195 files changed, 358 insertions, 206 deletions

diff --git a/.gitignore b/.gitignore
index 5e26f1711..7f5913727 100644
--- a/.gitignore
+++ b/.gitignore
@@ -40,4 +40,3 @@ seccomp.64
 seccomp.block_secondary
 seccomp.mdwx
 src/common.mk
-
diff --git a/README b/README
index 50cf6e69f..9414d21d9 100644
--- a/README
+++ b/README
@@ -397,6 +397,8 @@ LaurentGH (https://github.com/LaurentGH)
         - allow private-bin parameters to be absolute paths
 Loïc Damien (https://github.com/dzamlo)
         - small fixes
+Lockdis (https://github.com/Lockdis)
+        - Added crow, nyx, and google-earth-pro profiles
 luzpaz (https://github.com/luzpaz)
         - code spelling fixes
 maces (https://github.com/maces)
@@ -443,6 +445,9 @@ nyancat18 (https://github.com/nyancat18)
         - added ardour4, dooble, karbon, krita profiles
 Ondra Nekola (https://github.com/satai)
         - allow firefox theming with non-global themes
+Lorenzo "Palinuro" Faletra (https://github.com/PalinuroSec)
+        - prevent thunderbird conflicts when firefox is running
+        - add join-or-start to pluma to open multiple files in tabs
 Panzerfather (https://github.com/Panzerfather)
         - allow eog to access user's trash
 Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/)
diff --git a/README.md b/README.md
index 3867f8795..c8d1b63d2 100644
--- a/README.md
+++ b/README.md
@@ -102,3 +102,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 ## Current development version: 0.9.59
 
 ## New profiles:
+crow, nyx
diff --git a/RELNOTES b/RELNOTES
index 3b36f25ad..4d0df7c89 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,3 +1,6 @@
+firejail (0.9.58) baseline; urgency=low
+  * new profiles: crow, nyx
+
 firejail (0.9.58,2) baseline; urgency=low
   * cgroup flag in /etc/firejail/firejail.config file
   * name-change flag in /etc/firejail.config file
diff --git a/etc-fixes/0.9.38/firefox.profile b/etc-fixes/0.9.38/firefox.profile
index f107f77fd..0eab2b5e0 100644
--- a/etc-fixes/0.9.38/firefox.profile
+++ b/etc-fixes/0.9.38/firefox.profile
@@ -29,4 +29,4 @@ whitelist ~/.cache/gnome-mplayer/plugin
 include /etc/firejail/whitelist-common.inc
 
 # experimental features
-#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+#private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
diff --git a/etc-fixes/0.9.52/firefox.profile b/etc-fixes/0.9.52/firefox.profile
index e3efada2c..6a9ff977e 100644
--- a/etc-fixes/0.9.52/firefox.profile
+++ b/etc-fixes/0.9.52/firefox.profile
@@ -92,7 +92,7 @@ disable-mnt
 # private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
 private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
-# private-etc iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+# private-etc alternatives,iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
 private-tmp
 
 noexec ${HOME}
diff --git a/etc-fixes/0.9.52/gedit.profile b/etc-fixes/0.9.52/gedit.profile
index 2646233cf..8dd71a196 100644
--- a/etc-fixes/0.9.52/gedit.profile
+++ b/etc-fixes/0.9.52/gedit.profile
@@ -36,7 +36,7 @@ tracelog
 
 # private-bin gedit
 private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 #private-lib gedit - disabled; problems when running "firejail gedit"; "firejail /usr/bin/gedit" works fine
 private-tmp
 
diff --git a/etc/QMediathekView.profile b/etc/QMediathekView.profile
index d988fd41a..69dfbecfe 100644
--- a/etc/QMediathekView.profile
+++ b/etc/QMediathekView.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin QMediathekView,mplayer,mpv,smplayer,totem,vlc,xplayer
 private-cache
 private-dev
-# private-etc none
+# private-etc alternatives
 # private-lib
 private-tmp
 
diff --git a/etc/QOwnNotes.profile b/etc/QOwnNotes.profile
index 1135b850b..f63a8b9ef 100644
--- a/etc/QOwnNotes.profile
+++ b/etc/QOwnNotes.profile
@@ -49,7 +49,7 @@ tracelog
 disable-mnt
 private-bin QOwnNotes,gio
 private-dev
-private-etc fonts,ld.so.cache,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,ld.so.cache,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
index a95c8989a..d9b7f8c26 100644
--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -39,5 +39,5 @@ private
 # private-bin Xephyr,sh,xkbcomp
 # private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
 private-dev
-# private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
+# private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
 private-tmp
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile
index 967946a6c..ed07485d6 100644
--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -41,5 +41,5 @@ private
 # private-bin Xvfb,sh,xkbcomp
 # private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls
 private-dev
-private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
+private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
 private-tmp
diff --git a/etc/amarok.profile b/etc/amarok.profile
index 6f2e6b3cc..6cec3befc 100644
--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -31,5 +31,5 @@ shell none
 
 # private-bin amarok
 private-dev
-# private-etc machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/ardour5.profile b/etc/ardour5.profile
index 3c207b5b3..377ce0a2c 100644
--- a/etc/ardour5.profile
+++ b/etc/ardour5.profile
@@ -36,7 +36,7 @@ shell none
 #private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm
 private-cache
 private-dev
-#private-etc pulse,X11,alternatives,ardour4,ardour5,fonts,machine-id,asound.conf
+#private-etc alternatives,pulse,X11,alternatives,ardour4,ardour5,fonts,machine-id,asound.conf
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/aria2c.profile b/etc/aria2c.profile
index 3015349b7..56ed081e6 100644
--- a/etc/aria2c.profile
+++ b/etc/aria2c.profile
@@ -37,7 +37,7 @@ disable-mnt
 private-bin aria2c,gzip
 private-cache
 private-dev
-private-etc ca-certificates,ssl
+private-etc alternatives,ca-certificates,ssl
 private-lib libreadline.so.*
 private-tmp
 
diff --git a/etc/ark.profile b/etc/ark.profile
index 37211682c..b60674f95 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -34,7 +34,7 @@ seccomp
 shell none
 
 private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,bash,sh,tclsh
-#private-etc smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg
+#private-etc alternatives,smb.conf,samba,mtab,fonts,drirc,kde5rc,passwd,group,xdg
 
 private-dev
 private-tmp
diff --git a/etc/arm.profile b/etc/arm.profile
index 288dd972a..217b61d09 100644
--- a/etc/arm.profile
+++ b/etc/arm.profile
@@ -44,7 +44,7 @@ tracelog
 disable-mnt
 private-bin arm,tor,sh,bash,python*,ps,lsof,ldconfig
 private-dev
-private-etc tor,passwd,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,tor,passwd,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/artha.profile b/etc/artha.profile
index 7b0c6735b..431fc3ed1 100644
--- a/etc/artha.profile
+++ b/etc/artha.profile
@@ -37,7 +37,7 @@ disable-mnt
 private-bin artha,enchant,notify-send
 private-cache
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-lib libnotify.so.*
 private-tmp
 
diff --git a/etc/atool.profile b/etc/atool.profile
index d5daeabbe..c82108cef 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -43,5 +43,5 @@ private-cache
 # private-bin atool
 private-dev
 # without login.defs atool complains and uses UID/GID 1000 by default
-private-etc passwd,group,login.defs
+private-etc alternatives,passwd,group,login.defs
 private-tmp
diff --git a/etc/atril.profile b/etc/atril.profile
index 92fae21d4..aca945ba3 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -41,7 +41,7 @@ tracelog
 
 private-bin atril, atril-previewer, atril-thumbnailer
 private-dev
-private-etc fonts,ld.so.cache
+private-etc alternatives,fonts,ld.so.cache
 # atril uses webkit gtk to display epub files
 # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
 #private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit
diff --git a/etc/authenticator.profile b/etc/authenticator.profile
index 9656bb3d7..fc86001be 100644
--- a/etc/authenticator.profile
+++ b/etc/authenticator.profile
@@ -40,7 +40,7 @@ disable-mnt
 # private-bin authenticator
 private-cache
 private-dev
-private-etc fonts,ld.so.cache
+private-etc alternatives,fonts,ld.so.cache
 # private-lib
 private-tmp
 
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index 07cb889e4..6e40054f7 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -44,5 +44,5 @@ shell none
 
 # private-bin bibletime,qt5ct
 private-dev
-private-etc fonts,resolv.conf,sword,sword.conf,passwd,machine-id,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,resolv.conf,sword,sword.conf,passwd,machine-id,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/bitcoin-qt.profile b/etc/bitcoin-qt.profile
index 46ce0775b..def292118 100644
--- a/etc/bitcoin-qt.profile
+++ b/etc/bitcoin-qt.profile
@@ -42,7 +42,7 @@ tracelog
 private-bin bitcoin-qt
 private-dev
 # Causes problem with loading of libGL.so
-#private-etc fonts,ca-certificates,ssl,pki,crypto-policies
+#private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
 # Works, but QT complains about OpenSSL a bit.
 #private-lib
 private-tmp
diff --git a/etc/bless.profile b/etc/bless.profile
index cc03107a5..8315f4563 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -35,7 +35,7 @@ shell none
 # private-bin bless,sh,bash,mono
 private-cache
 private-dev
-private-etc fonts,mono
+private-etc alternatives,fonts,mono
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/brasero.profile b/etc/brasero.profile
index 8ab9472ac..5021db254 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -30,7 +30,7 @@ tracelog
 # private-bin brasero
 private-cache
 # private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 # private-tmp
 
 memory-deny-write-execute
diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile
index f6864386e..9e45b1fd6 100644
--- a/etc/bsdtar.profile
+++ b/etc/bsdtar.profile
@@ -37,4 +37,4 @@ tracelog
 # support compressed archives
 private-bin sh,bash,bsdcat,bsdcpio,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive
 private-dev
-private-etc passwd,group,localtime
+private-etc alternatives,passwd,group,localtime
diff --git a/etc/caja.profile b/etc/caja.profile
index f938792cd..49516de8c 100644
--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -41,5 +41,5 @@ tracelog
 # caja needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin caja
 # private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 # private-tmp
diff --git a/etc/clawsker.profile b/etc/clawsker.profile
index e863a6a45..d50882c75 100644
--- a/etc/clawsker.profile
+++ b/etc/clawsker.profile
@@ -44,7 +44,7 @@ shell none
 private-bin clawsker,perl
 private-cache
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-lib girepository-1.*,libgirepository-1.*,perl*
 private-tmp
 
diff --git a/etc/cmus.profile b/etc/cmus.profile
index ee6600b76..e602c4e2a 100644
--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -27,4 +27,4 @@ seccomp
 shell none
 
 private-bin cmus
-private-etc group,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,group,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
diff --git a/etc/crow.profile b/etc/crow.profile
new file mode 100644
index 000000000..93f71cef8
--- /dev/null
+++ b/etc/crow.profile
@@ -0,0 +1,46 @@
+# Firejail profile for crow
+# Description: A translator that allows to translate and say selected text using Google, Yandex and Bing translate API
+# This file is overwritten after every install/update
+# Persistent local customizations
+include crow.local
+# Persistent global definitions
+include globals.local
+
+mkdir ${HOME}/.config/crow
+mkdir ${HOME}/.cache/gstreamer-1.0
+whitelist ${HOME}/.config/crow
+whitelist ${HOME}/.cache/gstreamer-1.0
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-bin crow
+private-dev
+private-etc alternatives,ca-certificates,ssl,machine-id,dconf,nsswitch.conf,resolv.conf,fonts,asound.conf,pulse,pki,crypto-policies
+private-opt none
+private-tmp
+private-srv none
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/curl.profile b/etc/curl.profile
index d20e00740..1783f1337 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -33,7 +33,7 @@ shell none
 # private-bin curl
 private-cache
 private-dev
-# private-etc resolv.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/default.profile b/etc/default.profile
index 14ea0ae17..917e42287 100644
--- a/etc/default.profile
+++ b/etc/default.profile
@@ -37,7 +37,7 @@ seccomp
 # private-bin program
 # private-cache
 # private-dev
-# private-etc none
+# private-etc alternatives
 # private-lib
 # private-tmp
 
diff --git a/etc/devilspie.profile b/etc/devilspie.profile
index b3558a038..a809bee0c 100644
--- a/etc/devilspie.profile
+++ b/etc/devilspie.profile
@@ -37,7 +37,7 @@ disable-mnt
 private-bin devilspie
 private-cache
 private-dev
-private-etc none
+private-etc alternatives
 private-lib gconv
 private-tmp
 
diff --git a/etc/devilspie2.profile b/etc/devilspie2.profile
index 4ab2634e8..d8c10413b 100644
--- a/etc/devilspie2.profile
+++ b/etc/devilspie2.profile
@@ -37,7 +37,7 @@ disable-mnt
 private-bin devilspie2
 private-cache
 private-dev
-private-etc none
+private-etc alternatives
 private-lib gconv
 private-tmp
 
diff --git a/etc/dig.profile b/etc/dig.profile
index 8a0ba8f09..f5b26c195 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -40,7 +40,7 @@ private
 private-bin sh,bash,dig
 private-cache
 private-dev
-# private-etc resolv.conf
+# private-etc alternatives,resolv.conf
 private-lib
 private-tmp
 
diff --git a/etc/digikam.profile b/etc/digikam.profile
index ccc0a6544..cc0e98ba3 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -37,7 +37,7 @@ shell none
 
 # private-bin program
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
-# private-etc ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/dino.profile b/etc/dino.profile
index 9844ce81a..76f63fdc8 100644
--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -36,7 +36,7 @@ shell none
 disable-mnt
 private-bin dino
 private-dev
-# private-etc fonts,ca-certificates,ssl,pki,crypto-policies # breaks server connection
+# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies # breaks server connection
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index f98f247d5..80ea918df 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -305,6 +305,7 @@ blacklist ${HOME}/.msmtprc
 blacklist ${HOME}/.mutt
 blacklist ${HOME}/.muttrc
 blacklist ${HOME}/.netrc
+blacklist ${HOME}/.nyx
 blacklist ${HOME}/.pki
 blacklist ${HOME}/.local/share/pki
 blacklist ${HOME}/.smbcredentials
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 32c3ddb07..39aab61c1 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -201,6 +201,7 @@ blacklist ${HOME}/.config/mono
 blacklist ${HOME}/.config/mpd
 blacklist ${HOME}/.config/mpv
 blacklist ${HOME}/.config/mupen64plus
+blacklist ${HOME}/.config/mypaint
 blacklist ${HOME}/.config/nautilus
 blacklist ${HOME}/.config/nemo
 blacklist ${HOME}/.config/netsurf
@@ -450,6 +451,7 @@ blacklist ${HOME}/.local/share/midori
 blacklist ${HOME}/.local/share/multimc
 blacklist ${HOME}/.local/share/multimc5
 blacklist ${HOME}/.local/share/mupen64plus
+blacklist ${HOME}/.local/share/mypaint
 blacklist ${HOME}/.local/share/nautilus
 blacklist ${HOME}/.local/share/nautilus-python
 blacklist ${HOME}/.local/share/nemo
@@ -612,6 +614,7 @@ blacklist ${HOME}/.cache/moonchild productions/basilisk
 blacklist ${HOME}/.cache/moonchild productions/pale moon
 blacklist ${HOME}/.cache/mozilla
 blacklist ${HOME}/.cache/mutt
+blacklist ${HOME}/.cache/mypaint
 blacklist ${HOME}/.cache/nheko/nheko
 blacklist ${HOME}/.cache/netsurf
 blacklist ${HOME}/.cache/okular
diff --git a/etc/discord-common.profile b/etc/discord-common.profile
index 9c6a40e8a..c520454e8 100644
--- a/etc/discord-common.profile
+++ b/etc/discord-common.profile
@@ -27,7 +27,7 @@ seccomp
 
 private-bin sh,xdg-mime,tr,sed,echo,head,cut,xdg-open,grep,egrep,bash,zsh
 private-dev
-private-etc fonts,machine-id,localtime,ld.so.cache,ca-certificates,ssl,pki,crypto-policies,resolv.conf
+private-etc alternatives,fonts,machine-id,localtime,ld.so.cache,ca-certificates,ssl,pki,crypto-policies,resolv.conf
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/display.profile b/etc/display.profile
index 3182aebbe..ff19365ad 100644
--- a/etc/display.profile
+++ b/etc/display.profile
@@ -39,5 +39,6 @@ shell none
 
 private-bin display,python*
 private-dev
-# private-etc none - on Debian-based systems display is a symlink in /etc/alternatives
+# On Debian-based systems, display is a symlink in /etc/alternatives
+private-etc alternatives
 private-tmp
diff --git a/etc/easystroke.profile b/etc/easystroke.profile
index 31cc48e9f..44156f97e 100644
--- a/etc/easystroke.profile
+++ b/etc/easystroke.profile
@@ -36,7 +36,7 @@ disable-mnt
 private-bin easystroke,bash,sh
 private-cache
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 
diff --git a/etc/electrum.profile b/etc/electrum.profile
index d24a31299..a290683de 100644
--- a/etc/electrum.profile
+++ b/etc/electrum.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin electrum,python*
 private-cache
 private-dev
-private-etc fonts,dconf,ca-certificates,ssl,pki,crypto-policies,machine-id
+private-etc alternatives,fonts,dconf,ca-certificates,ssl,pki,crypto-policies,machine-id
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/elinks.profile b/etc/elinks.profile
index 6643c5fda..842a0db04 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -36,5 +36,5 @@ tracelog
 # private-bin elinks
 private-cache
 private-dev
-# private-etc ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/enchant.profile b/etc/enchant.profile
index e29e542ab..1d3d33d68 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -35,7 +35,7 @@ tracelog
 # private-bin enchant, enchant-*
 private-cache
 private-dev
-private-etc none
+private-etc alternatives
 private-tmp
 
 # memory-deny-write-execute
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index b9f2632c4..670808de2 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -34,7 +34,7 @@ tracelog
 
 # private-bin engrampa
 private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 # private-tmp
 
 memory-deny-write-execute
diff --git a/etc/eog.profile b/etc/eog.profile
index 75d343d4e..d448b7c6c 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -39,7 +39,7 @@ shell none
 private-bin eog
 private-cache
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp
 
diff --git a/etc/eom.profile b/etc/eom.profile
index 7d84cd3b4..c34331da6 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -39,7 +39,7 @@ tracelog
 
 private-bin eom
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-lib
 private-tmp
 
diff --git a/etc/etr.profile b/etc/etr.profile
index 6c3db897b..cf13a42de 100644
--- a/etc/etr.profile
+++ b/etc/etr.profile
@@ -31,5 +31,5 @@ shell none
 
 # private-bin etr
 private-dev
-# private-etc none
+# private-etc alternatives
 private-tmp
diff --git a/etc/evince.profile b/etc/evince.profile
index b9ff3c121..e9b530ece 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -39,7 +39,7 @@ tracelog
 
 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
-private-etc fonts,machine-id
+private-etc alternatives,fonts,machine-id
 
 private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,gconv
 
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 3eac35bac..37e01f8d3 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -39,5 +39,5 @@ tracelog
 # private-bin exiftool,perl
 private-cache
 private-dev
-private-etc none
+private-etc alternatives
 private-tmp
diff --git a/etc/feh-network.inc b/etc/feh-network.inc
new file mode 100644
index 000000000..b74486f4f
--- /dev/null
+++ b/etc/feh-network.inc
@@ -0,0 +1,2 @@
+ignore net none
+private-etc resolv.conf,ca-certificates,ssl
diff --git a/etc/feh.profile b/etc/feh.profile
index ddf0fa154..f020bace5 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -12,6 +12,11 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+# This profile disables network access
+# In order to enable network access,
+# uncomment the following or put it in your feh.local:
+# include feh-network.inc
+
 caps.drop all
 net none
 no3d
@@ -31,5 +36,5 @@ shell none
 private-bin feh,jpegexiforient,jpegtran
 private-cache
 private-dev
-private-etc feh
+private-etc alternatives,feh
 private-tmp
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index d79b4de4b..e4863bfc0 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -34,7 +34,7 @@ tracelog
 
 # private-bin file-roller
 private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 # private-tmp
 
 #memory-deny-write-execute  - breaks on Arch
diff --git a/etc/file.profile b/etc/file.profile
index f2f9f25f9..0769f8887 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -34,7 +34,7 @@ x11 none
 #private-bin file
 private-cache
 private-dev
-private-etc magic.mgc,magic,localtime
+private-etc alternatives,magic.mgc,magic,localtime
 private-lib libarchive.so.*,libfakeroot,libmagic.so.*
 
 memory-deny-write-execute
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 7c65be7cb..69920aa5f 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -51,7 +51,7 @@ shell none
 disable-mnt
 private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
-#private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache
+#private-etc alternatives,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache
 private-tmp
 
 # breaks DRM binaries
diff --git a/etc/flameshot.profile b/etc/flameshot.profile
index d665d1851..1c5f90f42 100644
--- a/etc/flameshot.profile
+++ b/etc/flameshot.profile
@@ -35,7 +35,7 @@ shell none
 disable-mnt
 private-bin flameshot
 private-cache
-private-etc fonts,ld.so.conf,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,ld.so.conf,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-dev
 private-tmp
 
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index 3697252e7..ed3b4490f 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -35,5 +35,5 @@ shell none
 disable-mnt
 # private-bin frozen-bubble
 private-dev
-# private-etc none
+# private-etc alternatives
 private-tmp
diff --git a/etc/gajim.profile b/etc/gajim.profile
index a957b07b0..efe85f3aa 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -47,7 +47,7 @@ tracelog
 disable-mnt
 private-bin python,python3,sh,gpg,gpg2,gajim,bash,zsh,paplay,gajim-history-manager
 private-dev
-private-etc alsa,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/galculator.profile b/etc/galculator.profile
index 323c880a8..509d9bd05 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -38,6 +38,6 @@ tracelog
 
 private-bin galculator
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-lib
 private-tmp
diff --git a/etc/gcloud.profile b/etc/gcloud.profile
index 5aa73b38f..d9df8fd37 100644
--- a/etc/gcloud.profile
+++ b/etc/gcloud.profile
@@ -32,7 +32,7 @@ tracelog
 
 disable-mnt
 private-dev
-private-etc ca-certificates,ssl,hosts,localtime,nsswitch.conf,resolv.conf,pki,crypto-policies,ld.so.cache
+private-etc alternatives,ca-certificates,ssl,hosts,localtime,nsswitch.conf,resolv.conf,pki,crypto-policies,ld.so.cache
 private-tmp
 
 noexec /tmp
diff --git a/etc/gedit.profile b/etc/gedit.profile
index af0a3da56..a583c534f 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -40,7 +40,7 @@ tracelog
 
 # private-bin gedit
 private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 private-lib /usr/bin/gedit,libtinfo.so.*,libreadline.so.*,gedit,libgspell-1.so.*,gconv,aspell
 private-tmp
 
diff --git a/etc/geeqie.profile b/etc/geeqie.profile
index a7d82b5fb..adfc3ef1c 100644
--- a/etc/geeqie.profile
+++ b/etc/geeqie.profile
@@ -31,4 +31,4 @@ shell none
 
 # private-bin geeqie
 private-dev
-# private-etc X11
+# private-etc alternatives,X11
diff --git a/etc/ghostwriter.profile b/etc/ghostwriter.profile
index bdca281ed..11686e0e9 100644
--- a/etc/ghostwriter.profile
+++ b/etc/ghostwriter.profile
@@ -52,7 +52,7 @@ tracelog
 #private-bin ghostwriter,pandoc
 private-cache
 private-dev
-private-etc cups,crypto-policies,localtime,drirc,fonts,gtk-3.0,dconf,machine-id
+private-etc alternatives,cups,crypto-policies,localtime,drirc,fonts,gtk-3.0,dconf,machine-id
 # Breaks Translation
 #private-lib
 private-tmp
diff --git a/etc/github-desktop.profile b/etc/github-desktop.profile
index 9ac212fe8..934ac7c40 100644
--- a/etc/github-desktop.profile
+++ b/etc/github-desktop.profile
@@ -39,7 +39,7 @@ disable-mnt
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-# private-etc none
+# private-etc alternatives
 # private-lib
 private-tmp
 
diff --git a/etc/gitter.profile b/etc/gitter.profile
index d8439fa79..d84f01f20 100644
--- a/etc/gitter.profile
+++ b/etc/gitter.profile
@@ -35,7 +35,7 @@ shell none
 
 disable-mnt
 private-bin bash,env,gitter
-private-etc fonts,pulse,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,pulse,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-opt Gitter
 private-dev
 private-tmp
diff --git a/etc/gjs.profile b/etc/gjs.profile
index 9c7aa5700..f119e5b34 100644
--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -34,5 +34,5 @@ tracelog
 
 # private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather
 private-dev
-# private-etc fonts,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
index c748cf7e3..b880980bc 100644
--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -37,7 +37,7 @@ tracelog
 
 # private-bin gjs gnome-books
 private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
index fbd8c22c0..42aa3ea2c 100644
--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -35,7 +35,7 @@ tracelog
 disable-mnt
 private-bin fairymax,gnome-chess,hoichess
 private-dev
-private-etc fonts,gnome-chess
+private-etc alternatives,fonts,gnome-chess
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
index 54356a1b7..83ece0fce 100644
--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -34,7 +34,7 @@ tracelog
 disable-mnt
 # private-bin gnome-clocks
 private-dev
-# private-etc fonts,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/gnome-logs.profile b/etc/gnome-logs.profile
index f89684219..c429c7697 100644
--- a/etc/gnome-logs.profile
+++ b/etc/gnome-logs.profile
@@ -37,7 +37,7 @@ shell none
 disable-mnt
 private-bin gnome-logs
 private-dev
-private-etc fonts,localtime,machine-id
+private-etc alternatives,fonts,localtime,machine-id
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 writable-var-log
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index 2d2f5aa6d..b963c17dd 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -38,7 +38,7 @@ tracelog
 disable-mnt
 # private-bin gjs gnome-maps
 private-dev
-# private-etc fonts,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index 54e055358..c4dedcf1c 100644
--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -40,7 +40,7 @@ tracelog
 
 private-bin gnome-music,python*,env,gio-launch-desktop,yelp
 private-dev
-private-etc fonts,machine-id,pulse,asound.conf
+private-etc alternatives,fonts,machine-id,pulse,asound.conf
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index 2e3356607..c48ca50a5 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -34,7 +34,7 @@ tracelog
 
 # private-bin gjs gnome-photos
 private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/gnome-pie.profile b/etc/gnome-pie.profile
index cef741eb3..01c65a5a4 100644
--- a/etc/gnome-pie.profile
+++ b/etc/gnome-pie.profile
@@ -34,7 +34,7 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 
diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile
index 761c604ff..e516566d7 100644
--- a/etc/gnome-recipes.profile
+++ b/etc/gnome-recipes.profile
@@ -38,7 +38,7 @@ shell none
 disable-mnt
 private-bin gnome-recipes,tar
 private-dev
-private-etc ca-certificates,fonts,ssl,crypto-policies,pki
+private-etc alternatives,ca-certificates,fonts,ssl,crypto-policies,pki
 # private-lib works for me with Gnome Shell 3.26.2, Mutter WM (Arch Linux)
 # not widely tested though, leaving it to devs discretion to enable it later
 #private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libgnutls.so.30,libjpeg.so.8,libp11-kit.so.0,libproxy.so.1,librsvg-2.so.2
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
index 6b5f5480d..baa5d39fd 100644
--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -38,7 +38,7 @@ tracelog
 disable-mnt
 # private-bin gjs gnome-weather
 private-dev
-# private-etc fonts,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/goobox.profile b/etc/goobox.profile
index 3cc159eb2..be332665e 100644
--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -31,5 +31,5 @@ tracelog
 
 # private-bin goobox
 private-dev
-# private-etc fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 # private-tmp
diff --git a/etc/gpicview.profile b/etc/gpicview.profile
index d3e1123f3..af9680b49 100644
--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -34,6 +34,6 @@ tracelog
 
 private-bin gpicview
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-lib
 private-tmp
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
index 76a10f697..38897f184 100644
--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -33,7 +33,7 @@ tracelog
 
 private-bin gpredict
 private-dev
-private-etc fonts,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/gradio.profile b/etc/gradio.profile
index e7f415090..eec7376b4 100644
--- a/etc/gradio.profile
+++ b/etc/gradio.profile
@@ -34,7 +34,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-private-etc asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id
+private-etc alternatives,asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index e90578333..790e4920d 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -44,7 +44,7 @@ shell none
 
 private-bin gwenview,gimp*,kbuildsycoca4,kdeinit4
 private-dev
-private-etc fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
+private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 
 # memory-deny-write-execute
 noexec ${HOME}
diff --git a/etc/highlight.profile b/etc/highlight.profile
index ae2cce0b4..243643aea 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -34,5 +34,5 @@ tracelog
 private-bin highlight
 private-cache
 private-dev
-# private-etc none
+# private-etc alternatives
 private-tmp
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
index 6f860a3d4..2011759e3 100644
--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -34,5 +34,5 @@ tracelog
 # private-bin img2txt
 private-cache
 private-dev
-# private-etc none
+# private-etc alternatives
 private-tmp
diff --git a/etc/kate.profile b/etc/kate.profile
index cce36eacc..4a78d718f 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -42,7 +42,7 @@ tracelog
 
 # private-bin kate,kbuildsycoca4,kdeinit4
 private-dev
-# private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
+# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
 
 # noexec ${HOME}
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index fc9386618..357eb435d 100644
--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -41,7 +41,7 @@ tracelog
 
 private-bin keepassx,keepassx2
 private-dev
-private-etc fonts,machine-id
+private-etc alternatives,fonts,machine-id
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index 448f5455f..d565373f4 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -42,7 +42,7 @@ shell none
 
 private-bin keepassxc
 private-dev
-private-etc fonts,ld.so.cache,machine-id
+private-etc alternatives,fonts,ld.so.cache,machine-id
 private-tmp
 
 # 2.2.4 crashes on database open
diff --git a/etc/klavaro.profile b/etc/klavaro.profile
index 890cde3db..04b4a5ae5 100644
--- a/etc/klavaro.profile
+++ b/etc/klavaro.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin klavaro,tclsh,tclsh*,bash
 private-cache
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/kwin_x11.profile b/etc/kwin_x11.profile
index 653283150..834f6f2dd 100644
--- a/etc/kwin_x11.profile
+++ b/etc/kwin_x11.profile
@@ -37,7 +37,7 @@ tracelog
 disable-mnt
 private-bin kwin_x11
 private-dev
-private-etc drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg
+private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index 9922cb0b5..bc4fba97d 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -44,7 +44,7 @@ tracelog
 
 private-bin kwrite,kbuildsycoca4,kdeinit4
 private-dev
-private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
+private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
index 6e53fc62b..047424e5e 100644
--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -38,7 +38,7 @@ seccomp
 shell none
 
 private-dev
-private-etc asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id
+private-etc alternatives,asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/lynx.profile b/etc/lynx.profile
index e8d44823b..2f043c9b9 100644
--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -34,5 +34,5 @@ tracelog
 # private-bin lynx
 private-cache
 private-dev
-# private-etc ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/masterpdfeditor.profile b/etc/masterpdfeditor.profile
index e35ddd2a7..56433df41 100644
--- a/etc/masterpdfeditor.profile
+++ b/etc/masterpdfeditor.profile
@@ -41,7 +41,7 @@ tracelog
 private-bin masterpdfeditor*
 private-cache
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 # private-lib
 private-tmp
 
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile
index e3220076d..1d3c21e3f 100644
--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -39,7 +39,7 @@ shell none
 
 disable-mnt
 private-bin mate-calc,mate-calculator
-private-etc fonts
+private-etc alternatives,fonts
 private-dev
 private-opt none
 private-tmp
diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile
index 1ba744d5a..a344f70e1 100644
--- a/etc/mate-color-select.profile
+++ b/etc/mate-color-select.profile
@@ -34,7 +34,7 @@ shell none
 
 disable-mnt
 private-bin mate-color-select
-private-etc fonts
+private-etc alternatives,fonts
 private-dev
 private-lib
 private-tmp
diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile
index ba179dfdd..196f5b2c3 100644
--- a/etc/mate-dictionary.profile
+++ b/etc/mate-dictionary.profile
@@ -36,7 +36,7 @@ shell none
 
 disable-mnt
 private-bin mate-dictionary
-private-etc fonts,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-opt mate-dictionary
 private-dev
 private-tmp
diff --git a/etc/mcabber.profile b/etc/mcabber.profile
index ea4cb0250..c65a25edc 100644
--- a/etc/mcabber.profile
+++ b/etc/mcabber.profile
@@ -30,4 +30,4 @@ shell none
 
 private-bin mcabber
 private-dev
-private-etc ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index 115444e0f..32a269fd3 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -34,5 +34,5 @@ tracelog
 private-bin mediainfo
 private-cache
 private-dev
-private-etc none
+private-etc alternatives
 private-tmp
diff --git a/etc/min.profile b/etc/min.profile
index 80baedff7..6101ac2e6 100644
--- a/etc/min.profile
+++ b/etc/min.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-cache
 private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
-private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache
+private-etc alternatives,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache
 private-tmp
 
 # memory-deny-write-execute
diff --git a/etc/minetest.profile b/etc/minetest.profile
index 17b39f7c6..aa50847ea 100644
--- a/etc/minetest.profile
+++ b/etc/minetest.profile
@@ -38,7 +38,7 @@ disable-mnt
 private-bin minetest
 private-dev
 # private-etc needs to be updated, see #1702
-#private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
+#private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/ms-office.profile b/etc/ms-office.profile
index 6c8cb213f..6334ecd41 100644
--- a/etc/ms-office.profile
+++ b/etc/ms-office.profile
@@ -37,7 +37,7 @@ tracelog
 
 disable-mnt
 private-bin bash,fonts,env,jak,ms-office,python*,sh
-private-etc resolv.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-dev
 private-tmp
 
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 011e85c0e..59ad36305 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -37,7 +37,7 @@ tracelog
 
 # private-bin mupdf,sh,tempfile,rm
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-tmp
 
 # mupdf will never write anything
diff --git a/etc/musixmatch.profile b/etc/musixmatch.profile
index d5fde525e..54d9fb16e 100644
--- a/etc/musixmatch.profile
+++ b/etc/musixmatch.profile
@@ -21,7 +21,7 @@ nodvd
 nogroups
 nonewprivs
 noroot
-nogroups 
+nogroups
 nosound
 notv
 nou2f
@@ -31,7 +31,7 @@ seccomp
 
 disable-mnt
 private-dev
-private-etc machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/mypaint-ora-thumbnailer.profile b/etc/mypaint-ora-thumbnailer.profile
new file mode 100644
index 000000000..59b3024ed
--- /dev/null
+++ b/etc/mypaint-ora-thumbnailer.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for mypaint-ora-thumbnailer
+# This file is overwritten after every install/update
+
+# Redirect
+include mypaint.profile
diff --git a/etc/mypaint.profile b/etc/mypaint.profile
new file mode 100644
index 000000000..21fd841cf
--- /dev/null
+++ b/etc/mypaint.profile
@@ -0,0 +1,48 @@
+# Firejail profile for mypaint
+# Description: A fast and easy graphics application for digital painters
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mypaint.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/mypaint
+noblacklist ${HOME}/.config/mypaint
+noblacklist ${HOME}/.local/share/mypaint
+noblacklist ${PATH}/python2*
+noblacklist /usr/lib/python2*
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-etc alternatives,fonts,gtk-3.0,dconf
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/nautilus.profile b/etc/nautilus.profile
index 13fe9a9e1..b5e65e3ee 100644
--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -42,5 +42,5 @@ tracelog
 # nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
 # private-bin nautilus
 # private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 # private-tmp
diff --git a/etc/nitroshare.profile b/etc/nitroshare.profile
index 67c651429..bf8fff7cd 100644
--- a/etc/nitroshare.profile
+++ b/etc/nitroshare.profile
@@ -41,7 +41,7 @@ disable-mnt
 private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui
 private-cache
 private-dev
-private-etc ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,machine-id,nsswitch.conf,ssl
+private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,machine-id,nsswitch.conf,ssl
 # private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
 private-tmp
 
diff --git a/etc/nyx.profile b/etc/nyx.profile
new file mode 100644
index 000000000..2a078ef0f
--- /dev/null
+++ b/etc/nyx.profile
@@ -0,0 +1,51 @@
+# Firejail profile for nyx
+# Description: Command-line status monitor for tor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nyx.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
+noblacklist ${HOME}/.nyx
+mkdir ${HOME}/.nyx
+whitelist ${HOME}/.nyx
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin nyx,python*
+private-cache
+private-dev
+private-etc alternatives,passwd,tor,fonts
+private-opt none
+private-srv none
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/ocenaudio.profile b/etc/ocenaudio.profile
index 10f3f68a6..4a4fa828d 100644
--- a/etc/ocenaudio.profile
+++ b/etc/ocenaudio.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin ocenaudio
 private-cache
 private-dev
-private-etc asound.conf,fonts,ld.so.cache,pulse
+private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse
 # private-lib
 private-tmp
 
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
index 3a1369b83..3e1739bf9 100644
--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -37,6 +37,6 @@ tracelog
 private-bin odt2txt
 private-cache
 private-dev
-private-etc none
+private-etc alternatives
 private-tmp
 read-only ${HOME}
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile
index 108398104..bff42fb19 100644
--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -33,5 +33,5 @@ shell none
 
 # private-bin open-invaders
 private-dev
-# private-etc none
+# private-etc alternatives
 private-tmp
diff --git a/etc/parole.profile b/etc/parole.profile
index 9ad59d2e6..69ed5a2ca 100644
--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -27,4 +27,4 @@ shell none
 
 private-bin parole,dbus-launch
 private-cache
-private-etc passwd,group,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,passwd,group,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
diff --git a/etc/pdfchain.profile b/etc/pdfchain.profile
index f0db20b74..d9f721578 100644
--- a/etc/pdfchain.profile
+++ b/etc/pdfchain.profile
@@ -34,7 +34,7 @@ shell none
 
 private-bin pdfchain,pdftk,sh
 private-dev
-private-etc dconf,fonts,gtk-3.0,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,xdg
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
index 6b2b0fba5..85e28372e 100644
--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -38,5 +38,5 @@ tracelog
 
 private-bin pdftotext
 private-dev
-private-etc none
+private-etc alternatives
 private-tmp
diff --git a/etc/pingus.profile b/etc/pingus.profile
index f071e664f..6b664248f 100644
--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -33,5 +33,5 @@ shell none
 
 # private-bin pingus
 private-dev
-# private-etc none
+# private-etc alternatives
 private-tmp
diff --git a/etc/pluma.profile b/etc/pluma.profile
index 35b141c1a..a8b1e4cc6 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -37,10 +37,12 @@ tracelog
 
 private-bin pluma
 private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 private-lib pluma
 private-tmp
 
 memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
+
+join-or-start pluma
diff --git a/etc/ppsspp.profile b/etc/ppsspp.profile
index fc37e6fd2..0c8bfa770 100644
--- a/etc/ppsspp.profile
+++ b/etc/ppsspp.profile
@@ -37,7 +37,7 @@ shell none
 
 # private-dev is disabled to allow controller support
 #private-dev
-private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
+private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
 private-opt ppsspp
 private-tmp
 
diff --git a/etc/pybitmessage.profile b/etc/pybitmessage.profile
index c98f34e77..92cae0f97 100644
--- a/etc/pybitmessage.profile
+++ b/etc/pybitmessage.profile
@@ -42,7 +42,7 @@ shell none
 disable-mnt
 private-bin pybitmessage,python*,sh,ldconfig,env,bash,stat
 private-dev
-private-etc PyBitmessage,PyBitmessage.conf,Trolltech.conf,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,resolv.conf,selinux,sni-qt.conf,system-fips,xdg,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,PyBitmessage,PyBitmessage.conf,Trolltech.conf,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,resolv.conf,selinux,sni-qt.conf,system-fips,xdg,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/pycharm-community.profile b/etc/pycharm-community.profile
index bb948a971..bfe8b614e 100644
--- a/etc/pycharm-community.profile
+++ b/etc/pycharm-community.profile
@@ -32,7 +32,7 @@ novideo
 shell none
 tracelog
 
-# private-etc fonts,passwd - minimal required to run but will probably break
+# private-etc alternatives,fonts,passwd - minimal required to run but will probably break
 # program!
 private-cache
 private-dev
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index b6b94c703..0420d38e9 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -53,7 +53,7 @@ shell none
 
 private-bin qbittorrent,python*
 private-dev
-# private-etc X11,fonts,xdg,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,X11,fonts,xdg,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 # private-lib - problems on Arch
 private-tmp
 
diff --git a/etc/qtox.profile b/etc/qtox.profile
index b6cb9772a..3dc4c6a30 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -36,7 +36,7 @@ tracelog
 
 disable-mnt
 private-bin qtox
-private-etc fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse
+private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse
 private-dev
 private-tmp
 
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index ce0816114..e6c441e27 100644
--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -47,7 +47,7 @@ tracelog
 disable-mnt
 private-bin quiterss
 private-dev
-# private-etc X11,ssl,pki,ca-certificates,crypto-policies
+# private-etc alternatives,X11,ssl,pki,ca-certificates,crypto-policies
 
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile
index efee6ce84..eef0c8fa6 100644
--- a/etc/qupzilla.profile
+++ b/etc/qupzilla.profile
@@ -34,7 +34,7 @@ seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@res
 # tracelog
 
 private-dev
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
 # private-tmp - interferes with the opening of downloaded files
 
 noexec ${HOME}
diff --git a/etc/ricochet.profile b/etc/ricochet.profile
index cbdc28cf6..a67d6b7ca 100644
--- a/etc/ricochet.profile
+++ b/etc/ricochet.profile
@@ -36,7 +36,7 @@ shell none
 disable-mnt
 private-bin ricochet,tor
 private-dev
-#private-etc fonts,tor,X11,alternatives,ca-certificates,ssl,pki,crypto-policies
+#private-etc alternatives,fonts,tor,X11,alternatives,ca-certificates,ssl,pki,crypto-policies
 
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
index 8cb291ba6..d92c62a52 100644
--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -50,4 +50,4 @@ seccomp
 tracelog
 
 disable-mnt
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies
diff --git a/etc/server.profile b/etc/server.profile
index 3526e88ab..8da4853e7 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -43,7 +43,7 @@ private
 # private-bin program
 # private-cache
 private-dev
-# private-etc none
+# private-etc alternatives
 # private-lib
 private-tmp
 
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
index 85cb00ef1..4ad841880 100644
--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -33,5 +33,5 @@ tracelog
 
 # private-bin simple-scan
 # private-dev
-# private-etc fonts,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
 # private-tmp
diff --git a/etc/simutrans.profile b/etc/simutrans.profile
index a4e4d892c..c07b1c145 100644
--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -33,5 +33,5 @@ shell none
 
 # private-bin simutrans
 private-dev
-# private-etc none
+# private-etc alternatives
 private-tmp
diff --git a/etc/slack.profile b/etc/slack.profile
index 995d49687..841998b0e 100644
--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -37,5 +37,5 @@ shell none
 disable-mnt
 private-bin slack,locale
 private-dev
-private-etc asound.conf,ca-certificates,fonts,group,passwd,pulse,resolv.conf,ssl,ld.so.conf,ld.so.cache,localtime,pki,crypto-policies,machine-id
+private-etc alternatives,asound.conf,ca-certificates,fonts,group,passwd,pulse,resolv.conf,ssl,ld.so.conf,ld.so.cache,localtime,pki,crypto-policies,machine-id
 private-tmp
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 14f9f5228..60d15735d 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -46,7 +46,7 @@ tracelog
 disable-mnt
 private-bin spotify,bash,sh,zenity
 private-dev
-private-etc fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
 private-opt spotify
 private-tmp
 
diff --git a/etc/standardnotes-desktop.profile b/etc/standardnotes-desktop.profile
index 4486c8869..0a4d38dbe 100644
--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -38,7 +38,7 @@ seccomp
 disable-mnt
 private-dev
 private-tmp
-private-etc ca-certificates,fonts,host.conf,hostname,hosts,resolv.conf,ssl,pki,crypto-policies,xdg
+private-etc alternatives,ca-certificates,fonts,host.conf,hostname,hosts,resolv.conf,ssl,pki,crypto-policies,xdg
 
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index d3b0b27e3..b0cb52a0f 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -34,7 +34,7 @@ shell none
 disable-mnt
 private-bin bash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
 private-dev
-private-etc fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
+private-etc alternatives,fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
 private-tmp
 
 noexec /tmp
diff --git a/etc/steam.profile b/etc/steam.profile
index 775b6c875..9d348347e 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -74,5 +74,5 @@ shell none
 # private-dev should be commented for controllers
 private-dev
 # private-etc breaks a small selection of games on some systems, comment to support those
-private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives,bumblebee,nvidia,os-release
+private-etc alternatives,asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,pki,services,crypto-policies,alternatives,bumblebee,nvidia,os-release
 private-tmp
diff --git a/etc/strings.profile b/etc/strings.profile
index f243606ec..3ef3ffcb1 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -24,7 +24,7 @@ tracelog
 private-bin strings
 private-cache
 private-dev
-private-etc none
+private-etc alternatives
 private-lib
 
 memory-deny-write-execute
diff --git a/etc/supertux2.profile b/etc/supertux2.profile
index fc523ce0a..793e4126c 100644
--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -34,5 +34,5 @@ shell none
 disable-mnt
 # private-bin supertux2
 private-dev
-# private-etc none
+# private-etc alternatives
 private-tmp
diff --git a/etc/supertuxkart.profile b/etc/supertuxkart.profile
index 9f65a2fa1..696ac4de0 100644
--- a/etc/supertuxkart.profile
+++ b/etc/supertuxkart.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin supertuxkart
 private-cache
 private-dev
-private-etc resolv.conf,ca-certificates,ssl,hosts,machine-id,xdg,openal,crypto-policies,pki,drirc,system-fips,selinux
+private-etc alternatives,resolv.conf,ca-certificates,ssl,hosts,machine-id,xdg,openal,crypto-policies,pki,drirc,system-fips,selinux
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/surf.profile b/etc/surf.profile
index 3a1b1f383..4fad4a81d 100644
--- a/etc/surf.profile
+++ b/etc/surf.profile
@@ -32,7 +32,7 @@ tracelog
 disable-mnt
 private-bin ls,surf,sh,bash,curl,dmenu,printf,sed,sleep,st,stterm,xargs,xprop
 private-dev
-private-etc passwd,group,hosts,resolv.conf,fonts,ssl,pki,ca-certificates,crypto-policies
+private-etc alternatives,passwd,group,hosts,resolv.conf,fonts,ssl,pki,ca-certificates,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/tar.profile b/etc/tar.profile
index 9a5f00f65..d228051e8 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -26,7 +26,7 @@ tracelog
 # support compressed archives
 private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
 private-dev
-private-etc passwd,group,localtime
+private-etc alternatives,passwd,group,localtime
 private-lib
 
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
diff --git a/etc/terasology.profile b/etc/terasology.profile
index 22038e0b4..43865b6fb 100644
--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -44,7 +44,7 @@ shell none
 
 disable-mnt
 private-dev
-private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk,pki,crypto-policies
+private-etc alternatives,asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index db563b25c..c3358a9e8 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -44,4 +44,4 @@ writable-run-user
 # Redirect
 # Uncomment if you use enigmail
 # ignore nodbus
-include firefox.profile
+include firefox-common.profile
diff --git a/etc/tilp.profile b/etc/tilp.profile
index ecacd1deb..2643c9a84 100644
--- a/etc/tilp.profile
+++ b/etc/tilp.profile
@@ -29,7 +29,7 @@ tracelog
 disable-mnt
 private-bin tilp
 private-cache
-private-etc fonts
+private-etc alternatives,fonts
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/tor.profile b/etc/tor.profile
index 04a6c3abb..418352639 100644
--- a/etc/tor.profile
+++ b/etc/tor.profile
@@ -46,7 +46,7 @@ private
 private-bin tor,bash
 private-cache
 private-dev
-private-etc tor,passwd,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,tor,passwd,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index a9244683f..2b1cc6549 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -49,7 +49,7 @@ shell none
 disable-mnt
 private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,readlink,rm,sed,sh,tail,tar,tclsh,test,tor-browser-en,torbrowser-launcher,xz
 private-dev
-private-etc fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
+private-etc alternatives,fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
 private-tmp
 
 noexec /tmp
diff --git a/etc/totem.profile b/etc/totem.profile
index 3055ea542..fd473b03c 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -36,7 +36,7 @@ private-bin totem
 # totem needs access to ~/.cache/tracker or it exits
 #private-cache
 private-dev
-# private-etc fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/tracker.profile b/etc/tracker.profile
index 6d86b2951..c1779ae3e 100644
--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -33,5 +33,5 @@ tracelog
 
 # private-bin tracker
 # private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 # private-tmp
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
index 81b52ec7c..89b9b21dc 100644
--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -33,7 +33,7 @@ tracelog
 
 # private-bin transmission-cli
 private-dev
-private-etc ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 248eb977e..6154ad15b 100644
--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -31,5 +31,5 @@ shell none
 tracelog
 
 private-dev
-private-etc none
+private-etc alternatives
 private-tmp
diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile
index f62f018a6..36d1319d1 100644
--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -29,5 +29,5 @@ shell none
 
 # private-bin unknown-horizons
 private-dev
-# private-etc ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/unrar.profile b/etc/unrar.profile
index 00fe0887b..bc5fced9f 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -25,7 +25,7 @@ tracelog
 
 private-bin unrar
 private-dev
-private-etc passwd,group,localtime
+private-etc alternatives,passwd,group,localtime
 private-tmp
 
 include default.profile
diff --git a/etc/unzip.profile b/etc/unzip.profile
index 8e659c256..1859a2248 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -25,7 +25,7 @@ tracelog
 
 private-bin unzip
 private-dev
-private-etc passwd,group,localtime
+private-etc alternatives,passwd,group,localtime
 
 # GNOME Shell integration (chrome-gnome-shell)
 noblacklist ${HOME}/.local/share/gnome-shell
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index 3bd0ebe70..9710b1b9f 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -23,6 +23,6 @@ tracelog
 private-bin uudeview
 private-cache
 private-dev
-private-etc ld.so.preload
+private-etc alternatives,ld.so.preload
 
 include default.profile
diff --git a/etc/viewnior.profile b/etc/viewnior.profile
index 4c22f8e6f..94b6c2052 100644
--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -38,7 +38,7 @@ tracelog
 private-bin viewnior
 private-cache
 private-dev
-private-etc fonts
+private-etc alternatives,fonts
 private-tmp
 
 # memory-deny-write-executes breaks on Arch - see issue #1808
diff --git a/etc/w3m.profile b/etc/w3m.profile
index c03df49cd..143ac4f63 100644
--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -36,5 +36,5 @@ tracelog
 # private-bin w3m
 private-cache
 private-dev
-private-etc resolv.conf,ssl,pki,ca-certificates,crypto-policies
+private-etc alternatives,resolv.conf,ssl,pki,ca-certificates,crypto-policies
 private-tmp
diff --git a/etc/webstorm.profile b/etc/webstorm.profile
index 9a25727a9..4979e8186 100644
--- a/etc/webstorm.profile
+++ b/etc/webstorm.profile
@@ -18,10 +18,10 @@ noblacklist ${PATH}/node
 noblacklist ${HOME}/.nvm
 
 include disable-common.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
 include disable-devel.inc
 include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
diff --git a/etc/wget.profile b/etc/wget.profile
index 87c0501da..c0a6f0d21 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -35,7 +35,7 @@ shell none
 
 # private-bin wget
 private-dev
-# private-etc resolv.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 # private-tmp
 
 noexec ${HOME}
diff --git a/etc/whois.profile b/etc/whois.profile
index 78236c02f..0e9eb05a5 100644
--- a/etc/whois.profile
+++ b/etc/whois.profile
@@ -38,7 +38,7 @@ private
 private-bin sh,bash,whois
 private-cache
 private-dev
-# private-etc hosts,services,whois.conf
+# private-etc alternatives,hosts,services,whois.conf
 private-lib
 private-tmp
 
diff --git a/etc/wire-desktop.profile b/etc/wire-desktop.profile
index f464a2fb9..e974e4304 100644
--- a/etc/wire-desktop.profile
+++ b/etc/wire-desktop.profile
@@ -37,5 +37,5 @@ shell none
 disable-mnt
 private-bin wire-desktop
 private-dev
-private-etc fonts,machine-id,resolv.conf,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,machine-id,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index 4f1142826..a08b97d05 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -45,7 +45,7 @@ tracelog
 
 # private-bin wireshark
 private-dev
-# private-etc fonts,group,hosts,machine-id,passwd,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,fonts,group,hosts,machine-id,passwd,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/xed.profile b/etc/xed.profile
index 7dffae05a..cd565f684 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -42,7 +42,7 @@ tracelog
 
 private-bin xed
 private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 private-tmp
 
 # xed uses python plugins, memory-deny-write-execute breaks python
diff --git a/etc/xfburn.profile b/etc/xfburn.profile
index 3dc525755..1cb7f568a 100644
--- a/etc/xfburn.profile
+++ b/etc/xfburn.profile
@@ -29,5 +29,5 @@ tracelog
 
 # private-bin xfburn
 # private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
 # private-tmp
diff --git a/etc/xiphos.profile b/etc/xiphos.profile
index 6adfcd819..3ad03e2c6 100644
--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -38,5 +38,5 @@ tracelog
 
 private-bin xiphos
 private-dev
-private-etc fonts,resolv.conf,sword,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,resolv.conf,sword,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/etc/xmr-stak.profile b/etc/xmr-stak.profile
index 25b2b8c91..99c9676b8 100644
--- a/etc/xmr-stak.profile
+++ b/etc/xmr-stak.profile
@@ -37,7 +37,7 @@ disable-mnt
 private ${HOME}/.xmr-stak
 private-bin xmr-stak
 private-dev
-private-etc ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
 #private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend
 private-opt cuda
 private-tmp
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index 054cf4896..9d422a01e 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -36,7 +36,7 @@ shell none
 disable-mnt
 private-bin bash,blind-id,darkplaces-glx,darkplaces-sdl,dirname,grep,ldd,netstat,ps,readlink,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl
 private-dev
-private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
+private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index b8297295a..0df879d7c 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -40,7 +40,7 @@ tracelog
 
 private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
 private-dev
-# private-etc fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
+# private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/xpra.profile b/etc/xpra.profile
index 23f3294bd..2ff6c2a5d 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -52,5 +52,5 @@ shell none
 # older Xpra versions also use Xvfb
 # private-bin xpra,python*,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls
 private-dev
-# private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
+# private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
 private-tmp
diff --git a/etc/xreader.profile b/etc/xreader.profile
index a879e8b04..e0a3ddee3 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -38,7 +38,7 @@ tracelog
 
 private-bin xreader,xreader-previewer,xreader-thumbnailer
 private-dev
-private-etc fonts,ld.so.cache
+private-etc alternatives,fonts,ld.so.cache
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index e6185807e..c73630053 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -38,7 +38,7 @@ tracelog
 
 private-bin xviewer
 private-dev
-#private-etc fonts
+#private-etc alternatives,fonts
 private-lib
 private-tmp
 
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 2eee47fa0..922284353 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -35,7 +35,7 @@ shell none
 private-bin zathura
 private-cache
 private-dev
-private-etc fonts,machine-id
+private-etc alternatives,fonts,machine-id
 private-tmp
 
 read-only ${HOME}/
diff --git a/src/common.mk.in b/src/common.mk.in
index 7a2056e7b..b9af977ae 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -32,4 +32,3 @@ CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"'  $(HAVE_GCOV
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 EXTRA_CFLAGS +=@EXTRA_CFLAGS@
-
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index c865ee929..4feb8d9bc 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -314,4 +314,3 @@ void build_dev(const char *fname, FILE *fp) {
                 fprintf(fp, "\n");
         }
 }
-
diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c
index 8a2268b3b..6fe4c56d8 100644
--- a/src/fbuilder/build_seccomp.c
+++ b/src/fbuilder/build_seccomp.c
@@ -189,4 +189,3 @@ void build_protocol(const char *fname, FILE *fp) {
                 fprintf(fp, "netfilter\n");
         }
 }
-
diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h
index 811750bd0..66bf8c544 100644
--- a/src/fbuilder/fbuilder.h
+++ b/src/fbuilder/fbuilder.h
@@ -67,4 +67,4 @@ FileDB *filedb_add(FileDB *head, const char *fname);
 FileDB *filedb_find(FileDB *head, const char *fname);
 void filedb_print(FileDB *head, const char *prefix, FILE *fp);
 
-#endif
\ No newline at end of file
+#endif
diff --git a/src/fbuilder/filedb.c b/src/fbuilder/filedb.c
index ac2837373..89fe72c29 100644
--- a/src/fbuilder/filedb.c
+++ b/src/fbuilder/filedb.c
@@ -76,4 +76,3 @@ void filedb_print(FileDB *head, const char *prefix, FILE *fp) {
                 ptr = ptr->next;
         }
 }
-
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
index 7a4df83dd..525d9b6f9 100644
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -322,5 +322,3 @@ void fix_desktop_files(char *homedir) {
         closedir(dir);
         free(user_apps_dir);
 }
-
-
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index f4d5b71d4..47b20006d 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -94,6 +94,7 @@ code
 conkeror
 conky
 corebird
+crow
 cvlc
 cyberfox
 darktable
@@ -200,6 +201,7 @@ google-chrome-beta
 google-chrome-stable
 google-chrome-unstable
 google-earth
+google-earth-pro
 google-play-music-desktop-player
 gpa
 gpicview
@@ -310,6 +312,8 @@ mupen64plus
 musescore
 musixmatch
 mutt
+mypaint
+mypaint-ora-thumbnailer
 natron
 #nautilus - removed in order to let the application start in a new sandbox when clicking on icons in the file manager
 ncdu
@@ -318,6 +322,7 @@ neverball
 nheko
 nitroshare
 nylas
+nyx
 obs
 ocenaudio
 odt2txt
diff --git a/src/firecfg/firecfg.h b/src/firecfg/firecfg.h
index 2b1c45d40..e847719cf 100644
--- a/src/firecfg/firecfg.h
+++ b/src/firecfg/firecfg.h
@@ -48,4 +48,3 @@ void sound(void);
 
 // desktop_files.c
 void fix_desktop_files(char *homedir);
-
diff --git a/src/firecfg/sound.c b/src/firecfg/sound.c
index c54394c22..2d38e4cfb 100644
--- a/src/firecfg/sound.c
+++ b/src/firecfg/sound.c
@@ -65,4 +65,3 @@ errexit:
         fprintf(stderr, "Error: cannot configure sound file\n");
         exit(1);
 }
-
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index 7c50dd5e2..9923190b5 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -308,8 +308,3 @@ void fslib_install_system(void) {
                 ptr++;
         }
 }
-
-
-
-
-
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index 4867e6e54..6a199469a 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -378,4 +378,4 @@ void net_print(pid_t pid) {
 
         enter_network_namespace(pid);
         sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, PATH_FNET_MAIN, "printif");
-}
\ No newline at end of file
+}
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 160d6245f..905cc0f15 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -189,4 +189,3 @@ void preproc_clean_run(void) {
 
         free(pidarr);
 }
-
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index b70394bc8..24b3665fc 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -52,15 +52,17 @@ void shut(pid_t pid) {
         printf("Sending SIGTERM to %u\n", pid);
         kill(pid, SIGTERM);
 
-        // wait for not more than 10 seconds
-        sleep(2);
-        int monsec = 8;
+        // wait for not more than 11 seconds
+        int monsec = 11;
         char *monfile;
         if (asprintf(&monfile, "/proc/%d/cmdline", pid) == -1)
                 errExit("asprintf");
         int killdone = 0;
 
         while (monsec) {
+                sleep(1);
+                monsec--;
+
                 FILE *fp = fopen(monfile, "r");
                 if (!fp) {
                         killdone = 1;
@@ -75,9 +77,6 @@ void shut(pid_t pid) {
                         killdone = 1;
                         break;
                 }
-
-                sleep(1);
-                monsec--;
         }
         free(monfile);
 
diff --git a/src/fsec-optimize/fsec_optimize.h b/src/fsec-optimize/fsec_optimize.h
index 76126d734..279118bee 100644
--- a/src/fsec-optimize/fsec_optimize.h
+++ b/src/fsec-optimize/fsec_optimize.h
@@ -27,4 +27,4 @@
 struct sock_filter *duplicate(struct sock_filter *filter, int entries);
 int optimize(struct sock_filter * filter, int entries);
 
-#endif
\ No newline at end of file
+#endif
diff --git a/src/fsec-optimize/optimizer.c b/src/fsec-optimize/optimizer.c
index f9e4b6a6c..69b99f595 100644
--- a/src/fsec-optimize/optimizer.c
+++ b/src/fsec-optimize/optimizer.c
@@ -133,4 +133,3 @@ struct sock_filter *duplicate(struct sock_filter *filter, int entries) {
         memcpy(rv, filter, len);
         return rv;
 }
-
diff --git a/src/fsec-print/fsec_print.h b/src/fsec-print/fsec_print.h
index 0a40c09ed..777bc609a 100644
--- a/src/fsec-print/fsec_print.h
+++ b/src/fsec-print/fsec_print.h
@@ -29,4 +29,4 @@ void print(struct sock_filter *filter, int entries);
 // syscall_list.c
 const char *syscall_find_nr(int nr);
 
-#endif
\ No newline at end of file
+#endif
diff --git a/src/fsec-print/print.c b/src/fsec-print/print.c
index d58ce2df9..8a5d69120 100644
--- a/src/fsec-print/print.c
+++ b/src/fsec-print/print.c
@@ -330,4 +330,3 @@ void print(struct sock_filter *filter, int entries) {
                 printf("\n");
         }
 }
-
diff --git a/src/include/ldd_utils.h b/src/include/ldd_utils.h
index e5ec67171..c9e8b4098 100644
--- a/src/include/ldd_utils.h
+++ b/src/include/ldd_utils.h
@@ -43,4 +43,4 @@ int is_lib_64(const char *exe);
 
 
 
-#endif
\ No newline at end of file
+#endif
diff --git a/test/apps/apps.sh b/test/apps/apps.sh
index 01546d104..c239ed8b8 100755
--- a/test/apps/apps.sh
+++ b/test/apps/apps.sh
@@ -19,4 +19,3 @@ for app in $LIST; do
                 echo "TESTING SKIP: $app not found"
         fi
 done
-
diff --git a/test/filters/memwrexe.c b/test/filters/memwrexe.c
index 7e14aa23d..b43b232d1 100644
--- a/test/filters/memwrexe.c
+++ b/test/filters/memwrexe.c
@@ -20,7 +20,7 @@ int main(int argc, char **argv) {
                 usage();
                 return 1;
         }
-        
+
         if (strcmp(argv[1], "mmap") == 0) {
                 // open some file
                 int fd = open("memwrexe.c", O_RDONLY);
@@ -28,13 +28,13 @@ int main(int argc, char **argv) {
                         fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
                         return 1;
                 }
-        
+
                 int size = lseek(fd, 0, SEEK_END);
                 if (size == -1) {
                         fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
                         return 1;
                 }
-                
+
                 void *p = mmap (0, size, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_SHARED, fd, 0);
                 printf("mmap successful\n");
 
@@ -51,19 +51,19 @@ int main(int argc, char **argv) {
                         fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
                         return 1;
                 }
-        
+
                 int size = lseek(fd, 0, SEEK_END);
                 if (size == -1) {
                         fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
                         return 1;
                 }
-                
+
                 void *p = mmap (0, size, PROT_READ, MAP_SHARED, fd, 0);
                 if (!p) {
                         fprintf(stderr, "TESTING ERROR: cannot map file for mprotect test\n");
                         return 1;
                 }
-                
+
                 mprotect(p, size, PROT_READ|PROT_WRITE|PROT_EXEC);
                 printf("mprotect successful\n");
 
@@ -73,4 +73,3 @@ int main(int argc, char **argv) {
                 return 0;
         }
 }
-        
\ No newline at end of file
diff --git a/test/fnetfilter/test1.net b/test/fnetfilter/test1.net
index e60127373..ce21f20c2 100644
--- a/test/fnetfilter/test1.net
+++ b/test/fnetfilter/test1.net
@@ -16,4 +16,3 @@
 -A OUTPUT -p tcp --dport 3478 -j DROP
 -A OUTPUT -p tcp --dport 3479 -j DROP
 COMMIT
-
diff --git a/test/fnetfilter/test2.net b/test/fnetfilter/test2.net
index a02785413..f389cd16d 100644
--- a/test/fnetfilter/test2.net
+++ b/test/fnetfilter/test2.net
@@ -9,11 +9,10 @@
 #-A INPUT -p icmp --$ARG1 echo-reply -j ACCEPT
 -A INPUT -p icmp --$ARG1 $ARG2 -j ACCEPT
 -A INPUT -p icmp --$ARG1 $ARG3 -j ACCEPT
--A INPUT -p icmp --$ARG1 $ARG4 -j ACCEPT 
+-A INPUT -p icmp --$ARG1 $ARG4 -j ACCEPT
 # disable STUN
 -A OUTPUT -p udp --dport $ARG5 -j DROP
 -A OUTPUT -p udp --dport $ARG6 -j DROP
 -A OUTPUT -p tcp --dport $ARG5 -j DROP
 -A OUTPUT -p tcp --dport $ARG6 -j DROP
 COMMIT
-
diff --git a/test/hidepid-howto b/test/hidepid-howto
index f207c9109..0fa1e5d86 100644
--- a/test/hidepid-howto
+++ b/test/hidepid-howto
@@ -23,5 +23,3 @@ $ cat /proc/mounts | grep proc
 proc /proc proc rw,nosuid,nodev,noexec,relatime,gid=618,hidepid=2 0 0
 
 3. Test "firejail --list", "firejail --top", "firejail --tree", "firejail --netstats"
-
-
diff --git a/test/network/tcpserver.c b/test/network/tcpserver.c
index e8f89b097..9de965858 100644
--- a/test/network/tcpserver.c
+++ b/test/network/tcpserver.c
@@ -35,7 +35,7 @@ int main(int argc, char **argv) {
                 return 1;
         }
         int portno = atoi(argv[1]);
-        
+
         // init socket
         fd = socket(AF_INET, SOCK_STREAM, 0);
         if (fd < 0) {
@@ -82,7 +82,7 @@ int main(int argc, char **argv) {
                 if (pid == 0) {
                         // child
                         close(fd);
-#define MAXBUF 4096                     
+#define MAXBUF 4096
                         char buf[MAXBUF];
                         memset(buf, 0, MAXBUF);
 
@@ -103,6 +103,6 @@ int main(int argc, char **argv) {
                 else
                         close(newfd);
         }
-        
+
         return 0;
 }
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh
index 46662cef5..85e5c1c13 100755
--- a/test/profiles/profiles.sh
+++ b/test/profiles/profiles.sh
@@ -43,4 +43,3 @@ do
         echo "TESTING: $PROFILE"
         ./test-profile.exp $PROFILE
 done
-
diff --git a/test/profiles/test3.profile b/test/profiles/test3.profile
index c28ddadb5..5a70bd829 100644
--- a/test/profiles/test3.profile
+++ b/test/profiles/test3.profile
@@ -1 +1 @@
-include test3.profile
\ No newline at end of file
+include test3.profile
diff --git a/test/root/option_tmpfs.exp b/test/root/option_tmpfs.exp
index 3d492dfdb..cac692cb2 100755
--- a/test/root/option_tmpfs.exp
+++ b/test/root/option_tmpfs.exp
@@ -37,4 +37,3 @@ after 100
 
 
 puts "\nall done\n"
-
diff --git a/test/utils/caps2.profile b/test/utils/caps2.profile
index cb2258c52..e760d4cb5 100644
--- a/test/utils/caps2.profile
+++ b/test/utils/caps2.profile
@@ -1 +1 @@
-caps.keep chown,kill
\ No newline at end of file
+caps.keep chown,kill