diff --git a/profiles/apparmor.d/abstractions/private-files b/profiles/apparmor.d/abstractions/private-files
index b1c348f4c..8bd096a96 100644
--- a/profiles/apparmor.d/abstractions/private-files
+++ b/profiles/apparmor.d/abstractions/private-files
@@ -13,14 +13,14 @@
   deny @{HOME}/.*.bak mrwkl,
 
   # special attention to (potentially) executable files
-  audit deny @{HOME}/bin/** wl,
-  audit deny @{HOME}/.config/autostart/** wl,
-  audit deny @{HOME}/.config/upstart/** wl,
-  audit deny @{HOME}/.init/** wl,
-  audit deny @{HOME}/.kde{,4}/Autostart/** wl,
-  audit deny @{HOME}/.kde{,4}/env/** wl,
-  audit deny @{HOME}/.local/share/thumbnailers/** wl,
-  audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,
+  audit deny @{HOME}/bin/{,**} wl,
+  audit deny @{HOME}/.config/autostart/{,**} wl,
+  audit deny @{HOME}/.config/upstart/{,**} wl,
+  audit deny @{HOME}/.init/{,**} wl,
+  audit deny @{HOME}/.kde{,4}/Autostart/{,**} wl,
+  audit deny @{HOME}/.kde{,4}/env/{,**} wl,
+  audit deny @{HOME}/.local/share/thumbnailers/{,**} wl,
+  audit deny @{HOME}/.pki/{,nssdb}/{,*.so{,.[0-9]*}} wl,
 
   # don't allow reading/updating of run control files
   deny @{HOME}/.*rc mrk,