diff --git a/profiles/apparmor.d/abstractions/hosts_access b/profiles/apparmor.d/abstractions/hosts_access
new file mode 100644
index 000000000..e5ea88c11
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/hosts_access
@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi ,
+
+ /etc/hosts.deny r,
+ /etc/hosts.allow r,
+
+ include if exists
diff --git a/profiles/apparmor.d/sbin.syslog-ng b/profiles/apparmor.d/sbin.syslog-ng
index 6f8a19fbd..26e1234cf 100644
--- a/profiles/apparmor.d/sbin.syslog-ng
+++ b/profiles/apparmor.d/sbin.syslog-ng
@@ -24,6 +24,7 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
 include
 include
 include
+ include
 capability chown,
 capability dac_override,
@@ -47,8 +48,6 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
 /etc/syslog-ng/conf.d/ r,
 /etc/syslog-ng/conf.d/* r,
 @{PROC}/kmsg r,
- /etc/hosts.deny r,
- /etc/hosts.allow r,
 /{usr/,}{bin,sbin}/syslog-ng mr,
 @{sys}/devices/system/cpu/online r,
 /usr/share/syslog-ng/** r,
diff --git a/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda b/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
index 700e20fcd..c9d3fe4b1 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
+++ b/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
@@ -48,14 +48,13 @@ profile dovecot-dovecot-lda /usr/lib/dovecot/dovecot-lda flags=(attach_disconnec
 include
 include
 include
+ include
 capability sys_ptrace,
 /etc/aliases rw, # newaliases is a symlink to sendmail, so it's
 /etc/aliases.db rw, # actually the same binary
 /etc/fstab r,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
 /etc/mail/* r,
 /etc/mail/statistics rw,
 /etc/mtab r,
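Review bot: The new abstraction carries no comment saying what it is for — the file is only the license header, the `abi` line, two read rules and the local-override hook — and a one-line description such as `# Read access to the TCP Wrappers (libwrap) host access control files` above the `abi` line would make the intent obvious to the profiles that pull it in. The targets of the `abi` and `include if exists` lines are not visible in this rendering; I take them to be `<abi/3.0>` and `<local/abstractions/hosts_access>`, the usual pair for an abstraction with a local override hook, so please confirm. Since the abstraction grants read access only, the comment could also state that `spawn`/`twist` entries in hosts.allow (where libwrap is built with hosts_options(5)) remain subject to the including profile's own exec rules, which is the intended default.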
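Review bot: The target of the added `include` line is not visible in this rendering, and the removed `/etc/hosts.deny r,` and `/etc/hosts.allow r,` rules are only preserved if it reads `include <abstractions/hosts_access>`, the file created in this commit; a typo there would silently drop read access to the TCP Wrappers files and surface only as a runtime denial. For syslog-ng the removal sits in the second hunk of the same file (`@@ -47,8 +48,6 @@`), so the two hunks must land together, and the same add-include/remove-rules pattern repeats in the dovecot-lda, portmap, cupsd, dhcpd, mysqld, sendmail, sendmail.sendmail, sshd, vsftpd and xinetd hunks. In each of these the enclosing profile block begins before the hunk and closes after it, so the hunks alone do not show that the include and the removed rules are in the same profile scope; a look at the full files confirms that. Loading the rebuilt profiles on a host that actually uses hosts.allow/hosts.deny and checking the audit log for new denials on those paths is the cheapest end-to-end confirmation.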
diff --git a/profiles/apparmor/profiles/extras/sbin.portmap b/profiles/apparmor/profiles/extras/sbin.portmap
index 3ffb56819..0d5b23936 100644
--- a/profiles/apparmor/profiles/extras/sbin.portmap
+++ b/profiles/apparmor/profiles/extras/sbin.portmap
@@ -15,13 +15,12 @@ include
 profile portmap /{usr/,}sbin/portmap {
 include
 include
+ include
 capability net_bind_service,
 capability setuid,
 capability setgid,
 /etc/bindresvport.blacklist r,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
 /{usr/,}sbin/portmap rmix,
 }
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.cupsd b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
index e381e0169..24f521e00 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.cupsd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
@@ -9,6 +9,7 @@ include
 include
 include
 include
+ include
 capability chown,
 capability dac_override,
@@ -44,8 +45,6 @@ include
 /etc/cups/printcap rw,
 /etc/cups/ssl rw,
 /etc/cups/yes/* rw,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
 @{PROC}/meminfo r,
 @{PROC}/sys/dev/parport/** r,
 /sys/class/usb r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.dhcpd b/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
index 13f210a5d..098d78f93 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
@@ -15,6 +15,7 @@ include
 /usr/sbin/dhcpd {
 include
 include
+ include
 capability dac_override,
 capability net_bind_service,
@@ -29,8 +30,6 @@ include
 /db/dhcpd.leases* lrw,
 /etc/dhcpd.conf r,
 /etc/named.d/* r,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
 @{PROC}/net/dev r,
 /usr/sbin/dhcpd rmix,
 /var/lib/dhcp/{db/,}dhcpd{6,}.leases* rwl,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.mysqld b/profiles/apparmor/profiles/extras/usr.sbin.mysqld
index cd0801944..8410467b1 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.mysqld
+++ b/profiles/apparmor/profiles/extras/usr.sbin.mysqld
@@ -21,13 +21,12 @@ include
 include
 include
 include
+ include
 capability dac_override,
 capability setgid,
 capability setuid,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
 /etc/my.cnf r,
 /etc/my.cnf.d/ r,
 /etc/my.cnf.d/*.cnf r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.sendmail b/profiles/apparmor/profiles/extras/usr.sbin.sendmail
index f6e57e5cb..f1326d8de 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.sendmail
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sendmail
@@ -22,14 +22,13 @@ include
 include
 include
 include
+ include
 /usr/bin/procmail Px,
 /etc/aliases.db rw,
 /etc/aliases rw,
 /etc/fstab r,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
 /etc/ldap.conf r,
 /etc/mail/* r,
 /etc/mail/statistics rw,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.sendmail.sendmail b/profiles/apparmor/profiles/extras/usr.sbin.sendmail.sendmail
index 85f5dbd1d..4bce297d8 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.sendmail.sendmail
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sendmail.sendmail
@@ -15,13 +15,12 @@ include
 /usr/sbin/sendmail.sendmail {
 include
 include
+ include
 @{PROC}/loadavg r,
 /etc/aliases rw,
 /etc/aliases.db rw,
 /etc/fstab r,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
 /etc/ldap.conf r,
 /etc/mail/statistics rw,
 /etc/mail/* r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.sshd b/profiles/apparmor/profiles/extras/usr.sbin.sshd
index 8a04a5225..98927ddd5 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
@@ -25,6 +25,7 @@ include
 include
 include
 include
+ include
 capability sys_chroot,
 capability sys_resource,
@@ -54,8 +55,6 @@ include
 /dev/urandom r,
 /etc/default/locale r,
 /etc/environment r,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
 /etc/modules.conf r,
 /etc/security/** r,
 /etc/ssh/** r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.vsftpd b/profiles/apparmor/profiles/extras/usr.sbin.vsftpd
index 0027fbae0..7d4862dfb 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.vsftpd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.vsftpd
@@ -17,13 +17,12 @@ include
 include
 include
 include
+ include
 /dev/urandom r,
 /etc/environment r,
 /etc/fstab r,
 /etc/ftpusers r,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
 /etc/mtab r,
 /etc/shells r,
 /etc/vsftpd.* r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.xinetd b/profiles/apparmor/profiles/extras/usr.sbin.xinetd
index 857fcd4e3..d5fb26a37 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.xinetd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.xinetd
@@ -15,13 +15,12 @@ include
 /usr/sbin/xinetd {
 include
 include
+ include
 capability net_bind_service,
 capability setgid,
 capability setuid,
- /etc/hosts.allow r,
- /etc/hosts.deny r,
 /etc/xinetd.conf r,
 /etc/xinetd.d r,
 /etc/xinetd.d/* r,