private-etc: big profile changes

etc/profile-a-l/1password.profile

@@ -11,7 +11,7 @@ noblacklist ${HOME}/.config/1Password
 mkdir ${HOME}/.config/1Password
 whitelist ${HOME}/.config/1Password
 
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca
 
 # Needed for keychain things, talking to Firefox, possibly other things?  Not sure how to narrow down
 ignore dbus-user none

etc/profile-a-l/abiword.profile

@@ -41,7 +41,7 @@ tracelog
 private-bin abiword
 private-cache
 private-dev
-private-etc alternatives,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd
+private-etc @x11
 private-tmp
 
 # dbus-user none

etc/profile-a-l/agetpkg.profile

@@ -49,7 +49,7 @@ tracelog
 private-bin agetpkg,python3
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
+private-etc @tls-ca
 private-tmp
 
 dbus-user none

etc/profile-a-l/alacarte.profile

@@ -52,7 +52,7 @@ disable-mnt
 # private-bin alacarte,bash,python*,sh
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
+private-etc @tls-ca,@x11,mime.types
 private-tmp
 
 dbus-user none

etc/profile-a-l/alienarena.profile

@@ -43,7 +43,7 @@ disable-mnt
 private-bin alienarena
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11
+private-etc @tls-ca,@x11,bumblebee,glvnd,host.conf,rpc,services
 private-tmp
 
 dbus-user none

etc/profile-a-l/alpine.profile

@@ -90,7 +90,7 @@ disable-mnt
 private-bin alpine
 private-cache
 private-dev
-private-etc alternatives,c-client.cf,ca-certificates,crypto-policies,host.conf,hostname,hosts,krb5.keytab,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,passwd,pine.conf,pinerc.fixed,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+private-etc @tls-ca,@x11,c-client.cf,host.conf,krb5.keytab,mailcap,mime.types,pine.conf,pinerc.fixed,rpc,services,terminfo
 private-tmp
 writable-run-user
 writable-var

etc/profile-a-l/anki.profile

@@ -49,7 +49,7 @@ disable-mnt
 private-bin anki,python*
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl,Trolltech.conf
+private-etc @tls-ca,@x11,Trolltech.conf
 private-tmp
 
 dbus-user none

etc/profile-a-l/apostrophe.profile

@@ -62,7 +62,7 @@ disable-mnt
 private-bin apostrophe,fmtutil,kpsewhich,mktexfmt,pandoc,pdftex,perl,python3*,sh,xdvipdfmx,xelatex,xetex
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,texlive,X11
+private-etc @x11,texlive
 private-tmp
 
 dbus-user filter

etc/profile-a-l/aria2c.profile

@@ -45,7 +45,7 @@ private-bin aria2c,gzip
 # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772).
 #private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,groups,ld.so.cache,ld.so.preload,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
+private-etc @tls-ca,groups
 private-lib libreadline.so.*
 private-tmp
 

etc/profile-a-l/arm.profile

@@ -42,7 +42,7 @@ tracelog
 disable-mnt
 private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,resolv.conf,ssl,tor
+private-etc @tls-ca,tor
 private-tmp
 
 restrict-namespaces

etc/profile-a-l/artha.profile

@@ -54,7 +54,7 @@ disable-mnt
 private-bin artha,enchant,notify-send
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
+private-etc
 private-lib libnotify.so.*
 private-tmp
 

etc/profile-a-l/atool.profile

@@ -13,7 +13,7 @@ include allow-perl.inc
 noroot
 
 # without login.defs atool complains and uses UID/GID 1000 by default
-private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd,resolv.conf
+private-etc
 private-tmp
 
 # Redirect

etc/profile-a-l/atril.profile

@@ -41,7 +41,7 @@ tracelog
 
 private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 # atril uses webkit gtk to display epub files
 # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
 #private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit

etc/profile-a-l/audio-recorder.profile

@@ -43,7 +43,7 @@ tracelog
 disable-mnt
 # private-bin audio-recorder
 private-cache
-private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user filter

etc/profile-a-l/authenticator-rs.profile

@@ -46,7 +46,7 @@ disable-mnt
 private-bin authenticator-rs
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg
+private-etc @tls-ca,@x11
 private-tmp
 
 dbus-user filter

etc/profile-a-l/authenticator.profile

@@ -38,7 +38,7 @@ seccomp
 disable-mnt
 # private-bin authenticator,python*
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
+private-etc @tls-ca
 private-tmp
 
 # makes settings immutable

etc/profile-a-l/ballbuster.profile

@@ -44,7 +44,7 @@ disable-mnt
 private-bin ballbuster
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pulse
+private-etc
 private-tmp
 
 dbus-user none

etc/profile-a-l/bibletime.profile

@@ -51,7 +51,7 @@ disable-mnt
 # private-bin bibletime
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
+private-etc @tls-ca,sword,sword.conf
 private-tmp
 
 dbus-user none

etc/profile-a-l/bijiben.profile

@@ -50,7 +50,7 @@ disable-mnt
 private-bin bijiben
 # private-cache -- access to .cache/tracker is required
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+private-etc @x11
 private-tmp
 
 dbus-user filter

etc/profile-a-l/bitwarden.profile

@@ -23,7 +23,7 @@ no3d
 nosound
 
 ?HAS_APPIMAGE: ignore private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca
 private-opt Bitwarden
 
 # Redirect

etc/profile-a-l/bless.profile

@@ -34,7 +34,7 @@ seccomp
 # private-bin bash,bless,mono,sh
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,mono
+private-etc mono
 private-tmp
 
 dbus-user none

etc/profile-a-l/blobby.profile

@@ -40,7 +40,7 @@ tracelog
 disable-mnt
 private-bin blobby
 private-dev
-private-etc alsa,alternatives,asound.conf,drirc,group,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pulse
+private-etc @x11
 private-lib
 private-tmp
 

etc/profile-a-l/blobwars.profile

@@ -42,7 +42,7 @@ disable-mnt
 private-bin blobwars
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
+private-etc
 private-tmp
 
 dbus-user none

etc/profile-a-l/bsdtar.profile

@@ -6,7 +6,7 @@ include bsdtar.local
 # Persistent global definitions
 include globals.local
 
-private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd
+private-etc
 
 # Redirect
 include archiver-common.profile

etc/profile-a-l/cameramonitor.profile

@@ -45,7 +45,7 @@ tracelog
 disable-mnt
 private-bin cameramonitor,python*
 private-cache
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 # dbus-user none

etc/profile-a-l/cargo.profile

@@ -16,7 +16,7 @@ noblacklist ${HOME}/.cargo/credentials.toml
 #whitelist ${HOME}/.rustup
 
 #private-bin cargo,rustc
-private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc @tls-ca,host.conf,magic,magic.mgc,rpc,services
 
 memory-deny-write-execute
 

etc/profile-a-l/cawbird.profile

@@ -38,7 +38,7 @@ disable-mnt
 private-bin cawbird
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
+private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 
 # dbus-user none

etc/profile-a-l/celluloid.profile

@@ -52,7 +52,7 @@ tracelog
 
 private-bin celluloid,env,gnome-mpv,python*,youtube-dl
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
+private-etc @tls-ca,@x11,libva.conf,pkcs11,selinux
 private-dev
 private-tmp
 

etc/profile-a-l/chatterino.profile

@@ -70,7 +70,7 @@ private-bin chatterino,cvlc,env,ffmpeg,mpv,nvlc,pgrep,python*,qvlc,rvlc,streamli
 # private-cache may cause issues with mpv (see #2838)
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,dbus-1,fonts,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nvidia,passwd,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11
+private-etc @tls-ca,@x11,dbus-1,rpc,services,Trolltech.conf
 private-srv none
 private-tmp
 

etc/profile-a-l/cheese.profile

@@ -51,7 +51,7 @@ disable-mnt
 private-bin cheese
 private-cache
 private-dev
-private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.cache,ld.so.preload
+private-etc @x11,clutter-1.0
 private-tmp
 
 dbus-user filter

etc/profile-a-l/clawsker.profile

@@ -43,7 +43,7 @@ disable-mnt
 private-bin bash,clawsker,perl,sh,which
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
 private-tmp
 

etc/profile-a-l/cmus.profile

@@ -26,6 +26,6 @@ protocol unix,inet,inet6
 seccomp
 
 private-bin cmus
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
+private-etc @tls-ca
 
 restrict-namespaces

etc/profile-a-l/cointop.profile

@@ -52,7 +52,7 @@ disable-mnt
 private-bin cointop
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc @tls-ca,host.conf,rpc,services
 private-lib
 private-tmp
 

etc/profile-a-l/colorful.profile

@@ -44,7 +44,7 @@ disable-mnt
 private-bin colorful
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pulse
+private-etc
 private-tmp
 
 dbus-user none

etc/profile-a-l/com.github.bleakgrey.tootle.profile

@@ -44,7 +44,7 @@ disable-mnt
 private-bin com.github.bleakgrey.tootle
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 
 # Settings are immutable

etc/profile-a-l/com.github.dahenson.agenda.profile

@@ -51,7 +51,7 @@ disable-mnt
 private-bin com.github.dahenson.agenda
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
+private-etc @x11
 private-tmp
 
 dbus-user filter

etc/profile-a-l/com.github.johnfactotum.Foliate.profile

@@ -54,7 +54,7 @@ disable-mnt
 private-bin com.github.johnfactotum.Foliate,gjs
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gconf,gtk-3.0,ld.so.cache,ld.so.preload
+private-etc @x11,gconf
 private-tmp
 
 read-only ${HOME}

etc/profile-a-l/com.github.phase1geo.minder.profile

@@ -51,7 +51,7 @@ disable-mnt
 private-bin com.github.phase1geo.minder
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,passwd,X11,xdg
+private-etc @x11,mime.types
 private-tmp
 
 dbus-user filter

etc/profile-a-l/com.github.tchx84.Flatseal.profile

@@ -51,7 +51,7 @@ disable-mnt
 private-bin com.github.tchx84.Flatseal,gjs
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
+private-etc @x11
 private-tmp
 
 dbus-user filter

etc/profile-a-l/coyim.profile

@@ -39,7 +39,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,ssl
+private-etc @tls-ca
 private-tmp
 
 dbus-user none

etc/profile-a-l/crow.profile

@@ -38,7 +38,7 @@ seccomp
 disable-mnt
 private-bin crow
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-etc @tls-ca,@x11
 private-opt none
 private-tmp
 private-srv none

etc/profile-a-l/d-feet.profile

@@ -49,7 +49,7 @@ disable-mnt
 private-bin d-feet,python*
 private-cache
 private-dev
-private-etc alternatives,dbus-1,fonts,ld.so.cache,ld.so.preload,machine-id
+private-etc dbus-1
 private-tmp
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)

etc/profile-a-l/dbus-send.profile

@@ -50,7 +50,7 @@ private
 private-bin dbus-send
 private-cache
 private-dev
-private-etc alternatives,dbus-1,ld.so.cache,ld.so.preload
+private-etc dbus-1
 private-lib libpcre*
 private-tmp
 

etc/profile-a-l/dconf-editor.profile

@@ -42,7 +42,7 @@ disable-mnt
 private-bin dconf-editor
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id
+private-etc @x11
 private-lib
 private-tmp
 

etc/profile-a-l/dconf.profile

@@ -45,7 +45,7 @@ disable-mnt
 private-bin dconf,gsettings
 private-cache
 private-dev
-private-etc alternatives,dconf,ld.so.cache,ld.so.preload
+private-etc @x11
 private-lib
 private-tmp
 

etc/profile-a-l/ddgtk.profile

@@ -44,7 +44,7 @@ tracelog
 disable-mnt
 private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr
 private-cache
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user none

etc/profile-a-l/devhelp.profile

@@ -41,7 +41,7 @@ disable-mnt
 private-bin devhelp
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,ssl
+private-etc @tls-ca,@x11
 private-tmp
 
 # makes settings immutable

etc/profile-a-l/devilspie.profile

@@ -47,7 +47,7 @@ disable-mnt
 private-bin devilspie
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-lib gconv
 private-tmp
 

etc/profile-a-l/dig.profile

@@ -48,7 +48,7 @@ tracelog
 disable-mnt
 private-bin bash,dig,sh
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload,login.defs,passwd,resolv.conf
+private-etc
 # Add the next line to your dig.local on non Debian/Ubuntu OS (see issue #3038).
 #private-lib
 private-tmp

etc/profile-a-l/discord-common.profile

@@ -24,7 +24,7 @@ whitelist ${HOME}/.config/BetterDiscord
 whitelist ${HOME}/.local/share/betterdiscordctl
 
 private-bin awk,bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,which,xdg-mime,xdg-open,zsh
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
+private-etc @tls-ca,password
 
 join-or-start discord
 

etc/profile-a-l/display.profile

@@ -39,7 +39,7 @@ seccomp
 private-bin display,python*
 private-dev
 # On Debian-based systems, display is a symlink in /etc/alternatives
-private-etc alternatives,ImageMagick-6,ImageMagick-7,ld.so.cache,ld.so.preload
+private-etc ImageMagick-6,ImageMagick-7
 private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libgomp.so.*,ImageMagick*,libfreetype.so.*,libltdl.so.*,libMagickWand-*.so.*,libXext.so.*
 private-tmp
 

etc/profile-a-l/dolphin-emu.profile

@@ -54,7 +54,7 @@ private-bin bash,dolphin-emu,dolphin-emu-x11,sh
 private-cache
 # Add the next line to your dolphin-emu.local if you do not need controller support.
 #private-dev
-private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
+private-etc @tls-ca,@x11,bumblebee,gconf,glvnd,host.conf,mime.types,rpc,services,Trolltech.conf
 private-opt none
 private-tmp
 

etc/profile-a-l/drawio.profile

@@ -44,7 +44,7 @@ seccomp !chroot
 private-bin drawio
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user none

etc/profile-a-l/easystroke.profile

@@ -44,7 +44,7 @@ disable-mnt
 #private-bin bash,easystroke,sh
 private-cache
 private-dev
-private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd
+private-etc
 # breaks custom shell command functionality
 #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp

etc/profile-a-l/electron-mail.profile

@@ -29,7 +29,7 @@ read-only ${HOME}/.mozilla/firefox/profiles.ini
 machine-id
 nosound
 
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca,@x11
 private-opt ElectronMail
 
 dbus-user filter

etc/profile-a-l/electrum.profile

@@ -46,7 +46,7 @@ private-bin electrum,python*
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl
+private-etc @tls-ca,@x11
 private-tmp
 
 # dbus-user none

etc/profile-a-l/email-common.profile

@@ -69,7 +69,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,localtime,machine-id,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,timezone,xdg
+private-etc @tls-ca,@x11,gnupg,groups,hosts.conf,mailname,selinux,timezone
 private-tmp
 # encrypting and signing email
 writable-run-user

etc/profile-a-l/enchant.profile

@@ -47,7 +47,7 @@ x11 none
 private-bin enchant,enchant-*
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-lib
 private-tmp
 

etc/profile-a-l/eo-common.profile

@@ -46,7 +46,7 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
+private-etc @x11
 private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp
 

etc/profile-a-l/equalx.profile

@@ -53,7 +53,7 @@ disable-mnt
 private-bin equalx,gs,pdflatex,pdftocairo
 private-cache
 private-dev
-private-etc alternatives,equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,ld.so.cache,ld.so.preload,machine-id,papersize,passwd,texlive,Trolltech.conf
+private-etc @x11,equalx,equalx.conf,latexmk.conf,papersize,texlive,Trolltech.conf
 private-tmp
 
 dbus-user none

etc/profile-a-l/evince.profile

@@ -54,7 +54,7 @@ tracelog
 private-bin evince,evince-previewer,evince-thumbnailer,sh
 private-cache
 private-dev
-private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd
+private-etc
 # private-lib might break two-page-view on some systems
 private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp

etc/profile-a-l/exiftool.profile

@@ -47,7 +47,7 @@ x11 none
 #private-bin exiftool,perl
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user none

etc/profile-a-l/falkon.profile

@@ -47,7 +47,7 @@ disable-mnt
 # private-bin falkon
 private-cache
 private-dev
-private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc @tls-ca,@x11,adobe,mailcap,mime.types,selinux
 private-tmp
 
 # dbus-user filter

etc/profile-a-l/fdns.profile

@@ -42,7 +42,7 @@ private
 private-bin bash,fdns,sh
 private-cache
 #private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
+private-etc @tls-ca,fdns
 # private-lib
 private-tmp
 

etc/profile-a-l/feh-network.inc.profile

@@ -5,4 +5,4 @@ include feh-network.inc.local
 ignore net none
 netfilter
 protocol unix,inet,inet6
-private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
+private-etc @tls-ca

etc/profile-a-l/feh.profile

@@ -35,7 +35,7 @@ seccomp
 private-bin feh,jpegexiforient,jpegtran
 private-cache
 private-dev
-private-etc alternatives,feh,ld.so.cache,ld.so.preload
+private-etc feh
 private-tmp
 
 dbus-user none

etc/profile-a-l/ffmpeg.profile

@@ -47,7 +47,7 @@ tracelog
 private-bin ffmpeg
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pkcs11,pki,resolv.conf,ssl
+private-etc @tls-ca,pkcs11
 private-tmp
 
 dbus-user none

etc/profile-a-l/ffplay.profile

@@ -14,7 +14,7 @@ ignore nogroups
 ignore nosound
 
 private-bin ffplay
-private-etc alsa,alternatives,asound.conf,group,ld.so.cache,ld.so.preload
+private-etc
 
 # Redirect
 include ffmpeg.profile

etc/profile-a-l/file-roller.profile

@@ -42,7 +42,7 @@ tracelog
 private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg
+private-etc @x11
 # private-tmp
 
 dbus-system none

etc/profile-a-l/firefox-common.profile

@@ -57,9 +57,7 @@ seccomp !chroot
 
 disable-mnt
 ?BROWSER_DISABLE_U2F: private-dev
-# private-etc below works fine on most distributions. There are some problems on CentOS.
+# private-etc below works fine on most distributions. There could be some problems on CentOS.
-# Add it to your firefox-common.local if you want to enable it.
-#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-etc @tls-ca,@x11,mailcap,mime.types,os-release
 private-tmp
 

etc/profile-a-l/flameshot.profile

@@ -51,7 +51,7 @@ tracelog
 disable-mnt
 private-bin flameshot
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,pki,resolv.conf,ssl
+private-etc @tls-ca
 private-dev
 #private-tmp
 

etc/profile-a-l/fractal.profile

@@ -46,7 +46,7 @@ disable-mnt
 private-bin fractal
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc @tls-ca,@x11,host.conf,mime.types,selinux
 private-tmp
 
 dbus-user filter

etc/profile-a-l/freetube.profile

@@ -18,7 +18,7 @@ mkdir ${HOME}/.config/FreeTube
 whitelist ${HOME}/.config/FreeTube
 
 private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc @tls-ca,@x11,host.conf,mime.types
 
 dbus-user filter
 dbus-user.own org.mpris.MediaPlayer2.chromium.*

etc/profile-a-l/frogatto.profile

@@ -44,7 +44,7 @@ disable-mnt
 private-bin frogatto,sh
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
+private-etc
 private-tmp
 
 dbus-user none

etc/profile-a-l/gajim.profile

@@ -58,7 +58,7 @@ disable-mnt
 private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg
+private-etc @tls-ca,@x11
 private-tmp
 writable-run-user
 

etc/profile-a-l/galculator.profile

@@ -42,7 +42,7 @@ tracelog
 private-bin galculator
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload
+private-etc
 private-lib
 private-tmp
 

etc/profile-a-l/gallery-dl.profile

@@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/gallery-dl
 noblacklist ${HOME}/.gallery-dl.conf
 
 private-bin gallery-dl
-private-etc alternatives,gallery-dl.conf,ld.so.cache,ld.so.preload
+private-etc gallery-dl.conf
 
 # Redirect
 include youtube-dl.profile

etc/profile-a-l/gapplication.profile

@@ -48,7 +48,7 @@ private
 private-bin gapplication
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 # Add the next line to your gapplication.local to filter D-Bus names.

etc/profile-a-l/gcloud.profile

@@ -35,7 +35,7 @@ tracelog
 
 disable-mnt
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca
 private-tmp
 
 dbus-user none

etc/profile-a-l/gconf.profile

@@ -53,7 +53,7 @@ disable-mnt
 private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2*
 private-cache
 private-dev
-private-etc alternatives,fonts,gconf,ld.so.cache,ld.so.preload
+private-etc gconf
 private-lib GConf,libpython*,python2*
 private-tmp
 

etc/profile-a-l/geary.profile

@@ -75,7 +75,7 @@ tracelog
 #private-bin geary,sh
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mailcap,mime.types,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
+private-etc @tls-ca,@x11,mailcap,mime.types
 private-tmp
 
 dbus-user filter

etc/profile-a-l/geekbench.profile

@@ -47,7 +47,7 @@ disable-mnt
 #private-bin bash,geekbench*,sh -- #4576
 private-cache
 private-dev
-private-etc alternatives,group,ld.so.cache,ld.so.preload,lsb-release,passwd
+private-etc lsb-release
 private-tmp
 
 dbus-user none

etc/profile-a-l/gfeeds.profile

@@ -60,7 +60,7 @@ disable-mnt
 private-bin gfeeds,python3*
 # private-cache -- feeds are stored in ~/.cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,fonts,gconf,group,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
+private-etc @tls-ca,@x11,dbus-1,gconf,host.conf,mime.types,rpc,services
 private-tmp
 
 dbus-user filter

etc/profile-a-l/gget.profile

@@ -48,7 +48,7 @@ disable-mnt
 private-bin gget
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
+private-etc @tls-ca
 private-lib
 private-tmp
 

etc/profile-a-l/ghostwriter.profile

@@ -51,7 +51,7 @@ private-bin context,gettext,ghostwriter,latex,mktexfmt,pandoc,pdflatex,pdfroff,p
 private-cache
 private-dev
 # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
-private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,texlive,Trolltech.conf,X11,xdg
+private-etc @tls-ca,@x11,dbus-1,firejail,gconf,groups,host.conf,mime.types,rpc,services,texlive,Trolltech.conf
 private-tmp
 
 dbus-user filter

etc/profile-a-l/gimp.profile

@@ -59,7 +59,7 @@ seccomp !mbind
 tracelog
 
 private-dev
-private-etc @x11,gcrypt,python*
+private-etc @tls-ca,@x11,python*
 private-tmp
 
 dbus-user none

etc/profile-a-l/gist.profile

@@ -51,7 +51,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ld.so.cache,ld.so.preload
+private-etc
 private-tmp
 
 dbus-user none

etc/profile-a-l/git-cola.profile

@@ -69,7 +69,7 @@ tracelog
 private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
+private-etc @tls-ca,@x11,gitconfig,host.conf,mime.types,selinux,ssh
 private-tmp
 writable-run-user
 

etc/profile-a-l/gitter.profile

@@ -36,7 +36,7 @@ seccomp
 
 disable-mnt
 private-bin bash,env,gitter
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,pulse,resolv.conf,ssl
+private-etc @tls-ca
 private-opt Gitter
 private-dev
 private-tmp

etc/profile-a-l/gl-117.profile

@@ -43,7 +43,7 @@ disable-mnt
 private-bin gl-117
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,bumblebee,drirc,glvnd,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pulse
+private-etc @x11,bumblebee,glvnd
 private-tmp
 
 dbus-user none

etc/profile-a-l/glaxium.profile

@@ -43,7 +43,7 @@ disable-mnt
 private-bin glaxium
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,bumblebee,drirc,glvnd,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pulse
+private-etc @x11,bumblebee,glvnd
 private-tmp
 
 dbus-user none

etc/profile-a-l/gmpc.profile

@@ -43,7 +43,7 @@ tracelog
 disable-mnt
 #private-bin gmpc
 private-cache
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,resolv.conf
+private-etc
 private-tmp
 writable-run-user
 

etc/profile-a-l/gnome-calendar.profile

@@ -44,7 +44,7 @@ private
 private-bin gnome-calendar
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
+private-etc @tls-ca,@x11
 private-tmp
 
 dbus-user filter

etc/profile-a-l/gnome-characters.profile

@@ -48,7 +48,7 @@ disable-mnt
 private-bin gjs,gnome-characters
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,X11,xdg
+private-etc @x11,gconf,mime.types
 private-tmp
 
 # Add the next lines to your gnome-characters.local if you don't need access to recently used chars.

etc/profile-a-l/gnome-chess.profile

@@ -49,7 +49,7 @@ disable-mnt
 private-bin fairymax,gnome-chess,gnuchess,hoichess
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.cache,ld.so.preload
+private-etc @x11,gnome-chess
 private-tmp
 
 restrict-namespaces

etc/profile-a-l/gnome-clocks.profile

@@ -41,7 +41,7 @@ disable-mnt
 private-bin gnome-clocks,gsound-play
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pkcs11,pki,resolv.conf,ssl
+private-etc @tls-ca,@x11,pkcs11
 private-tmp
 
 restrict-namespaces

etc/profile-a-l/gnome-hexgl.profile

@@ -41,7 +41,7 @@ private
 private-bin gnome-hexgl
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse
+private-etc
 private-tmp
 
 dbus-user none

etc/profile-a-l/gnome-latex.profile

@@ -47,7 +47,7 @@ tracelog
 private-cache
 private-dev
 # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
-private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.cache,ld.so.preload,login.defs,passwd,texlive
+private-etc @x11,latexmk.conf,texlive
 
 dbus-system none
 

etc/profile-a-l/gnome-logs.profile

@@ -39,7 +39,7 @@ disable-mnt
 private-bin gnome-logs
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id
+private-etc
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 writable-var-log

etc/profile-a-l/gnome-maps.profile

@@ -63,7 +63,7 @@ disable-mnt
 private-bin gjs,gnome-maps
 # private-cache -- gnome-maps cache all maps/satelite-images
 private-dev
-private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
+private-etc @tls-ca,@x11,clutter-1.0,gconf,host.conf,mime.types,pkcs11,rpc,services
 private-tmp
 
 dbus-user filter