diff --git a/rspamd.changes b/rspamd.changes
index 6720344..5e06c8e 100644
--- a/rspamd.changes
+++ b/rspamd.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Fri Oct  9 17:51:10 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
+
+- fix apparmor profile
+  - allow reading the webapp dir to make the builtin webserver work
+  - modernize the profile to use a short profile name
+  - remove php abstraction, replaced with rule to read the icu data
+    files
+  - remove all file rules that are covered by the base and
+    nameservice abstraction
+  - allow include (with "if exists) for local/rspamd and
+    local/usr.bin.rspamd (for backrwards compat)
+
 -------------------------------------------------------------------
 Mon Oct  5 10:42:14 UTC 2020 - Bernhard Wiedemann <bwiedemann@suse.com>
 
diff --git a/usr.bin.rspamd b/usr.bin.rspamd
index 41a0306..aa65088 100644
--- a/usr.bin.rspamd
+++ b/usr.bin.rspamd
@@ -3,31 +3,33 @@
 
 # based on https://github.com/progmaticltd/homebox/blob/master/install/playbooks/roles/rspamd/templates/apparmor.d/usr.bin.rspamd
 
-
-/usr/bin/rspamd {
+profile rspamd /usr/bin/rspamd {
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/openssl>
-  #include <abstractions/php>
-  #include <local/usr.bin.rspamd>
+  #include <abstractions/ssl_certs>
 
-  /dev/shm/rhm.* rw,
-  /etc/gai.conf r,
-  /etc/host.conf r,
-  /etc/hosts r,
-  /etc/magic r,
-  /etc/nsswitch.conf r,
-  /etc/resolv.conf r,
-  /etc/rspamd/** r,
-  /lib/x86_64-linux-gnu/ld-*.so mr,
-  /proc/sys/kernel/random/uuid r,
   /usr/bin/rspamd mr,
+
+  /etc/rspamd/** r,
+
+  /srv/www/webapps/rspamd/ r,
+  /srv/www/webapps/rspamd/** r,
   /usr/share/rspamd/ r,
   /usr/share/rspamd/** r,
-  /var/cache/nscd/hosts r,
+
   /var/lib/rspamd/ r,
   /var/lib/rspamd/** rwk,
+
   /var/log/rspamd/rspamd.log* rwk,
   /{var/,}run/rspamd/* rwk,
 
-}
+  /dev/shm/rhm.* rw,
+  /etc/magic r,
+  /proc/sys/kernel/random/uuid r,
+
+  /usr/share/icu/*/icu*.dat r,
+
+  #include if exists <local/usr.bin.rspamd>
+  #include if exists <local/rspamd>
+}
\ No newline at end of file