diff --git a/profiles/apparmor.d/abstractions/ldapclient b/profiles/apparmor.d/abstractions/ldapclient
index e3922ca6b..0c527282f 100644
--- a/profiles/apparmor.d/abstractions/ldapclient
+++ b/profiles/apparmor.d/abstractions/ldapclient
@@ -18,4 +18,7 @@
   /etc/sasl2/* r,
   /usr/lib{,32,64}/sasl2/* r,
+  # local LDAP name service daemon
+  /{,var/}run/nslcd/socket rw,
+
   #include
diff --git a/profiles/apparmor/profiles/extras/sbin.rpc.statd b/profiles/apparmor/profiles/extras/sbin.rpc.statd
index 82298e466..7a602abc0 100644
--- a/profiles/apparmor/profiles/extras/sbin.rpc.statd
+++ b/profiles/apparmor/profiles/extras/sbin.rpc.statd
@@ -13,17 +13,38 @@
 profile rpc.statd /{usr/,}sbin/rpc.statd {
   #include
   #include
+
+  # needed to sanely drop privileges
+  capability setgid,
+  capability setuid,
+
+  # changes ownership of pidfile
+  capability chown,
+
+  # not sure why this is needed
+  capability setpcap,
+
+  owner @{PROC}/@{pid}/fd/ r,
+  @{PROC}/fs/lockd/nlm_end_grace w,
+  @{PROC}/sys/fs/nfs/** r,
+  @{PROC}/sys/fs/nfs/nsm_local_state w,
+
+  /etc/netconfig r,
   /etc/rpc r,
-  /{usr/,}sbin/rpc.statd rmix,
-  /sm rw,
-  /sm.bak rw,
-  /state rw,
+  /{usr/,}sbin/rpc.statd mrix,
+  /{usr/,}sbin/sm-notify mrix,
+  /var/lib/nfs/sm/ r,
   /var/lib/nfs/sm/* rw,
-  /var/lib/nfs/statd rw,
-  /var/lib/nfs/statd/sm r,
+  /var/lib/nfs/sm.bak/ r,
+  /var/lib/nfs/statd/ rw,
+  /var/lib/nfs/statd/sm/ r,
   /var/lib/nfs/statd/sm/* rwl,
   /var/lib/nfs/statd/state rw,
-  /var/lib/nfs/statd/sm.bak r,
+  /var/lib/nfs/statd/sm.bak/ r,
   /var/lib/nfs/statd/sm.bak/* rwl,
-  /{,var/}run/rpc.statd.pid w,
+  /var/lib/nfs/state rwk,
+  /var/lib/nfs/state.new rwl,
+  /{,var/}run/rpc.statd.pid w,
+  /{,var/}run/rpcbind.sock rw,
+  /{,var/}run/sm-notify.pid w,
 }
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.in.fingerd b/profiles/apparmor/profiles/extras/usr.sbin.in.fingerd
index 5f18bd06b..60674dd5c 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.in.fingerd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.in.fingerd
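Review bot: `capability setpcap,` in the rpc.statd hunk is granted under the comment `# not sure why this is needed`, so a capability that lets the daemon change its own capability sets stays in the profile on guesswork. A likely cause is that rpc.statd, or sm-notify (which now runs under this same profile via `mrix`), drops entries from its capability bounding set with prctl(PR_CAPBSET_DROP), which the kernel only allows with CAP_SETPCAP; that should be confirmed against the nfs-utils source or the original audit denial rather than assumed. If that is the reason, replace the comment with `# rpc.statd/sm-notify drop capability bounding-set entries; prctl(PR_CAPBSET_DROP) needs CAP_SETPCAP`, and if it is not, the capability line should be removed rather than carried with an unknown justification.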
@@ -19,5 +19,5 @@
   /usr/bin/finger mix,
   /var/log/lastlog r,
-  /{,var/}run/utmp r,
+  /{,var/}run/utmp rk,
 }
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.lighttpd b/profiles/apparmor/profiles/extras/usr.sbin.lighttpd
index 7fa27e249..e89e78cb1 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.lighttpd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.lighttpd
@@ -14,6 +14,7 @@
 /usr/sbin/lighttpd {
   #include
   #include
+  #include
   #include
   # needed to change max file descriptors
@@ -26,6 +27,8 @@
   capability setgid,
   capability setuid,
+  @{PROC}/loadavg r,
+
   /etc/lighttpd r,
   /etc/lighttpd/*.conf r,
   /etc/lighttpd/conf.d/*.conf r,
@@ -50,7 +53,17 @@
   /var/log/lighttpd/*.log rw,
   # include_shell
   /{usr/,}bin/bash mix,
+  /{usr/,}bin/dash mix,
   /{usr/,}bin/zsh mix,
   /{usr/,}bin/cat mix,
+
+  # Debian/Ubuntu integration in default installation
+  /etc/mime.types r,
+  /usr/share/lighttpd/ r,
+  /usr/share/lighttpd/*.pl mrix,
+  /etc/lighttpd/conf-available/ r,
+  /etc/lighttpd/conf-available/*.conf r,
+  /etc/lighttpd/conf-enabled/ r,
+  /etc/lighttpd/conf-enabled/*.conf r,
 }
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.sshd b/profiles/apparmor/profiles/extras/usr.sbin.sshd
index a4863e0da..c24b29b3e 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
@@ -129,6 +129,7 @@
   /etc.legal r,
   /etc/motd r,
   /{,var/}run/motd{,.dynamic}{,.new} rw,
+  /tmp/krb5cc* wk,
   /tmp/ssh-[a-zA-Z0-9]*/ w,
   /tmp/ssh-[a-zA-Z0-9]*/agent.[0-9]* wl,
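Review bot: The four `conf-available`/`conf-enabled` rules at the end of the new Debian/Ubuntu block in the lighttpd `@@ -50,7 +53,17 @@` hunk can be collapsed into two, `/etc/lighttpd/conf-{available,enabled}/ r,` and `/etc/lighttpd/conf-{available,enabled}/*.conf r,`, using the same brace alternation the hunk already relies on for `/{usr/,}bin/dash mix,`. Separately, `/usr/share/lighttpd/*.pl mrix,` covers only the script files; with `ix` they run inside this profile, so the perl interpreter and its library paths must already be permitted by the profile or by the `#include` added in the first hunk, whose target is not readable on this page. Once that is confirmed, a comment such as `# helper scripts run under this profile (ix); perl itself is allowed via the included abstraction` above the `*.pl` rule would record the dependency.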
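Review bot: The new `/tmp/krb5cc* wk,` rule in the sshd hunk is the only line in that stretch without a comment saying what the file is, and it grants write and lock on every `krb5cc*` entry in /tmp regardless of who owns it. Presumably this is the Kerberos credential cache sshd creates for GSSAPI-authenticated logins; if sshd only creates the cache and then hands it to the user, an `owner` qualifier would narrow the rule, but that should be checked against the audit denial that motivated the line before tightening. At minimum, add `# Kerberos credential cache created for GSSAPI logins` above the rule so the next reviewer does not have to guess.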