diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice
index 14f1a6828..18f5b0240 100644
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -2,6 +2,7 @@
 #
 # Copyright (C) 2002-2009 Novell/SUSE
 # Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2011-2024 Christian Boltz
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of version 2 of the GNU General Public
@@ -11,29 +12,11 @@
 abi ,
- # Many programs wish to perform nameservice-like operations, such as
- # looking up users by name or id, groups by name or id, hosts by name
- # or IP, etc. These operations may be performed through files, dns,
- # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
- @{etc_ro}/group r,
- @{etc_ro}/host.conf r,
- @{etc_ro}/hosts r,
- @{etc_ro}/nsswitch.conf r,
- @{etc_ro}/gai.conf r,
- @{etc_ro}/passwd r,
- @{etc_ro}/protocols r,
-
- # On systems with authselect installed, /etc/nsswitch.conf is a symlink to /etc/authselect/nsswitch.conf
- @{etc_ro}/authselect/nsswitch.conf r,
+ include
 # libtirpc (used for NIS/YP login) needs this
 @{etc_ro}/netconfig r,
- # When using libnss-extrausers, the passwd and group files are merged from
- # an alternate path
- /var/lib/extrausers/group r,
- /var/lib/extrausers/passwd r,
-
 # When using sssd, the passwd and group files are stored in an alternate path
 # and the nss plugin also needs to talk to a pipe
 /var/lib/sss/mc/group r,
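Review bot: The plain-file lookup rules removed in this hunk — including the libnss-extrausers entries `/var/lib/extrausers/group r,` and `/var/lib/extrausers/passwd r,` — have only the new `include` line as a visible replacement, and this page does not show the included file (its bracketed name is stripped in the rendering), so whether each removed rule moved or was dropped cannot be confirmed from the diff. The same question applies to the removals in the later hunks: `@{etc_ro}/resolv.conf r,`, the `systemd/resolve` resolv.conf and `stub-resolv.conf` paths, `@{etc_ro}/services r,`, `@{etc_ro}/default/nss r,` and the `#libnss-systemd` include. Any rule the included abstraction does not carry becomes a DENIED lookup for every profile that pulls in nameservice, which is hard to attribute afterwards. A short list in the commit message of what moved and what was dropped on purpose, plus a one-line comment next to the include naming the groups of rules it now provides, would make the split auditable.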
@@ -41,16 +24,13 @@
 /var/lib/sss/mc/passwd r,
 /var/lib/sss/pipes/nss rw,
- @{etc_ro}/resolv.conf r,
 # On systems where /etc/resolv.conf is managed programmatically, it is
 # a symlink to @{run}/(whatever program is managing it)/resolv.conf.
- @{run}/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
+ @{run}/{NetworkManager,connman,netconfig}/resolv.conf r,
 @{etc_ro}/resolvconf/run/resolv.conf r,
- @{run}/systemd/resolve/stub-resolv.conf r,
 /mnt/wsl/resolv.conf r,
 @{etc_ro}/samba/lmhosts r,
- @{etc_ro}/services r,
 # db backend
 /var/lib/misc/*.db r,
 # The Name Service Cache Daemon can cache lookups, sometimes leading
@@ -60,7 +40,7 @@
 /{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r,
 # nscd renames and unlinks files in it's operation that clients will
 # have open
- @{run}/nscd/db* rmix,
+ @{run}/nscd/db* mix,
 # make libnss-libvirt name resolution work.
 /var/lib/libvirt/dnsmasq/ r,
@@ -70,7 +50,6 @@
 # they are available
 /{usr/,}lib{,32,64}/libnss_*.so* mr,
 /{usr/,}lib/@{multiarch}/libnss_*.so* mr,
- @{etc_ro}/default/nss r,
 # avahi-daemon is used for mdns4 resolution
 @{run}/avahi-daemon/socket rw,
@@ -97,9 +76,6 @@
 # kerberos
 include
- #libnss-systemd
- include
-
 # Also allow lookups for systemd-exec's DynamicUsers via D-Bus
 # https://www.freedesktop.org/software/systemd/man/systemd.exec.html
 dbus send
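Review bot: `@{run}/nscd/db* mix,` in the third hunk now grants mmap and inherit-execute on nscd's database files without any read permission in this file, which reads as odd on its own; presumably the `r` for those files now comes from the include added in the first hunk and the permissions accumulate, but nothing on this page shows that. A comment on the line, e.g. `# r for nscd/db* is granted by the included abstraction`, would stop a future reader from re-adding `r` here or deleting the `mix` rule as a leftover. Since `m`/`ix` on a cache daemon's database files is a broad grant for a lookup abstraction, this split is also a good moment to check whether that part is still needed or can be narrowed.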