move whitelist/blacklist to allow/deny

2026-05-21 06:45:29 -06:00 · 2021-07-05 07:23:31 -04:00 · 2021-07-05 07:23:31 -04:00 · fe0f975f44
commit fe0f975f44
parent c32924b825
799 changed files with 5141 additions and 5059 deletions
--- a/etc/inc/allow-bin-sh.inc
+++ b/etc/inc/allow-bin-sh.inc
@ -2,6 +2,6 @@
 # Persistent customizations should go in a .local file.
 include allow-bin-sh.local
-noblacklist ${PATH}/bash
+nodeny  ${PATH}/bash
-noblacklist ${PATH}/dash
+nodeny  ${PATH}/dash
-noblacklist ${PATH}/sh
+nodeny  ${PATH}/sh
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@ -3,29 +3,29 @@
 include allow-common-devel.local
 # Git
-noblacklist ${HOME}/.config/git
+nodeny  ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
+nodeny  ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
+nodeny  ${HOME}/.git-credentials
 # Java
-noblacklist ${HOME}/.gradle
+nodeny  ${HOME}/.gradle
-noblacklist ${HOME}/.java
+nodeny  ${HOME}/.java
 # Node.js
-noblacklist ${HOME}/.node-gyp
+nodeny  ${HOME}/.node-gyp
-noblacklist ${HOME}/.npm
+nodeny  ${HOME}/.npm
-noblacklist ${HOME}/.npmrc
+nodeny  ${HOME}/.npmrc
-noblacklist ${HOME}/.nvm
+nodeny  ${HOME}/.nvm
-noblacklist ${HOME}/.yarn
+nodeny  ${HOME}/.yarn
-noblacklist ${HOME}/.yarn-config
+nodeny  ${HOME}/.yarn-config
-noblacklist ${HOME}/.yarncache
+nodeny  ${HOME}/.yarncache
-noblacklist ${HOME}/.yarnrc
+nodeny  ${HOME}/.yarnrc
 # Python
-noblacklist ${HOME}/.pylint.d
+nodeny  ${HOME}/.pylint.d
-noblacklist ${HOME}/.python-history
+nodeny  ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
+nodeny  ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
+nodeny  ${HOME}/.pythonhist
 # Rust
-noblacklist ${HOME}/.cargo/*
+nodeny  ${HOME}/.cargo/*
--- a/etc/inc/allow-gjs.inc
+++ b/etc/inc/allow-gjs.inc
@ -2,11 +2,11 @@
 # Persistent customizations should go in a .local file.
 include allow-gjs.local
-noblacklist ${PATH}/gjs
+nodeny  ${PATH}/gjs
-noblacklist ${PATH}/gjs-console
+nodeny  ${PATH}/gjs-console
-noblacklist /usr/lib/gjs
+nodeny  /usr/lib/gjs
-noblacklist /usr/lib/libgjs*
+nodeny  /usr/lib/libgjs*
-noblacklist /usr/lib/libmozjs-*
+nodeny  /usr/lib/libmozjs-*
-noblacklist /usr/lib64/gjs
+nodeny  /usr/lib64/gjs
-noblacklist /usr/lib64/libgjs*
+nodeny  /usr/lib64/libgjs*
-noblacklist /usr/lib64/libmozjs-*
+nodeny  /usr/lib64/libmozjs-*
--- a/etc/inc/allow-java.inc
+++ b/etc/inc/allow-java.inc
@ -2,8 +2,8 @@
 # Persistent customizations should go in a .local file.
 include allow-java.local
-noblacklist ${HOME}/.java
+nodeny  ${HOME}/.java
-noblacklist ${PATH}/java
+nodeny  ${PATH}/java
-noblacklist /etc/java
+nodeny  /etc/java
-noblacklist /usr/lib/java
+nodeny  /usr/lib/java
-noblacklist /usr/share/java
+nodeny  /usr/share/java
--- a/etc/inc/allow-lua.inc
+++ b/etc/inc/allow-lua.inc
@ -2,11 +2,11 @@
 # Persistent customizations should go in a .local file.
 include allow-lua.local
-noblacklist ${PATH}/lua*
+nodeny  ${PATH}/lua*
-noblacklist /usr/include
+nodeny  /usr/include
-noblacklist /usr/lib/liblua*
+nodeny  /usr/lib/liblua*
-noblacklist /usr/lib/lua
+nodeny  /usr/lib/lua
-noblacklist /usr/lib64/liblua*
+nodeny  /usr/lib64/liblua*
-noblacklist /usr/lib64/lua
+nodeny  /usr/lib64/lua
-noblacklist /usr/share/lua
+nodeny  /usr/share/lua
-noblacklist /usr/share/lua*
+nodeny  /usr/share/lua*
--- a/etc/inc/allow-nodejs.inc
+++ b/etc/inc/allow-nodejs.inc
@ -2,8 +2,8 @@
 # Persistent customizations should go in a .local file.
 include allow-nodejs.local
-noblacklist ${PATH}/node
+nodeny  ${PATH}/node
-noblacklist /usr/include/node
+nodeny  /usr/include/node
 # Allow python for node-gyp (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
--- a/etc/inc/allow-opengl-game.inc
+++ b/etc/inc/allow-opengl-game.inc
@ -2,6 +2,6 @@
 # Persistent customizations should go in a .local file.
 include allow-opengl-game.local
-noblacklist ${PATH}/bash
+nodeny  ${PATH}/bash
-whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh
+allow  /usr/share/opengl-games-utils/opengl-game-functions.sh
 private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity
--- a/etc/inc/allow-perl.inc
+++ b/etc/inc/allow-perl.inc
@ -2,11 +2,11 @@
 # Persistent customizations should go in a .local file.
 include allow-perl.local
-noblacklist ${PATH}/core_perl
+nodeny  ${PATH}/core_perl
-noblacklist ${PATH}/cpan*
+nodeny  ${PATH}/cpan*
-noblacklist ${PATH}/perl
+nodeny  ${PATH}/perl
-noblacklist ${PATH}/site_perl
+nodeny  ${PATH}/site_perl
-noblacklist ${PATH}/vendor_perl
+nodeny  ${PATH}/vendor_perl
-noblacklist /usr/lib/perl*
+nodeny  /usr/lib/perl*
-noblacklist /usr/lib64/perl*
+nodeny  /usr/lib64/perl*
-noblacklist /usr/share/perl*
+nodeny  /usr/share/perl*
--- a/etc/inc/allow-php.inc
+++ b/etc/inc/allow-php.inc
@ -2,6 +2,6 @@
 # Persistent customizations should go in a .local file.
 include allow-php.local
-noblacklist ${PATH}/php*
+nodeny  ${PATH}/php*
-noblacklist /usr/lib/php*
+nodeny  /usr/lib/php*
-noblacklist /usr/share/php*
+nodeny  /usr/share/php*
--- a/etc/inc/allow-python2.inc
+++ b/etc/inc/allow-python2.inc
@ -2,8 +2,8 @@
 # Persistent customizations should go in a .local file.
 include allow-python2.local
-noblacklist ${PATH}/python2*
+nodeny  ${PATH}/python2*
-noblacklist /usr/include/python2*
+nodeny  /usr/include/python2*
-noblacklist /usr/lib/python2*
+nodeny  /usr/lib/python2*
-noblacklist /usr/local/lib/python2*
+nodeny  /usr/local/lib/python2*
-noblacklist /usr/share/python2*
+nodeny  /usr/share/python2*
--- a/etc/inc/allow-python3.inc
+++ b/etc/inc/allow-python3.inc
@ -2,9 +2,9 @@
 # Persistent customizations should go in a .local file.
 include allow-python3.local
-noblacklist ${PATH}/python3*
+nodeny  ${PATH}/python3*
-noblacklist /usr/include/python3*
+nodeny  /usr/include/python3*
-noblacklist /usr/lib/python3*
+nodeny  /usr/lib/python3*
-noblacklist /usr/lib64/python3*
+nodeny  /usr/lib64/python3*
-noblacklist /usr/local/lib/python3*
+nodeny  /usr/local/lib/python3*
-noblacklist /usr/share/python3*
+nodeny  /usr/share/python3*
--- a/etc/inc/allow-ruby.inc
+++ b/etc/inc/allow-ruby.inc
@ -2,5 +2,5 @@
 # Persistent customizations should go in a .local file.
 include allow-ruby.local
-noblacklist ${PATH}/ruby
+nodeny  ${PATH}/ruby
-noblacklist /usr/lib/ruby
+nodeny  /usr/lib/ruby
--- a/etc/inc/allow-ssh.inc
+++ b/etc/inc/allow-ssh.inc
@ -2,7 +2,7 @@
 # Persistent customizations should go in a .local file.
 include allow-ssh.local
-noblacklist ${HOME}/.ssh
+nodeny  ${HOME}/.ssh
-noblacklist /etc/ssh
+nodeny  /etc/ssh
-noblacklist /etc/ssh/ssh_config
+nodeny  /etc/ssh/ssh_config
-noblacklist /tmp/ssh-*
+nodeny  /tmp/ssh-*
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@ -5,63 +5,63 @@ include disable-common.local
 # The following block breaks trash functionality in file managers
 #read-only ${HOME}/.local
 #read-write ${HOME}/.local/share
-blacklist ${HOME}/.local/share/Trash
+deny  ${HOME}/.local/share/Trash
 # History files in $HOME and clipboard managers
-blacklist-nolog ${HOME}/.*_history
+deny-nolog  ${HOME}/.*_history
-blacklist-nolog ${HOME}/.adobe
+deny-nolog  ${HOME}/.adobe
-blacklist-nolog ${HOME}/.cache/greenclip*
+deny-nolog  ${HOME}/.cache/greenclip*
-blacklist-nolog ${HOME}/.histfile
+deny-nolog  ${HOME}/.histfile
-blacklist-nolog ${HOME}/.history
+deny-nolog  ${HOME}/.history
-blacklist-nolog ${HOME}/.kde/share/apps/klipper
+deny-nolog  ${HOME}/.kde/share/apps/klipper
-blacklist-nolog ${HOME}/.kde4/share/apps/klipper
+deny-nolog  ${HOME}/.kde4/share/apps/klipper
-blacklist-nolog ${HOME}/.local/share/fish/fish_history
+deny-nolog  ${HOME}/.local/share/fish/fish_history
-blacklist-nolog ${HOME}/.local/share/klipper
+deny-nolog  ${HOME}/.local/share/klipper
-blacklist-nolog ${HOME}/.macromedia
+deny-nolog  ${HOME}/.macromedia
-blacklist-nolog ${HOME}/.mupdf.history
+deny-nolog  ${HOME}/.mupdf.history
-blacklist-nolog ${HOME}/.python-history
+deny-nolog  ${HOME}/.python-history
-blacklist-nolog ${HOME}/.python_history
+deny-nolog  ${HOME}/.python_history
-blacklist-nolog ${HOME}/.pythonhist
+deny-nolog  ${HOME}/.pythonhist
-blacklist-nolog ${HOME}/.lesshst
+deny-nolog  ${HOME}/.lesshst
-blacklist-nolog ${HOME}/.viminfo
+deny-nolog  ${HOME}/.viminfo
-blacklist-nolog /tmp/clipmenu*
+deny-nolog  /tmp/clipmenu*
 # X11 session autostart
 # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
-blacklist ${HOME}/.Xsession
+deny  ${HOME}/.Xsession
-blacklist ${HOME}/.blackbox
+deny  ${HOME}/.blackbox
-blacklist ${HOME}/.config/autostart
+deny  ${HOME}/.config/autostart
-blacklist ${HOME}/.config/autostart-scripts
+deny  ${HOME}/.config/autostart-scripts
-blacklist ${HOME}/.config/awesome
+deny  ${HOME}/.config/awesome
-blacklist ${HOME}/.config/i3
+deny  ${HOME}/.config/i3
-blacklist ${HOME}/.config/sway
+deny  ${HOME}/.config/sway
-blacklist ${HOME}/.config/lxsession/LXDE/autostart
+deny  ${HOME}/.config/lxsession/LXDE/autostart
-blacklist ${HOME}/.config/openbox
+deny  ${HOME}/.config/openbox
-blacklist ${HOME}/.config/plasma-workspace
+deny  ${HOME}/.config/plasma-workspace
-blacklist ${HOME}/.config/startupconfig
+deny  ${HOME}/.config/startupconfig
-blacklist ${HOME}/.config/startupconfigkeys
+deny  ${HOME}/.config/startupconfigkeys
-blacklist ${HOME}/.fluxbox
+deny  ${HOME}/.fluxbox
-blacklist ${HOME}/.gnomerc
+deny  ${HOME}/.gnomerc
-blacklist ${HOME}/.kde/Autostart
+deny  ${HOME}/.kde/Autostart
-blacklist ${HOME}/.kde/env
+deny  ${HOME}/.kde/env
-blacklist ${HOME}/.kde/share/autostart
+deny  ${HOME}/.kde/share/autostart
-blacklist ${HOME}/.kde/share/config/startupconfig
+deny  ${HOME}/.kde/share/config/startupconfig
-blacklist ${HOME}/.kde/share/config/startupconfigkeys
+deny  ${HOME}/.kde/share/config/startupconfigkeys
-blacklist ${HOME}/.kde/shutdown
+deny  ${HOME}/.kde/shutdown
-blacklist ${HOME}/.kde4/env
+deny  ${HOME}/.kde4/env
-blacklist ${HOME}/.kde4/Autostart
+deny  ${HOME}/.kde4/Autostart
-blacklist ${HOME}/.kde4/share/autostart
+deny  ${HOME}/.kde4/share/autostart
-blacklist ${HOME}/.kde4/shutdown
+deny  ${HOME}/.kde4/shutdown
-blacklist ${HOME}/.kde4/share/config/startupconfig
+deny  ${HOME}/.kde4/share/config/startupconfig
-blacklist ${HOME}/.kde4/share/config/startupconfigkeys
+deny  ${HOME}/.kde4/share/config/startupconfigkeys
-blacklist ${HOME}/.local/share/autostart
+deny  ${HOME}/.local/share/autostart
-blacklist ${HOME}/.xinitrc
+deny  ${HOME}/.xinitrc
-blacklist ${HOME}/.xprofile
+deny  ${HOME}/.xprofile
-blacklist ${HOME}/.xserverrc
+deny  ${HOME}/.xserverrc
-blacklist ${HOME}/.xsession
+deny  ${HOME}/.xsession
-blacklist ${HOME}/.xsessionrc
+deny  ${HOME}/.xsessionrc
-blacklist /etc/X11/Xsession.d
+deny  /etc/X11/Xsession.d
-blacklist /etc/xdg/autostart
+deny  /etc/xdg/autostart
 read-only ${HOME}/.Xauthority
 # Session manager
@ -70,46 +70,46 @@ read-only ${HOME}/.Xauthority
 #?HAS_X11: blacklist /tmp/.ICE-unix
 # KDE config
-blacklist ${HOME}/.cache/konsole
+deny  ${HOME}/.cache/konsole
-blacklist ${HOME}/.config/khotkeysrc
+deny  ${HOME}/.config/khotkeysrc
-blacklist ${HOME}/.config/krunnerrc
+deny  ${HOME}/.config/krunnerrc
-blacklist ${HOME}/.config/kscreenlockerrc
+deny  ${HOME}/.config/kscreenlockerrc
-blacklist ${HOME}/.config/ksslcertificatemanager
+deny  ${HOME}/.config/ksslcertificatemanager
-blacklist ${HOME}/.config/kwalletrc
+deny  ${HOME}/.config/kwalletrc
-blacklist ${HOME}/.config/kwinrc
+deny  ${HOME}/.config/kwinrc
-blacklist ${HOME}/.config/kwinrulesrc
+deny  ${HOME}/.config/kwinrulesrc
-blacklist ${HOME}/.config/plasma-locale-settings.sh
+deny  ${HOME}/.config/plasma-locale-settings.sh
-blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
+deny  ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
-blacklist ${HOME}/.config/plasmashellrc
+deny  ${HOME}/.config/plasmashellrc
-blacklist ${HOME}/.config/plasmavaultrc
+deny  ${HOME}/.config/plasmavaultrc
-blacklist ${HOME}/.kde/share/apps/kwin
+deny  ${HOME}/.kde/share/apps/kwin
-blacklist ${HOME}/.kde/share/apps/plasma
+deny  ${HOME}/.kde/share/apps/plasma
-blacklist ${HOME}/.kde/share/apps/solid
+deny  ${HOME}/.kde/share/apps/solid
-blacklist ${HOME}/.kde/share/config/khotkeysrc
+deny  ${HOME}/.kde/share/config/khotkeysrc
-blacklist ${HOME}/.kde/share/config/krunnerrc
+deny  ${HOME}/.kde/share/config/krunnerrc
-blacklist ${HOME}/.kde/share/config/kscreensaverrc
+deny  ${HOME}/.kde/share/config/kscreensaverrc
-blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
+deny  ${HOME}/.kde/share/config/ksslcertificatemanager
-blacklist ${HOME}/.kde/share/config/kwalletrc
+deny  ${HOME}/.kde/share/config/kwalletrc
-blacklist ${HOME}/.kde/share/config/kwinrc
+deny  ${HOME}/.kde/share/config/kwinrc
-blacklist ${HOME}/.kde/share/config/kwinrulesrc
+deny  ${HOME}/.kde/share/config/kwinrulesrc
-blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
+deny  ${HOME}/.kde/share/config/plasma-desktop-appletsrc
-blacklist ${HOME}/.kde4/share/apps/kwin
+deny  ${HOME}/.kde4/share/apps/kwin
-blacklist ${HOME}/.kde4/share/apps/plasma
+deny  ${HOME}/.kde4/share/apps/plasma
-blacklist ${HOME}/.kde4/share/apps/solid
+deny  ${HOME}/.kde4/share/apps/solid
-blacklist ${HOME}/.kde4/share/config/khotkeysrc
+deny  ${HOME}/.kde4/share/config/khotkeysrc
-blacklist ${HOME}/.kde4/share/config/krunnerrc
+deny  ${HOME}/.kde4/share/config/krunnerrc
-blacklist ${HOME}/.kde4/share/config/kscreensaverrc
+deny  ${HOME}/.kde4/share/config/kscreensaverrc
-blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
+deny  ${HOME}/.kde4/share/config/ksslcertificatemanager
-blacklist ${HOME}/.kde4/share/config/kwalletrc
+deny  ${HOME}/.kde4/share/config/kwalletrc
-blacklist ${HOME}/.kde4/share/config/kwinrc
+deny  ${HOME}/.kde4/share/config/kwinrc
-blacklist ${HOME}/.kde4/share/config/kwinrulesrc
+deny  ${HOME}/.kde4/share/config/kwinrulesrc
-blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
+deny  ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
-blacklist ${HOME}/.local/share/kglobalaccel
+deny  ${HOME}/.local/share/kglobalaccel
-blacklist ${HOME}/.local/share/kwin
+deny  ${HOME}/.local/share/kwin
-blacklist ${HOME}/.local/share/plasma
+deny  ${HOME}/.local/share/plasma
-blacklist ${HOME}/.local/share/plasmashell
+deny  ${HOME}/.local/share/plasmashell
-blacklist ${HOME}/.local/share/solid
+deny  ${HOME}/.local/share/solid
-blacklist /tmp/konsole-*.history
+deny  /tmp/konsole-*.history
 read-only ${HOME}/.cache/ksycoca5_*
 read-only ${HOME}/.config/*notifyrc
 read-only ${HOME}/.config/kdeglobals
@ -138,124 +138,124 @@ read-only ${HOME}/.local/share/kservices5
 read-only ${HOME}/.local/share/kssl
 # KDE sockets
-blacklist ${RUNUSER}/*.slave-socket
+deny  ${RUNUSER}/*.slave-socket
-blacklist ${RUNUSER}/kdeinit5__*
+deny  ${RUNUSER}/kdeinit5__*
-blacklist ${RUNUSER}/kdesud_*
+deny  ${RUNUSER}/kdesud_*
 # see #3358
 #?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-*
 #?HAS_NODBUS: blacklist /tmp/ksocket-*
 # gnome
 # contains extensions, last used times of applications, and notifications
-blacklist ${HOME}/.local/share/gnome-shell
+deny  ${HOME}/.local/share/gnome-shell
 # contains recently used files and serials of static/removable storage
-blacklist ${HOME}/.local/share/gvfs-metadata
+deny  ${HOME}/.local/share/gvfs-metadata
 # no direct modification of dconf database
 read-only ${HOME}/.config/dconf
-blacklist ${RUNUSER}/gnome-session-leader-fifo
+deny  ${RUNUSER}/gnome-session-leader-fifo
-blacklist ${RUNUSER}/gnome-shell
+deny  ${RUNUSER}/gnome-shell
-blacklist ${RUNUSER}/gsconnect
+deny  ${RUNUSER}/gsconnect
 # systemd
-blacklist ${HOME}/.config/systemd
+deny  ${HOME}/.config/systemd
-blacklist ${HOME}/.local/share/systemd
+deny  ${HOME}/.local/share/systemd
-blacklist /var/lib/systemd
+deny  /var/lib/systemd
-blacklist ${PATH}/systemd-run
+deny  ${PATH}/systemd-run
-blacklist ${RUNUSER}/systemd
+deny  ${RUNUSER}/systemd
 # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
 #blacklist /var/run/systemd
 # openrc
-blacklist /etc/runlevels/
+deny  /etc/runlevels/
-blacklist /etc/init.d/
+deny  /etc/init.d/
-blacklist /etc/rc.conf
+deny  /etc/rc.conf
 # VirtualBox
-blacklist ${HOME}/.VirtualBox
+deny  ${HOME}/.VirtualBox
-blacklist ${HOME}/.config/VirtualBox
+deny  ${HOME}/.config/VirtualBox
-blacklist ${HOME}/VirtualBox VMs
+deny  ${HOME}/VirtualBox VMs
 # GNOME Boxes
-blacklist ${HOME}/.config/gnome-boxes
+deny  ${HOME}/.config/gnome-boxes
-blacklist ${HOME}/.local/share/gnome-boxes
+deny  ${HOME}/.local/share/gnome-boxes
 # libvirt
-blacklist ${HOME}/.cache/libvirt
+deny  ${HOME}/.cache/libvirt
-blacklist ${HOME}/.config/libvirt
+deny  ${HOME}/.config/libvirt
-blacklist ${RUNUSER}/libvirt
+deny  ${RUNUSER}/libvirt
-blacklist /var/cache/libvirt
+deny  /var/cache/libvirt
-blacklist /var/lib/libvirt
+deny  /var/lib/libvirt
-blacklist /var/log/libvirt
+deny  /var/log/libvirt
 # OCI-Containers / Podman
-blacklist ${RUNUSER}/containers
+deny  ${RUNUSER}/containers
-blacklist ${RUNUSER}/crun
+deny  ${RUNUSER}/crun
-blacklist ${RUNUSER}/libpod
+deny  ${RUNUSER}/libpod
-blacklist ${RUNUSER}/runc
+deny  ${RUNUSER}/runc
-blacklist ${RUNUSER}/toolbox
+deny  ${RUNUSER}/toolbox
 # VeraCrypt
-blacklist ${HOME}/.VeraCrypt
+deny  ${HOME}/.VeraCrypt
-blacklist ${PATH}/veracrypt
+deny  ${PATH}/veracrypt
-blacklist ${PATH}/veracrypt-uninstall.sh
+deny  ${PATH}/veracrypt-uninstall.sh
-blacklist /usr/share/applications/veracrypt.*
+deny  /usr/share/applications/veracrypt.*
-blacklist /usr/share/pixmaps/veracrypt.*
+deny  /usr/share/pixmaps/veracrypt.*
-blacklist /usr/share/veracrypt
+deny  /usr/share/veracrypt
 # TrueCrypt
-blacklist ${HOME}/.TrueCrypt
+deny  ${HOME}/.TrueCrypt
-blacklist ${PATH}/truecrypt
+deny  ${PATH}/truecrypt
-blacklist ${PATH}/truecrypt-uninstall.sh
+deny  ${PATH}/truecrypt-uninstall.sh
-blacklist /usr/share/applications/truecrypt.*
+deny  /usr/share/applications/truecrypt.*
-blacklist /usr/share/pixmaps/truecrypt.*
+deny  /usr/share/pixmaps/truecrypt.*
-blacklist /usr/share/truecrypt
+deny  /usr/share/truecrypt
 # zuluCrypt
-blacklist ${HOME}/.zuluCrypt
+deny  ${HOME}/.zuluCrypt
-blacklist ${HOME}/.zuluCrypt-socket
+deny  ${HOME}/.zuluCrypt-socket
-blacklist ${PATH}/zuluCrypt-cli
+deny  ${PATH}/zuluCrypt-cli
-blacklist ${PATH}/zuluMount-cli
+deny  ${PATH}/zuluMount-cli
 # var
-blacklist /var/cache/apt
+deny  /var/cache/apt
-blacklist /var/cache/pacman
+deny  /var/cache/pacman
-blacklist /var/lib/apt
+deny  /var/lib/apt
-blacklist /var/lib/clamav
+deny  /var/lib/clamav
-blacklist /var/lib/dkms
+deny  /var/lib/dkms
-blacklist /var/lib/mysql/mysql.sock
+deny  /var/lib/mysql/mysql.sock
-blacklist /var/lib/mysqld/mysql.sock
+deny  /var/lib/mysqld/mysql.sock
-blacklist /var/lib/pacman
+deny  /var/lib/pacman
-blacklist /var/lib/upower
+deny  /var/lib/upower
 # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
 # every sandbox, unless --writable-var-log switch is activated
-blacklist /var/mail
+deny  /var/mail
-blacklist /var/opt
+deny  /var/opt
-blacklist /var/run/acpid.socket
+deny  /var/run/acpid.socket
-blacklist /var/run/docker.sock
+deny  /var/run/docker.sock
-blacklist /var/run/minissdpd.sock
+deny  /var/run/minissdpd.sock
-blacklist /var/run/mysql/mysqld.sock
+deny  /var/run/mysql/mysqld.sock
-blacklist /var/run/mysqld/mysqld.sock
+deny  /var/run/mysqld/mysqld.sock
-blacklist /var/run/rpcbind.sock
+deny  /var/run/rpcbind.sock
-blacklist /var/run/screens
+deny  /var/run/screens
-blacklist /var/spool/anacron
+deny  /var/spool/anacron
-blacklist /var/spool/cron
+deny  /var/spool/cron
-blacklist /var/spool/mail
+deny  /var/spool/mail
 # etc
-blacklist /etc/anacrontab
+deny  /etc/anacrontab
-blacklist /etc/cron*
+deny  /etc/cron*
-blacklist /etc/profile.d
+deny  /etc/profile.d
-blacklist /etc/rc.local
+deny  /etc/rc.local
 # rc1.d, rc2.d, ...
-blacklist /etc/rc?.d
+deny  /etc/rc?.d
-blacklist /etc/kernel*
+deny  /etc/kernel*
-blacklist /etc/grub*
+deny  /etc/grub*
-blacklist /etc/dkms
+deny  /etc/dkms
-blacklist /etc/apparmor*
+deny  /etc/apparmor*
-blacklist /etc/selinux
+deny  /etc/selinux
-blacklist /etc/modules*
+deny  /etc/modules*
-blacklist /etc/logrotate*
+deny  /etc/logrotate*
-blacklist /etc/adduser.conf
+deny  /etc/adduser.conf
 # Startup files
 read-only ${HOME}/.antigen
@ -292,13 +292,13 @@ read-only ${HOME}/.zshrc
 read-only ${HOME}/.zshrc.local
 # Remote access
-blacklist ${HOME}/.rhosts
+deny  ${HOME}/.rhosts
-blacklist ${HOME}/.shosts
+deny  ${HOME}/.shosts
-blacklist ${HOME}/.ssh/authorized_keys
+deny  ${HOME}/.ssh/authorized_keys
-blacklist ${HOME}/.ssh/authorized_keys2
+deny  ${HOME}/.ssh/authorized_keys2
-blacklist ${HOME}/.ssh/environment
+deny  ${HOME}/.ssh/environment
-blacklist ${HOME}/.ssh/rc
+deny  ${HOME}/.ssh/rc
-blacklist /etc/hosts.equiv
+deny  /etc/hosts.equiv
 read-only ${HOME}/.ssh/config
 read-only ${HOME}/.ssh/config.d
@ -359,200 +359,200 @@ read-only ${HOME}/.local/share/mime
 read-only ${HOME}/.local/share/thumbnailers
 # prevent access to ssh-agent
-blacklist /tmp/ssh-*
+deny  /tmp/ssh-*
 # top secret
-blacklist ${HOME}/*.kdb
+deny  ${HOME}/*.kdb
-blacklist ${HOME}/*.kdbx
+deny  ${HOME}/*.kdbx
-blacklist ${HOME}/*.key
+deny  ${HOME}/*.key
-blacklist ${HOME}/.Private
+deny  ${HOME}/.Private
-blacklist ${HOME}/.caff
+deny  ${HOME}/.caff
-blacklist ${HOME}/.cargo/credentials
+deny  ${HOME}/.cargo/credentials
-blacklist ${HOME}/.cargo/credentials.toml
+deny  ${HOME}/.cargo/credentials.toml
-blacklist ${HOME}/.cert
+deny  ${HOME}/.cert
-blacklist ${HOME}/.config/keybase
+deny  ${HOME}/.config/keybase
-blacklist ${HOME}/.davfs2/secrets
+deny  ${HOME}/.davfs2/secrets
-blacklist ${HOME}/.ecryptfs
+deny  ${HOME}/.ecryptfs
-blacklist ${HOME}/.fetchmailrc
+deny  ${HOME}/.fetchmailrc
-blacklist ${HOME}/.fscrypt
+deny  ${HOME}/.fscrypt
-blacklist ${HOME}/.git-credential-cache
+deny  ${HOME}/.git-credential-cache
-blacklist ${HOME}/.git-credentials
+deny  ${HOME}/.git-credentials
-blacklist ${HOME}/.gnome2/keyrings
+deny  ${HOME}/.gnome2/keyrings
-blacklist ${HOME}/.gnupg
+deny  ${HOME}/.gnupg
-blacklist ${HOME}/.config/hub
+deny  ${HOME}/.config/hub
-blacklist ${HOME}/.kde/share/apps/kwallet
+deny  ${HOME}/.kde/share/apps/kwallet
-blacklist ${HOME}/.kde4/share/apps/kwallet
+deny  ${HOME}/.kde4/share/apps/kwallet
-blacklist ${HOME}/.local/share/keyrings
+deny  ${HOME}/.local/share/keyrings
-blacklist ${HOME}/.local/share/kwalletd
+deny  ${HOME}/.local/share/kwalletd
-blacklist ${HOME}/.local/share/plasma-vault
+deny  ${HOME}/.local/share/plasma-vault
-blacklist ${HOME}/.msmtprc
+deny  ${HOME}/.msmtprc
-blacklist ${HOME}/.mutt
+deny  ${HOME}/.mutt
-blacklist ${HOME}/.muttrc
+deny  ${HOME}/.muttrc
-blacklist ${HOME}/.netrc
+deny  ${HOME}/.netrc
-blacklist ${HOME}/.nyx
+deny  ${HOME}/.nyx
-blacklist ${HOME}/.pki
+deny  ${HOME}/.pki
-blacklist ${HOME}/.local/share/pki
+deny  ${HOME}/.local/share/pki
-blacklist ${HOME}/.smbcredentials
+deny  ${HOME}/.smbcredentials
-blacklist ${HOME}/.ssh
+deny  ${HOME}/.ssh
-blacklist ${HOME}/.vaults
+deny  ${HOME}/.vaults
-blacklist /.fscrypt
+deny  /.fscrypt
-blacklist /etc/davfs2/secrets
+deny  /etc/davfs2/secrets
-blacklist /etc/group+
+deny  /etc/group+
-blacklist /etc/group-
+deny  /etc/group-
-blacklist /etc/gshadow
+deny  /etc/gshadow
-blacklist /etc/gshadow+
+deny  /etc/gshadow+
-blacklist /etc/gshadow-
+deny  /etc/gshadow-
-blacklist /etc/passwd+
+deny  /etc/passwd+
-blacklist /etc/passwd-
+deny  /etc/passwd-
-blacklist /etc/shadow
+deny  /etc/shadow
-blacklist /etc/shadow+
+deny  /etc/shadow+
-blacklist /etc/shadow-
+deny  /etc/shadow-
-blacklist /etc/ssh
+deny  /etc/ssh
-blacklist /etc/ssh/*
+deny  /etc/ssh/*
-blacklist /home/.ecryptfs
+deny  /home/.ecryptfs
-blacklist /home/.fscrypt
+deny  /home/.fscrypt
-blacklist /var/backup
+deny  /var/backup
 # cloud provider configuration
-blacklist ${HOME}/.aws
+deny  ${HOME}/.aws
-blacklist ${HOME}/.boto
+deny  ${HOME}/.boto
-blacklist ${HOME}/.config/gcloud
+deny  ${HOME}/.config/gcloud
-blacklist ${HOME}/.kube
+deny  ${HOME}/.kube
-blacklist ${HOME}/.passwd-s3fs
+deny  ${HOME}/.passwd-s3fs
-blacklist ${HOME}/.s3cmd
+deny  ${HOME}/.s3cmd
-blacklist /etc/boto.cfg
+deny  /etc/boto.cfg
 # system directories
-blacklist /sbin
+deny  /sbin
-blacklist /usr/local/sbin
+deny  /usr/local/sbin
-blacklist /usr/sbin
+deny  /usr/sbin
 # system management
-blacklist ${PATH}/at
+deny  ${PATH}/at
-blacklist ${PATH}/busybox
+deny  ${PATH}/busybox
-blacklist ${PATH}/chage
+deny  ${PATH}/chage
-blacklist ${PATH}/chfn
+deny  ${PATH}/chfn
-blacklist ${PATH}/chsh
+deny  ${PATH}/chsh
-blacklist ${PATH}/crontab
+deny  ${PATH}/crontab
-blacklist ${PATH}/evtest
+deny  ${PATH}/evtest
-blacklist ${PATH}/expiry
+deny  ${PATH}/expiry
-blacklist ${PATH}/fusermount
+deny  ${PATH}/fusermount
-blacklist ${PATH}/gksu
+deny  ${PATH}/gksu
-blacklist ${PATH}/gksudo
+deny  ${PATH}/gksudo
-blacklist ${PATH}/gpasswd
+deny  ${PATH}/gpasswd
-blacklist ${PATH}/kdesudo
+deny  ${PATH}/kdesudo
-blacklist ${PATH}/ksu
+deny  ${PATH}/ksu
-blacklist ${PATH}/mount
+deny  ${PATH}/mount
-blacklist ${PATH}/mount.ecryptfs_private
+deny  ${PATH}/mount.ecryptfs_private
-blacklist ${PATH}/nc
+deny  ${PATH}/nc
-blacklist ${PATH}/ncat
+deny  ${PATH}/ncat
-blacklist ${PATH}/nmap
+deny  ${PATH}/nmap
-blacklist ${PATH}/newgidmap
+deny  ${PATH}/newgidmap
-blacklist ${PATH}/newgrp
+deny  ${PATH}/newgrp
-blacklist ${PATH}/newuidmap
+deny  ${PATH}/newuidmap
-blacklist ${PATH}/ntfs-3g
+deny  ${PATH}/ntfs-3g
-blacklist ${PATH}/pkexec
+deny  ${PATH}/pkexec
-blacklist ${PATH}/procmail
+deny  ${PATH}/procmail
-blacklist ${PATH}/sg
+deny  ${PATH}/sg
-blacklist ${PATH}/strace
+deny  ${PATH}/strace
-blacklist ${PATH}/su
+deny  ${PATH}/su
-blacklist ${PATH}/sudo
+deny  ${PATH}/sudo
-blacklist ${PATH}/tcpdump
+deny  ${PATH}/tcpdump
-blacklist ${PATH}/umount
+deny  ${PATH}/umount
-blacklist ${PATH}/unix_chkpwd
+deny  ${PATH}/unix_chkpwd
-blacklist ${PATH}/xev
+deny  ${PATH}/xev
-blacklist ${PATH}/xinput
+deny  ${PATH}/xinput
 # other SUID binaries
-blacklist /usr/lib/virtualbox
+deny  /usr/lib/virtualbox
-blacklist /usr/lib64/virtualbox
+deny  /usr/lib64/virtualbox
 # prevent lxterminal connecting to an existing lxterminal session
-blacklist /tmp/.lxterminal-socket*
+deny  /tmp/.lxterminal-socket*
 # prevent tmux connecting to an existing session
-blacklist /tmp/tmux-*
+deny  /tmp/tmux-*
 # disable terminals running as server resulting in sandbox escape
-blacklist ${PATH}/lxterminal
+deny  ${PATH}/lxterminal
-blacklist ${PATH}/gnome-terminal
+deny  ${PATH}/gnome-terminal
-blacklist ${PATH}/gnome-terminal.wrapper
+deny  ${PATH}/gnome-terminal.wrapper
-blacklist ${PATH}/lilyterm
+deny  ${PATH}/lilyterm
-blacklist ${PATH}/mate-terminal
+deny  ${PATH}/mate-terminal
-blacklist ${PATH}/mate-terminal.wrapper
+deny  ${PATH}/mate-terminal.wrapper
-blacklist ${PATH}/pantheon-terminal
+deny  ${PATH}/pantheon-terminal
-blacklist ${PATH}/roxterm
+deny  ${PATH}/roxterm
-blacklist ${PATH}/roxterm-config
+deny  ${PATH}/roxterm-config
-blacklist ${PATH}/terminix
+deny  ${PATH}/terminix
-blacklist ${PATH}/tilix
+deny  ${PATH}/tilix
-blacklist ${PATH}/urxvtc
+deny  ${PATH}/urxvtc
-blacklist ${PATH}/urxvtcd
+deny  ${PATH}/urxvtcd
-blacklist ${PATH}/xfce4-terminal
+deny  ${PATH}/xfce4-terminal
-blacklist ${PATH}/xfce4-terminal.wrapper
+deny  ${PATH}/xfce4-terminal.wrapper
 # blacklist ${PATH}/konsole
 # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
 # kernel files
-blacklist /initrd*
+deny  /initrd*
-blacklist /vmlinuz*
+deny  /vmlinuz*
 # snapshot files
-blacklist /.snapshots
+deny  /.snapshots
 # flatpak
-blacklist ${HOME}/.cache/flatpak
+deny  ${HOME}/.cache/flatpak
-blacklist ${HOME}/.config/flatpak
+deny  ${HOME}/.config/flatpak
-noblacklist ${HOME}/.local/share/flatpak/exports
+nodeny  ${HOME}/.local/share/flatpak/exports
 read-only ${HOME}/.local/share/flatpak/exports
-blacklist ${HOME}/.local/share/flatpak/*
+deny  ${HOME}/.local/share/flatpak/*
-blacklist ${HOME}/.var
+deny  ${HOME}/.var
-blacklist ${RUNUSER}/app
+deny  ${RUNUSER}/app
-blacklist ${RUNUSER}/doc
+deny  ${RUNUSER}/doc
-blacklist ${RUNUSER}/.dbus-proxy
+deny  ${RUNUSER}/.dbus-proxy
-blacklist ${RUNUSER}/.flatpak
+deny  ${RUNUSER}/.flatpak
-blacklist ${RUNUSER}/.flatpak-cache
+deny  ${RUNUSER}/.flatpak-cache
-blacklist ${RUNUSER}/.flatpak-helper
+deny  ${RUNUSER}/.flatpak-helper
-blacklist /usr/share/flatpak
+deny  /usr/share/flatpak
-noblacklist /var/lib/flatpak/exports
+nodeny  /var/lib/flatpak/exports
-blacklist /var/lib/flatpak/*
+deny  /var/lib/flatpak/*
 # most of the time bwrap is SUID binary
-blacklist ${PATH}/bwrap
+deny  ${PATH}/bwrap
 # snap
-blacklist ${RUNUSER}/snapd-session-agent.socket
+deny  ${RUNUSER}/snapd-session-agent.socket
 # mail directories used by mutt
-blacklist ${HOME}/.Mail
+deny  ${HOME}/.Mail
-blacklist ${HOME}/.mail
+deny  ${HOME}/.mail
-blacklist ${HOME}/.signature
+deny  ${HOME}/.signature
-blacklist ${HOME}/Mail
+deny  ${HOME}/Mail
-blacklist ${HOME}/mail
+deny  ${HOME}/mail
-blacklist ${HOME}/postponed
+deny  ${HOME}/postponed
-blacklist ${HOME}/sent
+deny  ${HOME}/sent
 # kernel configuration
-blacklist /proc/config.gz
+deny  /proc/config.gz
 # prevent DNS malware attempting to communicate with the server
 # using regular DNS tools
-blacklist ${PATH}/dig
+deny  ${PATH}/dig
-blacklist ${PATH}/dlint
+deny  ${PATH}/dlint
-blacklist ${PATH}/dns2tcp
+deny  ${PATH}/dns2tcp
-blacklist ${PATH}/dnssec-*
+deny  ${PATH}/dnssec-*
-blacklist ${PATH}/dnswalk
+deny  ${PATH}/dnswalk
-blacklist ${PATH}/drill
+deny  ${PATH}/drill
-blacklist ${PATH}/host
+deny  ${PATH}/host
-blacklist ${PATH}/iodine
+deny  ${PATH}/iodine
-blacklist ${PATH}/kdig
+deny  ${PATH}/kdig
-blacklist ${PATH}/khost
+deny  ${PATH}/khost
-blacklist ${PATH}/knsupdate
+deny  ${PATH}/knsupdate
-blacklist ${PATH}/ldns-*
+deny  ${PATH}/ldns-*
-blacklist ${PATH}/ldnsd
+deny  ${PATH}/ldnsd
-blacklist ${PATH}/nslookup
+deny  ${PATH}/nslookup
-blacklist ${PATH}/resolvectl
+deny  ${PATH}/resolvectl
-blacklist ${PATH}/unbound-host
+deny  ${PATH}/unbound-host
 # rest of ${RUNUSER}
-blacklist ${RUNUSER}/*.lock
+deny  ${RUNUSER}/*.lock
-blacklist ${RUNUSER}/inaccessible
+deny  ${RUNUSER}/inaccessible
-blacklist ${RUNUSER}/pk-debconf-socket
+deny  ${RUNUSER}/pk-debconf-socket
-blacklist ${RUNUSER}/update-notifier.pid
+deny  ${RUNUSER}/update-notifier.pid
--- a/etc/inc/disable-devel.inc
+++ b/etc/inc/disable-devel.inc
@ -5,65 +5,65 @@ include disable-devel.local
 # development tools
 # clang/llvm
-blacklist ${PATH}/clang*
+deny  ${PATH}/clang*
-blacklist ${PATH}/lldb*
+deny  ${PATH}/lldb*
-blacklist ${PATH}/llvm*
+deny  ${PATH}/llvm*
 # see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU
 # blacklist /usr/lib/llvm*
 # GCC
-blacklist ${PATH}/as
+deny  ${PATH}/as
-blacklist ${PATH}/cc
+deny  ${PATH}/cc
-blacklist ${PATH}/c++*
+deny  ${PATH}/c++*
-blacklist ${PATH}/c8*
+deny  ${PATH}/c8*
-blacklist ${PATH}/c9*
+deny  ${PATH}/c9*
-blacklist ${PATH}/cpp*
+deny  ${PATH}/cpp*
-blacklist ${PATH}/g++*
+deny  ${PATH}/g++*
-blacklist ${PATH}/gcc*
+deny  ${PATH}/gcc*
-blacklist ${PATH}/gdb
+deny  ${PATH}/gdb
-blacklist ${PATH}/ld
+deny  ${PATH}/ld
-blacklist ${PATH}/*-gcc*
+deny  ${PATH}/*-gcc*
-blacklist ${PATH}/*-g++*
+deny  ${PATH}/*-g++*
-blacklist ${PATH}/*-gcc*
+deny  ${PATH}/*-gcc*
-blacklist ${PATH}/*-g++*
+deny  ${PATH}/*-g++*
 # seems to create problems on Gentoo
 #blacklist /usr/lib/gcc
 #Go
-blacklist ${PATH}/gccgo
+deny  ${PATH}/gccgo
-blacklist ${PATH}/go
+deny  ${PATH}/go
-blacklist ${PATH}/gofmt
+deny  ${PATH}/gofmt
 # Java
-blacklist ${PATH}/java
+deny  ${PATH}/java
-blacklist ${PATH}/javac
+deny  ${PATH}/javac
-blacklist /etc/java
+deny  /etc/java
-blacklist /usr/lib/java
+deny  /usr/lib/java
-blacklist /usr/share/java
+deny  /usr/share/java
 #OpenSSL
-blacklist ${PATH}/openssl
+deny  ${PATH}/openssl
-blacklist ${PATH}/openssl-1.0
+deny  ${PATH}/openssl-1.0
 #Rust
-blacklist ${PATH}/rust-gdb
+deny  ${PATH}/rust-gdb
-blacklist ${PATH}/rust-lldb
+deny  ${PATH}/rust-lldb
-blacklist ${PATH}/rustc
+deny  ${PATH}/rustc
-blacklist ${HOME}/.rustup
+deny  ${HOME}/.rustup
 # tcc - Tiny C Compiler
-blacklist ${PATH}/tcc
+deny  ${PATH}/tcc
-blacklist ${PATH}/x86_64-tcc
+deny  ${PATH}/x86_64-tcc
-blacklist /usr/lib/tcc
+deny  /usr/lib/tcc
 # Valgrind
-blacklist ${PATH}/valgrind*
+deny  ${PATH}/valgrind*
-blacklist /usr/lib/valgrind
+deny  /usr/lib/valgrind
 # Source-Code
-blacklist /usr/src
+deny  /usr/src
-blacklist /usr/local/src
+deny  /usr/local/src
-blacklist /usr/include
+deny  /usr/include
-blacklist /usr/local/include
+deny  /usr/local/include
--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@ -3,66 +3,66 @@
 include disable-interpreters.local
 # gjs
-blacklist ${PATH}/gjs
+deny  ${PATH}/gjs
-blacklist ${PATH}/gjs-console
+deny  ${PATH}/gjs-console
-blacklist /usr/lib/gjs
+deny  /usr/lib/gjs
-blacklist /usr/lib/libgjs*
+deny  /usr/lib/libgjs*
-blacklist /usr/lib64/gjs
+deny  /usr/lib64/gjs
-blacklist /usr/lib64/libgjs*
+deny  /usr/lib64/libgjs*
 # Lua
-blacklist ${PATH}/lua*
+deny  ${PATH}/lua*
-blacklist /usr/include/lua*
+deny  /usr/include/lua*
-blacklist /usr/lib/liblua*
+deny  /usr/lib/liblua*
-blacklist /usr/lib/lua
+deny  /usr/lib/lua
-blacklist /usr/lib64/liblua*
+deny  /usr/lib64/liblua*
-blacklist /usr/lib64/lua
+deny  /usr/lib64/lua
-blacklist /usr/share/lua*
+deny  /usr/share/lua*
 # mozjs
-blacklist /usr/lib/libmozjs-*
+deny  /usr/lib/libmozjs-*
-blacklist /usr/lib64/libmozjs-*
+deny  /usr/lib64/libmozjs-*
 # Node.js
-blacklist ${PATH}/node
+deny  ${PATH}/node
-blacklist /usr/include/node
+deny  /usr/include/node
 # nvm
-blacklist ${HOME}/.nvm
+deny  ${HOME}/.nvm
 # Perl
-blacklist ${PATH}/core_perl
+deny  ${PATH}/core_perl
-blacklist ${PATH}/cpan*
+deny  ${PATH}/cpan*
-blacklist ${PATH}/perl
+deny  ${PATH}/perl
-blacklist ${PATH}/site_perl
+deny  ${PATH}/site_perl
-blacklist ${PATH}/vendor_perl
+deny  ${PATH}/vendor_perl
-blacklist /usr/lib/perl*
+deny  /usr/lib/perl*
-blacklist /usr/lib64/perl*
+deny  /usr/lib64/perl*
-blacklist /usr/share/perl*
+deny  /usr/share/perl*
 # PHP
-blacklist ${PATH}/php*
+deny  ${PATH}/php*
-blacklist /usr/lib/php*
+deny  /usr/lib/php*
-blacklist /usr/share/php*
+deny  /usr/share/php*
 # Ruby
-blacklist ${PATH}/ruby
+deny  ${PATH}/ruby
-blacklist /usr/lib/ruby
+deny  /usr/lib/ruby
 # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
 # Python 2
-blacklist ${PATH}/python2*
+deny  ${PATH}/python2*
-blacklist /usr/include/python2*
+deny  /usr/include/python2*
-blacklist /usr/lib/python2*
+deny  /usr/lib/python2*
-blacklist /usr/local/lib/python2*
+deny  /usr/local/lib/python2*
-blacklist /usr/share/python2*
+deny  /usr/share/python2*
 # You will want to add noblacklist for python3 stuff in the firefox and/or chromium profiles if you use the Gnome connector (see Issue #2026)
 # Python 3
-blacklist ${PATH}/python3*
+deny  ${PATH}/python3*
-blacklist /usr/include/python3*
+deny  /usr/include/python3*
-blacklist /usr/lib/python3*
+deny  /usr/lib/python3*
-blacklist /usr/lib64/python3*
+deny  /usr/lib64/python3*
-blacklist /usr/local/lib/python3*
+deny  /usr/local/lib/python3*
-blacklist /usr/share/python3*
+deny  /usr/share/python3*
--- a/etc/inc/disable-passwdmgr.inc
+++ b/etc/inc/disable-passwdmgr.inc
@ -2,18 +2,18 @@
 # Persistent customizations should go in a .local file.
 include disable-passwdmgr.local
-blacklist ${HOME}/.config/Bitwarden
+deny  ${HOME}/.config/Bitwarden
-blacklist ${HOME}/.config/KeePass
+deny  ${HOME}/.config/KeePass
-blacklist ${HOME}/.config/keepass
+deny  ${HOME}/.config/keepass
-blacklist ${HOME}/.config/keepassx
+deny  ${HOME}/.config/keepassx
-blacklist ${HOME}/.config/keepassxc
+deny  ${HOME}/.config/keepassxc
-blacklist ${HOME}/.config/KeePassXCrc
+deny  ${HOME}/.config/KeePassXCrc
-blacklist ${HOME}/.config/Sinew Software Systems
+deny  ${HOME}/.config/Sinew Software Systems
-blacklist ${HOME}/.fpm
+deny  ${HOME}/.fpm
-blacklist ${HOME}/.keepass
+deny  ${HOME}/.keepass
-blacklist ${HOME}/.keepassx
+deny  ${HOME}/.keepassx
-blacklist ${HOME}/.keepassxc
+deny  ${HOME}/.keepassxc
-blacklist ${HOME}/.lastpass
+deny  ${HOME}/.lastpass
-blacklist ${HOME}/.local/share/KeePass
+deny  ${HOME}/.local/share/KeePass
-blacklist ${HOME}/.local/share/keepass
+deny  ${HOME}/.local/share/keepass
-blacklist ${HOME}/.password-store
+deny  ${HOME}/.password-store
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
--- a/etc/inc/disable-shell.inc
+++ b/etc/inc/disable-shell.inc
@ -2,14 +2,14 @@
 # Persistent customizations should go in a .local file.
 include disable-shell.local
-blacklist ${PATH}/bash
+deny  ${PATH}/bash
-blacklist ${PATH}/csh
+deny  ${PATH}/csh
-blacklist ${PATH}/dash
+deny  ${PATH}/dash
-blacklist ${PATH}/fish
+deny  ${PATH}/fish
-blacklist ${PATH}/ksh
+deny  ${PATH}/ksh
-blacklist ${PATH}/mksh
+deny  ${PATH}/mksh
-blacklist ${PATH}/oksh
+deny  ${PATH}/oksh
-blacklist ${PATH}/sh
+deny  ${PATH}/sh
-blacklist ${PATH}/tclsh
+deny  ${PATH}/tclsh
-blacklist ${PATH}/tcsh
+deny  ${PATH}/tcsh
-blacklist ${PATH}/zsh
+deny  ${PATH}/zsh
--- a/etc/inc/disable-xdg.inc
+++ b/etc/inc/disable-xdg.inc
@ -2,10 +2,10 @@
 # Persistent customizations should go in a .local file.
 include disable-xdg.local
-blacklist ${DOCUMENTS}
+deny  ${DOCUMENTS}
-blacklist ${MUSIC}
+deny  ${MUSIC}
-blacklist ${PICTURES}
+deny  ${PICTURES}
-blacklist ${VIDEOS}
+deny  ${VIDEOS}
 # The following should be considered catch-all directories
 #blacklist ${DESKTOP}
--- a/etc/inc/whitelist-1793-workaround.inc
+++ b/etc/inc/whitelist-1793-workaround.inc
@ -3,27 +3,27 @@
 include whitelist-1793-workaround.local
 # This works around bug 1793, and allows whitelisting to be used for some KDE applications.
-noblacklist ${HOME}/.config/ibus
+nodeny  ${HOME}/.config/ibus
-noblacklist ${HOME}/.config/mimeapps.list
+nodeny  ${HOME}/.config/mimeapps.list
-noblacklist ${HOME}/.config/pkcs11
+nodeny  ${HOME}/.config/pkcs11
-noblacklist ${HOME}/.config/user-dirs.dirs
+nodeny  ${HOME}/.config/user-dirs.dirs
-noblacklist ${HOME}/.config/user-dirs.locale
+nodeny  ${HOME}/.config/user-dirs.locale
-noblacklist ${HOME}/.config/dconf
+nodeny  ${HOME}/.config/dconf
-noblacklist ${HOME}/.config/fontconfig
+nodeny  ${HOME}/.config/fontconfig
-noblacklist ${HOME}/.config/gtk-2.0
+nodeny  ${HOME}/.config/gtk-2.0
-noblacklist ${HOME}/.config/gtk-3.0
+nodeny  ${HOME}/.config/gtk-3.0
-noblacklist ${HOME}/.config/gtk-4.0
+nodeny  ${HOME}/.config/gtk-4.0
-noblacklist ${HOME}/.config/gtkrc
+nodeny  ${HOME}/.config/gtkrc
-noblacklist ${HOME}/.config/gtkrc-2.0
+nodeny  ${HOME}/.config/gtkrc-2.0
-noblacklist ${HOME}/.config/Kvantum
+nodeny  ${HOME}/.config/Kvantum
-noblacklist ${HOME}/.config/Trolltech.conf
+nodeny  ${HOME}/.config/Trolltech.conf
-noblacklist ${HOME}/.config/QtProject.conf
+nodeny  ${HOME}/.config/QtProject.conf
-noblacklist ${HOME}/.config/kdeglobals
+nodeny  ${HOME}/.config/kdeglobals
-noblacklist ${HOME}/.config/kio_httprc
+nodeny  ${HOME}/.config/kio_httprc
-noblacklist ${HOME}/.config/kioslaverc
+nodeny  ${HOME}/.config/kioslaverc
-noblacklist ${HOME}/.config/ksslcablacklist
+nodeny  ${HOME}/.config/ksslcablacklist
-noblacklist ${HOME}/.config/qt5ct
+nodeny  ${HOME}/.config/qt5ct
-noblacklist ${HOME}/.config/qtcurve
+nodeny  ${HOME}/.config/qtcurve
-blacklist ${HOME}/.config/*
+deny  ${HOME}/.config/*
-whitelist ${HOME}/.config
+allow  ${HOME}/.config
--- a/etc/inc/whitelist-common.inc
+++ b/etc/inc/whitelist-common.inc
@ -4,82 +4,82 @@ include whitelist-common.local
 # common whitelist for all profiles
-whitelist ${HOME}/.XCompose
+allow  ${HOME}/.XCompose
-whitelist ${HOME}/.alsaequal.bin
+allow  ${HOME}/.alsaequal.bin
-whitelist ${HOME}/.asoundrc
+allow  ${HOME}/.asoundrc
-whitelist ${HOME}/.config/ibus
+allow  ${HOME}/.config/ibus
-whitelist ${HOME}/.config/mimeapps.list
+allow  ${HOME}/.config/mimeapps.list
-whitelist ${HOME}/.config/pkcs11
+allow  ${HOME}/.config/pkcs11
 read-only ${HOME}/.config/pkcs11
-whitelist ${HOME}/.config/user-dirs.dirs
+allow  ${HOME}/.config/user-dirs.dirs
 read-only ${HOME}/.config/user-dirs.dirs
-whitelist ${HOME}/.config/user-dirs.locale
+allow  ${HOME}/.config/user-dirs.locale
 read-only ${HOME}/.config/user-dirs.locale
-whitelist ${HOME}/.drirc
+allow  ${HOME}/.drirc
-whitelist ${HOME}/.icons
+allow  ${HOME}/.icons
 ?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit
-whitelist ${HOME}/.local/share/applications
+allow  ${HOME}/.local/share/applications
 read-only ${HOME}/.local/share/applications
-whitelist ${HOME}/.local/share/icons
+allow  ${HOME}/.local/share/icons
-whitelist ${HOME}/.local/share/mime
+allow  ${HOME}/.local/share/mime
-whitelist ${HOME}/.mime.types
+allow  ${HOME}/.mime.types
-whitelist ${HOME}/.sndio/cookie
+allow  ${HOME}/.sndio/cookie
-whitelist ${HOME}/.uim.d
+allow  ${HOME}/.uim.d
 # dconf
 mkdir ${HOME}/.config/dconf
-whitelist ${HOME}/.config/dconf
+allow  ${HOME}/.config/dconf
 # fonts
-whitelist ${HOME}/.cache/fontconfig
+allow  ${HOME}/.cache/fontconfig
-whitelist ${HOME}/.config/fontconfig
+allow  ${HOME}/.config/fontconfig
-whitelist ${HOME}/.fontconfig
+allow  ${HOME}/.fontconfig
-whitelist ${HOME}/.fonts
+allow  ${HOME}/.fonts
-whitelist ${HOME}/.fonts.conf
+allow  ${HOME}/.fonts.conf
-whitelist ${HOME}/.fonts.conf.d
+allow  ${HOME}/.fonts.conf.d
-whitelist ${HOME}/.fonts.d
+allow  ${HOME}/.fonts.d
-whitelist ${HOME}/.local/share/fonts
+allow  ${HOME}/.local/share/fonts
-whitelist ${HOME}/.pangorc
+allow  ${HOME}/.pangorc
 # gtk
-whitelist ${HOME}/.config/gtk-2.0
+allow  ${HOME}/.config/gtk-2.0
-whitelist ${HOME}/.config/gtk-3.0
+allow  ${HOME}/.config/gtk-3.0
-whitelist ${HOME}/.config/gtk-4.0
+allow  ${HOME}/.config/gtk-4.0
-whitelist ${HOME}/.config/gtkrc
+allow  ${HOME}/.config/gtkrc
-whitelist ${HOME}/.config/gtkrc-2.0
+allow  ${HOME}/.config/gtkrc-2.0
-whitelist ${HOME}/.gnome2
+allow  ${HOME}/.gnome2
-whitelist ${HOME}/.gnome2-private
+allow  ${HOME}/.gnome2-private
-whitelist ${HOME}/.gtk-2.0
+allow  ${HOME}/.gtk-2.0
-whitelist ${HOME}/.gtkrc
+allow  ${HOME}/.gtkrc
-whitelist ${HOME}/.gtkrc-2.0
+allow  ${HOME}/.gtkrc-2.0
-whitelist ${HOME}/.kde/share/config/gtkrc
+allow  ${HOME}/.kde/share/config/gtkrc
-whitelist ${HOME}/.kde/share/config/gtkrc-2.0
+allow  ${HOME}/.kde/share/config/gtkrc-2.0
-whitelist ${HOME}/.kde4/share/config/gtkrc
+allow  ${HOME}/.kde4/share/config/gtkrc
-whitelist ${HOME}/.kde4/share/config/gtkrc-2.0
+allow  ${HOME}/.kde4/share/config/gtkrc-2.0
-whitelist ${HOME}/.local/share/themes
+allow  ${HOME}/.local/share/themes
-whitelist ${HOME}/.themes
+allow  ${HOME}/.themes
 # qt/kde
-whitelist ${HOME}/.cache/kioexec/krun
+allow  ${HOME}/.cache/kioexec/krun
-whitelist ${HOME}/.config/Kvantum
+allow  ${HOME}/.config/Kvantum
-whitelist ${HOME}/.config/Trolltech.conf
+allow  ${HOME}/.config/Trolltech.conf
-whitelist ${HOME}/.config/QtProject.conf
+allow  ${HOME}/.config/QtProject.conf
-whitelist ${HOME}/.config/kdeglobals
+allow  ${HOME}/.config/kdeglobals
-whitelist ${HOME}/.config/kio_httprc
+allow  ${HOME}/.config/kio_httprc
-whitelist ${HOME}/.config/kioslaverc
+allow  ${HOME}/.config/kioslaverc
-whitelist ${HOME}/.config/ksslcablacklist
+allow  ${HOME}/.config/ksslcablacklist
-whitelist ${HOME}/.config/qt5ct
+allow  ${HOME}/.config/qt5ct
-whitelist ${HOME}/.config/qtcurve
+allow  ${HOME}/.config/qtcurve
-whitelist ${HOME}/.kde/share/config/kdeglobals
+allow  ${HOME}/.kde/share/config/kdeglobals
-whitelist ${HOME}/.kde/share/config/kio_httprc
+allow  ${HOME}/.kde/share/config/kio_httprc
-whitelist ${HOME}/.kde/share/config/kioslaverc
+allow  ${HOME}/.kde/share/config/kioslaverc
-whitelist ${HOME}/.kde/share/config/ksslcablacklist
+allow  ${HOME}/.kde/share/config/ksslcablacklist
-whitelist ${HOME}/.kde/share/config/oxygenrc
+allow  ${HOME}/.kde/share/config/oxygenrc
-whitelist ${HOME}/.kde/share/icons
+allow  ${HOME}/.kde/share/icons
-whitelist ${HOME}/.kde4/share/config/kdeglobals
+allow  ${HOME}/.kde4/share/config/kdeglobals
-whitelist ${HOME}/.kde4/share/config/kio_httprc
+allow  ${HOME}/.kde4/share/config/kio_httprc
-whitelist ${HOME}/.kde4/share/config/kioslaverc
+allow  ${HOME}/.kde4/share/config/kioslaverc
-whitelist ${HOME}/.kde4/share/config/ksslcablacklist
+allow  ${HOME}/.kde4/share/config/ksslcablacklist
-whitelist ${HOME}/.kde4/share/config/oxygenrc
+allow  ${HOME}/.kde4/share/config/oxygenrc
-whitelist ${HOME}/.kde4/share/icons
+allow  ${HOME}/.kde4/share/icons
-whitelist ${HOME}/.local/share/qt5ct
+allow  ${HOME}/.local/share/qt5ct
--- a/etc/inc/whitelist-player-common.inc
+++ b/etc/inc/whitelist-player-common.inc
@ -4,8 +4,8 @@ include whitelist-player-common.local
 # common whitelist for all media players
-whitelist ${DESKTOP}
+allow  ${DESKTOP}
-whitelist ${DOWNLOADS}
+allow  ${DOWNLOADS}
-whitelist ${MUSIC}
+allow  ${MUSIC}
-whitelist ${PICTURES}
+allow  ${PICTURES}
-whitelist ${VIDEOS}
+allow  ${VIDEOS}
--- a/etc/inc/whitelist-runuser-common.inc
+++ b/etc/inc/whitelist-runuser-common.inc
@ -4,13 +4,13 @@ include whitelist-runuser-common.local
 # common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles
-whitelist ${RUNUSER}/bus
+allow  ${RUNUSER}/bus
-whitelist ${RUNUSER}/dconf
+allow  ${RUNUSER}/dconf
-whitelist ${RUNUSER}/gdm/Xauthority
+allow  ${RUNUSER}/gdm/Xauthority
-whitelist ${RUNUSER}/ICEauthority
+allow  ${RUNUSER}/ICEauthority
-whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
+allow  ${RUNUSER}/.mutter-Xwaylandauth.*
-whitelist ${RUNUSER}/pulse/native
+allow  ${RUNUSER}/pulse/native
-whitelist ${RUNUSER}/wayland-0
+allow  ${RUNUSER}/wayland-0
-whitelist ${RUNUSER}/wayland-1
+allow  ${RUNUSER}/wayland-1
-whitelist ${RUNUSER}/xauth_*
+allow  ${RUNUSER}/xauth_*
-whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
+allow  ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@ -4,66 +4,66 @@ include whitelist-usr-share-common.local
 # common /usr/share whitelist for all profiles
-whitelist /usr/share/alsa
+allow  /usr/share/alsa
-whitelist /usr/share/applications
+allow  /usr/share/applications
-whitelist /usr/share/ca-certificates
+allow  /usr/share/ca-certificates
-whitelist /usr/share/crypto-policies
+allow  /usr/share/crypto-policies
-whitelist /usr/share/cursors
+allow  /usr/share/cursors
-whitelist /usr/share/dconf
+allow  /usr/share/dconf
-whitelist /usr/share/distro-info
+allow  /usr/share/distro-info
-whitelist /usr/share/drirc.d
+allow  /usr/share/drirc.d
-whitelist /usr/share/enchant
+allow  /usr/share/enchant
-whitelist /usr/share/enchant-2
+allow  /usr/share/enchant-2
-whitelist /usr/share/file
+allow  /usr/share/file
-whitelist /usr/share/fontconfig
+allow  /usr/share/fontconfig
-whitelist /usr/share/fonts
+allow  /usr/share/fonts
-whitelist /usr/share/fonts-config
+allow  /usr/share/fonts-config
-whitelist /usr/share/gir-1.0
+allow  /usr/share/gir-1.0
-whitelist /usr/share/gjs-1.0
+allow  /usr/share/gjs-1.0
-whitelist /usr/share/glib-2.0
+allow  /usr/share/glib-2.0
-whitelist /usr/share/glvnd
+allow  /usr/share/glvnd
-whitelist /usr/share/gtk-2.0
+allow  /usr/share/gtk-2.0
-whitelist /usr/share/gtk-3.0
+allow  /usr/share/gtk-3.0
-whitelist /usr/share/gtk-engines
+allow  /usr/share/gtk-engines
-whitelist /usr/share/gtksourceview-3.0
+allow  /usr/share/gtksourceview-3.0
-whitelist /usr/share/gtksourceview-4
+allow  /usr/share/gtksourceview-4
-whitelist /usr/share/hunspell
+allow  /usr/share/hunspell
-whitelist /usr/share/hwdata
+allow  /usr/share/hwdata
-whitelist /usr/share/icons
+allow  /usr/share/icons
-whitelist /usr/share/icu
+allow  /usr/share/icu
-whitelist /usr/share/knotifications5
+allow  /usr/share/knotifications5
-whitelist /usr/share/kservices5
+allow  /usr/share/kservices5
-whitelist /usr/share/Kvantum
+allow  /usr/share/Kvantum
-whitelist /usr/share/kxmlgui5
+allow  /usr/share/kxmlgui5
-whitelist /usr/share/libdrm
+allow  /usr/share/libdrm
-whitelist /usr/share/libthai
+allow  /usr/share/libthai
-whitelist /usr/share/locale
+allow  /usr/share/locale
-whitelist /usr/share/mime
+allow  /usr/share/mime
-whitelist /usr/share/misc
+allow  /usr/share/misc
-whitelist /usr/share/Modules
+allow  /usr/share/Modules
-whitelist /usr/share/myspell
+allow  /usr/share/myspell
-whitelist /usr/share/p11-kit
+allow  /usr/share/p11-kit
-whitelist /usr/share/perl
+allow  /usr/share/perl
-whitelist /usr/share/perl5
+allow  /usr/share/perl5
-whitelist /usr/share/pixmaps
+allow  /usr/share/pixmaps
-whitelist /usr/share/pki
+allow  /usr/share/pki
-whitelist /usr/share/plasma
+allow  /usr/share/plasma
-whitelist /usr/share/publicsuffix
+allow  /usr/share/publicsuffix
-whitelist /usr/share/qt
+allow  /usr/share/qt
-whitelist /usr/share/qt4
+allow  /usr/share/qt4
-whitelist /usr/share/qt5
+allow  /usr/share/qt5
-whitelist /usr/share/qt5ct
+allow  /usr/share/qt5ct
-whitelist /usr/share/sounds
+allow  /usr/share/sounds
-whitelist /usr/share/tcl8.6
+allow  /usr/share/tcl8.6
-whitelist /usr/share/tcltk
+allow  /usr/share/tcltk
-whitelist /usr/share/terminfo
+allow  /usr/share/terminfo
-whitelist /usr/share/texlive
+allow  /usr/share/texlive
-whitelist /usr/share/texmf
+allow  /usr/share/texmf
-whitelist /usr/share/themes
+allow  /usr/share/themes
-whitelist /usr/share/thumbnail.so
+allow  /usr/share/thumbnail.so
-whitelist /usr/share/uim
+allow  /usr/share/uim
-whitelist /usr/share/vulkan
+allow  /usr/share/vulkan
-whitelist /usr/share/X11
+allow  /usr/share/X11
-whitelist /usr/share/xml
+allow  /usr/share/xml
-whitelist /usr/share/zenity
+allow  /usr/share/zenity
-whitelist /usr/share/zoneinfo
+allow  /usr/share/zoneinfo
--- a/etc/inc/whitelist-var-common.inc
+++ b/etc/inc/whitelist-var-common.inc
@ -4,12 +4,12 @@ include whitelist-var-common.local
 # common /var whitelist for all profiles
-whitelist /var/lib/aspell
+allow  /var/lib/aspell
-whitelist /var/lib/ca-certificates
+allow  /var/lib/ca-certificates
-whitelist /var/lib/dbus
+allow  /var/lib/dbus
-whitelist /var/lib/menu-xdg
+allow  /var/lib/menu-xdg
-whitelist /var/lib/uim
+allow  /var/lib/uim
-whitelist /var/cache/fontconfig
+allow  /var/cache/fontconfig
-whitelist /var/tmp
+allow  /var/tmp
-whitelist /var/run
+allow  /var/run
-whitelist /var/lock
+allow  /var/lock
--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@ -6,11 +6,11 @@ include 0ad.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cache/0ad
+nodeny  ${HOME}/.cache/0ad
-noblacklist ${HOME}/.config/0ad
+nodeny  ${HOME}/.config/0ad
-noblacklist ${HOME}/.local/share/0ad
+nodeny  ${HOME}/.local/share/0ad
-blacklist /usr/libexec
+deny  /usr/libexec
 include disable-common.inc
 include disable-devel.inc
@ -23,11 +23,11 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/0ad
 mkdir ${HOME}/.config/0ad
 mkdir ${HOME}/.local/share/0ad
-whitelist ${HOME}/.cache/0ad
+allow  ${HOME}/.cache/0ad
-whitelist ${HOME}/.config/0ad
+allow  ${HOME}/.config/0ad
-whitelist ${HOME}/.local/share/0ad
+allow  ${HOME}/.local/share/0ad
-whitelist /usr/share/0ad
+allow  /usr/share/0ad
-whitelist /usr/share/games
+allow  /usr/share/games
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
--- a/etc/profile-a-l/2048-qt.profile
+++ b/etc/profile-a-l/2048-qt.profile
@ -6,8 +6,8 @@ include 2048-qt.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/2048-qt
+nodeny  ${HOME}/.config/2048-qt
-noblacklist ${HOME}/.config/xiaoyong
+nodeny  ${HOME}/.config/xiaoyong
 include disable-common.inc
 include disable-devel.inc
@ -18,8 +18,8 @@ include disable-programs.inc
 mkdir ${HOME}/.config/2048-qt
 mkdir ${HOME}/.config/xiaoyong
-whitelist ${HOME}/.config/2048-qt
+allow  ${HOME}/.config/2048-qt
-whitelist ${HOME}/.config/xiaoyong
+allow  ${HOME}/.config/xiaoyong
 include whitelist-common.inc
 include whitelist-var-common.inc
--- a/etc/profile-a-l/Cryptocat.profile
+++ b/etc/profile-a-l/Cryptocat.profile
@ -5,7 +5,7 @@ include Cryptocat.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/Cryptocat
+nodeny  ${HOME}/.config/Cryptocat
 include disable-common.inc
 include disable-devel.inc
--- a/etc/profile-a-l/Discord.profile
+++ b/etc/profile-a-l/Discord.profile
@ -5,10 +5,10 @@ include Discord.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/discord
+nodeny  ${HOME}/.config/discord
 mkdir ${HOME}/.config/discord
-whitelist ${HOME}/.config/discord
+allow  ${HOME}/.config/discord
 private-bin Discord
 private-opt Discord
--- a/etc/profile-a-l/DiscordCanary.profile
+++ b/etc/profile-a-l/DiscordCanary.profile
@ -5,10 +5,10 @@ include DiscordCanary.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/discordcanary
+nodeny  ${HOME}/.config/discordcanary
 mkdir ${HOME}/.config/discordcanary
-whitelist ${HOME}/.config/discordcanary
+allow  ${HOME}/.config/discordcanary
 private-bin DiscordCanary
 private-opt DiscordCanary
--- a/etc/profile-a-l/Fritzing.profile
+++ b/etc/profile-a-l/Fritzing.profile
@ -6,8 +6,8 @@ include Fritzing.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/Fritzing
+nodeny  ${HOME}/.config/Fritzing
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
--- a/etc/profile-a-l/JDownloader.profile
+++ b/etc/profile-a-l/JDownloader.profile
@ -5,7 +5,7 @@ include JDownloader.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.jd
+nodeny  ${HOME}/.jd
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@ -19,8 +19,8 @@ include disable-programs.inc
 include disable-xdg.inc
 mkdir ${HOME}/.jd
-whitelist ${HOME}/.jd
+allow  ${HOME}/.jd
-whitelist ${DOWNLOADS}
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-var-common.inc
--- a/etc/profile-a-l/abiword.profile
+++ b/etc/profile-a-l/abiword.profile
@ -6,7 +6,7 @@ include abiword.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/abiword
+nodeny  ${HOME}/.config/abiword
 include disable-common.inc
 include disable-devel.inc
@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
-whitelist /usr/share/abiword-3.0
+allow  /usr/share/abiword-3.0
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
--- a/etc/profile-a-l/abrowser.profile
+++ b/etc/profile-a-l/abrowser.profile
@ -5,13 +5,13 @@ include abrowser.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cache/mozilla
+nodeny  ${HOME}/.cache/mozilla
-noblacklist ${HOME}/.mozilla
+nodeny  ${HOME}/.mozilla
 mkdir ${HOME}/.cache/mozilla/abrowser
 mkdir ${HOME}/.mozilla
-whitelist ${HOME}/.cache/mozilla/abrowser
+allow  ${HOME}/.cache/mozilla/abrowser
-whitelist ${HOME}/.mozilla
+allow  ${HOME}/.mozilla
 # private-etc must first be enabled in firefox-common.profile
 #private-etc abrowser
--- a/etc/profile-a-l/agetpkg.profile
+++ b/etc/profile-a-l/agetpkg.profile
@ -7,8 +7,8 @@ include agetpkg.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
+deny  /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
@ -23,7 +23,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-whitelist ${DOWNLOADS}
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
--- a/etc/profile-a-l/akonadi_control.profile
+++ b/etc/profile-a-l/akonadi_control.profile
@ -4,22 +4,22 @@ include akonadi_control.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cache/akonadi*
+nodeny  ${HOME}/.cache/akonadi*
-noblacklist ${HOME}/.config/akonadi*
+nodeny  ${HOME}/.config/akonadi*
-noblacklist ${HOME}/.config/baloorc
+nodeny  ${HOME}/.config/baloorc
-noblacklist ${HOME}/.config/emaildefaults
+nodeny  ${HOME}/.config/emaildefaults
-noblacklist ${HOME}/.config/emailidentities
+nodeny  ${HOME}/.config/emailidentities
-noblacklist ${HOME}/.config/kmail2rc
+nodeny  ${HOME}/.config/kmail2rc
-noblacklist ${HOME}/.config/mailtransports
+nodeny  ${HOME}/.config/mailtransports
-noblacklist ${HOME}/.config/specialmailcollectionsrc
+nodeny  ${HOME}/.config/specialmailcollectionsrc
-noblacklist ${HOME}/.local/share/akonadi*
+nodeny  ${HOME}/.local/share/akonadi*
-noblacklist ${HOME}/.local/share/apps/korganizer
+nodeny  ${HOME}/.local/share/apps/korganizer
-noblacklist ${HOME}/.local/share/contacts
+nodeny  ${HOME}/.local/share/contacts
-noblacklist ${HOME}/.local/share/local-mail
+nodeny  ${HOME}/.local/share/local-mail
-noblacklist ${HOME}/.local/share/notes
+nodeny  ${HOME}/.local/share/notes
-noblacklist /sbin
+nodeny  /sbin
-noblacklist /tmp/akonadi-*
+nodeny  /tmp/akonadi-*
-noblacklist /usr/sbin
+nodeny  /usr/sbin
 include disable-common.inc
 include disable-devel.inc
--- a/etc/profile-a-l/akregator.profile
+++ b/etc/profile-a-l/akregator.profile
@ -6,9 +6,9 @@ include akregator.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/akregatorrc
+nodeny  ${HOME}/.config/akregatorrc
-noblacklist ${HOME}/.local/share/akregator
+nodeny  ${HOME}/.local/share/akregator
-noblacklist ${HOME}/.local/share/kxmlgui5/akregator
+nodeny  ${HOME}/.local/share/kxmlgui5/akregator
 include disable-common.inc
 include disable-devel.inc
@ -21,10 +21,10 @@ include disable-shell.inc
 mkfile ${HOME}/.config/akregatorrc
 mkdir ${HOME}/.local/share/akregator
 mkdir ${HOME}/.local/share/kxmlgui5/akregator
-whitelist ${HOME}/.config/akregatorrc
+allow  ${HOME}/.config/akregatorrc
-whitelist ${HOME}/.local/share/akregator
+allow  ${HOME}/.local/share/akregator
-whitelist ${HOME}/.local/share/kssl
+allow  ${HOME}/.local/share/kssl
-whitelist ${HOME}/.local/share/kxmlgui5/akregator
+allow  ${HOME}/.local/share/kxmlgui5/akregator
 include whitelist-common.inc
 include whitelist-var-common.inc
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@ -19,13 +19,13 @@ include disable-passwdmgr.inc
 include disable-xdg.inc
 # Whitelist your system icon directory,varies by distro
-whitelist /usr/share/alacarte
+allow  /usr/share/alacarte
-whitelist /usr/share/app-info
+allow  /usr/share/app-info
-whitelist /usr/share/desktop-directories
+allow  /usr/share/desktop-directories
-whitelist /usr/share/icons
+allow  /usr/share/icons
-whitelist /var/lib/app-info/icons
+allow  /var/lib/app-info/icons
-whitelist /var/lib/flatpak/exports/share/applications
+allow  /var/lib/flatpak/exports/share/applications
-whitelist /var/lib/flatpak/exports/share/icons
+allow  /var/lib/flatpak/exports/share/icons
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
--- a/etc/profile-a-l/alienarena.profile
+++ b/etc/profile-a-l/alienarena.profile
@ -6,7 +6,7 @@ include alienarena.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.local/share/cor-games
+nodeny  ${HOME}/.local/share/cor-games
 include disable-common.inc
 include disable-devel.inc
@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.local/share/cor-games
-whitelist ${HOME}/.local/share/cor-games
+allow  ${HOME}/.local/share/cor-games
-whitelist /usr/share/alienarena
+allow  /usr/share/alienarena
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
--- a/etc/profile-a-l/alpine.profile
+++ b/etc/profile-a-l/alpine.profile
@ -10,28 +10,28 @@ include globals.local
 # Workaround for bug https://github.com/netblue30/firejail/issues/2747
 # firejail --private-bin=sh --include='${CFG}/allow-bin-sh.inc' --profile=alpine sh -c '(alpine)'
-noblacklist /var/mail
+nodeny  /var/mail
-noblacklist /var/spool/mail
+nodeny  /var/spool/mail
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
-noblacklist ${HOME}/.addressbook
+nodeny  ${HOME}/.addressbook
-noblacklist ${HOME}/.alpine-smime
+nodeny  ${HOME}/.alpine-smime
-noblacklist ${HOME}/.mailcap
+nodeny  ${HOME}/.mailcap
-noblacklist ${HOME}/.mh_profile
+nodeny  ${HOME}/.mh_profile
-noblacklist ${HOME}/.mime.types
+nodeny  ${HOME}/.mime.types
-noblacklist ${HOME}/.newsrc
+nodeny  ${HOME}/.newsrc
-noblacklist ${HOME}/.pine-crash
+nodeny  ${HOME}/.pine-crash
-noblacklist ${HOME}/.pine-debug1
+nodeny  ${HOME}/.pine-debug1
-noblacklist ${HOME}/.pine-debug2
+nodeny  ${HOME}/.pine-debug2
-noblacklist ${HOME}/.pine-debug3
+nodeny  ${HOME}/.pine-debug3
-noblacklist ${HOME}/.pine-debug4
+nodeny  ${HOME}/.pine-debug4
-noblacklist ${HOME}/.pine-interrupted-mail
+nodeny  ${HOME}/.pine-interrupted-mail
-noblacklist ${HOME}/.pinerc
+nodeny  ${HOME}/.pinerc
-noblacklist ${HOME}/.pinercex
+nodeny  ${HOME}/.pinercex
-noblacklist ${HOME}/.signature
+nodeny  ${HOME}/.signature
-noblacklist ${HOME}/mail
+nodeny  ${HOME}/mail
-blacklist /tmp/.X11-unix
+deny  /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
@ -60,8 +60,8 @@ include disable-xdg.inc
 #whitelist ${HOME}/.pine-debug4
 #whitelist ${HOME}/.signature
 #whitelist ${HOME}/mail
-whitelist /var/mail
+allow  /var/mail
-whitelist /var/spool/mail
+allow  /var/spool/mail
 #include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
--- a/etc/profile-a-l/amarok.profile
+++ b/etc/profile-a-l/amarok.profile
@ -6,7 +6,7 @@ include amarok.local
 # Persistent global definitions
 include globals.local
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
--- a/etc/profile-a-l/amule.profile
+++ b/etc/profile-a-l/amule.profile
@ -6,7 +6,7 @@ include amule.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.aMule
+nodeny  ${HOME}/.aMule
 include disable-common.inc
 include disable-devel.inc
@ -16,8 +16,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.aMule
-whitelist ${DOWNLOADS}
+allow  ${DOWNLOADS}
-whitelist ${HOME}/.aMule
+allow  ${HOME}/.aMule
 include whitelist-common.inc
 caps.drop all
--- a/etc/profile-a-l/android-studio.profile
+++ b/etc/profile-a-l/android-studio.profile
@ -5,13 +5,13 @@ include android-studio.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/Google
+nodeny  ${HOME}/.config/Google
-noblacklist ${HOME}/.AndroidStudio*
+nodeny  ${HOME}/.AndroidStudio*
-noblacklist ${HOME}/.android
+nodeny  ${HOME}/.android
-noblacklist ${HOME}/.jack-server
+nodeny  ${HOME}/.jack-server
-noblacklist ${HOME}/.jack-settings
+nodeny  ${HOME}/.jack-settings
-noblacklist ${HOME}/.local/share/JetBrains
+nodeny  ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.tooling
+nodeny  ${HOME}/.tooling
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
--- a/etc/profile-a-l/anki.profile
+++ b/etc/profile-a-l/anki.profile
@ -6,8 +6,8 @@ include anki.local
 # Persistent global definitions
 include globals.local
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
-noblacklist ${HOME}/.local/share/Anki2
+nodeny  ${HOME}/.local/share/Anki2
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@ -23,8 +23,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.local/share/Anki2
-whitelist ${DOCUMENTS}
+allow  ${DOCUMENTS}
-whitelist ${HOME}/.local/share/Anki2
+allow  ${HOME}/.local/share/Anki2
 include whitelist-common.inc
 include whitelist-var-common.inc
--- a/etc/profile-a-l/anydesk.profile
+++ b/etc/profile-a-l/anydesk.profile
@ -5,7 +5,7 @@ include anydesk.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.anydesk
+nodeny  ${HOME}/.anydesk
 include disable-common.inc
 include disable-devel.inc
@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 mkdir ${HOME}/.anydesk
-whitelist ${HOME}/.anydesk
+allow  ${HOME}/.anydesk
 include whitelist-common.inc
 caps.drop all
--- a/etc/profile-a-l/aosp.profile
+++ b/etc/profile-a-l/aosp.profile
@ -5,13 +5,13 @@ include aosp.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.android
+nodeny  ${HOME}/.android
-noblacklist ${HOME}/.bash_history
+nodeny  ${HOME}/.bash_history
-noblacklist ${HOME}/.jack-server
+nodeny  ${HOME}/.jack-server
-noblacklist ${HOME}/.jack-settings
+nodeny  ${HOME}/.jack-settings
-noblacklist ${HOME}/.repo_.gitconfig.json
+nodeny  ${HOME}/.repo_.gitconfig.json
-noblacklist ${HOME}/.repoconfig
+nodeny  ${HOME}/.repoconfig
-noblacklist ${HOME}/.tooling
+nodeny  ${HOME}/.tooling
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@ -6,9 +6,9 @@ include apostrophe.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.texlive20*
+nodeny  ${HOME}/.texlive20*
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${PICTURES}
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@ -31,12 +31,12 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-whitelist /usr/libexec/webkit2gtk-4.0
+allow  /usr/libexec/webkit2gtk-4.0
-whitelist /usr/share/apostrophe
+allow  /usr/share/apostrophe
-whitelist /usr/share/texlive
+allow  /usr/share/texlive
-whitelist /usr/share/texmf
+allow  /usr/share/texmf
-whitelist /usr/share/pandoc-*
+allow  /usr/share/pandoc-*
-whitelist /usr/share/perl5
+allow  /usr/share/perl5
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
--- a/etc/profile-a-l/arch-audit.profile
+++ b/etc/profile-a-l/arch-audit.profile
@ -7,7 +7,7 @@ include arch-audit.local
 # Persistent global definitions
 include globals.local
-noblacklist /var/lib/pacman
+nodeny  /var/lib/pacman
 include disable-common.inc
 include disable-devel.inc
@ -18,7 +18,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-whitelist /usr/share/arch-audit
+allow  /usr/share/arch-audit
 include whitelist-usr-share-common.inc
 apparmor
--- a/etc/profile-a-l/archaudit-report.profile
+++ b/etc/profile-a-l/archaudit-report.profile
@ -6,7 +6,7 @@ include archaudit-report.local
 # Persistent global definitions
 include globals.local
-noblacklist /var/lib/pacman
+nodeny  /var/lib/pacman
 include disable-common.inc
 include disable-devel.inc
--- a/etc/profile-a-l/archiver-common.profile
+++ b/etc/profile-a-l/archiver-common.profile
@ -4,7 +4,7 @@ include archiver-common.local
 # common profile for archiver/compression tools
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 # Comment/uncomment the relevant include file(s) in your archiver-common.local
 # to (un)restrict file access for **all** archivers. Another option is to do this **per archiver**
--- a/etc/profile-a-l/ardour5.profile
+++ b/etc/profile-a-l/ardour5.profile
@ -5,12 +5,12 @@ include ardour5.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/ardour4
+nodeny  ${HOME}/.config/ardour4
-noblacklist ${HOME}/.config/ardour5
+nodeny  ${HOME}/.config/ardour5
-noblacklist ${HOME}/.lv2
+nodeny  ${HOME}/.lv2
-noblacklist ${HOME}/.vst
+nodeny  ${HOME}/.vst
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
--- a/etc/profile-a-l/arduino.profile
+++ b/etc/profile-a-l/arduino.profile
@ -6,9 +6,9 @@ include arduino.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.arduino15
+nodeny  ${HOME}/.arduino15
-noblacklist ${HOME}/Arduino
+nodeny  ${HOME}/Arduino
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@ -6,12 +6,12 @@ include aria2c.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.aria2
+nodeny  ${HOME}/.aria2
-noblacklist ${HOME}/.config/aria2
+nodeny  ${HOME}/.config/aria2
-noblacklist ${HOME}/.netrc
+nodeny  ${HOME}/.netrc
-blacklist /tmp/.X11-unix
+deny  /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
--- a/etc/profile-a-l/ark.profile
+++ b/etc/profile-a-l/ark.profile
@ -6,8 +6,8 @@ include ark.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/arkrc
+nodeny  ${HOME}/.config/arkrc
-noblacklist ${HOME}/.local/share/kxmlgui5/ark
+nodeny  ${HOME}/.local/share/kxmlgui5/ark
 include disable-common.inc
 include disable-devel.inc
@ -16,7 +16,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-whitelist /usr/share/ark
+allow  /usr/share/ark
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
--- a/etc/profile-a-l/arm.profile
+++ b/etc/profile-a-l/arm.profile
@ -6,7 +6,7 @@ include arm.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.arm
+nodeny  ${HOME}/.arm
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@ -20,7 +20,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 mkdir ${HOME}/.arm
-whitelist ${HOME}/.arm
+allow  ${HOME}/.arm
 include whitelist-common.inc
 caps.drop all
--- a/etc/profile-a-l/artha.profile
+++ b/etc/profile-a-l/artha.profile
@ -6,12 +6,12 @@ include artha.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/artha.conf
+nodeny  ${HOME}/.config/artha.conf
-noblacklist ${HOME}/.config/artha.log
+nodeny  ${HOME}/.config/artha.log
-noblacklist ${HOME}/.config/enchant
+nodeny  ${HOME}/.config/enchant
-blacklist /tmp/.X11-unix
+deny  /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 include disable-common.inc
 include disable-devel.inc
@ -28,8 +28,8 @@ include disable-xdg.inc
 #whitelist ${HOME}/.config/artha.conf
 #whitelist ${HOME}/.config/artha.log
 #whitelist ${HOME}/.config/enchant
-whitelist /usr/share/artha
+allow  /usr/share/artha
-whitelist /usr/share/wordnet
+allow  /usr/share/wordnet
 #include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
--- a/etc/profile-a-l/assogiate.profile
+++ b/etc/profile-a-l/assogiate.profile
@ -6,7 +6,7 @@ include assogiate.local
 # Persistent global definitions
 include globals.local
-noblacklist ${PICTURES}
+nodeny  ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-whitelist ${PICTURES}
+allow  ${PICTURES}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
--- a/etc/profile-a-l/asunder.profile
+++ b/etc/profile-a-l/asunder.profile
@ -6,11 +6,11 @@ include asunder.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/asunder
+nodeny  ${HOME}/.config/asunder
-noblacklist ${HOME}/.asunder_album_genre
+nodeny  ${HOME}/.asunder_album_genre
-noblacklist ${HOME}/.asunder_album_title
+nodeny  ${HOME}/.asunder_album_title
-noblacklist ${HOME}/.asunder_album_artist
+nodeny  ${HOME}/.asunder_album_artist
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
--- a/etc/profile-a-l/atom.profile
+++ b/etc/profile-a-l/atom.profile
@ -18,8 +18,8 @@ ignore include whitelist-var-common.inc
 ignore apparmor
 ignore disable-mnt
-noblacklist ${HOME}/.atom
+nodeny  ${HOME}/.atom
-noblacklist ${HOME}/.config/Atom
+nodeny  ${HOME}/.config/Atom
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@ -6,9 +6,9 @@ include atril.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cache/atril
+nodeny  ${HOME}/.cache/atril
-noblacklist ${HOME}/.config/atril
+nodeny  ${HOME}/.config/atril
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 #noblacklist ${HOME}/.local/share
 # it seems to use only ${HOME}/.local/share/webkitgtk
--- a/etc/profile-a-l/audacious.profile
+++ b/etc/profile-a-l/audacious.profile
@ -6,9 +6,9 @@ include audacious.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/Audaciousrc
+nodeny  ${HOME}/.config/Audaciousrc
-noblacklist ${HOME}/.config/audacious
+nodeny  ${HOME}/.config/audacious
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@ -6,9 +6,9 @@ include audacity.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.audacity-data
+nodeny  ${HOME}/.audacity-data
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
--- a/etc/profile-a-l/audio-recorder.profile
+++ b/etc/profile-a-l/audio-recorder.profile
@ -7,7 +7,7 @@ include audio-recorder.local
 # Persistent global definitions
 include globals.local
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 include disable-common.inc
 include disable-devel.inc
@ -17,10 +17,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-whitelist ${MUSIC}
+allow  ${MUSIC}
-whitelist ${DOWNLOADS}
+allow  ${DOWNLOADS}
-whitelist /usr/share/audio-recorder
+allow  /usr/share/audio-recorder
-whitelist /usr/share/gstreamer-1.0
+allow  /usr/share/gstreamer-1.0
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
--- a/etc/profile-a-l/authenticator-rs.profile
+++ b/etc/profile-a-l/authenticator-rs.profile
@ -6,7 +6,7 @@ include authenticator-rs.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.local/share/authenticator-rs
+nodeny  ${HOME}/.local/share/authenticator-rs
 include disable-common.inc
 include disable-devel.inc
@ -18,9 +18,9 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.local/share/authenticator-rs
-whitelist ${HOME}/.local/share/authenticator-rs
+allow  ${HOME}/.local/share/authenticator-rs
-whitelist ${DOWNLOADS}
+allow  ${DOWNLOADS}
-whitelist /usr/share/uk.co.grumlimited.authenticator-rs
+allow  /usr/share/uk.co.grumlimited.authenticator-rs
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
--- a/etc/profile-a-l/authenticator.profile
+++ b/etc/profile-a-l/authenticator.profile
@ -6,8 +6,8 @@ include authenticator.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cache/Authenticator
+nodeny  ${HOME}/.cache/Authenticator
-noblacklist ${HOME}/.config/Authenticator
+nodeny  ${HOME}/.config/Authenticator
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
--- a/etc/profile-a-l/autokey-common.profile
+++ b/etc/profile-a-l/autokey-common.profile
@ -7,8 +7,8 @@ include autokey-common.local
 # added by caller profile
 #include globals.local
-noblacklist ${HOME}/.config/autokey
+nodeny  ${HOME}/.config/autokey
-noblacklist ${HOME}/.local/share/autokey
+nodeny  ${HOME}/.local/share/autokey
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
--- a/etc/profile-a-l/avidemux.profile
+++ b/etc/profile-a-l/avidemux.profile
@ -5,9 +5,9 @@ include avidemux.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.avidemux6
+nodeny  ${HOME}/.avidemux6
-noblacklist ${HOME}/.config/avidemux3_qt5rc
+nodeny  ${HOME}/.config/avidemux3_qt5rc
-noblacklist ${VIDEOS}
+nodeny  ${VIDEOS}
 include disable-common.inc
 include disable-devel.inc
@ -20,9 +20,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.avidemux6
 mkdir ${HOME}/.config/avidemux3_qt5rc
-whitelist ${HOME}/.avidemux6
+allow  ${HOME}/.avidemux6
-whitelist ${HOME}/.config/avidemux3_qt5rc
+allow  ${HOME}/.config/avidemux3_qt5rc
-whitelist ${VIDEOS}
+allow  ${VIDEOS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
--- a/etc/profile-a-l/aweather.profile
+++ b/etc/profile-a-l/aweather.profile
@ -6,7 +6,7 @@ include aweather.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/aweather
+nodeny  ${HOME}/.config/aweather
 include disable-common.inc
 include disable-devel.inc
@ -16,7 +16,7 @@ include disable-programs.inc
 include disable-shell.inc
 mkdir ${HOME}/.config/aweather
-whitelist ${HOME}/.config/aweather
+allow  ${HOME}/.config/aweather
 include whitelist-common.inc
 include whitelist-var-common.inc
--- a/etc/profile-a-l/awesome.profile
+++ b/etc/profile-a-l/awesome.profile
@ -7,7 +7,7 @@ include awesome.local
 include globals.local
 # all applications started in awesome will run in this profile
-noblacklist ${HOME}/.config/awesome
+nodeny  ${HOME}/.config/awesome
 include disable-common.inc
 caps.drop all
--- a/etc/profile-a-l/ballbuster.profile
+++ b/etc/profile-a-l/ballbuster.profile
@ -6,7 +6,7 @@ include ballbuster.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.ballbuster.hs
+nodeny  ${HOME}/.ballbuster.hs
 include disable-common.inc
 include disable-devel.inc
@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkfile ${HOME}/.ballbuster.hs
-whitelist ${HOME}/.ballbuster.hs
+allow  ${HOME}/.ballbuster.hs
-whitelist /usr/share/ballbuster
+allow  /usr/share/ballbuster
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
--- a/etc/profile-a-l/baloo_file.profile
+++ b/etc/profile-a-l/baloo_file.profile
@ -12,12 +12,12 @@ include globals.local
 # read-write ${HOME}/.local/share/baloo
 # ignore read-write
-noblacklist ${HOME}/.config/baloofilerc
+nodeny  ${HOME}/.config/baloofilerc
-noblacklist ${HOME}/.kde/share/config/baloofilerc
+nodeny  ${HOME}/.kde/share/config/baloofilerc
-noblacklist ${HOME}/.kde/share/config/baloorc
+nodeny  ${HOME}/.kde/share/config/baloorc
-noblacklist ${HOME}/.kde4/share/config/baloofilerc
+nodeny  ${HOME}/.kde4/share/config/baloofilerc
-noblacklist ${HOME}/.kde4/share/config/baloorc
+nodeny  ${HOME}/.kde4/share/config/baloorc
-noblacklist ${HOME}/.local/share/baloo
+nodeny  ${HOME}/.local/share/baloo
 include disable-common.inc
 include disable-devel.inc
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@ -6,13 +6,13 @@ include balsa.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.balsa
+nodeny  ${HOME}/.balsa
-noblacklist ${HOME}/.gnupg
+nodeny  ${HOME}/.gnupg
-noblacklist ${HOME}/.mozilla
+nodeny  ${HOME}/.mozilla
-noblacklist ${HOME}/.signature
+nodeny  ${HOME}/.signature
-noblacklist ${HOME}/mail
+nodeny  ${HOME}/mail
-noblacklist /var/mail
+nodeny  /var/mail
-noblacklist /var/spool/mail
+nodeny  /var/spool/mail
 include disable-common.inc
 include disable-devel.inc
@ -27,17 +27,17 @@ mkdir ${HOME}/.balsa
 mkdir ${HOME}/.gnupg
 mkfile ${HOME}/.signature
 mkdir ${HOME}/mail
-whitelist ${HOME}/.balsa
+allow  ${HOME}/.balsa
-whitelist ${HOME}/.gnupg
+allow  ${HOME}/.gnupg
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
+allow  ${HOME}/.mozilla/firefox/profiles.ini
-whitelist ${HOME}/.signature
+allow  ${HOME}/.signature
-whitelist ${HOME}/mail
+allow  ${HOME}/mail
-whitelist ${RUNUSER}/gnupg
+allow  ${RUNUSER}/gnupg
-whitelist /usr/share/balsa
+allow  /usr/share/balsa
-whitelist /usr/share/gnupg
+allow  /usr/share/gnupg
-whitelist /usr/share/gnupg2
+allow  /usr/share/gnupg2
-whitelist /var/mail
+allow  /var/mail
-whitelist /var/spool/mail
+allow  /var/spool/mail
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
--- a/etc/profile-a-l/barrier.profile
+++ b/etc/profile-a-l/barrier.profile
@ -6,9 +6,9 @@ include barrier.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/Debauchee/Barrier.conf
+nodeny  ${HOME}/.config/Debauchee/Barrier.conf
-noblacklist ${HOME}/.local/share/barrier
+nodeny  ${HOME}/.local/share/barrier
-noblacklist ${PATH}/openssl
+nodeny  ${PATH}/openssl
 include disable-common.inc
 include disable-devel.inc
--- a/etc/profile-a-l/basilisk.profile
+++ b/etc/profile-a-l/basilisk.profile
@ -5,13 +5,13 @@ include basilisk.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cache/moonchild productions/basilisk
+nodeny  ${HOME}/.cache/moonchild productions/basilisk
-noblacklist ${HOME}/.moonchild productions/basilisk
+nodeny  ${HOME}/.moonchild productions/basilisk
 mkdir ${HOME}/.cache/moonchild productions/basilisk
 mkdir ${HOME}/.moonchild productions
-whitelist ${HOME}/.cache/moonchild productions/basilisk
+allow  ${HOME}/.cache/moonchild productions/basilisk
-whitelist ${HOME}/.moonchild productions
+allow  ${HOME}/.moonchild productions
 # Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
 seccomp
--- a/etc/profile-a-l/bcompare.profile
+++ b/etc/profile-a-l/bcompare.profile
@ -7,10 +7,10 @@ include bcompare.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/bcompare
+nodeny  ${HOME}/.config/bcompare
 # In case the user decides to include disable-programs.inc, still allow
 # KDE's Gwenview to view images via right click -> Open With -> Associated Application
-noblacklist ${HOME}/.config/gwenviewrc
+nodeny  ${HOME}/.config/gwenviewrc
 # Add the next line to your bcompare.local if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
--- a/etc/profile-a-l/beaker.profile
+++ b/etc/profile-a-l/beaker.profile
@ -19,10 +19,10 @@ ignore private-cache
 ignore private-dev
 ignore private-tmp
-noblacklist ${HOME}/.config/Beaker Browser
+nodeny  ${HOME}/.config/Beaker Browser
 mkdir ${HOME}/.config/Beaker Browser
-whitelist ${HOME}/.config/Beaker Browser
+allow  ${HOME}/.config/Beaker Browser
 # Redirect
 include electron.profile
--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@ -6,11 +6,11 @@ include bibletime.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.bibletime
+nodeny  ${HOME}/.bibletime
-noblacklist ${HOME}/.sword
+nodeny  ${HOME}/.sword
-noblacklist ${HOME}/.local/share/bibletime
+nodeny  ${HOME}/.local/share/bibletime
-blacklist ${HOME}/.bashrc
+deny  ${HOME}/.bashrc
 include disable-common.inc
 include disable-devel.inc
@ -22,12 +22,12 @@ include disable-programs.inc
 mkdir ${HOME}/.bibletime
 mkdir ${HOME}/.sword
 mkdir ${HOME}/.local/share/bibletime
-whitelist ${HOME}/.bibletime
+allow  ${HOME}/.bibletime
-whitelist ${HOME}/.sword
+allow  ${HOME}/.sword
-whitelist ${HOME}/.local/share/bibletime
+allow  ${HOME}/.local/share/bibletime
-whitelist /usr/share/bibletime
+allow  /usr/share/bibletime
-whitelist /usr/share/doc/bibletime
+allow  /usr/share/doc/bibletime
-whitelist /usr/share/sword
+allow  /usr/share/sword
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@ -6,7 +6,7 @@ include bijiben.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.local/share/bijiben
+nodeny  ${HOME}/.local/share/bijiben
 include disable-common.inc
 include disable-devel.inc
@ -18,12 +18,12 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.local/share/bijiben
-whitelist ${HOME}/.local/share/bijiben
+allow  ${HOME}/.local/share/bijiben
-whitelist ${HOME}/.cache/tracker
+allow  ${HOME}/.cache/tracker
-whitelist /usr/libexec/webkit2gtk-4.0
+allow  /usr/libexec/webkit2gtk-4.0
-whitelist /usr/share/bijiben
+allow  /usr/share/bijiben
-whitelist /usr/share/tracker
+allow  /usr/share/tracker
-whitelist /usr/share/tracker3
+allow  /usr/share/tracker3
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
--- a/etc/profile-a-l/bitcoin-qt.profile
+++ b/etc/profile-a-l/bitcoin-qt.profile
@ -6,8 +6,8 @@ include bitcoin-qt.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.bitcoin
+nodeny  ${HOME}/.bitcoin
-noblacklist ${HOME}/.config/Bitcoin
+nodeny  ${HOME}/.config/Bitcoin
 include disable-common.inc
 include disable-devel.inc
@ -19,8 +19,8 @@ include disable-shell.inc
 mkdir ${HOME}/.bitcoin
 mkdir ${HOME}/.config/Bitcoin
-whitelist ${HOME}/.bitcoin
+allow  ${HOME}/.bitcoin
-whitelist ${HOME}/.config/Bitcoin
+allow  ${HOME}/.config/Bitcoin
 include whitelist-common.inc
 include whitelist-var-common.inc
--- a/etc/profile-a-l/bitlbee.profile
+++ b/etc/profile-a-l/bitlbee.profile
@ -8,8 +8,8 @@ include globals.local
 ignore noexec ${HOME}
-noblacklist /sbin
+nodeny  /sbin
-noblacklist /usr/sbin
+nodeny  /usr/sbin
 # noblacklist /var/log
 include disable-common.inc
--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@ -11,12 +11,12 @@ ignore include whitelist-usr-share-common.inc
 ignore noexec /tmp
-noblacklist ${HOME}/.config/Bitwarden
+nodeny  ${HOME}/.config/Bitwarden
 include disable-shell.inc
 mkdir ${HOME}/.config/Bitwarden
-whitelist ${HOME}/.config/Bitwarden
+allow  ${HOME}/.config/Bitwarden
 machine-id
 no3d
--- a/etc/profile-a-l/blackbox.profile
+++ b/etc/profile-a-l/blackbox.profile
@ -7,7 +7,7 @@ include blackbox.local
 include globals.local
 # all applications started in blackbox will run in this profile
-noblacklist ${HOME}/.blackbox
+nodeny  ${HOME}/.blackbox
 include disable-common.inc
 caps.drop all
--- a/etc/profile-a-l/blender.profile
+++ b/etc/profile-a-l/blender.profile
@ -6,7 +6,7 @@ include blender.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/blender
+nodeny  ${HOME}/.config/blender
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@ -20,8 +20,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 # Allow usage of AMD GPU by OpenCL
-noblacklist /sys/module
+nodeny  /sys/module
-whitelist /sys/module/amdgpu
+allow  /sys/module/amdgpu
 read-only /sys/module/amdgpu
 caps.drop all
--- a/etc/profile-a-l/bless.profile
+++ b/etc/profile-a-l/bless.profile
@ -6,7 +6,7 @@ include bless.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/bless
+nodeny  ${HOME}/.config/bless
 include disable-common.inc
 include disable-devel.inc
--- a/etc/profile-a-l/blobby.profile
+++ b/etc/profile-a-l/blobby.profile
@ -4,7 +4,7 @@ include blobby.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.blobby
+nodeny  ${HOME}/.blobby
 include disable-common.inc
 include disable-devel.inc
@ -16,9 +16,9 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.blobby
-whitelist ${HOME}/.blobby
+allow  ${HOME}/.blobby
 include whitelist-common.inc
-whitelist /usr/share/blobby
+allow  /usr/share/blobby
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
--- a/etc/profile-a-l/blobwars.profile
+++ b/etc/profile-a-l/blobwars.profile
@ -6,7 +6,7 @@ include blobwars.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.parallelrealities/blobwars
+nodeny  ${HOME}/.parallelrealities/blobwars
 include disable-common.inc
 include disable-devel.inc
@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.parallelrealities/blobwars
-whitelist ${HOME}/.parallelrealities/blobwars
+allow  ${HOME}/.parallelrealities/blobwars
-whitelist /usr/share/blobwars
+allow  /usr/share/blobwars
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
--- a/etc/profile-a-l/bnox.profile
+++ b/etc/profile-a-l/bnox.profile
@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
-noblacklist ${HOME}/.cache/bnox
+nodeny  ${HOME}/.cache/bnox
-noblacklist ${HOME}/.config/bnox
+nodeny  ${HOME}/.config/bnox
 mkdir ${HOME}/.cache/bnox
 mkdir ${HOME}/.config/bnox
-whitelist ${HOME}/.cache/bnox
+allow  ${HOME}/.cache/bnox
-whitelist ${HOME}/.config/bnox
+allow  ${HOME}/.config/bnox
 # Redirect
 include chromium-common.profile
--- a/etc/profile-a-l/brackets.profile
+++ b/etc/profile-a-l/brackets.profile
@ -5,7 +5,7 @@ include brackets.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/Brackets
+nodeny  ${HOME}/.config/Brackets
 #noblacklist /opt/brackets
 #noblacklist /opt/google
--- a/etc/profile-a-l/brasero.profile
+++ b/etc/profile-a-l/brasero.profile
@ -6,7 +6,7 @@ include brasero.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/brasero
+nodeny  ${HOME}/.config/brasero
 include disable-common.inc
 include disable-devel.inc
--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
@ -14,24 +14,24 @@ ignore noexec /tmp
 # Alternatively you can add 'ignore apparmor' to your brave.local.
 ignore noexec ${HOME}
-noblacklist ${HOME}/.cache/BraveSoftware
+nodeny  ${HOME}/.cache/BraveSoftware
-noblacklist ${HOME}/.config/BraveSoftware
+nodeny  ${HOME}/.config/BraveSoftware
-noblacklist ${HOME}/.config/brave
+nodeny  ${HOME}/.config/brave
-noblacklist ${HOME}/.config/brave-flags.conf
+nodeny  ${HOME}/.config/brave-flags.conf
 # brave uses gpg for built-in password manager
-noblacklist ${HOME}/.gnupg
+nodeny  ${HOME}/.gnupg
 mkdir ${HOME}/.cache/BraveSoftware
 mkdir ${HOME}/.config/BraveSoftware
 mkdir ${HOME}/.config/brave
-whitelist ${HOME}/.cache/BraveSoftware
+allow  ${HOME}/.cache/BraveSoftware
-whitelist ${HOME}/.config/BraveSoftware
+allow  ${HOME}/.config/BraveSoftware
-whitelist ${HOME}/.config/brave
+allow  ${HOME}/.config/brave
-whitelist ${HOME}/.config/brave-flags.conf
+allow  ${HOME}/.config/brave-flags.conf
-whitelist ${HOME}/.gnupg
+allow  ${HOME}/.gnupg
 # Brave sandbox needs read access to /proc/config.gz
-noblacklist /proc/config.gz
+nodeny  /proc/config.gz
 # Redirect
 include chromium-common.profile
--- a/etc/profile-a-l/bzflag.profile
+++ b/etc/profile-a-l/bzflag.profile
@ -6,7 +6,7 @@ include bzflag.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.bzf
+nodeny  ${HOME}/.bzf
 include disable-common.inc
 include disable-devel.inc
@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 mkdir ${HOME}/.bzf
-whitelist ${HOME}/.bzf
+allow  ${HOME}/.bzf
 include whitelist-common.inc
 include whitelist-var-common.inc
--- a/etc/profile-a-l/calibre.profile
+++ b/etc/profile-a-l/calibre.profile
@ -6,9 +6,9 @@ include calibre.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.cache/calibre
+nodeny  ${HOME}/.cache/calibre
-noblacklist ${HOME}/.config/calibre
+nodeny  ${HOME}/.config/calibre
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
--- a/etc/profile-a-l/calligra.profile
+++ b/etc/profile-a-l/calligra.profile
@ -6,7 +6,7 @@ include calligra.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.local/share/kxmlgui5/calligra
+nodeny  ${HOME}/.local/share/kxmlgui5/calligra
 include disable-common.inc
 include disable-devel.inc
--- a/etc/profile-a-l/calligragemini.profile
+++ b/etc/profile-a-l/calligragemini.profile
@ -6,7 +6,7 @@ include calligragemini.local
 # added by included profile
 #include globals.local
-noblacklist ${HOME}/.local/share/calligragemini
+nodeny  ${HOME}/.local/share/calligragemini
 # Redirect
 include calligra.profile
--- a/etc/profile-a-l/calligraplan.profile
+++ b/etc/profile-a-l/calligraplan.profile
@ -6,7 +6,7 @@ include calligraplan.local
 # added by included profile
 #include globals.local
-noblacklist ${HOME}/.local/share/kxmlgui5/calligraplan
+nodeny  ${HOME}/.local/share/kxmlgui5/calligraplan
 # Redirect
 include calligra.profile
--- a/etc/profile-a-l/calligraplanwork.profile
+++ b/etc/profile-a-l/calligraplanwork.profile
@ -6,7 +6,7 @@ include calligraplanwork.local
 # added by included profile
 #include globals.local
-noblacklist ${HOME}/.local/share/kxmlgui5/calligraplanwork
+nodeny  ${HOME}/.local/share/kxmlgui5/calligraplanwork
 # Redirect
 include calligra.profile
--- a/etc/profile-a-l/calligrasheets.profile
+++ b/etc/profile-a-l/calligrasheets.profile
@ -6,7 +6,7 @@ include calligrasheets.local
 # added by included profile
 #include globals.local
-noblacklist ${HOME}/.local/share/kxmlgui5/calligrasheets
+nodeny  ${HOME}/.local/share/kxmlgui5/calligrasheets
 # Redirect
 include calligra.profile
--- a/etc/profile-a-l/calligrastage.profile
+++ b/etc/profile-a-l/calligrastage.profile
@ -6,7 +6,7 @@ include calligrastage.local
 # added by included profile
 #include globals.local
-noblacklist ${HOME}/.local/share/kxmlgui5/calligrastage
+nodeny  ${HOME}/.local/share/kxmlgui5/calligrastage
 # Redirect
 include calligra.profile
--- a/etc/profile-a-l/calligrawords.profile
+++ b/etc/profile-a-l/calligrawords.profile
@ -6,7 +6,7 @@ include calligrawords.local
 # added by included profile
 #include globals.local
-noblacklist ${HOME}/.local/share/kxmlgui5/calligrawords
+nodeny  ${HOME}/.local/share/kxmlgui5/calligrawords
 # Redirect
 include calligra.profile
--- a/Show more
+++ b/Show more