ${HOME}/.zuluCrypt-socket
-blacklist ${PATH}/zuluCrypt-cli
-blacklist ${PATH}/zuluMount-cli
+deny  ${HOME}/.zuluCrypt
+deny  ${HOME}/.zuluCrypt-socket
+deny  ${PATH}/zuluCrypt-cli
+deny  ${PATH}/zuluMount-cli
 
 # var
-blacklist /var/cache/apt
-blacklist /var/cache/pacman
-blacklist /var/lib/apt
-blacklist /var/lib/clamav
-blacklist /var/lib/dkms
-blacklist /var/lib/mysql/mysql.sock
-blacklist /var/lib/mysqld/mysql.sock
-blacklist /var/lib/pacman
-blacklist /var/lib/upower
+deny  /var/cache/apt
+deny  /var/cache/pacman
+deny  /var/lib/apt
+deny  /var/lib/clamav
+deny  /var/lib/dkms
+deny  /var/lib/mysql/mysql.sock
+deny  /var/lib/mysqld/mysql.sock
+deny  /var/lib/pacman
+deny  /var/lib/upower
 # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
 # every sandbox, unless --writable-var-log switch is activated
-blacklist /var/mail
-blacklist /var/opt
-blacklist /var/run/acpid.socket
-blacklist /var/run/docker.sock
-blacklist /var/run/minissdpd.sock
-blacklist /var/run/mysql/mysqld.sock
-blacklist /var/run/mysqld/mysqld.sock
-blacklist /var/run/rpcbind.sock
-blacklist /var/run/screens
-blacklist /var/spool/anacron
-blacklist /var/spool/cron
-blacklist /var/spool/mail
+deny  /var/mail
+deny  /var/opt
+deny  /var/run/acpid.socket
+deny  /var/run/docker.sock
+deny  /var/run/minissdpd.sock
+deny  /var/run/mysql/mysqld.sock
+deny  /var/run/mysqld/mysqld.sock
+deny  /var/run/rpcbind.sock
+deny  /var/run/screens
+deny  /var/spool/anacron
+deny  /var/spool/cron
+deny  /var/spool/mail
 
 # etc
-blacklist /etc/anacrontab
-blacklist /etc/cron*
-blacklist /etc/profile.d
-blacklist /etc/rc.local
+deny  /etc/anacrontab
+deny  /etc/cron*
+deny  /etc/profile.d
+deny  /etc/rc.local
 # rc1.d, rc2.d, ...
-blacklist /etc/rc?.d
-blacklist /etc/kernel*
-blacklist /etc/grub*
-blacklist /etc/dkms
-blacklist /etc/apparmor*
-blacklist /etc/selinux
-blacklist /etc/modules*
-blacklist /etc/logrotate*
-blacklist /etc/adduser.conf
+deny  /etc/rc?.d
+deny  /etc/kernel*
+deny  /etc/grub*
+deny  /etc/dkms
+deny  /etc/apparmor*
+deny  /etc/selinux
+deny  /etc/modules*
+deny  /etc/logrotate*
+deny  /etc/adduser.conf
+
+# hide config for various intrusion detection systems
+deny  /etc/rkhunter.conf
+deny  /var/lib/rkhunter
+deny  /etc/chkrootkit.conf
+deny  /etc/lynis
+deny  /etc/aide
+deny  /etc/logcheck
+deny  /etc/tripwire
+deny  /etc/snort
+deny  /etc/fail2ban.conf
+deny  /etc/suricata
 
 # Startup files
 read-only ${HOME}/.antigen
@@ -292,13 +307,13 @@ read-only ${HOME}/.zshrc
 read-only ${HOME}/.zshrc.local
 
 # Remote access
-blacklist ${HOME}/.rhosts
-blacklist ${HOME}/.shosts
-blacklist ${HOME}/.ssh/authorized_keys
-blacklist ${HOME}/.ssh/authorized_keys2
-blacklist ${HOME}/.ssh/environment
-blacklist ${HOME}/.ssh/rc
-blacklist /etc/hosts.equiv
+deny  ${HOME}/.rhosts
+deny  ${HOME}/.shosts
+deny  ${HOME}/.ssh/authorized_keys
+deny  ${HOME}/.ssh/authorized_keys2
+deny  ${HOME}/.ssh/environment
+deny  ${HOME}/.ssh/rc
+deny  /etc/hosts.equiv
 read-only ${HOME}/.ssh/config
 read-only ${HOME}/.ssh/config.d
 
@@ -359,200 +374,200 @@ read-only ${HOME}/.local/share/mime
 read-only ${HOME}/.local/share/thumbnailers
 
 # prevent access to ssh-agent
-blacklist /tmp/ssh-*
+deny  /tmp/ssh-*
 
 # top secret
-blacklist ${HOME}/*.kdb
-blacklist ${HOME}/*.kdbx
-blacklist ${HOME}/*.key
-blacklist ${HOME}/.Private
-blacklist ${HOME}/.caff
-blacklist ${HOME}/.cargo/credentials
-blacklist ${HOME}/.cargo/credentials.toml
-blacklist ${HOME}/.cert
-blacklist ${HOME}/.config/keybase
-blacklist ${HOME}/.davfs2/secrets
-blacklist ${HOME}/.ecryptfs
-blacklist ${HOME}/.fetchmailrc
-blacklist ${HOME}/.fscrypt
-blacklist ${HOME}/.git-credential-cache
-blacklist ${HOME}/.git-credentials
-blacklist ${HOME}/.gnome2/keyrings
-blacklist ${HOME}/.gnupg
-blacklist ${HOME}/.config/hub
-blacklist ${HOME}/.kde/share/apps/kwallet
-blacklist ${HOME}/.kde4/share/apps/kwallet
-blacklist ${HOME}/.local/share/keyrings
-blacklist ${HOME}/.local/share/kwalletd
-blacklist ${HOME}/.local/share/plasma-vault
-blacklist ${HOME}/.msmtprc
-blacklist ${HOME}/.mutt
-blacklist ${HOME}/.muttrc
-blacklist ${HOME}/.netrc
-blacklist ${HOME}/.nyx
-blacklist ${HOME}/.pki
-blacklist ${HOME}/.local/share/pki
-blacklist ${HOME}/.smbcredentials
-blacklist ${HOME}/.ssh
-blacklist ${HOME}/.vaults
-blacklist /.fscrypt
-blacklist /etc/davfs2/secrets
-blacklist /etc/group+
-blacklist /etc/group-
-blacklist /etc/gshadow
-blacklist /etc/gshadow+
-blacklist /etc/gshadow-
-blacklist /etc/passwd+
-blacklist /etc/passwd-
-blacklist /etc/shadow
-blacklist /etc/shadow+
-blacklist /etc/shadow-
-blacklist /etc/ssh
-blacklist /etc/ssh/*
-blacklist /home/.ecryptfs
-blacklist /home/.fscrypt
-blacklist /var/backup
+deny  ${HOME}/*.kdb
+deny  ${HOME}/*.kdbx
+deny  ${HOME}/*.key
+deny  ${HOME}/.Private
+deny  ${HOME}/.caff
+deny  ${HOME}/.cargo/credentials
+deny  ${HOME}/.cargo/credentials.toml
+deny  ${HOME}/.cert
+deny  ${HOME}/.config/keybase
+deny  ${HOME}/.davfs2/secrets
+deny  ${HOME}/.ecryptfs
+deny  ${HOME}/.fetchmailrc
+deny  ${HOME}/.fscrypt
+deny  ${HOME}/.git-credential-cache
+deny  ${HOME}/.git-credentials
+deny  ${HOME}/.gnome2/keyrings
+deny  ${HOME}/.gnupg
+deny  ${HOME}/.config/hub
+deny  ${HOME}/.kde/share/apps/kwallet
+deny  ${HOME}/.kde4/share/apps/kwallet
+deny  ${HOME}/.local/share/keyrings
+deny  ${HOME}/.local/share/kwalletd
+deny  ${HOME}/.local/share/plasma-vault
+deny  ${HOME}/.msmtprc
+deny  ${HOME}/.mutt
+deny  ${HOME}/.muttrc
+deny  ${HOME}/.netrc
+deny  ${HOME}/.nyx
+deny  ${HOME}/.pki
+deny  ${HOME}/.local/share/pki
+deny  ${HOME}/.smbcredentials
+deny  ${HOME}/.ssh
+deny  ${HOME}/.vaults
+deny  /.fscrypt
+deny  /etc/davfs2/secrets
+deny  /etc/group+
+deny  /etc/group-
+deny  /etc/gshadow
+deny  /etc/gshadow+
+deny  /etc/gshadow-
+deny  /etc/passwd+
+deny  /etc/passwd-
+deny  /etc/shadow
+deny  /etc/shadow+
+deny  /etc/shadow-
+deny  /etc/ssh
+deny  /etc/ssh/*
+deny  /home/.ecryptfs
+deny  /home/.fscrypt
+deny  /var/backup
 
 # cloud provider configuration
-blacklist ${HOME}/.aws
-blacklist ${HOME}/.boto
-blacklist ${HOME}/.config/gcloud
-blacklist ${HOME}/.kube
-blacklist ${HOME}/.passwd-s3fs
-blacklist ${HOME}/.s3cmd
-blacklist /etc/boto.cfg
+deny  ${HOME}/.aws
+deny  ${HOME}/.boto
+deny  ${HOME}/.config/gcloud
+deny  ${HOME}/.kube
+deny  ${HOME}/.passwd-s3fs
+deny  ${HOME}/.s3cmd
+deny  /etc/boto.cfg
 
 # system directories
-blacklist /sbin
-blacklist /usr/local/sbin
-blacklist /usr/sbin
+deny  /sbin
+deny  /usr/local/sbin
+deny  /usr/sbin
 
 # system management
-blacklist ${PATH}/at
-blacklist ${PATH}/busybox
-blacklist ${PATH}/chage
-blacklist ${PATH}/chfn
-blacklist ${PATH}/chsh
-blacklist ${PATH}/crontab
-blacklist ${PATH}/evtest
-blacklist ${PATH}/expiry
-blacklist ${PATH}/fusermount
-blacklist ${PATH}/gksu
-blacklist ${PATH}/gksudo
-blacklist ${PATH}/gpasswd
-blacklist ${PATH}/kdesudo
-blacklist ${PATH}/ksu
-blacklist ${PATH}/mount
-blacklist ${PATH}/mount.ecryptfs_private
-blacklist ${PATH}/nc
-blacklist ${PATH}/ncat
-blacklist ${PATH}/nmap
-blacklist ${PATH}/newgidmap
-blacklist ${PATH}/newgrp
-blacklist ${PATH}/newuidmap
-blacklist ${PATH}/ntfs-3g
-blacklist ${PATH}/pkexec
-blacklist ${PATH}/procmail
-blacklist ${PATH}/sg
-blacklist ${PATH}/strace
-blacklist ${PATH}/su
-blacklist ${PATH}/sudo
-blacklist ${PATH}/tcpdump
-blacklist ${PATH}/umount
-blacklist ${PATH}/unix_chkpwd
-blacklist ${PATH}/xev
-blacklist ${PATH}/xinput
+deny  ${PATH}/at
+deny  ${PATH}/busybox
+deny  ${PATH}/chage
+deny  ${PATH}/chfn
+deny  ${PATH}/chsh
+deny  ${PATH}/crontab
+deny  ${PATH}/evtest
+deny  ${PATH}/expiry
+deny  ${PATH}/fusermount
+deny  ${PATH}/gksu
+deny  ${PATH}/gksudo
+deny  ${PATH}/gpasswd
+deny  ${PATH}/kdesudo
+deny  ${PATH}/ksu
+deny  ${PATH}/mount
+deny  ${PATH}/mount.ecryptfs_private
+deny  ${PATH}/nc
+deny  ${PATH}/ncat
+deny  ${PATH}/nmap
+deny  ${PATH}/newgidmap
+deny  ${PATH}/newgrp
+deny  ${PATH}/newuidmap
+deny  ${PATH}/ntfs-3g
+deny  ${PATH}/pkexec
+deny  ${PATH}/procmail
+deny  ${PATH}/sg
+deny  ${PATH}/strace
+deny  ${PATH}/su
+deny  ${PATH}/sudo
+deny  ${PATH}/tcpdump
+deny  ${PATH}/umount
+deny  ${PATH}/unix_chkpwd
+deny  ${PATH}/xev
+deny  ${PATH}/xinput
 
 # other SUID binaries
-blacklist /usr/lib/virtualbox
-blacklist /usr/lib64/virtualbox
+deny  /usr/lib/virtualbox
+deny  /usr/lib64/virtualbox
 
 # prevent lxterminal connecting to an existing lxterminal session
-blacklist /tmp/.lxterminal-socket*
+deny  /tmp/.lxterminal-socket*
 # prevent tmux connecting to an existing session
-blacklist /tmp/tmux-*
+deny  /tmp/tmux-*
 
 # disable terminals running as server resulting in sandbox escape
-blacklist ${PATH}/lxterminal
-blacklist ${PATH}/gnome-terminal
-blacklist ${PATH}/gnome-terminal.wrapper
-blacklist ${PATH}/lilyterm
-blacklist ${PATH}/mate-terminal
-blacklist ${PATH}/mate-terminal.wrapper
-blacklist ${PATH}/pantheon-terminal
-blacklist ${PATH}/roxterm
-blacklist ${PATH}/roxterm-config
-blacklist ${PATH}/terminix
-blacklist ${PATH}/tilix
-blacklist ${PATH}/urxvtc
-blacklist ${PATH}/urxvtcd
-blacklist ${PATH}/xfce4-terminal
-blacklist ${PATH}/xfce4-terminal.wrapper
+deny  ${PATH}/lxterminal
+deny  ${PATH}/gnome-terminal
+deny  ${PATH}/gnome-terminal.wrapper
+deny  ${PATH}/lilyterm
+deny  ${PATH}/mate-terminal
+deny  ${PATH}/mate-terminal.wrapper
+deny  ${PATH}/pantheon-terminal
+deny  ${PATH}/roxterm
+deny  ${PATH}/roxterm-config
+deny  ${PATH}/terminix
+deny  ${PATH}/tilix
+deny  ${PATH}/urxvtc
+deny  ${PATH}/urxvtcd
+deny  ${PATH}/xfce4-terminal
+deny  ${PATH}/xfce4-terminal.wrapper
 # blacklist ${PATH}/konsole
 # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
 
 # kernel files
-blacklist /initrd*
-blacklist /vmlinuz*
+deny  /initrd*
+deny  /vmlinuz*
 
 # snapshot files
-blacklist /.snapshots
+deny  /.snapshots
 
 # flatpak
-blacklist ${HOME}/.cache/flatpak
-blacklist ${HOME}/.config/flatpak
-noblacklist ${HOME}/.local/share/flatpak/exports
+deny  ${HOME}/.cache/flatpak
+deny  ${HOME}/.config/flatpak
+nodeny  ${HOME}/.local/share/flatpak/exports
 read-only ${HOME}/.local/share/flatpak/exports
-blacklist ${HOME}/.local/share/flatpak/*
-blacklist ${HOME}/.var
-blacklist ${RUNUSER}/app
-blacklist ${RUNUSER}/doc
-blacklist ${RUNUSER}/.dbus-proxy
-blacklist ${RUNUSER}/.flatpak
-blacklist ${RUNUSER}/.flatpak-cache
-blacklist ${RUNUSER}/.flatpak-helper
-blacklist /usr/share/flatpak
-noblacklist /var/lib/flatpak/exports
-blacklist /var/lib/flatpak/*
+deny  ${HOME}/.local/share/flatpak/*
+deny  ${HOME}/.var
+deny  ${RUNUSER}/app
+deny  ${RUNUSER}/doc
+deny  ${RUNUSER}/.dbus-proxy
+deny  ${RUNUSER}/.flatpak
+deny  ${RUNUSER}/.flatpak-cache
+deny  ${RUNUSER}/.flatpak-helper
+deny  /usr/share/flatpak
+nodeny  /var/lib/flatpak/exports
+deny  /var/lib/flatpak/*
 # most of the time bwrap is SUID binary
-blacklist ${PATH}/bwrap
+deny  ${PATH}/bwrap
 
 # snap
-blacklist ${RUNUSER}/snapd-session-agent.socket
+deny  ${RUNUSER}/snapd-session-agent.socket
 
 # mail directories used by mutt
-blacklist ${HOME}/.Mail
-blacklist ${HOME}/.mail
-blacklist ${HOME}/.signature
-blacklist ${HOME}/Mail
-blacklist ${HOME}/mail
-blacklist ${HOME}/postponed
-blacklist ${HOME}/sent
+deny  ${HOME}/.Mail
+deny  ${HOME}/.mail
+deny  ${HOME}/.signature
+deny  ${HOME}/Mail
+deny  ${HOME}/mail
+deny  ${HOME}/postponed
+deny  ${HOME}/sent
 
 # kernel configuration
-blacklist /proc/config.gz
+deny  /proc/config.gz
 
 # prevent DNS malware attempting to communicate with the server
 # using regular DNS tools
-blacklist ${PATH}/dig
-blacklist ${PATH}/dlint
-blacklist ${PATH}/dns2tcp
-blacklist ${PATH}/dnssec-*
-blacklist ${PATH}/dnswalk
-blacklist ${PATH}/drill
-blacklist ${PATH}/host
-blacklist ${PATH}/iodine
-blacklist ${PATH}/kdig
-blacklist ${PATH}/khost
-blacklist ${PATH}/knsupdate
-blacklist ${PATH}/ldns-*
-blacklist ${PATH}/ldnsd
-blacklist ${PATH}/nslookup
-blacklist ${PATH}/resolvectl
-blacklist ${PATH}/unbound-host
+deny  ${PATH}/dig
+deny  ${PATH}/dlint
+deny  ${PATH}/dns2tcp
+deny  ${PATH}/dnssec-*
+deny  ${PATH}/dnswalk
+deny  ${PATH}/drill
+deny  ${PATH}/host
+deny  ${PATH}/iodine
+deny  ${PATH}/kdig
+deny  ${PATH}/khost
+deny  ${PATH}/knsupdate
+deny  ${PATH}/ldns-*
+deny  ${PATH}/ldnsd
+deny  ${PATH}/nslookup
+deny  ${PATH}/resolvectl
+deny  ${PATH}/unbound-host
 
 # rest of ${RUNUSER}
-blacklist ${RUNUSER}/*.lock
-blacklist ${RUNUSER}/inaccessible
-blacklist ${RUNUSER}/pk-debconf-socket
-blacklist ${RUNUSER}/update-notifier.pid
+deny  ${RUNUSER}/*.lock
+deny  ${RUNUSER}/inaccessible
+deny  ${RUNUSER}/pk-debconf-socket
+deny  ${RUNUSER}/update-notifier.pid
diff --git a/etc/inc/disable-devel.inc b/etc/inc/disable-devel.inc
index e74b1b40b..a893eb3f3 100644
--- a/etc/inc/disable-devel.inc
+++ b/etc/inc/disable-devel.inc
@@ -5,65 +5,65 @@ include disable-devel.local
 # development tools
 
 # clang/llvm
-blacklist ${PATH}/clang*
-blacklist ${PATH}/lldb*
-blacklist ${PATH}/llvm*
+deny  ${PATH}/clang*
+deny  ${PATH}/lldb*
+deny  ${PATH}/llvm*
 # see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU
 # blacklist /usr/lib/llvm*
 
 # GCC
-blacklist ${PATH}/as
-blacklist ${PATH}/cc
-blacklist ${PATH}/c++*
-blacklist ${PATH}/c8*
-blacklist ${PATH}/c9*
-blacklist ${PATH}/cpp*
-blacklist ${PATH}/g++*
-blacklist ${PATH}/gcc*
-blacklist ${PATH}/gdb
-blacklist ${PATH}/ld
-blacklist ${PATH}/*-gcc*
-blacklist ${PATH}/*-g++*
-blacklist ${PATH}/*-gcc*
-blacklist ${PATH}/*-g++*
+deny  ${PATH}/as
+deny  ${PATH}/cc
+deny  ${PATH}/c++*
+deny  ${PATH}/c8*
+deny  ${PATH}/c9*
+deny  ${PATH}/cpp*
+deny  ${PATH}/g++*
+deny  ${PATH}/gcc*
+deny  ${PATH}/gdb
+deny  ${PATH}/ld
+deny  ${PATH}/*-gcc*
+deny  ${PATH}/*-g++*
+deny  ${PATH}/*-gcc*
+deny  ${PATH}/*-g++*
 # seems to create problems on Gentoo
 #blacklist /usr/lib/gcc
 
 #Go
-blacklist ${PATH}/gccgo
-blacklist ${PATH}/go
-blacklist ${PATH}/gofmt
+deny  ${PATH}/gccgo
+deny  ${PATH}/go
+deny  ${PATH}/gofmt
 
 # Java
-blacklist ${PATH}/java
-blacklist ${PATH}/javac
-blacklist /etc/java
-blacklist /usr/lib/java
-blacklist /usr/share/java
+deny  ${PATH}/java
+deny  ${PATH}/javac
+deny  /etc/java
+deny  /usr/lib/java
+deny  /usr/share/java
 
 #OpenSSL
-blacklist ${PATH}/openssl
-blacklist ${PATH}/openssl-1.0
+deny  ${PATH}/openssl
+deny  ${PATH}/openssl-1.0
 
 #Rust
-blacklist ${PATH}/rust-gdb
-blacklist ${PATH}/rust-lldb
-blacklist ${PATH}/rustc
-blacklist ${HOME}/.rustup
+deny  ${PATH}/rust-gdb
+deny  ${PATH}/rust-lldb
+deny  ${PATH}/rustc
+deny  ${HOME}/.rustup
 
 # tcc - Tiny C Compiler
-blacklist ${PATH}/tcc
-blacklist ${PATH}/x86_64-tcc
-blacklist /usr/lib/tcc
+deny  ${PATH}/tcc
+deny  ${PATH}/x86_64-tcc
+deny  /usr/lib/tcc
 
 # Valgrind
-blacklist ${PATH}/valgrind*
-blacklist /usr/lib/valgrind
+deny  ${PATH}/valgrind*
+deny  /usr/lib/valgrind
 
 
 # Source-Code
 
-blacklist /usr/src
-blacklist /usr/local/src
-blacklist /usr/include
-blacklist /usr/local/include
+deny  /usr/src
+deny  /usr/local/src
+deny  /usr/include
+deny  /usr/local/include
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
index 5d8a236fb..c77d9a490 100644
--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -3,66 +3,66 @@
 include disable-interpreters.local
 
 # gjs
-blacklist ${PATH}/gjs
-blacklist ${PATH}/gjs-console
-blacklist /usr/lib/gjs
-blacklist /usr/lib/libgjs*
-blacklist /usr/lib64/gjs
-blacklist /usr/lib64/libgjs*
+deny  ${PATH}/gjs
+deny  ${PATH}/gjs-console
+deny  /usr/lib/gjs
+deny  /usr/lib/libgjs*
+deny  /usr/lib64/gjs
+deny  /usr/lib64/libgjs*
 
 # Lua
-blacklist ${PATH}/lua*
-blacklist /usr/include/lua*
-blacklist /usr/lib/liblua*
-blacklist /usr/lib/lua
-blacklist /usr/lib64/liblua*
-blacklist /usr/lib64/lua
-blacklist /usr/share/lua*
+deny  ${PATH}/lua*
+deny  /usr/include/lua*
+deny  /usr/lib/liblua*
+deny  /usr/lib/lua
+deny  /usr/lib64/liblua*
+deny  /usr/lib64/lua
+deny  /usr/share/lua*
 
 # mozjs
-blacklist /usr/lib/libmozjs-*
-blacklist /usr/lib64/libmozjs-*
+deny  /usr/lib/libmozjs-*
+deny  /usr/lib64/libmozjs-*
 
 # Node.js
-blacklist ${PATH}/node
-blacklist /usr/include/node
+deny  ${PATH}/node
+deny  /usr/include/node
 
 # nvm
-blacklist ${HOME}/.nvm
+deny  ${HOME}/.nvm
 
 # Perl
-blacklist ${PATH}/core_perl
-blacklist ${PATH}/cpan*
-blacklist ${PATH}/perl
-blacklist ${PATH}/site_perl
-blacklist ${PATH}/vendor_perl
-blacklist /usr/lib/perl*
-blacklist /usr/lib64/perl*
-blacklist /usr/share/perl*
+deny  ${PATH}/core_perl
+deny  ${PATH}/cpan*
+deny  ${PATH}/perl
+deny  ${PATH}/site_perl
+deny  ${PATH}/vendor_perl
+deny  /usr/lib/perl*
+deny  /usr/lib64/perl*
+deny  /usr/share/perl*
 
 # PHP
-blacklist ${PATH}/php*
-blacklist /usr/lib/php*
-blacklist /usr/share/php*
+deny  ${PATH}/php*
+deny  /usr/lib/php*
+deny  /usr/share/php*
 
 # Ruby
-blacklist ${PATH}/ruby
-blacklist /usr/lib/ruby
+deny  ${PATH}/ruby
+deny  /usr/lib/ruby
 
 # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
 # Python 2
-blacklist ${PATH}/python2*
-blacklist /usr/include/python2*
-blacklist /usr/lib/python2*
-blacklist /usr/local/lib/python2*
-blacklist /usr/share/python2*
+deny  ${PATH}/python2*
+deny  /usr/include/python2*
+deny  /usr/lib/python2*
+deny  /usr/local/lib/python2*
+deny  /usr/share/python2*
 
 # You will want to add noblacklist for python3 stuff in the firefox and/or chromium profiles if you use the Gnome connector (see Issue #2026)
 
 # Python 3
-blacklist ${PATH}/python3*
-blacklist /usr/include/python3*
-blacklist /usr/lib/python3*
-blacklist /usr/lib64/python3*
-blacklist /usr/local/lib/python3*
-blacklist /usr/share/python3*
+deny  ${PATH}/python3*
+deny  /usr/include/python3*
+deny  /usr/lib/python3*
+deny  /usr/lib64/python3*
+deny  /usr/local/lib/python3*
+deny  /usr/share/python3*
diff --git a/etc/inc/disable-passwdmgr.inc b/etc/inc/disable-passwdmgr.inc
index 3ed9a1b14..0a61bc46f 100644
--- a/etc/inc/disable-passwdmgr.inc
+++ b/etc/inc/disable-passwdmgr.inc
@@ -2,18 +2,18 @@
 # Persistent customizations should go in a .local file.
 include disable-passwdmgr.local
 
-blacklist ${HOME}/.config/Bitwarden
-blacklist ${HOME}/.config/KeePass
-blacklist ${HOME}/.config/keepass
-blacklist ${HOME}/.config/keepassx
-blacklist ${HOME}/.config/keepassxc
-blacklist ${HOME}/.config/KeePassXCrc
-blacklist ${HOME}/.config/Sinew Software Systems
-blacklist ${HOME}/.fpm
-blacklist ${HOME}/.keepass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.keepassxc
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.local/share/KeePass
-blacklist ${HOME}/.local/share/keepass
-blacklist ${HOME}/.password-store
+deny  ${HOME}/.config/Bitwarden
+deny  ${HOME}/.config/KeePass
+deny  ${HOME}/.config/keepass
+deny  ${HOME}/.config/keepassx
+deny  ${HOME}/.config/keepassxc
+deny  ${HOME}/.config/KeePassXCrc
+deny  ${HOME}/.config/Sinew Software Systems
+deny  ${HOME}/.fpm
+deny  ${HOME}/.keepass
+deny  ${HOME}/.keepassx
+deny  ${HOME}/.keepassxc
+deny  ${HOME}/.lastpass
+deny  ${HOME}/.local/share/KeePass
+deny  ${HOME}/.local/share/keepass
+deny  ${HOME}/.password-store
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 0e575e5eb..7b5bd0387 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -2,1094 +2,1105 @@
 # Persistent customizations should go in a .local file.
 include disable-programs.local
 
-blacklist ${HOME}/Arduino
-blacklist ${HOME}/i2p
-blacklist ${HOME}/Monero/wallets
-blacklist ${HOME}/Nextcloud
-blacklist ${HOME}/Nextcloud/Notes
-blacklist ${HOME}/SoftMaker
-blacklist ${HOME}/Standard Notes Backups
-blacklist ${HOME}/TeamSpeak3-Client-linux_x86
-blacklist ${HOME}/TeamSpeak3-Client-linux_amd64
-blacklist ${HOME}/hyperrogue.ini
-blacklist ${HOME}/mps
-blacklist ${HOME}/wallet.dat
-blacklist ${HOME}/.*coin
-blacklist ${HOME}/.8pecxstudios
-blacklist ${HOME}/.AndroidStudio*
-blacklist ${HOME}/.Atom
-blacklist ${HOME}/.CLion*
-blacklist ${HOME}/.FBReader
-blacklist ${HOME}/.FontForge
-blacklist ${HOME}/.IdeaIC*
-blacklist ${HOME}/.LuminanceHDR
-blacklist ${HOME}/.Mathematica
-blacklist ${HOME}/.Natron
-blacklist ${HOME}/.PlayOnLinux
-blacklist ${HOME}/.PyCharm*
-blacklist ${HOME}/.Sayonara
-blacklist ${HOME}/.Steam
-blacklist ${HOME}/.Steampath
-blacklist ${HOME}/.Steampid
-blacklist ${HOME}/.TelegramDesktop
-blacklist ${HOME}/.VSCodium
-blacklist ${HOME}/.ViberPC
-blacklist ${HOME}/.VirtualBox
-blacklist ${HOME}/.WebStorm*
-blacklist ${HOME}/.Wolfram Research
-blacklist ${HOME}/.ZAP
-blacklist ${HOME}/.abook
-blacklist ${HOME}/.addressbook
-blacklist ${HOME}/.alpine-smime
-blacklist ${HOME}/.aMule
-blacklist ${HOME}/.android
-blacklist ${HOME}/.anydesk
-blacklist ${HOME}/.arduino15
-blacklist ${HOME}/.aria2
-blacklist ${HOME}/.arm
-blacklist ${HOME}/.asunder_album_artist
-blacklist ${HOME}/.asunder_album_genre
-blacklist ${HOME}/.asunder_album_title
-blacklist ${HOME}/.atom
-blacklist ${HOME}/.attic
-blacklist ${HOME}/.audacity-data
-blacklist ${HOME}/.avidemux6
-blacklist ${HOME}/.ballbuster.hs
-blacklist ${HOME}/.balsa
-blacklist ${HOME}/.bcast5
-blacklist ${HOME}/.bibletime
-blacklist ${HOME}/.bitcoin
-blacklist ${HOME}/.blobby
-blacklist ${HOME}/.bogofilter
-blacklist ${HOME}/.bzf
-blacklist ${HOME}/.cargo/*
-blacklist ${HOME}/.claws-mail
-blacklist ${HOME}/.cliqz
-blacklist ${HOME}/.clonk
-blacklist ${HOME}/.config/0ad
-blacklist ${HOME}/.config/2048-qt
-blacklist ${HOME}/.config/Atom
-blacklist ${HOME}/.config/Audaciousrc
-blacklist ${HOME}/.config/Authenticator
-blacklist ${HOME}/.config/Beaker Browser
-blacklist ${HOME}/.config/Bitcoin
-blacklist ${HOME}/.config/Bitwarden
-blacklist ${HOME}/.config/Brackets
-blacklist ${HOME}/.config/BraveSoftware
-blacklist ${HOME}/.config/Clementine
-blacklist ${HOME}/.config/Code
-blacklist ${HOME}/.config/Code - OSS
-blacklist ${HOME}/.config/Code Industry
-blacklist ${HOME}/.config/Cryptocat
-blacklist ${HOME}/.config/Debauchee/Barrier.conf
-blacklist ${HOME}/.config/Dharkael
-blacklist ${HOME}/.config/Element
-blacklist ${HOME}/.config/Element (Riot)
-blacklist ${HOME}/.config/ENCOM
-blacklist ${HOME}/.config/Enox
-blacklist ${HOME}/.config/Epic
-blacklist ${HOME}/.config/Ferdi
-blacklist ${HOME}/.config/Flavio Tordini
-blacklist ${HOME}/.config/Franz
-blacklist ${HOME}/.config/FreeCAD
-blacklist ${HOME}/.config/FreeTube
-blacklist ${HOME}/.config/Fritzing
-blacklist ${HOME}/.config/GIMP
-blacklist ${HOME}/.config/GitHub Desktop
-blacklist ${HOME}/.config/Gitter
-blacklist ${HOME}/.config/Google
-blacklist ${HOME}/.config/Google Play Music Desktop Player
-blacklist ${HOME}/.config/Gpredict
-blacklist ${HOME}/.config/INRIA
-blacklist ${HOME}/.config/InSilmaril
-blacklist ${HOME}/.config/Jitsi Meet
-blacklist ${HOME}/.config/KDE/neochat
-blacklist ${HOME}/.config/Kid3
-blacklist ${HOME}/.config/Kingsoft
-blacklist ${HOME}/.config/LibreCAD
-blacklist ${HOME}/.config/Loop_Hero
-blacklist ${HOME}/.config/Luminance
-blacklist ${HOME}/.config/LyX
-blacklist ${HOME}/.config/Mattermost
-blacklist ${HOME}/.config/Meltytech
-blacklist ${HOME}/.config/Mendeley Ltd.
-blacklist ${HOME}/.config/Min
-blacklist ${HOME}/.config/ModTheSpire
-blacklist ${HOME}/.config/Mousepad
-blacklist ${HOME}/.config/Mumble
-blacklist ${HOME}/.config/MusE
-blacklist ${HOME}/.config/MuseScore
-blacklist ${HOME}/.config/MusicBrainz
-blacklist ${HOME}/.config/Nathan Osman
-blacklist ${HOME}/.config/Nextcloud
-blacklist ${HOME}/.config/Nylas Mail
-blacklist ${HOME}/.config/PacmanLogViewer
-blacklist ${HOME}/.config/PawelStolowski
-blacklist ${HOME}/.config/PBE
-blacklist ${HOME}/.config/Philipp Schmieder
-blacklist ${HOME}/.config/QGIS
-blacklist ${HOME}/.config/QMediathekView
-blacklist ${HOME}/.config/Qlipper
-blacklist ${HOME}/.config/QuiteRss
-blacklist ${HOME}/.config/QuiteRssrc
-blacklist ${HOME}/.config/Quotient
-blacklist ${HOME}/.config/Rambox
-blacklist ${HOME}/.config/Riot
-blacklist ${HOME}/.config/Rocket.Chat
-blacklist ${HOME}/.config/RogueLegacy
-blacklist ${HOME}/.config/RogueLegacyStorageContainer
-blacklist ${HOME}/.config/Signal
-blacklist ${HOME}/.config/Sinew Software Systems
-blacklist ${HOME}/.config/Slack
-blacklist ${HOME}/.config/Standard Notes
-blacklist ${HOME}/.config/SubDownloader
-blacklist ${HOME}/.config/Thunar
-blacklist ${HOME}/.config/Twitch
-blacklist ${HOME}/.config/Unknown Organization
-blacklist ${HOME}/.config/VirtualBox
-blacklist ${HOME}/.config/Wire
-blacklist ${HOME}/.config/Youtube
-blacklist ${HOME}/.config/Zeal
-blacklist ${HOME}/.config/ZeGrapher Project
-blacklist ${HOME}/.config/aacs
-blacklist ${HOME}/.config/abiword
-blacklist ${HOME}/.config/agenda
-blacklist ${HOME}/.config/akonadi*
-blacklist ${HOME}/.config/akregatorrc
-blacklist ${HOME}/.config/alacritty
-blacklist ${HOME}/.config/ardour4
-blacklist ${HOME}/.config/ardour5
-blacklist ${HOME}/.config/aria2
-blacklist ${HOME}/.config/arkrc
-blacklist ${HOME}/.config/artha.conf
-blacklist ${HOME}/.config/artha.log
-blacklist ${HOME}/.config/asunder
-blacklist ${HOME}/.config/atril
-blacklist ${HOME}/.config/audacious
-blacklist ${HOME}/.config/autokey
-blacklist ${HOME}/.config/avidemux3_qt5rc
-blacklist ${HOME}/.config/aweather
-blacklist ${HOME}/.config/backintime
-blacklist ${HOME}/.config/baloofilerc
-blacklist ${HOME}/.config/baloorc
-blacklist ${HOME}/.config/bcompare
-blacklist ${HOME}/.config/blender
-blacklist ${HOME}/.config/bless
-blacklist ${HOME}/.config/bnox
-blacklist ${HOME}/.config/borg
-blacklist ${HOME}/.config/brasero
-blacklist ${HOME}/.config/brave
-blacklist ${HOME}/.config/brave-flags.conf
-blacklist ${HOME}/.config/caja
-blacklist ${HOME}/.config/calibre
-blacklist ${HOME}/.config/cantata
-blacklist ${HOME}/.config/catfish
-blacklist ${HOME}/.config/cawbird
-blacklist ${HOME}/.config/celluloid
-blacklist ${HOME}/.config/cherrytree
-blacklist ${HOME}/.config/chrome-beta-flags.conf
-blacklist ${HOME}/.config/chrome-beta-flags.config
-blacklist ${HOME}/.config/chrome-flags.conf
-blacklist ${HOME}/.config/chrome-flags.config
-blacklist ${HOME}/.config/chrome-unstable-flags.conf
-blacklist ${HOME}/.config/chrome-unstable-flags.config
-blacklist ${HOME}/.config/chromium
-blacklist ${HOME}/.config/chromium-dev
-blacklist ${HOME}/.config/chromium-flags.conf
-blacklist ${HOME}/.config/clipit
-blacklist ${HOME}/.config/cliqz
-blacklist ${HOME}/.config/cmus
-blacklist ${HOME}/.config/com.github.bleakgrey.tootle
-blacklist ${HOME}/.config/corebird
-blacklist ${HOME}/.config/cower
-blacklist ${HOME}/.config/coyim
-blacklist ${HOME}/.config/darktable
-blacklist ${HOME}/.config/deadbeef
-blacklist ${HOME}/.config/deluge
-blacklist ${HOME}/.config/devilspie2
-blacklist ${HOME}/.config/digikam
-blacklist ${HOME}/.config/digikamrc
-blacklist ${HOME}/.config/discord
-blacklist ${HOME}/.config/discordcanary
-blacklist ${HOME}/.config/dkl
-blacklist ${HOME}/.config/dnox
-blacklist ${HOME}/.config/dolphin-emu
-blacklist ${HOME}/.config/dolphinrc
-blacklist ${HOME}/.config/dragonplayerrc
-blacklist ${HOME}/.config/draw.io
-blacklist ${HOME}/.config/d-feet
-blacklist ${HOME}/.config/electron-mail
-blacklist ${HOME}/.config/emaildefaults
-blacklist ${HOME}/.config/emailidentities
-blacklist ${HOME}/.config/emilia
-blacklist ${HOME}/.config/enchant
-blacklist ${HOME}/.config/eog
-blacklist ${HOME}/.config/epiphany
-blacklist ${HOME}/.config/equalx
-blacklist ${HOME}/.config/evince
-blacklist ${HOME}/.config/evolution
-blacklist ${HOME}/.config/falkon
-blacklist ${HOME}/.config/filezilla
-blacklist ${HOME}/.config/flameshot
-blacklist ${HOME}/.config/flaska.net
-blacklist ${HOME}/.config/flowblade
-blacklist ${HOME}/.config/font-manager
-blacklist ${HOME}/.config/freecol
-blacklist ${HOME}/.config/gajim
-blacklist ${HOME}/.config/galculator
-blacklist ${HOME}/.config/gconf
-blacklist ${HOME}/.config/geany
-blacklist ${HOME}/.config/geary
-blacklist ${HOME}/.config/gedit
-blacklist ${HOME}/.config/geeqie
-blacklist ${HOME}/.config/ghb
-blacklist ${HOME}/.config/ghostwriter
-blacklist ${HOME}/.config/git
-blacklist ${HOME}/.config/git-cola
-blacklist ${HOME}/.config/glade.conf
-blacklist ${HOME}/.config/globaltime
-blacklist ${HOME}/.config/gmpc
-blacklist ${HOME}/.config/gnome-builder
-blacklist ${HOME}/.config/gnome-chess
-blacklist ${HOME}/.config/gnome-control-center
-blacklist ${HOME}/.config/gnome-initial-setup-done
-blacklist ${HOME}/.config/gnome-latex
-blacklist ${HOME}/.config/gnome-mplayer
-blacklist ${HOME}/.config/gnome-mpv
-blacklist ${HOME}/.config/gnome-pie
-blacklist ${HOME}/.config/gnome-session
-blacklist ${HOME}/.config/gnote
-blacklist ${HOME}/.config/godot
-blacklist ${HOME}/.config/google-chrome
-blacklist ${HOME}/.config/google-chrome-beta
-blacklist ${HOME}/.config/google-chrome-unstable
-blacklist ${HOME}/.config/gpicview
-blacklist ${HOME}/.config/gthumb
-blacklist ${HOME}/.config/gummi
-blacklist ${HOME}/.config/guvcview2
-blacklist ${HOME}/.config/gwenviewrc
-blacklist ${HOME}/.config/hexchat
-blacklist ${HOME}/.config/homebank
-blacklist ${HOME}/.config/i2p
-blacklist ${HOME}/.config/inkscape
-blacklist ${HOME}/.config/inox
-blacklist ${HOME}/.config/iridium
-blacklist ${HOME}/.config/itch
-blacklist ${HOME}/.config/jami
-blacklist ${HOME}/.config/jd-gui.cfg
-blacklist ${HOME}/.config/k3brc
-blacklist ${HOME}/.config/kaffeinerc
-blacklist ${HOME}/.config/kalgebrarc
-blacklist ${HOME}/.config/katemetainfos
-blacklist ${HOME}/.config/katepartrc
-blacklist ${HOME}/.config/katerc
-blacklist ${HOME}/.config/kateschemarc
-blacklist ${HOME}/.config/katesyntaxhighlightingrc
-blacklist ${HOME}/.config/katevirc
-blacklist ${HOME}/.config/kazam
-blacklist ${HOME}/.config/kdeconnect
-blacklist ${HOME}/.config/kdenliverc
-blacklist ${HOME}/.config/kdiff3fileitemactionrc
-blacklist ${HOME}/.config/kdiff3rc
-blacklist ${HOME}/.config/kfindrc
-blacklist ${HOME}/.config/kgetrc
-blacklist ${HOME}/.config/kid3rc
-blacklist ${HOME}/.config/klavaro
-blacklist ${HOME}/.config/klipperrc
-blacklist ${HOME}/.config/kmail2rc
-blacklist ${HOME}/.config/kmailsearchindexingrc
-blacklist ${HOME}/.config/kmplayerrc
-blacklist ${HOME}/.config/knotesrc
-blacklist ${HOME}/.config/konversationrc
-blacklist ${HOME}/.config/konversation.notifyrc
-blacklist ${HOME}/.config/kritarc
-blacklist ${HOME}/.config/ktorrentrc
-blacklist ${HOME}/.config/ktouch2rc
-blacklist ${HOME}/.config/kube
-blacklist ${HOME}/.config/kwriterc
-blacklist ${HOME}/.config/leafpad
-blacklist ${HOME}/.config/libreoffice
-blacklist ${HOME}/.config/liferea
-blacklist ${HOME}/.config/linphone
-blacklist ${HOME}/.config/lugaru
-blacklist ${HOME}/.config/lutris
-blacklist ${HOME}/.config/lximage-qt
-blacklist ${HOME}/.config/mailtransports
-blacklist ${HOME}/.config/mana
-blacklist ${HOME}/.config/mate-calc
-blacklist ${HOME}/.config/mate/eom
-blacklist ${HOME}/.config/mate/mate-dictionary
-blacklist ${HOME}/.config/matrix-mirage
-blacklist ${HOME}/.config/mcomix
-blacklist ${HOME}/.config/meld
-blacklist ${HOME}/.config/meteo-qt
-blacklist ${HOME}/.config/menulibre.cfg
-blacklist ${HOME}/.config/mfusion
-blacklist ${HOME}/.config/Microsoft
-blacklist ${HOME}/.config/microsoft-edge-dev
-blacklist ${HOME}/.config/midori
-blacklist ${HOME}/.config/mirage
-blacklist ${HOME}/.config/mono
-blacklist ${HOME}/.config/mpDris2
-blacklist ${HOME}/.config/mpd
-blacklist ${HOME}/.config/mps-youtube
-blacklist ${HOME}/.config/mpv
-blacklist ${HOME}/.config/mupen64plus
-blacklist ${HOME}/.config/mutt
-blacklist ${HOME}/.config/mutter
-blacklist ${HOME}/.config/mypaint
-blacklist ${HOME}/.config/nano
-blacklist ${HOME}/.config/nautilus
-blacklist ${HOME}/.config/nemo
-blacklist ${HOME}/.config/neochatrc
-blacklist ${HOME}/.config/neochat.notifyrc
-blacklist ${HOME}/.config/neomutt
-blacklist ${HOME}/.config/netsurf
-blacklist ${HOME}/.config/newsbeuter
-blacklist ${HOME}/.config/newsboat
-blacklist ${HOME}/.config/newsflash
-blacklist ${HOME}/.config/nheko
-blacklist ${HOME}/.config/NitroShare
-blacklist ${HOME}/.config/nomacs
-blacklist ${HOME}/.config/nuclear
-blacklist ${HOME}/.config/obs-studio
-blacklist ${HOME}/.config/okularpartrc
-blacklist ${HOME}/.config/okularrc
-blacklist ${HOME}/.config/onboard
-blacklist ${HOME}/.config/onionshare
-blacklist ${HOME}/.config/onlyoffice
-blacklist ${HOME}/.config/openmw
-blacklist ${HOME}/.config/opera
-blacklist ${HOME}/.config/opera-beta
-blacklist ${HOME}/.config/orage
-blacklist ${HOME}/.config/org.gabmus.gfeeds.json
-blacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
-blacklist ${HOME}/.config/org.kde.gwenviewrc
-blacklist ${HOME}/.config/otter
-blacklist ${HOME}/.config/pavucontrol-qt
-blacklist ${HOME}/.config/pavucontrol.ini
-blacklist ${HOME}/.config/pcmanfm
-blacklist ${HOME}/.config/pdfmod
-blacklist ${HOME}/.config/Pinta
-blacklist ${HOME}/.config/pipe-viewer
-blacklist ${HOME}/.config/pitivi
-blacklist ${HOME}/.config/pix
-blacklist ${HOME}/.config/pluma
-blacklist ${HOME}/.config/ppsspp
-blacklist ${HOME}/.config/pragha
-blacklist ${HOME}/.config/profanity
-blacklist ${HOME}/.config/psi
-blacklist ${HOME}/.config/psi+
-blacklist ${HOME}/.config/qBittorrent
-blacklist ${HOME}/.config/qBittorrentrc
-blacklist ${HOME}/.config/qnapi.ini
-blacklist ${HOME}/.config/qpdfview
-blacklist ${HOME}/.config/quodlibet
-blacklist ${HOME}/.config/qupzilla
-blacklist ${HOME}/.config/qutebrowser
-blacklist ${HOME}/.config/ranger
-blacklist ${HOME}/.config/redshift
-blacklist ${HOME}/.config/redshift.conf
-blacklist ${HOME}/.config/remmina
-blacklist ${HOME}/.config/ristretto
-blacklist ${HOME}/.config/rtv
-blacklist ${HOME}/.config/scribus
-blacklist ${HOME}/.config/scribusrc
-blacklist ${HOME}/.config/sinew.in
-blacklist ${HOME}/.config/sink
-blacklist ${HOME}/.config/skypeforlinux
-blacklist ${HOME}/.config/slimjet
-blacklist ${HOME}/.config/smplayer
-blacklist ${HOME}/.config/smtube
-blacklist ${HOME}/.config/smuxi
-blacklist ${HOME}/.config/snox
-blacklist ${HOME}/.config/sound-juicer
-blacklist ${HOME}/.config/specialmailcollectionsrc
-blacklist ${HOME}/.config/spectaclerc
-blacklist ${HOME}/.config/spotify
-blacklist ${HOME}/.config/sqlitebrowser
-blacklist ${HOME}/.config/stellarium
-blacklist ${HOME}/.config/strawberry
-blacklist ${HOME}/.config/straw-viewer
-blacklist ${HOME}/.config/supertuxkart
-blacklist ${HOME}/.config/synfig
-blacklist ${HOME}/.config/teams
-blacklist ${HOME}/.config/teams-for-linux
-blacklist ${HOME}/.config/telepathy-account-widgets
-blacklist ${HOME}/.config/torbrowser
-blacklist ${HOME}/.config/totem
-blacklist ${HOME}/.config/tox
-blacklist ${HOME}/.config/transgui
-blacklist ${HOME}/.config/transmission
-blacklist ${HOME}/.config/truecraft
-blacklist ${HOME}/.config/tuta_integration
-blacklist ${HOME}/.config/tutanota-desktop
-blacklist ${HOME}/.config/tvbrowser
-blacklist ${HOME}/.config/uGet
-blacklist ${HOME}/.config/ungoogled-chromium
-blacklist ${HOME}/.config/uzbl
-blacklist ${HOME}/.config/viewnior
-blacklist ${HOME}/.config/vivaldi
-blacklist ${HOME}/.config/vivaldi-snapshot
-blacklist ${HOME}/.config/vlc
-blacklist ${HOME}/.config/wesnoth
-blacklist ${HOME}/.config/wormux
-blacklist ${HOME}/.config/Whalebird
-blacklist ${HOME}/.config/wireshark
-blacklist ${HOME}/.config/xchat
-blacklist ${HOME}/.config/xed
-blacklist ${HOME}/.config/xfburn
-blacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc
-blacklist ${HOME}/.config/xfce4/xfce4-notes.rc
-blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
-blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
-blacklist ${HOME}/.config/xfce4-dict
-blacklist ${HOME}/.config/xiaoyong
-blacklist ${HOME}/.config/xmms2
-blacklist ${HOME}/.config/xplayer
-blacklist ${HOME}/.config/xreader
-blacklist ${HOME}/.config/xviewer
-blacklist ${HOME}/.config/yandex-browser
-blacklist ${HOME}/.config/yandex-browser-beta
-blacklist ${HOME}/.config/yelp
-blacklist ${HOME}/.config/youtube-dl
-blacklist ${HOME}/.config/youtube-dlg
-blacklist ${HOME}/.config/youtubemusic-nativefier-040164
-blacklist ${HOME}/.config/youtube-music-desktop-app
-blacklist ${HOME}/.config/youtube-viewer
-blacklist ${HOME}/.config/zathura
-blacklist ${HOME}/.config/zoomus.conf
-blacklist ${HOME}/.config/Zulip
-blacklist ${HOME}/.conkeror.mozdev.org
-blacklist ${HOME}/.crawl
-blacklist ${HOME}/.cups
-blacklist ${HOME}/.curl-hsts
-blacklist ${HOME}/.curlrc
-blacklist ${HOME}/.dashcore
-blacklist ${HOME}/.devilspie
-blacklist ${HOME}/.dia
-blacklist ${HOME}/.digrc
-blacklist ${HOME}/.dillo
-blacklist ${HOME}/.dooble
-blacklist ${HOME}/.dosbox
-blacklist ${HOME}/.dropbox*
-blacklist ${HOME}/.easystroke
-blacklist ${HOME}/.electron-cache
-blacklist ${HOME}/.electrum*
-blacklist ${HOME}/.elinks
-blacklist ${HOME}/.emacs
-blacklist ${HOME}/.emacs.d
-blacklist ${HOME}/.equalx
-blacklist ${HOME}/.ethereum
-blacklist ${HOME}/.etr
-blacklist ${HOME}/.filezilla
-blacklist ${HOME}/.firedragon
-blacklist ${HOME}/.flowblade
-blacklist ${HOME}/.fltk
-blacklist ${HOME}/.fossamail
-blacklist ${HOME}/.freeciv
-blacklist ${HOME}/.freecol
-blacklist ${HOME}/.freemind
-blacklist ${HOME}/.frogatto
-blacklist ${HOME}/.frozen-bubble
-blacklist ${HOME}/.funnyboat
-blacklist ${HOME}/.gimp*
-blacklist ${HOME}/.gist
-blacklist ${HOME}/.gitconfig
-blacklist ${HOME}/.gl-117
-blacklist ${HOME}/.glaxiumrc
-blacklist ${HOME}/.gnome/gnome-schedule
-blacklist ${HOME}/.googleearth
-blacklist ${HOME}/.gradle
-blacklist ${HOME}/.gramps
-blacklist ${HOME}/.guayadeque
-blacklist ${HOME}/.hashcat
-blacklist ${HOME}/.hex-a-hop
-blacklist ${HOME}/.hedgewars
-blacklist ${HOME}/.hugin
-blacklist ${HOME}/.i2p
-blacklist ${HOME}/.icedove
-blacklist ${HOME}/.imagej
-blacklist ${HOME}/.inkscape
-blacklist ${HOME}/.itch
-blacklist ${HOME}/.jack-server
-blacklist ${HOME}/.jack-settings
-blacklist ${HOME}/.jak
-blacklist ${HOME}/.java
-blacklist ${HOME}/.jd
-blacklist ${HOME}/.jitsi
-blacklist ${HOME}/.jumpnbump
-blacklist ${HOME}/.kde/share/apps/digikam
-blacklist ${HOME}/.kde/share/apps/gwenview
-blacklist ${HOME}/.kde/share/apps/kaffeine
-blacklist ${HOME}/.kde/share/apps/kcookiejar
-blacklist ${HOME}/.kde/share/apps/kget
-blacklist ${HOME}/.kde/share/apps/khtml
-blacklist ${HOME}/.kde/share/apps/klatexformula
-blacklist ${HOME}/.kde/share/apps/konqsidebartng
-blacklist ${HOME}/.kde/share/apps/konqueror
-blacklist ${HOME}/.kde/share/apps/kopete
-blacklist ${HOME}/.kde/share/apps/ktorrent
-blacklist ${HOME}/.kde/share/apps/okular
-blacklist ${HOME}/.kde/share/config/baloofilerc
-blacklist ${HOME}/.kde/share/config/baloorc
-blacklist ${HOME}/.kde/share/config/digikam
-blacklist ${HOME}/.kde/share/config/gwenviewrc
-blacklist ${HOME}/.kde/share/config/k3brc
-blacklist ${HOME}/.kde/share/config/kaffeinerc
-blacklist ${HOME}/.kde/share/config/kcookiejarrc
-blacklist ${HOME}/.kde/share/config/kfindrc
-blacklist ${HOME}/.kde/share/config/kgetrc
-blacklist ${HOME}/.kde/share/config/khtmlrc
-blacklist ${HOME}/.kde/share/config/klipperrc
-blacklist ${HOME}/.kde/share/config/kmplayerrc
-blacklist ${HOME}/.kde/share/config/konq_history
-blacklist ${HOME}/.kde/share/config/konqsidebartngrc
-blacklist ${HOME}/.kde/share/config/konquerorrc
-blacklist ${HOME}/.kde/share/config/konversationrc
-blacklist ${HOME}/.kde/share/config/kopeterc
-blacklist ${HOME}/.kde/share/config/ktorrentrc
-blacklist ${HOME}/.kde/share/config/okularpartrc
-blacklist ${HOME}/.kde/share/config/okularrc
-blacklist ${HOME}/.kde4/share/apps/digikam
-blacklist ${HOME}/.kde4/share/apps/gwenview
-blacklist ${HOME}/.kde4/share/apps/kaffeine
-blacklist ${HOME}/.kde4/share/apps/kcookiejar
-blacklist ${HOME}/.kde4/share/apps/kget
-blacklist ${HOME}/.kde4/share/apps/khtml
-blacklist ${HOME}/.kde4/share/apps/konqsidebartng
-blacklist ${HOME}/.kde4/share/apps/konqueror
-blacklist ${HOME}/.kde4/share/apps/kopete
-blacklist ${HOME}/.kde4/share/apps/ktorrent
-blacklist ${HOME}/.kde4/share/apps/okular
-blacklist ${HOME}/.kde4/share/config/baloofilerc
-blacklist ${HOME}/.kde4/share/config/baloorc
-blacklist ${HOME}/.kde4/share/config/digikam
-blacklist ${HOME}/.kde4/share/config/gwenviewrc
-blacklist ${HOME}/.kde4/share/config/k3brc
-blacklist ${HOME}/.kde4/share/config/kaffeinerc
-blacklist ${HOME}/.kde4/share/config/kcookiejarrc
-blacklist ${HOME}/.kde4/share/config/kfindrc
-blacklist ${HOME}/.kde4/share/config/kgetrc
-blacklist ${HOME}/.kde4/share/config/khtmlrc
-blacklist ${HOME}/.kde4/share/config/klipperrc
-blacklist ${HOME}/.kde4/share/config/konq_history
-blacklist ${HOME}/.kde4/share/config/konqsidebartngrc
-blacklist ${HOME}/.kde4/share/config/konquerorrc
-blacklist ${HOME}/.kde4/share/config/konversationrc
-blacklist ${HOME}/.kde4/share/config/kopeterc
-blacklist ${HOME}/.kde4/share/config/ktorrentrc
-blacklist ${HOME}/.kde4/share/config/okularpartrc
-blacklist ${HOME}/.kde4/share/config/okularrc
-blacklist ${HOME}/.killingfloor
-blacklist ${HOME}/.kingsoft
-blacklist ${HOME}/.kino-history
-blacklist ${HOME}/.kinorc
-blacklist ${HOME}/.klatexformula
-blacklist ${HOME}/.klei
-blacklist ${HOME}/.kodi
-blacklist ${HOME}/.librewolf
-blacklist ${HOME}/.lincity-ng
-blacklist ${HOME}/.links
-blacklist ${HOME}/.links2
-blacklist ${HOME}/.linphone-history.db
-blacklist ${HOME}/.linphonerc
-blacklist ${HOME}/.lmmsrc.xml
-blacklist ${HOME}/.local/lib/vivaldi
-blacklist ${HOME}/.local/share/0ad
-blacklist ${HOME}/.local/share/3909/PapersPlease
-blacklist ${HOME}/.local/share/Anki2
-blacklist ${HOME}/.local/share/Dredmor
-blacklist ${HOME}/.local/share/Empathy
-blacklist ${HOME}/.local/share/Enpass
-blacklist ${HOME}/.local/share/Flavio Tordini
-blacklist ${HOME}/.local/share/JetBrains
-blacklist ${HOME}/.local/share/KDE/neochat
-blacklist ${HOME}/.local/share/Kingsoft
-blacklist ${HOME}/.local/share/LibreCAD
-blacklist ${HOME}/.local/share/Mendeley Ltd.
-blacklist ${HOME}/.local/share/Mumble
-blacklist ${HOME}/.local/share/Nextcloud
-blacklist ${HOME}/.local/share/PBE
-blacklist ${HOME}/.local/share/PawelStolowski
-blacklist ${HOME}/.local/share/PillarsOfEternity
-blacklist ${HOME}/.local/share/Psi
-blacklist ${HOME}/.local/share/QGIS
-blacklist ${HOME}/.local/share/QMediathekView
-blacklist ${HOME}/.local/share/QuiteRss
-blacklist ${HOME}/.local/share/Ricochet
-blacklist ${HOME}/.local/share/RogueLegacy
-blacklist ${HOME}/.local/share/RogueLegacyStorageContainer
-blacklist ${HOME}/.local/share/Shortwave
-blacklist ${HOME}/.local/share/Steam
-blacklist ${HOME}/.local/share/SteamWorldDig
-blacklist ${HOME}/.local/share/SteamWorld Dig 2
-blacklist ${HOME}/.local/share/SuperHexagon
-blacklist ${HOME}/.local/share/TelegramDesktop
-blacklist ${HOME}/.local/share/Terraria
-blacklist ${HOME}/.local/share/TpLogger
-blacklist ${HOME}/.local/share/Zeal
-blacklist ${HOME}/.local/share/akonadi*
-blacklist ${HOME}/.local/share/akregator
-blacklist ${HOME}/.local/share/agenda
-blacklist ${HOME}/.local/share/apps/korganizer
-blacklist ${HOME}/.local/share/aspyr-media
-blacklist ${HOME}/.local/share/autokey
-blacklist ${HOME}/.local/share/authenticator-rs
-blacklist ${HOME}/.local/share/backintime
-blacklist ${HOME}/.local/share/baloo
-blacklist ${HOME}/.local/share/barrier
-blacklist ${HOME}/.local/share/bibletime
-blacklist ${HOME}/.local/share/bijiben
-blacklist ${HOME}/.local/share/bohemiainteractive
-blacklist ${HOME}/.local/share/caja-python
-blacklist ${HOME}/.local/share/calligragemini
-blacklist ${HOME}/.local/share/cantata
-blacklist ${HOME}/.local/share/cdprojektred
-blacklist ${HOME}/.local/share/clipit
-blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
-blacklist ${HOME}/.local/share/contacts
-blacklist ${HOME}/.local/share/cor-games
-blacklist ${HOME}/.local/share/data/Mendeley Ltd.
-blacklist ${HOME}/.local/share/data/Mumble
-blacklist ${HOME}/.local/share/data/MusE
-blacklist ${HOME}/.local/share/data/MuseScore
-blacklist ${HOME}/.local/share/data/nomacs
-blacklist ${HOME}/.local/share/data/qBittorrent
-blacklist ${HOME}/.local/share/dino
-blacklist ${HOME}/.local/share/dolphin
-blacklist ${HOME}/.local/share/dolphin-emu
-blacklist ${HOME}/.local/share/emailidentities
-blacklist ${HOME}/.local/share/epiphany
-blacklist ${HOME}/.local/share/evolution
-blacklist ${HOME}/.local/share/FasterThanLight
-blacklist ${HOME}/.local/share/feedreader
-blacklist ${HOME}/.local/share/feral-interactive
-blacklist ${HOME}/.local/share/five-or-more
-blacklist ${HOME}/.local/share/freecol
-blacklist ${HOME}/.local/share/gajim
-blacklist ${HOME}/.local/share/geary
-blacklist ${HOME}/.local/share/geeqie
-blacklist ${HOME}/.local/share/ghostwriter
-blacklist ${HOME}/.local/share/gitg
-blacklist ${HOME}/.local/share/gnome-2048
-blacklist ${HOME}/.local/share/gnome-boxes
-blacklist ${HOME}/.local/share/gnome-builder
-blacklist ${HOME}/.local/share/gnome-chess
-blacklist ${HOME}/.local/share/gnome-klotski
-blacklist ${HOME}/.local/share/gnome-latex
-blacklist ${HOME}/.local/share/gnome-mines
-blacklist ${HOME}/.local/share/gnome-music
-blacklist ${HOME}/.local/share/gnome-nibbles
-blacklist ${HOME}/.local/share/gnome-photos
-blacklist ${HOME}/.local/share/gnome-pomodoro
-blacklist ${HOME}/.local/share/gnome-recipes
-blacklist ${HOME}/.local/share/gnome-ring
-blacklist ${HOME}/.local/share/gnome-sudoku
-blacklist ${HOME}/.local/share/gnome-twitch
-blacklist ${HOME}/.local/share/gnote
-blacklist ${HOME}/.local/share/godot
-blacklist ${HOME}/.local/share/gradio
-blacklist ${HOME}/.local/share/gwenview
-blacklist ${HOME}/.local/share/i2p
-blacklist ${HOME}/.local/share/IntoTheBreach
-blacklist ${HOME}/.local/share/jami
-blacklist ${HOME}/.local/share/kaffeine
-blacklist ${HOME}/.local/share/kalgebra
-blacklist ${HOME}/.local/share/kate
-blacklist ${HOME}/.local/share/kdenlive
-blacklist ${HOME}/.local/share/kget
-blacklist ${HOME}/.local/share/kiwix
-blacklist ${HOME}/.local/share/kiwix-desktop
-blacklist ${HOME}/.local/share/klavaro
-blacklist ${HOME}/.local/share/kmail2
-blacklist ${HOME}/.local/share/kmplayer
-blacklist ${HOME}/.local/share/knotes
-blacklist ${HOME}/.local/share/krita
-blacklist ${HOME}/.local/share/ktorrent
-blacklist ${HOME}/.local/share/ktorrentrc
-blacklist ${HOME}/.local/share/ktouch
-blacklist ${HOME}/.local/share/kube
-blacklist ${HOME}/.local/share/kwrite
-blacklist ${HOME}/.local/share/kxmlgui5/*
-blacklist ${HOME}/.local/share/liferea
-blacklist ${HOME}/.local/share/linphone
-blacklist ${HOME}/.local/share/local-mail
-blacklist ${HOME}/.local/share/lollypop
-blacklist ${HOME}/.local/share/love
-blacklist ${HOME}/.local/share/lugaru
-blacklist ${HOME}/.local/share/lutris
-blacklist ${HOME}/.local/share/man
-blacklist ${HOME}/.local/share/mana
-blacklist ${HOME}/.local/share/maps-places.json
-blacklist ${HOME}/.local/share/matrix-mirage
-blacklist ${HOME}/.local/share/mcomix
-blacklist ${HOME}/.local/share/meld
-blacklist ${HOME}/.local/share/midori
-blacklist ${HOME}/.local/share/minder
-blacklist ${HOME}/.local/share/mirage
-blacklist ${HOME}/.local/share/multimc
-blacklist ${HOME}/.local/share/multimc5
-blacklist ${HOME}/.local/share/mupen64plus
-blacklist ${HOME}/.local/share/mypaint
-blacklist ${HOME}/.local/share/nautilus
-blacklist ${HOME}/.local/share/nautilus-python
-blacklist ${HOME}/.local/share/nemo
-blacklist ${HOME}/.local/share/nemo-python
-blacklist ${HOME}/.local/share/news-flash
-blacklist ${HOME}/.local/share/newsbeuter
-blacklist ${HOME}/.local/share/newsboat
-blacklist ${HOME}/.local/share/nheko
-blacklist ${HOME}/.local/share/nomacs
-blacklist ${HOME}/.local/share/notes
-blacklist ${HOME}/.local/share/ocenaudio
-blacklist ${HOME}/.local/share/okular
-blacklist ${HOME}/.local/share/onlyoffice
-blacklist ${HOME}/.local/share/openmw
-blacklist ${HOME}/.local/share/orage
-blacklist ${HOME}/.local/share/org.kde.gwenview
-blacklist ${HOME}/.local/share/Paradox Interactive
-blacklist ${HOME}/.local/share/pix
-blacklist ${HOME}/.local/share/plasma_notes
-blacklist ${HOME}/.local/share/profanity
-blacklist ${HOME}/.local/share/psi
-blacklist ${HOME}/.local/share/psi+
-blacklist ${HOME}/.local/share/quadrapassel
-blacklist ${HOME}/.local/share/qpdfview
-blacklist ${HOME}/.local/share/qutebrowser
-blacklist ${HOME}/.local/share/remmina
-blacklist ${HOME}/.local/share/rhythmbox
-blacklist ${HOME}/.local/share/rtv
-blacklist ${HOME}/.local/share/scribus
-blacklist ${HOME}/.local/share/shotwell
-blacklist ${HOME}/.local/share/signal-cli
-blacklist ${HOME}/.local/share/sink
-blacklist ${HOME}/.local/share/smuxi
-blacklist ${HOME}/.local/share/spotify
-blacklist ${HOME}/.local/share/steam
-blacklist ${HOME}/.local/share/strawberry
-blacklist ${HOME}/.local/share/supertux2
-blacklist ${HOME}/.local/share/supertuxkart
-blacklist ${HOME}/.local/share/swell-foop
-blacklist ${HOME}/.local/share/telepathy
-blacklist ${HOME}/.local/share/terasology
-blacklist ${HOME}/.local/share/torbrowser
-blacklist ${HOME}/.local/share/totem
-blacklist ${HOME}/.local/share/uzbl
-blacklist ${HOME}/.local/share/vlc
-blacklist ${HOME}/.local/share/vpltd
-blacklist ${HOME}/.local/share/vulkan
-blacklist ${HOME}/.local/share/warsow-2.1
-blacklist ${HOME}/.local/share/wesnoth
-blacklist ${HOME}/.local/share/wormux
-blacklist ${HOME}/.local/share/xplayer
-blacklist ${HOME}/.local/share/xreader
-blacklist ${HOME}/.local/share/zathura
-blacklist ${HOME}/.lv2
-blacklist ${HOME}/.lyx
-blacklist ${HOME}/.magicor
-blacklist ${HOME}/.masterpdfeditor
-blacklist ${HOME}/.mbwarband
-blacklist ${HOME}/.mcabber
-blacklist ${HOME}/.mcabberrc
-blacklist ${HOME}/.mediathek3
-blacklist ${HOME}/.megaglest
-blacklist ${HOME}/.minecraft
-blacklist ${HOME}/.minetest
-blacklist ${HOME}/.mirrormagic
-blacklist ${HOME}/.moc
-blacklist ${HOME}/.moonchild productions/basilisk
-blacklist ${HOME}/.moonchild productions/pale moon
-blacklist ${HOME}/.mozilla
-blacklist ${HOME}/.mp3splt-gtk
-blacklist ${HOME}/.mpd
-blacklist ${HOME}/.mpdconf
-blacklist ${HOME}/.mplayer
-blacklist ${HOME}/.msmtprc
-blacklist ${HOME}/.multimc5
-blacklist ${HOME}/.nanorc
-blacklist ${HOME}/.netactview
-blacklist ${HOME}/.neverball
-blacklist ${HOME}/.newsbeuter
-blacklist ${HOME}/.newsboat
-blacklist ${HOME}/.newsrc
-blacklist ${HOME}/.nicotine
-blacklist ${HOME}/.node-gyp
-blacklist ${HOME}/.npm
-blacklist ${HOME}/.npmrc
-blacklist ${HOME}/.nv
-blacklist ${HOME}/.nvm
-blacklist ${HOME}/.nylas-mail
-blacklist ${HOME}/.openarena
-blacklist ${HOME}/.opencity
-blacklist ${HOME}/.openinvaders
-blacklist ${HOME}/.openshot
-blacklist ${HOME}/.openshot_qt
-blacklist ${HOME}/.openttd
-blacklist ${HOME}/.opera
-blacklist ${HOME}/.opera-beta
-blacklist ${HOME}/.ostrichriders
-blacklist ${HOME}/.paradoxinteractive
-blacklist ${HOME}/.parallelrealities/blobwars
-blacklist ${HOME}/.pcsxr
-blacklist ${HOME}/.penguin-command
-blacklist ${HOME}/.pine-crash
-blacklist ${HOME}/.pine-debug1
-blacklist ${HOME}/.pine-debug2
-blacklist ${HOME}/.pine-debug3
-blacklist ${HOME}/.pine-debug4
-blacklist ${HOME}/.pine-interrupted-mail
-blacklist ${HOME}/.pinerc
-blacklist ${HOME}/.pinercex
-blacklist ${HOME}/.pingus
-blacklist ${HOME}/.pioneer
-blacklist ${HOME}/.purple
-blacklist ${HOME}/.pylint.d
-blacklist ${HOME}/.qemu-launcher
-blacklist ${HOME}/.qgis2
-blacklist ${HOME}/.qmmp
-blacklist ${HOME}/.quodlibet
-blacklist ${HOME}/.redeclipse
-blacklist ${HOME}/.remmina
-blacklist ${HOME}/.repo_.gitconfig.json
-blacklist ${HOME}/.repoconfig
-blacklist ${HOME}/.retroshare
-blacklist ${HOME}/.ripperXrc
-blacklist ${HOME}/.scorched3d
-blacklist ${HOME}/.scribus
-blacklist ${HOME}/.scribusrc
-blacklist ${HOME}/.simutrans
-blacklist ${HOME}/.smartgit/*/passwords
-blacklist ${HOME}/.ssr
-blacklist ${HOME}/.steam
-blacklist ${HOME}/.steampath
-blacklist ${HOME}/.steampid
-blacklist ${HOME}/.stellarium
-blacklist ${HOME}/.subversion
-blacklist ${HOME}/.surf
-blacklist ${HOME}/.suve/colorful
-blacklist ${HOME}/.swb.ini
-blacklist ${HOME}/.sword
-blacklist ${HOME}/.sylpheed-2.0
-blacklist ${HOME}/.synfig
-blacklist ${HOME}/.tb
-blacklist ${HOME}/.tconn
-blacklist ${HOME}/.teeworlds
-blacklist ${HOME}/.texlive20*
-blacklist ${HOME}/.thunderbird
-blacklist ${HOME}/.tilp
-blacklist ${HOME}/.tin
-blacklist ${HOME}/.tooling
-blacklist ${HOME}/.tor-browser*
-blacklist ${HOME}/.torcs
-blacklist ${HOME}/.tremulous
-blacklist ${HOME}/.ts3client
-blacklist ${HOME}/.tuxguitar*
-blacklist ${HOME}/.tvbrowser
-blacklist ${HOME}/.unknown-horizons
-blacklist ${HOME}/.viking
-blacklist ${HOME}/.viking-maps
-blacklist ${HOME}/.vim
-blacklist ${HOME}/.vimrc
-blacklist ${HOME}/.vmware
-blacklist ${HOME}/.vscode
-blacklist ${HOME}/.vscode-oss
-blacklist ${HOME}/.vst
-blacklist ${HOME}/.vultures
-blacklist ${HOME}/.w3m
-blacklist ${HOME}/.warzone2100-3.*
-blacklist ${HOME}/.waterfox
-blacklist ${HOME}/.weechat
-blacklist ${HOME}/.wget-hsts
-blacklist ${HOME}/.wgetrc
-blacklist ${HOME}/.widelands
-blacklist ${HOME}/.wine
-blacklist ${HOME}/.wine64
-blacklist ${HOME}/.wireshark
-blacklist ${HOME}/.wordwarvi
-blacklist ${HOME}/.wormux
-blacklist ${HOME}/.xiphos
-blacklist ${HOME}/.xmind
-blacklist ${HOME}/.xmms
-blacklist ${HOME}/.xmr-stak
-blacklist ${HOME}/.xonotic
-blacklist ${HOME}/.xournalpp
-blacklist ${HOME}/.xpdfrc
-blacklist ${HOME}/.yarn
-blacklist ${HOME}/.yarn-config
-blacklist ${HOME}/.yarncache
-blacklist ${HOME}/.yarnrc
-blacklist ${HOME}/.zoom
-blacklist /tmp/akonadi-*
-blacklist /tmp/.wine-*
-blacklist /var/games/nethack
-blacklist /var/games/slashem
-blacklist /var/games/vulturesclaw
-blacklist /var/games/vultureseye
-blacklist /var/lib/games/Maelstrom-Scores
+deny  ${HOME}/.*coin
+deny  ${HOME}/.8pecxstudios
+deny  ${HOME}/.AndroidStudio*
+deny  ${HOME}/.Atom
+deny  ${HOME}/.CLion*
+deny  ${HOME}/.FBReader
+deny  ${HOME}/.FontForge
+deny  ${HOME}/.IdeaIC*
+deny  ${HOME}/.LuminanceHDR
+deny  ${HOME}/.Mathematica
+deny  ${HOME}/.Natron
+deny  ${HOME}/.PlayOnLinux
+deny  ${HOME}/.PyCharm*
+deny  ${HOME}/.Sayonara
+deny  ${HOME}/.Steam
+deny  ${HOME}/.Steampath
+deny  ${HOME}/.Steampid
+deny  ${HOME}/.TelegramDesktop
+deny  ${HOME}/.VSCodium
+deny  ${HOME}/.ViberPC
+deny  ${HOME}/.VirtualBox
+deny  ${HOME}/.WebStorm*
+deny  ${HOME}/.Wolfram Research
+deny  ${HOME}/.ZAP
+deny  ${HOME}/.aMule
+deny  ${HOME}/.abook
+deny  ${HOME}/.addressbook
+deny  ${HOME}/.alpine-smime
+deny  ${HOME}/.android
+deny  ${HOME}/.anydesk
+deny  ${HOME}/.arduino15
+deny  ${HOME}/.aria2
+deny  ${HOME}/.arm
+deny  ${HOME}/.asunder_album_artist
+deny  ${HOME}/.asunder_album_genre
+deny  ${HOME}/.asunder_album_title
+deny  ${HOME}/.atom
+deny  ${HOME}/.attic
+deny  ${HOME}/.audacity-data
+deny  ${HOME}/.avidemux6
+deny  ${HOME}/.ballbuster.hs
+deny  ${HOME}/.balsa
+deny  ${HOME}/.bcast5
+deny  ${HOME}/.bibletime
+deny  ${HOME}/.bitcoin
+deny  ${HOME}/.blobby
+deny  ${HOME}/.bogofilter
+deny  ${HOME}/.bzf
+deny  ${HOME}/.cargo/*
+deny  ${HOME}/.claws-mail
+deny  ${HOME}/.cliqz
+deny  ${HOME}/.clion*
+deny  ${HOME}/.clonk
+deny  ${HOME}/.config/0ad
+deny  ${HOME}/.config/2048-qt
+deny  ${HOME}/.config/Atom
+deny  ${HOME}/.config/Audaciousrc
+deny  ${HOME}/.config/Authenticator
+deny  ${HOME}/.config/Beaker Browser
+deny  ${HOME}/.config/Bitcoin
+deny  ${HOME}/.config/Bitwarden
+deny  ${HOME}/.config/Brackets
+deny  ${HOME}/.config/BraveSoftware
+deny  ${HOME}/.config/Clementine
+deny  ${HOME}/.config/Code
+deny  ${HOME}/.config/Code - OSS
+deny  ${HOME}/.config/Code Industry
+deny  ${HOME}/.config/Cryptocat
+deny  ${HOME}/.config/Debauchee/Barrier.conf
+deny  ${HOME}/.config/Dharkael
+deny  ${HOME}/.config/ENCOM
+deny  ${HOME}/.config/Element
+deny  ${HOME}/.config/Element (Riot)
+deny  ${HOME}/.config/Enox
+deny  ${HOME}/.config/Epic
+deny  ${HOME}/.config/Ferdi
+deny  ${HOME}/.config/Flavio Tordini
+deny  ${HOME}/.config/Franz
+deny  ${HOME}/.config/FreeCAD
+deny  ${HOME}/.config/FreeTube
+deny  ${HOME}/.config/Fritzing
+deny  ${HOME}/.config/GIMP
+deny  ${HOME}/.config/GitHub Desktop
+deny  ${HOME}/.config/Gitter
+deny  ${HOME}/.config/Google
+deny  ${HOME}/.config/Google Play Music Desktop Player
+deny  ${HOME}/.config/Gpredict
+deny  ${HOME}/.config/INRIA
+deny  ${HOME}/.config/InSilmaril
+deny  ${HOME}/.config/Jitsi Meet
+deny  ${HOME}/.config/JetBrains/CLion*
+deny  ${HOME}/.config/KDE/neochat
+deny  ${HOME}/.config/Kid3
+deny  ${HOME}/.config/Kingsoft
+deny  ${HOME}/.config/LibreCAD
+deny  ${HOME}/.config/Loop_Hero
+deny  ${HOME}/.config/Luminance
+deny  ${HOME}/.config/LyX
+deny  ${HOME}/.config/Mattermost
+deny  ${HOME}/.config/Meltytech
+deny  ${HOME}/.config/Mendeley Ltd.
+deny  ${HOME}/.config/Microsoft
+deny  ${HOME}/.config/Min
+deny  ${HOME}/.config/ModTheSpire
+deny  ${HOME}/.config/Mousepad
+deny  ${HOME}/.config/Mumble
+deny  ${HOME}/.config/MusE
+deny  ${HOME}/.config/MuseScore
+deny  ${HOME}/.config/MusicBrainz
+deny  ${HOME}/.config/Nathan Osman
+deny  ${HOME}/.config/Nextcloud
+deny  ${HOME}/.config/NitroShare
+deny  ${HOME}/.config/Nylas Mail
+deny  ${HOME}/.config/PBE
+deny  ${HOME}/.config/PacmanLogViewer
+deny  ${HOME}/.config/PawelStolowski
+deny  ${HOME}/.config/Philipp Schmieder
+deny  ${HOME}/.config/Pinta
+deny  ${HOME}/.config/QGIS
+deny  ${HOME}/.config/QMediathekView
+deny  ${HOME}/.config/Qlipper
+deny  ${HOME}/.config/QuiteRss
+deny  ${HOME}/.config/QuiteRssrc
+deny  ${HOME}/.config/Quotient
+deny  ${HOME}/.config/Rambox
+deny  ${HOME}/.config/Riot
+deny  ${HOME}/.config/Rocket.Chat
+deny  ${HOME}/.config/RogueLegacy
+deny  ${HOME}/.config/RogueLegacyStorageContainer
+deny  ${HOME}/.config/Signal
+deny  ${HOME}/.config/Sinew Software Systems
+deny  ${HOME}/.config/Slack
+deny  ${HOME}/.config/Standard Notes
+deny  ${HOME}/.config/SubDownloader
+deny  ${HOME}/.config/Thunar
+deny  ${HOME}/.config/Twitch
+deny  ${HOME}/.config/Unknown Organization
+deny  ${HOME}/.config/VirtualBox
+deny  ${HOME}/.config/Whalebird
+deny  ${HOME}/.config/Wire
+deny  ${HOME}/.config/Youtube
+deny  ${HOME}/.config/ZeGrapher Project
+deny  ${HOME}/.config/Zeal
+deny  ${HOME}/.config/Zulip
+deny  ${HOME}/.config/aacs
+deny  ${HOME}/.config/abiword
+deny  ${HOME}/.config/agenda
+deny  ${HOME}/.config/akonadi*
+deny  ${HOME}/.config/akregatorrc
+deny  ${HOME}/.config/alacritty
+deny  ${HOME}/.config/ardour4
+deny  ${HOME}/.config/ardour5
+deny  ${HOME}/.config/aria2
+deny  ${HOME}/.config/arkrc
+deny  ${HOME}/.config/artha.conf
+deny  ${HOME}/.config/artha.log
+deny  ${HOME}/.config/asunder
+deny  ${HOME}/.config/atril
+deny  ${HOME}/.config/audacious
+deny  ${HOME}/.config/autokey
+deny  ${HOME}/.config/avidemux3_qt5rc
+deny  ${HOME}/.config/aweather
+deny  ${HOME}/.config/backintime
+deny  ${HOME}/.config/baloofilerc
+deny  ${HOME}/.config/baloorc
+deny  ${HOME}/.config/bcompare
+deny  ${HOME}/.config/blender
+deny  ${HOME}/.config/bless
+deny  ${HOME}/.config/bnox
+deny  ${HOME}/.config/borg
+deny  ${HOME}/.config/brasero
+deny  ${HOME}/.config/brave
+deny  ${HOME}/.config/brave-flags.conf
+deny  ${HOME}/.config/caja
+deny  ${HOME}/.config/calibre
+deny  ${HOME}/.config/cantata
+deny  ${HOME}/.config/catfish
+deny  ${HOME}/.config/cawbird
+deny  ${HOME}/.config/celluloid
+deny  ${HOME}/.config/cherrytree
+deny  ${HOME}/.config/chrome-beta-flags.conf
+deny  ${HOME}/.config/chrome-beta-flags.config
+deny  ${HOME}/.config/chrome-flags.conf
+deny  ${HOME}/.config/chrome-flags.config
+deny  ${HOME}/.config/chrome-unstable-flags.conf
+deny  ${HOME}/.config/chrome-unstable-flags.config
+deny  ${HOME}/.config/chromium
+deny  ${HOME}/.config/chromium-dev
+deny  ${HOME}/.config/chromium-flags.conf
+deny  ${HOME}/.config/clipit
+deny  ${HOME}/.config/cliqz
+deny  ${HOME}/.config/cmus
+deny  ${HOME}/.config/com.github.bleakgrey.tootle
+deny  ${HOME}/.config/corebird
+deny  ${HOME}/.config/cower
+deny  ${HOME}/.config/coyim
+deny  ${HOME}/.config/d-feet
+deny  ${HOME}/.config/darktable
+deny  ${HOME}/.config/deadbeef
+deny  ${HOME}/.config/deluge
+deny  ${HOME}/.config/devilspie2
+deny  ${HOME}/.config/digikam
+deny  ${HOME}/.config/digikamrc
+deny  ${HOME}/.config/discord
+deny  ${HOME}/.config/discordcanary
+deny  ${HOME}/.config/dkl
+deny  ${HOME}/.config/dnox
+deny  ${HOME}/.config/dolphin-emu
+deny  ${HOME}/.config/dolphinrc
+deny  ${HOME}/.config/dragonplayerrc
+deny  ${HOME}/.config/draw.io
+deny  ${HOME}/.config/electron-mail
+deny  ${HOME}/.config/emaildefaults
+deny  ${HOME}/.config/emailidentities
+deny  ${HOME}/.config/emilia
+deny  ${HOME}/.config/enchant
+deny  ${HOME}/.config/eog
+deny  ${HOME}/.config/epiphany
+deny  ${HOME}/.config/equalx
+deny  ${HOME}/.config/evince
+deny  ${HOME}/.config/evolution
+deny  ${HOME}/.config/falkon
+deny  ${HOME}/.config/filezilla
+deny  ${HOME}/.config/flameshot
+deny  ${HOME}/.config/flaska.net
+deny  ${HOME}/.config/flowblade
+deny  ${HOME}/.config/font-manager
+deny  ${HOME}/.config/freecol
+deny  ${HOME}/.config/gajim
+deny  ${HOME}/.config/galculator
+deny  ${HOME}/.config/gconf
+deny  ${HOME}/.config/geany
+deny  ${HOME}/.config/geary
+deny  ${HOME}/.config/gedit
+deny  ${HOME}/.config/geeqie
+deny  ${HOME}/.config/ghb
+deny  ${HOME}/.config/ghostwriter
+deny  ${HOME}/.config/git
+deny  ${HOME}/.config/git-cola
+deny  ${HOME}/.config/glade.conf
+deny  ${HOME}/.config/globaltime
+deny  ${HOME}/.config/gmpc
+deny  ${HOME}/.config/gnome-builder
+deny  ${HOME}/.config/gnome-chess
+deny  ${HOME}/.config/gnome-control-center
+deny  ${HOME}/.config/gnome-initial-setup-done
+deny  ${HOME}/.config/gnome-latex
+deny  ${HOME}/.config/gnome-mplayer
+deny  ${HOME}/.config/gnome-mpv
+deny  ${HOME}/.config/gnome-pie
+deny  ${HOME}/.config/gnome-session
+deny  ${HOME}/.config/gnote
+deny  ${HOME}/.config/godot
+deny  ${HOME}/.config/google-chrome
+deny  ${HOME}/.config/google-chrome-beta
+deny  ${HOME}/.config/google-chrome-unstable
+deny  ${HOME}/.config/gpicview
+deny  ${HOME}/.config/gthumb
+deny  ${HOME}/.config/gummi
+deny  ${HOME}/.config/guvcview2
+deny  ${HOME}/.config/gwenviewrc
+deny  ${HOME}/.config/hexchat
+deny  ${HOME}/.config/homebank
+deny  ${HOME}/.config/i2p
+deny  ${HOME}/.config/inkscape
+deny  ${HOME}/.config/inox
+deny  ${HOME}/.config/iridium
+deny  ${HOME}/.config/itch
+deny  ${HOME}/.config/jami
+deny  ${HOME}/.config/jd-gui.cfg
+deny  ${HOME}/.config/k3brc
+deny  ${HOME}/.config/kaffeinerc
+deny  ${HOME}/.config/kalgebrarc
+deny  ${HOME}/.config/katemetainfos
+deny  ${HOME}/.config/katepartrc
+deny  ${HOME}/.config/katerc
+deny  ${HOME}/.config/kateschemarc
+deny  ${HOME}/.config/katesyntaxhighlightingrc
+deny  ${HOME}/.config/katevirc
+deny  ${HOME}/.config/kazam
+deny  ${HOME}/.config/kdeconnect
+deny  ${HOME}/.config/kdenliverc
+deny  ${HOME}/.config/kdiff3fileitemactionrc
+deny  ${HOME}/.config/kdiff3rc
+deny  ${HOME}/.config/kfindrc
+deny  ${HOME}/.config/kgetrc
+deny  ${HOME}/.config/kid3rc
+deny  ${HOME}/.config/klavaro
+deny  ${HOME}/.config/klipperrc
+deny  ${HOME}/.config/kmail2rc
+deny  ${HOME}/.config/kmailsearchindexingrc
+deny  ${HOME}/.config/kmplayerrc
+deny  ${HOME}/.config/knotesrc
+deny  ${HOME}/.config/konversation.notifyrc
+deny  ${HOME}/.config/konversationrc
+deny  ${HOME}/.config/kritarc
+deny  ${HOME}/.config/ktorrentrc
+deny  ${HOME}/.config/ktouch2rc
+deny  ${HOME}/.config/kube
+deny  ${HOME}/.config/kwriterc
+deny  ${HOME}/.config/leafpad
+deny  ${HOME}/.config/libreoffice
+deny  ${HOME}/.config/liferea
+deny  ${HOME}/.config/linphone
+deny  ${HOME}/.config/lugaru
+deny  ${HOME}/.config/lutris
+deny  ${HOME}/.config/lximage-qt
+deny  ${HOME}/.config/mailtransports
+deny  ${HOME}/.config/mana
+deny  ${HOME}/.config/mate-calc
+deny  ${HOME}/.config/mate/eom
+deny  ${HOME}/.config/mate/mate-dictionary
+deny  ${HOME}/.config/matrix-mirage
+deny  ${HOME}/.config/mcomix
+deny  ${HOME}/.config/meld
+deny  ${HOME}/.config/menulibre.cfg
+deny  ${HOME}/.config/meteo-qt
+deny  ${HOME}/.config/mfusion
+deny  ${HOME}/.config/microsoft-edge-beta
+deny  ${HOME}/.config/microsoft-edge-dev
+deny  ${HOME}/.config/midori
+deny  ${HOME}/.config/mirage
+deny  ${HOME}/.config/mono
+deny  ${HOME}/.config/mpDris2
+deny  ${HOME}/.config/mpd
+deny  ${HOME}/.config/mps-youtube
+deny  ${HOME}/.config/mpv
+deny  ${HOME}/.config/mupen64plus
+deny  ${HOME}/.config/mutt
+deny  ${HOME}/.config/mutter
+deny  ${HOME}/.config/mypaint
+deny  ${HOME}/.config/nano
+deny  ${HOME}/.config/nautilus
+deny  ${HOME}/.config/nemo
+deny  ${HOME}/.config/neochat.notifyrc
+deny  ${HOME}/.config/neochatrc
+deny  ${HOME}/.config/neomutt
+deny  ${HOME}/.config/netsurf
+deny  ${HOME}/.config/newsbeuter
+deny  ${HOME}/.config/newsboat
+deny  ${HOME}/.config/newsflash
+deny  ${HOME}/.config/nheko
+deny  ${HOME}/.config/nomacs
+deny  ${HOME}/.config/nuclear
+deny  ${HOME}/.config/obs-studio
+deny  ${HOME}/.config/okularpartrc
+deny  ${HOME}/.config/okularrc
+deny  ${HOME}/.config/onboard
+deny  ${HOME}/.config/onionshare
+deny  ${HOME}/.config/onlyoffice
+deny  ${HOME}/.config/openmw
+deny  ${HOME}/.config/opera
+deny  ${HOME}/.config/opera-beta
+deny  ${HOME}/.config/orage
+deny  ${HOME}/.config/org.gabmus.gfeeds.json
+deny  ${HOME}/.config/org.gabmus.gfeeds.saved_articles
+deny  ${HOME}/.config/org.kde.gwenviewrc
+deny  ${HOME}/.config/otter
+deny  ${HOME}/.config/pavucontrol-qt
+deny  ${HOME}/.config/pavucontrol.ini
+deny  ${HOME}/.config/pcmanfm
+deny  ${HOME}/.config/pdfmod
+deny  ${HOME}/.config/pipe-viewer
+deny  ${HOME}/.config/pitivi
+deny  ${HOME}/.config/pix
+deny  ${HOME}/.config/pluma
+deny  ${HOME}/.config/ppsspp
+deny  ${HOME}/.config/pragha
+deny  ${HOME}/.config/profanity
+deny  ${HOME}/.config/psi
+deny  ${HOME}/.config/psi+
+deny  ${HOME}/.config/qBittorrent
+deny  ${HOME}/.config/qBittorrentrc
+deny  ${HOME}/.config/qnapi.ini
+deny  ${HOME}/.config/qpdfview
+deny  ${HOME}/.config/quodlibet
+deny  ${HOME}/.config/qupzilla
+deny  ${HOME}/.config/qutebrowser
+deny  ${HOME}/.config/ranger
+deny  ${HOME}/.config/redshift
+deny  ${HOME}/.config/redshift.conf
+deny  ${HOME}/.config/remmina
+deny  ${HOME}/.config/ristretto
+deny  ${HOME}/.config/rtv
+deny  ${HOME}/.config/scribus
+deny  ${HOME}/.config/scribusrc
+deny  ${HOME}/.config/sinew.in
+deny  ${HOME}/.config/sink
+deny  ${HOME}/.config/skypeforlinux
+deny  ${HOME}/.config/slimjet
+deny  ${HOME}/.config/smplayer
+deny  ${HOME}/.config/smtube
+deny  ${HOME}/.config/smuxi
+deny  ${HOME}/.config/snox
+deny  ${HOME}/.config/sound-juicer
+deny  ${HOME}/.config/specialmailcollectionsrc
+deny  ${HOME}/.config/spectaclerc
+deny  ${HOME}/.config/spotify
+deny  ${HOME}/.config/sqlitebrowser
+deny  ${HOME}/.config/stellarium
+deny  ${HOME}/.config/straw-viewer
+deny  ${HOME}/.config/strawberry
+deny  ${HOME}/.config/supertuxkart
+deny  ${HOME}/.config/synfig
+deny  ${HOME}/.config/teams
+deny  ${HOME}/.config/teams-for-linux
+deny  ${HOME}/.config/telepathy-account-widgets
+deny  ${HOME}/.config/torbrowser
+deny  ${HOME}/.config/totem
+deny  ${HOME}/.config/tox
+deny  ${HOME}/.config/transgui
+deny  ${HOME}/.config/transmission
+deny  ${HOME}/.config/truecraft
+deny  ${HOME}/.config/tuta_integration
+deny  ${HOME}/.config/tutanota-desktop
+deny  ${HOME}/.config/tvbrowser
+deny  ${HOME}/.config/uGet
+deny  ${HOME}/.config/ungoogled-chromium
+deny  ${HOME}/.config/uzbl
+deny  ${HOME}/.config/viewnior
+deny  ${HOME}/.config/vivaldi
+deny  ${HOME}/.config/vivaldi-snapshot
+deny  ${HOME}/.config/vlc
+deny  ${HOME}/.config/wesnoth
+deny  ${HOME}/.config/wireshark
+deny  ${HOME}/.config/wormux
+deny  ${HOME}/.config/xchat
+deny  ${HOME}/.config/xed
+deny  ${HOME}/.config/xfburn
+deny  ${HOME}/.config/xfce4-dict
+deny  ${HOME}/.config/xfce4/xfce4-notes.gtkrc
+deny  ${HOME}/.config/xfce4/xfce4-notes.rc
+deny  ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
+deny  ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
+deny  ${HOME}/.config/xiaoyong
+deny  ${HOME}/.config/xmms2
+deny  ${HOME}/.config/xplayer
+deny  ${HOME}/.config/xreader
+deny  ${HOME}/.config/xviewer
+deny  ${HOME}/.config/yandex-browser
+deny  ${HOME}/.config/yandex-browser-beta
+deny  ${HOME}/.config/yelp
+deny  ${HOME}/.config/youtube-dl
+deny  ${HOME}/.config/youtube-dlg
+deny  ${HOME}/.config/youtube-music-desktop-app
+deny  ${HOME}/.config/youtube-viewer
+deny  ${HOME}/.config/youtubemusic-nativefier-040164
+deny  ${HOME}/.config/zathura
+deny  ${HOME}/.config/zim
+deny  ${HOME}/.config/zoomus.conf
+deny  ${HOME}/.conkeror.mozdev.org
+deny  ${HOME}/.crawl
+deny  ${HOME}/.cups
+deny  ${HOME}/.curl-hsts
+deny  ${HOME}/.curlrc
+deny  ${HOME}/.dashcore
+deny  ${HOME}/.devilspie
+deny  ${HOME}/.dia
+deny  ${HOME}/.digrc
+deny  ${HOME}/.dillo
+deny  ${HOME}/.dooble
+deny  ${HOME}/.dosbox
+deny  ${HOME}/.dropbox*
+deny  ${HOME}/.easystroke
+deny  ${HOME}/.electron-cache
+deny  ${HOME}/.electrum*
+deny  ${HOME}/.elinks
+deny  ${HOME}/.emacs
+deny  ${HOME}/.emacs.d
+deny  ${HOME}/.equalx
+deny  ${HOME}/.ethereum
+deny  ${HOME}/.etr
+deny  ${HOME}/.filezilla
+deny  ${HOME}/.firedragon
+deny  ${HOME}/.flowblade
+deny  ${HOME}/.fltk
+deny  ${HOME}/.fossamail
+deny  ${HOME}/.freeciv
+deny  ${HOME}/.freecol
+deny  ${HOME}/.freemind
+deny  ${HOME}/.frogatto
+deny  ${HOME}/.frozen-bubble
+deny  ${HOME}/.funnyboat
+deny  ${HOME}/.gimp*
+deny  ${HOME}/.gist
+deny  ${HOME}/.gitconfig
+deny  ${HOME}/.gl-117
+deny  ${HOME}/.glaxiumrc
+deny  ${HOME}/.gnome/gnome-schedule
+deny  ${HOME}/.googleearth
+deny  ${HOME}/.gradle
+deny  ${HOME}/.gramps
+deny  ${HOME}/.guayadeque
+deny  ${HOME}/.hashcat
+deny  ${HOME}/.hedgewars
+deny  ${HOME}/.hex-a-hop
+deny  ${HOME}/.hugin
+deny  ${HOME}/.i2p
+deny  ${HOME}/.icedove
+deny  ${HOME}/.imagej
+deny  ${HOME}/.inkscape
+deny  ${HOME}/.itch
+deny  ${HOME}/.jack-server
+deny  ${HOME}/.jack-settings
+deny  ${HOME}/.jak
+deny  ${HOME}/.java
+deny  ${HOME}/.jd
+deny  ${HOME}/.jitsi
+deny  ${HOME}/.jumpnbump
+deny  ${HOME}/.kde/share/apps/digikam
+deny  ${HOME}/.kde/share/apps/gwenview
+deny  ${HOME}/.kde/share/apps/kaffeine
+deny  ${HOME}/.kde/share/apps/kcookiejar
+deny  ${HOME}/.kde/share/apps/kget
+deny  ${HOME}/.kde/share/apps/khtml
+deny  ${HOME}/.kde/share/apps/klatexformula
+deny  ${HOME}/.kde/share/apps/konqsidebartng
+deny  ${HOME}/.kde/share/apps/konqueror
+deny  ${HOME}/.kde/share/apps/kopete
+deny  ${HOME}/.kde/share/apps/ktorrent
+deny  ${HOME}/.kde/share/apps/okular
+deny  ${HOME}/.kde/share/config/baloofilerc
+deny  ${HOME}/.kde/share/config/baloorc
+deny  ${HOME}/.kde/share/config/digikam
+deny  ${HOME}/.kde/share/config/gwenviewrc
+deny  ${HOME}/.kde/share/config/k3brc
+deny  ${HOME}/.kde/share/config/kaffeinerc
+deny  ${HOME}/.kde/share/config/kcookiejarrc
+deny  ${HOME}/.kde/share/config/kfindrc
+deny  ${HOME}/.kde/share/config/kgetrc
+deny  ${HOME}/.kde/share/config/khtmlrc
+deny  ${HOME}/.kde/share/config/klipperrc
+deny  ${HOME}/.kde/share/config/kmplayerrc
+deny  ${HOME}/.kde/share/config/konq_history
+deny  ${HOME}/.kde/share/config/konqsidebartngrc
+deny  ${HOME}/.kde/share/config/konquerorrc
+deny  ${HOME}/.kde/share/config/konversationrc
+deny  ${HOME}/.kde/share/config/kopeterc
+deny  ${HOME}/.kde/share/config/ktorrentrc
+deny  ${HOME}/.kde/share/config/okularpartrc
+deny  ${HOME}/.kde/share/config/okularrc
+deny  ${HOME}/.kde4/share/apps/digikam
+deny  ${HOME}/.kde4/share/apps/gwenview
+deny  ${HOME}/.kde4/share/apps/kaffeine
+deny  ${HOME}/.kde4/share/apps/kcookiejar
+deny  ${HOME}/.kde4/share/apps/kget
+deny  ${HOME}/.kde4/share/apps/khtml
+deny  ${HOME}/.kde4/share/apps/konqsidebartng
+deny  ${HOME}/.kde4/share/apps/konqueror
+deny  ${HOME}/.kde4/share/apps/kopete
+deny  ${HOME}/.kde4/share/apps/ktorrent
+deny  ${HOME}/.kde4/share/apps/okular
+deny  ${HOME}/.kde4/share/config/baloofilerc
+deny  ${HOME}/.kde4/share/config/baloorc
+deny  ${HOME}/.kde4/share/config/digikam
+deny  ${HOME}/.kde4/share/config/gwenviewrc
+deny  ${HOME}/.kde4/share/config/k3brc
+deny  ${HOME}/.kde4/share/config/kaffeinerc
+deny  ${HOME}/.kde4/share/config/kcookiejarrc
+deny  ${HOME}/.kde4/share/config/kfindrc
+deny  ${HOME}/.kde4/share/config/kgetrc
+deny  ${HOME}/.kde4/share/config/khtmlrc
+deny  ${HOME}/.kde4/share/config/klipperrc
+deny  ${HOME}/.kde4/share/config/konq_history
+deny  ${HOME}/.kde4/share/config/konqsidebartngrc
+deny  ${HOME}/.kde4/share/config/konquerorrc
+deny  ${HOME}/.kde4/share/config/konversationrc
+deny  ${HOME}/.kde4/share/config/kopeterc
+deny  ${HOME}/.kde4/share/config/ktorrentrc
+deny  ${HOME}/.kde4/share/config/okularpartrc
+deny  ${HOME}/.kde4/share/config/okularrc
+deny  ${HOME}/.killingfloor
+deny  ${HOME}/.kingsoft
+deny  ${HOME}/.kino-history
+deny  ${HOME}/.kinorc
+deny  ${HOME}/.klatexformula
+deny  ${HOME}/.klei
+deny  ${HOME}/.kodi
+deny  ${HOME}/.librewolf
+deny  ${HOME}/.lincity-ng
+deny  ${HOME}/.links
+deny  ${HOME}/.links2
+deny  ${HOME}/.linphone-history.db
+deny  ${HOME}/.linphonerc
+deny  ${HOME}/.lmmsrc.xml
+deny  ${HOME}/.local/lib/vivaldi
+deny  ${HOME}/.local/share/0ad
+deny  ${HOME}/.local/share/3909/PapersPlease
+deny  ${HOME}/.local/share/Anki2
+deny  ${HOME}/.local/share/Dredmor
+deny  ${HOME}/.local/share/Empathy
+deny  ${HOME}/.local/share/Enpass
+deny  ${HOME}/.local/share/FasterThanLight
+deny  ${HOME}/.local/share/Flavio Tordini
+deny  ${HOME}/.local/share/IntoTheBreach
+deny  ${HOME}/.local/share/JetBrains
+deny  ${HOME}/.local/share/KDE/neochat
+deny  ${HOME}/.local/share/Kingsoft
+deny  ${HOME}/.local/share/LibreCAD
+deny  ${HOME}/.local/share/Mendeley Ltd.
+deny  ${HOME}/.local/share/Mumble
+deny  ${HOME}/.local/share/Nextcloud
+deny  ${HOME}/.local/share/PBE
+deny  ${HOME}/.local/share/Paradox Interactive
+deny  ${HOME}/.local/share/PawelStolowski
+deny  ${HOME}/.local/share/PillarsOfEternity
+deny  ${HOME}/.local/share/Psi
+deny  ${HOME}/.local/share/QGIS
+deny  ${HOME}/.local/share/QMediathekView
+deny  ${HOME}/.local/share/QuiteRss
+deny  ${HOME}/.local/share/Ricochet
+deny  ${HOME}/.local/share/RogueLegacy
+deny  ${HOME}/.local/share/RogueLegacyStorageContainer
+deny  ${HOME}/.local/share/Shortwave
+deny  ${HOME}/.local/share/Steam
+deny  ${HOME}/.local/share/SteamWorld Dig 2
+deny  ${HOME}/.local/share/SteamWorldDig
+deny  ${HOME}/.local/share/SuperHexagon
+deny  ${HOME}/.local/share/TelegramDesktop
+deny  ${HOME}/.local/share/Terraria
+deny  ${HOME}/.local/share/TpLogger
+deny  ${HOME}/.local/share/Zeal
+deny  ${HOME}/.local/share/agenda
+deny  ${HOME}/.local/share/akonadi*
+deny  ${HOME}/.local/share/akregator
+deny  ${HOME}/.local/share/apps/korganizer
+deny  ${HOME}/.local/share/aspyr-media
+deny  ${HOME}/.local/share/authenticator-rs
+deny  ${HOME}/.local/share/autokey
+deny  ${HOME}/.local/share/backintime
+deny  ${HOME}/.local/share/baloo
+deny  ${HOME}/.local/share/barrier
+deny  ${HOME}/.local/share/bibletime
+deny  ${HOME}/.local/share/bijiben
+deny  ${HOME}/.local/share/bohemiainteractive
+deny  ${HOME}/.local/share/caja-python
+deny  ${HOME}/.local/share/calligragemini
+deny  ${HOME}/.local/share/cantata
+deny  ${HOME}/.local/share/cdprojektred
+deny  ${HOME}/.local/share/clipit
+deny  ${HOME}/.local/share/com.github.johnfactotum.Foliate
+deny  ${HOME}/.local/share/contacts
+deny  ${HOME}/.local/share/cor-games
+deny  ${HOME}/.local/share/data/Mendeley Ltd.
+deny  ${HOME}/.local/share/data/Mumble
+deny  ${HOME}/.local/share/data/MusE
+deny  ${HOME}/.local/share/data/MuseScore
+deny  ${HOME}/.local/share/data/nomacs
+deny  ${HOME}/.local/share/data/qBittorrent
+deny  ${HOME}/.local/share/dino
+deny  ${HOME}/.local/share/dolphin
+deny  ${HOME}/.local/share/dolphin-emu
+deny  ${HOME}/.local/share/emailidentities
+deny  ${HOME}/.local/share/epiphany
+deny  ${HOME}/.local/share/evolution
+deny  ${HOME}/.local/share/feedreader
+deny  ${HOME}/.local/share/feral-interactive
+deny  ${HOME}/.local/share/five-or-more
+deny  ${HOME}/.local/share/freecol
+deny  ${HOME}/.local/share/gajim
+deny  ${HOME}/.local/share/geary
+deny  ${HOME}/.local/share/geeqie
+deny  ${HOME}/.local/share/ghostwriter
+deny  ${HOME}/.local/share/gitg
+deny  ${HOME}/.local/share/gnome-2048
+deny  ${HOME}/.local/share/gnome-boxes
+deny  ${HOME}/.local/share/gnome-builder
+deny  ${HOME}/.local/share/gnome-chess
+deny  ${HOME}/.local/share/gnome-klotski
+deny  ${HOME}/.local/share/gnome-latex
+deny  ${HOME}/.local/share/gnome-mines
+deny  ${HOME}/.local/share/gnome-music
+deny  ${HOME}/.local/share/gnome-nibbles
+deny  ${HOME}/.local/share/gnome-photos
+deny  ${HOME}/.local/share/gnome-pomodoro
+deny  ${HOME}/.local/share/gnome-recipes
+deny  ${HOME}/.local/share/gnome-ring
+deny  ${HOME}/.local/share/gnome-sudoku
+deny  ${HOME}/.local/share/gnome-twitch
+deny  ${HOME}/.local/share/gnote
+deny  ${HOME}/.local/share/godot
+deny  ${HOME}/.local/share/gradio
+deny  ${HOME}/.local/share/gwenview
+deny  ${HOME}/.local/share/i2p
+deny  ${HOME}/.local/share/io.github.lainsce.Notejot
+deny  ${HOME}/.local/share/jami
+deny  ${HOME}/.local/share/kaffeine
+deny  ${HOME}/.local/share/kalgebra
+deny  ${HOME}/.local/share/kate
+deny  ${HOME}/.local/share/kdenlive
+deny  ${HOME}/.local/share/kget
+deny  ${HOME}/.local/share/kiwix
+deny  ${HOME}/.local/share/kiwix-desktop
+deny  ${HOME}/.local/share/klavaro
+deny  ${HOME}/.local/share/kmail2
+deny  ${HOME}/.local/share/kmplayer
+deny  ${HOME}/.local/share/knotes
+deny  ${HOME}/.local/share/krita
+deny  ${HOME}/.local/share/ktorrent
+deny  ${HOME}/.local/share/ktorrentrc
+deny  ${HOME}/.local/share/ktouch
+deny  ${HOME}/.local/share/kube
+deny  ${HOME}/.local/share/kwrite
+deny  ${HOME}/.local/share/kxmlgui5/*
+deny  ${HOME}/.local/share/liferea
+deny  ${HOME}/.local/share/linphone
+deny  ${HOME}/.local/share/local-mail
+deny  ${HOME}/.local/share/lollypop
+deny  ${HOME}/.local/share/love
+deny  ${HOME}/.local/share/lugaru
+deny  ${HOME}/.local/share/lutris
+deny  ${HOME}/.local/share/man
+deny  ${HOME}/.local/share/mana
+deny  ${HOME}/.local/share/maps-places.json
+deny  ${HOME}/.local/share/matrix-mirage
+deny  ${HOME}/.local/share/mcomix
+deny  ${HOME}/.local/share/meld
+deny  ${HOME}/.local/share/midori
+deny  ${HOME}/.local/share/minder
+deny  ${HOME}/.local/share/mirage
+deny  ${HOME}/.local/share/multimc
+deny  ${HOME}/.local/share/multimc5
+deny  ${HOME}/.local/share/mupen64plus
+deny  ${HOME}/.local/share/mypaint
+deny  ${HOME}/.local/share/nautilus
+deny  ${HOME}/.local/share/nautilus-python
+deny  ${HOME}/.local/share/nemo
+deny  ${HOME}/.local/share/nemo-python
+deny  ${HOME}/.local/share/news-flash
+deny  ${HOME}/.local/share/newsbeuter
+deny  ${HOME}/.local/share/newsboat
+deny  ${HOME}/.local/share/nheko
+deny  ${HOME}/.local/share/nomacs
+deny  ${HOME}/.local/share/notes
+deny  ${HOME}/.local/share/ocenaudio
+deny  ${HOME}/.local/share/okular
+deny  ${HOME}/.local/share/onlyoffice
+deny  ${HOME}/.local/share/openmw
+deny  ${HOME}/.local/share/orage
+deny  ${HOME}/.local/share/org.kde.gwenview
+deny  ${HOME}/.local/share/pix
+deny  ${HOME}/.local/share/plasma_notes
+deny  ${HOME}/.local/share/profanity
+deny  ${HOME}/.local/share/psi
+deny  ${HOME}/.local/share/psi+
+deny  ${HOME}/.local/share/qpdfview
+deny  ${HOME}/.local/share/quadrapassel
+deny  ${HOME}/.local/share/qutebrowser
+deny  ${HOME}/.local/share/remmina
+deny  ${HOME}/.local/share/rhythmbox
+deny  ${HOME}/.local/share/rtv
+deny  ${HOME}/.local/share/scribus
+deny  ${HOME}/.local/share/shotwell
+deny  ${HOME}/.local/share/signal-cli
+deny  ${HOME}/.local/share/sink
+deny  ${HOME}/.local/share/smuxi
+deny  ${HOME}/.local/share/spotify
+deny  ${HOME}/.local/share/steam
+deny  ${HOME}/.local/share/strawberry
+deny  ${HOME}/.local/share/supertux2
+deny  ${HOME}/.local/share/supertuxkart
+deny  ${HOME}/.local/share/swell-foop
+deny  ${HOME}/.local/share/telepathy
+deny  ${HOME}/.local/share/terasology
+deny  ${HOME}/.local/share/torbrowser
+deny  ${HOME}/.local/share/totem
+deny  ${HOME}/.local/share/uzbl
+deny  ${HOME}/.local/share/vlc
+deny  ${HOME}/.local/share/vpltd
+deny  ${HOME}/.local/share/vulkan
+deny  ${HOME}/.local/share/warsow-2.1
+deny  ${HOME}/.local/share/wesnoth
+deny  ${HOME}/.local/share/wormux
+deny  ${HOME}/.local/share/xplayer
+deny  ${HOME}/.local/share/xreader
+deny  ${HOME}/.local/share/zathura
+deny  ${HOME}/.lv2
+deny  ${HOME}/.lyx
+deny  ${HOME}/.magicor
+deny  ${HOME}/.masterpdfeditor
+deny  ${HOME}/.mbwarband
+deny  ${HOME}/.mcabber
+deny  ${HOME}/.mcabberrc
+deny  ${HOME}/.mediathek3
+deny  ${HOME}/.megaglest
+deny  ${HOME}/.minecraft
+deny  ${HOME}/.minetest
+deny  ${HOME}/.mirrormagic
+deny  ${HOME}/.moc
+deny  ${HOME}/.moonchild productions/basilisk
+deny  ${HOME}/.moonchild productions/pale moon
+deny  ${HOME}/.mozilla
+deny  ${HOME}/.mp3splt-gtk
+deny  ${HOME}/.mpd
+deny  ${HOME}/.mpdconf
+deny  ${HOME}/.mplayer
+deny  ${HOME}/.msmtprc
+deny  ${HOME}/.multimc5
+deny  ${HOME}/.nanorc
+deny  ${HOME}/.netactview
+deny  ${HOME}/.neverball
+deny  ${HOME}/.newsbeuter
+deny  ${HOME}/.newsboat
+deny  ${HOME}/.newsrc
+deny  ${HOME}/.nicotine
+deny  ${HOME}/.node-gyp
+deny  ${HOME}/.npm
+deny  ${HOME}/.npmrc
+deny  ${HOME}/.nv
+deny  ${HOME}/.nvm
+deny  ${HOME}/.nylas-mail
+deny  ${HOME}/.openarena
+deny  ${HOME}/.opencity
+deny  ${HOME}/.openinvaders
+deny  ${HOME}/.openshot
+deny  ${HOME}/.openshot_qt
+deny  ${HOME}/.openttd
+deny  ${HOME}/.opera
+deny  ${HOME}/.opera-beta
+deny  ${HOME}/.ostrichriders
+deny  ${HOME}/.paradoxinteractive
+deny  ${HOME}/.parallelrealities/blobwars
+deny  ${HOME}/.pcsxr
+deny  ${HOME}/.penguin-command
+deny  ${HOME}/.pine-crash
+deny  ${HOME}/.pine-debug1
+deny  ${HOME}/.pine-debug2
+deny  ${HOME}/.pine-debug3
+deny  ${HOME}/.pine-debug4
+deny  ${HOME}/.pine-interrupted-mail
+deny  ${HOME}/.pinerc
+deny  ${HOME}/.pinercex
+deny  ${HOME}/.pingus
+deny  ${HOME}/.pioneer
+deny  ${HOME}/.purple
+deny  ${HOME}/.pylint.d
+deny  ${HOME}/.qemu-launcher
+deny  ${HOME}/.qgis2
+deny  ${HOME}/.qmmp
+deny  ${HOME}/.quodlibet
+deny  ${HOME}/.redeclipse
+deny  ${HOME}/.rednotebook
+deny  ${HOME}/.remmina
+deny  ${HOME}/.repo_.gitconfig.json
+deny  ${HOME}/.repoconfig
+deny  ${HOME}/.retroshare
+deny  ${HOME}/.ripperXrc
+deny  ${HOME}/.scorched3d
+deny  ${HOME}/.scribus
+deny  ${HOME}/.scribusrc
+deny  ${HOME}/.simutrans
+deny  ${HOME}/.smartgit/*/passwords
+deny  ${HOME}/.ssr
+deny  ${HOME}/.steam
+deny  ${HOME}/.steampath
+deny  ${HOME}/.steampid
+deny  ${HOME}/.stellarium
+deny  ${HOME}/.subversion
+deny  ${HOME}/.surf
+deny  ${HOME}/.suve/colorful
+deny  ${HOME}/.swb.ini
+deny  ${HOME}/.sword
+deny  ${HOME}/.sylpheed-2.0
+deny  ${HOME}/.synfig
+deny  ${HOME}/.tb
+deny  ${HOME}/.tconn
+deny  ${HOME}/.teeworlds
+deny  ${HOME}/.texlive20*
+deny  ${HOME}/.thunderbird
+deny  ${HOME}/.tilp
+deny  ${HOME}/.tin
+deny  ${HOME}/.tooling
+deny  ${HOME}/.tor-browser*
+deny  ${HOME}/.torcs
+deny  ${HOME}/.tremulous
+deny  ${HOME}/.ts3client
+deny  ${HOME}/.tuxguitar*
+deny  ${HOME}/.tvbrowser
+deny  ${HOME}/.unknown-horizons
+deny  ${HOME}/.viking
+deny  ${HOME}/.viking-maps
+deny  ${HOME}/.vim
+deny  ${HOME}/.vimrc
+deny  ${HOME}/.vmware
+deny  ${HOME}/.vscode
+deny  ${HOME}/.vscode-oss
+deny  ${HOME}/.vst
+deny  ${HOME}/.vultures
+deny  ${HOME}/.w3m
+deny  ${HOME}/.warzone2100-3.*
+deny  ${HOME}/.waterfox
+deny  ${HOME}/.weechat
+deny  ${HOME}/.wget-hsts
+deny  ${HOME}/.wgetrc
+deny  ${HOME}/.widelands
+deny  ${HOME}/.wine
+deny  ${HOME}/.wine64
+deny  ${HOME}/.wireshark
+deny  ${HOME}/.wordwarvi
+deny  ${HOME}/.wormux
+deny  ${HOME}/.xiphos
+deny  ${HOME}/.xmind
+deny  ${HOME}/.xmms
+deny  ${HOME}/.xmr-stak
+deny  ${HOME}/.xonotic
+deny  ${HOME}/.xournalpp
+deny  ${HOME}/.xpdfrc
+deny  ${HOME}/.yarn
+deny  ${HOME}/.yarn-config
+deny  ${HOME}/.yarncache
+deny  ${HOME}/.yarnrc
+deny  ${HOME}/.zoom
+deny  ${HOME}/Arduino
+deny  ${HOME}/Monero/wallets
+deny  ${HOME}/Nextcloud
+deny  ${HOME}/Nextcloud/Notes
+deny  ${HOME}/SoftMaker
+deny  ${HOME}/Standard Notes Backups
+deny  ${HOME}/TeamSpeak3-Client-linux_amd64
+deny  ${HOME}/TeamSpeak3-Client-linux_x86
+deny  ${HOME}/hyperrogue.ini
+deny  ${HOME}/i2p
+deny  ${HOME}/mps
+deny  ${HOME}/wallet.dat
+deny  /tmp/.wine-*
+deny  /tmp/akonadi-*
+deny  /var/games/nethack
+deny  /var/games/slashem
+deny  /var/games/vulturesclaw
+deny  /var/games/vultureseye
+deny  /var/lib/games/Maelstrom-Scores
 
 # ${HOME}/.cache directory
-blacklist ${HOME}/.cache/0ad
-blacklist ${HOME}/.cache/8pecxstudios
-blacklist ${HOME}/.cache/Authenticator
-blacklist ${HOME}/.cache/BraveSoftware
-blacklist ${HOME}/.cache/Clementine
-blacklist ${HOME}/.cache/ENCOM/Spectral
-blacklist ${HOME}/.cache/Enox
-blacklist ${HOME}/.cache/Enpass
-blacklist ${HOME}/.cache/Ferdi
-blacklist ${HOME}/.cache/Flavio Tordini
-blacklist ${HOME}/.cache/Franz
-blacklist ${HOME}/.cache/INRIA
-blacklist ${HOME}/.cache/MusicBrainz
-blacklist ${HOME}/.cache/NewsFlashGTK
-blacklist ${HOME}/.cache/Otter
-blacklist ${HOME}/.cache/PawelStolowski
-blacklist ${HOME}/.cache/Psi
-blacklist ${HOME}/.cache/QuiteRss
-blacklist ${HOME}/.cache/quodlibet
-blacklist ${HOME}/.cache/Quotient/quaternion
-blacklist ${HOME}/.cache/Shortwave
-blacklist ${HOME}/.cache/Tox
-blacklist ${HOME}/.cache/Zeal
-blacklist ${HOME}/.cache/agenda
-blacklist ${HOME}/.cache/akonadi*
-blacklist ${HOME}/.cache/atril
-blacklist ${HOME}/.cache/attic
-blacklist ${HOME}/.cache/babl
-blacklist ${HOME}/.cache/bnox
-blacklist ${HOME}/.cache/borg
-blacklist ${HOME}/.cache/calibre
-blacklist ${HOME}/.cache/cantata
-blacklist ${HOME}/.cache/champlain
-blacklist ${HOME}/.cache/chromium
-blacklist ${HOME}/.cache/chromium-dev
-blacklist ${HOME}/.cache/cliqz
-blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
-blacklist ${HOME}/.cache/darktable
-blacklist ${HOME}/.cache/deja-dup
-blacklist ${HOME}/.cache/discover
-blacklist ${HOME}/.cache/dnox
-blacklist ${HOME}/.cache/dolphin
-blacklist ${HOME}/.cache/dolphin-emu
-blacklist ${HOME}/.cache/ephemeral
-blacklist ${HOME}/.cache/epiphany
-blacklist ${HOME}/.cache/evolution
-blacklist ${HOME}/.cache/falkon
-blacklist ${HOME}/.cache/feedreader
-blacklist ${HOME}/.cache/firedragon
-blacklist ${HOME}/.cache/flaska.net/trojita
-blacklist ${HOME}/.cache/folks
-blacklist ${HOME}/.cache/font-manager
-blacklist ${HOME}/.cache/fossamail
-blacklist ${HOME}/.cache/fractal
-blacklist ${HOME}/.cache/freecol
-blacklist ${HOME}/.cache/gajim
-blacklist ${HOME}/.cache/geary
-blacklist ${HOME}/.cache/gegl-0.4
-blacklist ${HOME}/.cache/geeqie
-blacklist ${HOME}/.cache/gfeeds
-blacklist ${HOME}/.cache/gimp
-blacklist ${HOME}/.cache/gnome-boxes
-blacklist ${HOME}/.cache/gnome-builder
-blacklist ${HOME}/.cache/gnome-control-center
-blacklist ${HOME}/.cache/gnome-recipes
-blacklist ${HOME}/.cache/gnome-screenshot
-blacklist ${HOME}/.cache/gnome-software
-blacklist ${HOME}/.cache/gnome-twitch
-blacklist ${HOME}/.cache/godot
-blacklist ${HOME}/.cache/google-chrome
-blacklist ${HOME}/.cache/google-chrome-beta
-blacklist ${HOME}/.cache/google-chrome-unstable
-blacklist ${HOME}/.cache/gradio
-blacklist ${HOME}/.cache/gummi
-blacklist ${HOME}/.cache/icedove
-blacklist ${HOME}/.cache/INRIA/Natron
-blacklist ${HOME}/.cache/inkscape
-blacklist ${HOME}/.cache/inox
-blacklist ${HOME}/.cache/iridium
-blacklist ${HOME}/.cache/kcmshell5
-blacklist ${HOME}/.cache/KDE/neochat
-blacklist ${HOME}/.cache/kdenlive
-blacklist ${HOME}/.cache/keepassxc
-blacklist ${HOME}/.cache/kfind
-blacklist ${HOME}/.cache/kinfocenter
-blacklist ${HOME}/.cache/kmail2
-blacklist ${HOME}/.cache/krunner
-blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
-blacklist ${HOME}/.cache/kscreenlocker_greet
-blacklist ${HOME}/.cache/ksmserver-logout-greeter
-blacklist ${HOME}/.cache/ksplashqml
-blacklist ${HOME}/.cache/kube
-blacklist ${HOME}/.cache/kwin
-blacklist ${HOME}/.cache/libgweather
-blacklist ${HOME}/.cache/librewolf
-blacklist ${HOME}/.cache/liferea
-blacklist ${HOME}/.cache/lutris
-blacklist ${HOME}/.cache/Mendeley Ltd.
-blacklist ${HOME}/.cache/marker
-blacklist ${HOME}/.cache/matrix-mirage
-blacklist ${HOME}/.cache/microsoft-edge-dev
-blacklist ${HOME}/.cache/midori
-blacklist ${HOME}/.cache/minetest
-blacklist ${HOME}/.cache/mirage
-blacklist ${HOME}/.cache/moonchild productions/basilisk
-blacklist ${HOME}/.cache/moonchild productions/pale moon
-blacklist ${HOME}/.cache/mozilla
-blacklist ${HOME}/.cache/ms-excel-online
-blacklist ${HOME}/.cache/ms-office-online
-blacklist ${HOME}/.cache/ms-onenote-online
-blacklist ${HOME}/.cache/ms-outlook-online
-blacklist ${HOME}/.cache/ms-powerpoint-online
-blacklist ${HOME}/.cache/ms-skype-online
-blacklist ${HOME}/.cache/ms-word-online
-blacklist ${HOME}/.cache/mutt
-blacklist ${HOME}/.cache/mypaint
-blacklist ${HOME}/.cache/nheko
-blacklist ${HOME}/.cache/netsurf
-blacklist ${HOME}/.cache/okular
-blacklist ${HOME}/.cache/opera
-blacklist ${HOME}/.cache/opera-beta
-blacklist ${HOME}/.cache/org.gabmus.gfeeds
-blacklist ${HOME}/.cache/org.gnome.Books
-blacklist ${HOME}/.cache/org.gnome.Maps
-blacklist ${HOME}/.cache/pdfmod
-blacklist ${HOME}/.cache/peek
-blacklist ${HOME}/.cache/pip
-blacklist ${HOME}/.cache/pipe-viewer
-blacklist ${HOME}/.cache/plasmashell
-blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
-blacklist ${HOME}/.cache/psi
-blacklist ${HOME}/.cache/qBittorrent
-blacklist ${HOME}/.cache/qupzilla
-blacklist ${HOME}/.cache/qutebrowser
-blacklist ${HOME}/.cache/rhythmbox
-blacklist ${HOME}/.cache/shotwell
-blacklist ${HOME}/.cache/simple-scan
-blacklist ${HOME}/.cache/slimjet
-blacklist ${HOME}/.cache/smuxi
-blacklist ${HOME}/.cache/snox
-blacklist ${HOME}/.cache/spotify
-blacklist ${HOME}/.cache/strawberry
-blacklist ${HOME}/.cache/straw-viewer
-blacklist ${HOME}/.cache/supertuxkart
-blacklist ${HOME}/.cache/systemsettings
-blacklist ${HOME}/.cache/telepathy
-blacklist ${HOME}/.cache/thunderbird
-blacklist ${HOME}/.cache/torbrowser
-blacklist ${HOME}/.cache/transmission
-blacklist ${HOME}/.cache/ungoogled-chromium
-blacklist ${HOME}/.cache/vivaldi
-blacklist ${HOME}/.cache/vivaldi-snapshot
-blacklist ${HOME}/.cache/vlc
-blacklist ${HOME}/.cache/vmware
-blacklist ${HOME}/.cache/warsow-2.1
-blacklist ${HOME}/.cache/waterfox
-blacklist ${HOME}/.cache/wesnoth
-blacklist ${HOME}/.cache/winetricks
-blacklist ${HOME}/.cache/xmms2
-blacklist ${HOME}/.cache/xreader
-blacklist ${HOME}/.cache/yandex-browser
-blacklist ${HOME}/.cache/yandex-browser-beta
-blacklist ${HOME}/.cache/youtube-dl
-blacklist ${HOME}/.cache/youtube-viewer
+deny  ${HOME}/.cache/0ad
+deny  ${HOME}/.cache/8pecxstudios
+deny  ${HOME}/.cache/Authenticator
+deny  ${HOME}/.cache/BraveSoftware
+deny  ${HOME}/.cache/Clementine
+deny  ${HOME}/.cache/ENCOM/Spectral
+deny  ${HOME}/.cache/Enox
+deny  ${HOME}/.cache/Enpass
+deny  ${HOME}/.cache/Ferdi
+deny  ${HOME}/.cache/Flavio Tordini
+deny  ${HOME}/.cache/Franz
+deny  ${HOME}/.cache/INRIA
+deny  ${HOME}/.cache/INRIA/Natron
+deny  ${HOME}/.cache/KDE/neochat
+deny  ${HOME}/.cache/Mendeley Ltd.
+deny  ${HOME}/.cache/MusicBrainz
+deny  ${HOME}/.cache/NewsFlashGTK
+deny  ${HOME}/.cache/Otter
+deny  ${HOME}/.cache/PawelStolowski
+deny  ${HOME}/.cache/Psi
+deny  ${HOME}/.cache/QuiteRss
+deny  ${HOME}/.cache/Quotient/quaternion
+deny  ${HOME}/.cache/Shortwave
+deny  ${HOME}/.cache/Tox
+deny  ${HOME}/.cache/Zeal
+deny  ${HOME}/.cache/agenda
+deny  ${HOME}/.cache/akonadi*
+deny  ${HOME}/.cache/atril
+deny  ${HOME}/.cache/attic
+deny  ${HOME}/.cache/babl
+deny  ${HOME}/.cache/bnox
+deny  ${HOME}/.cache/borg
+deny  ${HOME}/.cache/calibre
+deny  ${HOME}/.cache/cantata
+deny  ${HOME}/.cache/champlain
+deny  ${HOME}/.cache/chromium
+deny  ${HOME}/.cache/chromium-dev
+deny  ${HOME}/.cache/cliqz
+deny  ${HOME}/.cache/com.github.johnfactotum.Foliate
+deny  ${HOME}/.cache/darktable
+deny  ${HOME}/.cache/deja-dup
+deny  ${HOME}/.cache/discover
+deny  ${HOME}/.cache/dnox
+deny  ${HOME}/.cache/dolphin
+deny  ${HOME}/.cache/dolphin-emu
+deny  ${HOME}/.cache/ephemeral
+deny  ${HOME}/.cache/epiphany
+deny  ${HOME}/.cache/evolution
+deny  ${HOME}/.cache/falkon
+deny  ${HOME}/.cache/feedreader
+deny  ${HOME}/.cache/firedragon
+deny  ${HOME}/.cache/flaska.net/trojita
+deny  ${HOME}/.cache/folks
+deny  ${HOME}/.cache/font-manager
+deny  ${HOME}/.cache/fossamail
+deny  ${HOME}/.cache/fractal
+deny  ${HOME}/.cache/freecol
+deny  ${HOME}/.cache/gajim
+deny  ${HOME}/.cache/geary
+deny  ${HOME}/.cache/geeqie
+deny  ${HOME}/.cache/gegl-0.4
+deny  ${HOME}/.cache/gfeeds
+deny  ${HOME}/.cache/gimp
+deny  ${HOME}/.cache/gnome-boxes
+deny  ${HOME}/.cache/gnome-builder
+deny  ${HOME}/.cache/gnome-control-center
+deny  ${HOME}/.cache/gnome-recipes
+deny  ${HOME}/.cache/gnome-screenshot
+deny  ${HOME}/.cache/gnome-software
+deny  ${HOME}/.cache/gnome-twitch
+deny  ${HOME}/.cache/godot
+deny  ${HOME}/.cache/google-chrome
+deny  ${HOME}/.cache/google-chrome-beta
+deny  ${HOME}/.cache/google-chrome-unstable
+deny  ${HOME}/.cache/gradio
+deny  ${HOME}/.cache/gummi
+deny  ${HOME}/.cache/icedove
+deny  ${HOME}/.cache/inkscape
+deny  ${HOME}/.cache/inox
+deny  ${HOME}/.cache/io.github.lainsce.Notejot
+deny  ${HOME}/.cache/iridium
+deny  ${HOME}/.cache/JetBrains/CLion*
+deny  ${HOME}/.cache/kcmshell5
+deny  ${HOME}/.cache/kdenlive
+deny  ${HOME}/.cache/keepassxc
+deny  ${HOME}/.cache/kfind
+deny  ${HOME}/.cache/kinfocenter
+deny  ${HOME}/.cache/kmail2
+deny  ${HOME}/.cache/krunner
+deny  ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
+deny  ${HOME}/.cache/kscreenlocker_greet
+deny  ${HOME}/.cache/ksmserver-logout-greeter
+deny  ${HOME}/.cache/ksplashqml
+deny  ${HOME}/.cache/kube
+deny  ${HOME}/.cache/kwin
+deny  ${HOME}/.cache/libgweather
+deny  ${HOME}/.cache/librewolf
+deny  ${HOME}/.cache/liferea
+deny  ${HOME}/.cache/lutris
+deny  ${HOME}/.cache/marker
+deny  ${HOME}/.cache/matrix-mirage
+deny  ${HOME}/.cache/microsoft-edge-beta
+deny  ${HOME}/.cache/microsoft-edge-dev
+deny  ${HOME}/.cache/midori
+deny  ${HOME}/.cache/minetest
+deny  ${HOME}/.cache/mirage
+deny  ${HOME}/.cache/moonchild productions/basilisk
+deny  ${HOME}/.cache/moonchild productions/pale moon
+deny  ${HOME}/.cache/mozilla
+deny  ${HOME}/.cache/ms-excel-online
+deny  ${HOME}/.cache/ms-office-online
+deny  ${HOME}/.cache/ms-onenote-online
+deny  ${HOME}/.cache/ms-outlook-online
+deny  ${HOME}/.cache/ms-powerpoint-online
+deny  ${HOME}/.cache/ms-skype-online
+deny  ${HOME}/.cache/ms-word-online
+deny  ${HOME}/.cache/mutt
+deny  ${HOME}/.cache/mypaint
+deny  ${HOME}/.cache/netsurf
+deny  ${HOME}/.cache/nheko
+deny  ${HOME}/.cache/okular
+deny  ${HOME}/.cache/opera
+deny  ${HOME}/.cache/opera-beta
+deny  ${HOME}/.cache/org.gabmus.gfeeds
+deny  ${HOME}/.cache/org.gnome.Books
+deny  ${HOME}/.cache/org.gnome.Maps
+deny  ${HOME}/.cache/pdfmod
+deny  ${HOME}/.cache/peek
+deny  ${HOME}/.cache/pip
+deny  ${HOME}/.cache/pipe-viewer
+deny  ${HOME}/.cache/plasmashell
+deny  ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
+deny  ${HOME}/.cache/psi
+deny  ${HOME}/.cache/qBittorrent
+deny  ${HOME}/.cache/quodlibet
+deny  ${HOME}/.cache/qupzilla
+deny  ${HOME}/.cache/qutebrowser
+deny  ${HOME}/.cache/rednotebook
+deny  ${HOME}/.cache/rhythmbox
+deny  ${HOME}/.cache/shotwell
+deny  ${HOME}/.cache/simple-scan
+deny  ${HOME}/.cache/slimjet
+deny  ${HOME}/.cache/smuxi
+deny  ${HOME}/.cache/snox
+deny  ${HOME}/.cache/spotify
+deny  ${HOME}/.cache/straw-viewer
+deny  ${HOME}/.cache/strawberry
+deny  ${HOME}/.cache/supertuxkart
+deny  ${HOME}/.cache/systemsettings
+deny  ${HOME}/.cache/telepathy
+deny  ${HOME}/.cache/thunderbird
+deny  ${HOME}/.cache/torbrowser
+deny  ${HOME}/.cache/transmission
+deny  ${HOME}/.cache/ungoogled-chromium
+deny  ${HOME}/.cache/vivaldi
+deny  ${HOME}/.cache/vivaldi-snapshot
+deny  ${HOME}/.cache/vlc
+deny  ${HOME}/.cache/vmware
+deny  ${HOME}/.cache/warsow-2.1
+deny  ${HOME}/.cache/waterfox
+deny  ${HOME}/.cache/wesnoth
+deny  ${HOME}/.cache/winetricks
+deny  ${HOME}/.cache/xmms2
+deny  ${HOME}/.cache/xreader
+deny  ${HOME}/.cache/yandex-browser
+deny  ${HOME}/.cache/yandex-browser-beta
+deny  ${HOME}/.cache/youtube-dl
+deny  ${HOME}/.cache/youtube-viewer
+deny  ${HOME}/.cache/zim
diff --git a/etc/inc/disable-shell.inc b/etc/inc/disable-shell.inc
index 8274b0215..da6fb31a3 100644
--- a/etc/inc/disable-shell.inc
+++ b/etc/inc/disable-shell.inc
@@ -2,14 +2,14 @@
 # Persistent customizations should go in a .local file.
 include disable-shell.local
 
-blacklist ${PATH}/bash
-blacklist ${PATH}/csh
-blacklist ${PATH}/dash
-blacklist ${PATH}/fish
-blacklist ${PATH}/ksh
-blacklist ${PATH}/mksh
-blacklist ${PATH}/oksh
-blacklist ${PATH}/sh
-blacklist ${PATH}/tclsh
-blacklist ${PATH}/tcsh
-blacklist ${PATH}/zsh
+deny  ${PATH}/bash
+deny  ${PATH}/csh
+deny  ${PATH}/dash
+deny  ${PATH}/fish
+deny  ${PATH}/ksh
+deny  ${PATH}/mksh
+deny  ${PATH}/oksh
+deny  ${PATH}/sh
+deny  ${PATH}/tclsh
+deny  ${PATH}/tcsh
+deny  ${PATH}/zsh
diff --git a/etc/inc/disable-xdg.inc b/etc/inc/disable-xdg.inc
index 22acf272d..32aa8c7f6 100644
--- a/etc/inc/disable-xdg.inc
+++ b/etc/inc/disable-xdg.inc
@@ -2,10 +2,10 @@
 # Persistent customizations should go in a .local file.
 include disable-xdg.local
 
-blacklist ${DOCUMENTS}
-blacklist ${MUSIC}
-blacklist ${PICTURES}
-blacklist ${VIDEOS}
+deny  ${DOCUMENTS}
+deny  ${MUSIC}
+deny  ${PICTURES}
+deny  ${VIDEOS}
 
 # The following should be considered catch-all directories
 #blacklist ${DESKTOP}
diff --git a/etc/inc/whitelist-1793-workaround.inc b/etc/inc/whitelist-1793-workaround.inc
index 862837f12..06a424440 100644
--- a/etc/inc/whitelist-1793-workaround.inc
+++ b/etc/inc/whitelist-1793-workaround.inc
@@ -3,27 +3,27 @@
 include whitelist-1793-workaround.local
 # This works around bug 1793, and allows whitelisting to be used for some KDE applications.
 
-noblacklist ${HOME}/.config/ibus
-noblacklist ${HOME}/.config/mimeapps.list
-noblacklist ${HOME}/.config/pkcs11
-noblacklist ${HOME}/.config/user-dirs.dirs
-noblacklist ${HOME}/.config/user-dirs.locale
-noblacklist ${HOME}/.config/dconf
-noblacklist ${HOME}/.config/fontconfig
-noblacklist ${HOME}/.config/gtk-2.0
-noblacklist ${HOME}/.config/gtk-3.0
-noblacklist ${HOME}/.config/gtk-4.0
-noblacklist ${HOME}/.config/gtkrc
-noblacklist ${HOME}/.config/gtkrc-2.0
-noblacklist ${HOME}/.config/Kvantum
-noblacklist ${HOME}/.config/Trolltech.conf
-noblacklist ${HOME}/.config/QtProject.conf
-noblacklist ${HOME}/.config/kdeglobals
-noblacklist ${HOME}/.config/kio_httprc
-noblacklist ${HOME}/.config/kioslaverc
-noblacklist ${HOME}/.config/ksslcablacklist
-noblacklist ${HOME}/.config/qt5ct
-noblacklist ${HOME}/.config/qtcurve
+nodeny  ${HOME}/.config/ibus
+nodeny  ${HOME}/.config/mimeapps.list
+nodeny  ${HOME}/.config/pkcs11
+nodeny  ${HOME}/.config/user-dirs.dirs
+nodeny  ${HOME}/.config/user-dirs.locale
+nodeny  ${HOME}/.config/dconf
+nodeny  ${HOME}/.config/fontconfig
+nodeny  ${HOME}/.config/gtk-2.0
+nodeny  ${HOME}/.config/gtk-3.0
+nodeny  ${HOME}/.config/gtk-4.0
+nodeny  ${HOME}/.config/gtkrc
+nodeny  ${HOME}/.config/gtkrc-2.0
+nodeny  ${HOME}/.config/Kvantum
+nodeny  ${HOME}/.config/Trolltech.conf
+nodeny  ${HOME}/.config/QtProject.conf
+nodeny  ${HOME}/.config/kdeglobals
+nodeny  ${HOME}/.config/kio_httprc
+nodeny  ${HOME}/.config/kioslaverc
+nodeny  ${HOME}/.config/ksslcablacklist
+nodeny  ${HOME}/.config/qt5ct
+nodeny  ${HOME}/.config/qtcurve
 
-blacklist ${HOME}/.config/*
-whitelist ${HOME}/.config
+deny  ${HOME}/.config/*
+allow  ${HOME}/.config
diff --git a/etc/inc/whitelist-common.inc b/etc/inc/whitelist-common.inc
index 1d3728521..11070e372 100644
--- a/etc/inc/whitelist-common.inc
+++ b/etc/inc/whitelist-common.inc
@@ -4,81 +4,82 @@ include whitelist-common.local
 
 # common whitelist for all profiles
 
-whitelist ${HOME}/.XCompose
-whitelist ${HOME}/.alsaequal.bin
-whitelist ${HOME}/.asoundrc
-whitelist ${HOME}/.config/ibus
-whitelist ${HOME}/.config/mimeapps.list
-whitelist ${HOME}/.config/pkcs11
+allow  ${HOME}/.XCompose
+allow  ${HOME}/.alsaequal.bin
+allow  ${HOME}/.asoundrc
+allow  ${HOME}/.config/ibus
+allow  ${HOME}/.config/mimeapps.list
+allow  ${HOME}/.config/pkcs11
 read-only ${HOME}/.config/pkcs11
-whitelist ${HOME}/.config/user-dirs.dirs
+allow  ${HOME}/.config/user-dirs.dirs
 read-only ${HOME}/.config/user-dirs.dirs
-whitelist ${HOME}/.config/user-dirs.locale
+allow  ${HOME}/.config/user-dirs.locale
 read-only ${HOME}/.config/user-dirs.locale
-whitelist ${HOME}/.drirc
-whitelist ${HOME}/.icons
+allow  ${HOME}/.drirc
+allow  ${HOME}/.icons
 ?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit
-whitelist ${HOME}/.local/share/applications
+allow  ${HOME}/.local/share/applications
 read-only ${HOME}/.local/share/applications
-whitelist ${HOME}/.local/share/icons
-whitelist ${HOME}/.local/share/mime
-whitelist ${HOME}/.mime.types
-whitelist ${HOME}/.uim.d
+allow  ${HOME}/.local/share/icons
+allow  ${HOME}/.local/share/mime
+allow  ${HOME}/.mime.types
+allow  ${HOME}/.sndio/cookie
+allow  ${HOME}/.uim.d
 
 # dconf
 mkdir ${HOME}/.config/dconf
-whitelist ${HOME}/.config/dconf
+allow  ${HOME}/.config/dconf
 
 # fonts
-whitelist ${HOME}/.cache/fontconfig
-whitelist ${HOME}/.config/fontconfig
-whitelist ${HOME}/.fontconfig
-whitelist ${HOME}/.fonts
-whitelist ${HOME}/.fonts.conf
-whitelist ${HOME}/.fonts.conf.d
-whitelist ${HOME}/.fonts.d
-whitelist ${HOME}/.local/share/fonts
-whitelist ${HOME}/.pangorc
+allow  ${HOME}/.cache/fontconfig
+allow  ${HOME}/.config/fontconfig
+allow  ${HOME}/.fontconfig
+allow  ${HOME}/.fonts
+allow  ${HOME}/.fonts.conf
+allow  ${HOME}/.fonts.conf.d
+allow  ${HOME}/.fonts.d
+allow  ${HOME}/.local/share/fonts
+allow  ${HOME}/.pangorc
 
 # gtk
-whitelist ${HOME}/.config/gtk-2.0
-whitelist ${HOME}/.config/gtk-3.0
-whitelist ${HOME}/.config/gtk-4.0
-whitelist ${HOME}/.config/gtkrc
-whitelist ${HOME}/.config/gtkrc-2.0
-whitelist ${HOME}/.gnome2
-whitelist ${HOME}/.gnome2-private
-whitelist ${HOME}/.gtk-2.0
-whitelist ${HOME}/.gtkrc
-whitelist ${HOME}/.gtkrc-2.0
-whitelist ${HOME}/.kde/share/config/gtkrc
-whitelist ${HOME}/.kde/share/config/gtkrc-2.0
-whitelist ${HOME}/.kde4/share/config/gtkrc
-whitelist ${HOME}/.kde4/share/config/gtkrc-2.0
-whitelist ${HOME}/.local/share/themes
-whitelist ${HOME}/.themes
+allow  ${HOME}/.config/gtk-2.0
+allow  ${HOME}/.config/gtk-3.0
+allow  ${HOME}/.config/gtk-4.0
+allow  ${HOME}/.config/gtkrc
+allow  ${HOME}/.config/gtkrc-2.0
+allow  ${HOME}/.gnome2
+allow  ${HOME}/.gnome2-private
+allow  ${HOME}/.gtk-2.0
+allow  ${HOME}/.gtkrc
+allow  ${HOME}/.gtkrc-2.0
+allow  ${HOME}/.kde/share/config/gtkrc
+allow  ${HOME}/.kde/share/config/gtkrc-2.0
+allow  ${HOME}/.kde4/share/config/gtkrc
+allow  ${HOME}/.kde4/share/config/gtkrc-2.0
+allow  ${HOME}/.local/share/themes
+allow  ${HOME}/.themes
 
 # qt/kde
-whitelist ${HOME}/.cache/kioexec/krun
-whitelist ${HOME}/.config/Kvantum
-whitelist ${HOME}/.config/Trolltech.conf
-whitelist ${HOME}/.config/QtProject.conf
-whitelist ${HOME}/.config/kdeglobals
-whitelist ${HOME}/.config/kio_httprc
-whitelist ${HOME}/.config/kioslaverc
-whitelist ${HOME}/.config/ksslcablacklist
-whitelist ${HOME}/.config/qt5ct
-whitelist ${HOME}/.config/qtcurve
-whitelist ${HOME}/.kde/share/config/kdeglobals
-whitelist ${HOME}/.kde/share/config/kio_httprc
-whitelist ${HOME}/.kde/share/config/kioslaverc
-whitelist ${HOME}/.kde/share/config/ksslcablacklist
-whitelist ${HOME}/.kde/share/config/oxygenrc
-whitelist ${HOME}/.kde/share/icons
-whitelist ${HOME}/.kde4/share/config/kdeglobals
-whitelist ${HOME}/.kde4/share/config/kio_httprc
-whitelist ${HOME}/.kde4/share/config/kioslaverc
-whitelist ${HOME}/.kde4/share/config/ksslcablacklist
-whitelist ${HOME}/.kde4/share/config/oxygenrc
-whitelist ${HOME}/.kde4/share/icons
-whitelist ${HOME}/.local/share/qt5ct
+allow  ${HOME}/.cache/kioexec/krun
+allow  ${HOME}/.config/Kvantum
+allow  ${HOME}/.config/Trolltech.conf
+allow  ${HOME}/.config/QtProject.conf
+allow  ${HOME}/.config/kdeglobals
+allow  ${HOME}/.config/kio_httprc
+allow  ${HOME}/.config/kioslaverc
+allow  ${HOME}/.config/ksslcablacklist
+allow  ${HOME}/.config/qt5ct
+allow  ${HOME}/.config/qtcurve
+allow  ${HOME}/.kde/share/config/kdeglobals
+allow  ${HOME}/.kde/share/config/kio_httprc
+allow  ${HOME}/.kde/share/config/kioslaverc
+allow  ${HOME}/.kde/share/config/ksslcablacklist
+allow  ${HOME}/.kde/share/config/oxygenrc
+allow  ${HOME}/.kde/share/icons
+allow  ${HOME}/.kde4/share/config/kdeglobals
+allow  ${HOME}/.kde4/share/config/kio_httprc
+allow  ${HOME}/.kde4/share/config/kioslaverc
+allow  ${HOME}/.kde4/share/config/ksslcablacklist
+allow  ${HOME}/.kde4/share/config/oxygenrc
+allow  ${HOME}/.kde4/share/icons
+allow  ${HOME}/.local/share/qt5ct
diff --git a/etc/inc/whitelist-player-common.inc b/etc/inc/whitelist-player-common.inc
index e5bf36804..d6ae8eab6 100644
--- a/etc/inc/whitelist-player-common.inc
+++ b/etc/inc/whitelist-player-common.inc
@@ -4,8 +4,8 @@ include whitelist-player-common.local
 
 # common whitelist for all media players
 
-whitelist ${DESKTOP}
-whitelist ${DOWNLOADS}
-whitelist ${MUSIC}
-whitelist ${PICTURES}
-whitelist ${VIDEOS}
+allow  ${DESKTOP}
+allow  ${DOWNLOADS}
+allow  ${MUSIC}
+allow  ${PICTURES}
+allow  ${VIDEOS}
diff --git a/etc/inc/whitelist-run-common.inc b/etc/inc/whitelist-run-common.inc
new file mode 100644
index 000000000..a1345eb43
--- /dev/null
+++ b/etc/inc/whitelist-run-common.inc
@@ -0,0 +1,9 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include whitelist-run-common.local
+
+whitelist /run/NetworkManager/resolv.conf
+whitelist /run/cups/cups.sock
+whitelist /run/dbus/system_bus_socket
+whitelist /run/systemd/resolve/resolv.conf
+whitelist /run/systemd/resolve/stub-resolv.conf
diff --git a/etc/inc/whitelist-runuser-common.inc b/etc/inc/whitelist-runuser-common.inc
index 48309ffe3..86e5264b9 100644
--- a/etc/inc/whitelist-runuser-common.inc
+++ b/etc/inc/whitelist-runuser-common.inc
@@ -4,13 +4,13 @@ include whitelist-runuser-common.local
 
 # common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles
 
-whitelist ${RUNUSER}/bus
-whitelist ${RUNUSER}/dconf
-whitelist ${RUNUSER}/gdm/Xauthority
-whitelist ${RUNUSER}/ICEauthority
-whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
-whitelist ${RUNUSER}/pulse/native
-whitelist ${RUNUSER}/wayland-0
-whitelist ${RUNUSER}/wayland-1
-whitelist ${RUNUSER}/xauth_*
-whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
+allow  ${RUNUSER}/bus
+allow  ${RUNUSER}/dconf
+allow  ${RUNUSER}/gdm/Xauthority
+allow  ${RUNUSER}/ICEauthority
+allow  ${RUNUSER}/.mutter-Xwaylandauth.*
+allow  ${RUNUSER}/pulse/native
+allow  ${RUNUSER}/wayland-0
+allow  ${RUNUSER}/wayland-1
+allow  ${RUNUSER}/xauth_*
+allow  ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index fe0097934..64296da15 100644
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -4,66 +4,66 @@ include whitelist-usr-share-common.local
 
 # common /usr/share whitelist for all profiles
 
-whitelist /usr/share/alsa
-whitelist /usr/share/applications
-whitelist /usr/share/ca-certificates
-whitelist /usr/share/crypto-policies
-whitelist /usr/share/cursors
-whitelist /usr/share/dconf
-whitelist /usr/share/distro-info
-whitelist /usr/share/drirc.d
-whitelist /usr/share/enchant
-whitelist /usr/share/enchant-2
-whitelist /usr/share/file
-whitelist /usr/share/fontconfig
-whitelist /usr/share/fonts
-whitelist /usr/share/fonts-config
-whitelist /usr/share/gir-1.0
-whitelist /usr/share/gjs-1.0
-whitelist /usr/share/glib-2.0
-whitelist /usr/share/glvnd
-whitelist /usr/share/gtk-2.0
-whitelist /usr/share/gtk-3.0
-whitelist /usr/share/gtk-engines
-whitelist /usr/share/gtksourceview-3.0
-whitelist /usr/share/gtksourceview-4
-whitelist /usr/share/hunspell
-whitelist /usr/share/hwdata
-whitelist /usr/share/icons
-whitelist /usr/share/icu
-whitelist /usr/share/knotifications5
-whitelist /usr/share/kservices5
-whitelist /usr/share/Kvantum
-whitelist /usr/share/kxmlgui5
-whitelist /usr/share/libdrm
-whitelist /usr/share/libthai
-whitelist /usr/share/locale
-whitelist /usr/share/mime
-whitelist /usr/share/misc
-whitelist /usr/share/Modules
-whitelist /usr/share/myspell
-whitelist /usr/share/p11-kit
-whitelist /usr/share/perl
-whitelist /usr/share/perl5
-whitelist /usr/share/pixmaps
-whitelist /usr/share/pki
-whitelist /usr/share/plasma
-whitelist /usr/share/publicsuffix
-whitelist /usr/share/qt
-whitelist /usr/share/qt4
-whitelist /usr/share/qt5
-whitelist /usr/share/qt5ct
-whitelist /usr/share/sounds
-whitelist /usr/share/tcl8.6
-whitelist /usr/share/tcltk
-whitelist /usr/share/terminfo
-whitelist /usr/share/texlive
-whitelist /usr/share/texmf
-whitelist /usr/share/themes
-whitelist /usr/share/thumbnail.so
-whitelist /usr/share/uim
-whitelist /usr/share/vulkan
-whitelist /usr/share/X11
-whitelist /usr/share/xml
-whitelist /usr/share/zenity
-whitelist /usr/share/zoneinfo
+allow  /usr/share/alsa
+allow  /usr/share/applications
+allow  /usr/share/ca-certificates
+allow  /usr/share/crypto-policies
+allow  /usr/share/cursors
+allow  /usr/share/dconf
+allow  /usr/share/distro-info
+allow  /usr/share/drirc.d
+allow  /usr/share/enchant
+allow  /usr/share/enchant-2
+allow  /usr/share/file
+allow  /usr/share/fontconfig
+allow  /usr/share/fonts
+allow  /usr/share/fonts-config
+allow  /usr/share/gir-1.0
+allow  /usr/share/gjs-1.0
+allow  /usr/share/glib-2.0
+allow  /usr/share/glvnd
+allow  /usr/share/gtk-2.0
+allow  /usr/share/gtk-3.0
+allow  /usr/share/gtk-engines
+allow  /usr/share/gtksourceview-3.0
+allow  /usr/share/gtksourceview-4
+allow  /usr/share/hunspell
+allow  /usr/share/hwdata
+allow  /usr/share/icons
+allow  /usr/share/icu
+allow  /usr/share/knotifications5
+allow  /usr/share/kservices5
+allow  /usr/share/Kvantum
+allow  /usr/share/kxmlgui5
+allow  /usr/share/libdrm
+allow  /usr/share/libthai
+allow  /usr/share/locale
+allow  /usr/share/mime
+allow  /usr/share/misc
+allow  /usr/share/Modules
+allow  /usr/share/myspell
+allow  /usr/share/p11-kit
+allow  /usr/share/perl
+allow  /usr/share/perl5
+allow  /usr/share/pixmaps
+allow  /usr/share/pki
+allow  /usr/share/plasma
+allow  /usr/share/publicsuffix
+allow  /usr/share/qt
+allow  /usr/share/qt4
+allow  /usr/share/qt5
+allow  /usr/share/qt5ct
+allow  /usr/share/sounds
+allow  /usr/share/tcl8.6
+allow  /usr/share/tcltk
+allow  /usr/share/terminfo
+allow  /usr/share/texlive
+allow  /usr/share/texmf
+allow  /usr/share/themes
+allow  /usr/share/thumbnail.so
+allow  /usr/share/uim
+allow  /usr/share/vulkan
+allow  /usr/share/X11
+allow  /usr/share/xml
+allow  /usr/share/zenity
+allow  /usr/share/zoneinfo
diff --git a/etc/inc/whitelist-var-common.inc b/etc/inc/whitelist-var-common.inc
index d8ba84ad0..c449e8905 100644
--- a/etc/inc/whitelist-var-common.inc
+++ b/etc/inc/whitelist-var-common.inc
@@ -4,12 +4,12 @@ include whitelist-var-common.local
 
 # common /var whitelist for all profiles
 
-whitelist /var/lib/aspell
-whitelist /var/lib/ca-certificates
-whitelist /var/lib/dbus
-whitelist /var/lib/menu-xdg
-whitelist /var/lib/uim
-whitelist /var/cache/fontconfig
-whitelist /var/tmp
-whitelist /var/run
-whitelist /var/lock
+allow  /var/lib/aspell
+allow  /var/lib/ca-certificates
+allow  /var/lib/dbus
+allow  /var/lib/menu-xdg
+allow  /var/lib/uim
+allow  /var/cache/fontconfig
+allow  /var/tmp
+allow  /var/run
+allow  /var/lock
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile
index 4009853d3..6f493fff1 100644
--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -6,11 +6,11 @@ include 0ad.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/0ad
-noblacklist ${HOME}/.config/0ad
-noblacklist ${HOME}/.local/share/0ad
+nodeny  ${HOME}/.cache/0ad
+nodeny  ${HOME}/.config/0ad
+nodeny  ${HOME}/.local/share/0ad
 
-blacklist /usr/libexec
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,11 +23,11 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/0ad
 mkdir ${HOME}/.config/0ad
 mkdir ${HOME}/.local/share/0ad
-whitelist ${HOME}/.cache/0ad
-whitelist ${HOME}/.config/0ad
-whitelist ${HOME}/.local/share/0ad
-whitelist /usr/share/0ad
-whitelist /usr/share/games
+allow  ${HOME}/.cache/0ad
+allow  ${HOME}/.config/0ad
+allow  ${HOME}/.local/share/0ad
+allow  /usr/share/0ad
+allow  /usr/share/games
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/2048-qt.profile b/etc/profile-a-l/2048-qt.profile
index 1d787cba7..3a7b331a7 100644
--- a/etc/profile-a-l/2048-qt.profile
+++ b/etc/profile-a-l/2048-qt.profile
@@ -6,8 +6,8 @@ include 2048-qt.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/2048-qt
-noblacklist ${HOME}/.config/xiaoyong
+nodeny  ${HOME}/.config/2048-qt
+nodeny  ${HOME}/.config/xiaoyong
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/.config/2048-qt
 mkdir ${HOME}/.config/xiaoyong
-whitelist ${HOME}/.config/2048-qt
-whitelist ${HOME}/.config/xiaoyong
+allow  ${HOME}/.config/2048-qt
+allow  ${HOME}/.config/xiaoyong
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/Cryptocat.profile b/etc/profile-a-l/Cryptocat.profile
index 1d86b0fbf..def0ec111 100644
--- a/etc/profile-a-l/Cryptocat.profile
+++ b/etc/profile-a-l/Cryptocat.profile
@@ -5,7 +5,7 @@ include Cryptocat.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Cryptocat
+nodeny  ${HOME}/.config/Cryptocat
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/Discord.profile b/etc/profile-a-l/Discord.profile
index 3f274b21c..1d3ae49ca 100644
--- a/etc/profile-a-l/Discord.profile
+++ b/etc/profile-a-l/Discord.profile
@@ -5,10 +5,10 @@ include Discord.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/discord
+nodeny  ${HOME}/.config/discord
 
 mkdir ${HOME}/.config/discord
-whitelist ${HOME}/.config/discord
+allow  ${HOME}/.config/discord
 
 private-bin Discord
 private-opt Discord
diff --git a/etc/profile-a-l/DiscordCanary.profile b/etc/profile-a-l/DiscordCanary.profile
index d24e73ed8..3c85f187b 100644
--- a/etc/profile-a-l/DiscordCanary.profile
+++ b/etc/profile-a-l/DiscordCanary.profile
@@ -5,10 +5,10 @@ include DiscordCanary.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/discordcanary
+nodeny  ${HOME}/.config/discordcanary
 
 mkdir ${HOME}/.config/discordcanary
-whitelist ${HOME}/.config/discordcanary
+allow  ${HOME}/.config/discordcanary
 
 private-bin DiscordCanary
 private-opt DiscordCanary
diff --git a/etc/profile-a-l/Fritzing.profile b/etc/profile-a-l/Fritzing.profile
index 7dc6b5ff0..8f746581f 100644
--- a/etc/profile-a-l/Fritzing.profile
+++ b/etc/profile-a-l/Fritzing.profile
@@ -6,8 +6,8 @@ include Fritzing.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Fritzing
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/Fritzing
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/JDownloader.profile b/etc/profile-a-l/JDownloader.profile
index d10b70796..9a00c3230 100644
--- a/etc/profile-a-l/JDownloader.profile
+++ b/etc/profile-a-l/JDownloader.profile
@@ -5,7 +5,7 @@ include JDownloader.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.jd
+nodeny  ${HOME}/.jd
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -19,8 +19,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.jd
-whitelist ${HOME}/.jd
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.jd
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
index 75da9a956..2a92c7db4 100644
--- a/etc/profile-a-l/abiword.profile
+++ b/etc/profile-a-l/abiword.profile
@@ -6,7 +6,7 @@ include abiword.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/abiword
+nodeny  ${HOME}/.config/abiword
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
-whitelist /usr/share/abiword-3.0
+allow  /usr/share/abiword-3.0
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/abrowser.profile b/etc/profile-a-l/abrowser.profile
index 2e6e8f1af..70ddcec20 100644
--- a/etc/profile-a-l/abrowser.profile
+++ b/etc/profile-a-l/abrowser.profile
@@ -5,13 +5,13 @@ include abrowser.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/mozilla
-noblacklist ${HOME}/.mozilla
+nodeny  ${HOME}/.cache/mozilla
+nodeny  ${HOME}/.mozilla
 
 mkdir ${HOME}/.cache/mozilla/abrowser
 mkdir ${HOME}/.mozilla
-whitelist ${HOME}/.cache/mozilla/abrowser
-whitelist ${HOME}/.mozilla
+allow  ${HOME}/.cache/mozilla/abrowser
+allow  ${HOME}/.mozilla
 
 # private-etc must first be enabled in firefox-common.profile
 #private-etc abrowser
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
index 34f59769e..d32586c5b 100644
--- a/etc/profile-a-l/agetpkg.profile
+++ b/etc/profile-a-l/agetpkg.profile
@@ -7,8 +7,8 @@ include agetpkg.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
@@ -23,7 +23,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist ${DOWNLOADS}
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile
index 37fdb38b5..7b1d1445f 100644
--- a/etc/profile-a-l/akonadi_control.profile
+++ b/etc/profile-a-l/akonadi_control.profile
@@ -4,22 +4,22 @@ include akonadi_control.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/akonadi*
-noblacklist ${HOME}/.config/akonadi*
-noblacklist ${HOME}/.config/baloorc
-noblacklist ${HOME}/.config/emaildefaults
-noblacklist ${HOME}/.config/emailidentities
-noblacklist ${HOME}/.config/kmail2rc
-noblacklist ${HOME}/.config/mailtransports
-noblacklist ${HOME}/.config/specialmailcollectionsrc
-noblacklist ${HOME}/.local/share/akonadi*
-noblacklist ${HOME}/.local/share/apps/korganizer
-noblacklist ${HOME}/.local/share/contacts
-noblacklist ${HOME}/.local/share/local-mail
-noblacklist ${HOME}/.local/share/notes
-noblacklist /sbin
-noblacklist /tmp/akonadi-*
-noblacklist /usr/sbin
+nodeny  ${HOME}/.cache/akonadi*
+nodeny  ${HOME}/.config/akonadi*
+nodeny  ${HOME}/.config/baloorc
+nodeny  ${HOME}/.config/emaildefaults
+nodeny  ${HOME}/.config/emailidentities
+nodeny  ${HOME}/.config/kmail2rc
+nodeny  ${HOME}/.config/mailtransports
+nodeny  ${HOME}/.config/specialmailcollectionsrc
+nodeny  ${HOME}/.local/share/akonadi*
+nodeny  ${HOME}/.local/share/apps/korganizer
+nodeny  ${HOME}/.local/share/contacts
+nodeny  ${HOME}/.local/share/local-mail
+nodeny  ${HOME}/.local/share/notes
+nodeny  /sbin
+nodeny  /tmp/akonadi-*
+nodeny  /usr/sbin
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile
index 38fcd2dc1..b2323547c 100644
--- a/etc/profile-a-l/akregator.profile
+++ b/etc/profile-a-l/akregator.profile
@@ -6,9 +6,9 @@ include akregator.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/akregatorrc
-noblacklist ${HOME}/.local/share/akregator
-noblacklist ${HOME}/.local/share/kxmlgui5/akregator
+nodeny  ${HOME}/.config/akregatorrc
+nodeny  ${HOME}/.local/share/akregator
+nodeny  ${HOME}/.local/share/kxmlgui5/akregator
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,10 +21,10 @@ include disable-shell.inc
 mkfile ${HOME}/.config/akregatorrc
 mkdir ${HOME}/.local/share/akregator
 mkdir ${HOME}/.local/share/kxmlgui5/akregator
-whitelist ${HOME}/.config/akregatorrc
-whitelist ${HOME}/.local/share/akregator
-whitelist ${HOME}/.local/share/kssl
-whitelist ${HOME}/.local/share/kxmlgui5/akregator
+allow  ${HOME}/.config/akregatorrc
+allow  ${HOME}/.local/share/akregator
+allow  ${HOME}/.local/share/kssl
+allow  ${HOME}/.local/share/kxmlgui5/akregator
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index 4c6d68020..ca6c8d887 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -19,13 +19,13 @@ include disable-passwdmgr.inc
 include disable-xdg.inc
 
 # Whitelist your system icon directory,varies by distro
-whitelist /usr/share/alacarte
-whitelist /usr/share/app-info
-whitelist /usr/share/desktop-directories
-whitelist /usr/share/icons
-whitelist /var/lib/app-info/icons
-whitelist /var/lib/flatpak/exports/share/applications
-whitelist /var/lib/flatpak/exports/share/icons
+allow  /usr/share/alacarte
+allow  /usr/share/app-info
+allow  /usr/share/desktop-directories
+allow  /usr/share/icons
+allow  /var/lib/app-info/icons
+allow  /var/lib/flatpak/exports/share/applications
+allow  /var/lib/flatpak/exports/share/icons
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile
index 81ee6bd46..220c3345d 100644
--- a/etc/profile-a-l/alienarena.profile
+++ b/etc/profile-a-l/alienarena.profile
@@ -6,7 +6,7 @@ include alienarena.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/cor-games
+nodeny  ${HOME}/.local/share/cor-games
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/cor-games
-whitelist ${HOME}/.local/share/cor-games
-whitelist /usr/share/alienarena
+allow  ${HOME}/.local/share/cor-games
+allow  /usr/share/alienarena
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/alpine.profile b/etc/profile-a-l/alpine.profile
index 0b5cf0df0..6fa3edfa1 100644
--- a/etc/profile-a-l/alpine.profile
+++ b/etc/profile-a-l/alpine.profile
@@ -10,28 +10,28 @@ include globals.local
 # Workaround for bug https://github.com/netblue30/firejail/issues/2747
 # firejail --private-bin=sh --include='${CFG}/allow-bin-sh.inc' --profile=alpine sh -c '(alpine)'
 
-noblacklist /var/mail
-noblacklist /var/spool/mail
-noblacklist ${DOCUMENTS}
-noblacklist ${HOME}/.addressbook
-noblacklist ${HOME}/.alpine-smime
-noblacklist ${HOME}/.mailcap
-noblacklist ${HOME}/.mh_profile
-noblacklist ${HOME}/.mime.types
-noblacklist ${HOME}/.newsrc
-noblacklist ${HOME}/.pine-crash
-noblacklist ${HOME}/.pine-debug1
-noblacklist ${HOME}/.pine-debug2
-noblacklist ${HOME}/.pine-debug3
-noblacklist ${HOME}/.pine-debug4
-noblacklist ${HOME}/.pine-interrupted-mail
-noblacklist ${HOME}/.pinerc
-noblacklist ${HOME}/.pinercex
-noblacklist ${HOME}/.signature
-noblacklist ${HOME}/mail
+nodeny  /var/mail
+nodeny  /var/spool/mail
+nodeny  ${DOCUMENTS}
+nodeny  ${HOME}/.addressbook
+nodeny  ${HOME}/.alpine-smime
+nodeny  ${HOME}/.mailcap
+nodeny  ${HOME}/.mh_profile
+nodeny  ${HOME}/.mime.types
+nodeny  ${HOME}/.newsrc
+nodeny  ${HOME}/.pine-crash
+nodeny  ${HOME}/.pine-debug1
+nodeny  ${HOME}/.pine-debug2
+nodeny  ${HOME}/.pine-debug3
+nodeny  ${HOME}/.pine-debug4
+nodeny  ${HOME}/.pine-interrupted-mail
+nodeny  ${HOME}/.pinerc
+nodeny  ${HOME}/.pinercex
+nodeny  ${HOME}/.signature
+nodeny  ${HOME}/mail
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
@@ -60,8 +60,8 @@ include disable-xdg.inc
 #whitelist ${HOME}/.pine-debug4
 #whitelist ${HOME}/.signature
 #whitelist ${HOME}/mail
-whitelist /var/mail
-whitelist /var/spool/mail
+allow  /var/mail
+allow  /var/spool/mail
 #include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile
index a7caddc4c..03aba36e4 100644
--- a/etc/profile-a-l/amarok.profile
+++ b/etc/profile-a-l/amarok.profile
@@ -6,7 +6,7 @@ include amarok.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/amule.profile b/etc/profile-a-l/amule.profile
index e3c4164ee..00039a7e9 100644
--- a/etc/profile-a-l/amule.profile
+++ b/etc/profile-a-l/amule.profile
@@ -6,7 +6,7 @@ include amule.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.aMule
+nodeny  ${HOME}/.aMule
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,8 +16,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.aMule
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.aMule
+allow  ${DOWNLOADS}
+allow  ${HOME}/.aMule
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/android-studio.profile b/etc/profile-a-l/android-studio.profile
index 5a21744cf..5bf6ed773 100644
--- a/etc/profile-a-l/android-studio.profile
+++ b/etc/profile-a-l/android-studio.profile
@@ -5,13 +5,13 @@ include android-studio.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Google
-noblacklist ${HOME}/.AndroidStudio*
-noblacklist ${HOME}/.android
-noblacklist ${HOME}/.jack-server
-noblacklist ${HOME}/.jack-settings
-noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.tooling
+nodeny  ${HOME}/.config/Google
+nodeny  ${HOME}/.AndroidStudio*
+nodeny  ${HOME}/.android
+nodeny  ${HOME}/.jack-server
+nodeny  ${HOME}/.jack-settings
+nodeny  ${HOME}/.local/share/JetBrains
+nodeny  ${HOME}/.tooling
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile
index ef60e91c2..c1aa18ff3 100644
--- a/etc/profile-a-l/anki.profile
+++ b/etc/profile-a-l/anki.profile
@@ -6,8 +6,8 @@ include anki.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
-noblacklist ${HOME}/.local/share/Anki2
+nodeny  ${DOCUMENTS}
+nodeny  ${HOME}/.local/share/Anki2
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -23,8 +23,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/Anki2
-whitelist ${DOCUMENTS}
-whitelist ${HOME}/.local/share/Anki2
+allow  ${DOCUMENTS}
+allow  ${HOME}/.local/share/Anki2
 include whitelist-common.inc
 include whitelist-var-common.inc
 
@@ -46,7 +46,6 @@ protocol unix,inet,inet6
 # QtWebengine needs chroot to set up its own sandbox
 seccomp !chroot
 shell none
-tracelog
 
 disable-mnt
 private-bin anki,python*
diff --git a/etc/profile-a-l/anydesk.profile b/etc/profile-a-l/anydesk.profile
index fdaf10259..cb30ed8da 100644
--- a/etc/profile-a-l/anydesk.profile
+++ b/etc/profile-a-l/anydesk.profile
@@ -5,7 +5,7 @@ include anydesk.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.anydesk
+nodeny  ${HOME}/.anydesk
 
 include disable-common.inc
 include disable-devel.inc
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 
 mkdir ${HOME}/.anydesk
-whitelist ${HOME}/.anydesk
+allow  ${HOME}/.anydesk
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/aosp.profile b/etc/profile-a-l/aosp.profile
index e7b09283e..d647a4657 100644
--- a/etc/profile-a-l/aosp.profile
+++ b/etc/profile-a-l/aosp.profile
@@ -5,13 +5,13 @@ include aosp.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.android
-noblacklist ${HOME}/.bash_history
-noblacklist ${HOME}/.jack-server
-noblacklist ${HOME}/.jack-settings
-noblacklist ${HOME}/.repo_.gitconfig.json
-noblacklist ${HOME}/.repoconfig
-noblacklist ${HOME}/.tooling
+nodeny  ${HOME}/.android
+nodeny  ${HOME}/.bash_history
+nodeny  ${HOME}/.jack-server
+nodeny  ${HOME}/.jack-settings
+nodeny  ${HOME}/.repo_.gitconfig.json
+nodeny  ${HOME}/.repoconfig
+nodeny  ${HOME}/.tooling
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
index 01566314f..020ae2812 100644
--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -6,9 +6,9 @@ include apostrophe.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.texlive20*
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.texlive20*
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -31,12 +31,12 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/libexec/webkit2gtk-4.0
-whitelist /usr/share/apostrophe
-whitelist /usr/share/texlive
-whitelist /usr/share/texmf
-whitelist /usr/share/pandoc-*
-whitelist /usr/share/perl5
+allow  /usr/libexec/webkit2gtk-4.0
+allow  /usr/share/apostrophe
+allow  /usr/share/texlive
+allow  /usr/share/texmf
+allow  /usr/share/pandoc-*
+allow  /usr/share/perl5
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/arch-audit.profile b/etc/profile-a-l/arch-audit.profile
index accabb6f5..8c71dd574 100644
--- a/etc/profile-a-l/arch-audit.profile
+++ b/etc/profile-a-l/arch-audit.profile
@@ -7,7 +7,7 @@ include arch-audit.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /var/lib/pacman
+nodeny  /var/lib/pacman
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/arch-audit
+allow  /usr/share/arch-audit
 include whitelist-usr-share-common.inc
 
 apparmor
diff --git a/etc/profile-a-l/archaudit-report.profile b/etc/profile-a-l/archaudit-report.profile
index 19c37f90e..0915ede33 100644
--- a/etc/profile-a-l/archaudit-report.profile
+++ b/etc/profile-a-l/archaudit-report.profile
@@ -6,7 +6,7 @@ include archaudit-report.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /var/lib/pacman
+nodeny  /var/lib/pacman
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile
index 1fab4606b..5b859ceb1 100644
--- a/etc/profile-a-l/archiver-common.profile
+++ b/etc/profile-a-l/archiver-common.profile
@@ -4,7 +4,7 @@ include archiver-common.local
 
 # common profile for archiver/compression tools
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
 # Comment/uncomment the relevant include file(s) in your archiver-common.local
 # to (un)restrict file access for **all** archivers. Another option is to do this **per archiver**
diff --git a/etc/profile-a-l/ardour5.profile b/etc/profile-a-l/ardour5.profile
index 84b1d6c18..960948afc 100644
--- a/etc/profile-a-l/ardour5.profile
+++ b/etc/profile-a-l/ardour5.profile
@@ -5,12 +5,12 @@ include ardour5.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/ardour4
-noblacklist ${HOME}/.config/ardour5
-noblacklist ${HOME}/.lv2
-noblacklist ${HOME}/.vst
-noblacklist ${DOCUMENTS}
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/ardour4
+nodeny  ${HOME}/.config/ardour5
+nodeny  ${HOME}/.lv2
+nodeny  ${HOME}/.vst
+nodeny  ${DOCUMENTS}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/arduino.profile b/etc/profile-a-l/arduino.profile
index fd1ca9a09..88f14fbfe 100644
--- a/etc/profile-a-l/arduino.profile
+++ b/etc/profile-a-l/arduino.profile
@@ -6,9 +6,9 @@ include arduino.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.arduino15
-noblacklist ${HOME}/Arduino
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.arduino15
+nodeny  ${HOME}/Arduino
+nodeny  ${DOCUMENTS}
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
index 22b8ecd65..be56011f0 100644
--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -6,12 +6,12 @@ include aria2c.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.aria2
-noblacklist ${HOME}/.config/aria2
-noblacklist ${HOME}/.netrc
+nodeny  ${HOME}/.aria2
+nodeny  ${HOME}/.config/aria2
+nodeny  ${HOME}/.netrc
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile
index a63dd8f5f..031c57080 100644
--- a/etc/profile-a-l/ark.profile
+++ b/etc/profile-a-l/ark.profile
@@ -6,8 +6,8 @@ include ark.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/arkrc
-noblacklist ${HOME}/.local/share/kxmlgui5/ark
+nodeny  ${HOME}/.config/arkrc
+nodeny  ${HOME}/.local/share/kxmlgui5/ark
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /usr/share/ark
+allow  /usr/share/ark
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile
index 2c8b630ce..9ed8076be 100644
--- a/etc/profile-a-l/arm.profile
+++ b/etc/profile-a-l/arm.profile
@@ -6,7 +6,7 @@ include arm.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.arm
+nodeny  ${HOME}/.arm
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -20,7 +20,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.arm
-whitelist ${HOME}/.arm
+allow  ${HOME}/.arm
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile
index fab72b7d3..7cfac4915 100644
--- a/etc/profile-a-l/artha.profile
+++ b/etc/profile-a-l/artha.profile
@@ -6,12 +6,12 @@ include artha.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/artha.conf
-noblacklist ${HOME}/.config/artha.log
-noblacklist ${HOME}/.config/enchant
+nodeny  ${HOME}/.config/artha.conf
+nodeny  ${HOME}/.config/artha.log
+nodeny  ${HOME}/.config/enchant
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
@@ -28,8 +28,8 @@ include disable-xdg.inc
 #whitelist ${HOME}/.config/artha.conf
 #whitelist ${HOME}/.config/artha.log
 #whitelist ${HOME}/.config/enchant
-whitelist /usr/share/artha
-whitelist /usr/share/wordnet
+allow  /usr/share/artha
+allow  /usr/share/wordnet
 #include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/assogiate.profile b/etc/profile-a-l/assogiate.profile
index 977fe30a4..f2251c210 100644
--- a/etc/profile-a-l/assogiate.profile
+++ b/etc/profile-a-l/assogiate.profile
@@ -6,7 +6,7 @@ include assogiate.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PICTURES}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist ${PICTURES}
+allow  ${PICTURES}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/asunder.profile b/etc/profile-a-l/asunder.profile
index c97fd691a..e65072266 100644
--- a/etc/profile-a-l/asunder.profile
+++ b/etc/profile-a-l/asunder.profile
@@ -6,11 +6,11 @@ include asunder.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/asunder
-noblacklist ${HOME}/.asunder_album_genre
-noblacklist ${HOME}/.asunder_album_title
-noblacklist ${HOME}/.asunder_album_artist
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/asunder
+nodeny  ${HOME}/.asunder_album_genre
+nodeny  ${HOME}/.asunder_album_title
+nodeny  ${HOME}/.asunder_album_artist
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile
index 5f237ac59..ea3038537 100644
--- a/etc/profile-a-l/atom.profile
+++ b/etc/profile-a-l/atom.profile
@@ -18,8 +18,8 @@ ignore include whitelist-var-common.inc
 ignore apparmor
 ignore disable-mnt
 
-noblacklist ${HOME}/.atom
-noblacklist ${HOME}/.config/Atom
+nodeny  ${HOME}/.atom
+nodeny  ${HOME}/.config/Atom
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile
index 1c3ed66ff..8ae8617cf 100644
--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@@ -6,9 +6,9 @@ include atril.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/atril
-noblacklist ${HOME}/.config/atril
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.cache/atril
+nodeny  ${HOME}/.config/atril
+nodeny  ${DOCUMENTS}
 
 #noblacklist ${HOME}/.local/share
 # it seems to use only ${HOME}/.local/share/webkitgtk
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile
index f9f209786..53baf0a2a 100644
--- a/etc/profile-a-l/audacious.profile
+++ b/etc/profile-a-l/audacious.profile
@@ -6,9 +6,9 @@ include audacious.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Audaciousrc
-noblacklist ${HOME}/.config/audacious
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/Audaciousrc
+nodeny  ${HOME}/.config/audacious
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
index a2de8436a..c244846e1 100644
--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -6,9 +6,9 @@ include audacity.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.audacity-data
-noblacklist ${DOCUMENTS}
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.audacity-data
+nodeny  ${DOCUMENTS}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile
index 2c7fdc812..534792cc6 100644
--- a/etc/profile-a-l/audio-recorder.profile
+++ b/etc/profile-a-l/audio-recorder.profile
@@ -7,7 +7,7 @@ include audio-recorder.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,10 +17,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${MUSIC}
-whitelist ${DOWNLOADS}
-whitelist /usr/share/audio-recorder
-whitelist /usr/share/gstreamer-1.0
+allow  ${MUSIC}
+allow  ${DOWNLOADS}
+allow  /usr/share/audio-recorder
+allow  /usr/share/gstreamer-1.0
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile
index 2ebe35dd5..0d6eb6a21 100644
--- a/etc/profile-a-l/authenticator-rs.profile
+++ b/etc/profile-a-l/authenticator-rs.profile
@@ -6,7 +6,7 @@ include authenticator-rs.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/authenticator-rs
+nodeny  ${HOME}/.local/share/authenticator-rs
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,9 +18,9 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/authenticator-rs
-whitelist ${HOME}/.local/share/authenticator-rs
-whitelist ${DOWNLOADS}
-whitelist /usr/share/uk.co.grumlimited.authenticator-rs
+allow  ${HOME}/.local/share/authenticator-rs
+allow  ${DOWNLOADS}
+allow  /usr/share/uk.co.grumlimited.authenticator-rs
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile
index 42d9cd56a..55d967e3e 100644
--- a/etc/profile-a-l/authenticator.profile
+++ b/etc/profile-a-l/authenticator.profile
@@ -6,8 +6,8 @@ include authenticator.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/Authenticator
-noblacklist ${HOME}/.config/Authenticator
+nodeny  ${HOME}/.cache/Authenticator
+nodeny  ${HOME}/.config/Authenticator
 
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
diff --git a/etc/profile-a-l/autokey-common.profile b/etc/profile-a-l/autokey-common.profile
index 891928e5a..a5b3b22f6 100644
--- a/etc/profile-a-l/autokey-common.profile
+++ b/etc/profile-a-l/autokey-common.profile
@@ -7,8 +7,8 @@ include autokey-common.local
 # added by caller profile
 #include globals.local
 
-noblacklist ${HOME}/.config/autokey
-noblacklist ${HOME}/.local/share/autokey
+nodeny  ${HOME}/.config/autokey
+nodeny  ${HOME}/.local/share/autokey
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/avidemux.profile b/etc/profile-a-l/avidemux.profile
index 1ecc03da1..023ed1ce2 100644
--- a/etc/profile-a-l/avidemux.profile
+++ b/etc/profile-a-l/avidemux.profile
@@ -5,9 +5,9 @@ include avidemux.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.avidemux6
-noblacklist ${HOME}/.config/avidemux3_qt5rc
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.avidemux6
+nodeny  ${HOME}/.config/avidemux3_qt5rc
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,10 +19,10 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.avidemux6
-mkdir ${HOME}/.config/avidemux3_qt5rc
-whitelist ${HOME}/.avidemux6
-whitelist ${HOME}/.config/avidemux3_qt5rc
-whitelist ${VIDEOS}
+mkfile ${HOME}/.config/avidemux3_qt5rc
+allow  ${HOME}/.avidemux6
+allow  ${HOME}/.config/avidemux3_qt5rc
+allow  ${VIDEOS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/aweather.profile b/etc/profile-a-l/aweather.profile
index a57ad4014..abe9fdb24 100644
--- a/etc/profile-a-l/aweather.profile
+++ b/etc/profile-a-l/aweather.profile
@@ -6,7 +6,7 @@ include aweather.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/aweather
+nodeny  ${HOME}/.config/aweather
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-programs.inc
 include disable-shell.inc
 
 mkdir ${HOME}/.config/aweather
-whitelist ${HOME}/.config/aweather
+allow  ${HOME}/.config/aweather
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/awesome.profile b/etc/profile-a-l/awesome.profile
index 5d1bf5071..58f4f5e96 100644
--- a/etc/profile-a-l/awesome.profile
+++ b/etc/profile-a-l/awesome.profile
@@ -7,7 +7,7 @@ include awesome.local
 include globals.local
 
 # all applications started in awesome will run in this profile
-noblacklist ${HOME}/.config/awesome
+nodeny  ${HOME}/.config/awesome
 include disable-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/ballbuster.profile b/etc/profile-a-l/ballbuster.profile
index 3952921a3..46bb0b44e 100644
--- a/etc/profile-a-l/ballbuster.profile
+++ b/etc/profile-a-l/ballbuster.profile
@@ -6,7 +6,7 @@ include ballbuster.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.ballbuster.hs
+nodeny  ${HOME}/.ballbuster.hs
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkfile ${HOME}/.ballbuster.hs
-whitelist ${HOME}/.ballbuster.hs
-whitelist /usr/share/ballbuster
+allow  ${HOME}/.ballbuster.hs
+allow  /usr/share/ballbuster
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile
index fe86d9b80..2b10883f7 100644
--- a/etc/profile-a-l/baloo_file.profile
+++ b/etc/profile-a-l/baloo_file.profile
@@ -12,12 +12,12 @@ include globals.local
 # read-write ${HOME}/.local/share/baloo
 # ignore read-write
 
-noblacklist ${HOME}/.config/baloofilerc
-noblacklist ${HOME}/.kde/share/config/baloofilerc
-noblacklist ${HOME}/.kde/share/config/baloorc
-noblacklist ${HOME}/.kde4/share/config/baloofilerc
-noblacklist ${HOME}/.kde4/share/config/baloorc
-noblacklist ${HOME}/.local/share/baloo
+nodeny  ${HOME}/.config/baloofilerc
+nodeny  ${HOME}/.kde/share/config/baloofilerc
+nodeny  ${HOME}/.kde/share/config/baloorc
+nodeny  ${HOME}/.kde4/share/config/baloofilerc
+nodeny  ${HOME}/.kde4/share/config/baloorc
+nodeny  ${HOME}/.local/share/baloo
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index 8c69652c5..1e74443aa 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -6,13 +6,13 @@ include balsa.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.balsa
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.signature
-noblacklist ${HOME}/mail
-noblacklist /var/mail
-noblacklist /var/spool/mail
+nodeny  ${HOME}/.balsa
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.mozilla
+nodeny  ${HOME}/.signature
+nodeny  ${HOME}/mail
+nodeny  /var/mail
+nodeny  /var/spool/mail
 
 include disable-common.inc
 include disable-devel.inc
@@ -27,17 +27,17 @@ mkdir ${HOME}/.balsa
 mkdir ${HOME}/.gnupg
 mkfile ${HOME}/.signature
 mkdir ${HOME}/mail
-whitelist ${HOME}/.balsa
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
-whitelist ${HOME}/.signature
-whitelist ${HOME}/mail
-whitelist ${RUNUSER}/gnupg
-whitelist /usr/share/balsa
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
-whitelist /var/mail
-whitelist /var/spool/mail
+allow  ${HOME}/.balsa
+allow  ${HOME}/.gnupg
+allow  ${HOME}/.mozilla/firefox/profiles.ini
+allow  ${HOME}/.signature
+allow  ${HOME}/mail
+allow  ${RUNUSER}/gnupg
+allow  /usr/share/balsa
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
+allow  /var/mail
+allow  /var/spool/mail
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/barrier.profile b/etc/profile-a-l/barrier.profile
index 7b50e9199..fcea9b3ba 100644
--- a/etc/profile-a-l/barrier.profile
+++ b/etc/profile-a-l/barrier.profile
@@ -6,9 +6,9 @@ include barrier.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Debauchee/Barrier.conf
-noblacklist ${HOME}/.local/share/barrier
-noblacklist ${PATH}/openssl
+nodeny  ${HOME}/.config/Debauchee/Barrier.conf
+nodeny  ${HOME}/.local/share/barrier
+nodeny  ${PATH}/openssl
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/basilisk.profile b/etc/profile-a-l/basilisk.profile
index 8dc3847a0..547c67fc8 100644
--- a/etc/profile-a-l/basilisk.profile
+++ b/etc/profile-a-l/basilisk.profile
@@ -5,13 +5,13 @@ include basilisk.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/moonchild productions/basilisk
-noblacklist ${HOME}/.moonchild productions/basilisk
+nodeny  ${HOME}/.cache/moonchild productions/basilisk
+nodeny  ${HOME}/.moonchild productions/basilisk
 
 mkdir ${HOME}/.cache/moonchild productions/basilisk
 mkdir ${HOME}/.moonchild productions
-whitelist ${HOME}/.cache/moonchild productions/basilisk
-whitelist ${HOME}/.moonchild productions
+allow  ${HOME}/.cache/moonchild productions/basilisk
+allow  ${HOME}/.moonchild productions
 
 # Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
 seccomp
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile
index 3ecaea7fe..a1d2b1e73 100644
--- a/etc/profile-a-l/bcompare.profile
+++ b/etc/profile-a-l/bcompare.profile
@@ -7,10 +7,10 @@ include bcompare.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/bcompare
+nodeny  ${HOME}/.config/bcompare
 # In case the user decides to include disable-programs.inc, still allow
 # KDE's Gwenview to view images via right click -> Open With -> Associated Application
-noblacklist ${HOME}/.config/gwenviewrc
+nodeny  ${HOME}/.config/gwenviewrc
 
 # Add the next line to your bcompare.local if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
diff --git a/etc/profile-a-l/beaker.profile b/etc/profile-a-l/beaker.profile
index f3a9568bd..588f460a8 100644
--- a/etc/profile-a-l/beaker.profile
+++ b/etc/profile-a-l/beaker.profile
@@ -19,10 +19,10 @@ ignore private-cache
 ignore private-dev
 ignore private-tmp
 
-noblacklist ${HOME}/.config/Beaker Browser
+nodeny  ${HOME}/.config/Beaker Browser
 
 mkdir ${HOME}/.config/Beaker Browser
-whitelist ${HOME}/.config/Beaker Browser
+allow  ${HOME}/.config/Beaker Browser
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
index c7a82afbd..717d7258d 100644
--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -6,11 +6,11 @@ include bibletime.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.bibletime
-noblacklist ${HOME}/.sword
-noblacklist ${HOME}/.local/share/bibletime
+nodeny  ${HOME}/.bibletime
+nodeny  ${HOME}/.sword
+nodeny  ${HOME}/.local/share/bibletime
 
-blacklist ${HOME}/.bashrc
+deny  ${HOME}/.bashrc
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,12 +22,12 @@ include disable-programs.inc
 mkdir ${HOME}/.bibletime
 mkdir ${HOME}/.sword
 mkdir ${HOME}/.local/share/bibletime
-whitelist ${HOME}/.bibletime
-whitelist ${HOME}/.sword
-whitelist ${HOME}/.local/share/bibletime
-whitelist /usr/share/bibletime
-whitelist /usr/share/doc/bibletime
-whitelist /usr/share/sword
+allow  ${HOME}/.bibletime
+allow  ${HOME}/.sword
+allow  ${HOME}/.local/share/bibletime
+allow  /usr/share/bibletime
+allow  /usr/share/doc/bibletime
+allow  /usr/share/sword
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index 854fe5cb9..b02fcc3e0 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -6,7 +6,7 @@ include bijiben.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/bijiben
+nodeny  ${HOME}/.local/share/bijiben
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,12 +18,12 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/bijiben
-whitelist ${HOME}/.local/share/bijiben
-whitelist ${HOME}/.cache/tracker
-whitelist /usr/libexec/webkit2gtk-4.0
-whitelist /usr/share/bijiben
-whitelist /usr/share/tracker
-whitelist /usr/share/tracker3
+allow  ${HOME}/.local/share/bijiben
+allow  ${HOME}/.cache/tracker
+allow  /usr/libexec/webkit2gtk-4.0
+allow  /usr/share/bijiben
+allow  /usr/share/tracker
+allow  /usr/share/tracker3
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/bitcoin-qt.profile b/etc/profile-a-l/bitcoin-qt.profile
index 932db9b73..c4ec0f820 100644
--- a/etc/profile-a-l/bitcoin-qt.profile
+++ b/etc/profile-a-l/bitcoin-qt.profile
@@ -6,8 +6,8 @@ include bitcoin-qt.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.bitcoin
-noblacklist ${HOME}/.config/Bitcoin
+nodeny  ${HOME}/.bitcoin
+nodeny  ${HOME}/.config/Bitcoin
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-shell.inc
 
 mkdir ${HOME}/.bitcoin
 mkdir ${HOME}/.config/Bitcoin
-whitelist ${HOME}/.bitcoin
-whitelist ${HOME}/.config/Bitcoin
+allow  ${HOME}/.bitcoin
+allow  ${HOME}/.config/Bitcoin
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/bitlbee.profile b/etc/profile-a-l/bitlbee.profile
index dd7651979..0f000b26b 100644
--- a/etc/profile-a-l/bitlbee.profile
+++ b/etc/profile-a-l/bitlbee.profile
@@ -8,8 +8,8 @@ include globals.local
 
 ignore noexec ${HOME}
 
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/sbin
 # noblacklist /var/log
 
 include disable-common.inc
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
index bef25276d..4b292d72a 100644
--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -6,54 +6,25 @@ include bitwarden.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore include whitelist-usr-share-common.inc
+
 ignore noexec /tmp
 
-noblacklist ${HOME}/.config/Bitwarden
+nodeny  ${HOME}/.config/Bitwarden
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
 include disable-shell.inc
-include disable-xdg.inc
 
 mkdir ${HOME}/.config/Bitwarden
-whitelist ${HOME}/.config/Bitwarden
-whitelist ${DOWNLOADS}
-include whitelist-common.inc
-include whitelist-var-common.inc
+allow  ${HOME}/.config/Bitwarden
 
-apparmor
-caps.drop all
 machine-id
-netfilter
 no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
 nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp !chroot
-shell none
-#tracelog - breaks on Arch
-
-private-bin bitwarden
-private-cache
+
 ?HAS_APPIMAGE: ignore private-dev
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.conf,pki,resolv.conf,ssl
 private-opt Bitwarden
-private-tmp
-
-# breaks appindicator (tray) functionality
-# dbus-user none
-# dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/blackbox.profile b/etc/profile-a-l/blackbox.profile
index 233f9a96f..616ad6801 100644
--- a/etc/profile-a-l/blackbox.profile
+++ b/etc/profile-a-l/blackbox.profile
@@ -7,7 +7,7 @@ include blackbox.local
 include globals.local
 
 # all applications started in blackbox will run in this profile
-noblacklist ${HOME}/.blackbox
+nodeny  ${HOME}/.blackbox
 include disable-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/blender.profile b/etc/profile-a-l/blender.profile
index 701ae431e..8d0b5616f 100644
--- a/etc/profile-a-l/blender.profile
+++ b/etc/profile-a-l/blender.profile
@@ -6,7 +6,7 @@ include blender.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/blender
+nodeny  ${HOME}/.config/blender
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -20,8 +20,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 # Allow usage of AMD GPU by OpenCL
-noblacklist /sys/module
-whitelist /sys/module/amdgpu
+nodeny  /sys/module
+allow  /sys/module/amdgpu
 read-only /sys/module/amdgpu
 
 caps.drop all
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile
index 80dc750f7..ca5f96eee 100644
--- a/etc/profile-a-l/bless.profile
+++ b/etc/profile-a-l/bless.profile
@@ -6,7 +6,7 @@ include bless.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/bless
+nodeny  ${HOME}/.config/bless
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile
index 229c20293..ee2a73b54 100644
--- a/etc/profile-a-l/blobby.profile
+++ b/etc/profile-a-l/blobby.profile
@@ -4,7 +4,7 @@ include blobby.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.blobby
+nodeny  ${HOME}/.blobby
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,9 +16,9 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.blobby
-whitelist ${HOME}/.blobby
+allow  ${HOME}/.blobby
 include whitelist-common.inc
-whitelist /usr/share/blobby
+allow  /usr/share/blobby
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
index 904710cb5..e0be5261e 100644
--- a/etc/profile-a-l/blobwars.profile
+++ b/etc/profile-a-l/blobwars.profile
@@ -6,7 +6,7 @@ include blobwars.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.parallelrealities/blobwars
+nodeny  ${HOME}/.parallelrealities/blobwars
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.parallelrealities/blobwars
-whitelist ${HOME}/.parallelrealities/blobwars
-whitelist /usr/share/blobwars
+allow  ${HOME}/.parallelrealities/blobwars
+allow  /usr/share/blobwars
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/bnox.profile b/etc/profile-a-l/bnox.profile
index 6e8f0d7d1..dcfd5d8d2 100644
--- a/etc/profile-a-l/bnox.profile
+++ b/etc/profile-a-l/bnox.profile
@@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/bnox
-noblacklist ${HOME}/.config/bnox
+nodeny  ${HOME}/.cache/bnox
+nodeny  ${HOME}/.config/bnox
 
 mkdir ${HOME}/.cache/bnox
 mkdir ${HOME}/.config/bnox
-whitelist ${HOME}/.cache/bnox
-whitelist ${HOME}/.config/bnox
+allow  ${HOME}/.cache/bnox
+allow  ${HOME}/.config/bnox
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/brackets.profile b/etc/profile-a-l/brackets.profile
index 0cbac049a..a14bb8fef 100644
--- a/etc/profile-a-l/brackets.profile
+++ b/etc/profile-a-l/brackets.profile
@@ -5,7 +5,7 @@ include brackets.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Brackets
+nodeny  ${HOME}/.config/Brackets
 #noblacklist /opt/brackets
 #noblacklist /opt/google
 
diff --git a/etc/profile-a-l/brasero.profile b/etc/profile-a-l/brasero.profile
index 417a6b3e0..a78882409 100644
--- a/etc/profile-a-l/brasero.profile
+++ b/etc/profile-a-l/brasero.profile
@@ -6,7 +6,7 @@ include brasero.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/brasero
+nodeny  ${HOME}/.config/brasero
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile
index 09548c761..bc2d7a6a1 100644
--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
@@ -14,24 +14,24 @@ ignore noexec /tmp
 # Alternatively you can add 'ignore apparmor' to your brave.local.
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.cache/BraveSoftware
-noblacklist ${HOME}/.config/BraveSoftware
-noblacklist ${HOME}/.config/brave
-noblacklist ${HOME}/.config/brave-flags.conf
+nodeny  ${HOME}/.cache/BraveSoftware
+nodeny  ${HOME}/.config/BraveSoftware
+nodeny  ${HOME}/.config/brave
+nodeny  ${HOME}/.config/brave-flags.conf
 # brave uses gpg for built-in password manager
-noblacklist ${HOME}/.gnupg
+nodeny  ${HOME}/.gnupg
 
 mkdir ${HOME}/.cache/BraveSoftware
 mkdir ${HOME}/.config/BraveSoftware
 mkdir ${HOME}/.config/brave
-whitelist ${HOME}/.cache/BraveSoftware
-whitelist ${HOME}/.config/BraveSoftware
-whitelist ${HOME}/.config/brave
-whitelist ${HOME}/.config/brave-flags.conf
-whitelist ${HOME}/.gnupg
+allow  ${HOME}/.cache/BraveSoftware
+allow  ${HOME}/.config/BraveSoftware
+allow  ${HOME}/.config/brave
+allow  ${HOME}/.config/brave-flags.conf
+allow  ${HOME}/.gnupg
 
 # Brave sandbox needs read access to /proc/config.gz
-noblacklist /proc/config.gz
+nodeny  /proc/config.gz
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/bzflag.profile b/etc/profile-a-l/bzflag.profile
index bda96bbb3..62ca041c2 100644
--- a/etc/profile-a-l/bzflag.profile
+++ b/etc/profile-a-l/bzflag.profile
@@ -6,7 +6,7 @@ include bzflag.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.bzf
+nodeny  ${HOME}/.bzf
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.bzf
-whitelist ${HOME}/.bzf
+allow  ${HOME}/.bzf
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/calibre.profile b/etc/profile-a-l/calibre.profile
index 83571397b..99706620c 100644
--- a/etc/profile-a-l/calibre.profile
+++ b/etc/profile-a-l/calibre.profile
@@ -6,9 +6,9 @@ include calibre.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/calibre
-noblacklist ${HOME}/.config/calibre
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.cache/calibre
+nodeny  ${HOME}/.config/calibre
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/calligra.profile b/etc/profile-a-l/calligra.profile
index fcff47662..36ecc06a0 100644
--- a/etc/profile-a-l/calligra.profile
+++ b/etc/profile-a-l/calligra.profile
@@ -6,7 +6,7 @@ include calligra.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/kxmlgui5/calligra
+nodeny  ${HOME}/.local/share/kxmlgui5/calligra
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/calligragemini.profile b/etc/profile-a-l/calligragemini.profile
index 006c307ab..76123c96a 100644
--- a/etc/profile-a-l/calligragemini.profile
+++ b/etc/profile-a-l/calligragemini.profile
@@ -6,7 +6,7 @@ include calligragemini.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.local/share/calligragemini
+nodeny  ${HOME}/.local/share/calligragemini
 
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/calligraplan.profile b/etc/profile-a-l/calligraplan.profile
index 81dbd4dcd..5fb1e16da 100644
--- a/etc/profile-a-l/calligraplan.profile
+++ b/etc/profile-a-l/calligraplan.profile
@@ -6,7 +6,7 @@ include calligraplan.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.local/share/kxmlgui5/calligraplan
+nodeny  ${HOME}/.local/share/kxmlgui5/calligraplan
 
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/calligraplanwork.profile b/etc/profile-a-l/calligraplanwork.profile
index bba91b66b..c176bfea1 100644
--- a/etc/profile-a-l/calligraplanwork.profile
+++ b/etc/profile-a-l/calligraplanwork.profile
@@ -6,7 +6,7 @@ include calligraplanwork.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.local/share/kxmlgui5/calligraplanwork
+nodeny  ${HOME}/.local/share/kxmlgui5/calligraplanwork
 
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/calligrasheets.profile b/etc/profile-a-l/calligrasheets.profile
index 7bc296047..b7ac68945 100644
--- a/etc/profile-a-l/calligrasheets.profile
+++ b/etc/profile-a-l/calligrasheets.profile
@@ -6,7 +6,7 @@ include calligrasheets.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.local/share/kxmlgui5/calligrasheets
+nodeny  ${HOME}/.local/share/kxmlgui5/calligrasheets
 
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/calligrastage.profile b/etc/profile-a-l/calligrastage.profile
index 7694abbe4..1258fec56 100644
--- a/etc/profile-a-l/calligrastage.profile
+++ b/etc/profile-a-l/calligrastage.profile
@@ -6,7 +6,7 @@ include calligrastage.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.local/share/kxmlgui5/calligrastage
+nodeny  ${HOME}/.local/share/kxmlgui5/calligrastage
 
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/calligrawords.profile b/etc/profile-a-l/calligrawords.profile
index d69d56a95..c2b6c8041 100644
--- a/etc/profile-a-l/calligrawords.profile
+++ b/etc/profile-a-l/calligrawords.profile
@@ -6,7 +6,7 @@ include calligrawords.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.local/share/kxmlgui5/calligrawords
+nodeny  ${HOME}/.local/share/kxmlgui5/calligrawords
 
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile
index 74c7cc34b..390ae383c 100644
--- a/etc/profile-a-l/cameramonitor.profile
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -20,7 +20,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/cameramonitor
+allow  /usr/share/cameramonitor
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/cantata.profile b/etc/profile-a-l/cantata.profile
index 96f88a7c4..77bdc09e0 100644
--- a/etc/profile-a-l/cantata.profile
+++ b/etc/profile-a-l/cantata.profile
@@ -6,10 +6,10 @@ include cantata.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/cantata
-noblacklist ${HOME}/.config/cantata
-noblacklist ${HOME}/.local/share/cantata
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.cache/cantata
+nodeny  ${HOME}/.config/cantata
+nodeny  ${HOME}/.local/share/cantata
+nodeny  ${MUSIC}
 
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
index 7cf04c550..9c53af84f 100644
--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -10,11 +10,11 @@ include globals.local
 ignore noexec ${HOME}
 ignore noexec /tmp
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
-noblacklist ${HOME}/.cargo/credentials
-noblacklist ${HOME}/.cargo/credentials.toml
+nodeny  ${HOME}/.cargo/credentials
+nodeny  ${HOME}/.cargo/credentials.toml
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
@@ -34,7 +34,7 @@ include disable-xdg.inc
 #whitelist ${HOME}/.cargo
 #whitelist ${HOME}/.rustup
 #include whitelist-common.inc
-whitelist /usr/share/pkgconfig
+allow  /usr/share/pkgconfig
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/catfish.profile b/etc/profile-a-l/catfish.profile
index 009d3a049..4ea53ea6b 100644
--- a/etc/profile-a-l/catfish.profile
+++ b/etc/profile-a-l/catfish.profile
@@ -9,7 +9,7 @@ include globals.local
 # We can't blacklist much since catfish
 # is for finding files/content
 
-noblacklist ${HOME}/.config/catfish
+nodeny  ${HOME}/.config/catfish
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -21,7 +21,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 # include disable-programs.inc
 
-whitelist /var/lib/mlocate
+allow  /var/lib/mlocate
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
index 6e137010c..d7aee1902 100644
--- a/etc/profile-a-l/cawbird.profile
+++ b/etc/profile-a-l/cawbird.profile
@@ -6,7 +6,7 @@ include cawbird.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/cawbird
+nodeny  ${HOME}/.config/cawbird
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 1c539cc93..d6f4306ba 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -6,9 +6,9 @@ include celluloid.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/celluloid
-noblacklist ${HOME}/.config/gnome-mpv
-noblacklist ${HOME}/.config/youtube-dl
+nodeny  ${HOME}/.config/celluloid
+nodeny  ${HOME}/.config/gnome-mpv
+nodeny  ${HOME}/.config/youtube-dl
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -17,7 +17,7 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
-blacklist /usr/libexec
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
@@ -30,9 +30,9 @@ read-only ${DESKTOP}
 mkdir ${HOME}/.config/celluloid
 mkdir ${HOME}/.config/gnome-mpv
 mkdir ${HOME}/.config/youtube-dl
-whitelist ${HOME}/.config/celluloid
-whitelist ${HOME}/.config/gnome-mpv
-whitelist ${HOME}/.config/youtube-dl
+allow  ${HOME}/.config/celluloid
+allow  ${HOME}/.config/gnome-mpv
+allow  ${HOME}/.config/youtube-dl
 include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/checkbashisms.profile b/etc/profile-a-l/checkbashisms.profile
index 24939fc70..0f61084e0 100644
--- a/etc/profile-a-l/checkbashisms.profile
+++ b/etc/profile-a-l/checkbashisms.profile
@@ -7,9 +7,9 @@ include checkbashisms.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile
index aca1f5876..bde3e1311 100644
--- a/etc/profile-a-l/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -6,8 +6,8 @@ include cheese.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${VIDEOS}
-noblacklist ${PICTURES}
+nodeny  ${VIDEOS}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,9 +17,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${VIDEOS}
-whitelist ${PICTURES}
-whitelist /usr/share/gnome-video-effects
+allow  ${VIDEOS}
+allow  ${PICTURES}
+allow  /usr/share/gnome-video-effects
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/cherrytree.profile b/etc/profile-a-l/cherrytree.profile
index 7621b3c8c..d5dedd81d 100644
--- a/etc/profile-a-l/cherrytree.profile
+++ b/etc/profile-a-l/cherrytree.profile
@@ -6,8 +6,8 @@ include cherrytree.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/cherrytree
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/cherrytree
+nodeny  ${DOCUMENTS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/chromium-browser-privacy.profile b/etc/profile-a-l/chromium-browser-privacy.profile
index 8803a4d9d..64c45772a 100644
--- a/etc/profile-a-l/chromium-browser-privacy.profile
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -3,15 +3,15 @@
 # Persistent local customizations
 include chromium-browser-privacy.local
 
-noblacklist ${HOME}/.cache/ungoogled-chromium
-noblacklist ${HOME}/.config/ungoogled-chromium
+nodeny  ${HOME}/.cache/ungoogled-chromium
+nodeny  ${HOME}/.config/ungoogled-chromium
 
-blacklist /usr/libexec
+deny  /usr/libexec
 
 mkdir ${HOME}/.cache/ungoogled-chromium
 mkdir ${HOME}/.config/ungoogled-chromium
-whitelist ${HOME}/.cache/ungoogled-chromium
-whitelist ${HOME}/.config/ungoogled-chromium
+allow  ${HOME}/.cache/ungoogled-chromium
+allow  ${HOME}/.config/ungoogled-chromium
 
 # private-bin basename,bash,cat,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
 
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index b0e0254d4..dbeb715d4 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -9,8 +9,8 @@ include chromium-common.local
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
 # Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser
 # to have access to Gnome extensions (extensions.gnome.org) via browser connector
@@ -26,9 +26,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
+allow  ${DOWNLOADS}
+allow  ${HOME}/.pki
+allow  ${HOME}/.local/share/pki
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/chromium.profile b/etc/profile-a-l/chromium.profile
index 9ac33aa1c..ea92e90a8 100644
--- a/etc/profile-a-l/chromium.profile
+++ b/etc/profile-a-l/chromium.profile
@@ -6,17 +6,17 @@ include chromium.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/chromium
-noblacklist ${HOME}/.config/chromium
-noblacklist ${HOME}/.config/chromium-flags.conf
+nodeny  ${HOME}/.cache/chromium
+nodeny  ${HOME}/.config/chromium
+nodeny  ${HOME}/.config/chromium-flags.conf
 
 mkdir ${HOME}/.cache/chromium
 mkdir ${HOME}/.config/chromium
-whitelist ${HOME}/.cache/chromium
-whitelist ${HOME}/.config/chromium
-whitelist ${HOME}/.config/chromium-flags.conf
-whitelist /usr/share/chromium
-whitelist /usr/share/mozilla/extensions
+allow  ${HOME}/.cache/chromium
+allow  ${HOME}/.config/chromium
+allow  ${HOME}/.config/chromium-flags.conf
+allow  /usr/share/chromium
+allow  /usr/share/mozilla/extensions
 
 # private-bin chromium,chromium-browser,chromedriver
 
diff --git a/etc/profile-a-l/cin.profile b/etc/profile-a-l/cin.profile
index e1f9523c4..c967e1c96 100644
--- a/etc/profile-a-l/cin.profile
+++ b/etc/profile-a-l/cin.profile
@@ -5,7 +5,7 @@ include cin.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.bcast5
+nodeny  ${HOME}/.bcast5
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/clamav.profile b/etc/profile-a-l/clamav.profile
index e403c2c41..0efbcd4f2 100644
--- a/etc/profile-a-l/clamav.profile
+++ b/etc/profile-a-l/clamav.profile
@@ -7,7 +7,7 @@ include clamav.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 include disable-exec.inc
 
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index 691657fa0..3e4e1f2a1 100644
--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -6,17 +6,17 @@ include claws-mail.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.claws-mail
+nodeny  ${HOME}/.claws-mail
 
 mkdir ${HOME}/.claws-mail
-whitelist ${HOME}/.claws-mail
+allow  ${HOME}/.claws-mail
 
 # Add the below lines to your claws-mail.local if you use python-based plugins.
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
 #include allow-python3.inc
 
-whitelist /usr/share/doc/claws-mail
+allow  /usr/share/doc/claws-mail
 
 # private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2
 
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
index 9b62a1f73..ee64391d9 100644
--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -6,7 +6,7 @@ include clawsker.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.claws-mail
+nodeny  ${HOME}/.claws-mail
 
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
@@ -19,7 +19,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.claws-mail
-whitelist ${HOME}/.claws-mail
+allow  ${HOME}/.claws-mail
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/clementine.profile b/etc/profile-a-l/clementine.profile
index fa33795c1..f9c0006f9 100644
--- a/etc/profile-a-l/clementine.profile
+++ b/etc/profile-a-l/clementine.profile
@@ -6,9 +6,9 @@ include clementine.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/Clementine
-noblacklist ${HOME}/.config/Clementine
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.cache/Clementine
+nodeny  ${HOME}/.config/Clementine
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/clion-eap.profile b/etc/profile-a-l/clion-eap.profile
new file mode 100644
index 000000000..3602c3e7b
--- /dev/null
+++ b/etc/profile-a-l/clion-eap.profile
@@ -0,0 +1,10 @@
+# Firejail profile for CLion EAP
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clion-eap.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include clion.profile
diff --git a/etc/profile-a-l/clion.profile b/etc/profile-a-l/clion.profile
index 22cecff09..5c5399069 100644
--- a/etc/profile-a-l/clion.profile
+++ b/etc/profile-a-l/clion.profile
@@ -5,13 +5,16 @@ include clion.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.CLion*
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.java
-noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.tooling
+nodeny  ${HOME}/.config/JetBrains/CLion*
+nodeny  ${HOME}/.cache/JetBrains/CLion*
+nodeny  ${HOME}/.clion*
+nodeny  ${HOME}/.CLion*
+nodeny  ${HOME}/.config/git
+nodeny  ${HOME}/.gitconfig
+nodeny  ${HOME}/.git-credentials
+nodeny  ${HOME}/.java
+nodeny  ${HOME}/.local/share/JetBrains
+nodeny  ${HOME}/.tooling
 
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile
index c8258da07..89f8d96f0 100644
--- a/etc/profile-a-l/clipgrab.profile
+++ b/etc/profile-a-l/clipgrab.profile
@@ -6,9 +6,9 @@ include clipgrab.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Philipp Schmieder
-noblacklist ${HOME}/.pki
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/Philipp Schmieder
+nodeny  ${HOME}/.pki
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/clipit.profile b/etc/profile-a-l/clipit.profile
index d421903a3..4a2a5171b 100644
--- a/etc/profile-a-l/clipit.profile
+++ b/etc/profile-a-l/clipit.profile
@@ -6,8 +6,8 @@ include clipit.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/clipit
-noblacklist ${HOME}/.local/share/clipit
+nodeny  ${HOME}/.config/clipit
+nodeny  ${HOME}/.local/share/clipit
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/clipit
 mkdir ${HOME}/.local/share/clipit
-whitelist ${HOME}/.config/clipit
-whitelist ${HOME}/.local/share/clipit
+allow  ${HOME}/.config/clipit
+allow  ${HOME}/.local/share/clipit
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/cliqz.profile b/etc/profile-a-l/cliqz.profile
index d0b8cc0ef..22c6ef882 100644
--- a/etc/profile-a-l/cliqz.profile
+++ b/etc/profile-a-l/cliqz.profile
@@ -5,16 +5,16 @@ include cliqz.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/cliqz
-noblacklist ${HOME}/.cliqz
-noblacklist ${HOME}/.config/cliqz
+nodeny  ${HOME}/.cache/cliqz
+nodeny  ${HOME}/.cliqz
+nodeny  ${HOME}/.config/cliqz
 
 mkdir ${HOME}/.cache/cliqz
 mkdir ${HOME}/.cliqz
 mkdir ${HOME}/.config/cliqz
-whitelist ${HOME}/.cache/cliqz
-whitelist ${HOME}/.cliqz
-whitelist ${HOME}/.config/cliqz
+allow  ${HOME}/.cache/cliqz
+allow  ${HOME}/.cliqz
+allow  ${HOME}/.config/cliqz
 
 # private-etc must first be enabled in firefox-common.profile
 #private-etc cliqz
diff --git a/etc/profile-a-l/cmus.profile b/etc/profile-a-l/cmus.profile
index bcd557787..51e53209f 100644
--- a/etc/profile-a-l/cmus.profile
+++ b/etc/profile-a-l/cmus.profile
@@ -6,8 +6,8 @@ include cmus.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/cmus
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/cmus
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/code.profile b/etc/profile-a-l/code.profile
index e19b78908..1933c66fa 100644
--- a/etc/profile-a-l/code.profile
+++ b/etc/profile-a-l/code.profile
@@ -5,10 +5,10 @@ include code.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Code
-noblacklist ${HOME}/.config/Code - OSS
-noblacklist ${HOME}/.vscode
-noblacklist ${HOME}/.vscode-oss
+nodeny  ${HOME}/.config/Code
+nodeny  ${HOME}/.config/Code - OSS
+nodeny  ${HOME}/.vscode
+nodeny  ${HOME}/.vscode-oss
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/colorful.profile b/etc/profile-a-l/colorful.profile
index bd6d8f5b0..efa7f516c 100644
--- a/etc/profile-a-l/colorful.profile
+++ b/etc/profile-a-l/colorful.profile
@@ -6,7 +6,7 @@ include colorful.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.suve/colorful
+nodeny  ${HOME}/.suve/colorful
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.suve/colorful
-whitelist ${HOME}/.suve/colorful
-whitelist /usr/share/suve
+allow  ${HOME}/.suve/colorful
+allow  /usr/share/suve
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
index c8bdfec23..34b662959 100644
--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -6,7 +6,7 @@ include com.github.bleakgrey.tootle.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/com.github.bleakgrey.tootle
+nodeny  ${HOME}/.config/com.github.bleakgrey.tootle
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/com.github.bleakgrey.tootle
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/com.github.bleakgrey.tootle
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/com.github.bleakgrey.tootle
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile
index b467a0f7a..4e26e4925 100644
--- a/etc/profile-a-l/com.github.dahenson.agenda.profile
+++ b/etc/profile-a-l/com.github.dahenson.agenda.profile
@@ -6,9 +6,9 @@ include com.github.dahenson.agenda.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/agenda
-noblacklist ${HOME}/.config/agenda
-noblacklist ${HOME}/.local/share/agenda
+nodeny  ${HOME}/.cache/agenda
+nodeny  ${HOME}/.config/agenda
+nodeny  ${HOME}/.local/share/agenda
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,9 +22,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/agenda
 mkdir ${HOME}/.config/agenda
 mkdir ${HOME}/.local/share/agenda
-whitelist ${HOME}/.cache/agenda
-whitelist ${HOME}/.config/agenda
-whitelist ${HOME}/.local/share/agenda
+allow  ${HOME}/.cache/agenda
+allow  ${HOME}/.config/agenda
+allow  ${HOME}/.local/share/agenda
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
index c13f9618b..bbfc1fe41 100644
--- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
+++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
@@ -6,9 +6,9 @@ include foliate.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
-noblacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
-noblacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
+nodeny  ${DOCUMENTS}
+nodeny  ${HOME}/.cache/com.github.johnfactotum.Foliate
+nodeny  ${HOME}/.local/share/com.github.johnfactotum.Foliate
 
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
@@ -24,12 +24,12 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/com.github.johnfactotum.Foliate
 mkdir ${HOME}/.local/share/com.github.johnfactotum.Foliate
-whitelist ${HOME}/.cache/com.github.johnfactotum.Foliate
-whitelist ${HOME}/.local/share/com.github.johnfactotum.Foliate
-whitelist ${DOCUMENTS}
-whitelist ${DOWNLOADS}
-whitelist /usr/share/com.github.johnfactotum.Foliate
-whitelist /usr/share/hyphen
+allow  ${HOME}/.cache/com.github.johnfactotum.Foliate
+allow  ${HOME}/.local/share/com.github.johnfactotum.Foliate
+allow  ${DOCUMENTS}
+allow  ${DOWNLOADS}
+allow  /usr/share/com.github.johnfactotum.Foliate
+allow  /usr/share/hyphen
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/com.github.phase1geo.minder.profile b/etc/profile-a-l/com.github.phase1geo.minder.profile
index d0402d188..3e9acc6c8 100644
--- a/etc/profile-a-l/com.github.phase1geo.minder.profile
+++ b/etc/profile-a-l/com.github.phase1geo.minder.profile
@@ -6,9 +6,9 @@ include com.github.phase1geo.minder.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/minder
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.local/share/minder
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,10 +20,10 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/minder
-whitelist ${HOME}/.local/share/minder
-whitelist ${DOCUMENTS}
-whitelist ${DOWNLOADS}
-whitelist ${PICTURES}
+allow  ${HOME}/.local/share/minder
+allow  ${DOCUMENTS}
+allow  ${DOWNLOADS}
+allow  ${PICTURES}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/conkeror.profile b/etc/profile-a-l/conkeror.profile
index 38edf0d21..6cc9ec551 100644
--- a/etc/profile-a-l/conkeror.profile
+++ b/etc/profile-a-l/conkeror.profile
@@ -5,23 +5,23 @@ include conkeror.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.conkeror.mozdev.org
+nodeny  ${HOME}/.conkeror.mozdev.org
 
 include disable-common.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.conkeror.mozdev.org
 mkfile ${HOME}/.conkerorrc
-whitelist ${HOME}/.conkeror.mozdev.org
-whitelist ${HOME}/.conkerorrc
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.conkeror.mozdev.org
+allow  ${HOME}/.conkerorrc
+allow  ${HOME}/.lastpass
+allow  ${HOME}/.pentadactyl
+allow  ${HOME}/.pentadactylrc
+allow  ${HOME}/.vimperator
+allow  ${HOME}/.vimperatorrc
+allow  ${HOME}/.zotero
+allow  ${HOME}/dwhelper
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/conky.profile b/etc/profile-a-l/conky.profile
index eaa18739d..1b3fe6651 100644
--- a/etc/profile-a-l/conky.profile
+++ b/etc/profile-a-l/conky.profile
@@ -6,7 +6,7 @@ include conky.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PICTURES}
+nodeny  ${PICTURES}
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
diff --git a/etc/profile-a-l/corebird.profile b/etc/profile-a-l/corebird.profile
index 2fb446e2a..266c404ee 100644
--- a/etc/profile-a-l/corebird.profile
+++ b/etc/profile-a-l/corebird.profile
@@ -6,7 +6,7 @@ include corebird.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/corebird
+nodeny  ${HOME}/.config/corebird
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
index 1635995dc..0a1353e40 100644
--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -7,8 +7,8 @@ include cower.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/cower
-noblacklist /var/lib/pacman
+nodeny  ${HOME}/.config/cower
+nodeny  /var/lib/pacman
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile
index 7ece35c2b..5e48c8022 100644
--- a/etc/profile-a-l/coyim.profile
+++ b/etc/profile-a-l/coyim.profile
@@ -6,7 +6,7 @@ include coyim.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/coyim
+nodeny  ${HOME}/.config/coyim
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/coyim
-whitelist ${HOME}/.config/coyim
+allow  ${HOME}/.config/coyim
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/cpio.profile b/etc/profile-a-l/cpio.profile
index bdc4f21a6..dec8c086b 100644
--- a/etc/profile-a-l/cpio.profile
+++ b/etc/profile-a-l/cpio.profile
@@ -7,8 +7,8 @@ include cpio.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/sbin
 
 # Redirect
 include archiver-common.profile
diff --git a/etc/profile-a-l/crawl.profile b/etc/profile-a-l/crawl.profile
index b10216895..81292c01c 100644
--- a/etc/profile-a-l/crawl.profile
+++ b/etc/profile-a-l/crawl.profile
@@ -6,7 +6,7 @@ include crawl-tiles.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.crawl
+nodeny  ${HOME}/.crawl
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.crawl
-whitelist ${HOME}/.crawl
+allow  ${HOME}/.crawl
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile
index 02b15ecc2..36bd93778 100644
--- a/etc/profile-a-l/crow.profile
+++ b/etc/profile-a-l/crow.profile
@@ -8,8 +8,8 @@ include globals.local
 
 mkdir ${HOME}/.config/crow
 mkdir ${HOME}/.cache/gstreamer-1.0
-whitelist ${HOME}/.config/crow
-whitelist ${HOME}/.cache/gstreamer-1.0
+allow  ${HOME}/.config/crow
+allow  ${HOME}/.cache/gstreamer-1.0
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index c9867c5d7..4950b7a4c 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -12,11 +12,11 @@ include globals.local
 # Technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts.
 # If your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local
 # and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact.
-noblacklist ${HOME}/.curl-hsts
-noblacklist ${HOME}/.curlrc
+nodeny  ${HOME}/.curl-hsts
+nodeny  ${HOME}/.curlrc
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
 include disable-common.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/cyberfox.profile b/etc/profile-a-l/cyberfox.profile
index d1fff0004..49f972e4a 100644
--- a/etc/profile-a-l/cyberfox.profile
+++ b/etc/profile-a-l/cyberfox.profile
@@ -5,13 +5,13 @@ include cyberfox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.8pecxstudios
-noblacklist ${HOME}/.cache/8pecxstudios
+nodeny  ${HOME}/.8pecxstudios
+nodeny  ${HOME}/.cache/8pecxstudios
 
 mkdir ${HOME}/.8pecxstudios
 mkdir ${HOME}/.cache/8pecxstudios
-whitelist ${HOME}/.8pecxstudios
-whitelist ${HOME}/.cache/8pecxstudios
+allow  ${HOME}/.8pecxstudios
+allow  ${HOME}/.cache/8pecxstudios
 
 # private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
 # private-etc must first be enabled in firefox-common.profile
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
index ba1e7adad..c7ce1730a 100644
--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -6,7 +6,7 @@ include d-feet.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/d-feet
+nodeny  ${HOME}/.config/d-feet
 
 # Allow python (disabled by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,8 +22,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/d-feet
-whitelist ${HOME}/.config/d-feet
-whitelist /usr/share/d-feet
+allow  ${HOME}/.config/d-feet
+allow  /usr/share/d-feet
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/darktable.profile b/etc/profile-a-l/darktable.profile
index 61fa52928..4d51c255e 100644
--- a/etc/profile-a-l/darktable.profile
+++ b/etc/profile-a-l/darktable.profile
@@ -6,9 +6,9 @@ include darktable.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/darktable
-noblacklist ${HOME}/.config/darktable
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.cache/darktable
+nodeny  ${HOME}/.config/darktable
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
index 67a61bb60..745042d6f 100644
--- a/etc/profile-a-l/dbus-send.profile
+++ b/etc/profile-a-l/dbus-send.profile
@@ -7,8 +7,8 @@ include dbus-send.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index 0c221850a..c1231c6cf 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist ${HOME}/.local/share/glib-2.0
+allow  ${HOME}/.local/share/glib-2.0
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile
index be7514cbf..b9d385adf 100644
--- a/etc/profile-a-l/dconf.profile
+++ b/etc/profile-a-l/dconf.profile
@@ -6,7 +6,7 @@ include dconf.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${HOME}/.local/share/glib-2.0
+allow  ${HOME}/.local/share/glib-2.0
 # dconf paths are whitelisted by the following
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile
index 5b95b74be..09fa7a07a 100644
--- a/etc/profile-a-l/ddgtk.profile
+++ b/etc/profile-a-l/ddgtk.profile
@@ -18,8 +18,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${DOWNLOADS}
-whitelist /usr/share/ddgtk
+allow  ${DOWNLOADS}
+allow  /usr/share/ddgtk
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/deadbeef.profile b/etc/profile-a-l/deadbeef.profile
index a221ebbd7..25fa944a1 100644
--- a/etc/profile-a-l/deadbeef.profile
+++ b/etc/profile-a-l/deadbeef.profile
@@ -6,8 +6,8 @@ include deadbeef.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/deadbeef
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/deadbeef
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/deluge.profile b/etc/profile-a-l/deluge.profile
index ad7aa6ed5..d41a4a023 100644
--- a/etc/profile-a-l/deluge.profile
+++ b/etc/profile-a-l/deluge.profile
@@ -6,7 +6,7 @@ include deluge.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/deluge
+nodeny  ${HOME}/.config/deluge
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -20,8 +20,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.config/deluge
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/deluge
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/deluge
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/desktopeditors.profile b/etc/profile-a-l/desktopeditors.profile
index 212cdab60..aed4355d5 100644
--- a/etc/profile-a-l/desktopeditors.profile
+++ b/etc/profile-a-l/desktopeditors.profile
@@ -6,9 +6,9 @@ include desktopeditors.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/onlyoffice
-noblacklist ${HOME}/.local/share/onlyoffice
-noblacklist ${HOME}/.pki
+nodeny  ${HOME}/.config/onlyoffice
+nodeny  ${HOME}/.local/share/onlyoffice
+nodeny  ${HOME}/.pki
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
index 5007f8e74..dc0f290fb 100644
--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -16,9 +16,9 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/devhelp
-whitelist /usr/share/doc
-whitelist /usr/share/gtk-doc/html
+allow  /usr/share/devhelp
+allow  /usr/share/doc
+allow  /usr/share/gtk-doc/html
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile
index 6267b5709..631f15f93 100644
--- a/etc/profile-a-l/devilspie.profile
+++ b/etc/profile-a-l/devilspie.profile
@@ -6,9 +6,9 @@ include devilspie.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${HOME}/.devilspie
+nodeny  ${HOME}/.devilspie
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,7 +19,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.devilspie
-whitelist ${HOME}/.devilspie
+allow  ${HOME}/.devilspie
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/devilspie2.profile b/etc/profile-a-l/devilspie2.profile
index 9eab3f536..140c9da0f 100644
--- a/etc/profile-a-l/devilspie2.profile
+++ b/etc/profile-a-l/devilspie2.profile
@@ -6,17 +6,17 @@ include devilspie2.local
 # Persistent global definitions
 #include globals.local
 
-blacklist ${HOME}/.devilspie
+deny  ${HOME}/.devilspie
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${HOME}/.config/devilspie2
+nodeny  ${HOME}/.config/devilspie2
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
 
 mkdir ${HOME}/.config/devilspie2
-whitelist ${HOME}/.config/devilspie2
+allow  ${HOME}/.config/devilspie2
 
 private-bin devilspie2
 
diff --git a/etc/profile-a-l/dia.profile b/etc/profile-a-l/dia.profile
index 531734b7d..2a808238b 100644
--- a/etc/profile-a-l/dia.profile
+++ b/etc/profile-a-l/dia.profile
@@ -6,8 +6,8 @@ include dia.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.dia
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.dia
+nodeny  ${DOCUMENTS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -25,7 +25,7 @@ include disable-xdg.inc
 #whitelist ${HOME}/.dia
 #whitelist ${DOCUMENTS}
 #include whitelist-common.inc
-whitelist /usr/share/dia
+allow  /usr/share/dia
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile
index 247159a8a..2d683b811 100644
--- a/etc/profile-a-l/dig.profile
+++ b/etc/profile-a-l/dig.profile
@@ -7,11 +7,11 @@ include dig.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.digrc
-noblacklist ${PATH}/dig
+nodeny  ${HOME}/.digrc
+nodeny  ${PATH}/dig
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
 include disable-common.inc
 # include disable-devel.inc
@@ -22,7 +22,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 #mkfile ${HOME}/.digrc - see #903
-whitelist ${HOME}/.digrc
+allow  ${HOME}/.digrc
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile
index 2ca7bd400..124b50952 100644
--- a/etc/profile-a-l/digikam.profile
+++ b/etc/profile-a-l/digikam.profile
@@ -6,12 +6,12 @@ include digikam.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/digikam
-noblacklist ${HOME}/.config/digikamrc
-noblacklist ${HOME}/.kde/share/apps/digikam
-noblacklist ${HOME}/.kde4/share/apps/digikam
-noblacklist ${HOME}/.local/share/kxmlgui5/digikam
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.config/digikam
+nodeny  ${HOME}/.config/digikamrc
+nodeny  ${HOME}/.kde/share/apps/digikam
+nodeny  ${HOME}/.kde4/share/apps/digikam
+nodeny  ${HOME}/.local/share/kxmlgui5/digikam
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/dillo.profile b/etc/profile-a-l/dillo.profile
index 9871a6095..883466f4d 100644
--- a/etc/profile-a-l/dillo.profile
+++ b/etc/profile-a-l/dillo.profile
@@ -6,7 +6,7 @@ include dillo.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.dillo
+nodeny  ${HOME}/.dillo
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,9 +16,9 @@ include disable-programs.inc
 
 mkdir ${HOME}/.dillo
 mkdir ${HOME}/.fltk
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.dillo
-whitelist ${HOME}/.fltk
+allow  ${DOWNLOADS}
+allow  ${HOME}/.dillo
+allow  ${HOME}/.fltk
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile
index c3174b35f..3078bef71 100644
--- a/etc/profile-a-l/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -6,7 +6,7 @@ include dino.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/dino
+nodeny  ${HOME}/.local/share/dino
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 include disable-shell.inc
 
 mkdir ${HOME}/.local/share/dino
-whitelist ${HOME}/.local/share/dino
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.local/share/dino
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/discord-canary.profile b/etc/profile-a-l/discord-canary.profile
index 43db95b8a..1c53cd211 100644
--- a/etc/profile-a-l/discord-canary.profile
+++ b/etc/profile-a-l/discord-canary.profile
@@ -5,10 +5,10 @@ include discord-canary.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/discordcanary
+nodeny  ${HOME}/.config/discordcanary
 
 mkdir ${HOME}/.config/discordcanary
-whitelist ${HOME}/.config/discordcanary
+allow  ${HOME}/.config/discordcanary
 
 private-bin discord-canary,electron,electron[0-9],electron[0-9][0-9]
 private-opt discord-canary
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index 19e7bd9ab..6bee1901c 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -20,8 +20,8 @@ ignore dbus-system none
 ignore noexec ${HOME}
 ignore novideo
 
-whitelist ${HOME}/.config/BetterDiscord
-whitelist ${HOME}/.local/share/betterdiscordctl
+allow  ${HOME}/.config/BetterDiscord
+allow  ${HOME}/.local/share/betterdiscordctl
 
 private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
diff --git a/etc/profile-a-l/discord.profile b/etc/profile-a-l/discord.profile
index 8ef02a30f..658d3fc83 100644
--- a/etc/profile-a-l/discord.profile
+++ b/etc/profile-a-l/discord.profile
@@ -5,10 +5,10 @@ include discord.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/discord
+nodeny  ${HOME}/.config/discord
 
 mkdir ${HOME}/.config/discord
-whitelist ${HOME}/.config/discord
+allow  ${HOME}/.config/discord
 
 private-bin discord
 private-opt discord
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile
index 11f3fd36e..4474b97d2 100644
--- a/etc/profile-a-l/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -5,7 +5,7 @@ include display.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PICTURES}
+nodeny  ${PICTURES}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/dnox.profile b/etc/profile-a-l/dnox.profile
index 51ba6f8b7..8c3d6211b 100644
--- a/etc/profile-a-l/dnox.profile
+++ b/etc/profile-a-l/dnox.profile
@@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/dnox
-noblacklist ${HOME}/.config/dnox
+nodeny  ${HOME}/.cache/dnox
+nodeny  ${HOME}/.config/dnox
 
 mkdir ${HOME}/.cache/dnox
 mkdir ${HOME}/.config/dnox
-whitelist ${HOME}/.cache/dnox
-whitelist ${HOME}/.config/dnox
+allow  ${HOME}/.cache/dnox
+allow  ${HOME}/.config/dnox
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/dnscrypt-proxy.profile b/etc/profile-a-l/dnscrypt-proxy.profile
index f8fb1a331..dbcef36f8 100644
--- a/etc/profile-a-l/dnscrypt-proxy.profile
+++ b/etc/profile-a-l/dnscrypt-proxy.profile
@@ -7,11 +7,11 @@ include dnscrypt-proxy.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/sbin
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,7 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/dnscrypt-proxy
+allow  /usr/share/dnscrypt-proxy
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/dnsmasq.profile b/etc/profile-a-l/dnsmasq.profile
index 01398c2b2..b1acbf392 100644
--- a/etc/profile-a-l/dnsmasq.profile
+++ b/etc/profile-a-l/dnsmasq.profile
@@ -7,11 +7,11 @@ include dnsmasq.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/sbin
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile
index 49feec32e..15b312ecb 100644
--- a/etc/profile-a-l/dolphin-emu.profile
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -8,9 +8,9 @@ include globals.local
 
 # Note: you must whitelist your games folder in your dolphin-emu.local.
 
-noblacklist ${HOME}/.cache/dolphin-emu
-noblacklist ${HOME}/.config/dolphin-emu
-noblacklist ${HOME}/.local/share/dolphin-emu
+nodeny  ${HOME}/.cache/dolphin-emu
+nodeny  ${HOME}/.config/dolphin-emu
+nodeny  ${HOME}/.local/share/dolphin-emu
 
 include disable-common.inc
 include disable-devel.inc
@@ -24,10 +24,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/dolphin-emu
 mkdir ${HOME}/.config/dolphin-emu
 mkdir ${HOME}/.local/share/dolphin-emu
-whitelist ${HOME}/.cache/dolphin-emu
-whitelist ${HOME}/.config/dolphin-emu
-whitelist ${HOME}/.local/share/dolphin-emu
-whitelist /usr/share/dolphin-emu
+allow  ${HOME}/.cache/dolphin-emu
+allow  ${HOME}/.config/dolphin-emu
+allow  ${HOME}/.local/share/dolphin-emu
+allow  /usr/share/dolphin-emu
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/dooble.profile b/etc/profile-a-l/dooble.profile
index 37a4113cb..3b0adcc36 100644
--- a/etc/profile-a-l/dooble.profile
+++ b/etc/profile-a-l/dooble.profile
@@ -7,7 +7,7 @@ include dooble-qt4.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.dooble
+nodeny  ${HOME}/.dooble
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.dooble
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.dooble
+allow  ${DOWNLOADS}
+allow  ${HOME}/.dooble
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/dosbox.profile b/etc/profile-a-l/dosbox.profile
index 988f66f28..29e506764 100644
--- a/etc/profile-a-l/dosbox.profile
+++ b/etc/profile-a-l/dosbox.profile
@@ -6,8 +6,8 @@ include dosbox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.dosbox
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.dosbox
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/dragon.profile b/etc/profile-a-l/dragon.profile
index 8fa01d504..90ca11774 100644
--- a/etc/profile-a-l/dragon.profile
+++ b/etc/profile-a-l/dragon.profile
@@ -6,9 +6,9 @@ include dragon.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/dragonplayerrc
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/dragonplayerrc
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,7 +19,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/dragonplayer
+allow  /usr/share/dragonplayer
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile
index 82d96e405..84a77ce34 100644
--- a/etc/profile-a-l/drawio.profile
+++ b/etc/profile-a-l/drawio.profile
@@ -6,7 +6,7 @@ include drawio.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/draw.io
+nodeny  ${HOME}/.config/draw.io
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/draw.io
-whitelist ${HOME}/.config/draw.io
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.config/draw.io
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile
index 068bd88d8..e177fd60e 100644
--- a/etc/profile-a-l/drill.profile
+++ b/etc/profile-a-l/drill.profile
@@ -7,10 +7,10 @@ include drill.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PATH}/drill
+nodeny  ${PATH}/drill
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/profile-a-l/dropbox.profile b/etc/profile-a-l/dropbox.profile
index b3b2aaf40..274cdd478 100644
--- a/etc/profile-a-l/dropbox.profile
+++ b/etc/profile-a-l/dropbox.profile
@@ -5,9 +5,9 @@ include dropbox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/autostart
-noblacklist ${HOME}/.dropbox
-noblacklist ${HOME}/.dropbox-dist
+nodeny  ${HOME}/.config/autostart
+nodeny  ${HOME}/.dropbox
+nodeny  ${HOME}/.dropbox-dist
 
 # Allow python3 (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
@@ -22,10 +22,10 @@ mkdir ${HOME}/.dropbox
 mkdir ${HOME}/.dropbox-dist
 mkdir ${HOME}/Dropbox
 mkfile ${HOME}/.config/autostart/dropbox.desktop
-whitelist ${HOME}/.config/autostart/dropbox.desktop
-whitelist ${HOME}/.dropbox
-whitelist ${HOME}/.dropbox-dist
-whitelist ${HOME}/Dropbox
+allow  ${HOME}/.config/autostart/dropbox.desktop
+allow  ${HOME}/.dropbox
+allow  ${HOME}/.dropbox-dist
+allow  ${HOME}/Dropbox
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile
index 38e4b16f7..da54fec34 100644
--- a/etc/profile-a-l/easystroke.profile
+++ b/etc/profile-a-l/easystroke.profile
@@ -6,7 +6,7 @@ include easystroke.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.easystroke
+nodeny  ${HOME}/.easystroke
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.easystroke
-whitelist ${HOME}/.easystroke
+allow  ${HOME}/.easystroke
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 278dd6cbd..10e57371e 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -6,7 +6,7 @@ include electron-mail.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/electron-mail
+nodeny  ${HOME}/.config/electron-mail
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/electron-mail
-whitelist ${HOME}/.config/electron-mail
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.config/electron-mail
+allow  ${DOWNLOADS}
 
 include whitelist-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile
index 493af79d4..e8d8d35c4 100644
--- a/etc/profile-a-l/electron.profile
+++ b/etc/profile-a-l/electron.profile
@@ -12,7 +12,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${DOWNLOADS}
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile
index ad636d71a..f6691017c 100644
--- a/etc/profile-a-l/electrum.profile
+++ b/etc/profile-a-l/electrum.profile
@@ -6,7 +6,7 @@ include electrum.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.electrum
+nodeny  ${HOME}/.electrum
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,7 +22,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.electrum
-whitelist ${HOME}/.electrum
+allow  ${HOME}/.electrum
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
index 48a826f2e..ec28866b8 100644
--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -9,11 +9,11 @@ include element-desktop.local
 
 ignore dbus-user none
 
-noblacklist ${HOME}/.config/Element
+nodeny  ${HOME}/.config/Element
 
 mkdir ${HOME}/.config/Element
-whitelist ${HOME}/.config/Element
-whitelist /opt/Element
+allow  ${HOME}/.config/Element
+allow  /opt/Element
 
 private-opt Element
 
diff --git a/etc/profile-a-l/elinks.profile b/etc/profile-a-l/elinks.profile
index 5a29eb24b..30dca05cb 100644
--- a/etc/profile-a-l/elinks.profile
+++ b/etc/profile-a-l/elinks.profile
@@ -7,10 +7,10 @@ include elinks.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.elinks
+nodeny  ${HOME}/.elinks
 
 mkdir ${HOME}/.elinks
-whitelist ${HOME}/.elinks
+allow  ${HOME}/.elinks
 
 private-bin elinks
 
diff --git a/etc/profile-a-l/emacs.profile b/etc/profile-a-l/emacs.profile
index 55bf743ef..f0e0e2830 100644
--- a/etc/profile-a-l/emacs.profile
+++ b/etc/profile-a-l/emacs.profile
@@ -6,8 +6,8 @@ include emacs.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.emacs
-noblacklist ${HOME}/.emacs.d
+nodeny  ${HOME}/.emacs
+nodeny  ${HOME}/.emacs.d
 # Add the next line to your emacs.local if you need gpg support.
 #noblacklist ${HOME}/.gnupg
 
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 6c9a8a6ea..5fc72d340 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -7,14 +7,14 @@ include email-common.local
 # added by caller profile
 #include globals.local
 
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.signature
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.mozilla
+nodeny  ${HOME}/.signature
 # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
 # and 'blacklist' it in your disable-common.local too so it is  kept hidden from other applications
-noblacklist ${HOME}/Mail
+nodeny  ${HOME}/Mail
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -27,17 +27,17 @@ include disable-xdg.inc
 mkdir ${HOME}/.gnupg
 mkfile ${HOME}/.config/mimeapps.list
 mkfile ${HOME}/.signature
-whitelist ${HOME}/.config/mimeapps.list
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.signature
-whitelist ${DOCUMENTS}
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.config/mimeapps.list
+allow  ${HOME}/.mozilla/firefox/profiles.ini
+allow  ${HOME}/.gnupg
+allow  ${HOME}/.signature
+allow  ${DOCUMENTS}
+allow  ${DOWNLOADS}
 # when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
-whitelist ${HOME}/Mail
-whitelist ${RUNUSER}/gnupg
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
+allow  ${HOME}/Mail
+allow  ${RUNUSER}/gnupg
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile
index ac17b1726..36015b702 100644
--- a/etc/profile-a-l/enchant.profile
+++ b/etc/profile-a-l/enchant.profile
@@ -6,9 +6,9 @@ include enchant.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${HOME}/.config/enchant
+nodeny  ${HOME}/.config/enchant
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,7 +19,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/enchant
-whitelist ${HOME}/.config/enchant
+allow  ${HOME}/.config/enchant
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/enox.profile b/etc/profile-a-l/enox.profile
index d982433e2..9a1d89bba 100644
--- a/etc/profile-a-l/enox.profile
+++ b/etc/profile-a-l/enox.profile
@@ -10,15 +10,15 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/Enox
-noblacklist ${HOME}/.config/Enox
+nodeny  ${HOME}/.cache/Enox
+nodeny  ${HOME}/.config/Enox
 
 #mkdir ${HOME}/.cache/dnox
 #mkdir ${HOME}/.config/dnox
 mkdir ${HOME}/.cache/Enox
 mkdir ${HOME}/.config/Enox
-whitelist ${HOME}/.cache/Enox
-whitelist ${HOME}/.config/Enox
+allow  ${HOME}/.cache/Enox
+allow  ${HOME}/.config/Enox
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/enpass.profile b/etc/profile-a-l/enpass.profile
index c4123b4c2..5d8f8a0b9 100644
--- a/etc/profile-a-l/enpass.profile
+++ b/etc/profile-a-l/enpass.profile
@@ -6,11 +6,11 @@ include enpass.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/Enpass
-noblacklist ${HOME}/.config/sinew.in
-noblacklist ${HOME}/.config/Sinew Software Systems
-noblacklist ${HOME}/.local/share/Enpass
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.cache/Enpass
+nodeny  ${HOME}/.config/sinew.in
+nodeny  ${HOME}/.config/Sinew Software Systems
+nodeny  ${HOME}/.local/share/Enpass
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -24,11 +24,11 @@ mkdir ${HOME}/.cache/Enpass
 mkfile ${HOME}/.config/sinew.in
 mkdir ${HOME}/.config/Sinew Software Systems
 mkdir ${HOME}/.local/share/Enpass
-whitelist ${HOME}/.cache/Enpass
-whitelist ${HOME}/.config/sinew.in
-whitelist ${HOME}/.config/Sinew Software Systems
-whitelist ${HOME}/.local/share/Enpass
-whitelist ${DOCUMENTS}
+allow  ${HOME}/.cache/Enpass
+allow  ${HOME}/.config/sinew.in
+allow  ${HOME}/.config/Sinew Software Systems
+allow  ${HOME}/.local/share/Enpass
+allow  ${DOCUMENTS}
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index fe7913e77..ff7040e5c 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -7,11 +7,11 @@ include eo-common.local
 # added by caller profile
 #include globals.local
 
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.steam
+nodeny  ${HOME}/.local/share/Trash
+nodeny  ${HOME}/.Steam
+nodeny  ${HOME}/.steam
 
-blacklist /usr/libexec
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile
index 5892374bd..e8592c7df 100644
--- a/etc/profile-a-l/eog.profile
+++ b/etc/profile-a-l/eog.profile
@@ -6,9 +6,9 @@ include eog.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/eog
+nodeny  ${HOME}/.config/eog
 
-whitelist /usr/share/eog
+allow  /usr/share/eog
 
 # private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'.
 # Add the next lines to your eog.local if you need that functionality.
diff --git a/etc/profile-a-l/eom.profile b/etc/profile-a-l/eom.profile
index 7143a8e03..323f5ade2 100644
--- a/etc/profile-a-l/eom.profile
+++ b/etc/profile-a-l/eom.profile
@@ -6,9 +6,9 @@ include eom.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mate/eom
+nodeny  ${HOME}/.config/mate/eom
 
-whitelist /usr/share/eom
+allow  /usr/share/eom
 
 # private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'.
 # Add the next lines to your eom.local if you need that functionality.
diff --git a/etc/profile-a-l/ephemeral.profile b/etc/profile-a-l/ephemeral.profile
index 131d68951..3657742b9 100644
--- a/etc/profile-a-l/ephemeral.profile
+++ b/etc/profile-a-l/ephemeral.profile
@@ -9,8 +9,8 @@ include globals.local
 # enforce private-cache
 #noblacklist ${HOME}/.cache/ephemeral
 
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
@@ -27,9 +27,9 @@ mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
 # enforce private-cache
 #whitelist ${HOME}/.cache/ephemeral
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.pki
+allow  ${HOME}/.local/share/pki
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/epiphany.profile b/etc/profile-a-l/epiphany.profile
index 225811226..daedb2193 100644
--- a/etc/profile-a-l/epiphany.profile
+++ b/etc/profile-a-l/epiphany.profile
@@ -9,9 +9,9 @@ include globals.local
 # Note: Epiphany use bwrap since 3.34 and can not be firejailed any more.
 # See https://github.com/netblue30/firejail/issues/2995
 
-noblacklist ${HOME}/.cache/epiphany
-noblacklist ${HOME}/.config/epiphany
-noblacklist ${HOME}/.local/share/epiphany
+nodeny  ${HOME}/.cache/epiphany
+nodeny  ${HOME}/.config/epiphany
+nodeny  ${HOME}/.local/share/epiphany
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,10 +21,10 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/epiphany
 mkdir ${HOME}/.config/epiphany
 mkdir ${HOME}/.local/share/epiphany
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/epiphany
-whitelist ${HOME}/.config/epiphany
-whitelist ${HOME}/.local/share/epiphany
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/epiphany
+allow  ${HOME}/.config/epiphany
+allow  ${HOME}/.local/share/epiphany
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile
index 964d3b7ca..ac957870c 100644
--- a/etc/profile-a-l/equalx.profile
+++ b/etc/profile-a-l/equalx.profile
@@ -6,8 +6,8 @@ include equalx.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/equalx
-noblacklist ${HOME}/.equalx
+nodeny  ${HOME}/.config/equalx
+nodeny  ${HOME}/.equalx
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,13 +20,13 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/equalx
 mkdir ${HOME}/.equalx
-whitelist ${HOME}/.config/equalx
-whitelist ${HOME}/.equalx
-whitelist /usr/share/poppler
-whitelist /usr/share/ghostscript
-whitelist /usr/share/texlive
-whitelist /usr/share/equalx
-whitelist /var/lib/texmf
+allow  ${HOME}/.config/equalx
+allow  ${HOME}/.equalx
+allow  /usr/share/poppler
+allow  /usr/share/ghostscript
+allow  /usr/share/texlive
+allow  /usr/share/equalx
+allow  /var/lib/texmf
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index fdff1e4b5..a2f46b757 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -6,9 +6,9 @@ include etr.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.etr
+nodeny  ${HOME}/.etr
 
-blacklist /usr/libexec
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,10 +20,10 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.etr
-whitelist ${HOME}/.etr
-whitelist /usr/share/etr
+allow  ${HOME}/.etr
+allow  /usr/share/etr
 # Debian version
-whitelist /usr/share/games/etr
+allow  /usr/share/games/etr
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index a9e39b15c..ce2617ad6 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -10,10 +10,10 @@ include globals.local
 # Add the next line to your evince.local if you need bookmarks support. This also needs additional dbus-user filtering (see below).
 #noblacklist ${HOME}/.local/share/gvfs-metadata
 
-noblacklist ${HOME}/.config/evince
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/evince
+nodeny  ${DOCUMENTS}
 
-blacklist /usr/libexec
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
@@ -24,10 +24,10 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/doc
-whitelist /usr/share/evince
-whitelist /usr/share/poppler
-whitelist /usr/share/tracker
+allow  /usr/share/doc
+allow  /usr/share/evince
+allow  /usr/share/poppler
+allow  /usr/share/tracker
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile
index 7222493ac..142498a28 100644
--- a/etc/profile-a-l/evolution.profile
+++ b/etc/profile-a-l/evolution.profile
@@ -6,15 +6,15 @@ include evolution.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /var/mail
-noblacklist /var/spool/mail
-noblacklist ${HOME}/.bogofilter
-noblacklist ${HOME}/.cache/evolution
-noblacklist ${HOME}/.config/evolution
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.local/share/evolution
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  /var/mail
+nodeny  /var/spool/mail
+nodeny  ${HOME}/.bogofilter
+nodeny  ${HOME}/.cache/evolution
+nodeny  ${HOME}/.config/evolution
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.local/share/evolution
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile
index 7b09a2c64..216814989 100644
--- a/etc/profile-a-l/exiftool.profile
+++ b/etc/profile-a-l/exiftool.profile
@@ -6,7 +6,7 @@ include exiftool.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
@@ -18,7 +18,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /usr/share/perl-image-exiftool
+allow  /usr/share/perl-image-exiftool
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index b2061db79..9bb42945b 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -6,8 +6,8 @@ include falkon.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/falkon
-noblacklist ${HOME}/.config/falkon
+nodeny  ${HOME}/.cache/falkon
+nodeny  ${HOME}/.config/falkon
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,10 +19,10 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/falkon
 mkdir ${HOME}/.config/falkon
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/falkon
-whitelist ${HOME}/.config/falkon
-whitelist /usr/share/falkon
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/falkon
+allow  ${HOME}/.config/falkon
+allow  /usr/share/falkon
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/fbreader.profile b/etc/profile-a-l/fbreader.profile
index 8e81000fd..d141c6ed5 100644
--- a/etc/profile-a-l/fbreader.profile
+++ b/etc/profile-a-l/fbreader.profile
@@ -6,8 +6,8 @@ include fbreader.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.FBReader
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.FBReader
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index 31cb1776c..17a365053 100644
--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -5,11 +5,11 @@ include fdns.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/sbin
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/feedreader.profile b/etc/profile-a-l/feedreader.profile
index 664ec2da6..359be083e 100644
--- a/etc/profile-a-l/feedreader.profile
+++ b/etc/profile-a-l/feedreader.profile
@@ -6,8 +6,8 @@ include feedreader.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/feedreader
-noblacklist ${HOME}/.local/share/feedreader
+nodeny  ${HOME}/.cache/feedreader
+nodeny  ${HOME}/.local/share/feedreader
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,9 +20,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/feedreader
 mkdir ${HOME}/.local/share/feedreader
-whitelist ${HOME}/.cache/feedreader
-whitelist ${HOME}/.local/share/feedreader
-whitelist /usr/share/feedreader
+allow  ${HOME}/.cache/feedreader
+allow  ${HOME}/.local/share/feedreader
+allow  /usr/share/feedreader
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/ferdi.profile b/etc/profile-a-l/ferdi.profile
index a2372ec8a..f60055f37 100644
--- a/etc/profile-a-l/ferdi.profile
+++ b/etc/profile-a-l/ferdi.profile
@@ -7,10 +7,10 @@ include globals.local
 
 ignore noexec /tmp
 
-noblacklist ${HOME}/.cache/Ferdi
-noblacklist ${HOME}/.config/Ferdi
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  ${HOME}/.cache/Ferdi
+nodeny  ${HOME}/.config/Ferdi
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,11 +22,11 @@ mkdir ${HOME}/.cache/Ferdi
 mkdir ${HOME}/.config/Ferdi
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/Ferdi
-whitelist ${HOME}/.config/Ferdi
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/Ferdi
+allow  ${HOME}/.config/Ferdi
+allow  ${HOME}/.pki
+allow  ${HOME}/.local/share/pki
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/fetchmail.profile b/etc/profile-a-l/fetchmail.profile
index 7358ed5c7..1e06ec29a 100644
--- a/etc/profile-a-l/fetchmail.profile
+++ b/etc/profile-a-l/fetchmail.profile
@@ -6,8 +6,8 @@ include fetchmail.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.fetchmailrc
-noblacklist ${HOME}/.netrc
+nodeny  ${HOME}/.fetchmailrc
+nodeny  ${HOME}/.netrc
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
index 13ef1beb9..1a64183ab 100644
--- a/etc/profile-a-l/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -7,8 +7,8 @@ include ffmpeg.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,9 +19,9 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/devedeng
-whitelist /usr/share/ffmpeg
-whitelist /usr/share/qtchooser
+allow  /usr/share/devedeng
+allow  /usr/share/ffmpeg
+allow  /usr/share/qtchooser
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 4e651ed61..f7a938f24 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -13,8 +13,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /usr/libexec/file-roller
-whitelist /usr/share/file-roller
+allow  /usr/libexec/file-roller
+allow  /usr/libexec/p7zip
+allow  /usr/share/file-roller
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/file.profile b/etc/profile-a-l/file.profile
index 5c7583605..426d1e72d 100644
--- a/etc/profile-a-l/file.profile
+++ b/etc/profile-a-l/file.profile
@@ -7,7 +7,7 @@ include file.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
 include disable-common.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/filezilla.profile b/etc/profile-a-l/filezilla.profile
index dc5def54f..d9e0e9da0 100644
--- a/etc/profile-a-l/filezilla.profile
+++ b/etc/profile-a-l/filezilla.profile
@@ -6,8 +6,8 @@ include filezilla.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/filezilla
-noblacklist ${HOME}/.filezilla
+nodeny  ${HOME}/.config/filezilla
+nodeny  ${HOME}/.filezilla
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/firedragon.profile b/etc/profile-a-l/firedragon.profile
index 77487161e..e22424794 100644
--- a/etc/profile-a-l/firedragon.profile
+++ b/etc/profile-a-l/firedragon.profile
@@ -6,13 +6,13 @@ include firedragon.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/firedragon
-noblacklist ${HOME}/.firedragon
+nodeny  ${HOME}/.cache/firedragon
+nodeny  ${HOME}/.firedragon
 
 mkdir ${HOME}/.cache/firedragon
 mkdir ${HOME}/.firedragon
-whitelist ${HOME}/.cache/firedragon
-whitelist ${HOME}/.firedragon
+allow  ${HOME}/.cache/firedragon
+allow  ${HOME}/.firedragon
 
 # Add the next lines to your firedragon.local if you want to use the migration wizard.
 #noblacklist ${HOME}/.mozilla
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
index d282f9a60..7e2e8760d 100644
--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -5,74 +5,74 @@ include firefox-common-addons.local
 ignore include whitelist-runuser-common.inc
 ignore private-cache
 
-noblacklist ${HOME}/.cache/youtube-dl
-noblacklist ${HOME}/.config/kgetrc
-noblacklist ${HOME}/.config/mpv
-noblacklist ${HOME}/.config/okularpartrc
-noblacklist ${HOME}/.config/okularrc
-noblacklist ${HOME}/.config/qpdfview
-noblacklist ${HOME}/.config/youtube-dl
-noblacklist ${HOME}/.kde/share/apps/kget
-noblacklist ${HOME}/.kde/share/apps/okular
-noblacklist ${HOME}/.kde/share/config/kgetrc
-noblacklist ${HOME}/.kde/share/config/okularpartrc
-noblacklist ${HOME}/.kde/share/config/okularrc
-noblacklist ${HOME}/.kde4/share/apps/kget
-noblacklist ${HOME}/.kde4/share/apps/okular
-noblacklist ${HOME}/.kde4/share/config/kgetrc
-noblacklist ${HOME}/.kde4/share/config/okularpartrc
-noblacklist ${HOME}/.kde4/share/config/okularrc
-noblacklist ${HOME}/.local/share/kget
-noblacklist ${HOME}/.local/share/kxmlgui5/okular
-noblacklist ${HOME}/.local/share/okular
-noblacklist ${HOME}/.local/share/qpdfview
-noblacklist ${HOME}/.netrc
+nodeny  ${HOME}/.cache/youtube-dl
+nodeny  ${HOME}/.config/kgetrc
+nodeny  ${HOME}/.config/mpv
+nodeny  ${HOME}/.config/okularpartrc
+nodeny  ${HOME}/.config/okularrc
+nodeny  ${HOME}/.config/qpdfview
+nodeny  ${HOME}/.config/youtube-dl
+nodeny  ${HOME}/.kde/share/apps/kget
+nodeny  ${HOME}/.kde/share/apps/okular
+nodeny  ${HOME}/.kde/share/config/kgetrc
+nodeny  ${HOME}/.kde/share/config/okularpartrc
+nodeny  ${HOME}/.kde/share/config/okularrc
+nodeny  ${HOME}/.kde4/share/apps/kget
+nodeny  ${HOME}/.kde4/share/apps/okular
+nodeny  ${HOME}/.kde4/share/config/kgetrc
+nodeny  ${HOME}/.kde4/share/config/okularpartrc
+nodeny  ${HOME}/.kde4/share/config/okularrc
+nodeny  ${HOME}/.local/share/kget
+nodeny  ${HOME}/.local/share/kxmlgui5/okular
+nodeny  ${HOME}/.local/share/okular
+nodeny  ${HOME}/.local/share/qpdfview
+nodeny  ${HOME}/.netrc
 
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
-whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/kgetrc
-whitelist ${HOME}/.config/mpv
-whitelist ${HOME}/.config/okularpartrc
-whitelist ${HOME}/.config/okularrc
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.config/qpdfview
-whitelist ${HOME}/.config/youtube-dl
-whitelist ${HOME}/.kde/share/apps/kget
-whitelist ${HOME}/.kde/share/apps/okular
-whitelist ${HOME}/.kde/share/config/kgetrc
-whitelist ${HOME}/.kde/share/config/okularpartrc
-whitelist ${HOME}/.kde/share/config/okularrc
-whitelist ${HOME}/.kde4/share/apps/kget
-whitelist ${HOME}/.kde4/share/apps/okular
-whitelist ${HOME}/.kde4/share/config/kgetrc
-whitelist ${HOME}/.kde4/share/config/okularpartrc
-whitelist ${HOME}/.kde4/share/config/okularrc
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/kget
-whitelist ${HOME}/.local/share/kxmlgui5/okular
-whitelist ${HOME}/.local/share/okular
-whitelist ${HOME}/.local/share/qpdfview
-whitelist ${HOME}/.local/share/tridactyl
-whitelist ${HOME}/.netrc
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.tridactylrc
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-whitelist /usr/share/lua
-whitelist /usr/share/lua*
-whitelist /usr/share/vulkan
+allow  ${HOME}/.cache/gnome-mplayer/plugin
+allow  ${HOME}/.cache/youtube-dl/youtube-sigfuncs
+allow  ${HOME}/.config/gnome-mplayer
+allow  ${HOME}/.config/kgetrc
+allow  ${HOME}/.config/mpv
+allow  ${HOME}/.config/okularpartrc
+allow  ${HOME}/.config/okularrc
+allow  ${HOME}/.config/pipelight-silverlight5.1
+allow  ${HOME}/.config/pipelight-widevine
+allow  ${HOME}/.config/qpdfview
+allow  ${HOME}/.config/youtube-dl
+allow  ${HOME}/.kde/share/apps/kget
+allow  ${HOME}/.kde/share/apps/okular
+allow  ${HOME}/.kde/share/config/kgetrc
+allow  ${HOME}/.kde/share/config/okularpartrc
+allow  ${HOME}/.kde/share/config/okularrc
+allow  ${HOME}/.kde4/share/apps/kget
+allow  ${HOME}/.kde4/share/apps/okular
+allow  ${HOME}/.kde4/share/config/kgetrc
+allow  ${HOME}/.kde4/share/config/okularpartrc
+allow  ${HOME}/.kde4/share/config/okularrc
+allow  ${HOME}/.keysnail.js
+allow  ${HOME}/.lastpass
+allow  ${HOME}/.local/share/kget
+allow  ${HOME}/.local/share/kxmlgui5/okular
+allow  ${HOME}/.local/share/okular
+allow  ${HOME}/.local/share/qpdfview
+allow  ${HOME}/.local/share/tridactyl
+allow  ${HOME}/.netrc
+allow  ${HOME}/.pentadactyl
+allow  ${HOME}/.pentadactylrc
+allow  ${HOME}/.tridactylrc
+allow  ${HOME}/.vimperator
+allow  ${HOME}/.vimperatorrc
+allow  ${HOME}/.wine-pipelight
+allow  ${HOME}/.wine-pipelight64
+allow  ${HOME}/.zotero
+allow  ${HOME}/dwhelper
+allow  /usr/share/lua
+allow  /usr/share/lua*
+allow  /usr/share/vulkan
 
 # GNOME Shell integration (chrome-gnome-shell) needs dbus and python
-noblacklist ${HOME}/.local/share/gnome-shell
-whitelist ${HOME}/.local/share/gnome-shell
+nodeny  ${HOME}/.local/share/gnome-shell
+allow  ${HOME}/.local/share/gnome-shell
 dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.gnome.ChromeGnomeShell
 dbus-user.talk org.gnome.Shell
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 8b74ed979..cb0fae5dc 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -12,8 +12,8 @@ include firefox-common.local
 # Add the next line to your firefox-common.local to allow access to common programs/addons/plugins.
 #include firefox-common-addons.profile
 
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,9 +23,9 @@ include disable-programs.inc
 
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
+allow  ${DOWNLOADS}
+allow  ${HOME}/.pki
+allow  ${HOME}/.local/share/pki
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/firefox-esr.profile b/etc/profile-a-l/firefox-esr.profile
index 5e69fdb51..4fd315fdf 100644
--- a/etc/profile-a-l/firefox-esr.profile
+++ b/etc/profile-a-l/firefox-esr.profile
@@ -6,7 +6,7 @@ include firefox-esr.local
 # added by included profile
 #include globals.local
 
-whitelist /usr/share/firefox-esr
+allow  /usr/share/firefox-esr
 
 # Redirect
 include firefox.profile
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 3ad67734d..8acfe7c2a 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -14,27 +14,27 @@ include globals.local
 # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
 # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
 
-noblacklist ${HOME}/.cache/mozilla
-noblacklist ${HOME}/.mozilla
+nodeny  ${HOME}/.cache/mozilla
+nodeny  ${HOME}/.mozilla
 
-blacklist /usr/libexec
+deny  /usr/libexec
 
 mkdir ${HOME}/.cache/mozilla/firefox
 mkdir ${HOME}/.mozilla
-whitelist ${HOME}/.cache/mozilla/firefox
-whitelist ${HOME}/.mozilla
+allow  ${HOME}/.cache/mozilla/firefox
+allow  ${HOME}/.mozilla
 
 # Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support.
 # NOTE: start KeePassXC before Firefox and keep it open to allow communication between them.
 #whitelist ${RUNUSER}/kpxc_server
 #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
 
-whitelist /usr/share/doc
-whitelist /usr/share/firefox
-whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
-whitelist /usr/share/gtk-doc/html
-whitelist /usr/share/mozilla
-whitelist /usr/share/webext
+allow  /usr/share/doc
+allow  /usr/share/firefox
+allow  /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
+allow  /usr/share/gtk-doc/html
+allow  /usr/share/mozilla
+allow  /usr/share/webext
 include whitelist-usr-share-common.inc
 
 # firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
diff --git a/etc/profile-a-l/five-or-more.profile b/etc/profile-a-l/five-or-more.profile
index 2c86d3ac7..bd1becaf0 100644
--- a/etc/profile-a-l/five-or-more.profile
+++ b/etc/profile-a-l/five-or-more.profile
@@ -6,12 +6,12 @@ include five-or-more.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/five-or-more
+nodeny  ${HOME}/.local/share/five-or-more
 
 mkdir ${HOME}/.local/share/five-or-more
-whitelist ${HOME}/.local/share/five-or-more
+allow  ${HOME}/.local/share/five-or-more
 
-whitelist /usr/share/five-or-more
+allow  /usr/share/five-or-more
 
 private-bin five-or-more
 
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index 55af96c84..f16a65536 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -7,9 +7,9 @@ include flameshot.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PICTURES}
-noblacklist ${HOME}/.config/Dharkael
-noblacklist ${HOME}/.config/flameshot
+nodeny  ${PICTURES}
+nodeny  ${HOME}/.config/Dharkael
+nodeny  ${HOME}/.config/flameshot
 
 include disable-common.inc
 include disable-devel.inc
@@ -25,7 +25,7 @@ include disable-xdg.inc
 #whitelist ${PICTURES}
 #whitelist ${HOME}/.config/Dharkael
 #whitelist ${HOME}/.config/flameshot
-whitelist /usr/share/flameshot
+allow  /usr/share/flameshot
 #include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/flashpeak-slimjet.profile b/etc/profile-a-l/flashpeak-slimjet.profile
index 310fb378f..af114e129 100644
--- a/etc/profile-a-l/flashpeak-slimjet.profile
+++ b/etc/profile-a-l/flashpeak-slimjet.profile
@@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/slimjet
-noblacklist ${HOME}/.config/slimjet
+nodeny  ${HOME}/.cache/slimjet
+nodeny  ${HOME}/.config/slimjet
 
 mkdir ${HOME}/.cache/slimjet
 mkdir ${HOME}/.config/slimjet
-whitelist ${HOME}/.cache/slimjet
-whitelist ${HOME}/.config/slimjet
+allow  ${HOME}/.cache/slimjet
+allow  ${HOME}/.config/slimjet
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/flowblade.profile b/etc/profile-a-l/flowblade.profile
index a4421e3ce..505763fb9 100644
--- a/etc/profile-a-l/flowblade.profile
+++ b/etc/profile-a-l/flowblade.profile
@@ -6,8 +6,8 @@ include flowblade.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/flowblade
-noblacklist ${HOME}/.flowblade
+nodeny  ${HOME}/.config/flowblade
+nodeny  ${HOME}/.flowblade
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/fluxbox.profile b/etc/profile-a-l/fluxbox.profile
index 1210f365c..a22c0e103 100644
--- a/etc/profile-a-l/fluxbox.profile
+++ b/etc/profile-a-l/fluxbox.profile
@@ -7,7 +7,7 @@ include fluxbox.local
 include globals.local
 
 # all applications started in fluxbox will run in this profile
-noblacklist ${HOME}/.fluxbox
+nodeny  ${HOME}/.fluxbox
 include disable-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/font-manager.profile b/etc/profile-a-l/font-manager.profile
index cd0129436..ff9167c1a 100644
--- a/etc/profile-a-l/font-manager.profile
+++ b/etc/profile-a-l/font-manager.profile
@@ -6,8 +6,8 @@ include font-manager.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/font-manager
-noblacklist ${HOME}/.config/font-manager
+nodeny  ${HOME}/.cache/font-manager
+nodeny  ${HOME}/.config/font-manager
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -24,9 +24,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/font-manager
 mkdir ${HOME}/.config/font-manager
-whitelist ${HOME}/.cache/font-manager
-whitelist ${HOME}/.config/font-manager
-whitelist /usr/share/font-manager
+allow  ${HOME}/.cache/font-manager
+allow  ${HOME}/.config/font-manager
+allow  /usr/share/font-manager
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/fontforge.profile b/etc/profile-a-l/fontforge.profile
index bd1495877..64c7655e2 100644
--- a/etc/profile-a-l/fontforge.profile
+++ b/etc/profile-a-l/fontforge.profile
@@ -6,8 +6,8 @@ include fontforge.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.FontForge
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.FontForge
+nodeny  ${DOCUMENTS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/fossamail.profile b/etc/profile-a-l/fossamail.profile
index 2d700d336..5e5a12794 100644
--- a/etc/profile-a-l/fossamail.profile
+++ b/etc/profile-a-l/fossamail.profile
@@ -6,16 +6,16 @@ include fossamail.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.cache/fossamail
-noblacklist ${HOME}/.fossamail
-noblacklist ${HOME}/.gnupg
+nodeny  ${HOME}/.cache/fossamail
+nodeny  ${HOME}/.fossamail
+nodeny  ${HOME}/.gnupg
 
 mkdir ${HOME}/.cache/fossamail
 mkdir ${HOME}/.fossamail
 mkdir ${HOME}/.gnupg
-whitelist ${HOME}/.cache/fossamail
-whitelist ${HOME}/.fossamail
-whitelist ${HOME}/.gnupg
+allow  ${HOME}/.cache/fossamail
+allow  ${HOME}/.fossamail
+allow  ${HOME}/.gnupg
 include whitelist-common.inc
 
 # allow browsers
diff --git a/etc/profile-a-l/four-in-a-row.profile b/etc/profile-a-l/four-in-a-row.profile
index eb0c43ca5..97fd4a626 100644
--- a/etc/profile-a-l/four-in-a-row.profile
+++ b/etc/profile-a-l/four-in-a-row.profile
@@ -9,7 +9,7 @@ include globals.local
 ignore machine-id
 ignore nosound
 
-whitelist /usr/share/four-in-a-row
+allow  /usr/share/four-in-a-row
 
 private-bin four-in-a-row
 
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile
index 1b1d031b4..8edc9b02d 100644
--- a/etc/profile-a-l/fractal.profile
+++ b/etc/profile-a-l/fractal.profile
@@ -6,7 +6,7 @@ include fractal.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/fractal
+nodeny  ${HOME}/.cache/fractal
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,8 +22,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/fractal
-whitelist ${HOME}/.cache/fractal
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.cache/fractal
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/franz.profile b/etc/profile-a-l/franz.profile
index 9b780a572..1a8ec8f99 100644
--- a/etc/profile-a-l/franz.profile
+++ b/etc/profile-a-l/franz.profile
@@ -7,10 +7,10 @@ include globals.local
 
 ignore noexec /tmp
 
-noblacklist ${HOME}/.cache/Franz
-noblacklist ${HOME}/.config/Franz
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  ${HOME}/.cache/Franz
+nodeny  ${HOME}/.config/Franz
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,11 +22,11 @@ mkdir ${HOME}/.cache/Franz
 mkdir ${HOME}/.config/Franz
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/Franz
-whitelist ${HOME}/.config/Franz
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/Franz
+allow  ${HOME}/.config/Franz
+allow  ${HOME}/.pki
+allow  ${HOME}/.local/share/pki
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/freecad.profile b/etc/profile-a-l/freecad.profile
index 8043d0530..a45ad4c7a 100644
--- a/etc/profile-a-l/freecad.profile
+++ b/etc/profile-a-l/freecad.profile
@@ -6,8 +6,8 @@ include freecad.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/FreeCAD
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/FreeCAD
+nodeny  ${DOCUMENTS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/freeciv.profile b/etc/profile-a-l/freeciv.profile
index 23c19682c..20abd4056 100644
--- a/etc/profile-a-l/freeciv.profile
+++ b/etc/profile-a-l/freeciv.profile
@@ -6,7 +6,7 @@ include freeciv.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.freeciv
+nodeny  ${HOME}/.freeciv
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.freeciv
-whitelist ${HOME}/.freeciv
+allow  ${HOME}/.freeciv
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/freecol.profile b/etc/profile-a-l/freecol.profile
index 93fa7da03..79ccf4101 100644
--- a/etc/profile-a-l/freecol.profile
+++ b/etc/profile-a-l/freecol.profile
@@ -6,10 +6,10 @@ include freecol.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.freecol
-noblacklist ${HOME}/.cache/freecol
-noblacklist ${HOME}/.config/freecol
-noblacklist ${HOME}/.local/share/freecol
+nodeny  ${HOME}/.freecol
+nodeny  ${HOME}/.cache/freecol
+nodeny  ${HOME}/.config/freecol
+nodeny  ${HOME}/.local/share/freecol
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -26,11 +26,11 @@ mkdir ${HOME}/.java
 mkdir ${HOME}/.cache/freecol
 mkdir ${HOME}/.config/freecol
 mkdir ${HOME}/.local/share/freecol
-whitelist ${HOME}/.freecol
-whitelist ${HOME}/.java
-whitelist ${HOME}/.cache/freecol
-whitelist ${HOME}/.config/freecol
-whitelist ${HOME}/.local/share/freecol
+allow  ${HOME}/.freecol
+allow  ${HOME}/.java
+allow  ${HOME}/.cache/freecol
+allow  ${HOME}/.config/freecol
+allow  ${HOME}/.local/share/freecol
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/freemind.profile b/etc/profile-a-l/freemind.profile
index 699177039..ba52dd208 100644
--- a/etc/profile-a-l/freemind.profile
+++ b/etc/profile-a-l/freemind.profile
@@ -6,8 +6,8 @@ include freemind.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
-noblacklist ${HOME}/.freemind
+nodeny  ${DOCUMENTS}
+nodeny  ${HOME}/.freemind
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
index e6aff533d..4c321322c 100644
--- a/etc/profile-a-l/freetube.profile
+++ b/etc/profile-a-l/freetube.profile
@@ -6,12 +6,12 @@ include freetube.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/FreeTube
+nodeny  ${HOME}/.config/FreeTube
 
 include disable-shell.inc
 
 mkdir ${HOME}/.config/FreeTube
-whitelist ${HOME}/.config/FreeTube
+allow  ${HOME}/.config/FreeTube
 
 private-bin freetube
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index b4ad81046..3a6dfcfd6 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -6,7 +6,7 @@ include frogatto.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.frogatto
+nodeny  ${HOME}/.frogatto
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,9 +17,9 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.frogatto
-whitelist ${HOME}/.frogatto
-whitelist /usr/libexec/frogatto
-whitelist /usr/share/frogatto
+allow  ${HOME}/.frogatto
+allow  /usr/libexec/frogatto
+allow  /usr/share/frogatto
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index 76352e41e..12eca8eb0 100644
--- a/etc/profile-a-l/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -6,7 +6,7 @@ include frozen-bubble.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.frozen-bubble
+nodeny  ${HOME}/.frozen-bubble
 
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
@@ -20,7 +20,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.frozen-bubble
-whitelist ${HOME}/.frozen-bubble
+allow  ${HOME}/.frozen-bubble
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile
index 8852925b1..07030df4b 100644
--- a/etc/profile-a-l/funnyboat.profile
+++ b/etc/profile-a-l/funnyboat.profile
@@ -5,7 +5,7 @@ include funnyboat.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.funnyboat
+nodeny  ${HOME}/.funnyboat
 
 ignore noexec /dev/shm
 include allow-python2.inc
@@ -21,12 +21,12 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.funnyboat
-whitelist ${HOME}/.funnyboat
+allow  ${HOME}/.funnyboat
 include whitelist-common.inc
 include whitelist-runuser-common.inc
-whitelist /usr/share/funnyboat
+allow  /usr/share/funnyboat
 # Debian:
-whitelist /usr/share/games/funnyboat
+allow  /usr/share/games/funnyboat
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
index ed3f0357d..4cd2cb1e6 100644
--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -6,10 +6,10 @@ include gajim.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.cache/gajim
-noblacklist ${HOME}/.config/gajim
-noblacklist ${HOME}/.local/share/gajim
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.cache/gajim
+nodeny  ${HOME}/.config/gajim
+nodeny  ${HOME}/.local/share/gajim
 
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
@@ -28,14 +28,14 @@ mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.cache/gajim
 mkdir ${HOME}/.config/gajim
 mkdir ${HOME}/.local/share/gajim
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.cache/gajim
-whitelist ${HOME}/.config/gajim
-whitelist ${HOME}/.local/share/gajim
-whitelist ${DOWNLOADS}
-whitelist ${RUNUSER}/gnupg
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
+allow  ${HOME}/.gnupg
+allow  ${HOME}/.cache/gajim
+allow  ${HOME}/.config/gajim
+allow  ${HOME}/.local/share/gajim
+allow  ${DOWNLOADS}
+allow  ${RUNUSER}/gnupg
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
index 550b3808b..0b1b595a6 100644
--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -6,7 +6,7 @@ include galculator.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/galculator
+nodeny  ${HOME}/.config/galculator
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/galculator
-whitelist ${HOME}/.config/galculator
+allow  ${HOME}/.config/galculator
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index 3a8c055f2..00b830234 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -6,8 +6,8 @@ include gapplication.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
-blacklist /usr/libexec
+deny  ${RUNUSER}/wayland-*
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gcloud.profile b/etc/profile-a-l/gcloud.profile
index 388f4c0df..896a100fc 100644
--- a/etc/profile-a-l/gcloud.profile
+++ b/etc/profile-a-l/gcloud.profile
@@ -8,9 +8,9 @@ include globals.local
 # noexec ${HOME} will break user-local installs of gcloud tooling
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.boto
-noblacklist ${HOME}/.config/gcloud
-noblacklist /var/run/docker.sock
+nodeny  ${HOME}/.boto
+nodeny  ${HOME}/.config/gcloud
+nodeny  /var/run/docker.sock
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gconf-editor.profile b/etc/profile-a-l/gconf-editor.profile
index cb39174e5..8f72f0b34 100644
--- a/etc/profile-a-l/gconf-editor.profile
+++ b/etc/profile-a-l/gconf-editor.profile
@@ -7,9 +7,9 @@ include gconf-editor.local
 # added by included profile
 #include globals.local
 
-blacklist /tmp/.X11-unix
+deny  /tmp/.X11-unix
 
-whitelist /usr/share/gconf-editor
+allow  /usr/share/gconf-editor
 
 ignore x11 none
 
diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile
index fec1a555a..8c7013574 100644
--- a/etc/profile-a-l/gconf.profile
+++ b/etc/profile-a-l/gconf.profile
@@ -6,9 +6,9 @@ include gconf.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${HOME}/.config/gconf
+nodeny  ${HOME}/.config/gconf
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -23,9 +23,9 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/gconf
-whitelist ${HOME}/.config/gconf
-whitelist /usr/share/GConf
-whitelist /usr/share/gconf
+allow  ${HOME}/.config/gconf
+allow  /usr/share/GConf
+allow  /usr/share/gconf
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/geany.profile b/etc/profile-a-l/geany.profile
index 6fdb9b37a..706a85c75 100644
--- a/etc/profile-a-l/geany.profile
+++ b/etc/profile-a-l/geany.profile
@@ -6,7 +6,7 @@ include geany.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/geany
+nodeny  ${HOME}/.config/geany
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index 74e135a7c..512fc1e59 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -6,14 +6,14 @@ include geary.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/evolution
-noblacklist ${HOME}/.cache/folks
-noblacklist ${HOME}/.cache/geary
-noblacklist ${HOME}/.config/evolution
-noblacklist ${HOME}/.config/geary
-noblacklist ${HOME}/.local/share/evolution
-noblacklist ${HOME}/.local/share/geary
-noblacklist ${HOME}/.mozilla
+nodeny  ${HOME}/.cache/evolution
+nodeny  ${HOME}/.cache/folks
+nodeny  ${HOME}/.cache/geary
+nodeny  ${HOME}/.config/evolution
+nodeny  ${HOME}/.config/geary
+nodeny  ${HOME}/.local/share/evolution
+nodeny  ${HOME}/.local/share/geary
+nodeny  ${HOME}/.mozilla
 
 include disable-common.inc
 include disable-devel.inc
@@ -31,16 +31,16 @@ mkdir ${HOME}/.config/evolution
 mkdir ${HOME}/.config/geary
 mkdir ${HOME}/.local/share/evolution
 mkdir ${HOME}/.local/share/geary
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/evolution
-whitelist ${HOME}/.cache/folks
-whitelist ${HOME}/.cache/geary
-whitelist ${HOME}/.config/evolution
-whitelist ${HOME}/.config/geary
-whitelist ${HOME}/.local/share/evolution
-whitelist ${HOME}/.local/share/geary
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
-whitelist /usr/share/geary
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/evolution
+allow  ${HOME}/.cache/folks
+allow  ${HOME}/.cache/geary
+allow  ${HOME}/.config/evolution
+allow  ${HOME}/.config/geary
+allow  ${HOME}/.local/share/evolution
+allow  ${HOME}/.local/share/geary
+allow  ${HOME}/.mozilla/firefox/profiles.ini
+allow  /usr/share/geary
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile
index 108b7041d..f11540374 100644
--- a/etc/profile-a-l/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -6,8 +6,8 @@ include gedit.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/enchant
-noblacklist ${HOME}/.config/gedit
+nodeny  ${HOME}/.config/enchant
+nodeny  ${HOME}/.config/gedit
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile
index dd33b3fb5..8ec3bbaf9 100644
--- a/etc/profile-a-l/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
@@ -6,9 +6,9 @@ include geeqie.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/geeqie
-noblacklist ${HOME}/.config/geeqie
-noblacklist ${HOME}/.local/share/geeqie
+nodeny  ${HOME}/.cache/geeqie
+nodeny  ${HOME}/.config/geeqie
+nodeny  ${HOME}/.local/share/geeqie
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index f894a42ca..1661da639 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -6,10 +6,10 @@ include gfeeds.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/gfeeds
-noblacklist ${HOME}/.cache/org.gabmus.gfeeds
-noblacklist ${HOME}/.config/org.gabmus.gfeeds.json
-noblacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
+nodeny  ${HOME}/.cache/gfeeds
+nodeny  ${HOME}/.cache/org.gabmus.gfeeds
+nodeny  ${HOME}/.config/org.gabmus.gfeeds.json
+nodeny  ${HOME}/.config/org.gabmus.gfeeds.saved_articles
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
@@ -27,12 +27,12 @@ mkdir ${HOME}/.cache/gfeeds
 mkdir ${HOME}/.cache/org.gabmus.gfeeds
 mkfile ${HOME}/.config/org.gabmus.gfeeds.json
 mkdir ${HOME}/.config/org.gabmus.gfeeds.saved_articles
-whitelist ${HOME}/.cache/gfeeds
-whitelist ${HOME}/.cache/org.gabmus.gfeeds
-whitelist ${HOME}/.config/org.gabmus.gfeeds.json
-whitelist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
-whitelist /usr/libexec/webkit2gtk-4.0
-whitelist /usr/share/gfeeds
+allow  ${HOME}/.cache/gfeeds
+allow  ${HOME}/.cache/org.gabmus.gfeeds
+allow  ${HOME}/.config/org.gabmus.gfeeds.json
+allow  ${HOME}/.config/org.gabmus.gfeeds.saved_articles
+allow  /usr/libexec/webkit2gtk-4.0
+allow  /usr/share/gfeeds
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile
index d9c5a0d9a..06929dbe3 100644
--- a/etc/profile-a-l/gget.profile
+++ b/etc/profile-a-l/gget.profile
@@ -7,8 +7,8 @@ include gget.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,7 +19,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist ${DOWNLOADS}
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index 276ab76df..0577fe24f 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -6,10 +6,10 @@ include ghostwriter.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/ghostwriter
-noblacklist ${HOME}/.local/share/ghostwriter
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.config/ghostwriter
+nodeny  ${HOME}/.local/share/ghostwriter
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 
 include allow-lua.inc
 
@@ -22,10 +22,10 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/ghostwriter
-whitelist /usr/share/mozilla-dicts
-whitelist /usr/share/texlive
-whitelist /usr/share/pandoc*
+allow  /usr/share/ghostwriter
+allow  /usr/share/mozilla-dicts
+allow  /usr/share/texlive
+allow  /usr/share/pandoc*
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index dfc1304d1..de9db8d0f 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -18,13 +18,13 @@ include globals.local
 # If you are not using external plugins, you can add 'noexec ${HOME}' to your gimp.local.
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.cache/babl
-noblacklist ${HOME}/.cache/gegl-0.4
-noblacklist ${HOME}/.cache/gimp
-noblacklist ${HOME}/.config/GIMP
-noblacklist ${HOME}/.gimp*
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.cache/babl
+nodeny  ${HOME}/.cache/gegl-0.4
+nodeny  ${HOME}/.cache/gimp
+nodeny  ${HOME}/.config/GIMP
+nodeny  ${HOME}/.gimp*
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-exec.inc
@@ -33,10 +33,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/gegl-0.4
-whitelist /usr/share/gimp
-whitelist /usr/share/mypaint-data
-whitelist /usr/share/lensfun
+allow  /usr/share/gegl-0.4
+allow  /usr/share/gimp
+allow  /usr/share/mypaint-data
+allow  /usr/share/lensfun
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile
index 661c3a375..e601d3ab0 100644
--- a/etc/profile-a-l/gist.profile
+++ b/etc/profile-a-l/gist.profile
@@ -7,10 +7,10 @@ include gist.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${HOME}/.gist
+nodeny  ${HOME}/.gist
 
 # Allow ruby (blacklisted by disable-interpreters.inc)
 include allow-ruby.inc
@@ -24,8 +24,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.gist
-whitelist ${HOME}/.gist
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.gist
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index 5e4249376..74b7506cf 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -8,12 +8,12 @@ include globals.local
 
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.subversion
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.config/git-cola
+nodeny  ${HOME}/.gitconfig
+nodeny  ${HOME}/.git-credentials
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.subversion
+nodeny  ${HOME}/.config/git
+nodeny  ${HOME}/.config/git-cola
 # Add your editor/diff viewer config paths and the next line to your git-cola.local to load settings.
 #noblacklist ${HOME}/
 
@@ -32,17 +32,17 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${RUNUSER}/gnupg
-whitelist ${RUNUSER}/keyring
+allow  ${RUNUSER}/gnupg
+allow  ${RUNUSER}/keyring
 # Add additional whitelist paths below /usr/share to your git-cola.local to support your editor/diff viewer.
-whitelist /usr/share/git
-whitelist /usr/share/git-cola
-whitelist /usr/share/git-core
-whitelist /usr/share/git-gui
-whitelist /usr/share/gitk
-whitelist /usr/share/gitweb
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
+allow  /usr/share/git
+allow  /usr/share/git-cola
+allow  /usr/share/git-core
+allow  /usr/share/git-gui
+allow  /usr/share/gitk
+allow  /usr/share/gitweb
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/git.profile b/etc/profile-a-l/git.profile
index bfa0081c6..680e91085 100644
--- a/etc/profile-a-l/git.profile
+++ b/etc/profile-a-l/git.profile
@@ -7,33 +7,33 @@ include git.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.config/nano
-noblacklist ${HOME}/.emacs
-noblacklist ${HOME}/.emacs.d
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.nanorc
-noblacklist ${HOME}/.vim
-noblacklist ${HOME}/.viminfo
+nodeny  ${HOME}/.config/git
+nodeny  ${HOME}/.config/nano
+nodeny  ${HOME}/.emacs
+nodeny  ${HOME}/.emacs.d
+nodeny  ${HOME}/.gitconfig
+nodeny  ${HOME}/.git-credentials
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.nanorc
+nodeny  ${HOME}/.vim
+nodeny  ${HOME}/.viminfo
 
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /usr/share/git
-whitelist /usr/share/git-core
-whitelist /usr/share/gitgui
-whitelist /usr/share/gitweb
-whitelist /usr/share/nano
+allow  /usr/share/git
+allow  /usr/share/git-core
+allow  /usr/share/gitgui
+allow  /usr/share/gitweb
+allow  /usr/share/nano
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile
index 05d7dffa9..d313b5022 100644
--- a/etc/profile-a-l/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -6,10 +6,10 @@ include gitg.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.local/share/gitg
+nodeny  ${HOME}/.config/git
+nodeny  ${HOME}/.gitconfig
+nodeny  ${HOME}/.git-credentials
+nodeny  ${HOME}/.local/share/gitg
 
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
@@ -29,7 +29,7 @@ include disable-programs.inc
 #whitelist ${HOME}/.ssh
 #include whitelist-common.inc
 
-whitelist /usr/share/gitg
+allow  /usr/share/gitg
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile
index 325c54ced..81b534a74 100644
--- a/etc/profile-a-l/github-desktop.profile
+++ b/etc/profile-a-l/github-desktop.profile
@@ -22,10 +22,10 @@ ignore apparmor
 ignore dbus-user none
 ignore dbus-system none
 
-noblacklist ${HOME}/.config/GitHub Desktop
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
+nodeny  ${HOME}/.config/GitHub Desktop
+nodeny  ${HOME}/.config/git
+nodeny  ${HOME}/.gitconfig
+nodeny  ${HOME}/.git-credentials
 
 # no3d
 nosound
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile
index 460e2b990..2d1694ef7 100644
--- a/etc/profile-a-l/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
@@ -5,8 +5,8 @@ include gitter.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/autostart
-noblacklist ${HOME}/.config/Gitter
+nodeny  ${HOME}/.config/autostart
+nodeny  ${HOME}/.config/Gitter
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,9 +16,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.config/Gitter
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/autostart
-whitelist ${HOME}/.config/Gitter
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/autostart
+allow  ${HOME}/.config/Gitter
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/gjs.profile b/etc/profile-a-l/gjs.profile
index ed68b3c2d..e00bb1dbf 100644
--- a/etc/profile-a-l/gjs.profile
+++ b/etc/profile-a-l/gjs.profile
@@ -8,10 +8,10 @@ include globals.local
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 
-noblacklist ${HOME}/.cache/libgweather
-noblacklist ${HOME}/.cache/org.gnome.Books
-noblacklist ${HOME}/.config/libreoffice
-noblacklist ${HOME}/.local/share/gnome-photos
+nodeny  ${HOME}/.cache/libgweather
+nodeny  ${HOME}/.cache/org.gnome.Books
+nodeny  ${HOME}/.config/libreoffice
+nodeny  ${HOME}/.local/share/gnome-photos
 
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile
index c8cefc67e..a3236c2be 100644
--- a/etc/profile-a-l/gl-117.profile
+++ b/etc/profile-a-l/gl-117.profile
@@ -6,7 +6,7 @@ include gl-117.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.gl-117
+nodeny  ${HOME}/.gl-117
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.gl-117
-whitelist ${HOME}/.gl-117
-whitelist /usr/share/gl-117
+allow  ${HOME}/.gl-117
+allow  /usr/share/gl-117
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile
index ee7af0546..ec894a5f3 100644
--- a/etc/profile-a-l/glaxium.profile
+++ b/etc/profile-a-l/glaxium.profile
@@ -6,7 +6,7 @@ include glaxium.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.glaxiumrc
+nodeny  ${HOME}/.glaxiumrc
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkfile ${HOME}/.glaxiumrc
-whitelist ${HOME}/.glaxiumrc
-whitelist /usr/share/glaxium
+allow  ${HOME}/.glaxiumrc
+allow  /usr/share/glaxium
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/globaltime.profile b/etc/profile-a-l/globaltime.profile
index 14b3ef811..e091b811f 100644
--- a/etc/profile-a-l/globaltime.profile
+++ b/etc/profile-a-l/globaltime.profile
@@ -5,7 +5,7 @@ include globaltime.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/globaltime
+nodeny  ${HOME}/.config/globaltime
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile
index b3aad8b2c..79397d28f 100644
--- a/etc/profile-a-l/gmpc.profile
+++ b/etc/profile-a-l/gmpc.profile
@@ -6,8 +6,8 @@ include gmpc.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/gmpc
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/gmpc
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,9 +18,9 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/gmpc
-whitelist ${HOME}/.config/gmpc
-whitelist ${MUSIC}
-whitelist /usr/share/gmpc
+allow  ${HOME}/.config/gmpc
+allow  ${MUSIC}
+allow  /usr/share/gmpc
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-2048.profile b/etc/profile-a-l/gnome-2048.profile
index 777c81dbe..c723f6e46 100644
--- a/etc/profile-a-l/gnome-2048.profile
+++ b/etc/profile-a-l/gnome-2048.profile
@@ -6,10 +6,10 @@ include gnome-2048.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/gnome-2048
+nodeny  ${HOME}/.local/share/gnome-2048
 
 mkdir ${HOME}/.local/share/gnome-2048
-whitelist ${HOME}/.local/share/gnome-2048
+allow  ${HOME}/.local/share/gnome-2048
 
 private-bin gnome-2048
 
diff --git a/etc/profile-a-l/gnome-books.profile b/etc/profile-a-l/gnome-books.profile
index 34a7f557c..2ed5fa76b 100644
--- a/etc/profile-a-l/gnome-books.profile
+++ b/etc/profile-a-l/gnome-books.profile
@@ -7,8 +7,8 @@ include globals.local
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 
-noblacklist ${HOME}/.cache/org.gnome.Books
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.cache/org.gnome.Books
+nodeny  ${DOCUMENTS}
 
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
diff --git a/etc/profile-a-l/gnome-builder.profile b/etc/profile-a-l/gnome-builder.profile
index 37ca5aeff..7dd1c6e22 100644
--- a/etc/profile-a-l/gnome-builder.profile
+++ b/etc/profile-a-l/gnome-builder.profile
@@ -6,11 +6,11 @@ include gnome-builder.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.bash_history
+nodeny  ${HOME}/.bash_history
 
-noblacklist ${HOME}/.cache/gnome-builder
-noblacklist ${HOME}/.config/gnome-builder
-noblacklist ${HOME}/.local/share/gnome-builder
+nodeny  ${HOME}/.cache/gnome-builder
+nodeny  ${HOME}/.config/gnome-builder
+nodeny  ${HOME}/.local/share/gnome-builder
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index eaf25b177..d91fbaa4b 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/libgweather
+allow  /usr/share/libgweather
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -46,7 +46,7 @@ private
 private-bin gnome-calendar
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,nsswitch.conf,pki,resolv.conf,ssl
+private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,localtime,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
index 741fe9bf7..806d7e571 100644
--- a/etc/profile-a-l/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -18,7 +18,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/org.gnome.Characters
+allow  /usr/share/org.gnome.Characters
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile
index bd39f625c..095210565 100644
--- a/etc/profile-a-l/gnome-chess.profile
+++ b/etc/profile-a-l/gnome-chess.profile
@@ -6,8 +6,8 @@ include gnome-chess.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/gnome-chess
-noblacklist ${HOME}/.local/share/gnome-chess
+nodeny  ${HOME}/.config/gnome-chess
+nodeny  ${HOME}/.local/share/gnome-chess
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,8 +22,8 @@ include disable-xdg.inc
 #whitelist ${HOME}/.local/share/gnome-chess
 #include whitelist-common.inc
 
-whitelist /usr/share/gnuchess
-whitelist /usr/share/gnome-chess
+allow  /usr/share/gnuchess
+allow  /usr/share/gnome-chess
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile
index 1e7c70b84..7e2d458fd 100644
--- a/etc/profile-a-l/gnome-clocks.profile
+++ b/etc/profile-a-l/gnome-clocks.profile
@@ -15,8 +15,8 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/gnome-clocks
-whitelist /usr/share/libgweather
+allow  /usr/share/gnome-clocks
+allow  /usr/share/libgweather
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile
index dcc6163b6..7902fa169 100644
--- a/etc/profile-a-l/gnome-contacts.profile
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -6,7 +6,7 @@ include gnome-contacts.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gnome-documents.profile b/etc/profile-a-l/gnome-documents.profile
index 29ad67af8..0f601149f 100644
--- a/etc/profile-a-l/gnome-documents.profile
+++ b/etc/profile-a-l/gnome-documents.profile
@@ -8,8 +8,8 @@ include globals.local
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 
-noblacklist ${HOME}/.config/libreoffice
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/libreoffice
+nodeny  ${DOCUMENTS}
 
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
index 2db956faf..50c3e2c6f 100644
--- a/etc/profile-a-l/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -16,7 +16,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/mesa_shader_cache
-whitelist /usr/share/gnome-hexgl
+allow  /usr/share/gnome-hexgl
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile
index 25b4c47de..62a5a34ea 100644
--- a/etc/profile-a-l/gnome-keyring.profile
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -7,7 +7,7 @@ include gnome-keyring.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.gnupg
+nodeny  ${HOME}/.gnupg
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,12 +18,12 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.gnupg
-whitelist ${HOME}/.gnupg
-whitelist ${DOWNLOADS}
-whitelist ${RUNUSER}/gnupg
-whitelist ${RUNUSER}/keyring
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
+allow  ${HOME}/.gnupg
+allow  ${DOWNLOADS}
+allow  ${RUNUSER}/gnupg
+allow  ${RUNUSER}/keyring
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnome-klotski.profile b/etc/profile-a-l/gnome-klotski.profile
index c67a5c0da..ed074f944 100644
--- a/etc/profile-a-l/gnome-klotski.profile
+++ b/etc/profile-a-l/gnome-klotski.profile
@@ -6,10 +6,10 @@ include gnome-klotski.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/gnome-klotski
+nodeny  ${HOME}/.local/share/gnome-klotski
 
 mkdir ${HOME}/.local/share/gnome-klotski
-whitelist ${HOME}/.local/share/gnome-klotski
+allow  ${HOME}/.local/share/gnome-klotski
 
 private-bin gnome-klotski
 
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index 1a7eafeca..4a03a7ff5 100644
--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -6,8 +6,8 @@ include gnome-latex.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/gnome-latex
-noblacklist ${HOME}/.local/share/gnome-latex
+nodeny  ${HOME}/.config/gnome-latex
+nodeny  ${HOME}/.local/share/gnome-latex
 
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
@@ -19,8 +19,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /usr/share/gnome-latex
-whitelist /usr/share/texlive
+allow  /usr/share/gnome-latex
+allow  /usr/share/texlive
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 # May cause issues.
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index 9d2ea7b7b..fcc02dc76 100644
--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /var/log/journal
+allow  /var/log/journal
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-mahjongg.profile b/etc/profile-a-l/gnome-mahjongg.profile
index 42409dce8..e21f03efe 100644
--- a/etc/profile-a-l/gnome-mahjongg.profile
+++ b/etc/profile-a-l/gnome-mahjongg.profile
@@ -6,7 +6,7 @@ include gnome-mahjongg.local
 # Persistent global definitions
 include globals.local
 
-whitelist /usr/share/gnome-mahjongg
+allow  /usr/share/gnome-mahjongg
 
 private-bin gnome-mahjongg
 
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index 23aab343f..cf4eceee3 100644
--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -11,14 +11,14 @@ include globals.local
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 
-noblacklist ${HOME}/.cache/champlain
-noblacklist ${HOME}/.cache/org.gnome.Maps
-noblacklist ${HOME}/.local/share/maps-places.json
+nodeny  ${HOME}/.cache/champlain
+nodeny  ${HOME}/.cache/org.gnome.Maps
+nodeny  ${HOME}/.local/share/maps-places.json
 
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
 
-blacklist /usr/libexec
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
@@ -31,12 +31,12 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/champlain
 mkfile ${HOME}/.local/share/maps-places.json
-whitelist ${HOME}/.cache/champlain
-whitelist ${HOME}/.local/share/maps-places.json
-whitelist ${DOWNLOADS}
-whitelist ${PICTURES}
-whitelist /usr/share/gnome-maps
-whitelist /usr/share/libgweather
+allow  ${HOME}/.cache/champlain
+allow  ${HOME}/.local/share/maps-places.json
+allow  ${DOWNLOADS}
+allow  ${PICTURES}
+allow  /usr/share/gnome-maps
+allow  /usr/share/libgweather
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnome-mines.profile b/etc/profile-a-l/gnome-mines.profile
index 4fe8986c2..1b2949bc5 100644
--- a/etc/profile-a-l/gnome-mines.profile
+++ b/etc/profile-a-l/gnome-mines.profile
@@ -6,11 +6,11 @@ include gnome-mines.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/gnome-mines
+nodeny  ${HOME}/.local/share/gnome-mines
 
 mkdir ${HOME}/.local/share/gnome-mines
-whitelist ${HOME}/.local/share/gnome-mines
-whitelist /usr/share/gnome-mines
+allow  ${HOME}/.local/share/gnome-mines
+allow  /usr/share/gnome-mines
 
 private-bin gnome-mines
 
diff --git a/etc/profile-a-l/gnome-mplayer.profile b/etc/profile-a-l/gnome-mplayer.profile
index 43fe71f5e..c1cbc796a 100644
--- a/etc/profile-a-l/gnome-mplayer.profile
+++ b/etc/profile-a-l/gnome-mplayer.profile
@@ -6,9 +6,9 @@ include gnome-mplayer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/gnome-mplayer
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/gnome-mplayer
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile
index 2fcbe9910..8fd0826c4 100644
--- a/etc/profile-a-l/gnome-music.profile
+++ b/etc/profile-a-l/gnome-music.profile
@@ -6,8 +6,8 @@ include gnome-music.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/gnome-music
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.local/share/gnome-music
+nodeny  ${MUSIC}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/gnome-nettool.profile b/etc/profile-a-l/gnome-nettool.profile
index 814751db3..a929582f8 100644
--- a/etc/profile-a-l/gnome-nettool.profile
+++ b/etc/profile-a-l/gnome-nettool.profile
@@ -14,7 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/gnome-nettool
+allow  /usr/share/gnome-nettool
 #include whitelist-common.inc -- see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnome-nibbles.profile b/etc/profile-a-l/gnome-nibbles.profile
index b22810d34..d4c037a41 100644
--- a/etc/profile-a-l/gnome-nibbles.profile
+++ b/etc/profile-a-l/gnome-nibbles.profile
@@ -9,11 +9,11 @@ include globals.local
 ignore machine-id
 ignore nosound
 
-noblacklist ${HOME}/.local/share/gnome-nibbles
+nodeny  ${HOME}/.local/share/gnome-nibbles
 
 mkdir ${HOME}/.local/share/gnome-nibbles
-whitelist ${HOME}/.local/share/gnome-nibbles
-whitelist /usr/share/gnome-nibbles
+allow  ${HOME}/.local/share/gnome-nibbles
+allow  /usr/share/gnome-nibbles
 
 private-bin gnome-nibbles
 
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index fee5f88b9..d2cf828cc 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -6,14 +6,14 @@ include gnome-passwordsafe.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
-noblacklist ${HOME}/*.kdb
-noblacklist ${HOME}/*.kdbx
+nodeny  ${DOCUMENTS}
+nodeny  ${HOME}/*.kdb
+nodeny  ${HOME}/*.kdbx
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
-blacklist /usr/libexec
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
@@ -24,8 +24,8 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/cracklib
-whitelist /usr/share/passwordsafe
+allow  /usr/share/cracklib
+allow  /usr/share/passwordsafe
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile
index 58bf3f349..3702da2c7 100644
--- a/etc/profile-a-l/gnome-photos.profile
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -8,7 +8,7 @@ include globals.local
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 
-noblacklist ${HOME}/.local/share/gnome-photos
+nodeny  ${HOME}/.local/share/gnome-photos
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile
index 41903b136..e9ae2bcb0 100644
--- a/etc/profile-a-l/gnome-pie.profile
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -6,7 +6,7 @@ include gnome-pie.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/gnome-pie
+nodeny  ${HOME}/.config/gnome-pie
 
 #include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
index c2ba7556d..bec23910c 100644
--- a/etc/profile-a-l/gnome-pomodoro.profile
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -6,7 +6,7 @@ include gnome-pomodoro.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/gnome-pomodoro
+nodeny  ${HOME}/.local/share/gnome-pomodoro
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/gnome-pomodoro
-whitelist ${HOME}/.local/share/gnome-pomodoro
-whitelist /usr/share/gnome-pomodoro
+allow  ${HOME}/.local/share/gnome-pomodoro
+allow  /usr/share/gnome-pomodoro
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile
index 48c98ebe0..5ef33fdd8 100644
--- a/etc/profile-a-l/gnome-recipes.profile
+++ b/etc/profile-a-l/gnome-recipes.profile
@@ -7,8 +7,8 @@ include gnome-recipes.local
 include globals.local
 
 
-noblacklist ${HOME}/.cache/gnome-recipes
-noblacklist ${HOME}/.local/share/gnome-recipes
+nodeny  ${HOME}/.cache/gnome-recipes
+nodeny  ${HOME}/.local/share/gnome-recipes
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,9 +20,9 @@ include disable-shell.inc
 
 mkdir ${HOME}/.cache/gnome-recipes
 mkdir ${HOME}/.local/share/gnome-recipes
-whitelist ${HOME}/.cache/gnome-recipes
-whitelist ${HOME}/.local/share/gnome-recipes
-whitelist /usr/share/gnome-recipes
+allow  ${HOME}/.cache/gnome-recipes
+allow  ${HOME}/.local/share/gnome-recipes
+allow  /usr/share/gnome-recipes
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-ring.profile b/etc/profile-a-l/gnome-ring.profile
index 78ceb9c4f..b34d264f4 100644
--- a/etc/profile-a-l/gnome-ring.profile
+++ b/etc/profile-a-l/gnome-ring.profile
@@ -5,7 +5,7 @@ include gnome-ring.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/gnome-ring
+nodeny  ${HOME}/.local/share/gnome-ring
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gnome-robots.profile b/etc/profile-a-l/gnome-robots.profile
index 8835f2b93..836d4e2b2 100644
--- a/etc/profile-a-l/gnome-robots.profile
+++ b/etc/profile-a-l/gnome-robots.profile
@@ -9,7 +9,7 @@ include globals.local
 ignore machine-id
 ignore nosound
 
-whitelist /usr/share/gnome-robots
+allow  /usr/share/gnome-robots
 
 private-bin gnome-robots
 
diff --git a/etc/profile-a-l/gnome-schedule.profile b/etc/profile-a-l/gnome-schedule.profile
index 69c90b33d..146f8bc4e 100644
--- a/etc/profile-a-l/gnome-schedule.profile
+++ b/etc/profile-a-l/gnome-schedule.profile
@@ -6,17 +6,17 @@ include gnome-schedule.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.gnome/gnome-schedule
+nodeny  ${HOME}/.gnome/gnome-schedule
 
 # Needs at and crontab to read/write user cron
-noblacklist ${PATH}/at
-noblacklist ${PATH}/crontab
+nodeny  ${PATH}/at
+nodeny  ${PATH}/crontab
 
 # Needs access to these files/dirs
-noblacklist /etc/cron.allow
-noblacklist /etc/cron.deny
-noblacklist /etc/shadow
-noblacklist /var/spool/cron
+nodeny  /etc/cron.allow
+nodeny  /etc/cron.deny
+nodeny  /etc/shadow
+nodeny  /var/spool/cron
 
 # cron job testing needs a terminal, resulting in sandbox escape (see disable-common.inc)
 # add 'noblacklist ${PATH}/your-terminal' to gnome-schedule.local if you need that functionality
@@ -34,10 +34,10 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkfile ${HOME}/.gnome/gnome-schedule
-whitelist ${HOME}/.gnome/gnome-schedule
-whitelist /usr/share/gnome-schedule
-whitelist /var/spool/atd
-whitelist /var/spool/cron
+allow  ${HOME}/.gnome/gnome-schedule
+allow  /usr/share/gnome-schedule
+allow  /var/spool/atd
+allow  /var/spool/cron
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
index b683b6f6c..175549e99 100644
--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -6,8 +6,8 @@ include gnome-screenshot.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PICTURES}
-noblacklist ${HOME}/.cache/gnome-screenshot
+nodeny  ${PICTURES}
+nodeny  ${HOME}/.cache/gnome-screenshot
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
index 34f5fdeff..c2fb14fa4 100644
--- a/etc/profile-a-l/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -6,8 +6,8 @@ include gnome-sound-recorder.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${MUSIC}
-noblacklist ${HOME}/.local/share/Trash
+nodeny  ${MUSIC}
+nodeny  ${HOME}/.local/share/Trash
 
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
diff --git a/etc/profile-a-l/gnome-sudoku.profile b/etc/profile-a-l/gnome-sudoku.profile
index 12fd48a86..3b7835e52 100644
--- a/etc/profile-a-l/gnome-sudoku.profile
+++ b/etc/profile-a-l/gnome-sudoku.profile
@@ -6,10 +6,10 @@ include gnome-sudoku.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/gnome-sudoku
+nodeny  ${HOME}/.local/share/gnome-sudoku
 
 mkdir ${HOME}/.local/share/gnome-sudoku
-whitelist ${HOME}/.local/share/gnome-sudoku
+allow  ${HOME}/.local/share/gnome-sudoku
 
 private-bin gnome-sudoku
 
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index 8a818695d..6978f7cab 100644
--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /var/log
+allow  /var/log
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-taquin.profile b/etc/profile-a-l/gnome-taquin.profile
index 2341334f7..ac87cf70f 100644
--- a/etc/profile-a-l/gnome-taquin.profile
+++ b/etc/profile-a-l/gnome-taquin.profile
@@ -9,7 +9,7 @@ include globals.local
 ignore machine-id
 ignore nosound
 
-whitelist /usr/share/gnome-taquin
+allow  /usr/share/gnome-taquin
 
 private-bin gnome-taquin
 
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile
index 3b147cd48..092fd58a3 100644
--- a/etc/profile-a-l/gnome-todo.profile
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -18,7 +18,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/gnome-todo
+allow  /usr/share/gnome-todo
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/gnome-twitch.profile b/etc/profile-a-l/gnome-twitch.profile
index b8ec195d3..d76872ea6 100644
--- a/etc/profile-a-l/gnome-twitch.profile
+++ b/etc/profile-a-l/gnome-twitch.profile
@@ -6,8 +6,8 @@ include gnome-twitch.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/gnome-twitch
-noblacklist ${HOME}/.local/share/gnome-twitch
+nodeny  ${HOME}/.cache/gnome-twitch
+nodeny  ${HOME}/.local/share/gnome-twitch
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/.cache/gnome-twitch
 mkdir ${HOME}/.local/share/gnome-twitch
-whitelist ${HOME}/.cache/gnome-twitch
-whitelist ${HOME}/.local/share/gnome-twitch
+allow  ${HOME}/.cache/gnome-twitch
+allow  ${HOME}/.local/share/gnome-twitch
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile
index 2e08fa41d..6f557ff8d 100644
--- a/etc/profile-a-l/gnome-weather.profile
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -8,7 +8,7 @@ include globals.local
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 
-noblacklist ${HOME}/.cache/libgweather
+nodeny  ${HOME}/.cache/libgweather
 
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile
index c3014a288..261efefac 100644
--- a/etc/profile-a-l/gnote.profile
+++ b/etc/profile-a-l/gnote.profile
@@ -6,8 +6,8 @@ include gnote.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/gnote
-noblacklist ${HOME}/.local/share/gnote
+nodeny  ${HOME}/.config/gnote
+nodeny  ${HOME}/.local/share/gnote
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,9 +20,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/gnote
 mkdir ${HOME}/.local/share/gnote
-whitelist ${HOME}/.config/gnote
-whitelist ${HOME}/.local/share/gnote
-whitelist /usr/share/gnote
+allow  ${HOME}/.config/gnote
+allow  ${HOME}/.local/share/gnote
+allow  /usr/share/gnote
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile
index 22851ce9f..e6fbca26f 100644
--- a/etc/profile-a-l/gnubik.profile
+++ b/etc/profile-a-l/gnubik.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/gnubik
+allow  /usr/share/gnubik
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
index 09ca17caa..f35a53ca4 100644
--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -6,9 +6,9 @@ include godot.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/godot
-noblacklist ${HOME}/.config/godot
-noblacklist ${HOME}/.local/share/godot
+nodeny  ${HOME}/.cache/godot
+nodeny  ${HOME}/.config/godot
+nodeny  ${HOME}/.local/share/godot
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/goobox.profile b/etc/profile-a-l/goobox.profile
index 8399d77c4..95dd41c2a 100644
--- a/etc/profile-a-l/goobox.profile
+++ b/etc/profile-a-l/goobox.profile
@@ -6,7 +6,7 @@ include goobox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/google-chrome-beta.profile b/etc/profile-a-l/google-chrome-beta.profile
index ebe5e870b..07f0e587d 100644
--- a/etc/profile-a-l/google-chrome-beta.profile
+++ b/etc/profile-a-l/google-chrome-beta.profile
@@ -10,19 +10,19 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/google-chrome-beta
-noblacklist ${HOME}/.config/google-chrome-beta
+nodeny  ${HOME}/.cache/google-chrome-beta
+nodeny  ${HOME}/.config/google-chrome-beta
 
-noblacklist ${HOME}/.config/chrome-beta-flags.conf
-noblacklist ${HOME}/.config/chrome-beta-flags.config
+nodeny  ${HOME}/.config/chrome-beta-flags.conf
+nodeny  ${HOME}/.config/chrome-beta-flags.config
 
 mkdir ${HOME}/.cache/google-chrome-beta
 mkdir ${HOME}/.config/google-chrome-beta
-whitelist ${HOME}/.cache/google-chrome-beta
-whitelist ${HOME}/.config/google-chrome-beta
+allow  ${HOME}/.cache/google-chrome-beta
+allow  ${HOME}/.config/google-chrome-beta
 
-whitelist ${HOME}/.config/chrome-beta-flags.conf
-whitelist ${HOME}/.config/chrome-beta-flags.config
+allow  ${HOME}/.config/chrome-beta-flags.conf
+allow  ${HOME}/.config/chrome-beta-flags.config
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/google-chrome-unstable.profile b/etc/profile-a-l/google-chrome-unstable.profile
index 4d303f71b..229904411 100644
--- a/etc/profile-a-l/google-chrome-unstable.profile
+++ b/etc/profile-a-l/google-chrome-unstable.profile
@@ -10,19 +10,19 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/google-chrome-unstable
-noblacklist ${HOME}/.config/google-chrome-unstable
+nodeny  ${HOME}/.cache/google-chrome-unstable
+nodeny  ${HOME}/.config/google-chrome-unstable
 
-noblacklist ${HOME}/.config/chrome-unstable-flags.conf
-noblacklist ${HOME}/.config/chrome-unstable-flags.config
+nodeny  ${HOME}/.config/chrome-unstable-flags.conf
+nodeny  ${HOME}/.config/chrome-unstable-flags.config
 
 mkdir ${HOME}/.cache/google-chrome-unstable
 mkdir ${HOME}/.config/google-chrome-unstable
-whitelist ${HOME}/.cache/google-chrome-unstable
-whitelist ${HOME}/.config/google-chrome-unstable
+allow  ${HOME}/.cache/google-chrome-unstable
+allow  ${HOME}/.config/google-chrome-unstable
 
-whitelist ${HOME}/.config/chrome-unstable-flags.conf
-whitelist ${HOME}/.config/chrome-unstable-flags.config
+allow  ${HOME}/.config/chrome-unstable-flags.conf
+allow  ${HOME}/.config/chrome-unstable-flags.config
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/google-chrome.profile b/etc/profile-a-l/google-chrome.profile
index ed2595f72..f61642f17 100644
--- a/etc/profile-a-l/google-chrome.profile
+++ b/etc/profile-a-l/google-chrome.profile
@@ -10,19 +10,19 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/google-chrome
-noblacklist ${HOME}/.config/google-chrome
+nodeny  ${HOME}/.cache/google-chrome
+nodeny  ${HOME}/.config/google-chrome
 
-noblacklist ${HOME}/.config/chrome-flags.conf
-noblacklist ${HOME}/.config/chrome-flags.config
+nodeny  ${HOME}/.config/chrome-flags.conf
+nodeny  ${HOME}/.config/chrome-flags.config
 
 mkdir ${HOME}/.cache/google-chrome
 mkdir ${HOME}/.config/google-chrome
-whitelist ${HOME}/.cache/google-chrome
-whitelist ${HOME}/.config/google-chrome
+allow  ${HOME}/.cache/google-chrome
+allow  ${HOME}/.config/google-chrome
 
-whitelist ${HOME}/.config/chrome-flags.conf
-whitelist ${HOME}/.config/chrome-flags.config
+allow  ${HOME}/.config/chrome-flags.conf
+allow  ${HOME}/.config/chrome-flags.config
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/google-earth.profile b/etc/profile-a-l/google-earth.profile
index 65ac04771..6039f7cbd 100644
--- a/etc/profile-a-l/google-earth.profile
+++ b/etc/profile-a-l/google-earth.profile
@@ -5,8 +5,8 @@ include google-earth.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Google
-noblacklist ${HOME}/.googleearth
+nodeny  ${HOME}/.config/Google
+nodeny  ${HOME}/.googleearth
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/.config/Google
 mkdir ${HOME}/.googleearth
-whitelist ${HOME}/.config/Google
-whitelist ${HOME}/.googleearth
+allow  ${HOME}/.config/Google
+allow  ${HOME}/.googleearth
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/google-play-music-desktop-player.profile b/etc/profile-a-l/google-play-music-desktop-player.profile
index a7aabe105..fdb65b93c 100644
--- a/etc/profile-a-l/google-play-music-desktop-player.profile
+++ b/etc/profile-a-l/google-play-music-desktop-player.profile
@@ -8,7 +8,7 @@ include globals.local
 # noexec /tmp breaks mpris support
 ignore noexec /tmp
 
-noblacklist ${HOME}/.config/Google Play Music Desktop Player
+nodeny  ${HOME}/.config/Google Play Music Desktop Player
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,7 +20,7 @@ include disable-programs.inc
 mkdir ${HOME}/.config/Google Play Music Desktop Player
 # whitelist ${HOME}/.config/pulse
 # whitelist ${HOME}/.pulse
-whitelist ${HOME}/.config/Google Play Music Desktop Player
+allow  ${HOME}/.config/Google Play Music Desktop Player
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile
index 2d0bce52b..952c9c1d4 100644
--- a/etc/profile-a-l/googler-common.profile
+++ b/etc/profile-a-l/googler-common.profile
@@ -7,10 +7,10 @@ include googler-common.local
 # added by caller profile
 #include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
-noblacklist ${HOME}/.w3m
+nodeny  ${HOME}/.w3m
 
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
@@ -26,7 +26,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist ${HOME}/.w3m
+allow  ${HOME}/.w3m
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/gpa.profile b/etc/profile-a-l/gpa.profile
index 37b4f0b1c..9b8da361b 100644
--- a/etc/profile-a-l/gpa.profile
+++ b/etc/profile-a-l/gpa.profile
@@ -6,7 +6,7 @@ include gpa.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.gnupg
+nodeny  ${HOME}/.gnupg
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gpg-agent.profile b/etc/profile-a-l/gpg-agent.profile
index 7f0b614b1..5fa66bb55 100644
--- a/etc/profile-a-l/gpg-agent.profile
+++ b/etc/profile-a-l/gpg-agent.profile
@@ -7,10 +7,10 @@ include gpg-agent.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.gnupg
+nodeny  ${HOME}/.gnupg
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,11 +20,11 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.gnupg
-whitelist ${HOME}/.gnupg
-whitelist ${RUNUSER}/gnupg
-whitelist ${RUNUSER}/keyring
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
+allow  ${HOME}/.gnupg
+allow  ${RUNUSER}/gnupg
+allow  ${RUNUSER}/keyring
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gpg.profile b/etc/profile-a-l/gpg.profile
index 4a4d6527c..2ad896abe 100644
--- a/etc/profile-a-l/gpg.profile
+++ b/etc/profile-a-l/gpg.profile
@@ -7,10 +7,10 @@ include gpg.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.gnupg
+nodeny  ${HOME}/.gnupg
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,11 +18,11 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist ${RUNUSER}/gnupg
-whitelist ${RUNUSER}/keyring
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
-whitelist /usr/share/pacman/keyrings
+allow  ${RUNUSER}/gnupg
+allow  ${RUNUSER}/keyring
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
+allow  /usr/share/pacman/keyrings
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile
index fa53c26c8..0552dc3d7 100644
--- a/etc/profile-a-l/gpicview.profile
+++ b/etc/profile-a-l/gpicview.profile
@@ -6,7 +6,7 @@ include gpicview.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/gpicview
+nodeny  ${HOME}/.config/gpicview
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
-whitelist /usr/share/gpicview
+allow  /usr/share/gpicview
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile
index 253d644f1..c9e62a73f 100644
--- a/etc/profile-a-l/gpredict.profile
+++ b/etc/profile-a-l/gpredict.profile
@@ -6,7 +6,7 @@ include gpredict.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Gpredict
+nodeny  ${HOME}/.config/Gpredict
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Gpredict
-whitelist ${HOME}/.config/Gpredict
+allow  ${HOME}/.config/Gpredict
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile
index 2b4c536d2..2aebe2338 100644
--- a/etc/profile-a-l/gradio.profile
+++ b/etc/profile-a-l/gradio.profile
@@ -5,8 +5,8 @@ include gradio.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/gradio
-noblacklist ${HOME}/.local/share/gradio
+nodeny  ${HOME}/.cache/gradio
+nodeny  ${HOME}/.local/share/gradio
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/gradio
 mkdir ${HOME}/.local/share/gradio
-whitelist ${HOME}/.cache/gradio
-whitelist ${HOME}/.local/share/gradio
+allow  ${HOME}/.cache/gradio
+allow  ${HOME}/.local/share/gradio
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gramps.profile b/etc/profile-a-l/gramps.profile
index c7e0c2977..53f0baccb 100644
--- a/etc/profile-a-l/gramps.profile
+++ b/etc/profile-a-l/gramps.profile
@@ -6,7 +6,7 @@ include gramps.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.gramps
+nodeny  ${HOME}/.gramps
 
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
@@ -21,7 +21,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.gramps
-whitelist ${HOME}/.gramps
+allow  ${HOME}/.gramps
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
index 890ba2560..ecc871c2e 100644
--- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/gravity-beams-and-evaporating-stars
+allow  /usr/share/gravity-beams-and-evaporating-stars
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gthumb.profile b/etc/profile-a-l/gthumb.profile
index 5927e8c4d..9a4f7b4fb 100644
--- a/etc/profile-a-l/gthumb.profile
+++ b/etc/profile-a-l/gthumb.profile
@@ -6,9 +6,9 @@ include gthumb.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/gthumb
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.steam
+nodeny  ${HOME}/.config/gthumb
+nodeny  ${HOME}/.Steam
+nodeny  ${HOME}/.steam
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile
index c8addae75..d6bb9902a 100644
--- a/etc/profile-a-l/gtk-update-icon-cache.profile
+++ b/etc/profile-a-l/gtk-update-icon-cache.profile
@@ -7,7 +7,7 @@ include gtk-update-icon-cache.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gtk2-youtube-viewer.profile b/etc/profile-a-l/gtk2-youtube-viewer.profile
index 787c7bd90..8241de43a 100644
--- a/etc/profile-a-l/gtk2-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk2-youtube-viewer.profile
@@ -8,8 +8,8 @@ include gtk2-youtube-viewer.local
 
 ignore quiet
 
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}
+nodeny  /tmp/.X11-unix
+nodeny  ${RUNUSER}
 
 include whitelist-runuser-common.inc
 
diff --git a/etc/profile-a-l/gtk3-youtube-viewer.profile b/etc/profile-a-l/gtk3-youtube-viewer.profile
index 988882622..6ea4ebbdc 100644
--- a/etc/profile-a-l/gtk3-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk3-youtube-viewer.profile
@@ -8,8 +8,8 @@ include gtk3-youtube-viewer.local
 
 ignore quiet
 
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}
+nodeny  /tmp/.X11-unix
+nodeny  ${RUNUSER}
 
 include whitelist-runuser-common.inc
 
diff --git a/etc/profile-a-l/guayadeque.profile b/etc/profile-a-l/guayadeque.profile
index 3d2b71e9d..731bcad1d 100644
--- a/etc/profile-a-l/guayadeque.profile
+++ b/etc/profile-a-l/guayadeque.profile
@@ -5,8 +5,8 @@ include guayadeque.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.guayadeque
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.guayadeque
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gummi.profile b/etc/profile-a-l/gummi.profile
index 2223c37a1..5cdc2cc18 100644
--- a/etc/profile-a-l/gummi.profile
+++ b/etc/profile-a-l/gummi.profile
@@ -5,8 +5,8 @@ include gummi.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/gummi
-noblacklist ${HOME}/.config/gummi
+nodeny  ${HOME}/.cache/gummi
+nodeny  ${HOME}/.config/gummi
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
diff --git a/etc/profile-a-l/guvcview.profile b/etc/profile-a-l/guvcview.profile
index 9221ca31c..3404f5177 100644
--- a/etc/profile-a-l/guvcview.profile
+++ b/etc/profile-a-l/guvcview.profile
@@ -6,10 +6,10 @@ include guvcview.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/guvcview2
+nodeny  ${HOME}/.config/guvcview2
 
-noblacklist ${PICTURES}
-noblacklist ${VIDEOS}
+nodeny  ${PICTURES}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,9 +21,9 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/guvcview2
-whitelist ${HOME}/.config/guvcview2
-whitelist ${PICTURES}
-whitelist ${VIDEOS}
+allow  ${HOME}/.config/guvcview2
+allow  ${PICTURES}
+allow  ${VIDEOS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile
index d33e2a673..132b5a2e2 100644
--- a/etc/profile-a-l/gwenview.profile
+++ b/etc/profile-a-l/gwenview.profile
@@ -6,17 +6,17 @@ include gwenview.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/GIMP
-noblacklist ${HOME}/.config/gwenviewrc
-noblacklist ${HOME}/.config/org.kde.gwenviewrc
-noblacklist ${HOME}/.gimp*
-noblacklist ${HOME}/.kde/share/apps/gwenview
-noblacklist ${HOME}/.kde/share/config/gwenviewrc
-noblacklist ${HOME}/.kde4/share/apps/gwenview
-noblacklist ${HOME}/.kde4/share/config/gwenviewrc
-noblacklist ${HOME}/.local/share/gwenview
-noblacklist ${HOME}/.local/share/kxmlgui5/gwenview
-noblacklist ${HOME}/.local/share/org.kde.gwenview
+nodeny  ${HOME}/.config/GIMP
+nodeny  ${HOME}/.config/gwenviewrc
+nodeny  ${HOME}/.config/org.kde.gwenviewrc
+nodeny  ${HOME}/.gimp*
+nodeny  ${HOME}/.kde/share/apps/gwenview
+nodeny  ${HOME}/.kde/share/config/gwenviewrc
+nodeny  ${HOME}/.kde4/share/apps/gwenview
+nodeny  ${HOME}/.kde4/share/config/gwenviewrc
+nodeny  ${HOME}/.local/share/gwenview
+nodeny  ${HOME}/.local/share/kxmlgui5/gwenview
+nodeny  ${HOME}/.local/share/org.kde.gwenview
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gzip.profile b/etc/profile-a-l/gzip.profile
index b261c16f4..46c98bdc2 100644
--- a/etc/profile-a-l/gzip.profile
+++ b/etc/profile-a-l/gzip.profile
@@ -9,7 +9,7 @@ include globals.local
 
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop
 # all capabilities this is automatically read-only.
-noblacklist /var/lib/pacman
+nodeny  /var/lib/pacman
 
 # Redirect
 include archiver-common.profile
diff --git a/etc/profile-a-l/handbrake.profile b/etc/profile-a-l/handbrake.profile
index 847e1ec1e..c102ac4cb 100644
--- a/etc/profile-a-l/handbrake.profile
+++ b/etc/profile-a-l/handbrake.profile
@@ -6,9 +6,9 @@ include handbrake.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/ghb
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/ghb
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/hashcat.profile b/etc/profile-a-l/hashcat.profile
index aab4b0c21..d98a1b554 100644
--- a/etc/profile-a-l/hashcat.profile
+++ b/etc/profile-a-l/hashcat.profile
@@ -7,11 +7,11 @@ include hashcat.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${HOME}/.hashcat
-noblacklist /usr/include
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.hashcat
+nodeny  /usr/include
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile
index 44584f26b..1c2a44e06 100644
--- a/etc/profile-a-l/hasher-common.profile
+++ b/etc/profile-a-l/hasher-common.profile
@@ -4,7 +4,7 @@ include hasher-common.local
 
 # common profile for hasher/checksum tools
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
 # Comment/uncomment the relevant include file(s) in your hasher-common.local
 # to (un)restrict file access for **all** hashers. Another option is to do this **per hasher**
diff --git a/etc/profile-a-l/hedgewars.profile b/etc/profile-a-l/hedgewars.profile
index c0675d8ec..90833af91 100644
--- a/etc/profile-a-l/hedgewars.profile
+++ b/etc/profile-a-l/hedgewars.profile
@@ -6,7 +6,7 @@ include hedgewars.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.hedgewars
+nodeny  ${HOME}/.hedgewars
 
 include allow-lua.inc
 
@@ -17,7 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.hedgewars
-whitelist ${HOME}/.hedgewars
+allow  ${HOME}/.hedgewars
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
index b887de147..993efb591 100644
--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -6,7 +6,7 @@ include hexchat.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/hexchat
+nodeny  ${HOME}/.config/hexchat
 
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
@@ -28,7 +28,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/hexchat
-whitelist ${HOME}/.config/hexchat
+allow  ${HOME}/.config/hexchat
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/highlight.profile b/etc/profile-a-l/highlight.profile
index 643736ac7..53db642dc 100644
--- a/etc/profile-a-l/highlight.profile
+++ b/etc/profile-a-l/highlight.profile
@@ -6,7 +6,7 @@ include highlight.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
index 199b1a5e5..ef259cc00 100644
--- a/etc/profile-a-l/homebank.profile
+++ b/etc/profile-a-l/homebank.profile
@@ -6,7 +6,7 @@ include homebank.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/homebank
+nodeny  ${HOME}/.config/homebank
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,9 +18,9 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/homebank
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/homebank
-whitelist /usr/share/homebank
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/homebank
+allow  /usr/share/homebank
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/host.profile b/etc/profile-a-l/host.profile
index 00d9f7a76..63e1be259 100644
--- a/etc/profile-a-l/host.profile
+++ b/etc/profile-a-l/host.profile
@@ -7,8 +7,8 @@ include host.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
-noblacklist ${PATH}/host
+deny  ${RUNUSER}
+nodeny  ${PATH}/host
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/hugin.profile b/etc/profile-a-l/hugin.profile
index 267712c87..db5cd29cc 100644
--- a/etc/profile-a-l/hugin.profile
+++ b/etc/profile-a-l/hugin.profile
@@ -6,9 +6,9 @@ include hugin.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.hugin
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.hugin
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile
index e66ffd7e1..1fb33ceb8 100644
--- a/etc/profile-a-l/hyperrogue.profile
+++ b/etc/profile-a-l/hyperrogue.profile
@@ -6,7 +6,7 @@ include hyperrogue.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/hyperrogue.ini
+nodeny  ${HOME}/hyperrogue.ini
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkfile ${HOME}/hyperrogue.ini
-whitelist ${HOME}/hyperrogue.ini
-whitelist /usr/share/hyperrogue
+allow  ${HOME}/hyperrogue.ini
+allow  /usr/share/hyperrogue
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile
index 47c984175..c8a2e8a04 100644
--- a/etc/profile-a-l/i2prouter.profile
+++ b/etc/profile-a-l/i2prouter.profile
@@ -14,12 +14,12 @@ include globals.local
 # Only needed when i2prouter binary resides in home directory (official I2P java installer does so).
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.config/i2p
-noblacklist ${HOME}/.i2p
-noblacklist ${HOME}/.local/share/i2p
-noblacklist ${HOME}/i2p
+nodeny  ${HOME}/.config/i2p
+nodeny  ${HOME}/.i2p
+nodeny  ${HOME}/.local/share/i2p
+nodeny  ${HOME}/i2p
 # Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so).
-noblacklist /usr/sbin
+nodeny  /usr/sbin
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -36,12 +36,12 @@ mkdir ${HOME}/.config/i2p
 mkdir ${HOME}/.i2p
 mkdir ${HOME}/.local/share/i2p
 mkdir ${HOME}/i2p
-whitelist ${HOME}/.config/i2p
-whitelist ${HOME}/.i2p
-whitelist ${HOME}/.local/share/i2p
-whitelist ${HOME}/i2p
+allow  ${HOME}/.config/i2p
+allow  ${HOME}/.i2p
+allow  ${HOME}/.local/share/i2p
+allow  ${HOME}/i2p
 # Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so).
-whitelist /usr/sbin/wrapper*
+allow  /usr/sbin/wrapper*
 
 include whitelist-common.inc
 
diff --git a/etc/profile-a-l/i3.profile b/etc/profile-a-l/i3.profile
index e96b1843c..95ddad221 100644
--- a/etc/profile-a-l/i3.profile
+++ b/etc/profile-a-l/i3.profile
@@ -7,7 +7,7 @@ include i3.local
 include globals.local
 
 # all applications started in i3 will run in this profile
-noblacklist ${HOME}/.config/i3
+nodeny  ${HOME}/.config/i3
 include disable-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/icecat.profile b/etc/profile-a-l/icecat.profile
index 660343a29..0de2f658b 100644
--- a/etc/profile-a-l/icecat.profile
+++ b/etc/profile-a-l/icecat.profile
@@ -5,13 +5,13 @@ include icecat.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/mozilla
-noblacklist ${HOME}/.mozilla
+nodeny  ${HOME}/.cache/mozilla
+nodeny  ${HOME}/.mozilla
 
 mkdir ${HOME}/.cache/mozilla/icecat
 mkdir ${HOME}/.mozilla
-whitelist ${HOME}/.cache/mozilla/icecat
-whitelist ${HOME}/.mozilla
+allow  ${HOME}/.cache/mozilla/icecat
+allow  ${HOME}/.mozilla
 
 # private-etc must first be enabled in firefox-common.profile
 #private-etc icecat
diff --git a/etc/profile-a-l/icedove.profile b/etc/profile-a-l/icedove.profile
index 19690cd5a..0c22d87d0 100644
--- a/etc/profile-a-l/icedove.profile
+++ b/etc/profile-a-l/icedove.profile
@@ -9,16 +9,16 @@ include icedove.local
 # Users have icedove set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
 
-noblacklist ${HOME}/.cache/icedove
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.icedove
+nodeny  ${HOME}/.cache/icedove
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.icedove
 
 mkdir ${HOME}/.cache/icedove
 mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.icedove
-whitelist ${HOME}/.cache/icedove
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.icedove
+allow  ${HOME}/.cache/icedove
+allow  ${HOME}/.gnupg
+allow  ${HOME}/.icedove
 include whitelist-common.inc
 
 ignore private-tmp
diff --git a/etc/profile-a-l/idea.sh.profile b/etc/profile-a-l/idea.sh.profile
index 680b8e777..180b62ec2 100644
--- a/etc/profile-a-l/idea.sh.profile
+++ b/etc/profile-a-l/idea.sh.profile
@@ -5,12 +5,12 @@ include idea.sh.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.IdeaIC*
-noblacklist ${HOME}/.android
-noblacklist ${HOME}/.jack-server
-noblacklist ${HOME}/.jack-settings
-noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.tooling
+nodeny  ${HOME}/.IdeaIC*
+nodeny  ${HOME}/.android
+nodeny  ${HOME}/.jack-server
+nodeny  ${HOME}/.jack-settings
+nodeny  ${HOME}/.local/share/JetBrains
+nodeny  ${HOME}/.tooling
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/imagej.profile b/etc/profile-a-l/imagej.profile
index 12ce7976b..5d28e7aca 100644
--- a/etc/profile-a-l/imagej.profile
+++ b/etc/profile-a-l/imagej.profile
@@ -6,7 +6,7 @@ include imagej.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.imagej
+nodeny  ${HOME}/.imagej
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-a-l/img2txt.profile b/etc/profile-a-l/img2txt.profile
index c26958d06..70d56a7dc 100644
--- a/etc/profile-a-l/img2txt.profile
+++ b/etc/profile-a-l/img2txt.profile
@@ -5,10 +5,10 @@ include img2txt.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/imlib2
+allow  /usr/share/imlib2
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/impressive.profile b/etc/profile-a-l/impressive.profile
index c152be01c..4914cd9d0 100644
--- a/etc/profile-a-l/impressive.profile
+++ b/etc/profile-a-l/impressive.profile
@@ -6,9 +6,9 @@ include impressive.local
 # Persistent global definitions
 #include globals.local
 
-noblacklist ${DOCUMENTS}
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  ${DOCUMENTS}
+nodeny  /sbin
+nodeny  /usr/sbin
 
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
@@ -23,8 +23,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/mesa_shader_cache
-whitelist /usr/share/opengl-games-utils
-whitelist /usr/share/zenity
+allow  /usr/share/opengl-games-utils
+allow  /usr/share/zenity
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
index 35dd86b32..1a949b300 100644
--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -6,14 +6,14 @@ include inkscape.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/inkscape
-noblacklist ${HOME}/.config/inkscape
-noblacklist ${HOME}/.inkscape
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.cache/inkscape
+nodeny  ${HOME}/.config/inkscape
+nodeny  ${HOME}/.inkscape
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 # Allow exporting .xcf files
-noblacklist ${HOME}/.config/GIMP
-noblacklist ${HOME}/.gimp*
+nodeny  ${HOME}/.config/GIMP
+nodeny  ${HOME}/.gimp*
 
 
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -28,7 +28,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/inkscape
+allow  /usr/share/inkscape
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/inox.profile b/etc/profile-a-l/inox.profile
index a5cac12f2..1591ed7ea 100644
--- a/etc/profile-a-l/inox.profile
+++ b/etc/profile-a-l/inox.profile
@@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/inox
-noblacklist ${HOME}/.config/inox
+nodeny  ${HOME}/.cache/inox
+nodeny  ${HOME}/.config/inox
 
 mkdir ${HOME}/.cache/inox
 mkdir ${HOME}/.config/inox
-whitelist ${HOME}/.cache/inox
-whitelist ${HOME}/.config/inox
+allow  ${HOME}/.cache/inox
+allow  ${HOME}/.config/inox
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/iridium.profile b/etc/profile-a-l/iridium.profile
index 3037d00e9..f361fd663 100644
--- a/etc/profile-a-l/iridium.profile
+++ b/etc/profile-a-l/iridium.profile
@@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/iridium
-noblacklist ${HOME}/.config/iridium
+nodeny  ${HOME}/.cache/iridium
+nodeny  ${HOME}/.config/iridium
 
 mkdir ${HOME}/.cache/iridium
 mkdir ${HOME}/.config/iridium
-whitelist ${HOME}/.cache/iridium
-whitelist ${HOME}/.config/iridium
+allow  ${HOME}/.cache/iridium
+allow  ${HOME}/.config/iridium
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/itch.profile b/etc/profile-a-l/itch.profile
index e02dcbdb1..fa0bcf986 100644
--- a/etc/profile-a-l/itch.profile
+++ b/etc/profile-a-l/itch.profile
@@ -8,8 +8,8 @@ include globals.local
 # itch.io has native firejail/sandboxing support bundled in
 # See https://itch.io/docs/itch/using/sandbox/linux.html
 
-noblacklist ${HOME}/.itch
-noblacklist ${HOME}/.config/itch
+nodeny  ${HOME}/.itch
+nodeny  ${HOME}/.config/itch
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/.itch
 mkdir ${HOME}/.config/itch
-whitelist ${HOME}/.itch
-whitelist ${HOME}/.config/itch
+allow  ${HOME}/.itch
+allow  ${HOME}/.config/itch
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/jami-gnome.profile b/etc/profile-a-l/jami-gnome.profile
index 3e9abf369..e4be574df 100644
--- a/etc/profile-a-l/jami-gnome.profile
+++ b/etc/profile-a-l/jami-gnome.profile
@@ -6,8 +6,8 @@ include jami-gnome.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/jami
-noblacklist ${HOME}/.local/share/jami
+nodeny  ${HOME}/.config/jami
+nodeny  ${HOME}/.local/share/jami
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/.config/jami
 mkdir ${HOME}/.local/share/jami
-whitelist ${HOME}/.config/jami
-whitelist ${HOME}/.local/share/jami
+allow  ${HOME}/.config/jami
+allow  ${HOME}/.local/share/jami
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/jd-gui.profile b/etc/profile-a-l/jd-gui.profile
index 7d29f1068..bfea84c69 100644
--- a/etc/profile-a-l/jd-gui.profile
+++ b/etc/profile-a-l/jd-gui.profile
@@ -5,7 +5,7 @@ include jd-gui.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/jd-gui.cfg
+nodeny  ${HOME}/.config/jd-gui.cfg
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile
index 85b1f2120..c41027618 100644
--- a/etc/profile-a-l/jerry.profile
+++ b/etc/profile-a-l/jerry.profile
@@ -6,7 +6,7 @@ include jerry.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/dkl
+nodeny  ${HOME}/.config/dkl
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile
index edb7ed840..9ca30c36d 100644
--- a/etc/profile-a-l/jitsi-meet-desktop.profile
+++ b/etc/profile-a-l/jitsi-meet-desktop.profile
@@ -13,12 +13,12 @@ ignore shell none
 
 ignore noexec /tmp
 
-noblacklist ${HOME}/.config/Jitsi Meet
+nodeny  ${HOME}/.config/Jitsi Meet
 
-nowhitelist ${DOWNLOADS}
+noallow  ${DOWNLOADS}
 
 mkdir ${HOME}/.config/Jitsi Meet
-whitelist ${HOME}/.config/Jitsi Meet
+allow  ${HOME}/.config/Jitsi Meet
 
 private-bin bash,electron,electron[0-9],electron[0-9][0-9],jitsi-meet-desktop,sh
 private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
diff --git a/etc/profile-a-l/jitsi.profile b/etc/profile-a-l/jitsi.profile
index 223c360b8..f53e6ca32 100644
--- a/etc/profile-a-l/jitsi.profile
+++ b/etc/profile-a-l/jitsi.profile
@@ -5,7 +5,7 @@ include jitsi.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.jitsi
+nodeny  ${HOME}/.jitsi
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile
index 9954b8aea..c0a78ecc0 100644
--- a/etc/profile-a-l/jumpnbump.profile
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -6,7 +6,7 @@ include jumpnbump.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.jumpnbump
+nodeny  ${HOME}/.jumpnbump
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.jumpnbump
-whitelist ${HOME}/.jumpnbump
-whitelist /usr/share/jumpnbump
+allow  ${HOME}/.jumpnbump
+allow  /usr/share/jumpnbump
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/k3b.profile b/etc/profile-a-l/k3b.profile
index 5ae90dff6..73ce8670f 100644
--- a/etc/profile-a-l/k3b.profile
+++ b/etc/profile-a-l/k3b.profile
@@ -6,11 +6,11 @@ include k3b.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/k3brc
-noblacklist ${HOME}/.kde/share/config/k3brc
-noblacklist ${HOME}/.kde4/share/config/k3brc
-noblacklist ${HOME}/.local/share/kxmlgui5/k3b
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/k3brc
+nodeny  ${HOME}/.kde/share/config/k3brc
+nodeny  ${HOME}/.kde4/share/config/k3brc
+nodeny  ${HOME}/.local/share/kxmlgui5/k3b
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kaffeine.profile b/etc/profile-a-l/kaffeine.profile
index d55fd22cb..e6a00e350 100644
--- a/etc/profile-a-l/kaffeine.profile
+++ b/etc/profile-a-l/kaffeine.profile
@@ -6,14 +6,14 @@ include kaffeine.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/kaffeinerc
-noblacklist ${HOME}/.kde/share/apps/kaffeine
-noblacklist ${HOME}/.kde/share/config/kaffeinerc
-noblacklist ${HOME}/.kde4/share/apps/kaffeine
-noblacklist ${HOME}/.kde4/share/config/kaffeinerc
-noblacklist ${HOME}/.local/share/kaffeine
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/kaffeinerc
+nodeny  ${HOME}/.kde/share/apps/kaffeine
+nodeny  ${HOME}/.kde/share/config/kaffeinerc
+nodeny  ${HOME}/.kde4/share/apps/kaffeine
+nodeny  ${HOME}/.kde4/share/config/kaffeinerc
+nodeny  ${HOME}/.local/share/kaffeine
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile
index 503dac4b6..98b04353e 100644
--- a/etc/profile-a-l/kalgebra.profile
+++ b/etc/profile-a-l/kalgebra.profile
@@ -6,8 +6,8 @@ include kalgebra.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/kalgebrarc
-noblacklist ${HOME}/.local/share/kalgebra
+nodeny  ${HOME}/.config/kalgebrarc
+nodeny  ${HOME}/.local/share/kalgebra
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/kalgebramobile
+allow  /usr/share/kalgebramobile
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/karbon.profile b/etc/profile-a-l/karbon.profile
index 231299a2f..db5394550 100644
--- a/etc/profile-a-l/karbon.profile
+++ b/etc/profile-a-l/karbon.profile
@@ -6,7 +6,7 @@ include karbon.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.local/share/kxmlgui5/karbon
+nodeny  ${HOME}/.local/share/kxmlgui5/karbon
 
 # Redirect
 include krita.profile
diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile
index 27b87e7c3..d2b180492 100644
--- a/etc/profile-a-l/kate.profile
+++ b/etc/profile-a-l/kate.profile
@@ -8,20 +8,20 @@ include globals.local
 
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.config/katemetainfos
-noblacklist ${HOME}/.config/katepartrc
-noblacklist ${HOME}/.config/katerc
-noblacklist ${HOME}/.config/kateschemarc
-noblacklist ${HOME}/.config/katesyntaxhighlightingrc
-noblacklist ${HOME}/.config/katevirc
-noblacklist ${HOME}/.local/share/kate
-noblacklist ${HOME}/.local/share/kxmlgui5/kate
-noblacklist ${HOME}/.local/share/kxmlgui5/katefiletree
-noblacklist ${HOME}/.local/share/kxmlgui5/katekonsole
-noblacklist ${HOME}/.local/share/kxmlgui5/kateopenheaderplugin
-noblacklist ${HOME}/.local/share/kxmlgui5/katepart
-noblacklist ${HOME}/.local/share/kxmlgui5/kateproject
-noblacklist ${HOME}/.local/share/kxmlgui5/katesearch
+nodeny  ${HOME}/.config/katemetainfos
+nodeny  ${HOME}/.config/katepartrc
+nodeny  ${HOME}/.config/katerc
+nodeny  ${HOME}/.config/kateschemarc
+nodeny  ${HOME}/.config/katesyntaxhighlightingrc
+nodeny  ${HOME}/.config/katevirc
+nodeny  ${HOME}/.local/share/kate
+nodeny  ${HOME}/.local/share/kxmlgui5/kate
+nodeny  ${HOME}/.local/share/kxmlgui5/katefiletree
+nodeny  ${HOME}/.local/share/kxmlgui5/katekonsole
+nodeny  ${HOME}/.local/share/kxmlgui5/kateopenheaderplugin
+nodeny  ${HOME}/.local/share/kxmlgui5/katepart
+nodeny  ${HOME}/.local/share/kxmlgui5/kateproject
+nodeny  ${HOME}/.local/share/kxmlgui5/katesearch
 
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index 9795cf168..a4e2e64f4 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -8,9 +8,9 @@ include globals.local
 
 ignore noexec ${HOME}
 
-noblacklist ${PICTURES}
-noblacklist ${VIDEOS}
-noblacklist ${HOME}/.config/kazam
+nodeny  ${PICTURES}
+nodeny  ${VIDEOS}
+nodeny  ${HOME}/.config/kazam
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -25,7 +25,7 @@ include disable-passwdmgr.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/kazam
+allow  /usr/share/kazam
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile
index e36ee5ed2..fcb168d4d 100644
--- a/etc/profile-a-l/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -6,7 +6,7 @@ include kcalc.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/kxmlgui5/kcalc
+nodeny  ${HOME}/.local/share/kxmlgui5/kcalc
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,13 +21,13 @@ mkdir ${HOME}/.local/share/kxmlgui5/kcalc
 mkfile ${HOME}/.config/kcalcrc
 mkfile ${HOME}/.kde/share/config/kcalcrc
 mkfile ${HOME}/.kde4/share/config/kcalcrc
-whitelist ${HOME}/.config/kcalcrc
-whitelist ${HOME}/.kde/share/config/kcalcrc
-whitelist ${HOME}/.kde4/share/config/kcalcrc
-whitelist ${HOME}/.local/share/kxmlgui5/kcalc
-whitelist /usr/share/config.kcfg/kcalc.kcfg
-whitelist /usr/share/kcalc
-whitelist /usr/share/kconf_update/kcalcrc.upd
+allow  ${HOME}/.config/kcalcrc
+allow  ${HOME}/.kde/share/config/kcalcrc
+allow  ${HOME}/.kde4/share/config/kcalcrc
+allow  ${HOME}/.local/share/kxmlgui5/kcalc
+allow  /usr/share/config.kcfg/kcalc.kcfg
+allow  /usr/share/kcalc
+allow  /usr/share/kconf_update/kcalcrc.upd
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/kdenlive.profile b/etc/profile-a-l/kdenlive.profile
index d2a08a269..4acafbf2a 100644
--- a/etc/profile-a-l/kdenlive.profile
+++ b/etc/profile-a-l/kdenlive.profile
@@ -8,10 +8,10 @@ include globals.local
 
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.cache/kdenlive
-noblacklist ${HOME}/.config/kdenliverc
-noblacklist ${HOME}/.local/share/kdenlive
-noblacklist ${HOME}/.local/share/kxmlgui5/kdenlive
+nodeny  ${HOME}/.cache/kdenlive
+nodeny  ${HOME}/.config/kdenliverc
+nodeny  ${HOME}/.local/share/kdenlive
+nodeny  ${HOME}/.local/share/kxmlgui5/kdenlive
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile
index 7c1cb2294..0c37f7968 100644
--- a/etc/profile-a-l/kdiff3.profile
+++ b/etc/profile-a-l/kdiff3.profile
@@ -6,14 +6,14 @@ include kdiff3.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/kdiff3fileitemactionrc
-noblacklist ${HOME}/.config/kdiff3rc
+nodeny  ${HOME}/.config/kdiff3fileitemactionrc
+nodeny  ${HOME}/.config/kdiff3rc
 
 # Add the next line to your kdiff3.local if you don't need to compare files in disable-common.inc.
 # By default we deny access only to .ssh and .gnupg.
 #include disable-common.inc
-blacklist ${HOME}/.ssh
-blacklist ${HOME}/.gnupg
+deny  ${HOME}/.ssh
+deny  ${HOME}/.gnupg
 
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/keepass.profile b/etc/profile-a-l/keepass.profile
index ae8971ab4..9c06962bc 100644
--- a/etc/profile-a-l/keepass.profile
+++ b/etc/profile-a-l/keepass.profile
@@ -6,14 +6,14 @@ include keepass.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/*.kdb
-noblacklist ${HOME}/*.kdbx
-noblacklist ${HOME}/.config/KeePass
-noblacklist ${HOME}/.config/keepass
-noblacklist ${HOME}/.keepass
-noblacklist ${HOME}/.local/share/KeePass
-noblacklist ${HOME}/.local/share/keepass
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/*.kdb
+nodeny  ${HOME}/*.kdbx
+nodeny  ${HOME}/.config/KeePass
+nodeny  ${HOME}/.config/keepass
+nodeny  ${HOME}/.keepass
+nodeny  ${HOME}/.local/share/KeePass
+nodeny  ${HOME}/.local/share/keepass
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/keepassx.profile b/etc/profile-a-l/keepassx.profile
index ac364986d..2772fa8bf 100644
--- a/etc/profile-a-l/keepassx.profile
+++ b/etc/profile-a-l/keepassx.profile
@@ -6,11 +6,11 @@ include keepassx.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/*.kdb
-noblacklist ${HOME}/*.kdbx
-noblacklist ${HOME}/.config/keepassx
-noblacklist ${HOME}/.keepassx
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/*.kdb
+nodeny  ${HOME}/*.kdbx
+nodeny  ${HOME}/.config/keepassx
+nodeny  ${HOME}/.keepassx
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index f71dcf82b..9c530b20d 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -6,23 +6,23 @@ include keepassxc.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/*.kdb
-noblacklist ${HOME}/*.kdbx
-noblacklist ${HOME}/.cache/keepassxc
-noblacklist ${HOME}/.config/keepassxc
-noblacklist ${HOME}/.config/KeePassXCrc
-noblacklist ${HOME}/.keepassxc
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/*.kdb
+nodeny  ${HOME}/*.kdbx
+nodeny  ${HOME}/.cache/keepassxc
+nodeny  ${HOME}/.config/keepassxc
+nodeny  ${HOME}/.config/KeePassXCrc
+nodeny  ${HOME}/.keepassxc
+nodeny  ${DOCUMENTS}
 
 # Allow browser profiles, required for browser integration.
-noblacklist ${HOME}/.config/BraveSoftware
-noblacklist ${HOME}/.config/chromium
-noblacklist ${HOME}/.config/google-chrome
-noblacklist ${HOME}/.config/vivaldi
-noblacklist ${HOME}/.local/share/torbrowser
-noblacklist ${HOME}/.mozilla
+nodeny  ${HOME}/.config/BraveSoftware
+nodeny  ${HOME}/.config/chromium
+nodeny  ${HOME}/.config/google-chrome
+nodeny  ${HOME}/.config/vivaldi
+nodeny  ${HOME}/.local/share/torbrowser
+nodeny  ${HOME}/.mozilla
 
-blacklist /usr/libexec
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
@@ -57,7 +57,7 @@ include disable-xdg.inc
 #whitelist ${HOME}/.config/KeePassXCrc
 #include whitelist-common.inc
 
-whitelist /usr/share/keepassxc
+allow  /usr/share/keepassxc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/kget.profile b/etc/profile-a-l/kget.profile
index 2c684504b..30c041cbc 100644
--- a/etc/profile-a-l/kget.profile
+++ b/etc/profile-a-l/kget.profile
@@ -6,13 +6,13 @@ include kget.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/kgetrc
-noblacklist ${HOME}/.kde/share/apps/kget
-noblacklist ${HOME}/.kde/share/config/kgetrc
-noblacklist ${HOME}/.kde4/share/apps/kget
-noblacklist ${HOME}/.kde4/share/config/kgetrc
-noblacklist ${HOME}/.local/share/kget
-noblacklist ${HOME}/.local/share/kxmlgui5/kget
+nodeny  ${HOME}/.config/kgetrc
+nodeny  ${HOME}/.kde/share/apps/kget
+nodeny  ${HOME}/.kde/share/config/kgetrc
+nodeny  ${HOME}/.kde4/share/apps/kget
+nodeny  ${HOME}/.kde4/share/config/kgetrc
+nodeny  ${HOME}/.local/share/kget
+nodeny  ${HOME}/.local/share/kxmlgui5/kget
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kid3-qt.profile b/etc/profile-a-l/kid3-qt.profile
index 9bcede077..84d135fc3 100644
--- a/etc/profile-a-l/kid3-qt.profile
+++ b/etc/profile-a-l/kid3-qt.profile
@@ -2,7 +2,7 @@
 # This file is overwritten after every install/update
 include kid3-qt.local
 
-noblacklist ${HOME}/.config/Kid3
+nodeny  ${HOME}/.config/Kid3
 
 # Redirect
 include kid3.profile
diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile
index e18292e99..0ef2a7845 100644
--- a/etc/profile-a-l/kid3.profile
+++ b/etc/profile-a-l/kid3.profile
@@ -6,9 +6,9 @@ include kid3.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${MUSIC}
-noblacklist ${HOME}/.config/kid3rc
-noblacklist ${HOME}/.local/share/kxmlgui5/kid3
+nodeny  ${MUSIC}
+nodeny  ${HOME}/.config/kid3rc
+nodeny  ${HOME}/.local/share/kxmlgui5/kid3
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kino.profile b/etc/profile-a-l/kino.profile
index 74014ffe6..833c1d22a 100644
--- a/etc/profile-a-l/kino.profile
+++ b/etc/profile-a-l/kino.profile
@@ -6,8 +6,8 @@ include kino.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.kino-history
-noblacklist ${HOME}/.kinorc
+nodeny  ${HOME}/.kino-history
+nodeny  ${HOME}/.kinorc
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile
index 40ee0bbc7..b188ba0e3 100644
--- a/etc/profile-a-l/kiwix-desktop.profile
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -6,8 +6,8 @@ include kiwix-desktop.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/kiwix
-noblacklist ${HOME}/.local/share/kiwix-desktop
+nodeny  ${HOME}/.local/share/kiwix
+nodeny  ${HOME}/.local/share/kiwix-desktop
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/kiwix
 mkdir ${HOME}/.local/share/kiwix-desktop
-whitelist ${HOME}/.local/share/kiwix
-whitelist ${HOME}/.local/share/kiwix-desktop
+allow  ${HOME}/.local/share/kiwix
+allow  ${HOME}/.local/share/kiwix-desktop
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/klatexformula.profile b/etc/profile-a-l/klatexformula.profile
index c6a9023f1..e087e4973 100644
--- a/etc/profile-a-l/klatexformula.profile
+++ b/etc/profile-a-l/klatexformula.profile
@@ -6,8 +6,8 @@ include klatexformula.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.kde/share/apps/klatexformula
-noblacklist ${HOME}/.klatexformula
+nodeny  ${HOME}/.kde/share/apps/klatexformula
+nodeny  ${HOME}/.klatexformula
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile
index f5cd3a48c..ec3912419 100644
--- a/etc/profile-a-l/klavaro.profile
+++ b/etc/profile-a-l/klavaro.profile
@@ -6,8 +6,8 @@ include klavaro.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/klavaro
-noblacklist ${HOME}/.local/share/klavaro
+nodeny  ${HOME}/.config/klavaro
+nodeny  ${HOME}/.local/share/klavaro
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/klavaro
 mkdir ${HOME}/.config/klavaro
-whitelist ${HOME}/.local/share/klavaro
-whitelist ${HOME}/.config/klavaro
+allow  ${HOME}/.local/share/klavaro
+allow  ${HOME}/.config/klavaro
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index 95ae98e53..3c582c08c 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -9,27 +9,27 @@ include globals.local
 # kmail has problems launching akonadi in debian and ubuntu.
 # one solution is to have akonadi already running when kmail is started
 
-noblacklist ${HOME}/.cache/akonadi*
-noblacklist ${HOME}/.cache/kmail2
-noblacklist ${HOME}/.config/akonadi*
-noblacklist ${HOME}/.config/baloorc
-noblacklist ${HOME}/.config/emaildefaults
-noblacklist ${HOME}/.config/emailidentities
-noblacklist ${HOME}/.config/kmail2rc
-noblacklist ${HOME}/.config/kmailsearchindexingrc
-noblacklist ${HOME}/.config/mailtransports
-noblacklist ${HOME}/.config/specialmailcollectionsrc
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.local/share/akonadi*
-noblacklist ${HOME}/.local/share/apps/korganizer
-noblacklist ${HOME}/.local/share/contacts
-noblacklist ${HOME}/.local/share/emailidentities
-noblacklist ${HOME}/.local/share/kmail2
-noblacklist ${HOME}/.local/share/kxmlgui5/kmail
-noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
-noblacklist ${HOME}/.local/share/local-mail
-noblacklist ${HOME}/.local/share/notes
-noblacklist /tmp/akonadi-*
+nodeny  ${HOME}/.cache/akonadi*
+nodeny  ${HOME}/.cache/kmail2
+nodeny  ${HOME}/.config/akonadi*
+nodeny  ${HOME}/.config/baloorc
+nodeny  ${HOME}/.config/emaildefaults
+nodeny  ${HOME}/.config/emailidentities
+nodeny  ${HOME}/.config/kmail2rc
+nodeny  ${HOME}/.config/kmailsearchindexingrc
+nodeny  ${HOME}/.config/mailtransports
+nodeny  ${HOME}/.config/specialmailcollectionsrc
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.local/share/akonadi*
+nodeny  ${HOME}/.local/share/apps/korganizer
+nodeny  ${HOME}/.local/share/contacts
+nodeny  ${HOME}/.local/share/emailidentities
+nodeny  ${HOME}/.local/share/kmail2
+nodeny  ${HOME}/.local/share/kxmlgui5/kmail
+nodeny  ${HOME}/.local/share/kxmlgui5/kmail2
+nodeny  ${HOME}/.local/share/local-mail
+nodeny  ${HOME}/.local/share/notes
+nodeny  /tmp/akonadi-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kmplayer.profile b/etc/profile-a-l/kmplayer.profile
index e88b53499..d2ce14ab6 100644
--- a/etc/profile-a-l/kmplayer.profile
+++ b/etc/profile-a-l/kmplayer.profile
@@ -6,11 +6,11 @@ include kmplayer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/kmplayerrc
-noblacklist ${HOME}/.kde/share/config/kmplayerrc
-noblacklist ${HOME}/.local/share/kmplayer
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/kmplayerrc
+nodeny  ${HOME}/.kde/share/config/kmplayerrc
+nodeny  ${HOME}/.local/share/kmplayer
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/knotes.profile b/etc/profile-a-l/knotes.profile
index f155d0ad6..5a9ac34da 100644
--- a/etc/profile-a-l/knotes.profile
+++ b/etc/profile-a-l/knotes.profile
@@ -10,9 +10,9 @@ include knotes.local
 # knotes has problems launching akonadi in debian and ubuntu.
 # one solution is to have akonadi already running when knotes is started
 
-noblacklist ${HOME}/.config/knotesrc
-noblacklist ${HOME}/.local/share/knotes
-noblacklist ${HOME}/.local/share/kxmlgui5/knotes
+nodeny  ${HOME}/.config/knotesrc
+nodeny  ${HOME}/.local/share/knotes
+nodeny  ${HOME}/.local/share/kxmlgui5/knotes
 
 # Redirect
 include kmail.profile
diff --git a/etc/profile-a-l/kodi.profile b/etc/profile-a-l/kodi.profile
index b7091f1fc..2725c87be 100644
--- a/etc/profile-a-l/kodi.profile
+++ b/etc/profile-a-l/kodi.profile
@@ -13,10 +13,10 @@ ignore noexec ${HOME}
 #ignore noroot
 #ignore private-dev
 
-noblacklist ${HOME}/.kodi
-noblacklist ${MUSIC}
-noblacklist ${PICTURES}
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.kodi
+nodeny  ${MUSIC}
+nodeny  ${PICTURES}
+nodeny  ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/konversation.profile b/etc/profile-a-l/konversation.profile
index 5b5ed6e24..d8ce33838 100644
--- a/etc/profile-a-l/konversation.profile
+++ b/etc/profile-a-l/konversation.profile
@@ -6,11 +6,11 @@ include konversation.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/konversationrc
-noblacklist ${HOME}/.config/konversation.notifyrc
-noblacklist ${HOME}/.kde/share/config/konversationrc
-noblacklist ${HOME}/.kde4/share/config/konversationrc
-noblacklist ${HOME}/.local/share/kxmlgui5/konversation
+nodeny  ${HOME}/.config/konversationrc
+nodeny  ${HOME}/.config/konversation.notifyrc
+nodeny  ${HOME}/.kde/share/config/konversationrc
+nodeny  ${HOME}/.kde4/share/config/konversationrc
+nodeny  ${HOME}/.local/share/kxmlgui5/konversation
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kopete.profile b/etc/profile-a-l/kopete.profile
index 88f47d1bf..749591f32 100644
--- a/etc/profile-a-l/kopete.profile
+++ b/etc/profile-a-l/kopete.profile
@@ -6,11 +6,11 @@ include kopete.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.kde/share/apps/kopete
-noblacklist ${HOME}/.kde/share/config/kopeterc
-noblacklist ${HOME}/.kde4/share/apps/kopete
-noblacklist ${HOME}/.kde4/share/config/kopeterc
-noblacklist ${HOME}/.local/share/kxmlgui5/kopete
+nodeny  ${HOME}/.kde/share/apps/kopete
+nodeny  ${HOME}/.kde/share/config/kopeterc
+nodeny  ${HOME}/.kde4/share/apps/kopete
+nodeny  ${HOME}/.kde4/share/config/kopeterc
+nodeny  ${HOME}/.local/share/kxmlgui5/kopete
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,7 +19,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /var/lib/winpopup
+allow  /var/lib/winpopup
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/krita.profile b/etc/profile-a-l/krita.profile
index 8604e63d0..950341def 100644
--- a/etc/profile-a-l/krita.profile
+++ b/etc/profile-a-l/krita.profile
@@ -9,10 +9,10 @@ include globals.local
 # noexec ${HOME} may break krita, see issue #1953
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.config/kritarc
-noblacklist ${HOME}/.local/share/krita
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.config/kritarc
+nodeny  ${HOME}/.local/share/krita
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile
index 9cb5eff87..7b325d273 100644
--- a/etc/profile-a-l/krunner.profile
+++ b/etc/profile-a-l/krunner.profile
@@ -13,9 +13,9 @@ include globals.local
 # noblacklist ${HOME}/.cache/krunner
 # noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
 # noblacklist ${HOME}/.config/chromium
-noblacklist ${HOME}/.config/krunnerrc
-noblacklist ${HOME}/.kde/share/config/krunnerrc
-noblacklist ${HOME}/.kde4/share/config/krunnerrc
+nodeny  ${HOME}/.config/krunnerrc
+nodeny  ${HOME}/.kde/share/config/krunnerrc
+nodeny  ${HOME}/.kde4/share/config/krunnerrc
 # noblacklist ${HOME}/.local/share/baloo
 # noblacklist ${HOME}/.mozilla
 
diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile
index 5a85194e0..ac9fee585 100644
--- a/etc/profile-a-l/ktorrent.profile
+++ b/etc/profile-a-l/ktorrent.profile
@@ -6,13 +6,13 @@ include ktorrent.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/ktorrentrc
-noblacklist ${HOME}/.kde/share/apps/ktorrent
-noblacklist ${HOME}/.kde/share/config/ktorrentrc
-noblacklist ${HOME}/.kde4/share/apps/ktorrent
-noblacklist ${HOME}/.kde4/share/config/ktorrentrc
-noblacklist ${HOME}/.local/share/ktorrent
-noblacklist ${HOME}/.local/share/kxmlgui5/ktorrent
+nodeny  ${HOME}/.config/ktorrentrc
+nodeny  ${HOME}/.kde/share/apps/ktorrent
+nodeny  ${HOME}/.kde/share/config/ktorrentrc
+nodeny  ${HOME}/.kde4/share/apps/ktorrent
+nodeny  ${HOME}/.kde4/share/config/ktorrentrc
+nodeny  ${HOME}/.local/share/ktorrent
+nodeny  ${HOME}/.local/share/kxmlgui5/ktorrent
 
 include disable-common.inc
 include disable-devel.inc
@@ -29,14 +29,14 @@ mkdir ${HOME}/.local/share/kxmlgui5/ktorrent
 mkfile ${HOME}/.config/ktorrentrc
 mkfile ${HOME}/.kde/share/config/ktorrentrc
 mkfile ${HOME}/.kde4/share/config/ktorrentrc
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/ktorrentrc
-whitelist ${HOME}/.kde/share/apps/ktorrent
-whitelist ${HOME}/.kde/share/config/ktorrentrc
-whitelist ${HOME}/.kde4/share/apps/ktorrent
-whitelist ${HOME}/.kde4/share/config/ktorrentrc
-whitelist ${HOME}/.local/share/ktorrent
-whitelist ${HOME}/.local/share/kxmlgui5/ktorrent
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/ktorrentrc
+allow  ${HOME}/.kde/share/apps/ktorrent
+allow  ${HOME}/.kde/share/config/ktorrentrc
+allow  ${HOME}/.kde4/share/apps/ktorrent
+allow  ${HOME}/.kde4/share/config/ktorrentrc
+allow  ${HOME}/.local/share/ktorrent
+allow  ${HOME}/.local/share/kxmlgui5/ktorrent
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile
index 4cf72b74c..71f8e4977 100644
--- a/etc/profile-a-l/ktouch.profile
+++ b/etc/profile-a-l/ktouch.profile
@@ -6,8 +6,8 @@ include ktouch.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/ktouch2rc
-noblacklist ${HOME}/.local/share/ktouch
+nodeny  ${HOME}/.config/ktouch2rc
+nodeny  ${HOME}/.local/share/ktouch
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,8 +20,8 @@ include disable-xdg.inc
 
 mkfile ${HOME}/.config/ktouch2rc
 mkdir ${HOME}/.local/share/ktouch
-whitelist ${HOME}/.config/ktouch2rc
-whitelist ${HOME}/.local/share/ktouch
+allow  ${HOME}/.config/ktouch2rc
+allow  ${HOME}/.local/share/ktouch
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 4e9a12e5f..74ffd1162 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -6,13 +6,13 @@ include kube.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.cache/kube
-noblacklist ${HOME}/.config/kube
-noblacklist ${HOME}/.config/sink
-noblacklist ${HOME}/.local/share/kube
-noblacklist ${HOME}/.local/share/sink
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.mozilla
+nodeny  ${HOME}/.cache/kube
+nodeny  ${HOME}/.config/kube
+nodeny  ${HOME}/.config/sink
+nodeny  ${HOME}/.local/share/kube
+nodeny  ${HOME}/.local/share/sink
 
 include disable-common.inc
 include disable-devel.inc
@@ -29,17 +29,17 @@ mkdir ${HOME}/.config/kube
 mkdir ${HOME}/.config/sink
 mkdir ${HOME}/.local/share/kube
 mkdir ${HOME}/.local/share/sink
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
-whitelist ${HOME}/.cache/kube
-whitelist ${HOME}/.config/kube
-whitelist ${HOME}/.config/sink
-whitelist ${HOME}/.local/share/kube
-whitelist ${HOME}/.local/share/sink
-whitelist ${RUNUSER}/gnupg
-whitelist /usr/share/kube
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
+allow  ${HOME}/.gnupg
+allow  ${HOME}/.mozilla/firefox/profiles.ini
+allow  ${HOME}/.cache/kube
+allow  ${HOME}/.config/kube
+allow  ${HOME}/.config/sink
+allow  ${HOME}/.local/share/kube
+allow  ${HOME}/.local/share/sink
+allow  ${RUNUSER}/gnupg
+allow  /usr/share/kube
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile
index 15e7ceb17..580f93736 100644
--- a/etc/profile-a-l/kwin_x11.profile
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -8,10 +8,10 @@ include globals.local
 # fix automatical kwin_x11 sandboxing:
 # echo KDEWM=kwin_x11 >> ~/.pam_environment
 
-noblacklist ${HOME}/.cache/kwin
-noblacklist ${HOME}/.config/kwinrc
-noblacklist ${HOME}/.config/kwinrulesrc
-noblacklist ${HOME}/.local/share/kwin
+nodeny  ${HOME}/.cache/kwin
+nodeny  ${HOME}/.config/kwinrc
+nodeny  ${HOME}/.config/kwinrulesrc
+nodeny  ${HOME}/.local/share/kwin
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile
index 804ffafeb..08b0e0224 100644
--- a/etc/profile-a-l/kwrite.profile
+++ b/etc/profile-a-l/kwrite.profile
@@ -6,15 +6,15 @@ include kwrite.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/katepartrc
-noblacklist ${HOME}/.config/katerc
-noblacklist ${HOME}/.config/kateschemarc
-noblacklist ${HOME}/.config/katesyntaxhighlightingrc
-noblacklist ${HOME}/.config/katevirc
-noblacklist ${HOME}/.config/kwriterc
-noblacklist ${HOME}/.local/share/kwrite
-noblacklist ${HOME}/.local/share/kxmlgui5/kwrite
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/katepartrc
+nodeny  ${HOME}/.config/katerc
+nodeny  ${HOME}/.config/kateschemarc
+nodeny  ${HOME}/.config/katesyntaxhighlightingrc
+nodeny  ${HOME}/.config/katevirc
+nodeny  ${HOME}/.config/kwriterc
+nodeny  ${HOME}/.local/share/kwrite
+nodeny  ${HOME}/.local/share/kxmlgui5/kwrite
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/latex-common.profile b/etc/profile-a-l/latex-common.profile
index ac1b8785d..91693bfc1 100644
--- a/etc/profile-a-l/latex-common.profile
+++ b/etc/profile-a-l/latex-common.profile
@@ -13,7 +13,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /var/lib
+allow  /var/lib
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/leafpad.profile b/etc/profile-a-l/leafpad.profile
index 4bbb0a86d..e154708eb 100644
--- a/etc/profile-a-l/leafpad.profile
+++ b/etc/profile-a-l/leafpad.profile
@@ -6,7 +6,7 @@ include leafpad.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/leafpad
+nodeny  ${HOME}/.config/leafpad
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/less.profile b/etc/profile-a-l/less.profile
index 8eb5ad0c2..abee392de 100644
--- a/etc/profile-a-l/less.profile
+++ b/etc/profile-a-l/less.profile
@@ -7,9 +7,9 @@ include less.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
-noblacklist ${HOME}/.lesshst
+nodeny  ${HOME}/.lesshst
 
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/librecad.profile b/etc/profile-a-l/librecad.profile
index c57eae73d..8ec41eee3 100644
--- a/etc/profile-a-l/librecad.profile
+++ b/etc/profile-a-l/librecad.profile
@@ -4,8 +4,8 @@ include librecad.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/LibreCAD
-noblacklist ${HOME}/.local/share/LibreCAD
+nodeny  ${HOME}/.config/LibreCAD
+nodeny  ${HOME}/.local/share/LibreCAD
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/librecad
+allow  /usr/share/librecad
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index b1a24888c..ae01d39b8 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -6,15 +6,15 @@ include libreoffice.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /usr/local/sbin
-noblacklist ${HOME}/.config/libreoffice
+nodeny  /usr/local/sbin
+nodeny  ${HOME}/.config/libreoffice
 
 # libreoffice uses java for some functionality.
 # Add 'ignore include allow-java.inc' to your libreoffice.local if you don't need that functionality.
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
 
-blacklist /usr/libexec
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index da047357a..5c614ab8e 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -6,13 +6,13 @@ include librewolf.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/librewolf
-noblacklist ${HOME}/.librewolf
+nodeny  ${HOME}/.cache/librewolf
+nodeny  ${HOME}/.librewolf
 
 mkdir ${HOME}/.cache/librewolf
 mkdir ${HOME}/.librewolf
-whitelist ${HOME}/.cache/librewolf
-whitelist ${HOME}/.librewolf
+allow  ${HOME}/.cache/librewolf
+allow  ${HOME}/.librewolf
 
 # Add the next lines to your librewolf.local if you want to use the migration wizard.
 #noblacklist ${HOME}/.mozilla
@@ -23,10 +23,10 @@ whitelist ${HOME}/.librewolf
 #whitelist ${RUNUSER}/kpxc_server
 #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
 
-whitelist /usr/share/doc
-whitelist /usr/share/gtk-doc/html
-whitelist /usr/share/mozilla
-whitelist /usr/share/webext
+allow  /usr/share/doc
+allow  /usr/share/gtk-doc/html
+allow  /usr/share/mozilla
+allow  /usr/share/webext
 include whitelist-usr-share-common.inc
 
 # Add the next line to your librewolf.local to enable private-bin (Arch Linux).
diff --git a/etc/profile-a-l/lifeograph.profile b/etc/profile-a-l/lifeograph.profile
new file mode 100644
index 000000000..b9ed0de8e
--- /dev/null
+++ b/etc/profile-a-l/lifeograph.profile
@@ -0,0 +1,58 @@
+# Firejail profile for lifeograph
+# Description: Lifeograph is a diary program to take personal notes
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lifeograph.local
+# Persistent global definitions
+include globals.local
+
+nodeny ${DOCUMENTS}
+
+deny /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+allow ${DOCUMENTS}
+allow /usr/share/lifeograph
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin lifeograph
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile
index 7afca1d5f..595ecc257 100644
--- a/etc/profile-a-l/liferea.profile
+++ b/etc/profile-a-l/liferea.profile
@@ -6,9 +6,9 @@ include liferea.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/liferea
-noblacklist ${HOME}/.config/liferea
-noblacklist ${HOME}/.local/share/liferea
+nodeny  ${HOME}/.cache/liferea
+nodeny  ${HOME}/.config/liferea
+nodeny  ${HOME}/.local/share/liferea
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -24,10 +24,10 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/liferea
 mkdir ${HOME}/.config/liferea
 mkdir ${HOME}/.local/share/liferea
-whitelist ${HOME}/.cache/liferea
-whitelist ${HOME}/.config/liferea
-whitelist ${HOME}/.local/share/liferea
-whitelist /usr/share/liferea
+allow  ${HOME}/.cache/liferea
+allow  ${HOME}/.config/liferea
+allow  ${HOME}/.local/share/liferea
+allow  /usr/share/liferea
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/lightsoff.profile b/etc/profile-a-l/lightsoff.profile
index c065c44a9..58d5bcd6d 100644
--- a/etc/profile-a-l/lightsoff.profile
+++ b/etc/profile-a-l/lightsoff.profile
@@ -6,7 +6,7 @@ include lightsoff.local
 # Persistent global definitions
 include globals.local
 
-whitelist /usr/share/lightsoff
+allow  /usr/share/lightsoff
 
 private-bin lightsoff
 
diff --git a/etc/profile-a-l/lincity-ng.profile b/etc/profile-a-l/lincity-ng.profile
index 4254b7f33..e14c50d77 100644
--- a/etc/profile-a-l/lincity-ng.profile
+++ b/etc/profile-a-l/lincity-ng.profile
@@ -6,7 +6,7 @@ include lincity-ng.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.lincity-ng
+nodeny  ${HOME}/.lincity-ng
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.lincity-ng
-whitelist ${HOME}/.lincity-ng
+allow  ${HOME}/.lincity-ng
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
index cd885b1d4..51e3d5b94 100644
--- a/etc/profile-a-l/links-common.profile
+++ b/etc/profile-a-l/links-common.profile
@@ -4,8 +4,8 @@ include links-common.local
 
 # common profile for links browsers
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${DOWNLOADS}
+allow  ${DOWNLOADS}
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile
index 8ce39cc7f..ae57601ca 100644
--- a/etc/profile-a-l/links.profile
+++ b/etc/profile-a-l/links.profile
@@ -7,10 +7,10 @@ include links.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.links
+nodeny  ${HOME}/.links
 
 mkdir ${HOME}/.links
-whitelist ${HOME}/.links
+allow  ${HOME}/.links
 
 private-bin links
 
diff --git a/etc/profile-a-l/links2.profile b/etc/profile-a-l/links2.profile
index 5f91dfcd2..eb349c73a 100644
--- a/etc/profile-a-l/links2.profile
+++ b/etc/profile-a-l/links2.profile
@@ -7,10 +7,10 @@ include links2.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.links2
+nodeny  ${HOME}/.links2
 
 mkdir ${HOME}/.links2
-whitelist ${HOME}/.links2
+allow  ${HOME}/.links2
 
 private-bin links2
 
diff --git a/etc/profile-a-l/linphone.profile b/etc/profile-a-l/linphone.profile
index 7ebdbef4c..dd1dac05b 100644
--- a/etc/profile-a-l/linphone.profile
+++ b/etc/profile-a-l/linphone.profile
@@ -6,10 +6,10 @@ include linphone.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/linphone
-noblacklist ${HOME}/.linphone-history.db
-noblacklist ${HOME}/.linphonerc
-noblacklist ${HOME}/.local/share/linphone
+nodeny  ${HOME}/.config/linphone
+nodeny  ${HOME}/.linphone-history.db
+nodeny  ${HOME}/.linphonerc
+nodeny  ${HOME}/.local/share/linphone
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,11 +23,11 @@ include disable-programs.inc
 # ${HOME}/.linphone-history.db and ${HOME}/.linphonerc but no longer mkfile.
 mkdir ${HOME}/.config/linphone
 mkdir ${HOME}/.local/share/linphone
-whitelist ${HOME}/.config/linphone
-whitelist ${HOME}/.linphone-history.db
-whitelist ${HOME}/.linphonerc
-whitelist ${HOME}/.local/share/linphone
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.config/linphone
+allow  ${HOME}/.linphone-history.db
+allow  ${HOME}/.linphonerc
+allow  ${HOME}/.local/share/linphone
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/lmms.profile b/etc/profile-a-l/lmms.profile
index 48b0e14dc..b22110fdc 100644
--- a/etc/profile-a-l/lmms.profile
+++ b/etc/profile-a-l/lmms.profile
@@ -6,9 +6,9 @@ include lmms.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.lmmsrc.xml
-noblacklist ${DOCUMENTS}
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.lmmsrc.xml
+nodeny  ${DOCUMENTS}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile
index f2676fec5..0a7ce86e8 100644
--- a/etc/profile-a-l/lollypop.profile
+++ b/etc/profile-a-l/lollypop.profile
@@ -6,8 +6,8 @@ include lollypop.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/lollypop
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.local/share/lollypop
+nodeny  ${MUSIC}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/lugaru.profile b/etc/profile-a-l/lugaru.profile
index 174c65a65..30802b3b7 100644
--- a/etc/profile-a-l/lugaru.profile
+++ b/etc/profile-a-l/lugaru.profile
@@ -8,8 +8,8 @@ include globals.local
 
 # note: crashes after entering
 
-noblacklist ${HOME}/.config/lugaru
-noblacklist ${HOME}/.local/share/lugaru
+nodeny  ${HOME}/.config/lugaru
+nodeny  ${HOME}/.local/share/lugaru
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,8 +22,8 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/lugaru
 mkdir ${HOME}/.local/share/lugaru
-whitelist ${HOME}/.config/lugaru
-whitelist ${HOME}/.local/share/lugaru
+allow  ${HOME}/.config/lugaru
+allow  ${HOME}/.local/share/lugaru
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/luminance-hdr.profile b/etc/profile-a-l/luminance-hdr.profile
index 31067034e..73400dbd6 100644
--- a/etc/profile-a-l/luminance-hdr.profile
+++ b/etc/profile-a-l/luminance-hdr.profile
@@ -6,8 +6,8 @@ include luminance-hdr.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Luminance
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.config/Luminance
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
index 80a3aba86..9d5169b80 100644
--- a/etc/profile-a-l/lutris.profile
+++ b/etc/profile-a-l/lutris.profile
@@ -6,18 +6,18 @@ include lutris.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PATH}/llvm*
-noblacklist ${HOME}/Games
-noblacklist ${HOME}/.cache/lutris
-noblacklist ${HOME}/.cache/winetricks
-noblacklist ${HOME}/.config/lutris
-noblacklist ${HOME}/.local/share/lutris
+nodeny  ${PATH}/llvm*
+nodeny  ${HOME}/Games
+nodeny  ${HOME}/.cache/lutris
+nodeny  ${HOME}/.cache/winetricks
+nodeny  ${HOME}/.config/lutris
+nodeny  ${HOME}/.local/share/lutris
 # noblacklist ${HOME}/.wine
-noblacklist /tmp/.wine-*
+nodeny  /tmp/.wine-*
 # Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise
 # Lutris won't even start.
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/sbin
 
 ignore noexec ${HOME}
 
@@ -39,15 +39,15 @@ mkdir ${HOME}/.cache/winetricks
 mkdir ${HOME}/.config/lutris
 mkdir ${HOME}/.local/share/lutris
 # mkdir ${HOME}/.wine
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/Games
-whitelist ${HOME}/.cache/lutris
-whitelist ${HOME}/.cache/winetricks
-whitelist ${HOME}/.config/lutris
-whitelist ${HOME}/.local/share/lutris
+allow  ${DOWNLOADS}
+allow  ${HOME}/Games
+allow  ${HOME}/.cache/lutris
+allow  ${HOME}/.cache/winetricks
+allow  ${HOME}/.config/lutris
+allow  ${HOME}/.local/share/lutris
 # whitelist ${HOME}/.wine
-whitelist /usr/share/lutris
-whitelist /usr/share/wine
+allow  /usr/share/lutris
+allow  /usr/share/wine
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/lximage-qt.profile b/etc/profile-a-l/lximage-qt.profile
index b2a56012e..43147211b 100644
--- a/etc/profile-a-l/lximage-qt.profile
+++ b/etc/profile-a-l/lximage-qt.profile
@@ -6,7 +6,7 @@ include lximage-qt.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/lximage-qt
+nodeny  ${HOME}/.config/lximage-qt
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/lxmusic.profile b/etc/profile-a-l/lxmusic.profile
index cc4b95551..c849f2ad2 100644
--- a/etc/profile-a-l/lxmusic.profile
+++ b/etc/profile-a-l/lxmusic.profile
@@ -6,9 +6,9 @@ include lxmusic.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/xmms2
-noblacklist ${HOME}/.config/xmms2
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.cache/xmms2
+nodeny  ${HOME}/.config/xmms2
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile
index a919e924b..15c8f1faa 100644
--- a/etc/profile-a-l/lynx.profile
+++ b/etc/profile-a-l/lynx.profile
@@ -7,8 +7,8 @@ include lynx.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
index fa69463d1..358dbf2f2 100644
--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -8,8 +8,8 @@ include globals.local
 
 ignore private-tmp
 
-noblacklist ${HOME}/.config/LyX
-noblacklist ${HOME}/.lyx
+nodeny  ${HOME}/.config/LyX
+nodeny  ${HOME}/.lyx
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -21,11 +21,11 @@ include allow-perl.inc
 include allow-python2.inc
 include allow-python3.inc
 
-whitelist /usr/share/lyx
-whitelist /usr/share/texinfo
-whitelist /usr/share/texlive
-whitelist /usr/share/texmf-dist
-whitelist /usr/share/tlpkg
+allow  /usr/share/lyx
+allow  /usr/share/texinfo
+allow  /usr/share/texlive
+allow  /usr/share/texmf-dist
+allow  /usr/share/tlpkg
 include whitelist-usr-share-common.inc
 
 apparmor
diff --git a/etc/profile-a-l/sway.profile b/etc/profile-a-l/sway.profile
index 4637419bf..3a4edcf69 100644
--- a/etc/profile-a-l/sway.profile
+++ b/etc/profile-a-l/sway.profile
@@ -7,9 +7,9 @@ include sway.local
 include globals.local
 
 # all applications started in sway will run in this profile
-noblacklist ${HOME}/.config/sway
+nodeny  ${HOME}/.config/sway
 # sway uses ~/.config/i3 as fallback if there is no ~/.config/sway
-noblacklist ${HOME}/.config/i3
+nodeny  ${HOME}/.config/i3
 include disable-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/Maelstrom.profile b/etc/profile-m-z/Maelstrom.profile
index 62d0a8b3a..e6c43007d 100644
--- a/etc/profile-m-z/Maelstrom.profile
+++ b/etc/profile-m-z/Maelstrom.profile
@@ -6,7 +6,7 @@ include Maelstrom.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /var/lib/games/Maelstrom-Scores
+nodeny  /var/lib/games/Maelstrom-Scores
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /var/lib/games
+allow  /var/lib/games
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/Mathematica.profile b/etc/profile-m-z/Mathematica.profile
index c2734b1c1..bd929d21a 100644
--- a/etc/profile-m-z/Mathematica.profile
+++ b/etc/profile-m-z/Mathematica.profile
@@ -5,8 +5,8 @@ include Mathematica.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.Mathematica
-noblacklist ${HOME}/.Wolfram Research
+nodeny  ${HOME}/.Mathematica
+nodeny  ${HOME}/.Wolfram Research
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,9 +17,9 @@ include disable-programs.inc
 mkdir ${HOME}/.Mathematica
 mkdir ${HOME}/.Wolfram Research
 mkdir ${HOME}/Documents/Wolfram Mathematica
-whitelist ${HOME}/.Mathematica
-whitelist ${HOME}/.Wolfram Research
-whitelist ${HOME}/Documents/Wolfram Mathematica
+allow  ${HOME}/.Mathematica
+allow  ${HOME}/.Wolfram Research
+allow  ${HOME}/Documents/Wolfram Mathematica
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/PCSX2.profile b/etc/profile-m-z/PCSX2.profile
index e678b7204..f833b9446 100644
--- a/etc/profile-m-z/PCSX2.profile
+++ b/etc/profile-m-z/PCSX2.profile
@@ -8,7 +8,7 @@ include globals.local
 
 # Note: you must whitelist your games folder in your PCSX2.local.
 
-noblacklist ${HOME}/.config/PCSX2
+nodeny  ${HOME}/.config/PCSX2
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,7 +21,7 @@ include disable-write-mnt.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/PCSX2
-whitelist ${HOME}/.config/PCSX2
+allow  ${HOME}/.config/PCSX2
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
index 86120587b..d7b01fe06 100644
--- a/etc/profile-m-z/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -6,18 +6,18 @@ include QMediathekView.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/QMediathekView
-noblacklist ${HOME}/.local/share/QMediathekView
-
-noblacklist ${HOME}/.config/mpv
-noblacklist ${HOME}/.config/smplayer
-noblacklist ${HOME}/.config/totem
-noblacklist ${HOME}/.config/vlc
-noblacklist ${HOME}/.config/xplayer
-noblacklist ${HOME}/.local/share/totem
-noblacklist ${HOME}/.local/share/xplayer
-noblacklist ${HOME}/.mplayer
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/QMediathekView
+nodeny  ${HOME}/.local/share/QMediathekView
+
+nodeny  ${HOME}/.config/mpv
+nodeny  ${HOME}/.config/smplayer
+nodeny  ${HOME}/.config/totem
+nodeny  ${HOME}/.config/vlc
+nodeny  ${HOME}/.config/xplayer
+nodeny  ${HOME}/.local/share/totem
+nodeny  ${HOME}/.local/share/xplayer
+nodeny  ${HOME}/.mplayer
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -28,7 +28,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/qtchooser
+allow  /usr/share/qtchooser
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile
index 660378089..4ca42730a 100644
--- a/etc/profile-m-z/QOwnNotes.profile
+++ b/etc/profile-m-z/QOwnNotes.profile
@@ -6,10 +6,10 @@ include QOwnNotes.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
-noblacklist ${HOME}/Nextcloud/Notes
-noblacklist ${HOME}/.config/PBE
-noblacklist ${HOME}/.local/share/PBE
+nodeny  ${DOCUMENTS}
+nodeny  ${HOME}/Nextcloud/Notes
+nodeny  ${HOME}/.config/PBE
+nodeny  ${HOME}/.local/share/PBE
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,10 +23,10 @@ include disable-xdg.inc
 mkdir ${HOME}/Nextcloud/Notes
 mkdir ${HOME}/.config/PBE
 mkdir ${HOME}/.local/share/PBE
-whitelist ${DOCUMENTS}
-whitelist ${HOME}/Nextcloud/Notes
-whitelist ${HOME}/.config/PBE
-whitelist ${HOME}/.local/share/PBE
+allow  ${DOCUMENTS}
+allow  ${HOME}/Nextcloud/Notes
+allow  ${HOME}/.config/PBE
+allow  ${HOME}/.local/share/PBE
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile
index 3195e39fa..b98847d3a 100644
--- a/etc/profile-m-z/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -5,8 +5,8 @@ include Viber.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.ViberPC
-noblacklist ${PATH}/dig
+nodeny  ${HOME}/.ViberPC
+nodeny  ${PATH}/dig
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,8 +16,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.ViberPC
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.ViberPC
+allow  ${DOWNLOADS}
+allow  ${HOME}/.ViberPC
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/XMind.profile b/etc/profile-m-z/XMind.profile
index d78e04595..c9cf7adf7 100644
--- a/etc/profile-m-z/XMind.profile
+++ b/etc/profile-m-z/XMind.profile
@@ -5,7 +5,7 @@ include XMind.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.xmind
+nodeny  ${HOME}/.xmind
 
 include disable-common.inc
 include disable-devel.inc
@@ -15,8 +15,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.xmind
-whitelist ${HOME}/.xmind
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.xmind
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/Xephyr.profile b/etc/profile-m-z/Xephyr.profile
index 5cf5161ce..7ba1cdac9 100644
--- a/etc/profile-m-z/Xephyr.profile
+++ b/etc/profile-m-z/Xephyr.profile
@@ -15,7 +15,7 @@ include globals.local
 # or run "sudo firecfg"
 #
 
-whitelist /var/lib/xkb
+allow  /var/lib/xkb
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
index 1acd43023..a246ccb23 100644
--- a/etc/profile-m-z/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -18,7 +18,7 @@ include globals.local
 # some Linux distributions. Also, older versions of Xpra use Xvfb.
 #
 
-whitelist /var/lib/xkb
+allow  /var/lib/xkb
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/ZeGrapher.profile b/etc/profile-m-z/ZeGrapher.profile
index 7686c3442..4f65ad7d1 100644
--- a/etc/profile-m-z/ZeGrapher.profile
+++ b/etc/profile-m-z/ZeGrapher.profile
@@ -6,7 +6,7 @@ include ZeGrapher.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/ZeGrapher Project
+nodeny  ${HOME}/.config/ZeGrapher Project
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
-whitelist /usr/share/ZeGrapher
+allow  /usr/share/ZeGrapher
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/io.github.lainsce.Notejot.profile b/etc/profile-m-z/io.github.lainsce.Notejot.profile
new file mode 100644
index 000000000..a8029db72
--- /dev/null
+++ b/etc/profile-m-z/io.github.lainsce.Notejot.profile
@@ -0,0 +1,61 @@
+# Firejail profile for notejot
+# Description: Jot your ideas
+# This file is overwritten after every install/update
+# Persistent local customizations
+include io.github.lainsce.Notejot.local
+# Persistent global definitions
+include globals.local
+
+nodeny ${HOME}/.cache/io.github.lainsce.Notejot
+nodeny ${HOME}/.local/share/io.github.lainsce.Notejot
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/io.github.lainsce.Notejot
+mkdir ${HOME}/.local/share/io.github.lainsce.Notejot
+allow ${HOME}/.cache/io.github.lainsce.Notejot
+allow ${HOME}/.local/share/io.github.lainsce.Notejot
+allow /usr/libexec/webkit2gtk-4.0
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin io.github.lainsce.Notejot
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+
+dbus-user filter
+dbus-user.own io.github.lainsce.Notejot
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-m-z/macrofusion.profile b/etc/profile-m-z/macrofusion.profile
index d1dcb6fe0..763d475bb 100644
--- a/etc/profile-m-z/macrofusion.profile
+++ b/etc/profile-m-z/macrofusion.profile
@@ -5,8 +5,8 @@ include macrofusion.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mfusion
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.config/mfusion
+nodeny  ${PICTURES}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile
index 8a27b2626..d561a5095 100644
--- a/etc/profile-m-z/magicor.profile
+++ b/etc/profile-m-z/magicor.profile
@@ -6,7 +6,7 @@ include magicor.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.magicor
+nodeny  ${HOME}/.magicor
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -21,8 +21,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.magicor
-whitelist ${HOME}/.magicor
-whitelist /usr/share/magicor
+allow  ${HOME}/.magicor
+allow  /usr/share/magicor
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index 513fcae55..a7c486c9f 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -6,8 +6,8 @@ include makepkg.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 # Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138
 # for potential issues and their solutions when Firejailing makepkg
@@ -17,18 +17,18 @@ blacklist ${RUNUSER}/wayland-*
 # whitelist ${HOME}/.gnupg
 
 # Enable severely restricted access to ${HOME}/.gnupg
-noblacklist ${HOME}/.gnupg
+nodeny  ${HOME}/.gnupg
 read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gnupg/trustdb.gpg
 read-only ${HOME}/.gnupg/pubring.kbx
-blacklist ${HOME}/.gnupg/random_seed
-blacklist ${HOME}/.gnupg/pubring.kbx~
-blacklist ${HOME}/.gnupg/private-keys-v1.d
-blacklist ${HOME}/.gnupg/crls.d
-blacklist ${HOME}/.gnupg/openpgp-revocs.d
+deny  ${HOME}/.gnupg/random_seed
+deny  ${HOME}/.gnupg/pubring.kbx~
+deny  ${HOME}/.gnupg/private-keys-v1.d
+deny  ${HOME}/.gnupg/crls.d
+deny  ${HOME}/.gnupg/openpgp-revocs.d
 
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
-noblacklist /var/lib/pacman
+nodeny  /var/lib/pacman
 
 include disable-common.inc
 include disable-exec.inc
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
index bd510fcac..383eeeeb7 100644
--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -7,10 +7,10 @@ include man.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
-noblacklist ${HOME}/.local/share/man
-noblacklist ${HOME}/.rustup
+nodeny  ${HOME}/.local/share/man
+nodeny  ${HOME}/.rustup
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,12 +23,12 @@ include disable-xdg.inc
 #mkdir ${HOME}/.local/share/man
 #whitelist ${HOME}/.local/share/man
 #whitelist ${HOME}/.manpath
-whitelist /usr/share/groff
-whitelist /usr/share/info
-whitelist /usr/share/lintian
-whitelist /usr/share/locale
-whitelist /usr/share/man
-whitelist /var/cache/man
+allow  /usr/share/groff
+allow  /usr/share/info
+allow  /usr/share/lintian
+allow  /usr/share/locale
+allow  /usr/share/man
+allow  /var/cache/man
 #include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/manaplus.profile b/etc/profile-m-z/manaplus.profile
index f59a56ac6..67ee783a6 100644
--- a/etc/profile-m-z/manaplus.profile
+++ b/etc/profile-m-z/manaplus.profile
@@ -6,8 +6,8 @@ include manaplus.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mana
-noblacklist ${HOME}/.local/share/mana
+nodeny  ${HOME}/.config/mana
+nodeny  ${HOME}/.local/share/mana
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,8 +21,8 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/mana
 mkdir ${HOME}/.config/mana/mana
 mkdir ${HOME}/.local/share/mana
-whitelist ${HOME}/.config/mana
-whitelist ${HOME}/.local/share/mana
+allow  ${HOME}/.config/mana
+allow  ${HOME}/.local/share/mana
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile
index bd56a8221..7645ad335 100644
--- a/etc/profile-m-z/marker.profile
+++ b/etc/profile-m-z/marker.profile
@@ -11,8 +11,8 @@ include globals.local
 #protocol unix,inet,inet6
 #private-etc ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf
 
-noblacklist ${HOME}/.cache/marker
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.cache/marker
+nodeny  ${DOCUMENTS}
 
 include allow-python3.inc
 
@@ -25,8 +25,8 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/libexec/webkit2gtk-4.0
-whitelist /usr/share/com.github.fabiocolacio.marker
+allow  /usr/libexec/webkit2gtk-4.0
+allow  /usr/share/com.github.fabiocolacio.marker
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile
index de1135071..d8b215b7f 100644
--- a/etc/profile-m-z/masterpdfeditor.profile
+++ b/etc/profile-m-z/masterpdfeditor.profile
@@ -6,8 +6,8 @@ include masterpdfeditor.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Code Industry
-noblacklist ${HOME}/.masterpdfeditor
+nodeny  ${HOME}/.config/Code Industry
+nodeny  ${HOME}/.masterpdfeditor
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile
index 39ee7439d..92832783e 100644
--- a/etc/profile-m-z/mate-calc.profile
+++ b/etc/profile-m-z/mate-calc.profile
@@ -6,7 +6,7 @@ include mate-calc.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mate-calc
+nodeny  ${HOME}/.config/mate-calc
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,9 +18,9 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/mate-calc
 mkdir ${HOME}/.config/caja
 mkdir ${HOME}/.config/mate-menu
-whitelist ${HOME}/.cache/mate-calc
-whitelist ${HOME}/.config/caja
-whitelist ${HOME}/.config/mate-menu
+allow  ${HOME}/.cache/mate-calc
+allow  ${HOME}/.config/caja
+allow  ${HOME}/.config/mate-menu
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile
index ae1fcbf62..90c9d0993 100644
--- a/etc/profile-m-z/mate-dictionary.profile
+++ b/etc/profile-m-z/mate-dictionary.profile
@@ -5,7 +5,7 @@ include mate-dictionary.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mate/mate-dictionary
+nodeny  ${HOME}/.config/mate/mate-dictionary
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-programs.inc
 include disable-shell.inc
 
 mkdir ${HOME}/.config/mate/mate-dictionary
-whitelist ${HOME}/.config/mate/mate-dictionary
+allow  ${HOME}/.config/mate/mate-dictionary
 include whitelist-common.inc
 
 apparmor
diff --git a/etc/profile-m-z/matrix-mirage.profile b/etc/profile-m-z/matrix-mirage.profile
index b3080df88..8ee470a50 100644
--- a/etc/profile-m-z/matrix-mirage.profile
+++ b/etc/profile-m-z/matrix-mirage.profile
@@ -7,16 +7,16 @@ include matrix-mirage.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.cache/matrix-mirage
-noblacklist ${HOME}/.config/matrix-mirage
-noblacklist ${HOME}/.local/share/matrix-mirage
+nodeny  ${HOME}/.cache/matrix-mirage
+nodeny  ${HOME}/.config/matrix-mirage
+nodeny  ${HOME}/.local/share/matrix-mirage
 
 mkdir ${HOME}/.cache/matrix-mirage
 mkdir ${HOME}/.config/matrix-mirage
 mkdir ${HOME}/.local/share/matrix-mirage
-whitelist ${HOME}/.cache/matrix-mirage
-whitelist ${HOME}/.config/matrix-mirage
-whitelist ${HOME}/.local/share/matrix-mirage
+allow  ${HOME}/.cache/matrix-mirage
+allow  ${HOME}/.config/matrix-mirage
+allow  ${HOME}/.local/share/matrix-mirage
 
 private-bin matrix-mirage
 
diff --git a/etc/profile-m-z/mattermost-desktop.profile b/etc/profile-m-z/mattermost-desktop.profile
index 3c2bf4fa3..01076a90a 100644
--- a/etc/profile-m-z/mattermost-desktop.profile
+++ b/etc/profile-m-z/mattermost-desktop.profile
@@ -10,12 +10,12 @@ ignore apparmor
 ignore dbus-user none
 ignore dbus-system none
 
-noblacklist ${HOME}/.config/Mattermost
+nodeny  ${HOME}/.config/Mattermost
 
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Mattermost
-whitelist ${HOME}/.config/Mattermost
+allow  ${HOME}/.config/Mattermost
 
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 
diff --git a/etc/profile-m-z/mcabber.profile b/etc/profile-m-z/mcabber.profile
index 38d2d8d63..ae749114a 100644
--- a/etc/profile-m-z/mcabber.profile
+++ b/etc/profile-m-z/mcabber.profile
@@ -6,8 +6,8 @@ include mcabber.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.mcabber
-noblacklist ${HOME}/.mcabberrc
+nodeny  ${HOME}/.mcabber
+nodeny  ${HOME}/.mcabberrc
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mcomix.profile b/etc/profile-m-z/mcomix.profile
index fcd1e24e5..d9e12fb5d 100644
--- a/etc/profile-m-z/mcomix.profile
+++ b/etc/profile-m-z/mcomix.profile
@@ -6,9 +6,9 @@ include mcomix.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mcomix
-noblacklist ${HOME}/.local/share/mcomix
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/mcomix
+nodeny  ${HOME}/.local/share/mcomix
+nodeny  ${DOCUMENTS}
 
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
@@ -30,7 +30,7 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/mcomix
 mkdir ${HOME}/.local/share/mcomix
-whitelist /usr/share/mcomix
+allow  /usr/share/mcomix
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile
index 5d3f8dc41..9e8656290 100644
--- a/etc/profile-m-z/mdr.profile
+++ b/etc/profile-m-z/mdr.profile
@@ -5,7 +5,7 @@ include mdr.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist ${DOWNLOADS}
+allow  ${DOWNLOADS}
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/mediainfo.profile b/etc/profile-m-z/mediainfo.profile
index 17363624f..ae34ea321 100644
--- a/etc/profile-m-z/mediainfo.profile
+++ b/etc/profile-m-z/mediainfo.profile
@@ -6,7 +6,7 @@ include mediainfo.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mediathekview.profile b/etc/profile-m-z/mediathekview.profile
index 0063badd8..3459ad4cf 100644
--- a/etc/profile-m-z/mediathekview.profile
+++ b/etc/profile-m-z/mediathekview.profile
@@ -6,16 +6,16 @@ include mediathekview.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mpv
-noblacklist ${HOME}/.config/smplayer
-noblacklist ${HOME}/.config/totem
-noblacklist ${HOME}/.config/vlc
-noblacklist ${HOME}/.config/xplayer
-noblacklist ${HOME}/.local/share/totem
-noblacklist ${HOME}/.local/share/xplayer
-noblacklist ${HOME}/.mediathek3
-noblacklist ${HOME}/.mplayer
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/mpv
+nodeny  ${HOME}/.config/smplayer
+nodeny  ${HOME}/.config/totem
+nodeny  ${HOME}/.config/vlc
+nodeny  ${HOME}/.config/xplayer
+nodeny  ${HOME}/.local/share/totem
+nodeny  ${HOME}/.local/share/xplayer
+nodeny  ${HOME}/.mediathek3
+nodeny  ${HOME}/.mplayer
+nodeny  ${VIDEOS}
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-m-z/megaglest.profile b/etc/profile-m-z/megaglest.profile
index f07b9166a..ad9094ddf 100644
--- a/etc/profile-m-z/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -6,7 +6,7 @@ include megaglest.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.megaglest
+nodeny  ${HOME}/.megaglest
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,9 +18,9 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.megaglest
-whitelist ${HOME}/.megaglest
-whitelist /usr/share/megaglest
-whitelist /usr/share/games/megaglest    # Debian version
+allow  ${HOME}/.megaglest
+allow  /usr/share/megaglest
+allow  /usr/share/games/megaglest       # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index 2a8bb3acf..06ee572c9 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -13,12 +13,12 @@ include globals.local
 # Calling it by its absolute path (example for git mergetool):
 # $ git config --global mergetool.meld.cmd /usr/bin/meld
 
-noblacklist ${HOME}/.config/meld
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.local/share/meld
-noblacklist ${HOME}/.subversion
+nodeny  ${HOME}/.config/meld
+nodeny  ${HOME}/.config/git
+nodeny  ${HOME}/.gitconfig
+nodeny  ${HOME}/.git-credentials
+nodeny  ${HOME}/.local/share/meld
+nodeny  ${HOME}/.subversion
 
 # Allow python (blacklisted by disable-interpreters.inc)
 # Python 2 is EOL (see #3164). Add the next line to your meld.local if you understand the risks
@@ -29,7 +29,7 @@ include allow-python3.inc
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
-blacklist /usr/libexec
+deny  /usr/libexec
 
 # Add the next line to your meld.local if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
diff --git a/etc/profile-m-z/mendeleydesktop.profile b/etc/profile-m-z/mendeleydesktop.profile
index c0bdbb230..e33d6c157 100644
--- a/etc/profile-m-z/mendeleydesktop.profile
+++ b/etc/profile-m-z/mendeleydesktop.profile
@@ -6,13 +6,13 @@ include mendeleydesktop.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
-noblacklist ${HOME}/.cache/Mendeley Ltd.
-noblacklist ${HOME}/.config/Mendeley Ltd.
-noblacklist ${HOME}/.local/share/Mendeley Ltd.
-noblacklist ${HOME}/.local/share/data/Mendeley Ltd.
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  ${DOCUMENTS}
+nodeny  ${HOME}/.cache/Mendeley Ltd.
+nodeny  ${HOME}/.config/Mendeley Ltd.
+nodeny  ${HOME}/.local/share/Mendeley Ltd.
+nodeny  ${HOME}/.local/share/data/Mendeley Ltd.
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
index 2081b8c96..52808a5b5 100644
--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -19,13 +19,13 @@ include disable-passwdmgr.inc
 include disable-xdg.inc
 
 # Whitelist your system icon directory,varies by distro
-whitelist /usr/share/app-info
-whitelist /usr/share/desktop-directories
-whitelist /usr/share/icons
-whitelist /usr/share/menulibre
-whitelist /var/lib/app-info/icons
-whitelist /var/lib/flatpak/exports/share/applications
-whitelist /var/lib/flatpak/exports/share/icons
+allow  /usr/share/app-info
+allow  /usr/share/desktop-directories
+allow  /usr/share/icons
+allow  /usr/share/menulibre
+allow  /var/lib/app-info/icons
+allow  /var/lib/flatpak/exports/share/applications
+allow  /var/lib/flatpak/exports/share/icons
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/meteo-qt.profile b/etc/profile-m-z/meteo-qt.profile
index 85ed7bc74..48f936632 100644
--- a/etc/profile-m-z/meteo-qt.profile
+++ b/etc/profile-m-z/meteo-qt.profile
@@ -6,8 +6,8 @@ include meteo-qt.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/autostart
-noblacklist ${HOME}/.config/meteo-qt
+nodeny  ${HOME}/.config/autostart
+nodeny  ${HOME}/.config/meteo-qt
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
@@ -22,8 +22,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/meteo-qt
-whitelist ${HOME}/.config/autostart
-whitelist ${HOME}/.config/meteo-qt
+allow  ${HOME}/.config/autostart
+allow  ${HOME}/.config/meteo-qt
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile
new file mode 100644
index 000000000..259d39a5f
--- /dev/null
+++ b/etc/profile-m-z/microsoft-edge-beta.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Microsoft Edge Beta
+# Description: Web browser from Microsoft,beta channel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include microsoft-edge-beta.local
+# Persistent global definitions
+include globals.local
+
+nodeny  ${HOME}/.cache/microsoft-edge-beta
+nodeny  ${HOME}/.config/microsoft-edge-beta
+
+mkdir ${HOME}/.cache/microsoft-edge-beta
+mkdir ${HOME}/.config/microsoft-edge-beta
+allow  ${HOME}/.cache/microsoft-edge-beta
+allow  ${HOME}/.config/microsoft-edge-beta
+
+private-opt microsoft
+
+# Redirect
+include chromium-common.profile
\ No newline at end of file
diff --git a/etc/profile-m-z/microsoft-edge-dev.profile b/etc/profile-m-z/microsoft-edge-dev.profile
index 039cd36a8..96465866c 100644
--- a/etc/profile-m-z/microsoft-edge-dev.profile
+++ b/etc/profile-m-z/microsoft-edge-dev.profile
@@ -6,13 +6,13 @@ include microsoft-edge-dev.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/microsoft-edge-dev
-noblacklist ${HOME}/.config/microsoft-edge-dev
+nodeny  ${HOME}/.cache/microsoft-edge-dev
+nodeny  ${HOME}/.config/microsoft-edge-dev
 
 mkdir ${HOME}/.cache/microsoft-edge-dev
 mkdir ${HOME}/.config/microsoft-edge-dev
-whitelist ${HOME}/.cache/microsoft-edge-dev
-whitelist ${HOME}/.config/microsoft-edge-dev
+allow  ${HOME}/.cache/microsoft-edge-dev
+allow  ${HOME}/.config/microsoft-edge-dev
 
 private-opt microsoft
 
diff --git a/etc/profile-m-z/midori.profile b/etc/profile-m-z/midori.profile
index e15259608..c4a444e0d 100644
--- a/etc/profile-m-z/midori.profile
+++ b/etc/profile-m-z/midori.profile
@@ -9,17 +9,17 @@ include globals.local
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
-noblacklist ${HOME}/.cache/midori
-noblacklist ${HOME}/.config/midori
-noblacklist ${HOME}/.local/share/midori
+nodeny  ${HOME}/.cache/midori
+nodeny  ${HOME}/.config/midori
+nodeny  ${HOME}/.local/share/midori
 # noblacklist ${HOME}/.local/share/webkit
 # noblacklist ${HOME}/.local/share/webkitgtk
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
-noblacklist ${HOME}/.cache/gnome-mplayer
-noblacklist ${HOME}/.config/gnome-mplayer
-noblacklist ${HOME}/.lastpass
+nodeny  ${HOME}/.cache/gnome-mplayer
+nodeny  ${HOME}/.config/gnome-mplayer
+nodeny  ${HOME}/.lastpass
 
 include disable-common.inc
 include disable-devel.inc
@@ -36,17 +36,17 @@ mkdir ${HOME}/.local/share/webkit
 mkdir ${HOME}/.local/share/webkitgtk
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
-whitelist ${HOME}/.cache/midori
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/midori
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/midori
-whitelist ${HOME}/.local/share/webkit
-whitelist ${HOME}/.local/share/webkitgtk
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/gnome-mplayer/plugin
+allow  ${HOME}/.cache/midori
+allow  ${HOME}/.config/gnome-mplayer
+allow  ${HOME}/.config/midori
+allow  ${HOME}/.lastpass
+allow  ${HOME}/.local/share/midori
+allow  ${HOME}/.local/share/webkit
+allow  ${HOME}/.local/share/webkitgtk
+allow  ${HOME}/.pki
+allow  ${HOME}/.local/share/pki
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/min.profile b/etc/profile-m-z/min.profile
index 7f3aeab44..214332184 100644
--- a/etc/profile-m-z/min.profile
+++ b/etc/profile-m-z/min.profile
@@ -6,10 +6,10 @@ include min.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Min
+nodeny  ${HOME}/.config/Min
 
 mkdir ${HOME}/.config/Min
-whitelist ${HOME}/.config/Min
+allow  ${HOME}/.config/Min
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile
index fbf6b58e8..ee8402b87 100644
--- a/etc/profile-m-z/mindless.profile
+++ b/etc/profile-m-z/mindless.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/mindless
+allow  /usr/share/mindless
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile
index 1028e374a..595313851 100644
--- a/etc/profile-m-z/minecraft-launcher.profile
+++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -11,7 +11,7 @@ include globals.local
 
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.minecraft
+nodeny  ${HOME}/.minecraft
 
 include allow-java.inc
 
@@ -25,7 +25,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.minecraft
-whitelist ${HOME}/.minecraft
+allow  ${HOME}/.minecraft
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile
index cad1adbda..11d0859b7 100644
--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -9,8 +9,8 @@ include globals.local
 # In order to save in-game screenshots to a persistent location edit ~/.minetest/minetest.conf:
 #   screenshot_path = /home/<USER>/.minetest/screenshots
 
-noblacklist ${HOME}/.cache/minetest
-noblacklist ${HOME}/.minetest
+nodeny  ${HOME}/.cache/minetest
+nodeny  ${HOME}/.minetest
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -26,10 +26,10 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/minetest
 mkdir ${HOME}/.minetest
-whitelist ${HOME}/.cache/minetest
-whitelist ${HOME}/.minetest
-whitelist /usr/share/games/minetest
-whitelist /usr/share/minetest
+allow  ${HOME}/.cache/minetest
+allow  ${HOME}/.minetest
+allow  /usr/share/games/minetest
+allow  /usr/share/minetest
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile
index 3fe3428d0..192913dbf 100644
--- a/etc/profile-m-z/minitube.profile
+++ b/etc/profile-m-z/minitube.profile
@@ -6,10 +6,10 @@ include minitube.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PICTURES}
-noblacklist ${HOME}/.cache/Flavio Tordini
-noblacklist ${HOME}/.config/Flavio Tordini
-noblacklist ${HOME}/.local/share/Flavio Tordini
+nodeny  ${PICTURES}
+nodeny  ${HOME}/.cache/Flavio Tordini
+nodeny  ${HOME}/.config/Flavio Tordini
+nodeny  ${HOME}/.local/share/Flavio Tordini
 
 include allow-lua.inc
 
@@ -25,11 +25,11 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/Flavio Tordini
 mkdir ${HOME}/.config/Flavio Tordini
 mkdir ${HOME}/.local/share/Flavio Tordini
-whitelist ${PICTURES}
-whitelist ${HOME}/.cache/Flavio Tordini
-whitelist ${HOME}/.config/Flavio Tordini
-whitelist ${HOME}/.local/share/Flavio Tordini
-whitelist /usr/share/minitube
+allow  ${PICTURES}
+allow  ${HOME}/.cache/Flavio Tordini
+allow  ${HOME}/.config/Flavio Tordini
+allow  ${HOME}/.local/share/Flavio Tordini
+allow  /usr/share/minitube
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile
index 505009283..b2f2cc5b1 100644
--- a/etc/profile-m-z/mirage.profile
+++ b/etc/profile-m-z/mirage.profile
@@ -6,10 +6,10 @@ include mirage.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/mirage
-noblacklist ${HOME}/.config/mirage
-noblacklist ${HOME}/.local/share/mirage
-noblacklist /sbin
+nodeny  ${HOME}/.cache/mirage
+nodeny  ${HOME}/.config/mirage
+nodeny  ${HOME}/.local/share/mirage
+nodeny  /sbin
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -27,10 +27,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/mirage
 mkdir ${HOME}/.config/mirage
 mkdir ${HOME}/.local/share/mirage
-whitelist ${HOME}/.cache/mirage
-whitelist ${HOME}/.config/mirage
-whitelist ${HOME}/.local/share/mirage
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.cache/mirage
+allow  ${HOME}/.config/mirage
+allow  ${HOME}/.local/share/mirage
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile
index 58dfd56f5..d5ebfd4b0 100644
--- a/etc/profile-m-z/mirrormagic.profile
+++ b/etc/profile-m-z/mirrormagic.profile
@@ -6,7 +6,7 @@ include mirrormagic.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.mirrormagic
+nodeny  ${HOME}/.mirrormagic
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.mirrormagic
-whitelist ${HOME}/.mirrormagic
-whitelist /usr/share/mirrormagic
+allow  ${HOME}/.mirrormagic
+allow  /usr/share/mirrormagic
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
index e71ba4569..b734bd7c0 100644
--- a/etc/profile-m-z/mocp.profile
+++ b/etc/profile-m-z/mocp.profile
@@ -7,8 +7,8 @@ include mocp.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.moc
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.moc
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mousepad.profile b/etc/profile-m-z/mousepad.profile
index 98063fa7c..a02b29b61 100644
--- a/etc/profile-m-z/mousepad.profile
+++ b/etc/profile-m-z/mousepad.profile
@@ -6,7 +6,7 @@ include mousepad.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Mousepad
+nodeny  ${HOME}/.config/Mousepad
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile
index 37ce60e04..f47384753 100644
--- a/etc/profile-m-z/mp3splt-gtk.profile
+++ b/etc/profile-m-z/mp3splt-gtk.profile
@@ -6,7 +6,7 @@ include mp3splt-gtk.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.mp3splt-gtk
+nodeny  ${HOME}/.mp3splt-gtk
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mp3splt.profile b/etc/profile-m-z/mp3splt.profile
index 070de8451..8a2ab15bd 100644
--- a/etc/profile-m-z/mp3splt.profile
+++ b/etc/profile-m-z/mp3splt.profile
@@ -6,9 +6,9 @@ include mp3splt.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile
index 55a0b5897..6994b0429 100644
--- a/etc/profile-m-z/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -6,13 +6,13 @@ include mpDris2.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mpDris2
+nodeny  ${HOME}/.config/mpDris2
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,10 +23,10 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist ${MUSIC}
+allow  ${MUSIC}
 
 mkdir ${HOME}/.config/mpDris2
-whitelist ${HOME}/.config/mpDris2
+allow  ${HOME}/.config/mpDris2
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/mpd.profile b/etc/profile-m-z/mpd.profile
index b517d4ab2..8b3350ac8 100644
--- a/etc/profile-m-z/mpd.profile
+++ b/etc/profile-m-z/mpd.profile
@@ -6,10 +6,10 @@ include mpd.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mpd
-noblacklist ${HOME}/.mpd
-noblacklist ${HOME}/.mpdconf
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/mpd
+nodeny  ${HOME}/.mpd
+nodeny  ${HOME}/.mpdconf
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mpg123.profile b/etc/profile-m-z/mpg123.profile
index 25187e894..03bd44daa 100644
--- a/etc/profile-m-z/mpg123.profile
+++ b/etc/profile-m-z/mpg123.profile
@@ -7,7 +7,7 @@ include mpg123.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile
index 5d023b7f1..84754aeb2 100644
--- a/etc/profile-m-z/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -6,7 +6,7 @@ include mplayer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.mplayer
+nodeny  ${HOME}/.mplayer
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 
 read-only ${DESKTOP}
 mkdir ${HOME}/.mplayer
-whitelist ${HOME}/.mplayer
+allow  ${HOME}/.mplayer
 include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/mpsyt.profile b/etc/profile-m-z/mpsyt.profile
index bfe57a132..d35519103 100644
--- a/etc/profile-m-z/mpsyt.profile
+++ b/etc/profile-m-z/mpsyt.profile
@@ -6,12 +6,12 @@ include mpsyt.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mps-youtube
-noblacklist ${HOME}/.config/mpv
-noblacklist ${HOME}/.config/youtube-dl
-noblacklist ${HOME}/.mplayer
-noblacklist ${HOME}/.netrc
-noblacklist ${HOME}/mps
+nodeny  ${HOME}/.config/mps-youtube
+nodeny  ${HOME}/.config/mpv
+nodeny  ${HOME}/.config/youtube-dl
+nodeny  ${HOME}/.mplayer
+nodeny  ${HOME}/.netrc
+nodeny  ${HOME}/mps
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -20,8 +20,8 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -37,12 +37,12 @@ mkdir ${HOME}/.config/mpv
 mkdir ${HOME}/.config/youtube-dl
 mkdir ${HOME}/.mplayer
 mkdir ${HOME}/mps
-whitelist ${HOME}/.config/mps-youtube
-whitelist ${HOME}/.config/mpv
-whitelist ${HOME}/.config/youtube-dl
-whitelist ${HOME}/.mplayer
-whitelist ${HOME}/.netrc
-whitelist ${HOME}/mps
+allow  ${HOME}/.config/mps-youtube
+allow  ${HOME}/.config/mpv
+allow  ${HOME}/.config/youtube-dl
+allow  ${HOME}/.mplayer
+allow  ${HOME}/.netrc
+allow  ${HOME}/mps
 include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index af5c214f7..4ea2dd348 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -24,9 +24,9 @@ include globals.local
 #include allow-bin-sh.inc
 #private-bin sh
 
-noblacklist ${HOME}/.config/mpv
-noblacklist ${HOME}/.config/youtube-dl
-noblacklist ${HOME}/.netrc
+nodeny  ${HOME}/.config/mpv
+nodeny  ${HOME}/.config/youtube-dl
+nodeny  ${HOME}/.netrc
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -35,7 +35,7 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
-blacklist /usr/libexec
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
@@ -49,14 +49,14 @@ read-only ${DESKTOP}
 mkdir ${HOME}/.config/mpv
 mkdir ${HOME}/.config/youtube-dl
 mkfile ${HOME}/.netrc
-whitelist ${HOME}/.config/mpv
-whitelist ${HOME}/.config/youtube-dl
-whitelist ${HOME}/.netrc
+allow  ${HOME}/.config/mpv
+allow  ${HOME}/.config/youtube-dl
+allow  ${HOME}/.netrc
 include whitelist-common.inc
 include whitelist-player-common.inc
-whitelist /usr/share/lua
-whitelist /usr/share/lua*
-whitelist /usr/share/vulkan
+allow  /usr/share/lua
+allow  /usr/share/lua*
+allow  /usr/share/vulkan
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
index e3ceb3bd4..a8c49a690 100644
--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -6,7 +6,7 @@ include mrrescue.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/love
+nodeny  ${HOME}/.local/share/love
 
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
@@ -14,7 +14,7 @@ include allow-bin-sh.inc
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
 
-blacklist /usr/libexec
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
@@ -26,8 +26,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/love
-whitelist ${HOME}/.local/share/love
-whitelist /usr/share/mrrescue
+allow  ${HOME}/.local/share/love
+allow  /usr/share/mrrescue
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/ms-excel.profile b/etc/profile-m-z/ms-excel.profile
index db24e8f9b..5fea86ae7 100644
--- a/etc/profile-m-z/ms-excel.profile
+++ b/etc/profile-m-z/ms-excel.profile
@@ -6,7 +6,7 @@ include ms-excel.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.cache/ms-excel-online
+nodeny  ${HOME}/.cache/ms-excel-online
 private-bin ms-excel
 
 # Redirect
diff --git a/etc/profile-m-z/ms-office.profile b/etc/profile-m-z/ms-office.profile
index 38fc84ecc..4033627f7 100644
--- a/etc/profile-m-z/ms-office.profile
+++ b/etc/profile-m-z/ms-office.profile
@@ -5,8 +5,8 @@ include ms-office.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/ms-office-online
-noblacklist ${HOME}/.jak
+nodeny  ${HOME}/.cache/ms-office-online
+nodeny  ${HOME}/.jak
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/ms-onenote.profile b/etc/profile-m-z/ms-onenote.profile
index 9ea0637bd..805de5102 100644
--- a/etc/profile-m-z/ms-onenote.profile
+++ b/etc/profile-m-z/ms-onenote.profile
@@ -6,7 +6,7 @@ include ms-onenote.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.cache/ms-onenote-online
+nodeny  ${HOME}/.cache/ms-onenote-online
 private-bin ms-onenote
 
 # Redirect
diff --git a/etc/profile-m-z/ms-outlook.profile b/etc/profile-m-z/ms-outlook.profile
index fc3e7c009..bd14fb7d3 100644
--- a/etc/profile-m-z/ms-outlook.profile
+++ b/etc/profile-m-z/ms-outlook.profile
@@ -6,7 +6,7 @@ include ms-outlook.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.cache/ms-outlook-online
+nodeny  ${HOME}/.cache/ms-outlook-online
 private-bin ms-outlook
 
 # Redirect
diff --git a/etc/profile-m-z/ms-powerpoint.profile b/etc/profile-m-z/ms-powerpoint.profile
index dadcd5b1e..02a7424e2 100644
--- a/etc/profile-m-z/ms-powerpoint.profile
+++ b/etc/profile-m-z/ms-powerpoint.profile
@@ -6,7 +6,7 @@ include ms-powerpoint.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.cache/ms-powerpoint-online
+nodeny  ${HOME}/.cache/ms-powerpoint-online
 private-bin ms-powerpoint
 
 # Redirect
diff --git a/etc/profile-m-z/ms-skype.profile b/etc/profile-m-z/ms-skype.profile
index df1618361..01729f9a2 100644
--- a/etc/profile-m-z/ms-skype.profile
+++ b/etc/profile-m-z/ms-skype.profile
@@ -8,7 +8,7 @@ include ms-skype.local
 
 ignore novideo
 
-noblacklist ${HOME}/.cache/ms-skype-online
+nodeny  ${HOME}/.cache/ms-skype-online
 
 private-bin ms-skype
 
diff --git a/etc/profile-m-z/ms-word.profile b/etc/profile-m-z/ms-word.profile
index 5a617a893..34cf02128 100644
--- a/etc/profile-m-z/ms-word.profile
+++ b/etc/profile-m-z/ms-word.profile
@@ -6,7 +6,7 @@ include ms-word.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.cache/ms-word-online
+nodeny  ${HOME}/.cache/ms-word-online
 private-bin ms-word
 
 # Redirect
diff --git a/etc/profile-m-z/mtpaint.profile b/etc/profile-m-z/mtpaint.profile
index 85c3ee9f2..ec7cd5d04 100644
--- a/etc/profile-m-z/mtpaint.profile
+++ b/etc/profile-m-z/mtpaint.profile
@@ -6,7 +6,7 @@ include mtpaint.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PICTURES}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/multimc5.profile b/etc/profile-m-z/multimc5.profile
index 6df681df1..447e7753f 100644
--- a/etc/profile-m-z/multimc5.profile
+++ b/etc/profile-m-z/multimc5.profile
@@ -5,9 +5,9 @@ include multimc5.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/multimc
-noblacklist ${HOME}/.local/share/multimc5
-noblacklist ${HOME}/.multimc5
+nodeny  ${HOME}/.local/share/multimc
+nodeny  ${HOME}/.local/share/multimc5
+nodeny  ${HOME}/.multimc5
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -22,9 +22,9 @@ include disable-programs.inc
 mkdir ${HOME}/.local/share/multimc
 mkdir ${HOME}/.local/share/multimc5
 mkdir ${HOME}/.multimc5
-whitelist ${HOME}/.local/share/multimc
-whitelist ${HOME}/.local/share/multimc5
-whitelist ${HOME}/.multimc5
+allow  ${HOME}/.local/share/multimc
+allow  ${HOME}/.local/share/multimc5
+allow  ${HOME}/.multimc5
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/mumble.profile b/etc/profile-m-z/mumble.profile
index c7f59c5ee..1d72e07b8 100644
--- a/etc/profile-m-z/mumble.profile
+++ b/etc/profile-m-z/mumble.profile
@@ -6,9 +6,9 @@ include mumble.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Mumble
-noblacklist ${HOME}/.local/share/data/Mumble
-noblacklist ${HOME}/.local/share/Mumble
+nodeny  ${HOME}/.config/Mumble
+nodeny  ${HOME}/.local/share/data/Mumble
+nodeny  ${HOME}/.local/share/Mumble
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,9 +21,9 @@ include disable-shell.inc
 mkdir ${HOME}/.config/Mumble
 mkdir ${HOME}/.local/share/data/Mumble
 mkdir ${HOME}/.local/share/Mumble
-whitelist ${HOME}/.config/Mumble
-whitelist ${HOME}/.local/share/data/Mumble
-whitelist ${HOME}/.local/share/Mumble
+allow  ${HOME}/.config/Mumble
+allow  ${HOME}/.local/share/data/Mumble
+allow  ${HOME}/.local/share/Mumble
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/mupdf-gl.profile b/etc/profile-m-z/mupdf-gl.profile
index be94a9083..c208a5e54 100644
--- a/etc/profile-m-z/mupdf-gl.profile
+++ b/etc/profile-m-z/mupdf-gl.profile
@@ -7,7 +7,7 @@ include mupdf-gl.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.mupdf.history
+nodeny  ${HOME}/.mupdf.history
 
 # Redirect
 include mupdf.profile
diff --git a/etc/profile-m-z/mupdf.profile b/etc/profile-m-z/mupdf.profile
index 9e4609c48..e602b1429 100644
--- a/etc/profile-m-z/mupdf.profile
+++ b/etc/profile-m-z/mupdf.profile
@@ -6,7 +6,7 @@ include mupdf.local
 # Persistent global definitions
 #include globals.local
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mupen64plus.profile b/etc/profile-m-z/mupen64plus.profile
index 00983a8f3..ecc7e2957 100644
--- a/etc/profile-m-z/mupen64plus.profile
+++ b/etc/profile-m-z/mupen64plus.profile
@@ -6,8 +6,8 @@ include mupen64plus.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mupen64plus
-noblacklist ${HOME}/.local/share/mupen64plus
+nodeny  ${HOME}/.config/mupen64plus
+nodeny  ${HOME}/.local/share/mupen64plus
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-programs.inc
 # you'll need to manually whitelist ROM files
 mkdir ${HOME}/.config/mupen64plus
 mkdir ${HOME}/.local/share/mupen64plus
-whitelist ${HOME}/.config/mupen64plus
-whitelist ${HOME}/.local/share/mupen64plus
+allow  ${HOME}/.config/mupen64plus
+allow  ${HOME}/.local/share/mupen64plus
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/musescore.profile b/etc/profile-m-z/musescore.profile
index 679e82ae8..aa141f9c0 100644
--- a/etc/profile-m-z/musescore.profile
+++ b/etc/profile-m-z/musescore.profile
@@ -6,12 +6,12 @@ include musescore.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/MusE
-noblacklist ${HOME}/.config/MuseScore
-noblacklist ${HOME}/.local/share/data/MusE
-noblacklist ${HOME}/.local/share/data/MuseScore
-noblacklist ${DOCUMENTS}
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/MusE
+nodeny  ${HOME}/.config/MuseScore
+nodeny  ${HOME}/.local/share/data/MusE
+nodeny  ${HOME}/.local/share/data/MuseScore
+nodeny  ${DOCUMENTS}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/musictube.profile b/etc/profile-m-z/musictube.profile
index 04500ac6a..5ab1303a2 100644
--- a/etc/profile-m-z/musictube.profile
+++ b/etc/profile-m-z/musictube.profile
@@ -6,9 +6,9 @@ include musictube.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/Flavio Tordini
-noblacklist ${HOME}/.config/Flavio Tordini
-noblacklist ${HOME}/.local/share/Flavio Tordini
+nodeny  ${HOME}/.cache/Flavio Tordini
+nodeny  ${HOME}/.config/Flavio Tordini
+nodeny  ${HOME}/.local/share/Flavio Tordini
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,10 +22,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/Flavio Tordini
 mkdir ${HOME}/.config/Flavio Tordini
 mkdir ${HOME}/.local/share/Flavio Tordini
-whitelist ${HOME}/.cache/Flavio Tordini
-whitelist ${HOME}/.config/Flavio Tordini
-whitelist ${HOME}/.local/share/Flavio Tordini
-whitelist /usr/share/musictube
+allow  ${HOME}/.cache/Flavio Tordini
+allow  ${HOME}/.config/Flavio Tordini
+allow  ${HOME}/.local/share/Flavio Tordini
+allow  /usr/share/musictube
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
index 74b3e9a5f..9390f9dcf 100644
--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -5,7 +5,7 @@ include musixmatch.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index debf81659..91606bdfa 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -7,36 +7,36 @@ include mutt.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /var/mail
-noblacklist /var/spool/mail
-noblacklist ${DOCUMENTS}
-noblacklist ${HOME}/.Mail
-noblacklist ${HOME}/.bogofilter
-noblacklist ${HOME}/.cache/mutt
-noblacklist ${HOME}/.config/mutt
-noblacklist ${HOME}/.config/nano
-noblacklist ${HOME}/.elinks
-noblacklist ${HOME}/.emacs
-noblacklist ${HOME}/.emacs.d
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.mail
-noblacklist ${HOME}/.mailcap
-noblacklist ${HOME}/.msmtprc
-noblacklist ${HOME}/.mutt
-noblacklist ${HOME}/.muttrc
-noblacklist ${HOME}/.nanorc
-noblacklist ${HOME}/.signature
-noblacklist ${HOME}/.vim
-noblacklist ${HOME}/.viminfo
-noblacklist ${HOME}/.vimrc
-noblacklist ${HOME}/.w3m
-noblacklist ${HOME}/Mail
-noblacklist ${HOME}/mail
-noblacklist ${HOME}/postponed
-noblacklist ${HOME}/sent
+nodeny  /var/mail
+nodeny  /var/spool/mail
+nodeny  ${DOCUMENTS}
+nodeny  ${HOME}/.Mail
+nodeny  ${HOME}/.bogofilter
+nodeny  ${HOME}/.cache/mutt
+nodeny  ${HOME}/.config/mutt
+nodeny  ${HOME}/.config/nano
+nodeny  ${HOME}/.elinks
+nodeny  ${HOME}/.emacs
+nodeny  ${HOME}/.emacs.d
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.mail
+nodeny  ${HOME}/.mailcap
+nodeny  ${HOME}/.msmtprc
+nodeny  ${HOME}/.mutt
+nodeny  ${HOME}/.muttrc
+nodeny  ${HOME}/.nanorc
+nodeny  ${HOME}/.signature
+nodeny  ${HOME}/.vim
+nodeny  ${HOME}/.viminfo
+nodeny  ${HOME}/.vimrc
+nodeny  ${HOME}/.w3m
+nodeny  ${HOME}/Mail
+nodeny  ${HOME}/mail
+nodeny  ${HOME}/postponed
+nodeny  ${HOME}/sent
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 # Add the next lines to your mutt.local for oauth.py,S/MIME support.
 #include allow-perl.inc
@@ -75,37 +75,37 @@ mkfile ${HOME}/.nanorc
 mkfile ${HOME}/.signature
 mkfile ${HOME}/.viminfo
 mkfile ${HOME}/.vimrc
-whitelist ${DOCUMENTS}
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.Mail
-whitelist ${HOME}/.bogofilter
-whitelist ${HOME}/.cache/mutt
-whitelist ${HOME}/.config/mutt
-whitelist ${HOME}/.config/nano
-whitelist ${HOME}/.elinks
-whitelist ${HOME}/.emacs
-whitelist ${HOME}/.emacs.d
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.mail
-whitelist ${HOME}/.mailcap
-whitelist ${HOME}/.msmtprc
-whitelist ${HOME}/.mutt
-whitelist ${HOME}/.muttrc
-whitelist ${HOME}/.nanorc
-whitelist ${HOME}/.signature
-whitelist ${HOME}/.vim
-whitelist ${HOME}/.viminfo
-whitelist ${HOME}/.vimrc
-whitelist ${HOME}/.w3m
-whitelist ${HOME}/Mail
-whitelist ${HOME}/mail
-whitelist ${HOME}/postponed
-whitelist ${HOME}/sent
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
-whitelist /usr/share/mutt
-whitelist /var/mail
-whitelist /var/spool/mail
+allow  ${DOCUMENTS}
+allow  ${DOWNLOADS}
+allow  ${HOME}/.Mail
+allow  ${HOME}/.bogofilter
+allow  ${HOME}/.cache/mutt
+allow  ${HOME}/.config/mutt
+allow  ${HOME}/.config/nano
+allow  ${HOME}/.elinks
+allow  ${HOME}/.emacs
+allow  ${HOME}/.emacs.d
+allow  ${HOME}/.gnupg
+allow  ${HOME}/.mail
+allow  ${HOME}/.mailcap
+allow  ${HOME}/.msmtprc
+allow  ${HOME}/.mutt
+allow  ${HOME}/.muttrc
+allow  ${HOME}/.nanorc
+allow  ${HOME}/.signature
+allow  ${HOME}/.vim
+allow  ${HOME}/.viminfo
+allow  ${HOME}/.vimrc
+allow  ${HOME}/.w3m
+allow  ${HOME}/Mail
+allow  ${HOME}/mail
+allow  ${HOME}/postponed
+allow  ${HOME}/sent
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
+allow  /usr/share/mutt
+allow  /var/mail
+allow  /var/spool/mail
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/mypaint.profile b/etc/profile-m-z/mypaint.profile
index d8d487fe7..19af47498 100644
--- a/etc/profile-m-z/mypaint.profile
+++ b/etc/profile-m-z/mypaint.profile
@@ -6,10 +6,10 @@ include mypaint.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/mypaint
-noblacklist ${HOME}/.config/mypaint
-noblacklist ${HOME}/.local/share/mypaint
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.cache/mypaint
+nodeny  ${HOME}/.config/mypaint
+nodeny  ${HOME}/.local/share/mypaint
+nodeny  ${PICTURES}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile
index 4698c2287..f0553bed5 100644
--- a/etc/profile-m-z/nano.profile
+++ b/etc/profile-m-z/nano.profile
@@ -7,10 +7,10 @@ include nano.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${HOME}/.config/nano
-noblacklist ${HOME}/.nanorc
+nodeny  ${HOME}/.config/nano
+nodeny  ${HOME}/.nanorc
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,7 +19,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /usr/share/nano
+allow  /usr/share/nano
 include whitelist-usr-share-common.inc
 
 apparmor
diff --git a/etc/profile-m-z/natron.profile b/etc/profile-m-z/natron.profile
index 5bf152f84..35d152748 100644
--- a/etc/profile-m-z/natron.profile
+++ b/etc/profile-m-z/natron.profile
@@ -5,9 +5,9 @@ include natron.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.Natron
-noblacklist ${HOME}/.cache/INRIA/Natron
-noblacklist ${HOME}/.config/INRIA
+nodeny  ${HOME}/.Natron
+nodeny  ${HOME}/.cache/INRIA/Natron
+nodeny  ${HOME}/.config/INRIA
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/ncdu.profile b/etc/profile-m-z/ncdu.profile
index 063e30366..38646dc90 100644
--- a/etc/profile-m-z/ncdu.profile
+++ b/etc/profile-m-z/ncdu.profile
@@ -6,7 +6,7 @@ include ncdu.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 include disable-exec.inc
 
diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile
index 9f00448c8..ceb885908 100644
--- a/etc/profile-m-z/neochat.profile
+++ b/etc/profile-m-z/neochat.profile
@@ -6,12 +6,12 @@ include neochat.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/KDE/neochat
-noblacklist ${HOME}/.config/KDE
-noblacklist ${HOME}/.config/KDE/neochat
-noblacklist ${HOME}/.config/neochatrc
-noblacklist ${HOME}/.config/neochat.notifyrc
-noblacklist ${HOME}/.local/share/KDE/neochat
+nodeny  ${HOME}/.cache/KDE/neochat
+nodeny  ${HOME}/.config/KDE
+nodeny  ${HOME}/.config/KDE/neochat
+nodeny  ${HOME}/.config/neochatrc
+nodeny  ${HOME}/.config/neochat.notifyrc
+nodeny  ${HOME}/.local/share/KDE/neochat
 
 include disable-common.inc
 include disable-devel.inc
@@ -24,9 +24,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/KDE/neochat
 mkdir ${HOME}/.local/share/KDE/neochat
-whitelist ${HOME}/.cache/KDE/neochat
-whitelist ${HOME}/.local/share/KDE/neochat
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.cache/KDE/neochat
+allow  ${HOME}/.local/share/KDE/neochat
+allow  ${DOWNLOADS}
 include whitelist-1793-workaround.inc
 include whitelist-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index fafa129e4..939d6f111 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -7,38 +7,38 @@ include neomutt.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
-noblacklist ${HOME}/.Mail
-noblacklist ${HOME}/.bogofilter
-noblacklist ${HOME}/.config/mutt
-noblacklist ${HOME}/.config/nano
-noblacklist ${HOME}/.config/neomutt
-noblacklist ${HOME}/.elinks
-noblacklist ${HOME}/.emacs
-noblacklist ${HOME}/.emacs.d
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.mail
-noblacklist ${HOME}/.mailcap
-noblacklist ${HOME}/.msmtprc
-noblacklist ${HOME}/.mutt
-noblacklist ${HOME}/.muttrc
-noblacklist ${HOME}/.nanorc
-noblacklist ${HOME}/.neomutt
-noblacklist ${HOME}/.neomuttrc
-noblacklist ${HOME}/.signature
-noblacklist ${HOME}/.vim
-noblacklist ${HOME}/.viminfo
-noblacklist ${HOME}/.vimrc
-noblacklist ${HOME}/.w3m
-noblacklist ${HOME}/Mail
-noblacklist ${HOME}/mail
-noblacklist ${HOME}/postponed
-noblacklist ${HOME}/sent
-noblacklist /var/mail
-noblacklist /var/spool/mail
+nodeny  ${DOCUMENTS}
+nodeny  ${HOME}/.Mail
+nodeny  ${HOME}/.bogofilter
+nodeny  ${HOME}/.config/mutt
+nodeny  ${HOME}/.config/nano
+nodeny  ${HOME}/.config/neomutt
+nodeny  ${HOME}/.elinks
+nodeny  ${HOME}/.emacs
+nodeny  ${HOME}/.emacs.d
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.mail
+nodeny  ${HOME}/.mailcap
+nodeny  ${HOME}/.msmtprc
+nodeny  ${HOME}/.mutt
+nodeny  ${HOME}/.muttrc
+nodeny  ${HOME}/.nanorc
+nodeny  ${HOME}/.neomutt
+nodeny  ${HOME}/.neomuttrc
+nodeny  ${HOME}/.signature
+nodeny  ${HOME}/.vim
+nodeny  ${HOME}/.viminfo
+nodeny  ${HOME}/.vimrc
+nodeny  ${HOME}/.w3m
+nodeny  ${HOME}/Mail
+nodeny  ${HOME}/mail
+nodeny  ${HOME}/postponed
+nodeny  ${HOME}/sent
+nodeny  /var/mail
+nodeny  /var/spool/mail
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include allow-lua.inc
 
@@ -76,39 +76,39 @@ mkfile ${HOME}/.neomuttrc
 mkfile ${HOME}/.signature
 mkfile ${HOME}/.viminfo
 mkfile ${HOME}/.vimrc
-whitelist ${DOCUMENTS}
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.Mail
-whitelist ${HOME}/.bogofilter
-whitelist ${HOME}/.config/mutt
-whitelist ${HOME}/.config/nano
-whitelist ${HOME}/.config/neomutt
-whitelist ${HOME}/.elinks
-whitelist ${HOME}/.emacs
-whitelist ${HOME}/.emacs.d
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.mail
-whitelist ${HOME}/.mailcap
-whitelist ${HOME}/.msmtprc
-whitelist ${HOME}/.mutt
-whitelist ${HOME}/.muttrc
-whitelist ${HOME}/.nanorc
-whitelist ${HOME}/.neomutt
-whitelist ${HOME}/.neomuttrc
-whitelist ${HOME}/.signature
-whitelist ${HOME}/.vim
-whitelist ${HOME}/.viminfo
-whitelist ${HOME}/.vimrc
-whitelist ${HOME}/.w3m
-whitelist ${HOME}/Mail
-whitelist ${HOME}/mail
-whitelist ${HOME}/postponed
-whitelist ${HOME}/sent
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
-whitelist /usr/share/neomutt
-whitelist /var/mail
-whitelist /var/spool/mail
+allow  ${DOCUMENTS}
+allow  ${DOWNLOADS}
+allow  ${HOME}/.Mail
+allow  ${HOME}/.bogofilter
+allow  ${HOME}/.config/mutt
+allow  ${HOME}/.config/nano
+allow  ${HOME}/.config/neomutt
+allow  ${HOME}/.elinks
+allow  ${HOME}/.emacs
+allow  ${HOME}/.emacs.d
+allow  ${HOME}/.gnupg
+allow  ${HOME}/.mail
+allow  ${HOME}/.mailcap
+allow  ${HOME}/.msmtprc
+allow  ${HOME}/.mutt
+allow  ${HOME}/.muttrc
+allow  ${HOME}/.nanorc
+allow  ${HOME}/.neomutt
+allow  ${HOME}/.neomuttrc
+allow  ${HOME}/.signature
+allow  ${HOME}/.vim
+allow  ${HOME}/.viminfo
+allow  ${HOME}/.vimrc
+allow  ${HOME}/.w3m
+allow  ${HOME}/Mail
+allow  ${HOME}/mail
+allow  ${HOME}/postponed
+allow  ${HOME}/sent
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
+allow  /usr/share/neomutt
+allow  /var/mail
+allow  /var/spool/mail
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/netactview.profile b/etc/profile-m-z/netactview.profile
index 5d45dd7bc..68297c110 100644
--- a/etc/profile-m-z/netactview.profile
+++ b/etc/profile-m-z/netactview.profile
@@ -6,7 +6,7 @@ include netactview.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.netactview
+nodeny  ${HOME}/.netactview
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkfile ${HOME}/.netactview
-whitelist ${HOME}/.netactview
-whitelist /usr/share/netactview
+allow  ${HOME}/.netactview
+allow  /usr/share/netactview
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/nethack-vultures.profile b/etc/profile-m-z/nethack-vultures.profile
index c9a537370..d5bf8a52a 100644
--- a/etc/profile-m-z/nethack-vultures.profile
+++ b/etc/profile-m-z/nethack-vultures.profile
@@ -6,7 +6,7 @@ include nethack.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.vultures
+nodeny  ${HOME}/.vultures
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,8 +16,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.vultures
-whitelist ${HOME}/.vultures
-whitelist /var/log/vultures
+allow  ${HOME}/.vultures
+allow  /var/log/vultures
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/nethack.profile b/etc/profile-m-z/nethack.profile
index b57abe260..23b57bb52 100644
--- a/etc/profile-m-z/nethack.profile
+++ b/etc/profile-m-z/nethack.profile
@@ -6,7 +6,7 @@ include nethack.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /var/games/nethack
+nodeny  /var/games/nethack
 
 include disable-common.inc
 include disable-devel.inc
@@ -15,7 +15,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /var/games/nethack
+allow  /var/games/nethack
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/netsurf.profile b/etc/profile-m-z/netsurf.profile
index 0ddb7bbbe..b099d6f0c 100644
--- a/etc/profile-m-z/netsurf.profile
+++ b/etc/profile-m-z/netsurf.profile
@@ -6,8 +6,8 @@ include netsurf.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/netsurf
-noblacklist ${HOME}/.config/netsurf
+nodeny  ${HOME}/.cache/netsurf
+nodeny  ${HOME}/.config/netsurf
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,9 +16,9 @@ include disable-programs.inc
 
 mkdir ${HOME}/.cache/netsurf
 mkdir ${HOME}/.config/netsurf
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/netsurf
-whitelist ${HOME}/.config/netsurf
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/netsurf
+allow  ${HOME}/.config/netsurf
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/neverball.profile b/etc/profile-m-z/neverball.profile
index ecfbb14e4..dad90a66c 100644
--- a/etc/profile-m-z/neverball.profile
+++ b/etc/profile-m-z/neverball.profile
@@ -6,7 +6,7 @@ include neverball.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.neverball
+nodeny  ${HOME}/.neverball
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.neverball
-whitelist ${HOME}/.neverball
-whitelist /usr/share/neverball
+allow  ${HOME}/.neverball
+allow  /usr/share/neverball
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/newsbeuter.profile b/etc/profile-m-z/newsbeuter.profile
index 6efb19502..c26ba4be0 100644
--- a/etc/profile-m-z/newsbeuter.profile
+++ b/etc/profile-m-z/newsbeuter.profile
@@ -11,15 +11,15 @@ ignore include newsboat.local
 ignore mkdir ${HOME}/.config/newsboat
 ignore mkdir ${HOME}/.local/share/newsboat
 ignore mkdir ${HOME}/.newsboat
-blacklist ${PATH}/newsboat
+deny  ${PATH}/newsboat
 
-blacklist ${HOME}/.config/newsboat
-blacklist ${HOME}/.local/share/newsboat
-blacklist ${HOME}/.newsboat
+deny  ${HOME}/.config/newsboat
+deny  ${HOME}/.local/share/newsboat
+deny  ${HOME}/.newsboat
 
-nowhitelist ${HOME}/.config/newsboat
-nowhitelist ${HOME}/.local/share/newsboat
-nowhitelist ${HOME}/.newsboat
+noallow  ${HOME}/.config/newsboat
+noallow  ${HOME}/.local/share/newsboat
+noallow  ${HOME}/.newsboat
 
 mkdir ${HOME}/.config/newsbeuter
 mkdir ${HOME}/.local/share/newsbeuter
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile
index 13bc3a615..e34752b55 100644
--- a/etc/profile-m-z/newsboat.profile
+++ b/etc/profile-m-z/newsboat.profile
@@ -6,12 +6,12 @@ include newsboat.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/newsbeuter
-noblacklist ${HOME}/.config/newsboat
-noblacklist ${HOME}/.local/share/newsbeuter
-noblacklist ${HOME}/.local/share/newsboat
-noblacklist ${HOME}/.newsbeuter
-noblacklist ${HOME}/.newsboat
+nodeny  ${HOME}/.config/newsbeuter
+nodeny  ${HOME}/.config/newsboat
+nodeny  ${HOME}/.local/share/newsbeuter
+nodeny  ${HOME}/.local/share/newsboat
+nodeny  ${HOME}/.newsbeuter
+nodeny  ${HOME}/.newsboat
 
 include disable-common.inc
 include disable-devel.inc
@@ -24,12 +24,12 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/newsboat
 mkdir ${HOME}/.local/share/newsboat
 mkdir ${HOME}/.newsboat
-whitelist ${HOME}/.config/newsbeuter
-whitelist ${HOME}/.config/newsboat
-whitelist ${HOME}/.local/share/newsbeuter
-whitelist ${HOME}/.local/share/newsboat
-whitelist ${HOME}/.newsbeuter
-whitelist ${HOME}/.newsboat
+allow  ${HOME}/.config/newsbeuter
+allow  ${HOME}/.config/newsboat
+allow  ${HOME}/.local/share/newsbeuter
+allow  ${HOME}/.local/share/newsboat
+allow  ${HOME}/.newsbeuter
+allow  ${HOME}/.newsboat
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile
index 18d8c6ed4..273628ea2 100644
--- a/etc/profile-m-z/newsflash.profile
+++ b/etc/profile-m-z/newsflash.profile
@@ -6,9 +6,9 @@ include newsflash.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/NewsFlashGTK
-noblacklist ${HOME}/.config/news-flash
-noblacklist ${HOME}/.local/share/news-flash
+nodeny  ${HOME}/.cache/NewsFlashGTK
+nodeny  ${HOME}/.config/news-flash
+nodeny  ${HOME}/.local/share/news-flash
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,9 +22,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/NewsFlashGTK
 mkdir ${HOME}/.config/news-flash
 mkdir ${HOME}/.local/share/news-flash
-whitelist ${HOME}/.cache/NewsFlashGTK
-whitelist ${HOME}/.config/news-flash
-whitelist ${HOME}/.local/share/news-flash
+allow  ${HOME}/.cache/NewsFlashGTK
+allow  ${HOME}/.config/news-flash
+allow  ${HOME}/.local/share/news-flash
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile
index 9fd76fbe7..7ba46691d 100644
--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -6,9 +6,9 @@ include nextcloud.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/Nextcloud
-noblacklist ${HOME}/.config/Nextcloud
-noblacklist ${HOME}/.local/share/Nextcloud
+nodeny  ${HOME}/Nextcloud
+nodeny  ${HOME}/.config/Nextcloud
+nodeny  ${HOME}/.local/share/Nextcloud
 # Add the next lines to your nextcloud.local to allow sync in more directories.
 #noblacklist ${DOCUMENTS}
 #noblacklist ${MUSIC}
@@ -27,9 +27,9 @@ include disable-xdg.inc
 mkdir ${HOME}/Nextcloud
 mkdir ${HOME}/.config/Nextcloud
 mkdir ${HOME}/.local/share/Nextcloud
-whitelist ${HOME}/Nextcloud
-whitelist ${HOME}/.config/Nextcloud
-whitelist ${HOME}/.local/share/Nextcloud
+allow  ${HOME}/Nextcloud
+allow  ${HOME}/.config/Nextcloud
+allow  ${HOME}/.local/share/Nextcloud
 # Add the next lines to your nextcloud.local to allow sync in more directories.
 #whitelist ${DOCUMENTS}
 #whitelist ${MUSIC}
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
index f8062891c..0149e0737 100644
--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -6,9 +6,9 @@ include nheko.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/nheko
-noblacklist ${HOME}/.config/nheko
-noblacklist ${HOME}/.local/share/nheko
+nodeny  ${HOME}/.cache/nheko
+nodeny  ${HOME}/.config/nheko
+nodeny  ${HOME}/.local/share/nheko
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,10 +22,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/nheko
 mkdir ${HOME}/.config/nheko
 mkdir ${HOME}/.local/share/nheko
-whitelist ${HOME}/.cache/nheko
-whitelist ${HOME}/.config/nheko
-whitelist ${HOME}/.local/share/nheko
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.cache/nheko
+allow  ${HOME}/.config/nheko
+allow  ${HOME}/.local/share/nheko
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile
index 1c7dbc009..b31a7babf 100644
--- a/etc/profile-m-z/nicotine.profile
+++ b/etc/profile-m-z/nicotine.profile
@@ -6,7 +6,7 @@ include nicotine.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.nicotine
+nodeny  ${HOME}/.nicotine
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -21,9 +21,9 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.nicotine
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.nicotine
-whitelist /usr/share/GeoIP
+allow  ${DOWNLOADS}
+allow  ${HOME}/.nicotine
+allow  /usr/share/GeoIP
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile
index 8dba84f02..70fffd5d4 100644
--- a/etc/profile-m-z/nitroshare.profile
+++ b/etc/profile-m-z/nitroshare.profile
@@ -6,8 +6,8 @@ include nitroshare.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Nathan Osman
-noblacklist ${HOME}/.config/NitroShare
+nodeny  ${HOME}/.config/Nathan Osman
+nodeny  ${HOME}/.config/NitroShare
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index fa69f9214..7981ba6ae 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,22 +7,22 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
 ignore read-only ${HOME}/.npm-packages
 ignore read-only ${HOME}/.npmrc
 ignore read-only ${HOME}/.nvm
 ignore read-only ${HOME}/.yarnrc
 
-noblacklist ${HOME}/.node-gyp
-noblacklist ${HOME}/.npm
-noblacklist ${HOME}/.npmrc
-noblacklist ${HOME}/.nvm
-noblacklist ${HOME}/.yarn
-noblacklist ${HOME}/.yarn-config
-noblacklist ${HOME}/.yarncache
-noblacklist ${HOME}/.yarnrc
+nodeny  ${HOME}/.node-gyp
+nodeny  ${HOME}/.npm
+nodeny  ${HOME}/.npmrc
+nodeny  ${HOME}/.nvm
+nodeny  ${HOME}/.yarn
+nodeny  ${HOME}/.yarn-config
+nodeny  ${HOME}/.yarncache
+nodeny  ${HOME}/.yarnrc
 
 ignore noexec ${HOME}
 
@@ -58,9 +58,9 @@ include disable-xdg.inc
 #whitelist ${HOME}/Projects
 #include whitelist-common.inc
 
-whitelist /usr/share/doc/node
-whitelist /usr/share/nvm
-whitelist /usr/share/systemtap/tapset/node.stp
+allow  /usr/share/doc/node
+allow  /usr/share/nvm
+allow  /usr/share/systemtap/tapset/node.stp
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile
index a36dee874..80fbd0fcb 100644
--- a/etc/profile-m-z/nomacs.profile
+++ b/etc/profile-m-z/nomacs.profile
@@ -6,10 +6,10 @@ include nomacs.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/nomacs
-noblacklist ${HOME}/.local/share/nomacs
-noblacklist ${HOME}/.local/share/data/nomacs
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.config/nomacs
+nodeny  ${HOME}/.local/share/nomacs
+nodeny  ${HOME}/.local/share/data/nomacs
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile
index 650118c98..a3bcc040c 100644
--- a/etc/profile-m-z/notify-send.profile
+++ b/etc/profile-m-z/notify-send.profile
@@ -7,7 +7,7 @@ include notify-send.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/nslookup.profile b/etc/profile-m-z/nslookup.profile
index c7a131a2c..b3002ad0e 100644
--- a/etc/profile-m-z/nslookup.profile
+++ b/etc/profile-m-z/nslookup.profile
@@ -7,10 +7,10 @@ include nslookup.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
-noblacklist ${PATH}/nslookup
+nodeny  ${PATH}/nslookup
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,7 +20,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${HOME}/.nslookuprc
+allow  ${HOME}/.nslookuprc
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
index 886403b9e..67f54f9fc 100644
--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -8,12 +8,12 @@ include globals.local
 
 ignore dbus-user
 
-noblacklist ${HOME}/.config/nuclear
+nodeny  ${HOME}/.config/nuclear
 
 include disable-shell.inc
 
 mkdir ${HOME}/.config/nuclear
-whitelist ${HOME}/.config/nuclear
+allow  ${HOME}/.config/nuclear
 
 no3d
 
diff --git a/etc/profile-m-z/nylas.profile b/etc/profile-m-z/nylas.profile
index fe0c2116b..ee7710b9c 100644
--- a/etc/profile-m-z/nylas.profile
+++ b/etc/profile-m-z/nylas.profile
@@ -5,8 +5,8 @@ include nylas.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Nylas Mail
-noblacklist ${HOME}/.nylas-mail
+nodeny  ${HOME}/.config/Nylas Mail
+nodeny  ${HOME}/.nylas-mail
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,9 +16,9 @@ include disable-programs.inc
 
 mkdir ${HOME}/.config/Nylas Mail
 mkdir ${HOME}/.nylas-mail
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/Nylas Mail
-whitelist ${HOME}/.nylas-mail
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/Nylas Mail
+allow  ${HOME}/.nylas-mail
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/nyx.profile b/etc/profile-m-z/nyx.profile
index d040d42af..1d606f70c 100644
--- a/etc/profile-m-z/nyx.profile
+++ b/etc/profile-m-z/nyx.profile
@@ -10,7 +10,7 @@ include globals.local
 include allow-python2.inc
 include allow-python3.inc
 
-noblacklist ${HOME}/.nyx
+nodeny  ${HOME}/.nyx
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,7 +22,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.nyx
-whitelist ${HOME}/.nyx
+allow  ${HOME}/.nyx
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/obs.profile b/etc/profile-m-z/obs.profile
index 9345cee4f..f70bdc55a 100644
--- a/etc/profile-m-z/obs.profile
+++ b/etc/profile-m-z/obs.profile
@@ -5,10 +5,10 @@ include obs.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/obs-studio
-noblacklist ${MUSIC}
-noblacklist ${PICTURES}
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/obs-studio
+nodeny  ${MUSIC}
+nodeny  ${PICTURES}
+nodeny  ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
index 7be68a201..792c2ffc6 100644
--- a/etc/profile-m-z/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -6,9 +6,9 @@ include ocenaudio.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/ocenaudio
-noblacklist ${DOCUMENTS}
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.local/share/ocenaudio
+nodeny  ${DOCUMENTS}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/odt2txt.profile b/etc/profile-m-z/odt2txt.profile
index 6163d2e22..61b71ec10 100644
--- a/etc/profile-m-z/odt2txt.profile
+++ b/etc/profile-m-z/odt2txt.profile
@@ -6,9 +6,9 @@ include odt2txt.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
index ab8ccf623..feeed86cb 100644
--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -6,18 +6,18 @@ include okular.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/okular
-noblacklist ${HOME}/.config/okularpartrc
-noblacklist ${HOME}/.config/okularrc
-noblacklist ${HOME}/.kde/share/apps/okular
-noblacklist ${HOME}/.kde/share/config/okularpartrc
-noblacklist ${HOME}/.kde/share/config/okularrc
-noblacklist ${HOME}/.kde4/share/apps/okular
-noblacklist ${HOME}/.kde4/share/config/okularpartrc
-noblacklist ${HOME}/.kde4/share/config/okularrc
-noblacklist ${HOME}/.local/share/kxmlgui5/okular
-noblacklist ${HOME}/.local/share/okular
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.cache/okular
+nodeny  ${HOME}/.config/okularpartrc
+nodeny  ${HOME}/.config/okularrc
+nodeny  ${HOME}/.kde/share/apps/okular
+nodeny  ${HOME}/.kde/share/config/okularpartrc
+nodeny  ${HOME}/.kde/share/config/okularrc
+nodeny  ${HOME}/.kde4/share/apps/okular
+nodeny  ${HOME}/.kde4/share/config/okularpartrc
+nodeny  ${HOME}/.kde4/share/config/okularrc
+nodeny  ${HOME}/.local/share/kxmlgui5/okular
+nodeny  ${HOME}/.local/share/okular
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -28,15 +28,15 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/config.kcfg/gssettings.kcfg
-whitelist /usr/share/config.kcfg/pdfsettings.kcfg
-whitelist /usr/share/config.kcfg/okular.kcfg
-whitelist /usr/share/config.kcfg/okular_core.kcfg
-whitelist /usr/share/ghostscript
-whitelist /usr/share/kconf_update/okular.upd
-whitelist /usr/share/kxmlgui5/okular
-whitelist /usr/share/okular
-whitelist /usr/share/poppler
+allow  /usr/share/config.kcfg/gssettings.kcfg
+allow  /usr/share/config.kcfg/pdfsettings.kcfg
+allow  /usr/share/config.kcfg/okular.kcfg
+allow  /usr/share/config.kcfg/okular_core.kcfg
+allow  /usr/share/ghostscript
+allow  /usr/share/kconf_update/okular.upd
+allow  /usr/share/kxmlgui5/okular
+allow  /usr/share/okular
+allow  /usr/share/poppler
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile
index 5b367b639..748d17995 100644
--- a/etc/profile-m-z/onboard.profile
+++ b/etc/profile-m-z/onboard.profile
@@ -6,7 +6,7 @@ include onboard.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/onboard
+nodeny  ${HOME}/.config/onboard
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,8 +22,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/onboard
-whitelist ${HOME}/.config/onboard
-whitelist /usr/share/onboard
+allow  ${HOME}/.config/onboard
+allow  /usr/share/onboard
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile
index 960df9034..188818a7f 100644
--- a/etc/profile-m-z/onionshare-gui.profile
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -5,7 +5,7 @@ include onionshare-gui.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/onionshare
+nodeny  ${HOME}/.config/onionshare
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
diff --git a/etc/profile-m-z/open-invaders.profile b/etc/profile-m-z/open-invaders.profile
index 7a840d4a9..6e2b31def 100644
--- a/etc/profile-m-z/open-invaders.profile
+++ b/etc/profile-m-z/open-invaders.profile
@@ -6,7 +6,7 @@ include open-invaders.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.openinvaders
+nodeny  ${HOME}/.openinvaders
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 
 mkdir ${HOME}/.openinvaders
-whitelist ${HOME}/.openinvaders
+allow  ${HOME}/.openinvaders
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile
index 36ce0316f..dfc78e5a9 100644
--- a/etc/profile-m-z/openarena.profile
+++ b/etc/profile-m-z/openarena.profile
@@ -6,7 +6,7 @@ include openarena.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.openarena
+nodeny  ${HOME}/.openarena
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.openarena
-whitelist ${HOME}/.openarena
-whitelist /usr/share/openarena
+allow  ${HOME}/.openarena
+allow  /usr/share/openarena
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/openbox.profile b/etc/profile-m-z/openbox.profile
index b49fd9932..5a6b378f0 100644
--- a/etc/profile-m-z/openbox.profile
+++ b/etc/profile-m-z/openbox.profile
@@ -7,7 +7,7 @@ include openbox.local
 include globals.local
 
 # all applications started in openbox will run in this profile
-noblacklist ${HOME}/.config/openbox
+nodeny  ${HOME}/.config/openbox
 include disable-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/opencity.profile b/etc/profile-m-z/opencity.profile
index a3d371e15..268e7cee3 100644
--- a/etc/profile-m-z/opencity.profile
+++ b/etc/profile-m-z/opencity.profile
@@ -6,7 +6,7 @@ include opencity.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.opencity
+nodeny  ${HOME}/.opencity
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.opencity
-whitelist ${HOME}/.opencity
+allow  ${HOME}/.opencity
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile
index 32b40df42..588191cb3 100644
--- a/etc/profile-m-z/openclonk.profile
+++ b/etc/profile-m-z/openclonk.profile
@@ -6,7 +6,7 @@ include openclonk.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.clonk
+nodeny  ${HOME}/.clonk
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.clonk
-whitelist ${HOME}/.clonk
+allow  ${HOME}/.clonk
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/openmw.profile b/etc/profile-m-z/openmw.profile
index d1fe67aed..95d507c98 100644
--- a/etc/profile-m-z/openmw.profile
+++ b/etc/profile-m-z/openmw.profile
@@ -6,8 +6,8 @@ include openmw.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/openmw
-noblacklist ${HOME}/.local/share/openmw
+nodeny  ${HOME}/.config/openmw
+nodeny  ${HOME}/.local/share/openmw
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,11 +21,11 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/openmw
 mkdir ${HOME}/.local/share/openmw
-whitelist ${HOME}/.config/openmw
+allow  ${HOME}/.config/openmw
 # Copy Morrowind data files into ${HOME}/.local/share/openmw or load them from /mnt.
 # Alternatively you can whitelist custom paths in your openmw.local.
-whitelist ${HOME}/.local/share/openmw
-whitelist /usr/share/openmw
+allow  ${HOME}/.local/share/openmw
+allow  /usr/share/openmw
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/openshot.profile b/etc/profile-m-z/openshot.profile
index 6118630c4..ebb536b3e 100644
--- a/etc/profile-m-z/openshot.profile
+++ b/etc/profile-m-z/openshot.profile
@@ -6,8 +6,8 @@ include openshot.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.openshot
-noblacklist ${HOME}/.openshot_qt
+nodeny  ${HOME}/.openshot
+nodeny  ${HOME}/.openshot_qt
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
@@ -19,8 +19,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /usr/share/blender
-whitelist /usr/share/inkscape
+allow  /usr/share/blender
+allow  /usr/share/inkscape
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/openttd.profile b/etc/profile-m-z/openttd.profile
index 546958bb7..79c1f8ffa 100644
--- a/etc/profile-m-z/openttd.profile
+++ b/etc/profile-m-z/openttd.profile
@@ -6,7 +6,7 @@ include openttd.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.openttd
+nodeny  ${HOME}/.openttd
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.openttd
-whitelist ${HOME}/.openttd
+allow  ${HOME}/.openttd
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/opera-beta.profile b/etc/profile-m-z/opera-beta.profile
index 551f1aba4..548afc0b4 100644
--- a/etc/profile-m-z/opera-beta.profile
+++ b/etc/profile-m-z/opera-beta.profile
@@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/opera
-noblacklist ${HOME}/.config/opera-beta
+nodeny  ${HOME}/.cache/opera
+nodeny  ${HOME}/.config/opera-beta
 
 mkdir ${HOME}/.cache/opera
 mkdir ${HOME}/.config/opera-beta
-whitelist ${HOME}/.cache/opera
-whitelist ${HOME}/.config/opera-beta
+allow  ${HOME}/.cache/opera
+allow  ${HOME}/.config/opera-beta
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/opera.profile b/etc/profile-m-z/opera.profile
index 2c7c5fc35..5a3fe064e 100644
--- a/etc/profile-m-z/opera.profile
+++ b/etc/profile-m-z/opera.profile
@@ -11,16 +11,16 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/opera
-noblacklist ${HOME}/.config/opera
-noblacklist ${HOME}/.opera
+nodeny  ${HOME}/.cache/opera
+nodeny  ${HOME}/.config/opera
+nodeny  ${HOME}/.opera
 
 mkdir ${HOME}/.cache/opera
 mkdir ${HOME}/.config/opera
 mkdir ${HOME}/.opera
-whitelist ${HOME}/.cache/opera
-whitelist ${HOME}/.config/opera
-whitelist ${HOME}/.opera
+allow  ${HOME}/.cache/opera
+allow  ${HOME}/.config/opera
+allow  ${HOME}/.opera
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/orage.profile b/etc/profile-m-z/orage.profile
index 4e4d8bea5..a49cbdb91 100644
--- a/etc/profile-m-z/orage.profile
+++ b/etc/profile-m-z/orage.profile
@@ -6,8 +6,8 @@ include orage.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/orage
-noblacklist ${HOME}/.local/share/orage
+nodeny  ${HOME}/.config/orage
+nodeny  ${HOME}/.local/share/orage
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/ostrichriders.profile b/etc/profile-m-z/ostrichriders.profile
index 310b90919..ed881816e 100644
--- a/etc/profile-m-z/ostrichriders.profile
+++ b/etc/profile-m-z/ostrichriders.profile
@@ -6,7 +6,7 @@ include ostrichriders.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.ostrichriders
+nodeny  ${HOME}/.ostrichriders
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.ostrichriders
-whitelist ${HOME}/.ostrichriders
-whitelist /usr/share/ostrichriders
+allow  ${HOME}/.ostrichriders
+allow  /usr/share/ostrichriders
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile
index 20a4e25ed..bc9e730a1 100644
--- a/etc/profile-m-z/otter-browser.profile
+++ b/etc/profile-m-z/otter-browser.profile
@@ -8,10 +8,10 @@ include globals.local
 
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
-noblacklist ${HOME}/.cache/Otter
-noblacklist ${HOME}/.config/otter
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  ${HOME}/.cache/Otter
+nodeny  ${HOME}/.config/otter
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -25,12 +25,12 @@ mkdir ${HOME}/.cache/Otter
 mkdir ${HOME}/.config/otter
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/Otter
-whitelist ${HOME}/.config/otter
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
-whitelist /usr/share/otter-browser
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/Otter
+allow  ${HOME}/.config/otter
+allow  ${HOME}/.pki
+allow  ${HOME}/.local/share/pki
+allow  /usr/share/otter-browser
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/palemoon.profile b/etc/profile-m-z/palemoon.profile
index acb2ce176..503c141d8 100644
--- a/etc/profile-m-z/palemoon.profile
+++ b/etc/profile-m-z/palemoon.profile
@@ -5,13 +5,13 @@ include palemoon.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/moonchild productions/pale moon
-noblacklist ${HOME}/.moonchild productions/pale moon
+nodeny  ${HOME}/.cache/moonchild productions/pale moon
+nodeny  ${HOME}/.moonchild productions/pale moon
 
 mkdir ${HOME}/.cache/moonchild productions/pale moon
 mkdir ${HOME}/.moonchild productions
-whitelist ${HOME}/.cache/moonchild productions/pale moon
-whitelist ${HOME}/.moonchild productions
+allow  ${HOME}/.cache/moonchild productions/pale moon
+allow  ${HOME}/.moonchild productions
 
 # Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
 seccomp
diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile
index 513b4119e..a59f53298 100644
--- a/etc/profile-m-z/pandoc.profile
+++ b/etc/profile-m-z/pandoc.profile
@@ -7,9 +7,9 @@ include pandoc.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/parole.profile b/etc/profile-m-z/parole.profile
index 0a4422a73..a277d1cbc 100644
--- a/etc/profile-m-z/parole.profile
+++ b/etc/profile-m-z/parole.profile
@@ -6,8 +6,8 @@ include parole.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile
index 0de968185..156c3956d 100644
--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -7,9 +7,9 @@ include patch.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/pavucontrol-qt.profile b/etc/profile-m-z/pavucontrol-qt.profile
index f96ba14d2..dcd69cdd0 100644
--- a/etc/profile-m-z/pavucontrol-qt.profile
+++ b/etc/profile-m-z/pavucontrol-qt.profile
@@ -7,10 +7,10 @@ include pavucontrol-qt.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.config/pavucontrol-qt
+nodeny  ${HOME}/.config/pavucontrol-qt
 
 mkdir ${HOME}/.config/pavucontrol-qt
-whitelist ${HOME}/.config/pavucontrol-qt
+allow  ${HOME}/.config/pavucontrol-qt
 
 private-bin pavucontrol-qt
 ignore private-lib
diff --git a/etc/profile-m-z/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile
index b46fb3026..f44730c33 100644
--- a/etc/profile-m-z/pavucontrol.profile
+++ b/etc/profile-m-z/pavucontrol.profile
@@ -6,7 +6,7 @@ include pavucontrol.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/pavucontrol.ini
+nodeny  ${HOME}/.config/pavucontrol.ini
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-xdg.inc
 # whitelisting in ${HOME} is broken, see #3112
 #mkfile ${HOME}/.config/pavucontrol.ini
 #whitelist ${HOME}/.config/pavucontrol.ini
-whitelist /usr/share/pavucontrol
-whitelist /usr/share/pavucontrol-qt
+allow  /usr/share/pavucontrol
+allow  /usr/share/pavucontrol-qt
 #include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/pcsxr.profile b/etc/profile-m-z/pcsxr.profile
index a6dab2a9a..3f920ced8 100644
--- a/etc/profile-m-z/pcsxr.profile
+++ b/etc/profile-m-z/pcsxr.profile
@@ -8,7 +8,7 @@ include globals.local
 
 # Note: you must whitelist your games folder in your pcsxr.local
 
-noblacklist ${HOME}/.pcsxr
+nodeny  ${HOME}/.pcsxr
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,7 +21,7 @@ include disable-write-mnt.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.pcsxr
-whitelist ${HOME}/.pcsxr
+allow  ${HOME}/.pcsxr
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/pdfchain.profile b/etc/profile-m-z/pdfchain.profile
index d72417914..13a011072 100644
--- a/etc/profile-m-z/pdfchain.profile
+++ b/etc/profile-m-z/pdfchain.profile
@@ -5,7 +5,7 @@ include pdfchain.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/pdfmod.profile b/etc/profile-m-z/pdfmod.profile
index a19826555..e49ce8073 100644
--- a/etc/profile-m-z/pdfmod.profile
+++ b/etc/profile-m-z/pdfmod.profile
@@ -6,9 +6,9 @@ include pdfmod.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/pdfmod
-noblacklist ${HOME}/.config/pdfmod
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.cache/pdfmod
+nodeny  ${HOME}/.config/pdfmod
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/pdfsam.profile b/etc/profile-m-z/pdfsam.profile
index e2808d4d2..67c14bbc3 100644
--- a/etc/profile-m-z/pdfsam.profile
+++ b/etc/profile-m-z/pdfsam.profile
@@ -6,7 +6,7 @@ include pdfsam.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile
index d3902a51c..1c7ebfad5 100644
--- a/etc/profile-m-z/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -6,9 +6,9 @@ include pdftotext.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,9 +19,9 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist ${DOCUMENTS}
-whitelist ${DOWNLOADS}
-whitelist /usr/share/poppler
+allow  ${DOCUMENTS}
+allow  ${DOWNLOADS}
+allow  /usr/share/poppler
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
index c33953687..e809625ad 100644
--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -5,9 +5,9 @@ include peek.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/peek
-noblacklist ${PICTURES}
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.cache/peek
+nodeny  ${PICTURES}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/penguin-command.profile b/etc/profile-m-z/penguin-command.profile
index f5ad0321d..5ebd7b462 100644
--- a/etc/profile-m-z/penguin-command.profile
+++ b/etc/profile-m-z/penguin-command.profile
@@ -6,7 +6,7 @@ include penguin-command.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.penguin-command
+nodeny  ${HOME}/.penguin-command
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
-whitelist ${HOME}/.penguin-command
+allow  ${HOME}/.penguin-command
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile
index 40068ff78..8dd506850 100644
--- a/etc/profile-m-z/photoflare.profile
+++ b/etc/profile-m-z/photoflare.profile
@@ -6,7 +6,7 @@ include photoflare.local
 # Persistent global definitions
 include photoflare.local
 
-noblacklist ${PICTURES}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/picard.profile b/etc/profile-m-z/picard.profile
index a5ea47088..ac178ee6c 100644
--- a/etc/profile-m-z/picard.profile
+++ b/etc/profile-m-z/picard.profile
@@ -6,9 +6,9 @@ include picard.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/MusicBrainz
-noblacklist ${HOME}/.config/MusicBrainz
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.cache/MusicBrainz
+nodeny  ${HOME}/.config/MusicBrainz
+nodeny  ${MUSIC}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile
index 26872e9a1..a65abeb2e 100644
--- a/etc/profile-m-z/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
@@ -9,7 +9,7 @@ include globals.local
 ignore noexec ${RUNUSER}
 ignore noexec /dev/shm
 
-noblacklist ${HOME}/.purple
+nodeny  ${HOME}/.purple
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,9 +20,9 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.purple
-whitelist ${HOME}/.purple
-whitelist ${DOWNLOADS}
-whitelist ${PICTURES}
+allow  ${HOME}/.purple
+allow  ${DOWNLOADS}
+allow  ${PICTURES}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/pinball.profile b/etc/profile-m-z/pinball.profile
index 2e17be2ce..41e4fb6c0 100644
--- a/etc/profile-m-z/pinball.profile
+++ b/etc/profile-m-z/pinball.profile
@@ -6,7 +6,7 @@ include pinball.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/emilia
+nodeny  ${HOME}/.config/emilia
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,11 +18,11 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/emilia
-whitelist ${HOME}/.config/emilia
+allow  ${HOME}/.config/emilia
 
-whitelist /usr/share/pinball
+allow  /usr/share/pinball
 # on debian games are stored under /usr/share/games
-whitelist /usr/share/games/pinball
+allow  /usr/share/games/pinball
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile
index e914007c0..65e77abfa 100644
--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -7,8 +7,8 @@ include ping.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
index f1fdfcbad..aa2cfe203 100644
--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -6,12 +6,12 @@ include pingus.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.pingus
+nodeny  ${HOME}/.pingus
 
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
 
-blacklist /usr/libexec
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,8 +23,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.pingus
-whitelist ${HOME}/.pingus
-whitelist /usr/share/pingus
+allow  ${HOME}/.pingus
+allow  /usr/share/pingus
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/pinta.profile b/etc/profile-m-z/pinta.profile
index 19406c399..d0d4f1fce 100644
--- a/etc/profile-m-z/pinta.profile
+++ b/etc/profile-m-z/pinta.profile
@@ -6,9 +6,9 @@ include pinta.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Pinta
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.config/Pinta
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/pioneer.profile b/etc/profile-m-z/pioneer.profile
index 721b3944a..6cfea28b6 100644
--- a/etc/profile-m-z/pioneer.profile
+++ b/etc/profile-m-z/pioneer.profile
@@ -6,7 +6,7 @@ include pioneer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.pioneer
+nodeny  ${HOME}/.pioneer
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.pioneer
-whitelist ${HOME}/.pioneer
+allow  ${HOME}/.pioneer
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/pipe-viewer.profile b/etc/profile-m-z/pipe-viewer.profile
index 3de064311..acd7eeaf2 100644
--- a/etc/profile-m-z/pipe-viewer.profile
+++ b/etc/profile-m-z/pipe-viewer.profile
@@ -7,13 +7,13 @@ include pipe-viewer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/pipe-viewer
-noblacklist ${HOME}/.config/pipe-viewer
+nodeny  ${HOME}/.cache/pipe-viewer
+nodeny  ${HOME}/.config/pipe-viewer
 
 mkdir ${HOME}/.config/pipe-viewer
 mkdir ${HOME}/.cache/pipe-viewer
-whitelist ${HOME}/.cache/pipe-viewer
-whitelist ${HOME}/.config/pipe-viewer
+allow  ${HOME}/.cache/pipe-viewer
+allow  ${HOME}/.config/pipe-viewer
 
 private-bin gtk-pipe-viewer,pipe-viewer
 
diff --git a/etc/profile-m-z/pitivi.profile b/etc/profile-m-z/pitivi.profile
index a2dd809c4..abce4c911 100644
--- a/etc/profile-m-z/pitivi.profile
+++ b/etc/profile-m-z/pitivi.profile
@@ -6,7 +6,7 @@ include pitivi.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/pitivi
+nodeny  ${HOME}/.config/pitivi
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/pix.profile b/etc/profile-m-z/pix.profile
index 81d3e9370..63451d352 100644
--- a/etc/profile-m-z/pix.profile
+++ b/etc/profile-m-z/pix.profile
@@ -5,10 +5,10 @@ include pix.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/pix
-noblacklist ${HOME}/.local/share/pix
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.steam
+nodeny  ${HOME}/.config/pix
+nodeny  ${HOME}/.local/share/pix
+nodeny  ${HOME}/.Steam
+nodeny  ${HOME}/.steam
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile
index 4eb41b3bd..13d7db7f7 100644
--- a/etc/profile-m-z/pkglog.profile
+++ b/etc/profile-m-z/pkglog.profile
@@ -17,9 +17,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /var/log/apt/history.log
-whitelist /var/log/dnf.rpm.log
-whitelist /var/log/pacman.log
+allow  /var/log/apt/history.log
+allow  /var/log/dnf.rpm.log
+allow  /var/log/pacman.log
 
 apparmor
 caps.drop all
diff --git a/etc/profile-m-z/playonlinux.profile b/etc/profile-m-z/playonlinux.profile
index 8e98905b5..9c23841e2 100644
--- a/etc/profile-m-z/playonlinux.profile
+++ b/etc/profile-m-z/playonlinux.profile
@@ -7,10 +7,10 @@ include playonlinux.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.PlayOnLinux
+nodeny  ${HOME}/.PlayOnLinux
 
 # nc is needed to run playonlinux
-noblacklist ${PATH}/nc
+nodeny  ${PATH}/nc
 
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
diff --git a/etc/profile-m-z/pluma.profile b/etc/profile-m-z/pluma.profile
index 10e12e5b1..ab7e0c64b 100644
--- a/etc/profile-m-z/pluma.profile
+++ b/etc/profile-m-z/pluma.profile
@@ -6,8 +6,8 @@ include pluma.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/enchant
-noblacklist ${HOME}/.config/pluma
+nodeny  ${HOME}/.config/enchant
+nodeny  ${HOME}/.config/pluma
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
index 5201fd853..02cb83ef6 100644
--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -6,7 +6,7 @@ include plv.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/PacmanLogViewer
+nodeny  ${HOME}/.config/PacmanLogViewer
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/PacmanLogViewer
-whitelist ${HOME}/.config/PacmanLogViewer
-whitelist /var/log/pacman.log
+allow  ${HOME}/.config/PacmanLogViewer
+allow  /var/log/pacman.log
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
index 8a181d5a8..2c4dda43e 100644
--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -7,9 +7,9 @@ include pngquant.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PICTURES}
+nodeny  ${PICTURES}
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/polari.profile b/etc/profile-m-z/polari.profile
index a3d4f9851..115ac36ab 100644
--- a/etc/profile-m-z/polari.profile
+++ b/etc/profile-m-z/polari.profile
@@ -21,12 +21,12 @@ mkdir ${HOME}/.local/share/Empathy
 mkdir ${HOME}/.local/share/TpLogger
 mkdir ${HOME}/.local/share/telepathy
 mkdir ${HOME}/.purple
-whitelist ${HOME}/.cache/telepathy
-whitelist ${HOME}/.config/telepathy-account-widgets
-whitelist ${HOME}/.local/share/Empathy
-whitelist ${HOME}/.local/share/TpLogger
-whitelist ${HOME}/.local/share/telepathy
-whitelist ${HOME}/.purple
+allow  ${HOME}/.cache/telepathy
+allow  ${HOME}/.config/telepathy-account-widgets
+allow  ${HOME}/.local/share/Empathy
+allow  ${HOME}/.local/share/TpLogger
+allow  ${HOME}/.local/share/telepathy
+allow  ${HOME}/.purple
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile
index 1f73c1d89..10c59ea32 100644
--- a/etc/profile-m-z/ppsspp.profile
+++ b/etc/profile-m-z/ppsspp.profile
@@ -8,7 +8,7 @@ include globals.local
 
 # Note: you must whitelist your games folder in your ppsspp.local.
 
-noblacklist ${HOME}/.config/ppsspp
+nodeny  ${HOME}/.config/ppsspp
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,8 +20,8 @@ include disable-write-mnt.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/ppsspp
-whitelist ${HOME}/.config/ppsspp
-whitelist /usr/share/ppsspp
+allow  ${HOME}/.config/ppsspp
+allow  /usr/share/ppsspp
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/pragha.profile b/etc/profile-m-z/pragha.profile
index f138d785e..9b03bf632 100644
--- a/etc/profile-m-z/pragha.profile
+++ b/etc/profile-m-z/pragha.profile
@@ -6,8 +6,8 @@ include pragha.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/pragha
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/pragha
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/profanity.profile b/etc/profile-m-z/profanity.profile
index 743458725..137b4cb20 100644
--- a/etc/profile-m-z/profanity.profile
+++ b/etc/profile-m-z/profanity.profile
@@ -7,8 +7,8 @@ include profanity.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/profanity
-noblacklist ${HOME}/.local/share/profanity
+nodeny  ${HOME}/.config/profanity
+nodeny  ${HOME}/.local/share/profanity
 
 # Allow Python
 include allow-python2.inc
diff --git a/etc/profile-m-z/psi-plus.profile b/etc/profile-m-z/psi-plus.profile
index 5ac58b0ac..b0e28baf7 100644
--- a/etc/profile-m-z/psi-plus.profile
+++ b/etc/profile-m-z/psi-plus.profile
@@ -6,8 +6,8 @@ include psi-plus.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/psi+
-noblacklist ${HOME}/.local/share/psi+
+nodeny  ${HOME}/.config/psi+
+nodeny  ${HOME}/.local/share/psi+
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,10 +19,10 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/psi+
 mkdir ${HOME}/.config/psi+
 mkdir ${HOME}/.local/share/psi+
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/psi+
-whitelist ${HOME}/.config/psi+
-whitelist ${HOME}/.local/share/psi+
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/psi+
+allow  ${HOME}/.config/psi+
+allow  ${HOME}/.local/share/psi+
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile
index 7e0ef99fc..2588c3b75 100644
--- a/etc/profile-m-z/psi.profile
+++ b/etc/profile-m-z/psi.profile
@@ -8,11 +8,11 @@ include globals.local
 
 # Add the next line to your psi.local to enable GPG support.
 #noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.cache/psi
-noblacklist ${HOME}/.cache/Psi
-noblacklist ${HOME}/.config/psi
-noblacklist ${HOME}/.local/share/psi
-noblacklist ${HOME}/.local/share/Psi
+nodeny  ${HOME}/.cache/psi
+nodeny  ${HOME}/.cache/Psi
+nodeny  ${HOME}/.config/psi
+nodeny  ${HOME}/.local/share/psi
+nodeny  ${HOME}/.local/share/Psi
 
 include disable-common.inc
 include disable-devel.inc
@@ -32,16 +32,16 @@ mkdir ${HOME}/.local/share/psi
 mkdir ${HOME}/.local/share/Psi
 # Add the next line to your psi.local to enable GPG support.
 #whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.cache/psi
-whitelist ${HOME}/.cache/Psi
-whitelist ${HOME}/.config/psi
-whitelist ${HOME}/.local/share/psi
-whitelist ${HOME}/.local/share/Psi
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.cache/psi
+allow  ${HOME}/.cache/Psi
+allow  ${HOME}/.config/psi
+allow  ${HOME}/.local/share/psi
+allow  ${HOME}/.local/share/Psi
+allow  ${DOWNLOADS}
 # Add the next lines to your psi.local to enable GPG support.
 #whitelist /usr/share/gnupg
 #whitelist /usr/share/gnupg2
-whitelist /usr/share/psi
+allow  /usr/share/psi
 # Add the next lines to your psi.local to enable GPG support.
 #whitelist ${RUNUSER}/gnupg
 #whitelist ${RUNUSER}/keyring
diff --git a/etc/profile-m-z/pybitmessage.profile b/etc/profile-m-z/pybitmessage.profile
index 60ae37930..1f0e83ab6 100644
--- a/etc/profile-m-z/pybitmessage.profile
+++ b/etc/profile-m-z/pybitmessage.profile
@@ -5,9 +5,9 @@ include pybitmessage.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /sbin
-noblacklist /usr/local/sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/local/sbin
+nodeny  /usr/sbin
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/pycharm-community.profile b/etc/profile-m-z/pycharm-community.profile
index 00d7239ae..b6c08290e 100644
--- a/etc/profile-m-z/pycharm-community.profile
+++ b/etc/profile-m-z/pycharm-community.profile
@@ -5,7 +5,7 @@ include pycharm-community.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.PyCharmCE*
+nodeny  ${HOME}/.PyCharmCE*
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-m-z/pycharm-professional.profile b/etc/profile-m-z/pycharm-professional.profile
index b754a18c9..fa0932cc0 100644
--- a/etc/profile-m-z/pycharm-professional.profile
+++ b/etc/profile-m-z/pycharm-professional.profile
@@ -6,7 +6,7 @@ include pyucharm-professional.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.PyCharm*
+nodeny  ${HOME}/.PyCharm*
 
 # Redirect
 include pycharm-community.profile
diff --git a/etc/profile-m-z/qbittorrent.profile b/etc/profile-m-z/qbittorrent.profile
index 506b738cc..fb8e622b0 100644
--- a/etc/profile-m-z/qbittorrent.profile
+++ b/etc/profile-m-z/qbittorrent.profile
@@ -6,10 +6,10 @@ include qbittorrent.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/qBittorrent
-noblacklist ${HOME}/.config/qBittorrent
-noblacklist ${HOME}/.config/qBittorrentrc
-noblacklist ${HOME}/.local/share/data/qBittorrent
+nodeny  ${HOME}/.cache/qBittorrent
+nodeny  ${HOME}/.config/qBittorrent
+nodeny  ${HOME}/.config/qBittorrentrc
+nodeny  ${HOME}/.local/share/data/qBittorrent
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -27,11 +27,11 @@ mkdir ${HOME}/.cache/qBittorrent
 mkdir ${HOME}/.config/qBittorrent
 mkfile ${HOME}/.config/qBittorrentrc
 mkdir ${HOME}/.local/share/data/qBittorrent
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/qBittorrent
-whitelist ${HOME}/.config/qBittorrent
-whitelist ${HOME}/.config/qBittorrentrc
-whitelist ${HOME}/.local/share/data/qBittorrent
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/qBittorrent
+allow  ${HOME}/.config/qBittorrent
+allow  ${HOME}/.config/qBittorrentrc
+allow  ${HOME}/.local/share/data/qBittorrent
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/qcomicbook.profile b/etc/profile-m-z/qcomicbook.profile
index 0e52d7fc4..7bcc4b065 100644
--- a/etc/profile-m-z/qcomicbook.profile
+++ b/etc/profile-m-z/qcomicbook.profile
@@ -6,10 +6,10 @@ include qcomicbook.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/PawelStolowski
-noblacklist ${HOME}/.config/PawelStolowski
-noblacklist ${HOME}/.local/share/PawelStolowski
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.cache/PawelStolowski
+nodeny  ${HOME}/.config/PawelStolowski
+nodeny  ${HOME}/.local/share/PawelStolowski
+nodeny  ${DOCUMENTS}
 
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
@@ -27,7 +27,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/PawelStolowski
 mkdir ${HOME}/.config/PawelStolowski
 mkdir ${HOME}/.local/share/PawelStolowski
-whitelist /usr/share/qcomicbook
+allow  /usr/share/qcomicbook
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/qemu-launcher.profile b/etc/profile-m-z/qemu-launcher.profile
index ac60384fd..d527a2b82 100644
--- a/etc/profile-m-z/qemu-launcher.profile
+++ b/etc/profile-m-z/qemu-launcher.profile
@@ -5,7 +5,7 @@ include qemu-launcher.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.qemu-launcher
+nodeny  ${HOME}/.qemu-launcher
 
 include disable-common.inc
 include disable-passwdmgr.inc
diff --git a/etc/profile-m-z/qgis.profile b/etc/profile-m-z/qgis.profile
index 2e97daea2..e99140c22 100644
--- a/etc/profile-m-z/qgis.profile
+++ b/etc/profile-m-z/qgis.profile
@@ -6,10 +6,10 @@ include qgis.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/QGIS
-noblacklist ${HOME}/.local/share/QGIS
-noblacklist ${HOME}/.qgis2
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/QGIS
+nodeny  ${HOME}/.local/share/QGIS
+nodeny  ${HOME}/.qgis2
+nodeny  ${DOCUMENTS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
@@ -25,10 +25,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.local/share/QGIS
 mkdir ${HOME}/.qgis2
 mkdir ${HOME}/.config/QGIS
-whitelist ${HOME}/.local/share/QGIS
-whitelist ${HOME}/.qgis2
-whitelist ${HOME}/.config/QGIS
-whitelist ${DOCUMENTS}
+allow  ${HOME}/.local/share/QGIS
+allow  ${HOME}/.qgis2
+allow  ${HOME}/.config/QGIS
+allow  ${DOCUMENTS}
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/qlipper.profile b/etc/profile-m-z/qlipper.profile
index 6e94d5845..75dc58ae4 100644
--- a/etc/profile-m-z/qlipper.profile
+++ b/etc/profile-m-z/qlipper.profile
@@ -6,7 +6,7 @@ include qlipper.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Qlipper
+nodeny  ${HOME}/.config/Qlipper
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/qmmp.profile b/etc/profile-m-z/qmmp.profile
index c3d982c17..d37fce997 100644
--- a/etc/profile-m-z/qmmp.profile
+++ b/etc/profile-m-z/qmmp.profile
@@ -6,8 +6,8 @@ include qmmp.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.qmmp
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.qmmp
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile
index ca11df5be..f12340052 100644
--- a/etc/profile-m-z/qnapi.profile
+++ b/etc/profile-m-z/qnapi.profile
@@ -6,7 +6,7 @@ include qnapi.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/qnapi.ini
+nodeny  ${HOME}/.config/qnapi.ini
 
 ignore noexec /tmp
 
@@ -20,8 +20,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkfile ${HOME}/.config/qnapi.ini
-whitelist ${HOME}/.config/qnapi.ini
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.config/qnapi.ini
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/qpdfview.profile b/etc/profile-m-z/qpdfview.profile
index be690ffa4..62fae324c 100644
--- a/etc/profile-m-z/qpdfview.profile
+++ b/etc/profile-m-z/qpdfview.profile
@@ -6,9 +6,9 @@ include qpdfview.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/qpdfview
-noblacklist ${HOME}/.local/share/qpdfview
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/qpdfview
+nodeny  ${HOME}/.local/share/qpdfview
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile
index 6cbf8519f..5f0aec804 100644
--- a/etc/profile-m-z/qrencode.profile
+++ b/etc/profile-m-z/qrencode.profile
@@ -7,7 +7,7 @@ include qrencode.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile
index 8ffe24d11..1ad46814e 100644
--- a/etc/profile-m-z/qtox.profile
+++ b/etc/profile-m-z/qtox.profile
@@ -6,8 +6,8 @@ include qtox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/Tox
-noblacklist ${HOME}/.config/tox
+nodeny  ${HOME}/.cache/Tox
+nodeny  ${HOME}/.config/tox
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/tox
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/tox
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/tox
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/quadrapassel.profile b/etc/profile-m-z/quadrapassel.profile
index 91e0d9d0d..aee24925c 100644
--- a/etc/profile-m-z/quadrapassel.profile
+++ b/etc/profile-m-z/quadrapassel.profile
@@ -6,11 +6,11 @@ include quadrapassel.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/quadrapassel
+nodeny  ${HOME}/.local/share/quadrapassel
 
 mkdir ${HOME}/.local/share/quadrapassel
-whitelist ${HOME}/.local/share/quadrapassel
-whitelist /usr/share/quadrapassel
+allow  ${HOME}/.local/share/quadrapassel
+allow  /usr/share/quadrapassel
 
 private-bin quadrapassel
 
diff --git a/etc/profile-m-z/quaternion.profile b/etc/profile-m-z/quaternion.profile
index 1d146aa39..a319e1e12 100644
--- a/etc/profile-m-z/quaternion.profile
+++ b/etc/profile-m-z/quaternion.profile
@@ -6,8 +6,8 @@ include quaternion.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/Quotient/quaternion
-noblacklist ${HOME}/.config/Quotient
+nodeny  ${HOME}/.cache/Quotient/quaternion
+nodeny  ${HOME}/.config/Quotient
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,10 +20,10 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/Quotient/quaternion
 mkdir ${HOME}/.config/Quotient
-whitelist ${HOME}/.cache/Quotient/quaternion
-whitelist ${HOME}/.config/Quotient
-whitelist ${DOWNLOADS}
-whitelist /usr/share/Quotient/quaternion
+allow  ${HOME}/.cache/Quotient/quaternion
+allow  ${HOME}/.config/Quotient
+allow  ${DOWNLOADS}
+allow  /usr/share/Quotient/quaternion
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/quiterss.profile b/etc/profile-m-z/quiterss.profile
index 9490089b2..2693f2ed5 100644
--- a/etc/profile-m-z/quiterss.profile
+++ b/etc/profile-m-z/quiterss.profile
@@ -6,10 +6,10 @@ include quiterss.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/QuiteRss
-noblacklist ${HOME}/.config/QuiteRss
-noblacklist ${HOME}/.config/QuiteRssrc
-noblacklist ${HOME}/.local/share/QuiteRss
+nodeny  ${HOME}/.cache/QuiteRss
+nodeny  ${HOME}/.config/QuiteRss
+nodeny  ${HOME}/.config/QuiteRssrc
+nodeny  ${HOME}/.local/share/QuiteRss
 
 include disable-common.inc
 include disable-devel.inc
@@ -25,12 +25,12 @@ mkdir ${HOME}/.local/share/data
 mkdir ${HOME}/.local/share/data/QuiteRss
 mkdir ${HOME}/.local/share/QuiteRss
 mkfile ${HOME}/quiterssfeeds.opml
-whitelist ${HOME}/.cache/QuiteRss
-whitelist ${HOME}/.config/QuiteRss
-whitelist ${HOME}/.config/QuiteRssrc
-whitelist ${HOME}/.local/share/data/QuiteRss
-whitelist ${HOME}/.local/share/QuiteRss
-whitelist ${HOME}/quiterssfeeds.opml
+allow  ${HOME}/.cache/QuiteRss
+allow  ${HOME}/.config/QuiteRss
+allow  ${HOME}/.config/QuiteRssrc
+allow  ${HOME}/.local/share/data/QuiteRss
+allow  ${HOME}/.local/share/QuiteRss
+allow  ${HOME}/quiterssfeeds.opml
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/quodlibet.profile b/etc/profile-m-z/quodlibet.profile
index 92b02b2bf..52c120c08 100644
--- a/etc/profile-m-z/quodlibet.profile
+++ b/etc/profile-m-z/quodlibet.profile
@@ -6,10 +6,10 @@ include quodlibet.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/quodlibet
-noblacklist ${HOME}/.config/quodlibet
-noblacklist ${HOME}/.quodlibet
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.cache/quodlibet
+nodeny  ${HOME}/.config/quodlibet
+nodeny  ${HOME}/.quodlibet
+nodeny  ${MUSIC}
 
 include allow-bin-sh.inc
 
@@ -30,11 +30,11 @@ mkdir ${HOME}/.cache/quodlibet
 mkdir ${HOME}/.config/quodlibet
 mkdir ${HOME}/.quodlibet
 
-whitelist ${HOME}/.cache/quodlibet
-whitelist ${HOME}/.config/quodlibet
-whitelist ${HOME}/.quodlibet
-whitelist ${DOWNLOADS}
-whitelist ${MUSIC}
+allow  ${HOME}/.cache/quodlibet
+allow  ${HOME}/.config/quodlibet
+allow  ${HOME}/.quodlibet
+allow  ${DOWNLOADS}
+allow  ${MUSIC}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/qupzilla.profile b/etc/profile-m-z/qupzilla.profile
index 7aa71c848..9bc91808b 100644
--- a/etc/profile-m-z/qupzilla.profile
+++ b/etc/profile-m-z/qupzilla.profile
@@ -6,8 +6,8 @@ include qupzilla.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.cache/qupzilla
-noblacklist ${HOME}/.config/qupzilla
+nodeny  ${HOME}/.cache/qupzilla
+nodeny  ${HOME}/.config/qupzilla
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/.cache/qupzilla
 mkdir ${HOME}/.config/qupzilla
-whitelist ${HOME}/.cache/qupzilla
-whitelist ${HOME}/.config/qupzilla
+allow  ${HOME}/.cache/qupzilla
+allow  ${HOME}/.config/qupzilla
 
 # Redirect
 include falkon.profile
diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile
index fc910b589..a342e2acd 100644
--- a/etc/profile-m-z/qutebrowser.profile
+++ b/etc/profile-m-z/qutebrowser.profile
@@ -6,9 +6,9 @@ include qutebrowser.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/qutebrowser
-noblacklist ${HOME}/.config/qutebrowser
-noblacklist ${HOME}/.local/share/qutebrowser
+nodeny  ${HOME}/.cache/qutebrowser
+nodeny  ${HOME}/.config/qutebrowser
+nodeny  ${HOME}/.local/share/qutebrowser
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,10 +22,10 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/qutebrowser
 mkdir ${HOME}/.config/qutebrowser
 mkdir ${HOME}/.local/share/qutebrowser
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/qutebrowser
-whitelist ${HOME}/.config/qutebrowser
-whitelist ${HOME}/.local/share/qutebrowser
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/qutebrowser
+allow  ${HOME}/.config/qutebrowser
+allow  ${HOME}/.local/share/qutebrowser
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/rambox.profile b/etc/profile-m-z/rambox.profile
index ffa2022ee..b1059cee8 100644
--- a/etc/profile-m-z/rambox.profile
+++ b/etc/profile-m-z/rambox.profile
@@ -6,9 +6,9 @@ include rambox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Rambox
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  ${HOME}/.config/Rambox
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,10 +18,10 @@ include disable-programs.inc
 mkdir ${HOME}/.config/Rambox
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/Rambox
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/Rambox
+allow  ${HOME}/.pki
+allow  ${HOME}/.local/share/pki
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/redeclipse.profile b/etc/profile-m-z/redeclipse.profile
index 9bc196a16..3b56f651f 100644
--- a/etc/profile-m-z/redeclipse.profile
+++ b/etc/profile-m-z/redeclipse.profile
@@ -6,7 +6,7 @@ include redeclipse.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.redeclipse
+nodeny  ${HOME}/.redeclipse
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.redeclipse
-whitelist ${HOME}/.redeclipse
-whitelist /usr/share/redeclipse
+allow  ${HOME}/.redeclipse
+allow  /usr/share/redeclipse
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/rednotebook.profile b/etc/profile-m-z/rednotebook.profile
new file mode 100644
index 000000000..67281c518
--- /dev/null
+++ b/etc/profile-m-z/rednotebook.profile
@@ -0,0 +1,67 @@
+# Firejail profile for rednotebook
+# Description: Daily journal with calendar, templates and keyword searching
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rednotebook.local
+# Persistent global definitions
+include globals.local
+
+nodeny ${HOME}/.cache/rednotebook
+nodeny ${HOME}/.rednotebook
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.cache/rednotebook
+mkdir ${HOME}/.rednotebook
+allow ${HOME}/.cache/rednotebook
+allow ${HOME}/.rednotebook
+allow ${DESKTOP}
+allow ${DOCUMENTS}
+allow ${DOWNLOADS}
+allow ${MUSIC}
+allow ${PICTURES}
+allow ${VIDEOS}
+allow /usr/libexec/webkit2gtk-4.0
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin python3*,rednotebook
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/redshift.profile b/etc/profile-m-z/redshift.profile
index f87c5f67c..3035e1d74 100644
--- a/etc/profile-m-z/redshift.profile
+++ b/etc/profile-m-z/redshift.profile
@@ -7,8 +7,8 @@ include redshift.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/redshift
-noblacklist ${HOME}/.config/redshift.conf
+nodeny  ${HOME}/.config/redshift
+nodeny  ${HOME}/.config/redshift.conf
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/redshift
-whitelist ${HOME}/.config/redshift
-whitelist ${HOME}/.config/redshift.conf
+allow  ${HOME}/.config/redshift
+allow  ${HOME}/.config/redshift.conf
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile
index f5131c5d0..82feafab9 100644
--- a/etc/profile-m-z/regextester.profile
+++ b/etc/profile-m-z/regextester.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/com.github.artemanufrij.regextester
+allow  /usr/share/com.github.artemanufrij.regextester
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/remmina.profile b/etc/profile-m-z/remmina.profile
index aca22f187..3f385f602 100644
--- a/etc/profile-m-z/remmina.profile
+++ b/etc/profile-m-z/remmina.profile
@@ -6,9 +6,9 @@ include remmina.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.remmina
-noblacklist ${HOME}/.config/remmina
-noblacklist ${HOME}/.local/share/remmina
+nodeny  ${HOME}/.remmina
+nodeny  ${HOME}/.config/remmina
+nodeny  ${HOME}/.local/share/remmina
 
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
index 970e8ffba..c532d3dc1 100644
--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -6,9 +6,9 @@ include rhythmbox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${MUSIC}
-noblacklist ${HOME}/.cache/rhythmbox
-noblacklist ${HOME}/.local/share/rhythmbox
+nodeny  ${MUSIC}
+nodeny  ${HOME}/.cache/rhythmbox
+nodeny  ${HOME}/.local/share/rhythmbox
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -26,10 +26,10 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/rhythmbox
-whitelist /usr/share/lua
-whitelist /usr/share/libquvi-scripts
-whitelist /usr/share/tracker
+allow  /usr/share/rhythmbox
+allow  /usr/share/lua
+allow  /usr/share/libquvi-scripts
+allow  /usr/share/tracker
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/ricochet.profile b/etc/profile-m-z/ricochet.profile
index b664a2be3..c3ee57ef3 100644
--- a/etc/profile-m-z/ricochet.profile
+++ b/etc/profile-m-z/ricochet.profile
@@ -5,7 +5,7 @@ include ricochet.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/Ricochet
+nodeny  ${HOME}/.local/share/Ricochet
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,8 +16,8 @@ include disable-programs.inc
 include disable-shell.inc
 
 mkdir ${HOME}/.local/share/Ricochet
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.local/share/Ricochet
+allow  ${DOWNLOADS}
+allow  ${HOME}/.local/share/Ricochet
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/riot-web.profile b/etc/profile-m-z/riot-web.profile
index 687c943b0..782396a50 100644
--- a/etc/profile-m-z/riot-web.profile
+++ b/etc/profile-m-z/riot-web.profile
@@ -8,11 +8,11 @@ include globals.local
 
 ignore noexec /tmp
 
-noblacklist ${HOME}/.config/Riot
+nodeny  ${HOME}/.config/Riot
 
 mkdir ${HOME}/.config/Riot
-whitelist ${HOME}/.config/Riot
-whitelist /usr/share/webapps/element
+allow  ${HOME}/.config/Riot
+allow  /usr/share/webapps/element
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/ripperx.profile b/etc/profile-m-z/ripperx.profile
index be815e714..c97ac8090 100644
--- a/etc/profile-m-z/ripperx.profile
+++ b/etc/profile-m-z/ripperx.profile
@@ -6,8 +6,8 @@ include ripperx.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.ripperXrc
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.ripperXrc
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/ristretto.profile b/etc/profile-m-z/ristretto.profile
index 5572cab5a..109d2f8f1 100644
--- a/etc/profile-m-z/ristretto.profile
+++ b/etc/profile-m-z/ristretto.profile
@@ -6,9 +6,9 @@ include ristretto.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/ristretto
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.steam
+nodeny  ${HOME}/.config/ristretto
+nodeny  ${HOME}/.Steam
+nodeny  ${HOME}/.steam
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/rocketchat.profile b/etc/profile-m-z/rocketchat.profile
index 8d3607c75..1a76c4211 100644
--- a/etc/profile-m-z/rocketchat.profile
+++ b/etc/profile-m-z/rocketchat.profile
@@ -21,10 +21,10 @@ ignore private-cache
 ignore private-dev
 ignore private-tmp
 
-noblacklist ${HOME}/.config/Rocket.Chat
+nodeny  ${HOME}/.config/Rocket.Chat
 
 mkdir ${HOME}/.config/Rocket.Chat
-whitelist ${HOME}/.config/Rocket.Chat
+allow  ${HOME}/.config/Rocket.Chat
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile
index 690b44bb1..4807b7d36 100644
--- a/etc/profile-m-z/rsync-download_only.profile
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -11,8 +11,8 @@ include globals.local
 # not as a daemon (rsync --daemon) nor to create backups.
 # Usage: firejail --profile=rsync-download_only rsync
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/rtv-addons.profile b/etc/profile-m-z/rtv-addons.profile
index c9da0b628..6b7d6b155 100644
--- a/etc/profile-m-z/rtv-addons.profile
+++ b/etc/profile-m-z/rtv-addons.profile
@@ -11,13 +11,18 @@ ignore nosound
 ignore private-bin
 ignore dbus-user none
 
-noblacklist ${HOME}/.config/mpv
-noblacklist ${HOME}/.mailcap
-noblacklist ${HOME}/.netrc
-noblacklist ${HOME}/.w3m
+nodeny  ${HOME}/.config/mpv
+nodeny  ${HOME}/.mailcap
+nodeny  ${HOME}/.netrc
+nodeny  ${HOME}/.w3m
 
-whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
-whitelist ${HOME}/.config/mpv
-whitelist ${HOME}/.mailcap
-whitelist ${HOME}/.netrc
-whitelist ${HOME}/.w3m
+allow  ${HOME}/.cache/youtube-dl/youtube-sigfuncs
+allow  ${HOME}/.config/mpv
+allow  ${HOME}/.mailcap
+allow  ${HOME}/.netrc
+allow  ${HOME}/.w3m
+
+#private-bin w3m,mpv,youtube-dl
+
+# tells rtv, which browser to use
+#env RTV_BROWSER=w3m
diff --git a/etc/profile-m-z/rtv.profile b/etc/profile-m-z/rtv.profile
index f0b8d31e9..074050792 100644
--- a/etc/profile-m-z/rtv.profile
+++ b/etc/profile-m-z/rtv.profile
@@ -6,11 +6,14 @@ include rtv.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${HOME}/.config/rtv
-noblacklist ${HOME}/.local/share/rtv
+nodeny  ${HOME}/.config/rtv
+nodeny  ${HOME}/.local/share/rtv
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -30,8 +33,8 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/rtv
 mkdir ${HOME}/.local/share/rtv
-whitelist ${HOME}/.config/rtv
-whitelist ${HOME}/.local/share/rtv
+allow  ${HOME}/.config/rtv
+allow  ${HOME}/.local/share/rtv
 include whitelist-var-common.inc
 
 apparmor
@@ -54,10 +57,10 @@ shell none
 tracelog
 
 disable-mnt
-private-bin python*,rtv,sh,xdg-settings
+private-bin less,python*,rtv,sh,xdg-settings
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/sayonara.profile b/etc/profile-m-z/sayonara.profile
index de79913cc..963f5da02 100644
--- a/etc/profile-m-z/sayonara.profile
+++ b/etc/profile-m-z/sayonara.profile
@@ -5,8 +5,8 @@ include sayonara.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.Sayonara
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.Sayonara
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/scallion.profile b/etc/profile-m-z/scallion.profile
index eb8468c3b..26550b5e0 100644
--- a/etc/profile-m-z/scallion.profile
+++ b/etc/profile-m-z/scallion.profile
@@ -6,10 +6,10 @@ include scallion.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PATH}/llvm*
-noblacklist ${PATH}/openssl
-noblacklist ${PATH}/openssl-1.0
-noblacklist ${DOCUMENTS}
+nodeny  ${PATH}/llvm*
+nodeny  ${PATH}/openssl
+nodeny  ${PATH}/openssl-1.0
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-exec.inc
diff --git a/etc/profile-m-z/scorched3d.profile b/etc/profile-m-z/scorched3d.profile
index b1989e474..921efb49e 100644
--- a/etc/profile-m-z/scorched3d.profile
+++ b/etc/profile-m-z/scorched3d.profile
@@ -6,7 +6,7 @@ include scorched3d.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.scorched3d
+nodeny  ${HOME}/.scorched3d
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,9 +17,9 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.scorched3d
-whitelist ${HOME}/.scorched3d
-whitelist /usr/share/scorched3d
-whitelist /usr/share/games/scorched3d
+allow  ${HOME}/.scorched3d
+allow  /usr/share/scorched3d
+allow  /usr/share/games/scorched3d
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile
index 2cb1df6b5..54a6c3a01 100644
--- a/etc/profile-m-z/scorchwentbonkers.profile
+++ b/etc/profile-m-z/scorchwentbonkers.profile
@@ -6,7 +6,7 @@ include scorchwentbonkers.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.swb.ini
+nodeny  ${HOME}/.swb.ini
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.swb.ini
-whitelist ${HOME}/.swb.ini
-whitelist /usr/share/scorchwentbonkers
+allow  ${HOME}/.swb.ini
+allow  /usr/share/scorchwentbonkers
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/scribus.profile b/etc/profile-m-z/scribus.profile
index 1fdeaa145..6519f8e87 100644
--- a/etc/profile-m-z/scribus.profile
+++ b/etc/profile-m-z/scribus.profile
@@ -7,24 +7,24 @@ include scribus.local
 include globals.local
 
 # Support for PDF readers comes with Scribus 1.5 and higher
-noblacklist ${HOME}/.cache/okular
-noblacklist ${HOME}/.config/GIMP
-noblacklist ${HOME}/.config/okularpartrc
-noblacklist ${HOME}/.config/okularrc
-noblacklist ${HOME}/.config/scribus
-noblacklist ${HOME}/.config/scribusrc
-noblacklist ${HOME}/.gimp*
-noblacklist ${HOME}/.kde/share/apps/okular
-noblacklist ${HOME}/.kde/share/config/okularpartrc
-noblacklist ${HOME}/.kde/share/config/okularrc
-noblacklist ${HOME}/.kde4/share/apps/okular
-noblacklist ${HOME}/.kde4/share/config/okularpartrc
-noblacklist ${HOME}/.kde4/share/config/okularrc
-noblacklist ${HOME}/.local/share/okular
-noblacklist ${HOME}/.local/share/scribus
-noblacklist ${HOME}/.scribus
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.cache/okular
+nodeny  ${HOME}/.config/GIMP
+nodeny  ${HOME}/.config/okularpartrc
+nodeny  ${HOME}/.config/okularrc
+nodeny  ${HOME}/.config/scribus
+nodeny  ${HOME}/.config/scribusrc
+nodeny  ${HOME}/.gimp*
+nodeny  ${HOME}/.kde/share/apps/okular
+nodeny  ${HOME}/.kde/share/config/okularpartrc
+nodeny  ${HOME}/.kde/share/config/okularrc
+nodeny  ${HOME}/.kde4/share/apps/okular
+nodeny  ${HOME}/.kde4/share/config/okularpartrc
+nodeny  ${HOME}/.kde4/share/config/okularrc
+nodeny  ${HOME}/.local/share/okular
+nodeny  ${HOME}/.local/share/scribus
+nodeny  ${HOME}/.scribus
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile
index 7799ab7ed..95cedac3f 100644
--- a/etc/profile-m-z/seahorse-adventures.profile
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -22,8 +22,8 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/seahorse-adventures
-whitelist /usr/share/games/seahorse-adventures
+allow  /usr/share/seahorse-adventures
+allow  /usr/share/games/seahorse-adventures
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index d3d8e453f..66605173b 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -6,9 +6,9 @@ include seahorse.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
+deny  /tmp/.X11-unix
 
-noblacklist ${HOME}/.gnupg
+nodeny  ${HOME}/.gnupg
 
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
@@ -27,13 +27,13 @@ include disable-xdg.inc
 #mkdir ${HOME}/.ssh
 #whitelist ${HOME}/.gnupg
 #whitelist ${HOME}/.ssh
-whitelist /tmp/ssh-*
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
-whitelist /usr/share/seahorse
-whitelist /usr/share/seahorse-nautilus
-whitelist ${RUNUSER}/gnupg
-whitelist ${RUNUSER}/keyring
+allow  /tmp/ssh-*
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
+allow  /usr/share/seahorse
+allow  /usr/share/seahorse-nautilus
+allow  ${RUNUSER}/gnupg
+allow  ${RUNUSER}/keyring
 #include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/seamonkey.profile b/etc/profile-m-z/seamonkey.profile
index 807effbeb..c9867719a 100644
--- a/etc/profile-m-z/seamonkey.profile
+++ b/etc/profile-m-z/seamonkey.profile
@@ -6,10 +6,10 @@ include seamonkey.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/mozilla
-noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  ${HOME}/.cache/mozilla
+nodeny  ${HOME}/.mozilla
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,25 +20,25 @@ mkdir ${HOME}/.cache/mozilla
 mkdir ${HOME}/.mozilla
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
-whitelist ${HOME}/.cache/mozilla
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.mozilla
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/gnome-mplayer/plugin
+allow  ${HOME}/.cache/mozilla
+allow  ${HOME}/.config/gnome-mplayer
+allow  ${HOME}/.config/pipelight-silverlight5.1
+allow  ${HOME}/.config/pipelight-widevine
+allow  ${HOME}/.keysnail.js
+allow  ${HOME}/.lastpass
+allow  ${HOME}/.mozilla
+allow  ${HOME}/.pentadactyl
+allow  ${HOME}/.pentadactylrc
+allow  ${HOME}/.pki
+allow  ${HOME}/.local/share/pki
+allow  ${HOME}/.vimperator
+allow  ${HOME}/.vimperatorrc
+allow  ${HOME}/.wine-pipelight
+allow  ${HOME}/.wine-pipelight64
+allow  ${HOME}/.zotero
+allow  ${HOME}/dwhelper
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
index 7d56684db..23f464637 100644
--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -32,12 +32,12 @@ include globals.local
 # it allows /sbin and /usr/sbin directories - this is where servers are installed
 # depending on your usage, you can enable some of the commands below:
 
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/sbin
 # noblacklist /var/opt
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/profile-m-z/shellcheck.profile b/etc/profile-m-z/shellcheck.profile
index b7f398f45..0cb9de45a 100644
--- a/etc/profile-m-z/shellcheck.profile
+++ b/etc/profile-m-z/shellcheck.profile
@@ -7,9 +7,9 @@ include shellcheck.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,7 +19,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/shellcheck
+allow  /usr/share/shellcheck
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/shortwave.profile b/etc/profile-m-z/shortwave.profile
index d629240ec..a8e5f6b18 100644
--- a/etc/profile-m-z/shortwave.profile
+++ b/etc/profile-m-z/shortwave.profile
@@ -6,8 +6,8 @@ include shortwave.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/Shortwave
-noblacklist ${HOME}/.local/share/Shortwave
+nodeny  ${HOME}/.cache/Shortwave
+nodeny  ${HOME}/.local/share/Shortwave
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,9 +19,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/Shortwave
 mkdir ${HOME}/.local/share/Shortwave
-whitelist ${HOME}/.cache/Shortwave
-whitelist ${HOME}/.local/share/Shortwave
-whitelist /usr/share/shortwave
+allow  ${HOME}/.cache/Shortwave
+allow  ${HOME}/.local/share/Shortwave
+allow  /usr/share/shortwave
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/shotcut.profile b/etc/profile-m-z/shotcut.profile
index 63af4d367..1f3c39c46 100644
--- a/etc/profile-m-z/shotcut.profile
+++ b/etc/profile-m-z/shotcut.profile
@@ -8,7 +8,7 @@ include globals.local
 
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.config/Meltytech
+nodeny  ${HOME}/.config/Meltytech
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile
index ddc8a7743..b653930c3 100644
--- a/etc/profile-m-z/shotwell.profile
+++ b/etc/profile-m-z/shotwell.profile
@@ -6,10 +6,10 @@ include shotwell.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/shotwell
-noblacklist ${HOME}/.local/share/shotwell
+nodeny  ${HOME}/.cache/shotwell
+nodeny  ${HOME}/.local/share/shotwell
 
-noblacklist ${PICTURES}
+nodeny  ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -21,9 +21,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/shotwell
 mkdir ${HOME}/.local/share/shotwell
-whitelist ${HOME}/.cache/shotwell
-whitelist ${HOME}/.local/share/shotwell
-whitelist ${PICTURES}
+allow  ${HOME}/.cache/shotwell
+allow  ${HOME}/.local/share/shotwell
+allow  ${PICTURES}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/signal-cli.profile b/etc/profile-m-z/signal-cli.profile
index 478377344..8a46899f1 100644
--- a/etc/profile-m-z/signal-cli.profile
+++ b/etc/profile-m-z/signal-cli.profile
@@ -6,10 +6,10 @@ include signal-cli.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${HOME}/.local/share/signal-cli
+nodeny  ${HOME}/.local/share/signal-cli
 
 include allow-java.inc
 
@@ -22,7 +22,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/signal-cli
-whitelist ${HOME}/.local/share/signal-cli
+allow  ${HOME}/.local/share/signal-cli
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index 77a7f5b38..a12080748 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -9,15 +9,15 @@ ignore novideo
 
 ignore noexec /tmp
 
-noblacklist ${HOME}/.config/Signal
+nodeny  ${HOME}/.config/Signal
 
 # These lines are needed to allow Firefox to open links
-noblacklist ${HOME}/.mozilla
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
+nodeny  ${HOME}/.mozilla
+allow  ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 mkdir ${HOME}/.config/Signal
-whitelist ${HOME}/.config/Signal
+allow  ${HOME}/.config/Signal
 
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 
diff --git a/etc/profile-m-z/simple-scan.profile b/etc/profile-m-z/simple-scan.profile
index 17920677b..589a44ffc 100644
--- a/etc/profile-m-z/simple-scan.profile
+++ b/etc/profile-m-z/simple-scan.profile
@@ -6,8 +6,8 @@ include simple-scan.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/simple-scan
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.cache/simple-scan
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,8 +16,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/hplip
-whitelist /usr/share/simple-scan
+allow  /usr/share/hplip
+allow  /usr/share/simple-scan
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/simplescreenrecorder.profile b/etc/profile-m-z/simplescreenrecorder.profile
index d664f8bf5..83f833508 100644
--- a/etc/profile-m-z/simplescreenrecorder.profile
+++ b/etc/profile-m-z/simplescreenrecorder.profile
@@ -6,8 +6,8 @@ include simplescreenrecorder.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${VIDEOS}
-noblacklist ${HOME}/.ssr
+nodeny  ${VIDEOS}
+nodeny  ${HOME}/.ssr
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/simplescreenrecorder
+allow  /usr/share/simplescreenrecorder
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/simutrans.profile b/etc/profile-m-z/simutrans.profile
index afaa0f6d8..1d7f41579 100644
--- a/etc/profile-m-z/simutrans.profile
+++ b/etc/profile-m-z/simutrans.profile
@@ -6,7 +6,7 @@ include simutrans.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.simutrans
+nodeny  ${HOME}/.simutrans
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.simutrans
-whitelist ${HOME}/.simutrans
+allow  ${HOME}/.simutrans
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/skanlite.profile b/etc/profile-m-z/skanlite.profile
index 093a61398..98ed624f9 100644
--- a/etc/profile-m-z/skanlite.profile
+++ b/etc/profile-m-z/skanlite.profile
@@ -6,7 +6,7 @@ include skanlite.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/skypeforlinux.profile b/etc/profile-m-z/skypeforlinux.profile
index ed04eda8e..e7f70eebe 100644
--- a/etc/profile-m-z/skypeforlinux.profile
+++ b/etc/profile-m-z/skypeforlinux.profile
@@ -21,7 +21,7 @@ ignore dbus-system none
 ignore apparmor
 ignore noexec /tmp
 
-noblacklist ${HOME}/.config/skypeforlinux
+nodeny  ${HOME}/.config/skypeforlinux
 
 # private-dev - needs /dev/disk
 
diff --git a/etc/profile-m-z/slack.profile b/etc/profile-m-z/slack.profile
index 51f6c8b00..b8299add3 100644
--- a/etc/profile-m-z/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -16,14 +16,14 @@ ignore private-tmp
 ignore dbus-user none
 ignore dbus-system none
 
-noblacklist ${HOME}/.config/Slack
+nodeny  ${HOME}/.config/Slack
 
 include allow-bin-sh.inc
 
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Slack
-whitelist ${HOME}/.config/Slack
+allow  ${HOME}/.config/Slack
 
 private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
diff --git a/etc/profile-m-z/slashem.profile b/etc/profile-m-z/slashem.profile
index c5a31c237..36a0044dc 100644
--- a/etc/profile-m-z/slashem.profile
+++ b/etc/profile-m-z/slashem.profile
@@ -6,7 +6,7 @@ include slashem.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /var/games/slashem
+nodeny  /var/games/slashem
 
 include disable-common.inc
 include disable-devel.inc
@@ -15,7 +15,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /var/games/slashem
+allow  /var/games/slashem
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile
index 01547e5c1..4e4334dc0 100644
--- a/etc/profile-m-z/smplayer.profile
+++ b/etc/profile-m-z/smplayer.profile
@@ -6,9 +6,9 @@ include smplayer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/smplayer
-noblacklist ${HOME}/.config/youtube-dl
-noblacklist ${HOME}/.mplayer
+nodeny  ${HOME}/.config/smplayer
+nodeny  ${HOME}/.config/youtube-dl
+nodeny  ${HOME}/.mplayer
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -17,8 +17,8 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -29,9 +29,9 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/lua*
-whitelist /usr/share/smplayer
-whitelist /usr/share/vulkan
+allow  /usr/share/lua*
+allow  /usr/share/smplayer
+allow  /usr/share/vulkan
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/smtube.profile b/etc/profile-m-z/smtube.profile
index 196950eaf..99d02ffdf 100644
--- a/etc/profile-m-z/smtube.profile
+++ b/etc/profile-m-z/smtube.profile
@@ -6,14 +6,14 @@ include smtube.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/smplayer
-noblacklist ${HOME}/.config/smtube
-noblacklist ${HOME}/.config/mpv
-noblacklist ${HOME}/.mplayer
-noblacklist ${HOME}/.config/vlc
-noblacklist ${HOME}/.local/share/vlc
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/smplayer
+nodeny  ${HOME}/.config/smtube
+nodeny  ${HOME}/.config/mpv
+nodeny  ${HOME}/.mplayer
+nodeny  ${HOME}/.config/vlc
+nodeny  ${HOME}/.local/share/vlc
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,8 +23,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/smplayer
-whitelist /usr/share/smtube
+allow  /usr/share/smplayer
+allow  /usr/share/smtube
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/smuxi-frontend-gnome.profile b/etc/profile-m-z/smuxi-frontend-gnome.profile
index c3a9bb858..3a79890cc 100644
--- a/etc/profile-m-z/smuxi-frontend-gnome.profile
+++ b/etc/profile-m-z/smuxi-frontend-gnome.profile
@@ -6,9 +6,9 @@ include smuxi-frontend-gnome.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/smuxi
-noblacklist ${HOME}/.config/smuxi
-noblacklist ${HOME}/.local/share/smuxi
+nodeny  ${HOME}/.cache/smuxi
+nodeny  ${HOME}/.config/smuxi
+nodeny  ${HOME}/.local/share/smuxi
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,10 +21,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/smuxi
 mkdir ${HOME}/.config/smuxi
 mkdir ${HOME}/.local/share/smuxi
-whitelist ${HOME}/.cache/smuxi
-whitelist ${HOME}/.config/smuxi
-whitelist ${HOME}/.local/share/smuxi
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.cache/smuxi
+allow  ${HOME}/.config/smuxi
+allow  ${HOME}/.local/share/smuxi
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/snox.profile b/etc/profile-m-z/snox.profile
index 83493652c..1d315404e 100644
--- a/etc/profile-m-z/snox.profile
+++ b/etc/profile-m-z/snox.profile
@@ -10,15 +10,15 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/snox
-noblacklist ${HOME}/.config/snox
+nodeny  ${HOME}/.cache/snox
+nodeny  ${HOME}/.config/snox
 
 #mkdir ${HOME}/.cache/dnox
 #mkdir ${HOME}/.config/dnox
 mkdir ${HOME}/.cache/snox
 mkdir ${HOME}/.config/snox
-whitelist ${HOME}/.cache/snox
-whitelist ${HOME}/.config/snox
+allow  ${HOME}/.cache/snox
+allow  ${HOME}/.config/snox
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile
index 83315231f..bd4991e81 100644
--- a/etc/profile-m-z/softmaker-common.profile
+++ b/etc/profile-m-z/softmaker-common.profile
@@ -10,7 +10,7 @@ include softmaker-common.local
 # with an absolute Exec line. These files are NOT handelt by firecfg,
 # therefore you must manualy copy them in you home and remove '/usr/bin/'.
 
-noblacklist ${HOME}/SoftMaker
+nodeny  ${HOME}/SoftMaker
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /usr/share/office2018
-whitelist /usr/share/freeoffice2018
+allow  /usr/share/office2018
+allow  /usr/share/freeoffice2018
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/sound-juicer.profile b/etc/profile-m-z/sound-juicer.profile
index ef00fdfff..16ee39e09 100644
--- a/etc/profile-m-z/sound-juicer.profile
+++ b/etc/profile-m-z/sound-juicer.profile
@@ -6,8 +6,8 @@ include sound-juicer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/sound-juicer
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/sound-juicer
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/soundconverter.profile b/etc/profile-m-z/soundconverter.profile
index 4dbf34100..46da7a453 100644
--- a/etc/profile-m-z/soundconverter.profile
+++ b/etc/profile-m-z/soundconverter.profile
@@ -10,7 +10,7 @@ include globals.local
 include allow-python2.inc
 include allow-python3.inc
 
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,9 +20,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${DOWNLOADS}
-whitelist ${MUSIC}
-whitelist /usr/share/soundconverter
+allow  ${DOWNLOADS}
+allow  ${MUSIC}
+allow  /usr/share/soundconverter
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile
index 4468f21e7..08adb5861 100644
--- a/etc/profile-m-z/spectacle.profile
+++ b/etc/profile-m-z/spectacle.profile
@@ -12,8 +12,8 @@ include globals.local
 #private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
 #protocol unix,inet,inet6
 
-noblacklist ${HOME}/.config/spectaclerc
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.config/spectaclerc
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
@@ -24,10 +24,10 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkfile  ${HOME}/.config/spectaclerc
-whitelist ${HOME}/.config/spectaclerc
-whitelist ${PICTURES}
-whitelist /usr/share/kconf_update/spectacle_newConfig.upd
-whitelist /usr/share/kconf_update/spectacle_shortcuts.upd
+allow  ${HOME}/.config/spectaclerc
+allow  ${PICTURES}
+allow  /usr/share/kconf_update/spectacle_newConfig.upd
+allow  /usr/share/kconf_update/spectacle_shortcuts.upd
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile
index 283674517..4c1b2d3e1 100644
--- a/etc/profile-m-z/spectral.profile
+++ b/etc/profile-m-z/spectral.profile
@@ -6,8 +6,8 @@ include spectral.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/ENCOM/Spectral
-noblacklist ${HOME}/.config/ENCOM
+nodeny  ${HOME}/.cache/ENCOM/Spectral
+nodeny  ${HOME}/.config/ENCOM
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,9 +20,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/ENCOM/Spectral
 mkdir ${HOME}/.config/ENCOM
-whitelist ${HOME}/.cache/ENCOM/Spectral
-whitelist ${HOME}/.config/ENCOM
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.cache/ENCOM/Spectral
+allow  ${HOME}/.config/ENCOM
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/spectre-meltdown-checker.profile b/etc/profile-m-z/spectre-meltdown-checker.profile
index 984461f90..3a3fd838d 100644
--- a/etc/profile-m-z/spectre-meltdown-checker.profile
+++ b/etc/profile-m-z/spectre-meltdown-checker.profile
@@ -6,10 +6,10 @@ include spectre-meltdown-checker.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${PATH}/mount
-noblacklist ${PATH}/umount
+nodeny  ${PATH}/mount
+nodeny  ${PATH}/umount
 
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile
index 01bc2bc05..e1c830268 100644
--- a/etc/profile-m-z/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -5,11 +5,11 @@ include spotify.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/spotify
-noblacklist ${HOME}/.config/spotify
-noblacklist ${HOME}/.local/share/spotify
+nodeny  ${HOME}/.cache/spotify
+nodeny  ${HOME}/.config/spotify
+nodeny  ${HOME}/.local/share/spotify
 
-blacklist ${HOME}/.bashrc
+deny  ${HOME}/.bashrc
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,9 +21,9 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/spotify
 mkdir ${HOME}/.config/spotify
 mkdir ${HOME}/.local/share/spotify
-whitelist ${HOME}/.cache/spotify
-whitelist ${HOME}/.config/spotify
-whitelist ${HOME}/.local/share/spotify
+allow  ${HOME}/.cache/spotify
+allow  ${HOME}/.config/spotify
+allow  ${HOME}/.local/share/spotify
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index 4dd2c7262..aa577b63a 100644
--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -6,8 +6,8 @@ include sqlitebrowser.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/sqlitebrowser
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/sqlitebrowser
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 5802299a3..e456ebe07 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -9,8 +9,8 @@ include globals.local
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-passwdmgr.inc
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index a58642192..8a0d86150 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -8,8 +8,8 @@ include ssh.local
 include globals.local
 
 # nc can be used as ProxyCommand, e.g. when using tor
-noblacklist ${PATH}/nc
-noblacklist ${PATH}/ncat
+nodeny  ${PATH}/nc
+nodeny  ${PATH}/ncat
 
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
@@ -19,8 +19,8 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
-whitelist ${RUNUSER}/keyring/ssh
+allow  ${RUNUSER}/gnupg/S.gpg-agent.ssh
+allow  ${RUNUSER}/keyring/ssh
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
 
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
index 48a532876..75de118ab 100644
--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -5,8 +5,8 @@ include standardnotes-desktop.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/Standard Notes Backups
-noblacklist ${HOME}/.config/Standard Notes
+nodeny  ${HOME}/Standard Notes Backups
+nodeny  ${HOME}/.config/Standard Notes
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/Standard Notes Backups
 mkdir ${HOME}/.config/Standard Notes
-whitelist ${HOME}/Standard Notes Backups
-whitelist ${HOME}/.config/Standard Notes
+allow  ${HOME}/Standard Notes Backups
+allow  ${HOME}/.config/Standard Notes
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-m-z/start-tor-browser.desktop.profile b/etc/profile-m-z/start-tor-browser.desktop.profile
index 2f73c9fee..8f75365e8 100644
--- a/etc/profile-m-z/start-tor-browser.desktop.profile
+++ b/etc/profile-m-z/start-tor-browser.desktop.profile
@@ -6,71 +6,71 @@ include start-tor-browser.desktop.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser*
+nodeny  ${HOME}/.tor-browser*
 
-whitelist ${HOME}/.tor-browser-ar
-whitelist ${HOME}/.tor-browser-ca
-whitelist ${HOME}/.tor-browser-cs
-whitelist ${HOME}/.tor-browser-da
-whitelist ${HOME}/.tor-browser-de
-whitelist ${HOME}/.tor-browser-el
-whitelist ${HOME}/.tor-browser-en
-whitelist ${HOME}/.tor-browser-en-us
-whitelist ${HOME}/.tor-browser-es
-whitelist ${HOME}/.tor-browser-es-es
-whitelist ${HOME}/.tor-browser-fa
-whitelist ${HOME}/.tor-browser-fr
-whitelist ${HOME}/.tor-browser-ga-ie
-whitelist ${HOME}/.tor-browser-he
-whitelist ${HOME}/.tor-browser-hu
-whitelist ${HOME}/.tor-browser-id
-whitelist ${HOME}/.tor-browser-is
-whitelist ${HOME}/.tor-browser-it
-whitelist ${HOME}/.tor-browser-ja
-whitelist ${HOME}/.tor-browser-ka
-whitelist ${HOME}/.tor-browser-ko
-whitelist ${HOME}/.tor-browser-nb
-whitelist ${HOME}/.tor-browser-nl
-whitelist ${HOME}/.tor-browser-pl
-whitelist ${HOME}/.tor-browser-pt-br
-whitelist ${HOME}/.tor-browser-ru
-whitelist ${HOME}/.tor-browser-sv-se
-whitelist ${HOME}/.tor-browser-tr
-whitelist ${HOME}/.tor-browser-vi
-whitelist ${HOME}/.tor-browser-zh-cn
-whitelist ${HOME}/.tor-browser-zh-tw
+allow  ${HOME}/.tor-browser-ar
+allow  ${HOME}/.tor-browser-ca
+allow  ${HOME}/.tor-browser-cs
+allow  ${HOME}/.tor-browser-da
+allow  ${HOME}/.tor-browser-de
+allow  ${HOME}/.tor-browser-el
+allow  ${HOME}/.tor-browser-en
+allow  ${HOME}/.tor-browser-en-us
+allow  ${HOME}/.tor-browser-es
+allow  ${HOME}/.tor-browser-es-es
+allow  ${HOME}/.tor-browser-fa
+allow  ${HOME}/.tor-browser-fr
+allow  ${HOME}/.tor-browser-ga-ie
+allow  ${HOME}/.tor-browser-he
+allow  ${HOME}/.tor-browser-hu
+allow  ${HOME}/.tor-browser-id
+allow  ${HOME}/.tor-browser-is
+allow  ${HOME}/.tor-browser-it
+allow  ${HOME}/.tor-browser-ja
+allow  ${HOME}/.tor-browser-ka
+allow  ${HOME}/.tor-browser-ko
+allow  ${HOME}/.tor-browser-nb
+allow  ${HOME}/.tor-browser-nl
+allow  ${HOME}/.tor-browser-pl
+allow  ${HOME}/.tor-browser-pt-br
+allow  ${HOME}/.tor-browser-ru
+allow  ${HOME}/.tor-browser-sv-se
+allow  ${HOME}/.tor-browser-tr
+allow  ${HOME}/.tor-browser-vi
+allow  ${HOME}/.tor-browser-zh-cn
+allow  ${HOME}/.tor-browser-zh-tw
 
-whitelist ${HOME}/.tor-browser_ar
-whitelist ${HOME}/.tor-browser_ca
-whitelist ${HOME}/.tor-browser_cs
-whitelist ${HOME}/.tor-browser_da
-whitelist ${HOME}/.tor-browser_de
-whitelist ${HOME}/.tor-browser_el
-whitelist ${HOME}/.tor-browser_en
-whitelist ${HOME}/.tor-browser_en_US
-whitelist ${HOME}/.tor-browser_es
-whitelist ${HOME}/.tor-browser_es-ES
-whitelist ${HOME}/.tor-browser_fa
-whitelist ${HOME}/.tor-browser_fr
-whitelist ${HOME}/.tor-browser_ga-IE
-whitelist ${HOME}/.tor-browser_he
-whitelist ${HOME}/.tor-browser_hu
-whitelist ${HOME}/.tor-browser_id
-whitelist ${HOME}/.tor-browser_is
-whitelist ${HOME}/.tor-browser_it
-whitelist ${HOME}/.tor-browser_ja
-whitelist ${HOME}/.tor-browser_ka
-whitelist ${HOME}/.tor-browser_ko
-whitelist ${HOME}/.tor-browser_nb
-whitelist ${HOME}/.tor-browser_nl
-whitelist ${HOME}/.tor-browser_pl
-whitelist ${HOME}/.tor-browser_pt-BR
-whitelist ${HOME}/.tor-browser_ru
-whitelist ${HOME}/.tor-browser_sv-SE
-whitelist ${HOME}/.tor-browser_tr
-whitelist ${HOME}/.tor-browser_vi
-whitelist ${HOME}/.tor-browser_zh-CN
-whitelist ${HOME}/.tor-browser_zh-TW
+allow  ${HOME}/.tor-browser_ar
+allow  ${HOME}/.tor-browser_ca
+allow  ${HOME}/.tor-browser_cs
+allow  ${HOME}/.tor-browser_da
+allow  ${HOME}/.tor-browser_de
+allow  ${HOME}/.tor-browser_el
+allow  ${HOME}/.tor-browser_en
+allow  ${HOME}/.tor-browser_en_US
+allow  ${HOME}/.tor-browser_es
+allow  ${HOME}/.tor-browser_es-ES
+allow  ${HOME}/.tor-browser_fa
+allow  ${HOME}/.tor-browser_fr
+allow  ${HOME}/.tor-browser_ga-IE
+allow  ${HOME}/.tor-browser_he
+allow  ${HOME}/.tor-browser_hu
+allow  ${HOME}/.tor-browser_id
+allow  ${HOME}/.tor-browser_is
+allow  ${HOME}/.tor-browser_it
+allow  ${HOME}/.tor-browser_ja
+allow  ${HOME}/.tor-browser_ka
+allow  ${HOME}/.tor-browser_ko
+allow  ${HOME}/.tor-browser_nb
+allow  ${HOME}/.tor-browser_nl
+allow  ${HOME}/.tor-browser_pl
+allow  ${HOME}/.tor-browser_pt-BR
+allow  ${HOME}/.tor-browser_ru
+allow  ${HOME}/.tor-browser_sv-SE
+allow  ${HOME}/.tor-browser_tr
+allow  ${HOME}/.tor-browser_vi
+allow  ${HOME}/.tor-browser_zh-CN
+allow  ${HOME}/.tor-browser_zh-TW
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 06d08f3a2..09e29373d 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -6,40 +6,40 @@ include steam.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Epic
-noblacklist ${HOME}/.config/Loop_Hero
-noblacklist ${HOME}/.config/ModTheSpire
-noblacklist ${HOME}/.config/RogueLegacy
-noblacklist ${HOME}/.config/RogueLegacyStorageContainer
-noblacklist ${HOME}/.killingfloor
-noblacklist ${HOME}/.klei
-noblacklist ${HOME}/.local/share/3909/PapersPlease
-noblacklist ${HOME}/.local/share/aspyr-media
-noblacklist ${HOME}/.local/share/bohemiainteractive
-noblacklist ${HOME}/.local/share/cdprojektred
-noblacklist ${HOME}/.local/share/Dredmor
-noblacklist ${HOME}/.local/share/FasterThanLight
-noblacklist ${HOME}/.local/share/feral-interactive
-noblacklist ${HOME}/.local/share/IntoTheBreach
-noblacklist ${HOME}/.local/share/Paradox Interactive
-noblacklist ${HOME}/.local/share/PillarsOfEternity
-noblacklist ${HOME}/.local/share/RogueLegacy
-noblacklist ${HOME}/.local/share/RogueLegacyStorageContainer
-noblacklist ${HOME}/.local/share/Steam
-noblacklist ${HOME}/.local/share/SteamWorldDig
-noblacklist ${HOME}/.local/share/SteamWorld Dig 2
-noblacklist ${HOME}/.local/share/SuperHexagon
-noblacklist ${HOME}/.local/share/Terraria
-noblacklist ${HOME}/.local/share/vpltd
-noblacklist ${HOME}/.local/share/vulkan
-noblacklist ${HOME}/.mbwarband
-noblacklist ${HOME}/.paradoxinteractive
-noblacklist ${HOME}/.steam
-noblacklist ${HOME}/.steampath
-noblacklist ${HOME}/.steampid
+nodeny  ${HOME}/.config/Epic
+nodeny  ${HOME}/.config/Loop_Hero
+nodeny  ${HOME}/.config/ModTheSpire
+nodeny  ${HOME}/.config/RogueLegacy
+nodeny  ${HOME}/.config/RogueLegacyStorageContainer
+nodeny  ${HOME}/.killingfloor
+nodeny  ${HOME}/.klei
+nodeny  ${HOME}/.local/share/3909/PapersPlease
+nodeny  ${HOME}/.local/share/aspyr-media
+nodeny  ${HOME}/.local/share/bohemiainteractive
+nodeny  ${HOME}/.local/share/cdprojektred
+nodeny  ${HOME}/.local/share/Dredmor
+nodeny  ${HOME}/.local/share/FasterThanLight
+nodeny  ${HOME}/.local/share/feral-interactive
+nodeny  ${HOME}/.local/share/IntoTheBreach
+nodeny  ${HOME}/.local/share/Paradox Interactive
+nodeny  ${HOME}/.local/share/PillarsOfEternity
+nodeny  ${HOME}/.local/share/RogueLegacy
+nodeny  ${HOME}/.local/share/RogueLegacyStorageContainer
+nodeny  ${HOME}/.local/share/Steam
+nodeny  ${HOME}/.local/share/SteamWorldDig
+nodeny  ${HOME}/.local/share/SteamWorld Dig 2
+nodeny  ${HOME}/.local/share/SuperHexagon
+nodeny  ${HOME}/.local/share/Terraria
+nodeny  ${HOME}/.local/share/vpltd
+nodeny  ${HOME}/.local/share/vulkan
+nodeny  ${HOME}/.mbwarband
+nodeny  ${HOME}/.paradoxinteractive
+nodeny  ${HOME}/.steam
+nodeny  ${HOME}/.steampath
+nodeny  ${HOME}/.steampid
 # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/sbin
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -84,38 +84,38 @@ mkdir ${HOME}/.paradoxinteractive
 mkdir ${HOME}/.steam
 mkfile ${HOME}/.steampath
 mkfile ${HOME}/.steampid
-whitelist ${HOME}/.config/Epic
-whitelist ${HOME}/.config/Loop_Hero
-whitelist ${HOME}/.config/ModTheSpire
-whitelist ${HOME}/.config/RogueLegacy
-whitelist ${HOME}/.config/RogueLegacyStorageContainer
-whitelist ${HOME}/.config/unity3d
-whitelist ${HOME}/.killingfloor
-whitelist ${HOME}/.klei
-whitelist ${HOME}/.local/share/3909/PapersPlease
-whitelist ${HOME}/.local/share/aspyr-media
-whitelist ${HOME}/.local/share/bohemiainteractive
-whitelist ${HOME}/.local/share/cdprojektred
-whitelist ${HOME}/.local/share/Dredmor
-whitelist ${HOME}/.local/share/FasterThanLight
-whitelist ${HOME}/.local/share/feral-interactive
-whitelist ${HOME}/.local/share/IntoTheBreach
-whitelist ${HOME}/.local/share/Paradox Interactive
-whitelist ${HOME}/.local/share/PillarsOfEternity
-whitelist ${HOME}/.local/share/RogueLegacy
-whitelist ${HOME}/.local/share/RogueLegacyStorageContainer
-whitelist ${HOME}/.local/share/Steam
-whitelist ${HOME}/.local/share/SteamWorldDig
-whitelist ${HOME}/.local/share/SteamWorld Dig 2
-whitelist ${HOME}/.local/share/SuperHexagon
-whitelist ${HOME}/.local/share/Terraria
-whitelist ${HOME}/.local/share/vpltd
-whitelist ${HOME}/.local/share/vulkan
-whitelist ${HOME}/.mbwarband
-whitelist ${HOME}/.paradoxinteractive
-whitelist ${HOME}/.steam
-whitelist ${HOME}/.steampath
-whitelist ${HOME}/.steampid
+allow  ${HOME}/.config/Epic
+allow  ${HOME}/.config/Loop_Hero
+allow  ${HOME}/.config/ModTheSpire
+allow  ${HOME}/.config/RogueLegacy
+allow  ${HOME}/.config/RogueLegacyStorageContainer
+allow  ${HOME}/.config/unity3d
+allow  ${HOME}/.killingfloor
+allow  ${HOME}/.klei
+allow  ${HOME}/.local/share/3909/PapersPlease
+allow  ${HOME}/.local/share/aspyr-media
+allow  ${HOME}/.local/share/bohemiainteractive
+allow  ${HOME}/.local/share/cdprojektred
+allow  ${HOME}/.local/share/Dredmor
+allow  ${HOME}/.local/share/FasterThanLight
+allow  ${HOME}/.local/share/feral-interactive
+allow  ${HOME}/.local/share/IntoTheBreach
+allow  ${HOME}/.local/share/Paradox Interactive
+allow  ${HOME}/.local/share/PillarsOfEternity
+allow  ${HOME}/.local/share/RogueLegacy
+allow  ${HOME}/.local/share/RogueLegacyStorageContainer
+allow  ${HOME}/.local/share/Steam
+allow  ${HOME}/.local/share/SteamWorldDig
+allow  ${HOME}/.local/share/SteamWorld Dig 2
+allow  ${HOME}/.local/share/SuperHexagon
+allow  ${HOME}/.local/share/Terraria
+allow  ${HOME}/.local/share/vpltd
+allow  ${HOME}/.local/share/vulkan
+allow  ${HOME}/.mbwarband
+allow  ${HOME}/.paradoxinteractive
+allow  ${HOME}/.steam
+allow  ${HOME}/.steampath
+allow  ${HOME}/.steampid
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/stellarium.profile b/etc/profile-m-z/stellarium.profile
index a752ab53c..003d3a079 100644
--- a/etc/profile-m-z/stellarium.profile
+++ b/etc/profile-m-z/stellarium.profile
@@ -6,8 +6,8 @@ include stellarium.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/stellarium
-noblacklist ${HOME}/.stellarium
+nodeny  ${HOME}/.config/stellarium
+nodeny  ${HOME}/.stellarium
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-shell.inc
 
 mkdir ${HOME}/.config/stellarium
 mkdir ${HOME}/.stellarium
-whitelist ${HOME}/.config/stellarium
-whitelist ${HOME}/.stellarium
+allow  ${HOME}/.config/stellarium
+allow  ${HOME}/.stellarium
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile
index d73927f2a..dd643bc20 100644
--- a/etc/profile-m-z/straw-viewer.profile
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -7,13 +7,13 @@ include straw-viewer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/straw-viewer
-noblacklist ${HOME}/.config/straw-viewer
+nodeny  ${HOME}/.cache/straw-viewer
+nodeny  ${HOME}/.config/straw-viewer
 
 mkdir ${HOME}/.config/straw-viewer
 mkdir ${HOME}/.cache/straw-viewer
-whitelist ${HOME}/.cache/straw-viewer
-whitelist ${HOME}/.config/straw-viewer
+allow  ${HOME}/.cache/straw-viewer
+allow  ${HOME}/.config/straw-viewer
 
 private-bin gtk-straw-viewer,straw-viewer
 
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile
index b87906f55..aed0b7910 100644
--- a/etc/profile-m-z/strawberry.profile
+++ b/etc/profile-m-z/strawberry.profile
@@ -6,10 +6,10 @@ include strawberry.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/strawberry
-noblacklist ${HOME}/.config/strawberry
-noblacklist ${HOME}/.local/share/strawberry
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.cache/strawberry
+nodeny  ${HOME}/.config/strawberry
+nodeny  ${HOME}/.local/share/strawberry
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/strings.profile b/etc/profile-m-z/strings.profile
index 1ebcded7f..5c820ef81 100644
--- a/etc/profile-m-z/strings.profile
+++ b/etc/profile-m-z/strings.profile
@@ -7,7 +7,7 @@ include strings.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
 #include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile
index bbe92fd38..0d07b5ea7 100644
--- a/etc/profile-m-z/subdownloader.profile
+++ b/etc/profile-m-z/subdownloader.profile
@@ -6,8 +6,8 @@ include subdownloader.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/SubDownloader
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/SubDownloader
+nodeny  ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index cfd7a63ea..8cc547805 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -6,7 +6,7 @@ include supertux2.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/supertux2
+nodeny  ${HOME}/.local/share/supertux2
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,9 +18,9 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/supertux2
-whitelist ${HOME}/.local/share/supertux2
-whitelist /usr/share/supertux2
-whitelist /usr/share/games/supertux2    # Debian version
+allow  ${HOME}/.local/share/supertux2
+allow  /usr/share/supertux2
+allow  /usr/share/games/supertux2       # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index 4eb8f921c..44dc1524f 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -6,11 +6,11 @@ include supertuxkart.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/supertuxkart
-noblacklist ${HOME}/.cache/supertuxkart
-noblacklist ${HOME}/.local/share/supertuxkart
+nodeny  ${HOME}/.config/supertuxkart
+nodeny  ${HOME}/.cache/supertuxkart
+nodeny  ${HOME}/.local/share/supertuxkart
 
-blacklist /usr/libexec
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
@@ -24,11 +24,11 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/supertuxkart
 mkdir ${HOME}/.cache/supertuxkart
 mkdir ${HOME}/.local/share/supertuxkart
-whitelist ${HOME}/.config/supertuxkart
-whitelist ${HOME}/.cache/supertuxkart
-whitelist ${HOME}/.local/share/supertuxkart
-whitelist /usr/share/supertuxkart
-whitelist /usr/share/games/supertuxkart # Debian version
+allow  ${HOME}/.config/supertuxkart
+allow  ${HOME}/.cache/supertuxkart
+allow  ${HOME}/.local/share/supertuxkart
+allow  /usr/share/supertuxkart
+allow  /usr/share/games/supertuxkart    # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/surf.profile b/etc/profile-m-z/surf.profile
index 8db7d2433..fd1e7f9e9 100644
--- a/etc/profile-m-z/surf.profile
+++ b/etc/profile-m-z/surf.profile
@@ -6,7 +6,7 @@ include surf.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.surf
+nodeny  ${HOME}/.surf
 
 include disable-common.inc
 include disable-devel.inc
@@ -15,8 +15,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.surf
-whitelist ${HOME}/.surf
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.surf
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/swell-foop.profile b/etc/profile-m-z/swell-foop.profile
index 9efae815d..55cd0965a 100644
--- a/etc/profile-m-z/swell-foop.profile
+++ b/etc/profile-m-z/swell-foop.profile
@@ -6,12 +6,12 @@ include swell-foop.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/swell-foop
+nodeny  ${HOME}/.local/share/swell-foop
 
 mkdir ${HOME}/.local/share/swell-foop
-whitelist ${HOME}/.local/share/swell-foop
+allow  ${HOME}/.local/share/swell-foop
 
-whitelist /usr/share/swell-foop
+allow  /usr/share/swell-foop
 
 private-bin swell-foop
 
diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile
index 328812b04..447cdc99e 100644
--- a/etc/profile-m-z/sylpheed.profile
+++ b/etc/profile-m-z/sylpheed.profile
@@ -6,12 +6,12 @@ include sylpheed.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.sylpheed-2.0
+nodeny  ${HOME}/.sylpheed-2.0
 
 mkdir ${HOME}/.sylpheed-2.0
-whitelist ${HOME}/.sylpheed-2.0
+allow  ${HOME}/.sylpheed-2.0
 
-whitelist /usr/share/sylpheed
+allow  /usr/share/sylpheed
 
 # private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed
 
diff --git a/etc/profile-m-z/synfigstudio.profile b/etc/profile-m-z/synfigstudio.profile
index c60186c42..7cbbafd54 100644
--- a/etc/profile-m-z/synfigstudio.profile
+++ b/etc/profile-m-z/synfigstudio.profile
@@ -6,8 +6,8 @@ include synfigstudio.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/synfig
-noblacklist ${HOME}/.synfig
+nodeny  ${HOME}/.config/synfig
+nodeny  ${HOME}/.synfig
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile
index b52b25b96..f20f88791 100644
--- a/etc/profile-m-z/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -6,7 +6,7 @@ include sysprof.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -24,15 +24,15 @@ include disable-xdg.inc
 #nowhitelist /usr/share/yelp-tools
 #nowhitelist /usr/share/yelp-xsl
 
-noblacklist ${HOME}/.config/yelp
+nodeny  ${HOME}/.config/yelp
 mkdir ${HOME}/.config/yelp
-whitelist ${HOME}/.config/yelp
-whitelist /usr/share/help/C/sysprof
-whitelist /usr/share/yelp
-whitelist /usr/share/yelp-tools
-whitelist /usr/share/yelp-xsl
+allow  ${HOME}/.config/yelp
+allow  /usr/share/help/C/sysprof
+allow  /usr/share/yelp
+allow  /usr/share/yelp-tools
+allow  /usr/share/yelp-xsl
 
-whitelist ${DOCUMENTS}
+allow  ${DOCUMENTS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index 0d3a900e9..74c8a0849 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -12,7 +12,7 @@ ignore include disable-shell.inc
 
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop
 # all capabilities this is automatically read-only.
-noblacklist /var/lib/pacman
+nodeny  /var/lib/pacman
 
 private-etc alternatives,group,localtime,login.defs,passwd
 #private-lib libfakeroot,liblzma.so.*,libreadline.so.*
diff --git a/etc/profile-m-z/tb-starter-wrapper.profile b/etc/profile-m-z/tb-starter-wrapper.profile
index ffe9605b6..691c33191 100644
--- a/etc/profile-m-z/tb-starter-wrapper.profile
+++ b/etc/profile-m-z/tb-starter-wrapper.profile
@@ -8,10 +8,10 @@ include tb-starter-wrapper.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tb
+nodeny  ${HOME}/.tb
 
 mkdir ${HOME}/.tb
-whitelist ${HOME}/.tb
+allow  ${HOME}/.tb
 
 private-bin tb-starter-wrapper
 
diff --git a/etc/profile-m-z/tcpdump.profile b/etc/profile-m-z/tcpdump.profile
index e2ba5893c..b4c4873b3 100644
--- a/etc/profile-m-z/tcpdump.profile
+++ b/etc/profile-m-z/tcpdump.profile
@@ -6,9 +6,9 @@ include tcpdump.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /sbin
-noblacklist /usr/sbin
-noblacklist ${PATH}/tcpdump
+nodeny  /sbin
+nodeny  /usr/sbin
+nodeny  ${PATH}/tcpdump
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile
index eee083332..24cbb42da 100644
--- a/etc/profile-m-z/teams-for-linux.profile
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -14,10 +14,10 @@ ignore include whitelist-usr-share-common.inc
 ignore dbus-user none
 ignore dbus-system none
 
-noblacklist ${HOME}/.config/teams-for-linux
+nodeny  ${HOME}/.config/teams-for-linux
 
 mkdir ${HOME}/.config/teams-for-linux
-whitelist ${HOME}/.config/teams-for-linux
+allow  ${HOME}/.config/teams-for-linux
 
 private-bin bash,cut,echo,egrep,grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
 private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl
diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile
index c8d98cbaa..8639edbc8 100644
--- a/etc/profile-m-z/teams.profile
+++ b/etc/profile-m-z/teams.profile
@@ -18,13 +18,13 @@ ignore apparmor
 ignore dbus-user none
 ignore dbus-system none
 
-noblacklist ${HOME}/.config/teams
-noblacklist ${HOME}/.config/Microsoft
+nodeny  ${HOME}/.config/teams
+nodeny  ${HOME}/.config/Microsoft
 
 mkdir ${HOME}/.config/teams
 mkdir ${HOME}/.config/Microsoft
-whitelist ${HOME}/.config/teams
-whitelist ${HOME}/.config/Microsoft
+allow  ${HOME}/.config/teams
+allow  ${HOME}/.config/Microsoft
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/teamspeak3.profile b/etc/profile-m-z/teamspeak3.profile
index 02a2c8ae4..781a5f4eb 100644
--- a/etc/profile-m-z/teamspeak3.profile
+++ b/etc/profile-m-z/teamspeak3.profile
@@ -6,8 +6,8 @@ include teamspeak3.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.ts3client
-noblacklist ${PATH}/openssl
+nodeny  ${HOME}/.ts3client
+nodeny  ${PATH}/openssl
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.ts3client
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.ts3client
+allow  ${DOWNLOADS}
+allow  ${HOME}/.ts3client
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/teeworlds.profile b/etc/profile-m-z/teeworlds.profile
index be01aee12..c9c444ffc 100644
--- a/etc/profile-m-z/teeworlds.profile
+++ b/etc/profile-m-z/teeworlds.profile
@@ -6,7 +6,7 @@ include teeworlds.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.teeworlds
+nodeny  ${HOME}/.teeworlds
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.teeworlds
-whitelist ${HOME}/.teeworlds
+allow  ${HOME}/.teeworlds
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index 05c621fb2..92689a461 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -5,8 +5,8 @@ include telegram.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.TelegramDesktop
-noblacklist ${HOME}/.local/share/TelegramDesktop
+nodeny  ${HOME}/.TelegramDesktop
+nodeny  ${HOME}/.local/share/TelegramDesktop
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,9 +19,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.TelegramDesktop
 mkdir ${HOME}/.local/share/TelegramDesktop
-whitelist ${HOME}/.TelegramDesktop
-whitelist ${HOME}/.local/share/TelegramDesktop
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.TelegramDesktop
+allow  ${HOME}/.local/share/TelegramDesktop
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -39,7 +39,6 @@ protocol unix,inet,inet6,netlink
 seccomp
 seccomp.block-secondary
 shell none
-tracelog
 
 disable-mnt
 #private-bin telegram,Telegram,telegram-desktop
diff --git a/etc/profile-m-z/terasology.profile b/etc/profile-m-z/terasology.profile
index ce2ca1d17..b2f98fbac 100644
--- a/etc/profile-m-z/terasology.profile
+++ b/etc/profile-m-z/terasology.profile
@@ -7,7 +7,7 @@ include globals.local
 
 ignore noexec /tmp
 
-noblacklist ${HOME}/.local/share/terasology
+nodeny  ${HOME}/.local/share/terasology
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -21,8 +21,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/.java
 mkdir ${HOME}/.local/share/terasology
-whitelist ${HOME}/.java
-whitelist ${HOME}/.local/share/terasology
+allow  ${HOME}/.java
+allow  ${HOME}/.local/share/terasology
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index b478fbe1e..a539cadf8 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -22,14 +22,14 @@ writable-run-user
 #writable-var
 
 # These lines are needed to allow Firefox to load your profile when clicking a link in an email
-noblacklist ${HOME}/.mozilla
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
+nodeny  ${HOME}/.mozilla
+allow  ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.mozilla/firefox/profiles.ini
 
-noblacklist ${HOME}/.cache/thunderbird
-noblacklist ${HOME}/.gnupg
+nodeny  ${HOME}/.cache/thunderbird
+nodeny  ${HOME}/.gnupg
 # noblacklist ${HOME}/.icedove
-noblacklist ${HOME}/.thunderbird
+nodeny  ${HOME}/.thunderbird
 
 include disable-passwdmgr.inc
 include disable-xdg.inc
@@ -42,15 +42,15 @@ mkdir ${HOME}/.cache/thunderbird
 mkdir ${HOME}/.gnupg
 # mkdir ${HOME}/.icedove
 mkdir ${HOME}/.thunderbird
-whitelist ${HOME}/.cache/thunderbird
-whitelist ${HOME}/.gnupg
+allow  ${HOME}/.cache/thunderbird
+allow  ${HOME}/.gnupg
 # whitelist ${HOME}/.icedove
-whitelist ${HOME}/.thunderbird
+allow  ${HOME}/.thunderbird
 
-whitelist /usr/share/gnupg
-whitelist /usr/share/mozilla
-whitelist /usr/share/thunderbird
-whitelist /usr/share/webext
+allow  /usr/share/gnupg
+allow  /usr/share/mozilla
+allow  /usr/share/thunderbird
+allow  /usr/share/webext
 include whitelist-usr-share-common.inc
 
 # machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required
diff --git a/etc/profile-m-z/tilp.profile b/etc/profile-m-z/tilp.profile
index dd4a372c4..b0fa54f08 100644
--- a/etc/profile-m-z/tilp.profile
+++ b/etc/profile-m-z/tilp.profile
@@ -5,7 +5,7 @@ include tilp.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.tilp
+nodeny  ${HOME}/.tilp
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile
index e0ed3090a..3ee696b8b 100644
--- a/etc/profile-m-z/tin.profile
+++ b/etc/profile-m-z/tin.profile
@@ -6,12 +6,12 @@ include tin.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.newsrc
-noblacklist ${HOME}/.tin
+nodeny  ${HOME}/.newsrc
+nodeny  ${HOME}/.tin
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
-blacklist /usr/libexec
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/tmux.profile b/etc/profile-m-z/tmux.profile
index 0139d7515..d2e90e356 100644
--- a/etc/profile-m-z/tmux.profile
+++ b/etc/profile-m-z/tmux.profile
@@ -7,10 +7,10 @@ include tmux.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
-noblacklist /tmp/tmux-*
+nodeny  /tmp/tmux-*
 
 # include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/profile-m-z/tor-browser-ar.profile b/etc/profile-m-z/tor-browser-ar.profile
index 59f1bc3b1..49158b93e 100644
--- a/etc/profile-m-z/tor-browser-ar.profile
+++ b/etc/profile-m-z/tor-browser-ar.profile
@@ -6,10 +6,10 @@ include tor-browser-ar.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-ar
+nodeny  ${HOME}/.tor-browser-ar
 
 mkdir ${HOME}/.tor-browser-ar
-whitelist ${HOME}/.tor-browser-ar
+allow  ${HOME}/.tor-browser-ar
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ca.profile b/etc/profile-m-z/tor-browser-ca.profile
index 68577e352..612f8bd7c 100644
--- a/etc/profile-m-z/tor-browser-ca.profile
+++ b/etc/profile-m-z/tor-browser-ca.profile
@@ -6,10 +6,10 @@ include tor-browser-ca.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-ca
+nodeny  ${HOME}/.tor-browser-ca
 
 mkdir ${HOME}/.tor-browser-ca
-whitelist ${HOME}/.tor-browser-ca
+allow  ${HOME}/.tor-browser-ca
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-cs.profile b/etc/profile-m-z/tor-browser-cs.profile
index 33e51fcd0..a400fde05 100644
--- a/etc/profile-m-z/tor-browser-cs.profile
+++ b/etc/profile-m-z/tor-browser-cs.profile
@@ -6,10 +6,10 @@ include tor-browser-cs.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-cs
+nodeny  ${HOME}/.tor-browser-cs
 
 mkdir ${HOME}/.tor-browser-cs
-whitelist ${HOME}/.tor-browser-cs
+allow  ${HOME}/.tor-browser-cs
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-da.profile b/etc/profile-m-z/tor-browser-da.profile
index 440bb7fc3..9010025e3 100644
--- a/etc/profile-m-z/tor-browser-da.profile
+++ b/etc/profile-m-z/tor-browser-da.profile
@@ -6,10 +6,10 @@ include tor-browser-da.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-da
+nodeny  ${HOME}/.tor-browser-da
 
 mkdir ${HOME}/.tor-browser-da
-whitelist ${HOME}/.tor-browser-da
+allow  ${HOME}/.tor-browser-da
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-de.profile b/etc/profile-m-z/tor-browser-de.profile
index b2b98cf82..cd556c32b 100644
--- a/etc/profile-m-z/tor-browser-de.profile
+++ b/etc/profile-m-z/tor-browser-de.profile
@@ -6,10 +6,10 @@ include tor-browser-de.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-de
+nodeny  ${HOME}/.tor-browser-de
 
 mkdir ${HOME}/.tor-browser-de
-whitelist ${HOME}/.tor-browser-de
+allow  ${HOME}/.tor-browser-de
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-el.profile b/etc/profile-m-z/tor-browser-el.profile
index 626757dd5..ee2b0fea7 100644
--- a/etc/profile-m-z/tor-browser-el.profile
+++ b/etc/profile-m-z/tor-browser-el.profile
@@ -6,10 +6,10 @@ include tor-browser-el.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-el
+nodeny  ${HOME}/.tor-browser-el
 
 mkdir ${HOME}/.tor-browser-el
-whitelist ${HOME}/.tor-browser-el
+allow  ${HOME}/.tor-browser-el
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-en-us.profile b/etc/profile-m-z/tor-browser-en-us.profile
index 15e690748..2be71a5aa 100644
--- a/etc/profile-m-z/tor-browser-en-us.profile
+++ b/etc/profile-m-z/tor-browser-en-us.profile
@@ -6,10 +6,10 @@ include tor-browser-en-us.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-en-us
+nodeny  ${HOME}/.tor-browser-en-us
 
 mkdir ${HOME}/.tor-browser-en-us
-whitelist ${HOME}/.tor-browser-en-us
+allow  ${HOME}/.tor-browser-en-us
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-en.profile b/etc/profile-m-z/tor-browser-en.profile
index ef8c1eb8b..633c2f4f9 100644
--- a/etc/profile-m-z/tor-browser-en.profile
+++ b/etc/profile-m-z/tor-browser-en.profile
@@ -6,10 +6,10 @@ include tor-browser-en.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-en
+nodeny  ${HOME}/.tor-browser-en
 
 mkdir ${HOME}/.tor-browser-en
-whitelist ${HOME}/.tor-browser-en
+allow  ${HOME}/.tor-browser-en
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-es-es.profile b/etc/profile-m-z/tor-browser-es-es.profile
index ad734662e..f7c2302a7 100644
--- a/etc/profile-m-z/tor-browser-es-es.profile
+++ b/etc/profile-m-z/tor-browser-es-es.profile
@@ -6,10 +6,10 @@ include tor-browser-es-es.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-es-es
+nodeny  ${HOME}/.tor-browser-es-es
 
 mkdir ${HOME}/.tor-browser-es-es
-whitelist ${HOME}/.tor-browser-es-es
+allow  ${HOME}/.tor-browser-es-es
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-es.profile b/etc/profile-m-z/tor-browser-es.profile
index 97d8d8577..d88dcdec1 100644
--- a/etc/profile-m-z/tor-browser-es.profile
+++ b/etc/profile-m-z/tor-browser-es.profile
@@ -6,10 +6,10 @@ include tor-browser-es.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-es
+nodeny  ${HOME}/.tor-browser-es
 
 mkdir ${HOME}/.tor-browser-es
-whitelist ${HOME}/.tor-browser-es
+allow  ${HOME}/.tor-browser-es
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-fa.profile b/etc/profile-m-z/tor-browser-fa.profile
index 095be69e4..3f7074fdb 100644
--- a/etc/profile-m-z/tor-browser-fa.profile
+++ b/etc/profile-m-z/tor-browser-fa.profile
@@ -6,10 +6,10 @@ include tor-browser-fa.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-fa
+nodeny  ${HOME}/.tor-browser-fa
 
 mkdir ${HOME}/.tor-browser-fa
-whitelist ${HOME}/.tor-browser-fa
+allow  ${HOME}/.tor-browser-fa
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-fr.profile b/etc/profile-m-z/tor-browser-fr.profile
index 37f61fc3a..ef14f44a2 100644
--- a/etc/profile-m-z/tor-browser-fr.profile
+++ b/etc/profile-m-z/tor-browser-fr.profile
@@ -6,10 +6,10 @@ include tor-browser-fr.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-fr
+nodeny  ${HOME}/.tor-browser-fr
 
 mkdir ${HOME}/.tor-browser-fr
-whitelist ${HOME}/.tor-browser-fr
+allow  ${HOME}/.tor-browser-fr
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ga-ie.profile b/etc/profile-m-z/tor-browser-ga-ie.profile
index ab7141fc4..06baaf34f 100644
--- a/etc/profile-m-z/tor-browser-ga-ie.profile
+++ b/etc/profile-m-z/tor-browser-ga-ie.profile
@@ -6,10 +6,10 @@ include tor-browser-ga-ie.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-ga-ie
+nodeny  ${HOME}/.tor-browser-ga-ie
 
 mkdir ${HOME}/.tor-browser-ga-ie
-whitelist ${HOME}/.tor-browser-ga-ie
+allow  ${HOME}/.tor-browser-ga-ie
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-he.profile b/etc/profile-m-z/tor-browser-he.profile
index ae56f3b7f..57588ffc7 100644
--- a/etc/profile-m-z/tor-browser-he.profile
+++ b/etc/profile-m-z/tor-browser-he.profile
@@ -6,10 +6,10 @@ include tor-browser-he.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-he
+nodeny  ${HOME}/.tor-browser-he
 
 mkdir ${HOME}/.tor-browser-he
-whitelist ${HOME}/.tor-browser-he
+allow  ${HOME}/.tor-browser-he
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-hu.profile b/etc/profile-m-z/tor-browser-hu.profile
index 65cd18ac8..a10b66a24 100644
--- a/etc/profile-m-z/tor-browser-hu.profile
+++ b/etc/profile-m-z/tor-browser-hu.profile
@@ -6,10 +6,10 @@ include tor-browser-hu.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-hu
+nodeny  ${HOME}/.tor-browser-hu
 
 mkdir ${HOME}/.tor-browser-hu
-whitelist ${HOME}/.tor-browser-hu
+allow  ${HOME}/.tor-browser-hu
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-id.profile b/etc/profile-m-z/tor-browser-id.profile
index 57fe09f47..fcdb822cd 100644
--- a/etc/profile-m-z/tor-browser-id.profile
+++ b/etc/profile-m-z/tor-browser-id.profile
@@ -6,10 +6,10 @@ include tor-browser-id.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-id
+nodeny  ${HOME}/.tor-browser-id
 
 mkdir ${HOME}/.tor-browser-id
-whitelist ${HOME}/.tor-browser-id
+allow  ${HOME}/.tor-browser-id
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-is.profile b/etc/profile-m-z/tor-browser-is.profile
index 54f1df42d..45b47c108 100644
--- a/etc/profile-m-z/tor-browser-is.profile
+++ b/etc/profile-m-z/tor-browser-is.profile
@@ -6,10 +6,10 @@ include tor-browser-is.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-is
+nodeny  ${HOME}/.tor-browser-is
 
 mkdir ${HOME}/.tor-browser-is
-whitelist ${HOME}/.tor-browser-is
+allow  ${HOME}/.tor-browser-is
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-it.profile b/etc/profile-m-z/tor-browser-it.profile
index a7d46e875..b5a2f7c13 100644
--- a/etc/profile-m-z/tor-browser-it.profile
+++ b/etc/profile-m-z/tor-browser-it.profile
@@ -6,10 +6,10 @@ include tor-browser-it.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-it
+nodeny  ${HOME}/.tor-browser-it
 
 mkdir ${HOME}/.tor-browser-it
-whitelist ${HOME}/.tor-browser-it
+allow  ${HOME}/.tor-browser-it
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ja.profile b/etc/profile-m-z/tor-browser-ja.profile
index b89016141..e1f023bd4 100644
--- a/etc/profile-m-z/tor-browser-ja.profile
+++ b/etc/profile-m-z/tor-browser-ja.profile
@@ -6,10 +6,10 @@ include tor-browser-ja.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-ja
+nodeny  ${HOME}/.tor-browser-ja
 
 mkdir ${HOME}/.tor-browser-ja
-whitelist ${HOME}/.tor-browser-ja
+allow  ${HOME}/.tor-browser-ja
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ka.profile b/etc/profile-m-z/tor-browser-ka.profile
index b57cf10de..17930b58e 100644
--- a/etc/profile-m-z/tor-browser-ka.profile
+++ b/etc/profile-m-z/tor-browser-ka.profile
@@ -6,10 +6,10 @@ include tor-browser-ka.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-ka
+nodeny  ${HOME}/.tor-browser-ka
 
 mkdir ${HOME}/.tor-browser-ka
-whitelist ${HOME}/.tor-browser-ka
+allow  ${HOME}/.tor-browser-ka
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ko.profile b/etc/profile-m-z/tor-browser-ko.profile
index a9bedb6fd..b33d1edb4 100644
--- a/etc/profile-m-z/tor-browser-ko.profile
+++ b/etc/profile-m-z/tor-browser-ko.profile
@@ -6,10 +6,10 @@ include tor-browser-ko.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-ko
+nodeny  ${HOME}/.tor-browser-ko
 
 mkdir ${HOME}/.tor-browser-ko
-whitelist ${HOME}/.tor-browser-ko
+allow  ${HOME}/.tor-browser-ko
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-nb.profile b/etc/profile-m-z/tor-browser-nb.profile
index fbe9f92bd..b462eb9ac 100644
--- a/etc/profile-m-z/tor-browser-nb.profile
+++ b/etc/profile-m-z/tor-browser-nb.profile
@@ -6,10 +6,10 @@ include tor-browser-nb.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-nb
+nodeny  ${HOME}/.tor-browser-nb
 
 mkdir ${HOME}/.tor-browser-nb
-whitelist ${HOME}/.tor-browser-nb
+allow  ${HOME}/.tor-browser-nb
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-nl.profile b/etc/profile-m-z/tor-browser-nl.profile
index 678ac1713..0225eb6fd 100644
--- a/etc/profile-m-z/tor-browser-nl.profile
+++ b/etc/profile-m-z/tor-browser-nl.profile
@@ -6,10 +6,10 @@ include tor-browser-nl.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-nl
+nodeny  ${HOME}/.tor-browser-nl
 
 mkdir ${HOME}/.tor-browser-nl
-whitelist ${HOME}/.tor-browser-nl
+allow  ${HOME}/.tor-browser-nl
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-pl.profile b/etc/profile-m-z/tor-browser-pl.profile
index 25d473b1a..75604b458 100644
--- a/etc/profile-m-z/tor-browser-pl.profile
+++ b/etc/profile-m-z/tor-browser-pl.profile
@@ -6,10 +6,10 @@ include tor-browser-pl.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-pl
+nodeny  ${HOME}/.tor-browser-pl
 
 mkdir ${HOME}/.tor-browser-pl
-whitelist ${HOME}/.tor-browser-pl
+allow  ${HOME}/.tor-browser-pl
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-pt-br.profile b/etc/profile-m-z/tor-browser-pt-br.profile
index 55adbd5ea..4d50d8034 100644
--- a/etc/profile-m-z/tor-browser-pt-br.profile
+++ b/etc/profile-m-z/tor-browser-pt-br.profile
@@ -6,10 +6,10 @@ include tor-browser-pt-br.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-pt-br
+nodeny  ${HOME}/.tor-browser-pt-br
 
 mkdir ${HOME}/.tor-browser-pt-br
-whitelist ${HOME}/.tor-browser-pt-br
+allow  ${HOME}/.tor-browser-pt-br
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ru.profile b/etc/profile-m-z/tor-browser-ru.profile
index aea13be9d..4bca3c46f 100644
--- a/etc/profile-m-z/tor-browser-ru.profile
+++ b/etc/profile-m-z/tor-browser-ru.profile
@@ -6,10 +6,10 @@ include tor-browser-ru.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-ru
+nodeny  ${HOME}/.tor-browser-ru
 
 mkdir ${HOME}/.tor-browser-ru
-whitelist ${HOME}/.tor-browser-ru
+allow  ${HOME}/.tor-browser-ru
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-sv-se.profile b/etc/profile-m-z/tor-browser-sv-se.profile
index b7882bd04..1b319dc43 100644
--- a/etc/profile-m-z/tor-browser-sv-se.profile
+++ b/etc/profile-m-z/tor-browser-sv-se.profile
@@ -6,10 +6,10 @@ include tor-browser-sv-se.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-sv-se
+nodeny  ${HOME}/.tor-browser-sv-se
 
 mkdir ${HOME}/.tor-browser-sv-se
-whitelist ${HOME}/.tor-browser-sv-se
+allow  ${HOME}/.tor-browser-sv-se
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-tr.profile b/etc/profile-m-z/tor-browser-tr.profile
index c52e8c4c4..0775a0c08 100644
--- a/etc/profile-m-z/tor-browser-tr.profile
+++ b/etc/profile-m-z/tor-browser-tr.profile
@@ -6,10 +6,10 @@ include tor-browser-tr.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-tr
+nodeny  ${HOME}/.tor-browser-tr
 
 mkdir ${HOME}/.tor-browser-tr
-whitelist ${HOME}/.tor-browser-tr
+allow  ${HOME}/.tor-browser-tr
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-vi.profile b/etc/profile-m-z/tor-browser-vi.profile
index d5bf76655..c4d5a7a76 100644
--- a/etc/profile-m-z/tor-browser-vi.profile
+++ b/etc/profile-m-z/tor-browser-vi.profile
@@ -6,10 +6,10 @@ include tor-browser-vi.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-vi
+nodeny  ${HOME}/.tor-browser-vi
 
 mkdir ${HOME}/.tor-browser-vi
-whitelist ${HOME}/.tor-browser-vi
+allow  ${HOME}/.tor-browser-vi
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-zh-cn.profile b/etc/profile-m-z/tor-browser-zh-cn.profile
index 6c8925a4a..4cd287e5d 100644
--- a/etc/profile-m-z/tor-browser-zh-cn.profile
+++ b/etc/profile-m-z/tor-browser-zh-cn.profile
@@ -6,10 +6,10 @@ include tor-browser-zh-cn.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-zh-cn
+nodeny  ${HOME}/.tor-browser-zh-cn
 
 mkdir ${HOME}/.tor-browser-zh-cn
-whitelist ${HOME}/.tor-browser-zh-cn
+allow  ${HOME}/.tor-browser-zh-cn
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-zh-tw.profile b/etc/profile-m-z/tor-browser-zh-tw.profile
index 141a6701e..c75baf522 100644
--- a/etc/profile-m-z/tor-browser-zh-tw.profile
+++ b/etc/profile-m-z/tor-browser-zh-tw.profile
@@ -6,10 +6,10 @@ include tor-browser-zh-tw.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-zh-tw
+nodeny  ${HOME}/.tor-browser-zh-tw
 
 mkdir ${HOME}/.tor-browser-zh-tw
-whitelist ${HOME}/.tor-browser-zh-tw
+allow  ${HOME}/.tor-browser-zh-tw
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser.profile b/etc/profile-m-z/tor-browser.profile
index 76a0e1fa5..8a2dbda53 100644
--- a/etc/profile-m-z/tor-browser.profile
+++ b/etc/profile-m-z/tor-browser.profile
@@ -6,10 +6,10 @@ include tor-browser.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser
+nodeny  ${HOME}/.tor-browser
 
 mkdir ${HOME}/.tor-browser
-whitelist ${HOME}/.tor-browser
+allow  ${HOME}/.tor-browser
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ar.profile b/etc/profile-m-z/tor-browser_ar.profile
index d811b7549..90b5a0960 100644
--- a/etc/profile-m-z/tor-browser_ar.profile
+++ b/etc/profile-m-z/tor-browser_ar.profile
@@ -6,10 +6,10 @@ include tor-browser_ar.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_ar
+nodeny  ${HOME}/.tor-browser_ar
 
 mkdir ${HOME}/.tor-browser_ar
-whitelist ${HOME}/.tor-browser_ar
+allow  ${HOME}/.tor-browser_ar
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ca.profile b/etc/profile-m-z/tor-browser_ca.profile
index 8bf1f7cd4..a04207ccd 100644
--- a/etc/profile-m-z/tor-browser_ca.profile
+++ b/etc/profile-m-z/tor-browser_ca.profile
@@ -6,10 +6,10 @@ include tor-browser_ca.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_ca
+nodeny  ${HOME}/.tor-browser_ca
 
 mkdir ${HOME}/.tor-browser_ca
-whitelist ${HOME}/.tor-browser_ca
+allow  ${HOME}/.tor-browser_ca
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_cs.profile b/etc/profile-m-z/tor-browser_cs.profile
index b41107bf1..b99ad14a8 100644
--- a/etc/profile-m-z/tor-browser_cs.profile
+++ b/etc/profile-m-z/tor-browser_cs.profile
@@ -6,10 +6,10 @@ include tor-browser_cs.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_cs
+nodeny  ${HOME}/.tor-browser_cs
 
 mkdir ${HOME}/.tor-browser_cs
-whitelist ${HOME}/.tor-browser_cs
+allow  ${HOME}/.tor-browser_cs
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_da.profile b/etc/profile-m-z/tor-browser_da.profile
index cbec4ee2e..545e53b7e 100644
--- a/etc/profile-m-z/tor-browser_da.profile
+++ b/etc/profile-m-z/tor-browser_da.profile
@@ -6,10 +6,10 @@ include tor-browser_da.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_da
+nodeny  ${HOME}/.tor-browser_da
 
 mkdir ${HOME}/.tor-browser_da
-whitelist ${HOME}/.tor-browser_da
+allow  ${HOME}/.tor-browser_da
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_de.profile b/etc/profile-m-z/tor-browser_de.profile
index ea26765d3..545f82f72 100644
--- a/etc/profile-m-z/tor-browser_de.profile
+++ b/etc/profile-m-z/tor-browser_de.profile
@@ -6,10 +6,10 @@ include tor-browser_de.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_de
+nodeny  ${HOME}/.tor-browser_de
 
 mkdir ${HOME}/.tor-browser_de
-whitelist ${HOME}/.tor-browser_de
+allow  ${HOME}/.tor-browser_de
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_el.profile b/etc/profile-m-z/tor-browser_el.profile
index ff57a8722..3120b1701 100644
--- a/etc/profile-m-z/tor-browser_el.profile
+++ b/etc/profile-m-z/tor-browser_el.profile
@@ -6,10 +6,10 @@ include tor-browser_el.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_el
+nodeny  ${HOME}/.tor-browser_el
 
 mkdir ${HOME}/.tor-browser_el
-whitelist ${HOME}/.tor-browser_el
+allow  ${HOME}/.tor-browser_el
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_en-US.profile b/etc/profile-m-z/tor-browser_en-US.profile
index 18c92b638..6719ac057 100644
--- a/etc/profile-m-z/tor-browser_en-US.profile
+++ b/etc/profile-m-z/tor-browser_en-US.profile
@@ -6,10 +6,10 @@ include tor-browser_en-US.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_en-US
+nodeny  ${HOME}/.tor-browser_en-US
 
 mkdir ${HOME}/.tor-browser_en-US
-whitelist ${HOME}/.tor-browser_en-US
+allow  ${HOME}/.tor-browser_en-US
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_en.profile b/etc/profile-m-z/tor-browser_en.profile
index ebba83cc4..4cbd37109 100644
--- a/etc/profile-m-z/tor-browser_en.profile
+++ b/etc/profile-m-z/tor-browser_en.profile
@@ -6,10 +6,10 @@ include tor-browser_en.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_en
+nodeny  ${HOME}/.tor-browser_en
 
 mkdir ${HOME}/.tor-browser_en
-whitelist ${HOME}/.tor-browser_en
+allow  ${HOME}/.tor-browser_en
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_es-ES.profile b/etc/profile-m-z/tor-browser_es-ES.profile
index aecab38d5..6c8a5987c 100644
--- a/etc/profile-m-z/tor-browser_es-ES.profile
+++ b/etc/profile-m-z/tor-browser_es-ES.profile
@@ -6,10 +6,10 @@ include tor-browser_es-ES.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_es-ES
+nodeny  ${HOME}/.tor-browser_es-ES
 
 mkdir ${HOME}/.tor-browser_es-ES
-whitelist ${HOME}/.tor-browser_es-ES
+allow  ${HOME}/.tor-browser_es-ES
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_es.profile b/etc/profile-m-z/tor-browser_es.profile
index e19e9b5e6..7d358b7ca 100644
--- a/etc/profile-m-z/tor-browser_es.profile
+++ b/etc/profile-m-z/tor-browser_es.profile
@@ -6,10 +6,10 @@ include tor-browser_es.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_es
+nodeny  ${HOME}/.tor-browser_es
 
 mkdir ${HOME}/.tor-browser_es
-whitelist ${HOME}/.tor-browser_es
+allow  ${HOME}/.tor-browser_es
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_fa.profile b/etc/profile-m-z/tor-browser_fa.profile
index 68414c277..fc4285c5d 100644
--- a/etc/profile-m-z/tor-browser_fa.profile
+++ b/etc/profile-m-z/tor-browser_fa.profile
@@ -6,10 +6,10 @@ include tor-browser_fa.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_fa
+nodeny  ${HOME}/.tor-browser_fa
 
 mkdir ${HOME}/.tor-browser_fa
-whitelist ${HOME}/.tor-browser_fa
+allow  ${HOME}/.tor-browser_fa
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_fr.profile b/etc/profile-m-z/tor-browser_fr.profile
index 0a8bb30b7..2d0c0ff1f 100644
--- a/etc/profile-m-z/tor-browser_fr.profile
+++ b/etc/profile-m-z/tor-browser_fr.profile
@@ -6,10 +6,10 @@ include tor-browser_fr.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_fr
+nodeny  ${HOME}/.tor-browser_fr
 
 mkdir ${HOME}/.tor-browser_fr
-whitelist ${HOME}/.tor-browser_fr
+allow  ${HOME}/.tor-browser_fr
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ga-IE.profile b/etc/profile-m-z/tor-browser_ga-IE.profile
index 12354b900..2880e1e2a 100644
--- a/etc/profile-m-z/tor-browser_ga-IE.profile
+++ b/etc/profile-m-z/tor-browser_ga-IE.profile
@@ -6,10 +6,10 @@ include tor-browser_ga-IE.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_ga-IE
+nodeny  ${HOME}/.tor-browser_ga-IE
 
 mkdir ${HOME}/.tor-browser_ga-IE
-whitelist ${HOME}/.tor-browser_ga-IE
+allow  ${HOME}/.tor-browser_ga-IE
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_he.profile b/etc/profile-m-z/tor-browser_he.profile
index 19cbb0809..ac6993019 100644
--- a/etc/profile-m-z/tor-browser_he.profile
+++ b/etc/profile-m-z/tor-browser_he.profile
@@ -6,10 +6,10 @@ include tor-browser_he.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_he
+nodeny  ${HOME}/.tor-browser_he
 
 mkdir ${HOME}/.tor-browser_he
-whitelist ${HOME}/.tor-browser_he
+allow  ${HOME}/.tor-browser_he
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_hu.profile b/etc/profile-m-z/tor-browser_hu.profile
index 62b55e170..6877a6be4 100644
--- a/etc/profile-m-z/tor-browser_hu.profile
+++ b/etc/profile-m-z/tor-browser_hu.profile
@@ -6,10 +6,10 @@ include tor-browser_hu.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_hu
+nodeny  ${HOME}/.tor-browser_hu
 
 mkdir ${HOME}/.tor-browser_hu
-whitelist ${HOME}/.tor-browser_hu
+allow  ${HOME}/.tor-browser_hu
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_id.profile b/etc/profile-m-z/tor-browser_id.profile
index 2970a7747..5f5601f74 100644
--- a/etc/profile-m-z/tor-browser_id.profile
+++ b/etc/profile-m-z/tor-browser_id.profile
@@ -6,10 +6,10 @@ include tor-browser_id.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_id
+nodeny  ${HOME}/.tor-browser_id
 
 mkdir ${HOME}/.tor-browser_id
-whitelist ${HOME}/.tor-browser_id
+allow  ${HOME}/.tor-browser_id
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_is.profile b/etc/profile-m-z/tor-browser_is.profile
index f922c7644..f0814d16e 100644
--- a/etc/profile-m-z/tor-browser_is.profile
+++ b/etc/profile-m-z/tor-browser_is.profile
@@ -6,10 +6,10 @@ include tor-browser_is.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_is
+nodeny  ${HOME}/.tor-browser_is
 
 mkdir ${HOME}/.tor-browser_is
-whitelist ${HOME}/.tor-browser_is
+allow  ${HOME}/.tor-browser_is
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_it.profile b/etc/profile-m-z/tor-browser_it.profile
index 406901759..fa01f6bca 100644
--- a/etc/profile-m-z/tor-browser_it.profile
+++ b/etc/profile-m-z/tor-browser_it.profile
@@ -6,10 +6,10 @@ include tor-browser_it.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_it
+nodeny  ${HOME}/.tor-browser_it
 
 mkdir ${HOME}/.tor-browser_it
-whitelist ${HOME}/.tor-browser_it
+allow  ${HOME}/.tor-browser_it
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ja.profile b/etc/profile-m-z/tor-browser_ja.profile
index 8f9d8d751..dde107dd3 100644
--- a/etc/profile-m-z/tor-browser_ja.profile
+++ b/etc/profile-m-z/tor-browser_ja.profile
@@ -6,10 +6,10 @@ include tor-browser_ja.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_ja
+nodeny  ${HOME}/.tor-browser_ja
 
 mkdir ${HOME}/.tor-browser_ja
-whitelist ${HOME}/.tor-browser_ja
+allow  ${HOME}/.tor-browser_ja
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ka.profile b/etc/profile-m-z/tor-browser_ka.profile
index 4de4135e1..7de4dff65 100644
--- a/etc/profile-m-z/tor-browser_ka.profile
+++ b/etc/profile-m-z/tor-browser_ka.profile
@@ -6,10 +6,10 @@ include tor-browser_ka.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_ka
+nodeny  ${HOME}/.tor-browser_ka
 
 mkdir ${HOME}/.tor-browser_ka
-whitelist ${HOME}/.tor-browser_ka
+allow  ${HOME}/.tor-browser_ka
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ko.profile b/etc/profile-m-z/tor-browser_ko.profile
index 125c733ce..7e3ceb4d9 100644
--- a/etc/profile-m-z/tor-browser_ko.profile
+++ b/etc/profile-m-z/tor-browser_ko.profile
@@ -6,10 +6,10 @@ include tor-browser_ko.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_ko
+nodeny  ${HOME}/.tor-browser_ko
 
 mkdir ${HOME}/.tor-browser_ko
-whitelist ${HOME}/.tor-browser_ko
+allow  ${HOME}/.tor-browser_ko
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_nb.profile b/etc/profile-m-z/tor-browser_nb.profile
index dc6ac876b..c11001960 100644
--- a/etc/profile-m-z/tor-browser_nb.profile
+++ b/etc/profile-m-z/tor-browser_nb.profile
@@ -6,10 +6,10 @@ include tor-browser_nb.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_nb
+nodeny  ${HOME}/.tor-browser_nb
 
 mkdir ${HOME}/.tor-browser_nb
-whitelist ${HOME}/.tor-browser_nb
+allow  ${HOME}/.tor-browser_nb
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_nl.profile b/etc/profile-m-z/tor-browser_nl.profile
index 2a3a5b519..2d1044f9d 100644
--- a/etc/profile-m-z/tor-browser_nl.profile
+++ b/etc/profile-m-z/tor-browser_nl.profile
@@ -6,10 +6,10 @@ include tor-browser_nl.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_nl
+nodeny  ${HOME}/.tor-browser_nl
 
 mkdir ${HOME}/.tor-browser_nl
-whitelist ${HOME}/.tor-browser_nl
+allow  ${HOME}/.tor-browser_nl
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_pl.profile b/etc/profile-m-z/tor-browser_pl.profile
index b7dec32db..2818320a0 100644
--- a/etc/profile-m-z/tor-browser_pl.profile
+++ b/etc/profile-m-z/tor-browser_pl.profile
@@ -6,10 +6,10 @@ include tor-browser_pl.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_pl
+nodeny  ${HOME}/.tor-browser_pl
 
 mkdir ${HOME}/.tor-browser_pl
-whitelist ${HOME}/.tor-browser_pl
+allow  ${HOME}/.tor-browser_pl
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_pt-BR.profile b/etc/profile-m-z/tor-browser_pt-BR.profile
index 7a7d4726c..8c33e2545 100644
--- a/etc/profile-m-z/tor-browser_pt-BR.profile
+++ b/etc/profile-m-z/tor-browser_pt-BR.profile
@@ -6,10 +6,10 @@ include tor-browser_pt-BR.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_pt-BR
+nodeny  ${HOME}/.tor-browser_pt-BR
 
 mkdir ${HOME}/.tor-browser_pt-BR
-whitelist ${HOME}/.tor-browser_pt-BR
+allow  ${HOME}/.tor-browser_pt-BR
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ru.profile b/etc/profile-m-z/tor-browser_ru.profile
index 7d2e6bc97..2553bb031 100644
--- a/etc/profile-m-z/tor-browser_ru.profile
+++ b/etc/profile-m-z/tor-browser_ru.profile
@@ -6,10 +6,10 @@ include tor-browser_ru.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_ru
+nodeny  ${HOME}/.tor-browser_ru
 
 mkdir ${HOME}/.tor-browser_ru
-whitelist ${HOME}/.tor-browser_ru
+allow  ${HOME}/.tor-browser_ru
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_sv-SE.profile b/etc/profile-m-z/tor-browser_sv-SE.profile
index 585925e81..3152cb658 100644
--- a/etc/profile-m-z/tor-browser_sv-SE.profile
+++ b/etc/profile-m-z/tor-browser_sv-SE.profile
@@ -6,10 +6,10 @@ include tor-browser_sv-SE.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_sv-SE
+nodeny  ${HOME}/.tor-browser_sv-SE
 
 mkdir ${HOME}/.tor-browser_sv-SE
-whitelist ${HOME}/.tor-browser_sv-SE
+allow  ${HOME}/.tor-browser_sv-SE
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_tr.profile b/etc/profile-m-z/tor-browser_tr.profile
index 4b0cc3821..9808d4725 100644
--- a/etc/profile-m-z/tor-browser_tr.profile
+++ b/etc/profile-m-z/tor-browser_tr.profile
@@ -6,10 +6,10 @@ include tor-browser_tr.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_tr
+nodeny  ${HOME}/.tor-browser_tr
 
 mkdir ${HOME}/.tor-browser_tr
-whitelist ${HOME}/.tor-browser_tr
+allow  ${HOME}/.tor-browser_tr
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_vi.profile b/etc/profile-m-z/tor-browser_vi.profile
index 4dcfbf56d..364fca40b 100644
--- a/etc/profile-m-z/tor-browser_vi.profile
+++ b/etc/profile-m-z/tor-browser_vi.profile
@@ -6,10 +6,10 @@ include tor-browser_vi.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_vi
+nodeny  ${HOME}/.tor-browser_vi
 
 mkdir ${HOME}/.tor-browser_vi
-whitelist ${HOME}/.tor-browser_vi
+allow  ${HOME}/.tor-browser_vi
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_zh-CN.profile b/etc/profile-m-z/tor-browser_zh-CN.profile
index 1e03b8d6b..193e8a399 100644
--- a/etc/profile-m-z/tor-browser_zh-CN.profile
+++ b/etc/profile-m-z/tor-browser_zh-CN.profile
@@ -6,10 +6,10 @@ include tor-browser_zh-CN.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_zh-CN
+nodeny  ${HOME}/.tor-browser_zh-CN
 
 mkdir ${HOME}/.tor-browser_zh-CN
-whitelist ${HOME}/.tor-browser_zh-CN
+allow  ${HOME}/.tor-browser_zh-CN
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_zh-TW.profile b/etc/profile-m-z/tor-browser_zh-TW.profile
index a2dcf5cf1..047be9b8e 100644
--- a/etc/profile-m-z/tor-browser_zh-TW.profile
+++ b/etc/profile-m-z/tor-browser_zh-TW.profile
@@ -6,10 +6,10 @@ include tor-browser_zh-TW.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_zh-TW
+nodeny  ${HOME}/.tor-browser_zh-TW
 
 mkdir ${HOME}/.tor-browser_zh-TW
-whitelist ${HOME}/.tor-browser_zh-TW
+allow  ${HOME}/.tor-browser_zh-TW
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index 7659ed1e9..65a37db5f 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -8,15 +8,15 @@ include globals.local
 
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.config/torbrowser
-noblacklist ${HOME}/.local/share/torbrowser
+nodeny  ${HOME}/.config/torbrowser
+nodeny  ${HOME}/.local/share/torbrowser
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 
-blacklist /opt
-blacklist /srv
+deny  /opt
+deny  /srv
 
 include disable-common.inc
 include disable-devel.inc
@@ -28,10 +28,10 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/torbrowser
 mkdir ${HOME}/.local/share/torbrowser
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/torbrowser
-whitelist ${HOME}/.local/share/torbrowser
-whitelist /usr/share/torbrowser-launcher
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/torbrowser
+allow  ${HOME}/.local/share/torbrowser
+allow  /usr/share/torbrowser-launcher
 include whitelist-common.inc
 include whitelist-var-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile
index 0f98a8f64..c5d89c3e3 100644
--- a/etc/profile-m-z/torcs.profile
+++ b/etc/profile-m-z/torcs.profile
@@ -6,7 +6,7 @@ include torcs.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.torcs
+nodeny  ${HOME}/.torcs
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,9 +17,9 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.torcs
-whitelist ${HOME}/.torcs
-whitelist /usr/share/games/torcs
-whitelist /var/games/torcs
+allow  ${HOME}/.torcs
+allow  /usr/share/games/torcs
+allow  /var/games/torcs
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index 70d9e0aee..77d3c55f8 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -13,8 +13,8 @@ include allow-lua.inc
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
-noblacklist ${HOME}/.config/totem
-noblacklist ${HOME}/.local/share/totem
+nodeny  ${HOME}/.config/totem
+nodeny  ${HOME}/.local/share/totem
 
 include disable-common.inc
 include disable-devel.inc
@@ -27,9 +27,9 @@ include disable-shell.inc
 read-only ${DESKTOP}
 mkdir ${HOME}/.config/totem
 mkdir ${HOME}/.local/share/totem
-whitelist ${HOME}/.config/totem
-whitelist ${HOME}/.local/share/totem
-whitelist /usr/share/totem
+allow  ${HOME}/.config/totem
+allow  ${HOME}/.local/share/totem
+allow  /usr/share/totem
 include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/tracker.profile b/etc/profile-m-z/tracker.profile
index 87c5de076..26f4abd0b 100644
--- a/etc/profile-m-z/tracker.profile
+++ b/etc/profile-m-z/tracker.profile
@@ -8,8 +8,8 @@ include globals.local
 
 # Tracker is started by systemd on most systems. Therefore it is not firejailed by default
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile
index ea118a9f0..d5920e2a2 100644
--- a/etc/profile-m-z/transgui.profile
+++ b/etc/profile-m-z/transgui.profile
@@ -6,7 +6,7 @@ include transgui.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/transgui
+nodeny  ${HOME}/.config/transgui
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/transgui
-whitelist ${HOME}/.config/transgui
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.config/transgui
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/transmission-common.profile b/etc/profile-m-z/transmission-common.profile
index 82671b709..5c2cf9d9a 100644
--- a/etc/profile-m-z/transmission-common.profile
+++ b/etc/profile-m-z/transmission-common.profile
@@ -7,8 +7,8 @@ include transmission-common.local
 # added by caller profile
 #include globals.local
 
-noblacklist ${HOME}/.cache/transmission
-noblacklist ${HOME}/.config/transmission
+nodeny  ${HOME}/.cache/transmission
+nodeny  ${HOME}/.config/transmission
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,9 +19,9 @@ include disable-programs.inc
 
 mkdir ${HOME}/.cache/transmission
 mkdir ${HOME}/.config/transmission
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/transmission
-whitelist ${HOME}/.config/transmission
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/transmission
+allow  ${HOME}/.config/transmission
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile
index 348d3cb80..9f0c464fc 100644
--- a/etc/profile-m-z/transmission-daemon.profile
+++ b/etc/profile-m-z/transmission-daemon.profile
@@ -10,8 +10,8 @@ include globals.local
 ignore caps.drop all
 
 mkdir ${HOME}/.config/transmission-daemon
-whitelist ${HOME}/.config/transmission-daemon
-whitelist /var/lib/transmission
+allow  ${HOME}/.config/transmission-daemon
+allow  /var/lib/transmission
 
 caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
 protocol packet
diff --git a/etc/profile-m-z/transmission-remote-gtk.profile b/etc/profile-m-z/transmission-remote-gtk.profile
index a6400e2c0..7c8eddcbc 100644
--- a/etc/profile-m-z/transmission-remote-gtk.profile
+++ b/etc/profile-m-z/transmission-remote-gtk.profile
@@ -7,10 +7,10 @@ include transmission-remote-gtk.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/transmission-remote-gtk
+nodeny  ${HOME}/.config/transmission-remote-gtk
 
 mkdir ${HOME}/.config/transmission-remote-gtk
-whitelist ${HOME}/.config/transmission-remote-gtk
+allow  ${HOME}/.config/transmission-remote-gtk
 
 private-etc fonts,hostname,hosts,resolv.conf
 # Problems with private-lib (see issue #2889)
diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile
index aba563fac..c2797ddaa 100644
--- a/etc/profile-m-z/tremulous.profile
+++ b/etc/profile-m-z/tremulous.profile
@@ -6,7 +6,7 @@ include tremulous.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.tremulous
+nodeny  ${HOME}/.tremulous
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.tremulous
-whitelist ${HOME}/.tremulous
-whitelist /usr/share/tremulous
+allow  ${HOME}/.tremulous
+allow  /usr/share/tremulous
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index 2d95081f6..95f39b35d 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -6,10 +6,10 @@ include trojita.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.abook
-noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.cache/flaska.net/trojita
-noblacklist ${HOME}/.config/flaska.net
+nodeny  ${HOME}/.abook
+nodeny  ${HOME}/.mozilla
+nodeny  ${HOME}/.cache/flaska.net/trojita
+nodeny  ${HOME}/.config/flaska.net
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,10 +23,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.abook
 mkdir ${HOME}/.cache/flaska.net/trojita
 mkdir ${HOME}/.config/flaska.net
-whitelist ${HOME}/.abook
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
-whitelist ${HOME}/.cache/flaska.net/trojita
-whitelist ${HOME}/.config/flaska.net
+allow  ${HOME}/.abook
+allow  ${HOME}/.mozilla/firefox/profiles.ini
+allow  ${HOME}/.cache/flaska.net/trojita
+allow  ${HOME}/.config/flaska.net
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/truecraft.profile b/etc/profile-m-z/truecraft.profile
index 749626475..76f289a27 100644
--- a/etc/profile-m-z/truecraft.profile
+++ b/etc/profile-m-z/truecraft.profile
@@ -5,8 +5,8 @@ include truecraft.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mono
-noblacklist ${HOME}/.config/truecraft
+nodeny  ${HOME}/.config/mono
+nodeny  ${HOME}/.config/truecraft
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/.config/mono
 mkdir ${HOME}/.config/truecraft
-whitelist ${HOME}/.config/mono
-whitelist ${HOME}/.config/truecraft
+allow  ${HOME}/.config/mono
+allow  ${HOME}/.config/truecraft
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/ts3client_runscript.sh.profile b/etc/profile-m-z/ts3client_runscript.sh.profile
index 8d4675454..cd6ae96df 100644
--- a/etc/profile-m-z/ts3client_runscript.sh.profile
+++ b/etc/profile-m-z/ts3client_runscript.sh.profile
@@ -9,11 +9,11 @@ include ts3client_runscript.sh.local
 
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/TeamSpeak3-Client-linux_x86
-noblacklist ${HOME}/TeamSpeak3-Client-linux_amd64
+nodeny  ${HOME}/TeamSpeak3-Client-linux_x86
+nodeny  ${HOME}/TeamSpeak3-Client-linux_amd64
 
-whitelist ${HOME}/TeamSpeak3-Client-linux_x86
-whitelist ${HOME}/TeamSpeak3-Client-linux_amd64
+allow  ${HOME}/TeamSpeak3-Client-linux_x86
+allow  ${HOME}/TeamSpeak3-Client-linux_amd64
 
 # Redirect
 include teamspeak3.profile
diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile
index d2cb0cc8a..e59a86ce6 100644
--- a/etc/profile-m-z/tutanota-desktop.profile
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -6,8 +6,8 @@ include tutanota-desktop.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/tuta_integration
-noblacklist ${HOME}/.config/tutanota-desktop
+nodeny  ${HOME}/.config/tuta_integration
+nodeny  ${HOME}/.config/tutanota-desktop
 
 ignore noexec /tmp
 
@@ -15,12 +15,12 @@ include disable-shell.inc
 
 mkdir ${HOME}/.config/tuta_integration
 mkdir ${HOME}/.config/tutanota-desktop
-whitelist ${HOME}/.config/tuta_integration
-whitelist ${HOME}/.config/tutanota-desktop
+allow  ${HOME}/.config/tuta_integration
+allow  ${HOME}/.config/tutanota-desktop
 
 # These lines are needed to allow Firefox to open links
-noblacklist ${HOME}/.mozilla
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
+nodeny  ${HOME}/.mozilla
+allow  ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 ?HAS_APPIMAGE: ignore private-dev
diff --git a/etc/profile-m-z/tuxguitar.profile b/etc/profile-m-z/tuxguitar.profile
index 3cd496412..5bb97e161 100644
--- a/etc/profile-m-z/tuxguitar.profile
+++ b/etc/profile-m-z/tuxguitar.profile
@@ -9,9 +9,9 @@ include globals.local
 # tuxguitar fails to launch
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.tuxguitar*
-noblacklist ${DOCUMENTS}
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.tuxguitar*
+nodeny  ${DOCUMENTS}
+nodeny  ${MUSIC}
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-m-z/tvbrowser.profile b/etc/profile-m-z/tvbrowser.profile
index dae7d86da..8febcd337 100644
--- a/etc/profile-m-z/tvbrowser.profile
+++ b/etc/profile-m-z/tvbrowser.profile
@@ -6,8 +6,8 @@ include tvbrowser.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/tvbrowser
-noblacklist ${HOME}/.tvbrowser
+nodeny  ${HOME}/.config/tvbrowser
+nodeny  ${HOME}/.tvbrowser
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -22,9 +22,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/tvbrowser
 mkdir ${HOME}/.tvbrowser
-whitelist ${HOME}/.config/tvbrowser
-whitelist ${HOME}/.tvbrowser
-whitelist /usr/share/tvbrowser
+allow  ${HOME}/.config/tvbrowser
+allow  ${HOME}/.tvbrowser
+allow  /usr/share/tvbrowser
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
index 2f573c872..abcc885e6 100644
--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -10,12 +10,12 @@ include globals.local
 ignore nou2f
 ignore novideo
 
-noblacklist ${HOME}/.config/Twitch
+nodeny  ${HOME}/.config/Twitch
 
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Twitch
-whitelist ${HOME}/.config/Twitch
+allow  ${HOME}/.config/Twitch
 
 private-bin twitch
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
diff --git a/etc/profile-m-z/uefitool.profile b/etc/profile-m-z/uefitool.profile
index 3e4fdbb03..8c705c95f 100644
--- a/etc/profile-m-z/uefitool.profile
+++ b/etc/profile-m-z/uefitool.profile
@@ -5,7 +5,7 @@ include uefitool.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/uget-gtk.profile b/etc/profile-m-z/uget-gtk.profile
index 4420099ff..eed2db541 100644
--- a/etc/profile-m-z/uget-gtk.profile
+++ b/etc/profile-m-z/uget-gtk.profile
@@ -5,7 +5,7 @@ include uget-gtk.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/uGet
+nodeny  ${HOME}/.config/uGet
 
 include disable-common.inc
 include disable-devel.inc
@@ -14,8 +14,8 @@ include disable-programs.inc
 include disable-shell.inc
 
 mkdir ${HOME}/.config/uGet
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/uGet
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/uGet
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/unbound.profile b/etc/profile-m-z/unbound.profile
index 0c077babf..7e7b3fbec 100644
--- a/etc/profile-m-z/unbound.profile
+++ b/etc/profile-m-z/unbound.profile
@@ -6,11 +6,11 @@ include unbound.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/sbin
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,8 +22,8 @@ include disable-xdg.inc
 
 include whitelist-usr-share-common.inc
 
-whitelist /var/lib/unbound
-whitelist /var/run
+allow  /var/lib/unbound
+allow  /var/run
 
 caps.keep net_admin,net_bind_service,setgid,setuid,sys_chroot,sys_resource
 ipc-namespace
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile
index 6db7ba362..846271971 100644
--- a/etc/profile-m-z/unf.profile
+++ b/etc/profile-m-z/unf.profile
@@ -7,7 +7,7 @@ include unf.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist ${DOWNLOADS}
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/unknown-horizons.profile b/etc/profile-m-z/unknown-horizons.profile
index 956492f52..3e1c6264d 100644
--- a/etc/profile-m-z/unknown-horizons.profile
+++ b/etc/profile-m-z/unknown-horizons.profile
@@ -6,7 +6,7 @@ include unknown-horizons.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.unknown-horizons
+nodeny  ${HOME}/.unknown-horizons
 
 include disable-common.inc
 include disable-exec.inc
@@ -14,10 +14,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.unknown-horizons
-whitelist ${HOME}/.unknown-horizons
+allow  ${HOME}/.unknown-horizons
 include whitelist-common.inc
 include whitelist-runuser-common.inc
-whitelist /usr/share/unknown-horizons
+allow  /usr/share/unknown-horizons
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile
index 0231e3dba..99d2415ca 100644
--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -8,7 +8,7 @@ include unzip.local
 include globals.local
 
 # GNOME Shell integration (chrome-gnome-shell)
-noblacklist ${HOME}/.local/share/gnome-shell
+nodeny  ${HOME}/.local/share/gnome-shell
 
 private-etc alternatives,group,localtime,passwd
 
diff --git a/etc/profile-m-z/utox.profile b/etc/profile-m-z/utox.profile
index dd881f091..3b0f7c646 100644
--- a/etc/profile-m-z/utox.profile
+++ b/etc/profile-m-z/utox.profile
@@ -6,8 +6,8 @@ include utox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/Tox
-noblacklist ${HOME}/.config/tox
+nodeny  ${HOME}/.cache/Tox
+nodeny  ${HOME}/.config/tox
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/tox
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/tox
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/tox
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile
index 2adc044e5..3bda71666 100644
--- a/etc/profile-m-z/uudeview.profile
+++ b/etc/profile-m-z/uudeview.profile
@@ -7,7 +7,7 @@ include uudeview.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/uzbl-browser.profile b/etc/profile-m-z/uzbl-browser.profile
index 41487a8f2..6899f4bf7 100644
--- a/etc/profile-m-z/uzbl-browser.profile
+++ b/etc/profile-m-z/uzbl-browser.profile
@@ -5,9 +5,9 @@ include uzbl-browser.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/uzbl
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.local/share/uzbl
+nodeny  ${HOME}/.config/uzbl
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.local/share/uzbl
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,11 +22,11 @@ mkdir ${HOME}/.config/uzbl
 mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.local/share/uzbl
 mkdir ${HOME}/.password-store
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/uzbl
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.local/share/uzbl
-whitelist ${HOME}/.password-store
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/uzbl
+allow  ${HOME}/.gnupg
+allow  ${HOME}/.local/share/uzbl
+allow  ${HOME}/.password-store
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile
index a9ba344dd..e0bf02706 100644
--- a/etc/profile-m-z/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -6,11 +6,11 @@ include viewnior.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.config/viewnior
-noblacklist ${HOME}/.steam
+nodeny  ${HOME}/.Steam
+nodeny  ${HOME}/.config/viewnior
+nodeny  ${HOME}/.steam
 
-blacklist ${HOME}/.bashrc
+deny  ${HOME}/.bashrc
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/viking.profile b/etc/profile-m-z/viking.profile
index 8f8ef5939..b16f691d6 100644
--- a/etc/profile-m-z/viking.profile
+++ b/etc/profile-m-z/viking.profile
@@ -6,9 +6,9 @@ include viking.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.viking
-noblacklist ${HOME}/.viking-maps
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.viking
+nodeny  ${HOME}/.viking-maps
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/vim.profile b/etc/profile-m-z/vim.profile
index c3cfe5980..b535225dd 100644
--- a/etc/profile-m-z/vim.profile
+++ b/etc/profile-m-z/vim.profile
@@ -6,9 +6,9 @@ include vim.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.vim
-noblacklist ${HOME}/.viminfo
-noblacklist ${HOME}/.vimrc
+nodeny  ${HOME}/.vim
+nodeny  ${HOME}/.viminfo
+nodeny  ${HOME}/.vimrc
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index c22fb0ff9..f28828338 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -6,12 +6,12 @@ include virtualbox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.VirtualBox
-noblacklist ${HOME}/.config/VirtualBox
-noblacklist ${HOME}/VirtualBox VMs
+nodeny  ${HOME}/.VirtualBox
+nodeny  ${HOME}/.config/VirtualBox
+nodeny  ${HOME}/VirtualBox VMs
 # noblacklist /usr/bin/virtualbox
-noblacklist /usr/lib/virtualbox
-noblacklist /usr/lib64/virtualbox
+nodeny  /usr/lib/virtualbox
+nodeny  /usr/lib64/virtualbox
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,10 +23,10 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/VirtualBox
 mkdir ${HOME}/VirtualBox VMs
-whitelist ${HOME}/.config/VirtualBox
-whitelist ${HOME}/VirtualBox VMs
-whitelist ${DOWNLOADS}
-whitelist /usr/share/virtualbox
+allow  ${HOME}/.config/VirtualBox
+allow  ${HOME}/VirtualBox VMs
+allow  ${DOWNLOADS}
+allow  /usr/share/virtualbox
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/vivaldi.profile b/etc/profile-m-z/vivaldi.profile
index fdeb0307f..3858405db 100644
--- a/etc/profile-m-z/vivaldi.profile
+++ b/etc/profile-m-z/vivaldi.profile
@@ -8,26 +8,26 @@ include globals.local
 # Allow HTML5 Proprietary Media & DRM/EME (Widevine)
 ignore apparmor
 ignore noexec /var
-noblacklist /var/opt
-whitelist /var/opt/vivaldi
+nodeny  /var/opt
+allow  /var/opt/vivaldi
 writable-var
 
-noblacklist ${HOME}/.cache/vivaldi
-noblacklist ${HOME}/.cache/vivaldi-snapshot
-noblacklist ${HOME}/.config/vivaldi
-noblacklist ${HOME}/.config/vivaldi-snapshot
-noblacklist ${HOME}/.local/lib/vivaldi
+nodeny  ${HOME}/.cache/vivaldi
+nodeny  ${HOME}/.cache/vivaldi-snapshot
+nodeny  ${HOME}/.config/vivaldi
+nodeny  ${HOME}/.config/vivaldi-snapshot
+nodeny  ${HOME}/.local/lib/vivaldi
 
 mkdir ${HOME}/.cache/vivaldi
 mkdir ${HOME}/.cache/vivaldi-snapshot
 mkdir ${HOME}/.config/vivaldi
 mkdir ${HOME}/.config/vivaldi-snapshot
 mkdir ${HOME}/.local/lib/vivaldi
-whitelist ${HOME}/.cache/vivaldi
-whitelist ${HOME}/.cache/vivaldi-snapshot
-whitelist ${HOME}/.config/vivaldi
-whitelist ${HOME}/.config/vivaldi-snapshot
-whitelist ${HOME}/.local/lib/vivaldi
+allow  ${HOME}/.cache/vivaldi
+allow  ${HOME}/.cache/vivaldi-snapshot
+allow  ${HOME}/.config/vivaldi
+allow  ${HOME}/.config/vivaldi-snapshot
+allow  ${HOME}/.local/lib/vivaldi
 
 #private-bin bash,cat,dirname,readlink,rm,vivaldi,vivaldi-stable,vivaldi-snapshot
 
diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile
index cd7dccd8a..ede2d4525 100644
--- a/etc/profile-m-z/vlc.profile
+++ b/etc/profile-m-z/vlc.profile
@@ -6,10 +6,10 @@ include vlc.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/vlc
-noblacklist ${HOME}/.config/vlc
-noblacklist ${HOME}/.config/aacs
-noblacklist ${HOME}/.local/share/vlc
+nodeny  ${HOME}/.cache/vlc
+nodeny  ${HOME}/.config/vlc
+nodeny  ${HOME}/.config/aacs
+nodeny  ${HOME}/.local/share/vlc
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,10 +22,10 @@ read-only ${DESKTOP}
 mkdir ${HOME}/.cache/vlc
 mkdir ${HOME}/.config/vlc
 mkdir ${HOME}/.local/share/vlc
-whitelist ${HOME}/.cache/vlc
-whitelist ${HOME}/.config/vlc
-whitelist ${HOME}/.config/aacs
-whitelist ${HOME}/.local/share/vlc
+allow  ${HOME}/.cache/vlc
+allow  ${HOME}/.config/vlc
+allow  ${HOME}/.config/aacs
+allow  ${HOME}/.local/share/vlc
 include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/vmware-view.profile b/etc/profile-m-z/vmware-view.profile
index f07c31b68..f23e90e84 100644
--- a/etc/profile-m-z/vmware-view.profile
+++ b/etc/profile-m-z/vmware-view.profile
@@ -6,10 +6,10 @@ include vmware-view.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.vmware
+nodeny  ${HOME}/.vmware
 
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/sbin
 
 include allow-bin-sh.inc
 
@@ -23,7 +23,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.vmware
-whitelist ${HOME}/.vmware
+allow  ${HOME}/.vmware
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
index 5241e27b3..3a535588f 100644
--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -6,8 +6,8 @@ include vmware.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/vmware
-noblacklist ${HOME}/.vmware
+nodeny  ${HOME}/.cache/vmware
+nodeny  ${HOME}/.vmware
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/vmware
 mkdir ${HOME}/.vmware
-whitelist ${HOME}/.cache/vmware
-whitelist ${HOME}/.vmware
+allow  ${HOME}/.cache/vmware
+allow  ${HOME}/.vmware
 # Add the next lines to your vmware.local if you need to use "shared VM".
 #whitelist /var/lib/vmware
 #writable-var
diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile
index a4a4fb7d8..7996113f5 100644
--- a/etc/profile-m-z/vscodium.profile
+++ b/etc/profile-m-z/vscodium.profile
@@ -6,7 +6,7 @@ include vscodium.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.VSCodium
+nodeny  ${HOME}/.VSCodium
 
 # Redirect
 include code.profile
diff --git a/etc/profile-m-z/vulturesclaw.profile b/etc/profile-m-z/vulturesclaw.profile
index fa6ddf1fb..a6c38c1f1 100644
--- a/etc/profile-m-z/vulturesclaw.profile
+++ b/etc/profile-m-z/vulturesclaw.profile
@@ -6,8 +6,8 @@ include vulturesclaw.local
 # added by included profile
 #include globals.local
 
-noblacklist /var/games/vulturesclaw
-whitelist /var/games/vulturesclaw
+nodeny  /var/games/vulturesclaw
+allow  /var/games/vulturesclaw
 
 # Redirect
 include nethack-vultures.profile
diff --git a/etc/profile-m-z/vultureseye.profile b/etc/profile-m-z/vultureseye.profile
index 49d3fa94f..763c50bf6 100644
--- a/etc/profile-m-z/vultureseye.profile
+++ b/etc/profile-m-z/vultureseye.profile
@@ -6,8 +6,8 @@ include vultureseye.local
 # added by included profile
 #include globals.local
 
-noblacklist /var/games/vultureseye
-whitelist /var/games/vultureseye
+nodeny  /var/games/vultureseye
+allow  /var/games/vultureseye
 
 # Redirect
 include nethack-vultures.profile
diff --git a/etc/profile-m-z/vym.profile b/etc/profile-m-z/vym.profile
index 5421c4e4b..1f2462c32 100644
--- a/etc/profile-m-z/vym.profile
+++ b/etc/profile-m-z/vym.profile
@@ -6,7 +6,7 @@ include vym.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/InSilmaril
+nodeny  ${HOME}/.config/InSilmaril
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
index 69b2c6c59..6b38bbf13 100644
--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -12,10 +12,10 @@ include globals.local
 #ignore private-dev
 #ignore private-etc
 
-noblacklist ${HOME}/.w3m
+nodeny  ${HOME}/.w3m
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
@@ -33,9 +33,9 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.w3m
-whitelist /usr/share/w3m
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.w3m
+allow  /usr/share/w3m
+allow  ${DOWNLOADS}
+allow  ${HOME}/.w3m
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile
index 1227a202c..6658ac5db 100644
--- a/etc/profile-m-z/warmux.profile
+++ b/etc/profile-m-z/warmux.profile
@@ -6,9 +6,9 @@ include warmux.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/wormux
-noblacklist ${HOME}/.local/share/wormux
-noblacklist ${HOME}/.wormux
+nodeny  ${HOME}/.config/wormux
+nodeny  ${HOME}/.local/share/wormux
+nodeny  ${HOME}/.wormux
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,10 +22,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/wormux
 mkdir ${HOME}/.local/share/wormux
 mkdir ${HOME}/.wormux
-whitelist ${HOME}/.config/wormux
-whitelist ${HOME}/.local/share/wormux
-whitelist ${HOME}/.wormux
-whitelist /usr/share/warmux
+allow  ${HOME}/.config/wormux
+allow  ${HOME}/.local/share/wormux
+allow  ${HOME}/.wormux
+allow  /usr/share/warmux
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile
index e0cd3daad..fac4d0555 100644
--- a/etc/profile-m-z/warsow.profile
+++ b/etc/profile-m-z/warsow.profile
@@ -8,8 +8,8 @@ include globals.local
 
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.cache/warsow-2.1
-noblacklist ${HOME}/.local/share/warsow-2.1
+nodeny  ${HOME}/.cache/warsow-2.1
+nodeny  ${HOME}/.local/share/warsow-2.1
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,9 +22,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/warsow-2.1
 mkdir ${HOME}/.local/share/warsow-2.1
-whitelist ${HOME}/.cache/warsow-2.1
-whitelist ${HOME}/.local/share/warsow-2.1
-whitelist /usr/share/warsow
+allow  ${HOME}/.cache/warsow-2.1
+allow  ${HOME}/.local/share/warsow-2.1
+allow  /usr/share/warsow
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index 420e8927e..081ae349b 100644
--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -6,7 +6,7 @@ include warzone2100.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.warzone2100-3.*
+nodeny  ${HOME}/.warzone2100-3.*
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,9 +18,9 @@ include disable-shell.inc
 
 mkdir ${HOME}/.warzone2100-3.1
 mkdir ${HOME}/.warzone2100-3.2
-whitelist ${HOME}/.warzone2100-3.1
-whitelist ${HOME}/.warzone2100-3.2
-whitelist /usr/share/games
+allow  ${HOME}/.warzone2100-3.1
+allow  ${HOME}/.warzone2100-3.2
+allow  /usr/share/games
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/waterfox.profile b/etc/profile-m-z/waterfox.profile
index 18f1ca79a..4081b29b9 100644
--- a/etc/profile-m-z/waterfox.profile
+++ b/etc/profile-m-z/waterfox.profile
@@ -5,13 +5,13 @@ include waterfox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/waterfox
-noblacklist ${HOME}/.waterfox
+nodeny  ${HOME}/.cache/waterfox
+nodeny  ${HOME}/.waterfox
 
 mkdir ${HOME}/.cache/waterfox
 mkdir ${HOME}/.waterfox
-whitelist ${HOME}/.cache/waterfox
-whitelist ${HOME}/.waterfox
+allow  ${HOME}/.cache/waterfox
+allow  ${HOME}/.waterfox
 
 # Add the next lines to your watefox.local if you want to use the migration wizard.
 #noblacklist ${HOME}/.mozilla
diff --git a/etc/profile-m-z/webstorm.profile b/etc/profile-m-z/webstorm.profile
index 69e96d0cd..1f42dae2c 100644
--- a/etc/profile-m-z/webstorm.profile
+++ b/etc/profile-m-z/webstorm.profile
@@ -5,12 +5,12 @@ include webstorm.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.WebStorm*
-noblacklist ${HOME}/.android
-noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.tooling
+nodeny  ${HOME}/.WebStorm*
+nodeny  ${HOME}/.android
+nodeny  ${HOME}/.local/share/JetBrains
+nodeny  ${HOME}/.tooling
 # Allow KDE file manager to open with log directories (blacklisted by disable-programs.inc)
-noblacklist ${HOME}/.config/dolphinrc
+nodeny  ${HOME}/.config/dolphinrc
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
@@ -18,8 +18,8 @@ include allow-common-devel.inc
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
-noblacklist ${PATH}/node
-noblacklist ${HOME}/.nvm
+nodeny  ${PATH}/node
+nodeny  ${HOME}/.nvm
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/webui-aria2.profile b/etc/profile-m-z/webui-aria2.profile
index d5a998f35..d1bbcfb67 100644
--- a/etc/profile-m-z/webui-aria2.profile
+++ b/etc/profile-m-z/webui-aria2.profile
@@ -6,7 +6,7 @@ include webui-aria2.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PATH}/node
+nodeny  ${PATH}/node
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/weechat.profile b/etc/profile-m-z/weechat.profile
index 76935212f..99941a590 100644
--- a/etc/profile-m-z/weechat.profile
+++ b/etc/profile-m-z/weechat.profile
@@ -6,12 +6,12 @@ include weechat.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.weechat
+nodeny  ${HOME}/.weechat
 
 include disable-common.inc
 include disable-programs.inc
 
-whitelist /usr/share/weechat
+allow  /usr/share/weechat
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/wesnoth.profile b/etc/profile-m-z/wesnoth.profile
index 199b3c6f0..47b923e6a 100644
--- a/etc/profile-m-z/wesnoth.profile
+++ b/etc/profile-m-z/wesnoth.profile
@@ -6,9 +6,9 @@ include wesnoth.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/wesnoth
-noblacklist ${HOME}/.config/wesnoth
-noblacklist ${HOME}/.local/share/wesnoth
+nodeny  ${HOME}/.cache/wesnoth
+nodeny  ${HOME}/.config/wesnoth
+nodeny  ${HOME}/.local/share/wesnoth
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,9 +19,9 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/wesnoth
 mkdir ${HOME}/.config/wesnoth
 mkdir ${HOME}/.local/share/wesnoth
-whitelist ${HOME}/.cache/wesnoth
-whitelist ${HOME}/.config/wesnoth
-whitelist ${HOME}/.local/share/wesnoth
+allow  ${HOME}/.cache/wesnoth
+allow  ${HOME}/.config/wesnoth
+allow  ${HOME}/.local/share/wesnoth
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile
index 53c4711bd..3c4a4eb63 100644
--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -7,12 +7,12 @@ include wget.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.netrc
-noblacklist ${HOME}/.wget-hsts
-noblacklist ${HOME}/.wgetrc
+nodeny  ${HOME}/.netrc
+nodeny  ${HOME}/.wget-hsts
+nodeny  ${HOME}/.wgetrc
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile
index 22a84274d..fdbd406c2 100644
--- a/etc/profile-m-z/whalebird.profile
+++ b/etc/profile-m-z/whalebird.profile
@@ -13,10 +13,10 @@ ignore include whitelist-usr-share-common.inc
 ignore dbus-user none
 ignore dbus-system none
 
-noblacklist ${HOME}/.config/Whalebird
+nodeny  ${HOME}/.config/Whalebird
 
 mkdir ${HOME}/.config/Whalebird
-whitelist ${HOME}/.config/Whalebird
+allow  ${HOME}/.config/Whalebird
 
 no3d
 
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index 93871a5a4..35d7fe9cb 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -7,8 +7,8 @@ include whois.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/widelands.profile b/etc/profile-m-z/widelands.profile
index 0dc26b11d..8f5adb0fc 100644
--- a/etc/profile-m-z/widelands.profile
+++ b/etc/profile-m-z/widelands.profile
@@ -6,7 +6,7 @@ include widelands.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.widelands
+nodeny  ${HOME}/.widelands
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.widelands
-whitelist ${HOME}/.widelands
+allow  ${HOME}/.widelands
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile
index 0ea24aafd..6bc68c829 100644
--- a/etc/profile-m-z/wine.profile
+++ b/etc/profile-m-z/wine.profile
@@ -6,13 +6,13 @@ include wine.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/winetricks
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.local/share/Steam
-noblacklist ${HOME}/.local/share/steam
-noblacklist ${HOME}/.steam
-noblacklist ${HOME}/.wine
-noblacklist /tmp/.wine-*
+nodeny  ${HOME}/.cache/winetricks
+nodeny  ${HOME}/.Steam
+nodeny  ${HOME}/.local/share/Steam
+nodeny  ${HOME}/.local/share/steam
+nodeny  ${HOME}/.steam
+nodeny  ${HOME}/.wine
+nodeny  /tmp/.wine-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
index 151cd2adb..5f40bbd48 100644
--- a/etc/profile-m-z/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -20,10 +20,10 @@ ignore private-cache
 ignore dbus-user none
 ignore dbus-system none
 
-noblacklist ${HOME}/.config/Wire
+nodeny  ${HOME}/.config/Wire
 
 mkdir ${HOME}/.config/Wire
-whitelist ${HOME}/.config/Wire
+allow  ${HOME}/.config/Wire
 
 private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop
 private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile
index 1824026a8..f3f347283 100644
--- a/etc/profile-m-z/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -6,9 +6,9 @@ include wireshark.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/wireshark
-noblacklist ${HOME}/.wireshark
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/wireshark
+nodeny  ${HOME}/.wireshark
+nodeny  ${DOCUMENTS}
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -21,7 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/wireshark
+allow  /usr/share/wireshark
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile
index 9c724a5d2..1f1541a20 100644
--- a/etc/profile-m-z/wordwarvi.profile
+++ b/etc/profile-m-z/wordwarvi.profile
@@ -6,7 +6,7 @@ include wordwarvi.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.wordwarvi
+nodeny  ${HOME}/.wordwarvi
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.wordwarvi
-whitelist ${HOME}/.wordwarvi
-whitelist /usr/share/wordwarvi
+allow  ${HOME}/.wordwarvi
+allow  /usr/share/wordwarvi
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/wps.profile b/etc/profile-m-z/wps.profile
index a44b6490e..6d16dfb04 100644
--- a/etc/profile-m-z/wps.profile
+++ b/etc/profile-m-z/wps.profile
@@ -6,9 +6,9 @@ include wps.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.kingsoft
-noblacklist ${HOME}/.config/Kingsoft
-noblacklist ${HOME}/.local/share/Kingsoft
+nodeny  ${HOME}/.kingsoft
+nodeny  ${HOME}/.config/Kingsoft
+nodeny  ${HOME}/.local/share/Kingsoft
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/x2goclient.profile b/etc/profile-m-z/x2goclient.profile
index 557f07cd9..311746cd9 100644
--- a/etc/profile-m-z/x2goclient.profile
+++ b/etc/profile-m-z/x2goclient.profile
@@ -6,8 +6,8 @@ include x2goclient.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.x2go
-noblacklist ${HOME}/.x2goclient
+nodeny  ${HOME}/.x2go
+nodeny  ${HOME}/.x2goclient
 
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile
index 384f76acc..e545aa3a0 100644
--- a/etc/profile-m-z/xbill.profile
+++ b/etc/profile-m-z/xbill.profile
@@ -15,8 +15,8 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/xbill
-whitelist /var/games/xbill/scores
+allow  /usr/share/xbill
+allow  /var/games/xbill/scores
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/xchat.profile b/etc/profile-m-z/xchat.profile
index a94444aab..7d0adbcc2 100644
--- a/etc/profile-m-z/xchat.profile
+++ b/etc/profile-m-z/xchat.profile
@@ -6,7 +6,7 @@ include xchat.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/xchat
+nodeny  ${HOME}/.config/xchat
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xed.profile b/etc/profile-m-z/xed.profile
index 4a3022e83..5db709bd1 100644
--- a/etc/profile-m-z/xed.profile
+++ b/etc/profile-m-z/xed.profile
@@ -5,10 +5,10 @@ include xed.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/xed
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
+nodeny  ${HOME}/.config/xed
+nodeny  ${HOME}/.python-history
+nodeny  ${HOME}/.python_history
+nodeny  ${HOME}/.pythonhist
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/xfburn.profile b/etc/profile-m-z/xfburn.profile
index cd9561e74..297ff6164 100644
--- a/etc/profile-m-z/xfburn.profile
+++ b/etc/profile-m-z/xfburn.profile
@@ -6,7 +6,7 @@ include xfburn.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/xfburn
+nodeny  ${HOME}/.config/xfburn
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xfce4-dict.profile b/etc/profile-m-z/xfce4-dict.profile
index ecd321c7e..8ecd84116 100644
--- a/etc/profile-m-z/xfce4-dict.profile
+++ b/etc/profile-m-z/xfce4-dict.profile
@@ -6,7 +6,7 @@ include xfce4-dict.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/xfce4-dict
+nodeny  ${HOME}/.config/xfce4-dict
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index bb38dbebd..8a6f9e921 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -6,7 +6,7 @@ include xfce4-mixer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
+nodeny  ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,10 +18,10 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
-whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
-whitelist /usr/share/gstreamer-*
-whitelist /usr/share/xfce4
-whitelist /usr/share/xfce4-mixer
+allow  ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
+allow  /usr/share/gstreamer-*
+allow  /usr/share/xfce4
+allow  /usr/share/xfce4-mixer
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/xfce4-notes.profile b/etc/profile-m-z/xfce4-notes.profile
index ebfb4333c..fe88f9b27 100644
--- a/etc/profile-m-z/xfce4-notes.profile
+++ b/etc/profile-m-z/xfce4-notes.profile
@@ -6,9 +6,9 @@ include xfce4-notes.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc
-noblacklist ${HOME}/.config/xfce4/xfce4-notes.rc
-noblacklist ${HOME}/.local/share/notes
+nodeny  ${HOME}/.config/xfce4/xfce4-notes.gtkrc
+nodeny  ${HOME}/.config/xfce4/xfce4-notes.rc
+nodeny  ${HOME}/.local/share/notes
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
index b1e5bafbf..baf222354 100644
--- a/etc/profile-m-z/xfce4-screenshooter.profile
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -6,7 +6,7 @@ include xfce4-screenshooter.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PICTURES}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/xfce4
+allow  /usr/share/xfce4
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/xiphos.profile b/etc/profile-m-z/xiphos.profile
index 81d98db7a..5c11cbd66 100644
--- a/etc/profile-m-z/xiphos.profile
+++ b/etc/profile-m-z/xiphos.profile
@@ -6,10 +6,10 @@ include xiphos.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.sword
-noblacklist ${HOME}/.xiphos
+nodeny  ${HOME}/.sword
+nodeny  ${HOME}/.xiphos
 
-blacklist ${HOME}/.bashrc
+deny  ${HOME}/.bashrc
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,8 +21,8 @@ include disable-shell.inc
 
 mkdir ${HOME}/.sword
 mkdir ${HOME}/.xiphos
-whitelist ${HOME}/.sword
-whitelist ${HOME}/.xiphos
+allow  ${HOME}/.sword
+allow  ${HOME}/.xiphos
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/xlinks.profile b/etc/profile-m-z/xlinks.profile
index d5e25cfe7..da4801101 100644
--- a/etc/profile-m-z/xlinks.profile
+++ b/etc/profile-m-z/xlinks.profile
@@ -7,7 +7,7 @@ include xlinks.local
 # added by included profile
 #include globals.local
 
-noblacklist /tmp/.X11-unix
+nodeny  /tmp/.X11-unix
 
 include whitelist-common.inc
 
diff --git a/etc/profile-m-z/xlinks2 b/etc/profile-m-z/xlinks2
index 1ae6a60ca..a7612cb2a 100644
--- a/etc/profile-m-z/xlinks2
+++ b/etc/profile-m-z/xlinks2
@@ -7,7 +7,7 @@ include xlinks2.local
 # added by included profile
 #include globals.local
 
-noblacklist /tmp/.X11-unix
+nodeny  /tmp/.X11-unix
 
 include whitelist-common.inc
 
diff --git a/etc/profile-m-z/xmms.profile b/etc/profile-m-z/xmms.profile
index 25261d925..1ed35f29a 100644
--- a/etc/profile-m-z/xmms.profile
+++ b/etc/profile-m-z/xmms.profile
@@ -5,8 +5,8 @@ include xmms.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.xmms
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.xmms
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile
index e7020f36b..c97c12f56 100644
--- a/etc/profile-m-z/xmr-stak.profile
+++ b/etc/profile-m-z/xmr-stak.profile
@@ -5,7 +5,7 @@ include xmr-stak.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.xmr-stak
+nodeny  ${HOME}/.xmr-stak
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile
index 53c9a0a08..94a09198c 100644
--- a/etc/profile-m-z/xonotic.profile
+++ b/etc/profile-m-z/xonotic.profile
@@ -6,7 +6,7 @@ include xonotic.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.xonotic
+nodeny  ${HOME}/.xonotic
 
 include allow-bin-sh.inc
 include allow-opengl-game.inc
@@ -21,8 +21,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.xonotic
-whitelist ${HOME}/.xonotic
-whitelist /usr/share/xonotic
+allow  ${HOME}/.xonotic
+allow  /usr/share/xonotic
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile
index c4f092d50..34a188a4e 100644
--- a/etc/profile-m-z/xournal.profile
+++ b/etc/profile-m-z/xournal.profile
@@ -6,7 +6,7 @@ include xournal.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/xournal
-whitelist /usr/share/poppler
+allow  /usr/share/xournal
+allow  /usr/share/poppler
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/xournalpp.profile b/etc/profile-m-z/xournalpp.profile
index 988b878b9..f82d2a5d3 100644
--- a/etc/profile-m-z/xournalpp.profile
+++ b/etc/profile-m-z/xournalpp.profile
@@ -7,13 +7,13 @@ include xournalpp.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.xournalpp
+nodeny  ${HOME}/.xournalpp
 
 include allow-lua.inc
 
-whitelist /usr/share/texlive
-whitelist /usr/share/xournalpp
-whitelist /var/lib/texmf
+allow  /usr/share/texlive
+allow  /usr/share/xournalpp
+allow  /var/lib/texmf
 include whitelist-runuser-common.inc
 
 #mkdir ${HOME}/.xournalpp
diff --git a/etc/profile-m-z/xpdf.profile b/etc/profile-m-z/xpdf.profile
index 1447ec9a7..9da63b52a 100644
--- a/etc/profile-m-z/xpdf.profile
+++ b/etc/profile-m-z/xpdf.profile
@@ -6,8 +6,8 @@ include xpdf.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.xpdfrc
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.xpdfrc
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile
index c3bb3292c..4af4586e3 100644
--- a/etc/profile-m-z/xplayer.profile
+++ b/etc/profile-m-z/xplayer.profile
@@ -5,8 +5,8 @@ include xplayer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/xplayer
-noblacklist ${HOME}/.local/share/xplayer
+nodeny  ${HOME}/.config/xplayer
+nodeny  ${HOME}/.local/share/xplayer
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,8 +22,8 @@ include disable-programs.inc
 read-only ${DESKTOP}
 mkdir ${HOME}/.config/xplayer
 mkdir ${HOME}/.local/share/xplayer
-whitelist ${HOME}/.config/xplayer
-whitelist ${HOME}/.local/share/xplayer
+allow  ${HOME}/.config/xplayer
+allow  ${HOME}/.local/share/xplayer
 include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/xpra.profile b/etc/profile-m-z/xpra.profile
index 6e409e1aa..28fbc94dd 100644
--- a/etc/profile-m-z/xpra.profile
+++ b/etc/profile-m-z/xpra.profile
@@ -25,7 +25,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /var/lib/xkb
+allow  /var/lib/xkb
 # whitelisting home directory, or including whitelist-common.inc
 # will crash xpra on some platforms
 
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile
index 3ab35edfc..440f26af2 100644
--- a/etc/profile-m-z/xreader.profile
+++ b/etc/profile-m-z/xreader.profile
@@ -6,9 +6,9 @@ include xreader.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/xreader
-noblacklist ${HOME}/.config/xreader
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.cache/xreader
+nodeny  ${HOME}/.config/xreader
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xviewer.profile b/etc/profile-m-z/xviewer.profile
index 4d454f81c..671e0cf5b 100644
--- a/etc/profile-m-z/xviewer.profile
+++ b/etc/profile-m-z/xviewer.profile
@@ -5,10 +5,10 @@ include xviewer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.config/xviewer
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ${HOME}/.steam
+nodeny  ${HOME}/.Steam
+nodeny  ${HOME}/.config/xviewer
+nodeny  ${HOME}/.local/share/Trash
+nodeny  ${HOME}/.steam
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/yandex-browser.profile b/etc/profile-m-z/yandex-browser.profile
index 81cd021f7..27d0eb411 100644
--- a/etc/profile-m-z/yandex-browser.profile
+++ b/etc/profile-m-z/yandex-browser.profile
@@ -10,19 +10,19 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/yandex-browser
-noblacklist ${HOME}/.cache/yandex-browser-beta
-noblacklist ${HOME}/.config/yandex-browser
-noblacklist ${HOME}/.config/yandex-browser-beta
+nodeny  ${HOME}/.cache/yandex-browser
+nodeny  ${HOME}/.cache/yandex-browser-beta
+nodeny  ${HOME}/.config/yandex-browser
+nodeny  ${HOME}/.config/yandex-browser-beta
 
 mkdir ${HOME}/.cache/yandex-browser
 mkdir ${HOME}/.cache/yandex-browser-beta
 mkdir ${HOME}/.config/yandex-browser
 mkdir ${HOME}/.config/yandex-browser-beta
-whitelist ${HOME}/.cache/yandex-browser
-whitelist ${HOME}/.cache/yandex-browser-beta
-whitelist ${HOME}/.config/yandex-browser
-whitelist ${HOME}/.config/yandex-browser-beta
+allow  ${HOME}/.cache/yandex-browser
+allow  ${HOME}/.cache/yandex-browser-beta
+allow  ${HOME}/.config/yandex-browser
+allow  ${HOME}/.config/yandex-browser-beta
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index dee154409..b288993f2 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -6,7 +6,7 @@ include yelp.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/yelp
+nodeny  ${HOME}/.config/yelp
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,15 +18,15 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/yelp
-whitelist ${HOME}/.config/yelp
-whitelist /usr/libexec/webkit2gtk-4.0
-whitelist /usr/share/doc
-whitelist /usr/share/groff
-whitelist /usr/share/help
-whitelist /usr/share/man
-whitelist /usr/share/yelp
-whitelist /usr/share/yelp-tools
-whitelist /usr/share/yelp-xsl
+allow  ${HOME}/.config/yelp
+allow  /usr/libexec/webkit2gtk-4.0
+allow  /usr/share/doc
+allow  /usr/share/groff
+allow  /usr/share/help
+allow  /usr/share/man
+allow  /usr/share/yelp
+allow  /usr/share/yelp-tools
+allow  /usr/share/yelp-xsl
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/youtube-dl-gui.profile b/etc/profile-m-z/youtube-dl-gui.profile
index b52271a2c..26ea3acaa 100644
--- a/etc/profile-m-z/youtube-dl-gui.profile
+++ b/etc/profile-m-z/youtube-dl-gui.profile
@@ -8,7 +8,7 @@ include globals.local
 include allow-python2.inc
 include allow-python3.inc
 
-noblacklist ${HOME}/.config/youtube-dlg
+nodeny  ${HOME}/.config/youtube-dlg
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,8 +20,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/youtube-dlg
-whitelist ${HOME}/.config/youtube-dlg
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.config/youtube-dlg
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index 24c4d6db3..37f87d0b5 100644
--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -10,18 +10,18 @@ include globals.local
 # breaks when installed under ${HOME} via `pip install --user` (see #2833)
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.cache/youtube-dl
-noblacklist ${HOME}/.config/youtube-dl
-noblacklist ${HOME}/.netrc
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.cache/youtube-dl
+nodeny  ${HOME}/.config/youtube-dl
+nodeny  ${HOME}/.netrc
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
index b54dd37ad..84b8bbc6a 100644
--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -7,13 +7,13 @@ include youtube-viewer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/youtube-viewer
-noblacklist ${HOME}/.config/youtube-viewer
+nodeny  ${HOME}/.cache/youtube-viewer
+nodeny  ${HOME}/.config/youtube-viewer
 
 mkdir ${HOME}/.cache/youtube-viewer
 mkdir ${HOME}/.config/youtube-viewer
-whitelist ${HOME}/.cache/youtube-viewer
-whitelist ${HOME}/.config/youtube-viewer
+allow  ${HOME}/.cache/youtube-viewer
+allow  ${HOME}/.config/youtube-viewer
 
 private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer
 
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
index 25a073d4a..f531f815e 100644
--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -7,7 +7,7 @@ include youtube-viewers-common.local
 # added by caller profile
 #include globals.local
 
-noblacklist ${HOME}/.cache/youtube-dl
+nodeny  ${HOME}/.cache/youtube-dl
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -27,8 +27,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/youtube-dl/youtube-sigfuncs
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
index ad7ceaee4..b015fb013 100644
--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -9,12 +9,12 @@ include globals.local
 # Disabled until someone reported positive feedback
 ignore nou2f
 
-noblacklist ${HOME}/.config/Youtube
+nodeny  ${HOME}/.config/Youtube
 
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Youtube
-whitelist ${HOME}/.config/Youtube
+allow  ${HOME}/.config/Youtube
 
 private-bin youtube
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
index 74b0e38b9..d594a3d0f 100644
--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -6,12 +6,12 @@ include youtube.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/youtubemusic-nativefier-040164
+nodeny  ${HOME}/.config/youtubemusic-nativefier-040164
 
 include disable-shell.inc
 
 mkdir ${HOME}/.config/youtubemusic-nativefier-040164
-whitelist ${HOME}/.config/youtubemusic-nativefier-040164
+allow  ${HOME}/.config/youtubemusic-nativefier-040164
 
 private-bin youtubemusic-nativefier
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
index ab46fccc2..9987c953e 100644
--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -8,10 +8,10 @@ include globals.local
 
 ignore dbus-user none
 
-noblacklist ${HOME}/.config/youtube-music-desktop-app
+nodeny  ${HOME}/.config/youtube-music-desktop-app
 
 mkdir ${HOME}/.config/youtube-music-desktop-app
-whitelist ${HOME}/.config/youtube-music-desktop-app
+allow  ${HOME}/.config/youtube-music-desktop-app
 
 # private-bin env,ytmdesktop
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
diff --git a/etc/profile-m-z/zaproxy.profile b/etc/profile-m-z/zaproxy.profile
index 5a168feb6..2f18a8c45 100644
--- a/etc/profile-m-z/zaproxy.profile
+++ b/etc/profile-m-z/zaproxy.profile
@@ -6,7 +6,7 @@ include zaproxy.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.ZAP
+nodeny  ${HOME}/.ZAP
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -20,8 +20,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/.java
 mkdir ${HOME}/.ZAP
-whitelist ${HOME}/.java
-whitelist ${HOME}/.ZAP
+allow  ${HOME}/.java
+allow  ${HOME}/.ZAP
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/zart.profile b/etc/profile-m-z/zart.profile
index 10f83aa30..32ff4f8ed 100644
--- a/etc/profile-m-z/zart.profile
+++ b/etc/profile-m-z/zart.profile
@@ -6,8 +6,8 @@ include zart.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/zathura.profile b/etc/profile-m-z/zathura.profile
index d0e68c980..4bc841f63 100644
--- a/etc/profile-m-z/zathura.profile
+++ b/etc/profile-m-z/zathura.profile
@@ -6,9 +6,9 @@ include zathura.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/zathura
-noblacklist ${HOME}/.local/share/zathura
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/zathura
+nodeny  ${HOME}/.local/share/zathura
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,8 +22,8 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/zathura
 mkdir ${HOME}/.local/share/zathura
-whitelist /usr/share/doc
-whitelist /usr/share/zathura
+allow  /usr/share/doc
+allow  /usr/share/zathura
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/zcat.profile b/etc/profile-m-z/zcat.profile
index 5de13ab90..904ea9f05 100644
--- a/etc/profile-m-z/zcat.profile
+++ b/etc/profile-m-z/zcat.profile
@@ -9,7 +9,7 @@ include zcat.local
 
 # Allow running kernel config check
 ignore include disable-shell.inc
-noblacklist /proc/config.gz
+nodeny  /proc/config.gz
 
 # Redirect
 include gzip.profile
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile
index 2c6f6910f..458df2a46 100644
--- a/etc/profile-m-z/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -6,9 +6,9 @@ include zeal.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Zeal
-noblacklist ${HOME}/.cache/Zeal
-noblacklist ${HOME}/.local/share/Zeal
+nodeny  ${HOME}/.config/Zeal
+nodeny  ${HOME}/.cache/Zeal
+nodeny  ${HOME}/.local/share/Zeal
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,9 +23,9 @@ mkdir ${HOME}/.cache/Zeal
 mkdir ${HOME}/.config/qt5ct
 mkdir ${HOME}/.config/Zeal
 mkdir ${HOME}/.local/share/Zeal
-whitelist ${HOME}/.cache/Zeal
-whitelist ${HOME}/.config/Zeal
-whitelist ${HOME}/.local/share/Zeal
+allow  ${HOME}/.cache/Zeal
+allow  ${HOME}/.config/Zeal
+allow  ${HOME}/.local/share/Zeal
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/zgrep.profile b/etc/profile-m-z/zgrep.profile
index f63dc871f..e2dfbd105 100644
--- a/etc/profile-m-z/zgrep.profile
+++ b/etc/profile-m-z/zgrep.profile
@@ -9,7 +9,7 @@ include zgrep.local
 
 # Allow running kernel config check
 ignore include disable-shell.inc
-noblacklist /proc/config.gz
+nodeny  /proc/config.gz
 
 # Redirect
 include gzip.profile
diff --git a/etc/profile-m-z/zim.profile b/etc/profile-m-z/zim.profile
new file mode 100644
index 000000000..5ae9cddb3
--- /dev/null
+++ b/etc/profile-m-z/zim.profile
@@ -0,0 +1,72 @@
+# Firejail profile for Zim
+# Description: Desktop wiki & notekeeper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zim.local
+# Persistent global definitions
+include globals.local
+
+nodeny ${HOME}/.cache/zim
+nodeny ${HOME}/.config/zim
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+deny /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.cache/zim
+mkdir ${HOME}/.config/zim
+mkdir ${HOME}/Notebooks
+allow ${HOME}/.cache/zim
+allow ${HOME}/.config/zim
+allow ${HOME}/Notebooks
+allow ${DESKTOP}
+allow ${DOCUMENTS}
+allow ${DOWNLOADS}
+allow ${MUSIC}
+allow ${PICTURES}
+allow ${VIDEOS}
+allow /usr/share/zim
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin python*,zim
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile
index ac615d861..6b0417b56 100644
--- a/etc/profile-m-z/zoom.profile
+++ b/etc/profile-m-z/zoom.profile
@@ -16,17 +16,17 @@ ignore dbus-system none
 # If you use such a system, add 'ignore nogroups' to your zoom.local.
 #ignore nogroups
 
-noblacklist ${HOME}/.config/zoomus.conf
-noblacklist ${HOME}/.zoom
+nodeny  ${HOME}/.config/zoomus.conf
+nodeny  ${HOME}/.zoom
 
-nowhitelist ${DOWNLOADS}
+noallow  ${DOWNLOADS}
 
 mkdir ${HOME}/.cache/zoom
 mkfile ${HOME}/.config/zoomus.conf
 mkdir ${HOME}/.zoom
-whitelist ${HOME}/.cache/zoom
-whitelist ${HOME}/.config/zoomus.conf
-whitelist ${HOME}/.zoom
+allow  ${HOME}/.cache/zoom
+allow  ${HOME}/.config/zoomus.conf
+allow  ${HOME}/.zoom
 
 # Disable for now, see https://github.com/netblue30/firejail/issues/3726
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
diff --git a/etc/profile-m-z/zulip.profile b/etc/profile-m-z/zulip.profile
index 093da5212..cdbbdccf1 100644
--- a/etc/profile-m-z/zulip.profile
+++ b/etc/profile-m-z/zulip.profile
@@ -8,7 +8,7 @@ include globals.local
 
 ignore noexec /tmp
 
-noblacklist ${HOME}/.config/Zulip
+nodeny  ${HOME}/.config/Zulip
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,8 +20,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/Zulip
-whitelist ${HOME}/.config/Zulip
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.config/Zulip
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index 0775f60ff..3992c984a 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -33,7 +33,7 @@ Definition of groups
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
-@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
+@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
 @default-nodebuggers=@default,ptrace,personality,process_vm_readv
 @default-keep=execveat,execve,prctl
 @file-system=access,chdir,chmod,close,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
diff --git a/src/common.mk.in b/src/common.mk.in
index f88da55ac..5ae8bf204 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -15,7 +15,6 @@ HAVE_NETWORK=@HAVE_NETWORK@
 HAVE_USERNS=@HAVE_USERNS@
 HAVE_X11=@HAVE_X11@
 HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
-HAVE_WHITELIST=@HAVE_WHITELIST@
 HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
 HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
@@ -42,7 +41,7 @@ BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 8700e0ba1..019c3ac5a 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -182,12 +182,12 @@ static void var_callback(char *ptr) {
 void build_var(const char *fname, FILE *fp) {
         assert(fname);
 
-        var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "whitelist /var/");
+        var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "allow /var/");
         process_files(fname, "/var", var_callback);
 
         // always whitelist /var
         if (var_out)
-                filedb_print(var_out, "whitelist /var/", fp);
+                filedb_print(var_out, "allow /var/", fp);
         fprintf(fp, "include whitelist-var-common.inc\n");
 }
 
@@ -222,12 +222,12 @@ static void share_callback(char *ptr) {
 void build_share(const char *fname, FILE *fp) {
         assert(fname);
 
-        share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "whitelist /usr/share/");
+        share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "allow /usr/share/");
         process_files(fname, "/usr/share", share_callback);
 
         // always whitelist /usr/share
         if (share_out)
-                filedb_print(share_out, "whitelist /usr/share/", fp);
+                filedb_print(share_out, "allow /usr/share/", fp);
         fprintf(fp, "include whitelist-usr-share-common.inc\n");
 }
 
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
index b3ec6cffd..f283a0cce 100644
--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -138,7 +138,7 @@ void build_home(const char *fname, FILE *fp) {
         assert(fname);
 
         // load whitelist common
-        db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "whitelist ${HOME}/");
+        db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "allow ${HOME}/");
 
         // find user home directory
         struct passwd *pw = getpwuid(getuid());
@@ -166,7 +166,7 @@ void build_home(const char *fname, FILE *fp) {
 
         // print the out list if any
         if (db_out) {
-                filedb_print(db_out, "whitelist ${HOME}/", fp);
+                filedb_print(db_out, "allow ${HOME}/", fp);
                 fprintf(fp, "include whitelist-common.inc\n");
         }
         else
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index e58fe39ec..3b0ad0aed 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -45,8 +45,8 @@ amule
 amuled
 android-studio
 anydesk
-apostrophe
 apktool
+apostrophe
 # ar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 arch-audit
 archaudit-report
@@ -142,8 +142,9 @@ claws-mail
 clawsker
 clementine
 clion
-clipit
+clion-eap
 clipgrab
+clipit
 cliqz
 clocks
 cmus
@@ -167,6 +168,7 @@ crow
 cryptocat
 cvlc
 cyberfox
+d-feet
 darktable
 dconf-editor
 ddgr
@@ -197,13 +199,12 @@ dragon
 drawio
 drill
 dropbox
-d-feet
 easystroke
-ebook-viewer
 ebook-convert
 ebook-edit
 ebook-meta
 ebook-polish
+ebook-viewer
 electron-mail
 electrum
 element-desktop
@@ -294,8 +295,8 @@ gimp-2.10
 gimp-2.8
 gist
 gist-paste
-gitg
 git-cola
+gitg
 github-desktop
 gitter
 # gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102
@@ -386,14 +387,15 @@ icecat
 icedove
 iceweasel
 idea
-ideaIC
 idea.sh
+ideaIC
 imagej
 img2txt
 impressive
 inkscape
 inkview
 inox
+io.github.lainsce.Notejot
 ipcalc
 ipcalc-ng
 iridium
@@ -452,6 +454,7 @@ librecad
 libreoffice
 librewolf
 librewolf-nightly
+lifeograph
 liferea
 lightsoff
 lincity-ng
@@ -507,6 +510,7 @@ mendeleydesktop
 menulibre
 meteo-qt
 microsoft-edge
+microsoft-edge-beta
 microsoft-edge-dev
 midori
 min
@@ -523,7 +527,6 @@ mp3splt-gtk
 mp3wrap
 mpDris2
 mpg123
-mpg123.bin
 mpg123-alsa
 mpg123-id3dump
 mpg123-jack
@@ -533,6 +536,7 @@ mpg123-oss
 mpg123-portaudio
 mpg123-pulse
 mpg123-strip
+mpg123.bin
 mplayer
 mpsyt
 mpv
@@ -674,6 +678,7 @@ qupzilla
 qutebrowser
 rambox
 redeclipse
+rednotebook
 redshift
 regextester
 remmina
@@ -734,8 +739,8 @@ steam
 steam-native
 steam-runtime
 stellarium
-strawberry
 straw-viewer
+strawberry
 strings
 studio.sh
 subdownloader
@@ -862,10 +867,10 @@ wire-desktop
 wireshark
 wireshark-gtk
 wireshark-qt
+wordwarvi
 wpp
 wps
 wpspdf
-wordwarvi
 x2goclient
 xbill
 xcalc
@@ -907,6 +912,7 @@ zaproxy
 zart
 zathura
 zeal
+zim
 zoom
 # zpaq - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 # zstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index a96415985..2266fa499 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -21,6 +21,7 @@
 // sudo mount -o loop krita-3.0-x86_64.appimage mnt
 
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/mount.h>
@@ -28,10 +29,6 @@
 #include <linux/loop.h>
 #include <errno.h>
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 static char *devloop = NULL;    // device file
 static long unsigned size = 0;  // offset into appimage file
 #define MAXBUF 4096
@@ -144,9 +141,8 @@ void appimage_set(const char *appimage) {
 
         if (cfg.cwd)
                 env_store_name_val("OWD", cfg.cwd, SETENV);
-#ifdef HAVE_GCOV
+
         __gcov_flush();
-#endif
 #else
         fprintf(stderr, "Error: /dev/loop-control interface is not supported by your kernel\n");
         exit(1);
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 1e9f4b641..06e6f0ccb 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -106,7 +106,6 @@ int checkcfg(int val) {
                         PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt")
                         PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs")
                         PARSE_YESNO(CFG_SECCOMP, "seccomp")
-                        PARSE_YESNO(CFG_WHITELIST, "whitelist")
                         PARSE_YESNO(CFG_NETWORK, "network")
                         PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
                         PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
@@ -342,14 +341,6 @@ void print_compiletime_support(void) {
 #endif
                 );
 
-        printf("\t- file and directory whitelisting support is %s\n",
-#ifdef HAVE_WHITELIST
-                "enabled"
-#else
-                "disabled"
-#endif
-                );
-
         printf("\t- file transfer support is %s\n",
 #ifdef HAVE_FILE_TRANSFER
                 "enabled"
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
index edc31cdea..37ec22117 100644
--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -20,6 +20,7 @@
 
 #ifdef HAVE_CHROOT
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/mount.h>
 #include <sys/sendfile.h>
 #include <errno.h>
@@ -29,10 +30,6 @@
 #define O_PATH 010000000
 #endif
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 // exit if error
 void fs_check_chroot_dir(void) {
         EUID_ASSERT();
@@ -263,9 +260,8 @@ void fs_chroot(const char *rootdir) {
         // update chroot resolv.conf
         update_file(parentfd, "etc/resolv.conf");
 
-#ifdef HAVE_GCOV
         __gcov_flush();
-#endif
+
         // create /run/firejail/mnt/oroot
         char *oroot = RUN_OVERLAY_ROOT;
         if (mkdir(oroot, 0755) == -1)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 9971d30b6..545573c08 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -156,6 +156,8 @@ typedef struct config_t {
 
         // filesystem
         ProfileEntry *profile;
+        ProfileEntry *profile_rebuild_etc;      // blacklist files in /etc directory used by fs_rebuild_etc()
+
 #define MAX_PROFILE_IGNORE 32
         char *profile_ignore[MAX_PROFILE_IGNORE];
         char *chrootdir;        // chroot directory
@@ -625,7 +627,6 @@ void fs_trace(void);
 
 // fs_hostname.c
 void fs_hostname(const char *hostname);
-void fs_resolvconf(void);
 char *fs_check_hosts_file(const char *fname);
 void fs_store_hosts_file(void);
 void fs_mount_hosts_file(void);
@@ -668,6 +669,7 @@ void fs_machineid(void);
 void fs_private_dir_copy(const char *private_dir, const char *private_run_dir, const char *private_list);
 void fs_private_dir_mount(const char *private_dir, const char *private_run_dir);
 void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list);
+void fs_rebuild_etc(void);
 
 // no_sandbox.c
 int check_namespace_virt(void);
@@ -776,7 +778,6 @@ enum {
         CFG_NETWORK,
         CFG_RESTRICTED_NETWORK,
         CFG_FORCE_NONEWPRIVS,
-        CFG_WHITELIST,
         CFG_XEPHYR_WINDOW_TITLE,
         CFG_OVERLAYFS,
         CFG_PRIVATE_BIN,
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 4ae7dbfa4..5ac2da164 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/statvfs.h>
@@ -33,10 +34,6 @@
 #define O_PATH 010000000
 #endif
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 #define MAX_BUF 4096
 #define EMPTY_STRING ("")
 // check noblacklist statements not matched by a proper blacklist in disable-*.inc files
@@ -165,6 +162,19 @@ static void disable_file(OPERATION op, const char *filename) {
                                 fs_logger2("blacklist", fname);
                         else
                                 fs_logger2("blacklist-nolog", fname);
+
+                        // files in /etc will be reprocessed during /etc rebuild
+                        if (strncmp(fname, "/etc/", 5) == 0) {
+                                ProfileEntry *prf = malloc(sizeof(ProfileEntry));
+                                if (!prf)
+                                        errExit("malloc");
+                                memset(prf, 0, sizeof(ProfileEntry));
+                                prf->data = strdup(fname);
+                                if (!prf->data)
+                                        errExit("strdup");
+                                prf->next = cfg.profile_rebuild_etc;
+                                cfg.profile_rebuild_etc = prf;
+                        }
                 }
         }
         else if (op == MOUNT_READONLY || op == MOUNT_RDWR || op == MOUNT_NOEXEC) {
@@ -492,7 +502,7 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
         struct statvfs buf;
         if (fstatvfs(fd, &buf) == -1)
                 errExit("fstatvfs");
-        unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND);
+        unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND|MS_REMOUNT);
         // mount via the symbolic link in /proc/self/fd
         EUID_ROOT();
         char *proc;
@@ -1213,9 +1223,8 @@ void fs_overlayfs(void) {
         fs_logger("whitelist /tmp");
 
         // chroot in the new filesystem
-#ifdef HAVE_GCOV
         __gcov_flush();
-#endif
+
         if (chroot(oroot) == -1)
                 errExit("chroot");
 
@@ -1281,6 +1290,9 @@ void fs_private_tmp(void) {
         // read-only x11 directory
         profile_add("read-only /tmp/.X11-unix");
 
+        // whitelist sndio directory
+        profile_add("whitelist /tmp/sndio");
+
         // whitelist any pulse* file in /tmp directory
         // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user
         DIR *dir;
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index b0e1e1bf1..76054b485 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -24,6 +24,7 @@
 #include <sys/types.h>
 #include <time.h>
 #include <unistd.h>
+#include <dirent.h>
 
 // spoof /etc/machine_id
 void fs_machineid(void) {
@@ -250,3 +251,128 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
         fs_private_dir_mount(private_dir, private_run_dir);
         fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end());
 }
+
+void fs_rebuild_etc(void) {
+        int have_dhcp = 1;
+        if (cfg.dns1 == NULL && !any_dhcp())
+                have_dhcp = 0;
+
+        if (arg_debug)
+                printf("rebuilding /etc directory\n");
+        if (mkdir(RUN_DNS_ETC, 0755))
+                errExit("mkdir");
+        selinux_relabel_path(RUN_DNS_ETC, "/etc");
+        fs_logger("tmpfs /etc");
+
+        DIR *dir = opendir("/etc");
+        if (!dir)
+                errExit("opendir");
+
+        struct stat s;
+        struct dirent *entry;
+        while ((entry = readdir(dir))) {
+                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                        continue;
+
+                // skip files in cfg.profile_rebuild_etc list
+                // these files are already blacklisted
+                {
+                        ProfileEntry *prf = cfg.profile_rebuild_etc;
+                        int found = 0;
+                        while (prf) {
+                                if (strcmp(entry->d_name, prf->data + 5) == 0) { // 5 is strlen("/etc/")
+                                        found = 1;
+                                        break;
+                                }
+                                prf = prf->next;
+                        }
+                        if (found)
+                                continue;
+                }
+
+                // for resolv.conf we might have to  create a brand new file later
+                if (have_dhcp &&
+                    (strcmp(entry->d_name, "resolv.conf") == 0 ||
+                     strcmp(entry->d_name, "resolv.conf.dhclient-new") == 0))
+                        continue;
+//              printf("linking %s\n", entry->d_name);
+
+                char *src;
+                if (asprintf(&src, "/etc/%s", entry->d_name) == -1)
+                        errExit("asprintf");
+                if (stat(src, &s) != 0) {
+                        free(src);
+                        continue;
+                }
+
+                char *dest;
+                if (asprintf(&dest, "%s/%s", RUN_DNS_ETC, entry->d_name) == -1)
+                        errExit("asprintf");
+
+                int symlink_done = 0;
+                if (is_link(src)) {
+                        char *rp =realpath(src, NULL);
+                        if (rp == NULL) {
+                                free(src);
+                                free(dest);
+                                continue;
+                        }
+                        if (symlink(rp, dest))
+                                errExit("symlink");
+                        else
+                                symlink_done = 1;
+                }
+                else if (S_ISDIR(s.st_mode))
+                        create_empty_dir_as_root(dest, s.st_mode);
+                else
+                        create_empty_file_as_root(dest, s.st_mode);
+
+                // bind-mount src on top of dest
+                if (!symlink_done) {
+                        if (mount(src, dest, NULL, MS_BIND|MS_REC, NULL) < 0)
+                                errExit("mount bind mirroring /etc");
+                }
+                fs_logger2("clone", src);
+
+                free(src);
+                free(dest);
+        }
+        closedir(dir);
+
+        // mount bind our private etc directory on top of /etc
+        if (arg_debug)
+                printf("Mount-bind %s on top of /etc\n", RUN_DNS_ETC);
+        if (mount(RUN_DNS_ETC, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mount bind mirroring /etc");
+        fs_logger("mount /etc");
+
+        if (have_dhcp == 0)
+                return;
+
+        if (arg_debug)
+                printf("Creating a new /etc/resolv.conf file\n");
+        FILE *fp = fopen("/etc/resolv.conf", "wxe");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n");
+                exit(1);
+        }
+
+        if (cfg.dns1) {
+                if (any_dhcp())
+                        fwarning("network setup uses DHCP, nameservers will likely be overwritten\n");
+                fprintf(fp, "nameserver %s\n", cfg.dns1);
+        }
+        if (cfg.dns2)
+                fprintf(fp, "nameserver %s\n", cfg.dns2);
+        if (cfg.dns3)
+                fprintf(fp, "nameserver %s\n", cfg.dns3);
+        if (cfg.dns4)
+                fprintf(fp, "nameserver %s\n", cfg.dns4);
+
+        // mode and owner
+        SET_PERMS_STREAM(fp, 0, 0, 0644);
+
+        fclose(fp);
+
+        fs_logger("create /etc/resolv.conf");
+}
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 80046f7ae..1a9a78ceb 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -88,109 +88,6 @@ errexit:
         exit(1);
 }
 
-void fs_resolvconf(void) {
-        if (cfg.dns1 == NULL && !any_dhcp())
-                return;
-
-        if (arg_debug)
-                printf("mirroring /etc directory\n");
-        if (mkdir(RUN_DNS_ETC, 0755))
-                errExit("mkdir");
-        selinux_relabel_path(RUN_DNS_ETC, "/etc");
-        fs_logger("tmpfs /etc");
-
-        DIR *dir = opendir("/etc");
-        if (!dir)
-                errExit("opendir");
-
-        struct stat s;
-        struct dirent *entry;
-        while ((entry = readdir(dir))) {
-                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
-                        continue;
-                // for resolv.conf we create a brand new file
-                if (strcmp(entry->d_name, "resolv.conf") == 0 ||
-        strcmp(entry->d_name, "resolv.conf.dhclient-new") == 0)
-                        continue;
-//              printf("linking %s\n", entry->d_name);
-
-                char *src;
-                if (asprintf(&src, "/etc/%s", entry->d_name) == -1)
-                        errExit("asprintf");
-                if (stat(src, &s) != 0) {
-                        free(src);
-                        continue;
-                }
-
-                char *dest;
-                if (asprintf(&dest, "%s/%s", RUN_DNS_ETC, entry->d_name) == -1)
-                        errExit("asprintf");
-
-                int symlink_done = 0;
-                if (is_link(src)) {
-                        char *rp =realpath(src, NULL);
-                        if (rp == NULL) {
-                                free(src);
-                                free(dest);
-                                continue;
-                        }
-                        if (symlink(rp, dest))
-                                errExit("symlink");
-                        else
-                                symlink_done = 1;
-                }
-                else if (S_ISDIR(s.st_mode))
-                        create_empty_dir_as_root(dest, s.st_mode);
-                else
-                        create_empty_file_as_root(dest, s.st_mode);
-
-                // bind-mount src on top of dest
-                if (!symlink_done) {
-                        if (mount(src, dest, NULL, MS_BIND|MS_REC, NULL) < 0)
-                                errExit("mount bind mirroring /etc");
-                }
-                fs_logger2("clone", src);
-
-                free(src);
-                free(dest);
-        }
-        closedir(dir);
-
-        // mount bind our private etc directory on top of /etc
-        if (arg_debug)
-                printf("Mount-bind %s on top of /etc\n", RUN_DNS_ETC);
-        if (mount(RUN_DNS_ETC, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mount bind mirroring /etc");
-        fs_logger("mount /etc");
-
-        if (arg_debug)
-                printf("Creating a new /etc/resolv.conf file\n");
-        FILE *fp = fopen("/etc/resolv.conf", "wxe");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n");
-                exit(1);
-        }
-
-        if (cfg.dns1) {
-                if (any_dhcp())
-                        fwarning("network setup uses DHCP, nameservers will likely be overwritten\n");
-                fprintf(fp, "nameserver %s\n", cfg.dns1);
-        }
-        if (cfg.dns2)
-                fprintf(fp, "nameserver %s\n", cfg.dns2);
-        if (cfg.dns3)
-                fprintf(fp, "nameserver %s\n", cfg.dns3);
-        if (cfg.dns4)
-                fprintf(fp, "nameserver %s\n", cfg.dns4);
-
-        // mode and owner
-        SET_PERMS_STREAM(fp, 0, 0, 0644);
-
-        fclose(fp);
-
-        fs_logger("create /etc/resolv.conf");
-}
-
 char *fs_check_hosts_file(const char *fname) {
         assert(fname);
         invalid_filename(fname, 0); // no globbing
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index bbc2aa938..4983db0a0 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
@@ -25,10 +26,6 @@
 #include <sys/wait.h>
 #include <string.h>
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 static void check(const char *fname) {
         // manufacture /run/user directory
         char *runuser;
@@ -98,9 +95,9 @@ void fs_mkdir(const char *name) {
 
                 // create directory
                 mkdir_recursive(expanded);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
         // wait for the child to finish
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 6ee557648..70985ba9e 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -19,6 +19,7 @@
 */
 
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
@@ -31,10 +32,6 @@
 //#include <stdio.h>
 //#include <stdlib.h>
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 // uid/gid cache
 static uid_t c_uid = 0;
 static char *c_uid_name = NULL;
@@ -353,9 +350,8 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         ls(fname1);
                 else
                         cat(fname1);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
         }
         // get file from host and store it in the sandbox
         else if (op == SANDBOX_FS_PUT && path2) {
@@ -387,9 +383,9 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         // copy the file
                         if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
-#ifdef HAVE_GCOV
+
                         __gcov_flush();
-#endif
+
                         _exit(0);
                 }
 
@@ -419,9 +415,9 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         // copy the file
                         if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
-#ifdef HAVE_GCOV
+
                         __gcov_flush();
-#endif
+
                         _exit(0);
                 }
 
diff --git a/src/firejail/main.c b/src/firejail/main.c
index a59d508e5..655e6e9d0 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -20,6 +20,7 @@
 #include "firejail.h"
 #include "../include/pid.h"
 #include "../include/firejail_user.h"
+#include "../include/gcov_wrapper.h"
 #include "../include/syscall.h"
 #include "../include/seccomp.h"
 #define _GNU_SOURCE
@@ -44,10 +45,6 @@
 #define O_PATH 010000000
 #endif
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 #ifdef __ia64__
 /* clone(2) has a different interface on ia64, as it needs to know
    the size of the stack */
@@ -1262,9 +1259,9 @@ int main(int argc, char **argv, char **envp) {
                         arg_debug = 1;
                         arg_quiet = 0;
                 }
-                else if (strcmp(argv[i], "--debug-blacklists") == 0)
+                else if (strcmp(argv[i], "--debug-deny") == 0)
                         arg_debug_blacklists = 1;
-                else if (strcmp(argv[i], "--debug-whitelists") == 0)
+                else if (strcmp(argv[i], "--debug-allow") == 0)
                         arg_debug_whitelists = 1;
                 else if (strcmp(argv[i], "--debug-private-lib") == 0)
                         arg_debug_private_lib = 1;
@@ -1564,6 +1561,8 @@ int main(int argc, char **argv, char **envp) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
+
+                // blacklist/deny
                 else if (strncmp(argv[i], "--blacklist=", 12) == 0) {
                         char *line;
                         if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1)
@@ -1572,6 +1571,14 @@ int main(int argc, char **argv, char **envp) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
+                else if (strncmp(argv[i], "--deny=", 7) == 0) {
+                        char *line;
+                        if (asprintf(&line, "blacklist %s", argv[i] + 7) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                        profile_add(line);
+                }
                 else if (strncmp(argv[i], "--noblacklist=", 14) == 0) {
                         char *line;
                         if (asprintf(&line, "noblacklist %s", argv[i] + 14) == -1)
@@ -1580,19 +1587,31 @@ int main(int argc, char **argv, char **envp) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
+                else if (strncmp(argv[i], "--nodeny=", 9) == 0) {
+                        char *line;
+                        if (asprintf(&line, "noblacklist %s", argv[i] + 9) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                        profile_add(line);
+                }
 
-#ifdef HAVE_WHITELIST
+                // whitelist
                 else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
-                        if (checkcfg(CFG_WHITELIST)) {
-                                char *line;
-                                if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
-                                        errExit("asprintf");
+                        char *line;
+                        if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
+                                errExit("asprintf");
 
-                                profile_check_line(line, 0, NULL);      // will exit if something wrong
-                                profile_add(line);
-                        }
-                        else
-                                exit_err_feature("whitelist");
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--allow=", 8) == 0) {
+                        char *line;
+                        if (asprintf(&line, "whitelist %s", argv[i] + 8) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                        profile_add(line);
                 }
                 else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) {
                         char *line;
@@ -1602,7 +1621,16 @@ int main(int argc, char **argv, char **envp) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
-#endif
+                else if (strncmp(argv[i], "--noallow=", 10) == 0) {
+                        char *line;
+                        if (asprintf(&line, "nowhitelist %s", argv[i] + 10) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                        profile_add(line);
+                }
+
+
                 else if (strncmp(argv[i], "--mkdir=", 8) == 0) {
                         char *line;
                         if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1)
@@ -3036,9 +3064,9 @@ int main(int argc, char **argv, char **envp) {
                         network_main(child);
                         if (arg_debug)
                                 printf("Host network configured\n");
-#ifdef HAVE_GCOV
+
                         __gcov_flush();
-#endif
+
                         _exit(0);
                 }
 
diff --git a/src/firejail/output.c b/src/firejail/output.c
index 835dff2db..ce10ab157 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -50,13 +50,21 @@ void check_output(int argc, char **argv) {
         if (!outindex)
                 return;
 
-
-        // check filename
         drop_privs(0);
         char *outfile = argv[outindex];
         outfile += (enable_stderr)? 16:9;
+
+        // check filename
         invalid_filename(outfile, 0); // no globbing
 
+        // expand user home directory
+        if (outfile[0] == '~') {
+                char *full;
+                if (asprintf(&full, "%s%s", cfg.homedir, outfile + 1) == -1)
+                        errExit("asprintf");
+                outfile = full;
+        }
+
         // do not accept directories, links, and files with ".."
         if (strstr(outfile, "..") || is_link(outfile) || is_dir(outfile)) {
                 fprintf(stderr, "Error: invalid output file. Links, directories and files with \"..\" are not allowed.\n");
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 5b1478918..b7c7185a6 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -18,15 +18,12 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include "../include/seccomp.h"
 #include "../include/syscall.h"
 #include <dirent.h>
 #include <sys/stat.h>
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 extern char *xephyr_screen;
 
 #define MAX_READ 8192                             // line buffer for profile files
@@ -1592,22 +1589,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         else if (strncmp(ptr, "noblacklist ", 12) == 0)
                 ptr += 12;
         else if (strncmp(ptr, "whitelist ", 10) == 0) {
-#ifdef HAVE_WHITELIST
-                if (checkcfg(CFG_WHITELIST)) {
-                        arg_whitelist = 1;
-                        ptr += 10;
-                }
-                else {
-                        static int whitelist_warning_printed = 0;
-                        if (!whitelist_warning_printed) {
-                                warning_feature_disabled("whitelist");
-                                whitelist_warning_printed = 1;
-                        }
-                        return 0;
-                }
-#else
-                return 0;
-#endif
+                arg_whitelist = 1;
+                ptr += 10;
         }
         else if (strncmp(ptr, "nowhitelist ", 12) == 0)
                 ptr += 12;
@@ -1753,6 +1736,44 @@ void profile_read(const char *fname) {
                         continue;
                 }
 
+                // translate allow/deny to whitelist/blacklist
+                if (strncmp(ptr, "allow ", 6) == 0) {
+                        char *tmp;
+                        if (asprintf(&tmp, "whitelist %s", ptr + 6) == -1)
+                                errExit("asprintf");
+                        free(ptr);
+                        ptr = tmp;
+                }
+                else if (strncmp(ptr, "deny ", 5) == 0) {
+                        char *tmp;
+                        if (asprintf(&tmp, "blacklist %s", ptr + 5) == -1)
+                                errExit("asprintf");
+                        free(ptr);
+                        ptr = tmp;
+                }
+                else if (strncmp(ptr, "deny-nolog ", 11) == 0) {
+                        char *tmp;
+                        if (asprintf(&tmp, "blacklist-nolog %s", ptr + 11) == -1)
+                                errExit("asprintf");
+                        free(ptr);
+                        ptr = tmp;
+                }
+                // translate noallow/nodeny to nowhitelist/noblacklist
+                else if (strncmp(ptr, "noallow ", 8) == 0) {
+                        char *tmp;
+                        if (asprintf(&tmp, "nowhitelist %s", ptr + 8) == -1)
+                                errExit("asprintf");
+                        free(ptr);
+                        ptr = tmp;
+                }
+                else if (strncmp(ptr, "nodeny ", 7) == 0) {
+                        char *tmp;
+                        if (asprintf(&tmp, "noblacklist %s", ptr + 7) == -1)
+                                errExit("asprintf");
+                        free(ptr);
+                        ptr = tmp;
+                }
+
                 // process quiet
                 // todo: a quiet in the profile file cannot be disabled by --ignore on command line
                 if (strcmp(ptr, "quiet") == 0) {
@@ -1805,9 +1826,8 @@ void profile_read(const char *fname) {
 //              else {
 //                      free(ptr);
 //              }
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
         }
         fclose(fp);
 }
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c
index dd6fec972..f177f4b89 100644
--- a/src/firejail/rlimit.c
+++ b/src/firejail/rlimit.c
@@ -18,13 +18,10 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/time.h>
 #include <sys/resource.h>
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 void set_rlimits(void) {
         EUID_ASSERT();
         // resource limits
@@ -37,9 +34,9 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_cpu;
                 rl.rlim_max = (rlim_t) cfg.rlimit_cpu;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_CPU, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -54,9 +51,10 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_nofile;
                 rl.rlim_max = (rlim_t) cfg.rlimit_nofile;
-#ifdef HAVE_GCOV        // gcov-instrumented programs might crash at this point
+
+                // gcov-instrumented programs might crash at this point
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_NOFILE, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -71,9 +69,9 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_nproc;
                 rl.rlim_max = (rlim_t) cfg.rlimit_nproc;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_NPROC, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -88,9 +86,9 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_fsize;
                 rl.rlim_max = (rlim_t) cfg.rlimit_fsize;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_FSIZE, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -105,9 +103,9 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_sigpending;
                 rl.rlim_max = (rlim_t) cfg.rlimit_sigpending;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_SIGPENDING, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -122,9 +120,9 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_as;
                 rl.rlim_max = (rlim_t) cfg.rlimit_as;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_AS, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 95be3335f..59ddfb855 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -19,6 +19,7 @@
 */
 
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include "../include/seccomp.h"
 #include <sys/mman.h>
 #include <sys/mount.h>
@@ -49,10 +50,6 @@
 #include <sys/apparmor.h>
 #endif
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 static int force_nonewprivs = 0;
 
 static int monitored_pid = 0;
@@ -507,9 +504,8 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
                         exit(1);
                 }
 
-#ifdef HAVE_GCOV
                 __gcov_dump();
-#endif
+
                 seccomp_install_filters();
 
                 if (set_sandbox_status)
@@ -563,9 +559,8 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
                 if (!arg_command && !arg_quiet)
                         print_time();
 
-#ifdef HAVE_GCOV
                 __gcov_dump();
-#endif
+
                 seccomp_install_filters();
 
                 if (set_sandbox_status)
@@ -1048,7 +1043,7 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // set dns
         //****************************
-        fs_resolvconf();
+        fs_rebuild_etc();
 
         //****************************
         // start dhcp client
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 888a6ffed..b4f3021c7 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -28,6 +28,7 @@ static char *usage_str =
         "\n"
         "Options:\n"
         "    -- - signal the end of options and disables further option processing.\n"
+        "    --allow=filename - allow file system access.\n"
         "    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
         "    --allusers - all user home directories are visible inside the sandbox.\n"
         "    --apparmor - enable AppArmor confinement.\n"
@@ -38,13 +39,12 @@ static char *usage_str =
 #endif
         "    --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"
         "    --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"
-        "    --blacklist=filename - blacklist directory or file.\n"
-        "    --build - build a whitelisted profile for the application.\n"
-        "    --build=filename - build a whitelisted profile for the application.\n"
+        "    --build - build a profile for the application.\n"
+        "    --build=filename - build a profile for the application.\n"
         "    --caps - enable default Linux capabilities filter.\n"
         "    --caps.drop=all - drop all capabilities.\n"
-        "    --caps.drop=capability,capability - blacklist capabilities filter.\n"
-        "    --caps.keep=capability,capability - whitelist capabilities filter.\n"
+        "    --caps.drop=capability,capability - drop capabilities.\n"
+        "    --caps.keep=capability,capability - allow capabilities.\n"
         "    --caps.print=name|pid - print the caps filter.\n"
 #ifdef HAVE_FILE_TRANSFER
         "    --cat=name|pid filename - print content of file from sandbox container.\n"
@@ -58,34 +58,35 @@ static char *usage_str =
 #ifdef HAVE_DBUSPROXY
         "    --dbus-log=file - set DBus log file location.\n"
         "    --dbus-system=filter|none - set system DBus access policy.\n"
-        "    --dbus-system.broadcast=rule - allow signals on the system DBus according to rule.\n"
+        "    --dbus-system.broadcast=rule - allow signals on the system DBus according\n"
+        "\tto rule.\n"
         "    --dbus-system.call=rule - allow calls on the system DBus according to rule.\n"
-        "    --dbus-system.log - turn on logging for the system DBus."
+        "    --dbus-system.log - turn on logging for the system DBus.\n"
         "    --dbus-system.own=name - allow ownership of name on the system DBus.\n"
         "    --dbus-system.see=name - allow seeing name on the system DBus.\n"
         "    --dbus-system.talk=name - allow talking to name on the system DBus.\n"
         "    --dbus-user=filter|none - set session DBus access policy.\n"
-        "    --dbus-user.broadcast=rule - allow signals on the session DBus according to rule.\n"
+        "    --dbus-user.broadcast=rule - allow signals on the session DBus according\n"
+        "\tto rule.\n"
         "    --dbus-user.call=rule - allow calls on the session DBus according to rule.\n"
-        "    --dbus-user.log - turn on logging for the user DBus."
+        "    --dbus-user.log - turn on logging for the user DBus.\n"
         "    --dbus-user.own=name - allow ownership of name on the session DBus.\n"
         "    --dbus-user.see=name - allow seeing name on the session DBus.\n"
         "    --dbus-user.talk=name - allow talking to name on the session DBus.\n"
 #endif
         "    --debug - print sandbox debug messages.\n"
-        "    --debug-blacklists - debug blacklisting.\n"
+        "    --debug-allow - debug file system access.\n"
+        "    --debug-deny - debug file system access.\n"
         "    --debug-caps - print all recognized capabilities.\n"
         "    --debug-errnos - print all recognized error numbers.\n"
         "    --debug-private-lib - debug for --private-lib option.\n"
         "    --debug-protocols - print all recognized protocols.\n"
         "    --debug-syscalls - print all recognized system calls.\n"
         "    --debug-syscalls32 - print all recognized 32 bit system calls.\n"
-#ifdef HAVE_WHITELIST
-        "    --debug-whitelists - debug whitelisting.\n"
-#endif
 #ifdef HAVE_NETWORK
         "    --defaultgw=address - configure default gateway.\n"
 #endif
+        "    --deny=filename - deny access to directory or file.\n"
         "    --deterministic-exit-code - always exit with first child's status code.\n"
         "    --dns=address - set DNS server.\n"
         "    --dns.print=name|pid - print DNS configuration.\n"
@@ -143,14 +144,15 @@ static char *usage_str =
         "    --netfilter.print=name|pid - print the firewall.\n"
         "    --netfilter6=filename - enable IPv6 firewall.\n"
         "    --netfilter6.print=name|pid - print the IPv6 firewall.\n"
-        "    --netmask=address - define a network mask when dealing with unconfigured"
+        "    --netmask=address - define a network mask when dealing with unconfigured\n"
         "\tparrent interfaces.\n"
         "    --netns=name - Run the program in a named, persistent network namespace.\n"
         "    --netstats - monitor network statistics.\n"
 #endif
         "    --nice=value - set nice value.\n"
         "    --no3d - disable 3D hardware acceleration.\n"
-        "    --noblacklist=filename - disable blacklist for file or directory.\n"
+        "    --noallow=filename - disable allow command for file or directory.\n"
+        "    --nodeny=filename - disable deny command for file or directory.\n"
         "    --nodbus - disable D-Bus access.\n"
         "    --nodvd - disable DVD and audio CD devices.\n"
         "    --noexec=filename - remount the file or directory noexec nosuid and nodev.\n"
@@ -165,7 +167,6 @@ static char *usage_str =
         "    --noautopulse - disable automatic ~/.config/pulse init.\n"
         "    --novideo - disable video devices.\n"
         "    --nou2f - disable U2F devices.\n"
-        "    --nowhitelist=filename - disable whitelist for file or directory.\n"
 #ifdef HAVE_OUTPUT
         "    --output=logfile - stdout logging and log rotation.\n"
         "    --output-stderr=logfile - stdout and stderr logging and log rotation.\n"
@@ -222,14 +223,14 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
         "    --scan - ARP-scan all the networks from inside a network namespace.\n"
 #endif
-        "    --seccomp - enable seccomp filter and apply the default blacklist.\n"
-        "    --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"
+        "    --seccomp - enable seccomp filter and drop the default syscalls.\n"
+        "    --seccomp=syscall,syscall,syscall - enable seccomp filter, drop the\n"
         "\tdefault syscall list and the syscalls specified by the command.\n"
         "    --seccomp.block-secondary - build only the native architecture filters.\n"
         "    --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n"
-        "\tblacklist the syscalls specified by the command.\n"
+        "\tdrop the syscalls specified by the command.\n"
         "    --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n"
-        "\twhitelist the syscalls specified by the command.\n"
+        "\tallow the syscalls specified by the command.\n"
         "    --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"
         "\tidentified by name or PID.\n"
         "    --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
@@ -244,7 +245,7 @@ static char *usage_str =
         "    --top - monitor the most CPU-intensive sandboxes.\n"
         "    --trace - trace open, access and connect system calls.\n"
         "    --tracelog - add a syslog message for every access to files or\n"
-        "\tdirectories blacklisted by the security profile.\n"
+        "\tdirectories dropped by the security profile.\n"
         "    --tree - print a tree of all sandboxed processes.\n"
         "    --tunnel[=devname] - connect the sandbox to a tunnel created by\n"
         "\tfiretunnel utility.\n"
@@ -252,9 +253,6 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
         "    --veth-name=name - use this name for the interface connected to the bridge.\n"
 #endif
-#ifdef HAVE_WHITELIST
-        "    --whitelist=filename - whitelist directory or file.\n"
-#endif
         "    --writable-etc - /etc directory is mounted read-write.\n"
         "    --writable-run-user - allow access to /run/user/$UID/systemd and\n"
         "\t/run/user/$UID/gnupg.\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 2ff2d2973..094a68c60 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -19,6 +19,7 @@
  */
 #define _XOPEN_SOURCE 500
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <ftw.h>
 #include <sys/stat.h>
 #include <sys/mount.h>
@@ -44,10 +45,6 @@
 #include <linux/openat2.h>
 #endif
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 #define MAX_GROUPS 1024
 #define MAXBUF 4098
 #define EMPTY_STRING ("")
@@ -382,9 +379,9 @@ void copy_file_as_user(const char *srcname, const char *destname, mode_t mode) {
                 int rv = copy_file(srcname, destname, -1, -1, mode); // already a regular user
                 if (rv)
                         fwarning("cannot copy %s\n", srcname);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
         // wait for the child to finish
@@ -416,9 +413,9 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_
                         close(src);
                 }
                 close(dst);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
         // wait for the child to finish
@@ -447,9 +444,9 @@ void touch_file_as_user(const char *fname, mode_t mode) {
                 }
                 else
                         fwarning("cannot create %s\n", fname);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
         // wait for the child to finish
@@ -1056,9 +1053,9 @@ int remove_overlay_directory(void) {
                         // remove ~/.firejail
                         if (rmdir(path) == -1)
                                 errExit("rmdir");
-#ifdef HAVE_GCOV
+
                         __gcov_flush();
-#endif
+
                         _exit(0);
                 }
                 // wait for the child to finish
@@ -1114,9 +1111,9 @@ int create_empty_dir_as_user(const char *dir, mode_t mode) {
                         }
                         else if (arg_debug)
                                 printf("Directory %s not created: %s\n", dir, strerror(errno));
-#ifdef HAVE_GCOV
+
                         __gcov_flush();
-#endif
+
                         _exit(0);
                 }
                 waitpid(child, NULL, 0);
diff --git a/src/firemon/interface.c b/src/firemon/interface.c
index b93d4a5a2..780e3d706 100644
--- a/src/firemon/interface.c
+++ b/src/firemon/interface.c
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firemon.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <netdb.h>
@@ -33,10 +34,6 @@
 //#include <net/route.h>
 //#include <linux/if_bridge.h>
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 // print IP addresses for all interfaces
 static void net_ifprint(void) {
         uint32_t ip;
@@ -149,9 +146,9 @@ static void print_sandbox(pid_t pid) {
                 if (rv)
                         return;
                 net_ifprint();
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
 
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index 23d228e26..9d8e5d7f5 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -18,16 +18,13 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firemon.h"
+#include "../include/gcov_wrapper.h"
 #include <termios.h>
 #include <sys/ioctl.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 #define MAXBUF 4096
 
 // ip -s link: device stats
@@ -246,8 +243,7 @@ void netstats(void) {
                                 print_proc(i, itv, col);
                         }
                 }
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
+
+                __gcov_flush();
         }
 }
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index 4e809681e..716a9cba4 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firemon.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/socket.h>
 #include <linux/connector.h>
 #include <linux/netlink.h>
@@ -30,10 +31,6 @@
 #include <fcntl.h>
 #include <sys/uio.h>
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 #define PIDS_BUFLEN 4096
 #define SERVER_PORT 889 // 889-899 is left unassigned by IANA
 
@@ -234,9 +231,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
         tv.tv_usec = 0;
 
         while (1) {
-#ifdef HAVE_GCOV
                 __gcov_flush();
-#endif
 
 #define BUFFSIZE 4096
                 char __attribute__ ((aligned(NLMSG_ALIGNTO)))buf[BUFFSIZE];
diff --git a/src/firemon/top.c b/src/firemon/top.c
index 9d6f34991..2217cc7de 100644
--- a/src/firemon/top.c
+++ b/src/firemon/top.c
@@ -18,16 +18,13 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firemon.h"
+#include "../include/gcov_wrapper.h"
 #include <termios.h>
 #include <sys/ioctl.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
 
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
-
 static unsigned pgs_rss = 0;
 static unsigned pgs_shared = 0;
 static unsigned clocktick = 0;
@@ -330,8 +327,7 @@ void top(void) {
                         }
                 }
                 head_print(col, row);
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
+
+                __gcov_flush();
         }
 }
diff --git a/src/include/gcov_wrapper.h b/src/include/gcov_wrapper.h
new file mode 100644
index 000000000..4aafb8e18
--- /dev/null
+++ b/src/include/gcov_wrapper.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef GCOV_WRAPPER_H
+#define GCOV_WRAPPER_H
+
+#ifdef HAS_GCOV
+#include <gcov.h>
+
+/*
+ * __gcov_flush was removed on gcc 11.1.0 (as it's no longer needed), but it
+ * appears to be the safe/"correct" way to do things on previous versions (as
+ * it ensured proper locking, which is now done elsewhere).  Thus, keep using
+ * it in the code and ensure that it exists, in order to support gcc <11.1.0
+ * and gcc >=11.1.0, respectively.
+ */
+#if __GNUC__ > 11 || (__GNUC__ == 11 && __GNUC_MINOR__ >= 1)
+static void __gcov_flush(void) {
+       __gcov_dump();
+       __gcov_reset();
+}
+#endif
+#else
+#define __gcov_dump() ((void)0)
+#define __gcov_reset() ((void)0)
+#define __gcov_flush() ((void)0)
+#endif /* HAS_GCOV */
+
+#endif /* GCOV_WRAPPER_H */
diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index b3131ac17..d0d9ff5aa 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -253,9 +253,6 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_fanotify_init
           "fanotify_init,"
 #endif
-#ifdef SYS_kcmp
-          "kcmp,"
-#endif
 #ifdef SYS_add_key
           "add_key,"
 #endif
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index db58e0910..34f5e8bf9 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -156,7 +156,7 @@ Scripting commands:
 \fBFile and directory names
 File and directory names containing spaces are supported. The space character ' ' should not be escaped.
 
-Example: "blacklist ~/My Virtual Machines"
+Example: "deny ~/My Virtual Machines"
 
 .TP
 \fB# this is a comment
@@ -170,9 +170,9 @@ net none # this command creates an empty network namespace
 \fB?CONDITIONAL: profile line
 Conditionally add profile line.
 
-Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
+Example: "?HAS_APPIMAGE: allow ${HOME}/special/appimage/dir"
 
-This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
+This example will load the profile line only if the \-\-appimage option has been specified on the command line.
 
 Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
 can be enabled or disabled globally in Firejail's configuration file.
@@ -205,16 +205,16 @@ storing modifications to the persistent configuration. Persistent .local files
 are included at the start of regular profile files.
 
 .TP
-\fBnoblacklist file_name
-If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow.
+\fBnoallow file_name
+If the file name matches file_name, the file will not be allowed in any allow commands that follow.
 
-Example: "noblacklist ${HOME}/.mozilla"
+Example: "nowhitelist ~/.config"
 
 .TP
-\fBnowhitelist file_name
-If the file name matches file_name, the file will not be whitelisted in any whitelist commands that follow.
+\fBnodeny file_name
+If the file name matches file_name, the file will not be denied any deny commands that follow.
 
-Example: "nowhitelist ~/.config"
+Example: "nodeny ${HOME}/.mozilla"
 
 .TP
 \fBignore
@@ -242,19 +242,17 @@ HOME directories are searched, see the \fBfirejail\f(1) \fBFILE GLOBBING\fR sect
 for more details.
 Examples:
 .TP
-\fBblacklist file_or_directory
-Blacklist directory or file. Examples:
+\fBallow file_or_directory
+Allow directory or file. A temporary file system is mounted on the top directory, and the
+allowed files are mount-binded inside. Modifications to allowd files are persistent,
+everything else is discarded when the sandbox is closed. The top directory can be
+all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
+all directories in /usr.
 .br
 
 .br
-blacklist /usr/bin
-.br
-blacklist /usr/bin/gcc*
-.br
-blacklist ${PATH}/ifconfig
-.br
-blacklist ${HOME}/.ssh
-
+Symbolic link handling: with the exception of user home, both the link and the real file should be in
+the same top directory. For user home, both the link and the real file should be owned by the user.
 .TP
 \fBblacklist-nolog file_or_directory
 When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory.
@@ -273,6 +271,20 @@ Mount-bind directory1 on top of directory2. This option is only available when r
 \fBbind file1,file2
 Mount-bind file1 on top of file2. This option is only available when running as root.
 .TP
+\fBdeny file_or_directory
+Deny access to directory or file. Examples:
+.br
+
+.br
+deny /usr/bin
+.br
+deny /usr/bin/gcc*
+.br
+deny ${PATH}/ifconfig
+.br
+deny ${HOME}/.ssh
+
+.TP
 \fBdisable-mnt
 Disable /mnt, /media, /run/mount and /run/media access.
 .TP
@@ -292,7 +304,7 @@ The directory is created if it doesn't already exist.
 .br
 
 .br
-Use this command for whitelisted directories you need to preserve
+Use this command for allowed directories you need to preserve
 when the sandbox is closed. Without it, the application will create the directory, and the directory
 will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from
 firefox profile:
@@ -305,7 +317,7 @@ whitelist ~/.mozilla
 .br
 mkdir ~/.cache/mozilla/firefox
 .br
-whitelist ~/.cache/mozilla/firefox
+allow ~/.cache/mozilla/firefox
 .br
 
 .br
@@ -411,7 +423,7 @@ expressed as foo/bar -- is disallowed).
 All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-tmp
-Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
+Mount an empty temporary filesystem on top of /tmp directory allowing /tmp/.X11-unix.
 .TP
 \fBread-only file_or_directory
 Make directory or file read-only.
@@ -423,25 +435,13 @@ Make directory or file read-write.
 Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
 .TP
 \fBtracelog
-Blacklist violations logged to syslog.
-.TP
-\fBwhitelist file_or_directory
-Whitelist directory or file. A temporary file system is mounted on the top directory, and the
-whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
-everything else is discarded when the sandbox is closed. The top directory can be
-all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
-all directories in /usr.
-.br
-
-.br
-Symbolic link handling: with the exception of user home, both the link and the real file should be in
-the same top directory. For user home, both the link and the real file should be owned by the user.
+File system deny violations logged to syslog.
 .TP
 \fBwritable-etc
 Mount /etc directory read-write.
 .TP
 \fBwritable-run-user
-Disable the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnupg.
+Disable the default denying of run/user/$UID/systemd and /run/user/$UID/gnupg.
 .TP
 \fBwritable-var
 Mount /var directory read-write.
@@ -455,7 +455,7 @@ The following security filters are currently implemented:
 
 .TP
 \fBallow-debuggers
-Allow tools such as strace and gdb inside the sandbox by whitelisting system calls ptrace and process_vm_readv.
+Allow tools such as strace and gdb inside the sandbox by allowing system calls ptrace and process_vm_readv.
 #ifdef HAVE_APPARMOR
 .TP
 \fBapparmor
@@ -466,13 +466,13 @@ Enable AppArmor confinement.
 Enable default Linux capabilities filter.
 .TP
 \fBcaps.drop capability,capability,capability
-Blacklist given Linux capabilities.
+Deny given Linux capabilities.
 .TP
 \fBcaps.drop all
-Blacklist all Linux capabilities.
+Deny all Linux capabilities.
 .TP
 \fBcaps.keep capability,capability,capability
-Whitelist given Linux capabilities.
+Allow given Linux capabilities.
 .TP
 \fBmemory-deny-write-execute
 Install a seccomp filter to block attempts to create memory mappings
@@ -497,32 +497,32 @@ first argument to socket system call. Recognized values: \fBunix\fR,
 \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR.
 .TP
 \fBseccomp
-Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
+Enable seccomp filter and deny the syscalls in the default list. See man 1 firejail for more details.
 .TP
 \fBseccomp.32
-Enable seccomp filter and blacklist the syscalls in the default list for 32 bit system calls on a 64 bit architecture system.
+Enable seccomp filter and deny the syscalls in the default list for 32 bit system calls on a 64 bit architecture system.
 .TP
 \fBseccomp syscall,syscall,syscall
-Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
+Enable seccomp filter and deny the system calls in the list on top of default seccomp filter.
 .TP
 \fBseccomp.32 syscall,syscall,syscall
-Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system.
+Enable seccomp filter and deny the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system.
 .TP
 \fBseccomp.block-secondary
 Enable seccomp filter and filter system call architectures
 so that only the native architecture is allowed.
 .TP
 \fBseccomp.drop syscall,syscall,syscall
-Enable seccomp filter and blacklist the system calls in the list.
+Enable seccomp filter and deny the system calls in the list.
 .TP
 \fBseccomp.32.drop syscall,syscall,syscall
-Enable seccomp filter and blacklist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
+Enable seccomp filter and deny the system calls in the list for 32 bit system calls on a 64 bit architecture system.
 .TP
 \fBseccomp.keep syscall,syscall,syscall
-Enable seccomp filter and whitelist the system calls in the list.
+Enable seccomp filter and allow the system calls in the list.
 .TP
 \fBseccomp.32.keep syscall,syscall,syscall
-Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
+Enable seccomp filter and allow the system calls in the list for 32 bit system calls on a 64 bit architecture system.
 .TP
 \fBseccomp-error-action kill | log | ERRNO
 Return a different error instead of EPERM to the process, kill it when
@@ -534,7 +534,7 @@ attempt.
 Enable X11 sandboxing.
 .TP
 \fBx11 none
-Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
+Deny access to /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
 Remove DISPLAY and XAUTHORITY environment variables.
 Stop with error message if X11 abstract socket will be accessible in jail.
 .TP
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 0462705c0..498ff9aa9 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -99,6 +99,40 @@ $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 \fB\-\-
 Signal the end of options and disables further option processing.
 .TP
+\fB\-\-allow=dirname_or_filename
+Allow access to a directory or file. A temporary file system is mounted on the top directory, and the
+allowed files are mount-binded inside. Modifications to allowed files are persistent,
+everything else is discarded when the sandbox is closed. The top directory can be
+all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
+all directories in /usr.
+.br
+
+.br
+Symbolic link handling: with the exception of user home, both the link and the real file should be in
+the same top directory. For user home, both the link and the real file should be owned by the user.
+.br
+
+.br
+File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-noprofile \-\-allow=~/.mozilla
+.br
+$ firejail \-\-allow=/tmp/.X11-unix --allow=/dev/null
+.br
+$ firejail "\-\-allow=/home/username/My Virtual Machines"
+.br
+$ firejail \-\-allow=~/work* \-\-allow=/var/backups*
+
+
+
+
+
+
+.TP
 \fB\-\-allow-debuggers
 Allow tools such as strace and gdb inside the sandbox by whitelisting
 system calls ptrace and process_vm_readv. This option is only
@@ -169,21 +203,6 @@ Example:
 .br
 # firejail \-\-bind=/config/etc/passwd,/etc/passwd
 .TP
-\fB\-\-blacklist=dirname_or_filename
-Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
-.br
-$ firejail \-\-blacklist=~/.mozilla
-.br
-$ firejail "\-\-blacklist=/home/username/My Virtual Machines"
-.br
-$ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
-.TP
 \fB\-\-build
 The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also
 builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
@@ -243,7 +262,7 @@ $ firejail \-\-caps.drop=all warzone2100
 
 .TP
 \fB\-\-caps.drop=capability,capability,capability
-Define a custom blacklist Linux capabilities filter.
+Define a custom Linux capabilities filter.
 .br
 
 .br
@@ -624,14 +643,14 @@ Example:
 $ firejail \-\-debug firefox
 
 .TP
-\fB\-\-debug-blacklists\fR
-Debug blacklisting.
+\fB\-\-debug-allow\fR
+Debug file system access.
 .br
 
 .br
 Example:
 .br
-$ firejail \-\-debug-blacklists firefox
+$ firejail \-\-debug-allow firefox
 
 .TP
 \fB\-\-debug-caps
@@ -644,6 +663,16 @@ Example:
 $ firejail \-\-debug-caps
 
 .TP
+\fB\-\-debug-deny\fR
+Debug file access.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-debug-deny firefox
+
+.TP
 \fB\-\-debug-errnos
 Print all recognized error numbers in the current Firejail software build and exit.
 .br
@@ -677,15 +706,7 @@ $ firejail \-\-debug-syscalls
 \fB\-\-debug-syscalls32
 Print all recognized 32 bit system calls in the current Firejail software build and exit.
 .br
-.TP
-\fB\-\-debug-whitelists\fR
-Debug whitelisting.
-.br
 
-.br
-Example:
-.br
-$ firejail \-\-debug-whitelists firefox
 #ifdef HAVE_NETWORK
 .TP
 \fB\-\-defaultgw=address
@@ -697,13 +718,32 @@ Example:
 .br
 $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
 #endif
+
+.TP
+\fB\-\-deny=dirname_or_filename
+Deny access to directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-deny=/sbin \-\-deny=/usr/sbin
+.br
+$ firejail \-\-deny=~/.mozilla
+.br
+$ firejail "\-\-deny=/home/username/My Virtual Machines"
+.br
+$ firejail \-\-deny=/home/username/My\\ Virtual\\ Machines
+
+
+
 .TP
 \fB\-\-deterministic-exit-code
 Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
 .br
 .TP
 \fB\-\-disable-mnt
-Blacklist /mnt, /media, /run/mount and /run/media access.
+Deny access to /mnt, /media, /run/mount and /run/media.
 .br
 
 .br
@@ -1471,12 +1511,16 @@ Example:
 $ firejail --no3d firefox
 
 .TP
+\fB\-\-noallow=dirname_or_filename
+Disable \-\-allow for this directory or file.
+
+.TP
 \fB\-\-noautopulse \fR(deprecated)
 See --keep-config-pulse.
 
 .TP
-\fB\-\-noblacklist=dirname_or_filename
-Disable blacklist for this directory or file.
+\fB\-\-nodeny=dirname_or_filename
+Disable \-\-deny for this directory or file.
 .br
 
 .br
@@ -1492,7 +1536,7 @@ $ exit
 .br
 
 .br
-$ firejail --noblacklist=/bin/nc
+$ firejail --nodeny=/bin/nc
 .br
 $ nc dict.org 2628
 .br
@@ -1666,10 +1710,6 @@ $ firejail \-\-nou2f
 Disable video devices.
 .br
 
-.TP
-\fB\-\-nowhitelist=dirname_or_filename
-Disable whitelist for this directory or file.
-
 #ifdef HAVE_OUTPUT
 .TP
 \fB\-\-output=logfile
@@ -2733,34 +2773,6 @@ Example:
 .br
 $ firejail \-\-net=br0 --veth-name=if0
 #endif
-.TP
-\fB\-\-whitelist=dirname_or_filename
-Whitelist directory or file. A temporary file system is mounted on the top directory, and the
-whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
-everything else is discarded when the sandbox is closed. The top directory can be
-all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
-all directories in /usr.
-.br
-
-.br
-Symbolic link handling: with the exception of user home, both the link and the real file should be in
-the same top directory. For user home, both the link and the real file should be owned by the user.
-.br
-
-.br
-File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-noprofile \-\-whitelist=~/.mozilla
-.br
-$ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
-.br
-$ firejail "\-\-whitelist=/home/username/My Virtual Machines"
-.br
-$ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups*
 
 .TP
 \fB\-\-writable-etc
diff --git a/src/tools/profcleaner.c b/src/tools/profcleaner.c
new file mode 100644
index 000000000..93bb3f73d
--- /dev/null
+++ b/src/tools/profcleaner.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+//*************************************************************
+// Small utility program to convert profiles from blacklist/whitelist to deny/allow
+// Compile:
+//       gcc -o profcleaner profcleaner.c
+// Usage:
+//       profcleaner *.profile
+//*************************************************************
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#define MAXBUF 4096
+
+int main(int argc, char **argv) {
+        printf("Usage: profcleaner files\n");
+        int i;
+
+        for (i = 1; i < argc; i++) {
+                FILE *fp = fopen(argv[i], "r");
+                if (!fp) {
+                        fprintf(stderr, "Error: cannot open %s\n", argv[i]);
+                        return 1;
+                }
+
+                FILE *fpout = fopen("profcleaner-tmp", "w");
+                if (!fpout) {
+                        fprintf(stderr, "Error: cannot open output file\n");
+                        return 1;
+                }
+
+                char buf[MAXBUF];
+                while (fgets(buf, MAXBUF, fp)) {
+                        if (strncmp(buf, "blacklist-nolog", 15) == 0)
+                                fprintf(fpout, "deny-nolog %s", buf + 15);
+                        else if (strncmp(buf, "blacklist", 9) == 0)
+                                fprintf(fpout, "deny %s", buf + 9);
+                        else if (strncmp(buf, "noblacklist", 11) == 0)
+                                fprintf(fpout, "nodeny %s", buf + 11);
+                        else if (strncmp(buf, "whitelist", 9) == 0)
+                                fprintf(fpout, "allow %s", buf + 9);
+                        else if (strncmp(buf, "nowhitelist", 11) == 0)
+                                fprintf(fpout, "noallow %s", buf + 11);
+                        else
+                                fprintf(fpout, "%s", buf);
+                }
+
+                fclose(fp);
+                fclose(fpout);
+                unlink(argv[i]);
+                rename("profcleaner-tmp", argv[i]);
+        }
+
+        return 0;
+}
\ No newline at end of file
diff --git a/src/tools/profcleaner.sh b/src/tools/profcleaner.sh
new file mode 100755
index 000000000..709008e08
--- /dev/null
+++ b/src/tools/profcleaner.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Copyright (C) 2021 Firejail Authors
+#
+# This file is part of firejail project
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+if [[ $1 == --help ]]; then
+        cat <<-EOM
+        USAGE:
+          profcleaner.sh --help        Show this help message and exit
+          profcleaner.sh --system      Clean all profiles in /etc/firejail
+          profcleaner.sh --user        Clean all profiles in ~/.config/firejail
+          profcleaner.sh /path/to/profile1 /path/to/profile2 ...
+        EOM
+        exit 0
+fi
+
+if [[ $1 == --system ]]; then
+        profiles=(/etc/firejail/*.{inc,local,profile})
+elif [[ $1 == --user ]]; then
+        profiles=("$HOME"/.config/firejail/*.{inc,local,profile})
+else
+        profiles=("$@")
+fi
+
+sed -i -E \
+        -e "s/^(# |#)?blacklist/\1deny/" \
+        -e "s/^(# |#)?noblacklist/\1nodeny/" \
+        -e "s/^(# |#)?whitelist/\1allow/" \
+        -e "s/^(# |#)?nowhitelist/\1noallow/" \
+        "${profiles[@]}"
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index f1a19b86d..b703783b0 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -48,8 +48,8 @@ _firejail_args=(
     '*::arguments:_normal'
 
     '--appimage[sandbox an AppImage application]'
-    '--build[build a whitelisted profile for the application and print it on stdout]'
-    '--build=-[build a whitelisted profile for the application and save it]: :_files'
+    '--build[build a profile for the application and print it on stdout]'
+    '--build=-[build a profile for the application and save it]: :_files'
     # Ignore that you can do -? too as it's the only short option
     '--help[this help screen]'
     '--join=-[join the sandbox name|pid]: :_all_firejails'
@@ -63,14 +63,14 @@ _firejail_args=(
     '--version[print program version and exit]'
 
     '--debug[print sandbox debug messages]'
-    '--debug-blacklists[debug blacklisting]'
+    '--debug-allow[debug file system access]'
     '--debug-caps[print all recognized capabilities]'
+    '--debug-deny[debug file system access]'
     '--debug-errnos[print all recognized error numbers]'
     '--debug-private-lib[debug for --private-lib option]'
     '--debug-protocols[print all recognized protocols]'
     '--debug-syscalls[print all recognized system calls]'
     '--debug-syscalls32[print all recognized 32 bit system calls]'
-    '--debug-whitelists[debug whitelisting]'
 
     '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails'
     '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails'
@@ -83,13 +83,13 @@ _firejail_args=(
     '--allusers[all user home directories are visible inside the sandbox]'
     # Should be _files, a comma and files or files -/
     '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)'
-    '*--blacklist=-[blacklist directory or file]: :_files'
     '--caps[enable default Linux capabilities filter]'
     '--caps.drop=all[drop all capabilities]'
     '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps'
     '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps'
     '--cgroup=-[place the sandbox in the specified control group]: :'
     '--cpu=-[set cpu affinity]: :->cpus'
+    '*--deny=-[deny access to directory or file]: :_files'
     "--deterministic-exit-code[always exit with first child's status code]"
     '*--dns=-[set DNS server]: :'
     '*--env=-[set environment variable]: :'
@@ -112,7 +112,7 @@ _firejail_args=(
     '--nice=-[set nice value]: :(1 10 15 20)'
     '--no3d[disable 3D hardware acceleration]'
     '--noautopulse[disable automatic ~/.config/pulse init]'
-    '--noblacklist=-[disable blacklist for file or directory]: :_files'
+    '--nodeny=-[disable deny command for file or directory]: :_files'
     '--nodbus[disable D-Bus access]'
     '--nodvd[disable DVD and audio CD devices]'
     '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files'
@@ -143,13 +143,13 @@ _firejail_args=(
     '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :'
     '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :'
     '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)'
-    '--seccomp[enable seccomp filter and apply the default blacklist]: :'
-    '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp'
+    '--seccomp[enable seccomp filter and drop the default syscalls]: :'
+    '--seccomp=-[enable seccomp filter, drop the default syscall list and the syscalls specified by the command]: :->seccomp'
     '--seccomp.block-secondary[build only the native architecture filters]'
-    '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp'
-    '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp'
-    '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :'
-    '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :'
+    '*--seccomp.drop=-[enable seccomp filter, and drop the syscalls specified by the command]: :->seccomp'
+    '*--seccomp.keep=-[enable seccomp filter, and allow the syscalls specified by the command]: :->seccomp'
+    '*--seccomp.32.drop=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :'
+    '*--seccomp.32.keep=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :'
     # FIXME: Add errnos
     '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)'
     '--shell=none[run the program directly without a user shell]'
@@ -157,7 +157,7 @@ _firejail_args=(
     '--timeout=-[kill the sandbox automatically after the time has elapsed]: :'
     #'(--tracelog)--trace[trace open, access and connect system calls]'
     '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files'
-    '(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]'
+    '(--trace)--tracelog[add a syslog message for every access to files or directories dropped by the security profile]'
     '(--private-etc)--writable-etc[/etc directory is mounted read-write]'
     '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]'
     '--writable-var[/var directory is mounted read-write]'
@@ -251,10 +251,8 @@ _firejail_args=(
     '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/'
 #endif
 
-#ifdef HAVE_WHITELIST
-    '*--nowhitelist=-[disable whitelist for file or directory]: :_files'
-    '*--whitelist=-[whitelist directory or file]: :_files'
-#endif
+    '*--noallow=-[disable allow command for file or directory]: :_files'
+    '*--allow=-[allow file system access]: :_files'
 
 #ifdef HAVE_X11
     '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]'
diff --git a/test/profiles/profile_syntax.exp b/test/profiles/profile_syntax.exp
index 258089a39..a2cccb0d4 100755
--- a/test/profiles/profile_syntax.exp
+++ b/test/profiles/profile_syntax.exp
@@ -22,7 +22,7 @@ expect {
 }
 
 sleep 1
-send -- "ls -l /etc/shadow\r"
+send -- "ls -l /dev/console\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "root root"
diff --git a/test/profiles/test.profile b/test/profiles/test.profile
index 26d6de849..27cb99606 100644
--- a/test/profiles/test.profile
+++ b/test/profiles/test.profile
@@ -1,5 +1,5 @@
 blacklist /sbin/iptables
-blacklist /etc/shadow
+blacklist /dev/console
 blacklist /bin/rmdir
 blacklist ${PATH}/umount
 blacklist ${PATH}/mount