From 27daa7c9bb75679d651a856c0fbfbedda04feafc Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 9 Jul 2023 14:09:55 +0100
Subject: [PATCH] refactor(profiles): use @{bin} and @{lib} in profiles (3)

---
 apparmor.d/groups/gnome/chrome-gnome-shell    |   4 +-
 .../gnome/evolution-addressbook-factory       |   2 +-
 .../groups/gnome/evolution-alarm-notify       |   2 +-
 .../groups/gnome/evolution-calendar-factory   |   2 +-
 .../groups/gnome/evolution-source-registry    |   2 +-
 apparmor.d/groups/gnome/gdm                   |  16 +--
 apparmor.d/groups/gnome/gdm-runtime-config    |   2 +-
 apparmor.d/groups/gnome/gdm-session-worker    |   8 +-
 apparmor.d/groups/gnome/gdm-wayland-session   |  54 +++----
 apparmor.d/groups/gnome/gdm-x-session         |   6 +-
 apparmor.d/groups/gnome/gdm-xsession          |  56 ++++----
 apparmor.d/groups/gnome/gio-launch-desktop    |   8 +-
 apparmor.d/groups/gnome/gjs-console           |   8 +-
 apparmor.d/groups/gnome/gkbd-keyboard-display |   2 +-
 .../groups/gnome/gnome-browser-connector-host |   8 +-
 .../gnome/gnome-calculator-search-provider    |   2 +-
 apparmor.d/groups/gnome/gnome-calendar        |   2 +-
 apparmor.d/groups/gnome/gnome-characters      |   2 +-
 .../gnome/gnome-characters-backgroudservice   |   2 +-
 apparmor.d/groups/gnome/gnome-contacts        |   2 +-
 .../gnome/gnome-contacts-search-provider      |   2 +-
 apparmor.d/groups/gnome/gnome-control-center  |  40 +++---
 .../gnome/gnome-control-center-goa-helper     |   6 +-
 .../gnome/gnome-control-center-print-renderer |   2 +-
 .../gnome-control-center-search-provider      |   2 +-
 .../groups/gnome/gnome-disk-image-mounter     |   2 +-
 apparmor.d/groups/gnome/gnome-disks           |   6 +-
 apparmor.d/groups/gnome/gnome-extension-ding  |  10 +-
 .../groups/gnome/gnome-extension-manager      |   8 +-
 apparmor.d/groups/gnome/gnome-extensions-app  |   6 +-
 apparmor.d/groups/gnome/gnome-keyring-daemon  |   6 +-
 apparmor.d/groups/gnome/gnome-music           |   8 +-
 .../groups/gnome/gnome-photos-thumbnailer     |   2 +-
 .../groups/gnome/gnome-remote-desktop-daemon  |   2 +-
 apparmor.d/groups/gnome/gnome-session-binary  |  96 ++++++-------
 apparmor.d/groups/gnome/gnome-session-ctl     |   2 +-
 apparmor.d/groups/gnome/gnome-shell           |   8 +-
 .../groups/gnome/gnome-shell-calendar-server  |   2 +-
 .../groups/gnome/gnome-shell-hotplug-sniffer  |   2 +-
 apparmor.d/groups/gnome/gnome-software        |  24 ++--
 apparmor.d/groups/gnome/gnome-system-monitor  |   4 +-
 apparmor.d/groups/gnome/gnome-terminal-server |  16 +--
 apparmor.d/groups/gnome/gnome-tweaks          |  10 +-
 apparmor.d/groups/gnome/goa-daemon            |   2 +-
 apparmor.d/groups/gnome/goa-identity-service  |   2 +-
 apparmor.d/groups/gnome/gsd-a11y-settings     |   2 +-
 apparmor.d/groups/gnome/gsd-color             |   2 +-
 apparmor.d/groups/gnome/gsd-datetime          |   2 +-
 .../groups/gnome/gsd-disk-utility-notify      |   2 +-
 apparmor.d/groups/gnome/gsd-housekeeping      |   2 +-
 apparmor.d/groups/gnome/gsd-keyboard          |   2 +-
 apparmor.d/groups/gnome/gsd-media-keys        |   6 +-
 apparmor.d/groups/gnome/gsd-power             |   2 +-
 .../groups/gnome/gsd-print-notifications      |   4 +-
 apparmor.d/groups/gnome/gsd-printer           |   2 +-
 apparmor.d/groups/gnome/gsd-rfkill            |   2 +-
 apparmor.d/groups/gnome/gsd-screensaver-proxy |   2 +-
 apparmor.d/groups/gnome/gsd-sharing           |   2 +-
 apparmor.d/groups/gnome/gsd-smartcard         |   2 +-
 apparmor.d/groups/gnome/gsd-sound             |   2 +-
 apparmor.d/groups/gnome/gsd-usb-protection    |   2 +-
 apparmor.d/groups/gnome/gsd-wacom             |   2 +-
 apparmor.d/groups/gnome/gsd-xsettings         |  22 +--
 apparmor.d/groups/gnome/kgx                   |  16 +--
 apparmor.d/groups/gnome/mutter-x11-frames     |   2 +-
 apparmor.d/groups/gnome/nautilus              |  18 +--
 apparmor.d/groups/gnome/seahorse              |   8 +-
 apparmor.d/groups/gnome/tracker-extract       |   2 +-
 apparmor.d/groups/gnome/tracker-miner         |   2 +-
 apparmor.d/groups/grub/grub-bios-setup        |   2 +-
 apparmor.d/groups/grub/grub-check-signatures  |   8 +-
 apparmor.d/groups/grub/grub-editenv           |   2 +-
 apparmor.d/groups/grub/grub-file              |   2 +-
 apparmor.d/groups/grub/grub-fstest            |   2 +-
 apparmor.d/groups/grub/grub-glue-efi          |   2 +-
 apparmor.d/groups/grub/grub-install           |  12 +-
 apparmor.d/groups/grub/grub-kbdcomp           |   2 +-
 apparmor.d/groups/grub/grub-macbless          |   2 +-
 apparmor.d/groups/grub/grub-menulst2cfg       |   2 +-
 apparmor.d/groups/grub/grub-mkconfig          |  78 +++++-----
 apparmor.d/groups/grub/grub-mkdevicemap       |   2 +-
 apparmor.d/groups/grub/grub-mkfont            |   2 +-
 apparmor.d/groups/grub/grub-mkimage           |   2 +-
 apparmor.d/groups/grub/grub-mklayout          |   2 +-
 apparmor.d/groups/grub/grub-mknetdir          |   2 +-
 apparmor.d/groups/grub/grub-mkpasswd-pbkdf2   |   2 +-
 apparmor.d/groups/grub/grub-mkrelpath         |   2 +-
 apparmor.d/groups/grub/grub-mkrescue          |   2 +-
 apparmor.d/groups/grub/grub-mkstandalone      |   2 +-
 apparmor.d/groups/grub/grub-mount             |   2 +-
 apparmor.d/groups/grub/grub-multi-install     |  22 +--
 apparmor.d/groups/grub/grub-ntldr-img         |   2 +-
 apparmor.d/groups/grub/grub-probe             |   8 +-
 apparmor.d/groups/grub/grub-reboot            |   2 +-
 apparmor.d/groups/grub/grub-render-label      |   2 +-
 apparmor.d/groups/grub/grub-script-check      |   2 +-
 apparmor.d/groups/grub/grub-set-default       |   2 +-
 apparmor.d/groups/grub/grub-syslinux2cfg      |   2 +-
 apparmor.d/groups/grub/update-grub            |   6 +-
 .../groups/gvfs/gvfs-afc-volume-monitor       |   2 +-
 .../groups/gvfs/gvfs-goa-volume-monitor       |   2 +-
 .../groups/gvfs/gvfs-gphoto2-volume-monitor   |   2 +-
 .../groups/gvfs/gvfs-mtp-volume-monitor       |   2 +-
 .../groups/gvfs/gvfs-udisks2-volume-monitor   |   8 +-
 apparmor.d/groups/gvfs/gvfsd                  |   6 +-
 apparmor.d/groups/gvfs/gvfsd-admin            |   2 +-
 apparmor.d/groups/gvfs/gvfsd-afc              |   2 +-
 apparmor.d/groups/gvfs/gvfsd-afp              |   2 +-
 apparmor.d/groups/gvfs/gvfsd-afp-browse       |   2 +-
 apparmor.d/groups/gvfs/gvfsd-archive          |   2 +-
 apparmor.d/groups/gvfs/gvfsd-burn             |   2 +-
 apparmor.d/groups/gvfs/gvfsd-cdda             |   2 +-
 apparmor.d/groups/gvfs/gvfsd-computer         |   2 +-
 apparmor.d/groups/gvfs/gvfsd-dav              |   2 +-
 apparmor.d/groups/gvfs/gvfsd-dnssd            |   2 +-
 apparmor.d/groups/gvfs/gvfsd-ftp              |   2 +-
 apparmor.d/groups/gvfs/gvfsd-fuse             |   6 +-
 apparmor.d/groups/gvfs/gvfsd-google           |   2 +-
 apparmor.d/groups/gvfs/gvfsd-gphoto2          |   2 +-
 apparmor.d/groups/gvfs/gvfsd-http             |   2 +-
 apparmor.d/groups/gvfs/gvfsd-localtest        |   2 +-
 apparmor.d/groups/gvfs/gvfsd-metadata         |   2 +-
 apparmor.d/groups/gvfs/gvfsd-mtp              |   2 +-
 apparmor.d/groups/gvfs/gvfsd-network          |   2 +-
 apparmor.d/groups/gvfs/gvfsd-nfs              |   2 +-
 apparmor.d/groups/gvfs/gvfsd-recent           |   2 +-
 apparmor.d/groups/gvfs/gvfsd-sftp             |   4 +-
 apparmor.d/groups/gvfs/gvfsd-smb              |   2 +-
 apparmor.d/groups/gvfs/gvfsd-smb-browse       |   2 +-
 apparmor.d/groups/gvfs/gvfsd-trash            |   2 +-
 apparmor.d/groups/kde/baloo                   |   4 +-
 apparmor.d/groups/kde/drkonqi                 |   2 +-
 apparmor.d/groups/kde/gmenudbusmenuproxy      |   2 +-
 apparmor.d/groups/kde/kaccess                 |   4 +-
 apparmor.d/groups/kde/kactivitymanagerd       |   2 +-
 apparmor.d/groups/kde/kalendarac              |   4 +-
 apparmor.d/groups/kde/kauth-backlighthelper   |   2 +-
 .../groups/kde/kauth-chargethresholdhelper    |   2 +-
 apparmor.d/groups/kde/kauth-discretegpuhelper |   2 +-
 apparmor.d/groups/kde/kauth-fontinst          |   2 +-
 apparmor.d/groups/kde/kauth-kded-smart-helper |   4 +-
 .../kde/kauth-kinfocenter-dmidecode-helper    |   4 +-
 apparmor.d/groups/kde/kcminit                 |   4 +-
 apparmor.d/groups/kde/kconf_update            |   2 +-
 apparmor.d/groups/kde/kde-powerdevil          |   4 +-
 apparmor.d/groups/kde/kded5                   |  16 +--
 apparmor.d/groups/kde/kglobalaccel5           |   2 +-
 apparmor.d/groups/kde/kio_http_cache_cleaner  |   2 +-
 apparmor.d/groups/kde/kioslave5               |   8 +-
 apparmor.d/groups/kde/kreadconfig             |   2 +-
 .../groups/kde/kscreen_backend_launcher       |   2 +-
 apparmor.d/groups/kde/kscreenlocker-greet     |  12 +-
 apparmor.d/groups/kde/ksmserver               |  10 +-
 apparmor.d/groups/kde/kwalletd5               |  14 +-
 apparmor.d/groups/kde/kwalletmanager5         |   2 +-
 apparmor.d/groups/kde/kwin_x11                |   8 +-
 apparmor.d/groups/kde/plasma-discover         |  10 +-
 apparmor.d/groups/kde/plasmashell             |  14 +-
 apparmor.d/groups/kde/sddm                    |  56 ++++----
 apparmor.d/groups/kde/sddm-greeter            |   6 +-
 apparmor.d/groups/kde/sddm-xsession           |  56 ++++----
 apparmor.d/groups/kde/startplasma-x11         |  10 +-
 apparmor.d/groups/kde/utempter                |   2 +-
 apparmor.d/groups/kde/xdm-xsession            |  60 ++++----
 apparmor.d/groups/kde/xembedsniproxy          |   2 +-
 apparmor.d/groups/kde/xsettingsd              |   2 +-
 apparmor.d/groups/network/ModemManager        |   2 +-
 apparmor.d/groups/network/NetworkManager      |  32 ++---
 apparmor.d/groups/network/dhcpcd              |  18 +--
 apparmor.d/groups/network/iwctl               |   2 +-
 apparmor.d/groups/network/iwd                 |   2 +-
 apparmor.d/groups/network/mullvad-daemon      |   4 +-
 apparmor.d/groups/network/mullvad-gui         |   6 +-
 apparmor.d/groups/network/networkd-dispatcher |   6 +-
 apparmor.d/groups/network/nm-daemon-helper    |   2 +-
 apparmor.d/groups/network/nm-dhcp-helper      |   2 +-
 apparmor.d/groups/network/nm-dispatcher       |  42 +++---
 apparmor.d/groups/network/nm-iface-helper     |   2 +-
 apparmor.d/groups/network/nm-initrd-generator |   2 +-
 .../groups/network/nm-openvpn-auth-dialog     |   2 +-
 apparmor.d/groups/network/nm-openvpn-service  |  12 +-
 .../network/nm-openvpn-service-openvpn-helper |   2 +-
 apparmor.d/groups/network/nmcli               |   6 +-
 apparmor.d/groups/network/openvpn             |  34 ++---
 apparmor.d/groups/network/tailscale           |   4 +-
 apparmor.d/groups/network/tailscaled          |  12 +-
 apparmor.d/groups/network/wg                  |   2 +-
 apparmor.d/groups/network/wg-quick            |  26 ++--
 apparmor.d/groups/pacman/arch-audit           |   2 +-
 apparmor.d/groups/pacman/archlinux-java       |  20 +--
 .../groups/pacman/archlinux-keyring-wkd-sync  |  14 +-
 apparmor.d/groups/pacman/aurpublish           |  36 ++---
 apparmor.d/groups/pacman/mkinitcpio           | 104 +++++++-------
 apparmor.d/groups/pacman/paccache             |  24 ++--
 apparmor.d/groups/pacman/pacdiff              |  28 ++--
 apparmor.d/groups/pacman/pacman               | 136 +++++++++---------
 apparmor.d/groups/pacman/pacman-conf          |   2 +-
 apparmor.d/groups/pacman/pacman-hook-code     |  12 +-
 apparmor.d/groups/pacman/pacman-hook-dconf    |   6 +-
 apparmor.d/groups/pacman/pacman-hook-depmod   |  12 +-
 apparmor.d/groups/pacman/pacman-hook-dkms     |   8 +-
 .../groups/pacman/pacman-hook-fontconfig      |   6 +-
 apparmor.d/groups/pacman/pacman-hook-gio      |  10 +-
 apparmor.d/groups/pacman/pacman-hook-gtk      |  10 +-
 .../groups/pacman/pacman-hook-mkinitcpio      |  24 ++--
 .../pacman/pacman-hook-mkinitcpio-remove      |  10 +-
 apparmor.d/groups/pacman/pacman-hook-perl     |  12 +-
 apparmor.d/groups/pacman/pacman-hook-systemd  |  22 +--
 apparmor.d/groups/pacman/pacman-key           |  32 ++---
 apparmor.d/groups/pacman/reflector            |   4 +-
 apparmor.d/groups/ssh/sftp-server             |   4 +-
 apparmor.d/groups/ssh/ssh                     |   6 +-
 apparmor.d/groups/ssh/ssh-agent               |  18 +--
 apparmor.d/groups/ssh/ssh-agent-launch        |   4 +-
 apparmor.d/groups/ssh/ssh-keygen              |   2 +-
 apparmor.d/groups/ssh/sshd                    |  14 +-
 apparmor.d/groups/ssh/sshfs                   |   8 +-
 apparmor.d/groups/systemd/bootctl             |   8 +-
 apparmor.d/groups/systemd/busctl              |   8 +-
 apparmor.d/groups/systemd/coredumpctl         |  16 +--
 apparmor.d/groups/systemd/hostnamectl         |   2 +-
 apparmor.d/groups/systemd/journalctl          |   8 +-
 apparmor.d/groups/systemd/localectl           |   8 +-
 apparmor.d/groups/systemd/loginctl            |   6 +-
 apparmor.d/groups/systemd/networkctl          |   8 +-
 apparmor.d/groups/systemd/systemd-ac-power    |   2 +-
 apparmor.d/groups/systemd/systemd-analyze     |  14 +-
 .../groups/systemd/systemd-ask-password       |   2 +-
 apparmor.d/groups/systemd/systemd-backlight   |   2 +-
 apparmor.d/groups/systemd/systemd-binfmt      |   2 +-
 apparmor.d/groups/systemd/systemd-cat         |   4 +-
 apparmor.d/groups/systemd/systemd-cgls        |   8 +-
 apparmor.d/groups/systemd/systemd-cgtop       |   8 +-
 apparmor.d/groups/systemd/systemd-coredump    |   6 +-
 apparmor.d/groups/systemd/systemd-cryptsetup  |   2 +-
 apparmor.d/groups/systemd/systemd-delta       |   4 +-
 apparmor.d/groups/systemd/systemd-detect-virt |   2 +-
 apparmor.d/groups/systemd/systemd-dissect     |  10 +-
 .../systemd/systemd-environment-d-generator   |  10 +-
 apparmor.d/groups/systemd/systemd-escape      |   2 +-
 apparmor.d/groups/systemd/systemd-fsck        |   8 +-
 apparmor.d/groups/systemd/systemd-fsckd       |   2 +-
 apparmor.d/groups/systemd/systemd-homed       |  10 +-
 apparmor.d/groups/systemd/systemd-homework    |   2 +-
 apparmor.d/groups/systemd/systemd-hostnamed   |   2 +-
 apparmor.d/groups/systemd/systemd-hwdb        |   6 +-
 apparmor.d/groups/systemd/systemd-id128       |   2 +-
 apparmor.d/groups/systemd/systemd-inhibit     |   4 +-
 apparmor.d/groups/systemd/systemd-journald    |   2 +-
 apparmor.d/groups/systemd/systemd-localed     |   2 +-
 apparmor.d/groups/systemd/systemd-logind      |   2 +-
 .../groups/systemd/systemd-machine-id-setup   |   2 +-
 apparmor.d/groups/systemd/systemd-machined    |   2 +-
 apparmor.d/groups/systemd/systemd-makefs      |   6 +-
 .../groups/systemd/systemd-modules-load       |   2 +-
 apparmor.d/groups/systemd/systemd-mount       |  10 +-
 apparmor.d/groups/systemd/systemd-networkd    |   2 +-
 .../systemd/systemd-networkd-wait-online      |   2 +-
 apparmor.d/groups/systemd/systemd-oomd        |   2 +-
 apparmor.d/groups/systemd/systemd-path        |   2 +-
 apparmor.d/groups/systemd/systemd-portabled   |   2 +-
 apparmor.d/groups/systemd/systemd-random-seed |   2 +-
 apparmor.d/groups/systemd/systemd-remount-fs  |   4 +-
 apparmor.d/groups/systemd/systemd-resolve     |   4 +-
 apparmor.d/groups/systemd/systemd-resolved    |   2 +-
 apparmor.d/groups/systemd/systemd-rfkill      |   2 +-
 apparmor.d/groups/systemd/systemd-shutdown    |   2 +-
 apparmor.d/groups/systemd/systemd-sleep       |  14 +-
 apparmor.d/groups/systemd/systemd-sleep-grub2 |   8 +-
 .../groups/systemd/systemd-sleep-hdparm       |   2 +-
 .../groups/systemd/systemd-sleep-nvidia       |  12 +-
 .../groups/systemd/systemd-sleep-sysstat      |   2 +-
 apparmor.d/groups/systemd/systemd-sleep-tlp   |   4 +-
 .../groups/systemd/systemd-sleep-upgrades     |   2 +-
 .../groups/systemd/systemd-sulogin-shell      |   4 +-
 apparmor.d/groups/systemd/systemd-sysctl      |   2 +-
 apparmor.d/groups/systemd/systemd-sysusers    |   2 +-
 apparmor.d/groups/systemd/systemd-timedated   |   2 +-
 apparmor.d/groups/systemd/systemd-timesyncd   |   2 +-
 apparmor.d/groups/systemd/systemd-tmpfiles    |   2 +-
 .../systemd/systemd-tty-ask-password-agent    |   2 +-
 apparmor.d/groups/systemd/systemd-udevd       |  54 +++----
 apparmor.d/groups/systemd/systemd-update-done |   2 +-
 apparmor.d/groups/systemd/systemd-update-utmp |   2 +-
 .../groups/systemd/systemd-user-runtime-dir   |   2 +-
 .../groups/systemd/systemd-user-sessions      |   2 +-
 apparmor.d/groups/systemd/systemd-userdbd     |   4 +-
 apparmor.d/groups/systemd/systemd-userwork    |   2 +-
 .../groups/systemd/systemd-vconsole-setup     |  12 +-
 apparmor.d/groups/systemd/userdbctl           |   8 +-
 apparmor.d/groups/systemd/zram-generator      |   8 +-
 apparmor.d/groups/ubuntu/apport-checkreports  |   2 +-
 apparmor.d/groups/ubuntu/apport-gtk           |  48 +++----
 apparmor.d/groups/ubuntu/apt-esm-hook         |   4 +-
 apparmor.d/groups/ubuntu/apt-esm-json-hook    |   4 +-
 .../groups/ubuntu/check-new-release-gtk       |   8 +-
 apparmor.d/groups/ubuntu/cron-ubuntu-fan      |  18 +--
 apparmor.d/groups/ubuntu/do-release-upgrade   |   8 +-
 apparmor.d/groups/ubuntu/hwe-support-status   |   6 +-
 .../groups/ubuntu/list-oem-metapackages       |   6 +-
 .../groups/ubuntu/livepatch-notification      |   2 +-
 .../groups/ubuntu/notify-reboot-required      |   6 +-
 .../groups/ubuntu/notify-updates-outdated     |   4 +-
 .../groups/ubuntu/package-system-locked       |   6 +-
 apparmor.d/groups/ubuntu/pro                  |   2 +-
 apparmor.d/groups/ubuntu/release-upgrade-motd |  16 +--
 .../groups/ubuntu/software-properties-dbus    |   8 +-
 .../groups/ubuntu/software-properties-gtk     |  16 +--
 .../groups/ubuntu/subiquity-console-conf      |  28 ++--
 apparmor.d/groups/ubuntu/ubuntu-advantage     |  34 ++---
 .../ubuntu/ubuntu-advantage-desktop-daemon    |   4 +-
 .../ubuntu/ubuntu-advantage-notification      |   2 +-
 apparmor.d/groups/ubuntu/ubuntu-distro-info   |   2 +-
 apparmor.d/groups/ubuntu/ubuntu-report        |   4 +-
 apparmor.d/groups/ubuntu/update-manager       |  18 +--
 .../groups/ubuntu/update-motd-fsck-at-reboot  |  24 ++--
 .../ubuntu/update-motd-updates-available      |  28 ++--
 apparmor.d/groups/ubuntu/update-notifier      |  40 +++---
 apparmor.d/groups/virt/cni-bandwidth          |   2 +-
 apparmor.d/groups/virt/cni-bridge             |   2 +-
 apparmor.d/groups/virt/cni-calico             |   2 +-
 apparmor.d/groups/virt/cni-firewall           |   2 +-
 apparmor.d/groups/virt/cni-flannel            |   2 +-
 apparmor.d/groups/virt/cni-host-local         |   2 +-
 apparmor.d/groups/virt/cni-loopback           |   2 +-
 apparmor.d/groups/virt/cni-portmap            |   4 +-
 apparmor.d/groups/virt/cni-tuning             |   2 +-
 apparmor.d/groups/virt/cni-xtables-nft        |   4 +-
 apparmor.d/groups/virt/cockpit-askpass        |   2 +-
 apparmor.d/groups/virt/cockpit-bridge         |   8 +-
 .../groups/virt/cockpit-certificate-ensure    |   4 +-
 .../groups/virt/cockpit-certificate-helper    |  18 +--
 apparmor.d/groups/virt/cockpit-desktop        |   2 +-
 apparmor.d/groups/virt/cockpit-pcp            |   2 +-
 apparmor.d/groups/virt/cockpit-session        |   8 +-
 apparmor.d/groups/virt/cockpit-ssh            |   2 +-
 apparmor.d/groups/virt/cockpit-tls            |   2 +-
 apparmor.d/groups/virt/cockpit-ws             |   4 +-
 .../groups/virt/cockpit-wsinstance-factory    |   2 +-
 apparmor.d/groups/virt/containerd             |  13 +-
 .../groups/virt/containerd-shim-runc-v2       |   4 +-
 apparmor.d/groups/virt/docker-proxy           |   2 +-
 apparmor.d/groups/virt/dockerd                |  22 +--
 apparmor.d/groups/virt/k3s                    |  16 +--
 apparmor.d/groups/virt/libvirt-dbus           |   6 +-
 apparmor.d/groups/virt/libvirtd               |  54 +++----
 apparmor.d/groups/virt/virt-aa-helper         |   4 +-
 apparmor.d/groups/virt/virtinterfaced         |   6 +-
 apparmor.d/groups/virt/virtiofsd              |   2 +-
 apparmor.d/groups/virt/virtlockd              |   2 +-
 apparmor.d/groups/virt/virtlogd               |   2 +-
 apparmor.d/groups/virt/virtnetworkd           |   4 +-
 apparmor.d/groups/virt/virtnodedevd           |   4 +-
 apparmor.d/groups/virt/virtsecretd            |   2 +-
 apparmor.d/groups/virt/virtstoraged           |   6 +-
 355 files changed, 1473 insertions(+), 1472 deletions(-)

diff --git a/apparmor.d/groups/gnome/chrome-gnome-shell b/apparmor.d/groups/gnome/chrome-gnome-shell
index 2c1ac4ef..7407e11b 100644
--- a/apparmor.d/groups/gnome/chrome-gnome-shell
+++ b/apparmor.d/groups/gnome/chrome-gnome-shell
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/chrome-gnome-shell
+@{exec_path} = @{bin}/chrome-gnome-shell
 profile chrome-gnome-shell @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
@@ -22,7 +22,7 @@ profile chrome-gnome-shell @{exec_path} {
   network netlink raw,
 
   @{exec_path} mr,
-  /{usr/,}bin/ r,
+  @{bin}/ r,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
 
diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory
index 87bdcd54..cc126530 100644
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,evolution-data-server/}evolution-addressbook-factory
+@{exec_path} = @{lib}/{,evolution-data-server/}evolution-addressbook-factory
 profile evolution-addressbook-factory @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-network-manager-strict>
diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify
index e8e2209f..458b3738 100644
--- a/apparmor.d/groups/gnome/evolution-alarm-notify
+++ b/apparmor.d/groups/gnome/evolution-alarm-notify
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify
+@{exec_path} = @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify
 profile evolution-alarm-notify @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session>
diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory
index 59a5ae53..3fff1e26 100644
--- a/apparmor.d/groups/gnome/evolution-calendar-factory
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,evolution-data-server/}evolution-calendar-factory
+@{exec_path} = @{lib}/{,evolution-data-server/}evolution-calendar-factory
 profile evolution-calendar-factory @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-network-manager-strict>
diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry
index b128ece4..ea1b026a 100644
--- a/apparmor.d/groups/gnome/evolution-source-registry
+++ b/apparmor.d/groups/gnome/evolution-source-registry
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,evolution-data-server/}evolution-source-registry
+@{exec_path} = @{lib}/{,evolution-data-server/}evolution-source-registry
 profile evolution-source-registry @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm
index e390493e..1c969bcc 100644
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/gdm{3,}
+@{exec_path} = @{bin}/gdm{3,}
 profile gdm @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
@@ -66,13 +66,13 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  @{libexec}/{,gdm/}gdm-session-worker  rPx,
-  /{usr/,}{s,}bin/prime-switch         rPUx,
-  /{usr/,}bin/{,ba,da}sh                rix,
-  /{usr/,}bin/pidof                     rPx,
-  /{usr/,}bin/plymouth                  rPx,
-  /{usr/,}bin/sleep                     rix,
-  /etc/gdm{3,}/PrimeOff/Default         rix,
+  @{bin}/{,ba,da}sh                rix,
+  @{bin}/pidof                     rPx,
+  @{bin}/plymouth                  rPx,
+  @{bin}/prime-switch             rPUx,
+  @{bin}/sleep                     rix,
+  @{lib}/{,gdm/}gdm-session-worker rPx,
+  /etc/gdm{3,}/PrimeOff/Default    rix,
 
   /usr/share/gdm/gdm.schemas r,
   /usr/share/wayland-sessions/*.desktop r,
diff --git a/apparmor.d/groups/gnome/gdm-runtime-config b/apparmor.d/groups/gnome/gdm-runtime-config
index 198a387f..58628f7e 100644
--- a/apparmor.d/groups/gnome/gdm-runtime-config
+++ b/apparmor.d/groups/gnome/gdm-runtime-config
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} =  @{libexec}/gdm-runtime-config
+@{exec_path} =  @{lib}/gdm-runtime-config
 profile gdm-runtime-config @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index 5d683e05..d5e92f6b 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gdm/}gdm-session-worker
+@{exec_path} = @{lib}/{,gdm/}gdm-session-worker
 profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/authentication>
@@ -58,9 +58,9 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mrix,
 
-  @{libexec}/{,gdm/}gdm-wayland-session   rPx,
-  @{libexec}/{,gdm/}gdm-x-session         rPx,
-  /{usr/,}bin/gnome-keyring-daemon        rPx,
+  @{bin}/gnome-keyring-daemon             rPx,
+  @{lib}/{,gdm/}gdm-wayland-session       rPx,
+  @{lib}/{,gdm/}gdm-x-session             rPx,
   /etc/gdm{3,}/{Pre,Post}Session/Default  rix,
   /etc/gdm{3,}/PostLogin/Default          rix,
   /etc/gdm{3,}/PrimeOff/Default           rix,
diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session
index 7ec7de08..6526ab43 100644
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gdm/}gdm-wayland-session
+@{exec_path} = @{lib}/{,gdm/}gdm-wayland-session
 profile gdm-wayland-session @{exec_path} {
   include <abstractions/base>
   include <abstractions/bash>
@@ -38,33 +38,33 @@ profile gdm-wayland-session @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh           rix,
-  /{usr/,}bin/cat                  rix,
-  /{usr/,}bin/env                  rix,
-  /{usr/,}bin/gettext              rix,
-  /{usr/,}bin/gettext.sh             r,
-  /{usr/,}bin/gnome-session        rix,
-  /{usr/,}bin/grep                 rix,
-  /{usr/,}bin/gsettings            rPx,
-  /{usr/,}bin/head                 rix,
-  /{usr/,}bin/id                   rix,
-  /{usr/,}bin/locale               rix,
-  /{usr/,}bin/locale-check         rix,
-  /{usr/,}bin/manpath              rix,
-  /{usr/,}bin/qmake                rix,
-  /{usr/,}bin/readlink             rix,
-  /{usr/,}bin/sed                  rix,
-  /{usr/,}bin/sort                 rix,
-  /{usr/,}bin/tr                   rix,
-  /{usr/,}bin/tty                  rix,
-  /{usr/,}bin/uname                rix,
-  /{usr/,}bin/zsh                  rix,
+  @{bin}/{,ba,da}sh           rix,
+  @{bin}/cat                  rix,
+  @{bin}/env                  rix,
+  @{bin}/gettext              rix,
+  @{bin}/gettext.sh             r,
+  @{bin}/gnome-session        rix,
+  @{bin}/grep                 rix,
+  @{bin}/gsettings            rPx,
+  @{bin}/head                 rix,
+  @{bin}/id                   rix,
+  @{bin}/locale               rix,
+  @{bin}/locale-check         rix,
+  @{bin}/manpath              rix,
+  @{bin}/qmake                rix,
+  @{bin}/readlink             rix,
+  @{bin}/sed                  rix,
+  @{bin}/sort                 rix,
+  @{bin}/tr                   rix,
+  @{bin}/tty                  rix,
+  @{bin}/uname                rix,
+  @{bin}/zsh                  rix,
 
-  @{libexec}/gnome-session-binary  rPx,
-  /{usr/,}bin/dbus-daemon          rPx,
-  /{usr/,}bin/dbus-run-session     rPx,
-  /{usr/,}bin/dpkg-query           rpx,
-  /{usr/,}bin/flatpak             rPUx,
+  @{lib}/gnome-session-binary  rPx,
+  @{bin}/dbus-daemon          rPx,
+  @{bin}/dbus-run-session     rPx,
+  @{bin}/dpkg-query           rpx,
+  @{bin}/flatpak             rPUx,
 
   /usr/share/bash-completion/{,**} r,
   /usr/share/gdm/gdm.schemas r,
diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session
index e05bbdca..50ba509b 100644
--- a/apparmor.d/groups/gnome/gdm-x-session
+++ b/apparmor.d/groups/gnome/gdm-x-session
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gdm/}gdm-x-session
+@{exec_path} = @{lib}/{,gdm/}gdm-x-session
 profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
@@ -35,8 +35,8 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/Xorg              rPx,
-  /{usr/,}bin/dbus-run-session  rPx,
+  @{bin}/Xorg              rPx,
+  @{bin}/dbus-run-session  rPx,
   /etc/gdm{3,}/Xsession         rPx,
   /etc/gdm{3,}/Prime/Default    rix,
 
diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession
index 7c2c049a..ba51cf06 100644
--- a/apparmor.d/groups/gnome/gdm-xsession
+++ b/apparmor.d/groups/gnome/gdm-xsession
@@ -16,35 +16,35 @@ profile gdm-xsession @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh      rix,
-  /{usr/,}bin/{,e}grep        rix,
-  /{usr/,}bin/{m,g,}awk       rix,
-  /{usr/,}bin/cat             rix,
-  /{usr/,}bin/expr            rix,
-  /{usr/,}bin/gettext         rix,
-  /{usr/,}bin/gettext.sh      r,
-  /{usr/,}bin/gnome-session   rix,
-  /{usr/,}bin/gsettings       rPx,
-  /{usr/,}bin/id              rix,
-  /{usr/,}bin/locale          rix,
-  /{usr/,}bin/locale-check    rix,
-  /{usr/,}bin/mktemp          rix,
-  /{usr/,}bin/sed             rix,
-  /{usr/,}bin/tr              rix,
-  /{usr/,}bin/truncate        rix,
-  /{usr/,}bin/tty             rix,
-  /{usr/,}bin/zsh             rix,
+  @{bin}/{,ba,da}sh      rix,
+  @{bin}/{,e}grep        rix,
+  @{bin}/{m,g,}awk       rix,
+  @{bin}/cat             rix,
+  @{bin}/expr            rix,
+  @{bin}/gettext         rix,
+  @{bin}/gettext.sh      r,
+  @{bin}/gnome-session   rix,
+  @{bin}/gsettings       rPx,
+  @{bin}/id              rix,
+  @{bin}/locale          rix,
+  @{bin}/locale-check    rix,
+  @{bin}/mktemp          rix,
+  @{bin}/sed             rix,
+  @{bin}/tr              rix,
+  @{bin}/truncate        rix,
+  @{bin}/tty             rix,
+  @{bin}/zsh             rix,
 
   @{etc_ro}/X11/xdm/Xsession                        rPx,
-  /{usr/,}bin/dbus-update-activation-environment    rCx -> dbus,
-  /{usr/,}bin/flatpak                               rPUx,
-  /{usr/,}bin/systemctl                             rPx -> child-systemctl,
-  /{usr/,}bin/xbrlapi                               rPx,
-  /{usr/,}bin/xhost                                 rPx,
-  /{usr/,}bin/im-launch                             rPx,
-  /{usr/,}bin/gpgconf                               rPx,
-  @{libexec}/gnome-session-binary                   rPx,
-  /{usr/,}bin/dpkg-query                            rpx,
+  @{bin}/dbus-update-activation-environment    rCx -> dbus,
+  @{bin}/flatpak                               rPUx,
+  @{bin}/systemctl                             rPx -> child-systemctl,
+  @{bin}/xbrlapi                               rPx,
+  @{bin}/xhost                                 rPx,
+  @{bin}/im-launch                             rPx,
+  @{bin}/gpgconf                               rPx,
+  @{lib}/gnome-session-binary                   rPx,
+  @{bin}/dpkg-query                            rpx,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/im-config/data/{,*} r,
@@ -62,7 +62,7 @@ profile gdm-xsession @{exec_path} {
   profile dbus {
     include <abstractions/base>
 
-    /{usr/,}bin/dbus-update-activation-environment mr,
+    @{bin}/dbus-update-activation-environment mr,
 
     owner @{run}/user/@{uid}/bus rw,
 
diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop
index d87a3dee..ec79117c 100644
--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@@ -7,9 +7,9 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path}  = /{usr/,}bin/gio
-@{exec_path} += /{usr/,}bin/gio-launch-desktop
-@{exec_path} += /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop
+@{exec_path}  = @{bin}/gio
+@{exec_path} += @{bin}/gio-launch-desktop
+@{exec_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop
 profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/app-launcher-user>
@@ -20,7 +20,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}lib/gio-launch-desktop rix,
+  @{lib}/gio-launch-desktop rix,
 
   # System files
   /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console
index e3d63ac5..60595f1c 100644
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path}  = /{usr/,}bin/gjs-console
+@{exec_path}  = @{bin}/gjs-console
 profile gjs-console @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
@@ -74,9 +74,9 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
   dbus bind bus=session name=org.gnome.Shell.Notifications,
 
   @{exec_path} mr,
-  /{usr/,}bin/          r,
-  /{usr/,}bin/[a-z0-9]* rPUx,
-  @{libexec}/** rPUx,
+  @{bin}/          r,
+  @{bin}/[a-z0-9]* rPUx,
+  @{lib}/** rPUx,
 
   /etc/openni2/OpenNI.ini r,
 
diff --git a/apparmor.d/groups/gnome/gkbd-keyboard-display b/apparmor.d/groups/gnome/gkbd-keyboard-display
index f3e82b11..5b2bef3d 100644
--- a/apparmor.d/groups/gnome/gkbd-keyboard-display
+++ b/apparmor.d/groups/gnome/gkbd-keyboard-display
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gkbd-keyboard-display
+@{exec_path} = @{bin}/gkbd-keyboard-display
 profile gkbd-keyboard-display @{exec_path} {
   include <abstractions/base>
   include <abstractions/fonts>
diff --git a/apparmor.d/groups/gnome/gnome-browser-connector-host b/apparmor.d/groups/gnome/gnome-browser-connector-host
index abc4601b..a5a088af 100644
--- a/apparmor.d/groups/gnome/gnome-browser-connector-host
+++ b/apparmor.d/groups/gnome/gnome-browser-connector-host
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-browser-connector-host
+@{exec_path} = @{bin}/gnome-browser-connector-host
 profile gnome-browser-connector-host @{exec_path} {
   include <abstractions/base>
   include <abstractions/python>
@@ -14,10 +14,10 @@ profile gnome-browser-connector-host @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/env             rix,
-  /{usr/,}bin/python3.[0-9]*  rix,
+  @{bin}/env             rix,
+  @{bin}/python3.[0-9]*  rix,
 
-  /{usr/,}lib/python3.[0-9]*/site-packages/gnome_browser_connector/__pycache__/{,**} rw,
+  @{lib}/python3.[0-9]*/site-packages/gnome_browser_connector/__pycache__/{,**} rw,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
 
diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider
index 59223da9..14506a3c 100644
--- a/apparmor.d/groups/gnome/gnome-calculator-search-provider
+++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gnome-calculator-search-provider
+@{exec_path} = @{lib}/gnome-calculator-search-provider
 profile gnome-calculator-search-provider @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar
index 081ecd17..b5935839 100644
--- a/apparmor.d/groups/gnome/gnome-calendar
+++ b/apparmor.d/groups/gnome/gnome-calendar
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-calendar
+@{exec_path} = @{bin}/gnome-calendar
 profile gnome-calendar @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters
index b5b15620..8d75441f 100644
--- a/apparmor.d/groups/gnome/gnome-characters
+++ b/apparmor.d/groups/gnome/gnome-characters
@@ -20,7 +20,7 @@ profile gnome-characters @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/gjs-console rix,
+  @{bin}/gjs-console rix,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
diff --git a/apparmor.d/groups/gnome/gnome-characters-backgroudservice b/apparmor.d/groups/gnome/gnome-characters-backgroudservice
index 488c8954..ab2cfa1a 100644
--- a/apparmor.d/groups/gnome/gnome-characters-backgroudservice
+++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice
@@ -15,7 +15,7 @@ profile gnome-characters-backgroudservice @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/gjs-console rix,
+  @{bin}/gjs-console rix,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/icons/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts
index 0ddcf07b..569405ad 100644
--- a/apparmor.d/groups/gnome/gnome-contacts
+++ b/apparmor.d/groups/gnome/gnome-contacts
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-contacts
+@{exec_path} = @{bin}/gnome-contacts
 profile gnome-contacts @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
diff --git a/apparmor.d/groups/gnome/gnome-contacts-search-provider b/apparmor.d/groups/gnome/gnome-contacts-search-provider
index 0b8042f3..a0aa865a 100644
--- a/apparmor.d/groups/gnome/gnome-contacts-search-provider
+++ b/apparmor.d/groups/gnome/gnome-contacts-search-provider
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gnome-contacts-search-provider
+@{exec_path} = @{lib}/gnome-contacts-search-provider
 profile gnome-contacts-search-provider @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 3ac6983b..2623aedc 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-control-center
+@{exec_path} = @{bin}/gnome-control-center
 profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio>
@@ -64,27 +64,27 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,b,d,rb}ash  rUx,
-  /{usr/,}bin/{c,k,tc,z}sh  rUx,
+  @{bin}/{,b,d,rb}ash  rUx,
+  @{bin}/{c,k,tc,z}sh  rUx,
 
-  /{usr/,}bin/gcm-viewer    rix,
-  /{usr/,}bin/grep          rix,
-  /{usr/,}bin/locale        rix,
-  /{usr/,}bin/sed           rix,
+  @{bin}/gcm-viewer    rix,
+  @{bin}/grep          rix,
+  @{bin}/locale        rix,
+  @{bin}/sed           rix,
 
-  @{libexec}/gnome-control-center-goa-helper          rPx,
-  @{libexec}/gnome-control-center-print-renderer      rPx,
-  /{usr/,}bin/gnome-software                         rPUx,
-  /{usr/,}bin/gkbd-keyboard-display                  rPUx,
-  /{usr/,}bin/bwrap                                  rPUx,
-  /{usr/,}bin/openvpn                                 rPx,
-  /{usr/,}bin/passwd                                  rPx,
-  /{usr/,}bin/software-properties-gtk                 rPx,
-  /{usr/,}bin/pkexec                                  rPx,
-  /{usr/,}{s,}bin/usermod                             rPx,
-  /{usr/,}lib/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
-  /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
-  /usr/share/language-tools/language2locale           rix,
+  @{bin}/bwrap                                  rPUx,
+  @{bin}/gkbd-keyboard-display                  rPUx,
+  @{bin}/gnome-software                         rPUx,
+  @{bin}/openvpn                                 rPx,
+  @{bin}/passwd                                  rPx,
+  @{bin}/pkexec                                  rPx,
+  @{bin}/software-properties-gtk                 rPx,
+  @{bin}/usermod                                 rPx,
+  @{lib}/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
+  @{lib}/gnome-control-center-goa-helper         rPx,
+  @{lib}/gnome-control-center-print-renderer     rPx,
+  @{lib}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
+  /usr/share/language-tools/language2locale      rix,
 
   /snap/*/[0-9]*/**.png r,
   /usr/share/backgrounds/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
index 0bd987ff..4e9d2286 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper
+++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/gnome-control-center-goa-helper
+@{exec_path} = @{lib}/gnome-control-center-goa-helper
 profile gnome-control-center-goa-helper @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
@@ -29,9 +29,9 @@ profile gnome-control-center-goa-helper @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/bwrap  rPUx,
+  @{bin}/bwrap  rPUx,
 
-  /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
+  @{lib}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/themes/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
index 4bf642f5..779b9561 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer
+++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gnome-control-center-print-renderer
+@{exec_path} = @{lib}/gnome-control-center-print-renderer
 profile gnome-control-center-print-renderer @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-accessibility-strict>
diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider
index 1de8082b..55cdd315 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-search-provider
+++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gnome-control-center-search-provider
+@{exec_path} = @{lib}/gnome-control-center-search-provider
 profile gnome-control-center-search-provider @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter
index 7ef74bb1..1d54d4fc 100644
--- a/apparmor.d/groups/gnome/gnome-disk-image-mounter
+++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-disk-image-mounter
+@{exec_path} = @{bin}/gnome-disk-image-mounter
 profile gnome-disk-image-mounter @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
diff --git a/apparmor.d/groups/gnome/gnome-disks b/apparmor.d/groups/gnome/gnome-disks
index 27ac6ecd..0d1aba7f 100644
--- a/apparmor.d/groups/gnome/gnome-disks
+++ b/apparmor.d/groups/gnome/gnome-disks
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-disks
+@{exec_path} = @{bin}/gnome-disks
 profile gnome-disks @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
@@ -16,8 +16,8 @@ profile gnome-disks @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
-  /{usr/,}lib/gio-launch-desktop                           rPx -> child-open,
+  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
+  @{lib}/gio-launch-desktop                           rPx -> child-open,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/X11/xkb/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
index 4417b939..b7d16b53 100644
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@@ -142,11 +142,11 @@ profile gnome-extension-ding @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh            rix,
-  /{usr/,}bin/env                   rix,
-  /{usr/,}bin/gjs-console           rix,
-  /{usr/,}bin/gnome-control-center  rPx,
-  /{usr/,}bin/nautilus              rPx,
+  @{bin}/{,ba,da}sh            rix,
+  @{bin}/env                   rix,
+  @{bin}/gjs-console           rix,
+  @{bin}/gnome-control-center  rPx,
+  @{bin}/nautilus              rPx,
 
   /usr/share/gnome-shell/extensions/ding@rastersoft.com/* r,
   /usr/share/thumbnailers/{,*.thumbnailer} r,
diff --git a/apparmor.d/groups/gnome/gnome-extension-manager b/apparmor.d/groups/gnome/gnome-extension-manager
index 23dd28ec..2e2b5623 100644
--- a/apparmor.d/groups/gnome/gnome-extension-manager
+++ b/apparmor.d/groups/gnome/gnome-extension-manager
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/extension-manager
+@{exec_path} = @{bin}/extension-manager
 profile gnome-extension-manager @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
@@ -30,10 +30,10 @@ profile gnome-extension-manager @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/gjs-console rix,
+  @{bin}/gjs-console rix,
 
-  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
-  /{usr/,}lib/gio-launch-desktop                           rPx -> child-open,
+  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
+  @{lib}/gio-launch-desktop                           rPx -> child-open,
 
   /usr/share/gnome-shell/org.gnome.Shell.Extensions r,
   /usr/share/themes/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app
index 9b5f38f2..2585e832 100644
--- a/apparmor.d/groups/gnome/gnome-extensions-app
+++ b/apparmor.d/groups/gnome/gnome-extensions-app
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-extensions-app
+@{exec_path} = @{bin}/gnome-extensions-app
 profile gnome-extensions-app @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
@@ -22,8 +22,8 @@ profile gnome-extensions-app @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh  rix,
-  /{usr/,}bin/gjs-console rix,
+  @{bin}/{,ba,da}sh  rix,
+  @{bin}/gjs-console rix,
 
   /usr/share/gnome-shell/org.gnome.Extensions* r,
   /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon
index 12f817e5..0e5253c4 100644
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-keyring-daemon
+@{exec_path} = @{bin}/gnome-keyring-daemon
 profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
@@ -111,8 +111,8 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/ssh-add   rix,
-  /{usr/,}bin/ssh-agent rPx,
+  @{bin}/ssh-add   rix,
+  @{bin}/ssh-agent rPx,
 
   /etc/gcrypt/hwf.deny r,
 
diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music
index 1a9e1fb4..b38531f1 100644
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-music
+@{exec_path} = @{bin}/gnome-music
 profile gnome-music @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio>
@@ -31,9 +31,9 @@ profile gnome-music @{exec_path} {
   network netlink raw,
 
   @{exec_path} mr,
-  /{usr/,}bin/ r,
-  /{usr/,}bin/python3.[0-9]* rix,
-  /{usr/,}lib/python3.[0-9]*/site-packages//gnomemusic/__pycache__/{,**} rw,
+  @{bin}/ r,
+  @{bin}/python3.[0-9]* rix,
+  @{lib}/python3.[0-9]*/site-packages//gnomemusic/__pycache__/{,**} rw,
 
   /usr/share/egl/{,**} r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer
index 5a4f9796..b7e4e6a9 100644
--- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer
+++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/gnome-photos-thumbnailer
+@{exec_path} = @{lib}/gnome-photos-thumbnailer
 profile gnome-photos-thumbnailer @{exec_path} {
   include <abstractions/base>
   include <abstractions/user-download-strict>
diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
index 353cbab4..d70bbf72 100644
--- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
+++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gnome-remote-desktop-daemon
+@{exec_path} = @{lib}/gnome-remote-desktop-daemon
 profile gnome-remote-desktop-daemon @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 03d837d8..cdb40652 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gnome-session-binary
+@{exec_path} = @{lib}/gnome-session-binary
 profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-accessibility-strict>
@@ -135,57 +135,57 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,z,ba,da}sh                                 rix,
-  /{usr/,}bin/env                                          rix,
-  /{usr/,}bin/gnome-session                                rix,
-  /{usr/,}bin/grep                                         rix,
-  /{usr/,}bin/gsettings                                    rPx,
-  /{usr/,}bin/gsettings-data-convert                       rix,
-  /{usr/,}bin/mkdir                                        rix,
-  /{usr/,}bin/session-migration                            rix,
-  /{usr/,}bin/xdg-user-dirs-gtk-update                     rix,
-  @{libexec}/at-spi-bus-launcher                           rPx,
-  @{libexec}/gnome-session-check-accelerated               rix,
-  @{libexec}/gnome-session-check-accelerated-gl-helper     rix,
-  @{libexec}/gnome-session-check-accelerated-gles-helper   rix,
-  @{libexec}/gnome-session-failed                          rix,
-  @{libexec}/{,gnome-shell/}gnome-shell-overrides-migration.sh  rix,
-  @{libexec}/gsd-*                                         rPx,
+  @{bin}/{,z,ba,da}sh                                  rix,
+  @{bin}/env                                           rix,
+  @{bin}/gnome-session                                 rix,
+  @{bin}/grep                                          rix,
+  @{bin}/gsettings                                     rPx,
+  @{bin}/gsettings-data-convert                        rix,
+  @{bin}/mkdir                                         rix,
+  @{bin}/session-migration                             rix,
+  @{bin}/xdg-user-dirs-gtk-update                      rix,
+  @{lib}/{,gnome-shell/}gnome-shell-overrides-migration.sh  rix,
+  @{lib}/at-spi-bus-launcher                           rPx,
+  @{lib}/gnome-session-check-accelerated               rix,
+  @{lib}/gnome-session-check-accelerated-gl-helper     rix,
+  @{lib}/gnome-session-check-accelerated-gles-helper   rix,
+  @{lib}/gnome-session-failed                          rix,
+  @{lib}/gsd-*                                         rPx,
 
   # TODO: rCx gio-launch-desktop and put all the following program in this
   #       subprofile. Not done yet as it breaks compatibility with Ubuntu/Debian
-  @{libexec}/gio-launch-desktop                            rix,
+  @{lib}/gio-launch-desktop                            rix,
 
-  /{usr/,}bin/aa-notify                                    rPx,
-  /{usr/,}bin/baloo_file                                   rPx,
-  @{libexec}/baloo_file                                    rPx,
-  /{usr/,}bin/blueman-applet                               rPx,
-  /{usr/,}bin/firewall-applet                             rPUx,
-  /{usr/,}bin/gnome-keyring-daemon                         rPx,
-  /{usr/,}bin/gnome-shell                                  rPx,
-  /{usr/,}bin/gnome-software                              rPUx,
-  /{usr/,}bin/im-launch                                    rPx,
-  /{usr/,}bin/keepassxc                                    rPx,
-  /{usr/,}bin/parcellite                                  rPUx,
-  /{usr/,}bin/pkcs11-register                              rPx,
-  /{usr/,}bin/snap                                        rPUx,
-  /{usr/,}bin/snapshot-detect                             rPUx,
-  /{usr/,}bin/spice-vdagent                                rPx,
-  /{usr/,}bin/start-pulseaudio-x11                         rPx,
-  /{usr/,}bin/ubuntu-report                                rPx,
-  /{usr/,}bin/update-notifier                              rPx,
-  /{usr/,}bin/xbrlapi                                      rPx,
-  /{usr/,}bin/xdg-user-dirs-update                         rPx,
-  /{usr/,}lib/@{multiarch}/libexec/kdeconnectd             rPUx,
-  /{usr/,}lib/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx,
-  /{usr/,}lib/caribou/caribou                              rPUx,
-  /{usr/,}lib/thunderbird/thunderbird                      rPx,
-  /{usr/,}lib/update-notifier/ubuntu-advantage-notification rPx,
-  /{usr/,}lib/xapps/sn-watcher/*                           rPUx,
-  /{usr/,}share/libpam-kwallet-common/pam_kwallet_init    rPUx,
-  @{libexec}/deja-dup/deja-dup-monitor                     rPUx,
-  @{libexec}/gsd-disk-utility-notify                       rPx,
-  @{libexec}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify rPx,
+  @{bin}/aa-notify                                       rPx,
+  @{bin}/baloo_file                                      rPx,
+  @{bin}/blueman-applet                                  rPx,
+  @{bin}/firewall-applet                                rPUx,
+  @{bin}/gnome-keyring-daemon                            rPx,
+  @{bin}/gnome-shell                                     rPx,
+  @{bin}/gnome-software                                 rPUx,
+  @{bin}/im-launch                                       rPx,
+  @{bin}/keepassxc                                       rPx,
+  @{bin}/parcellite                                     rPUx,
+  @{bin}/pkcs11-register                                 rPx,
+  @{bin}/snap                                           rPUx,
+  @{bin}/snapshot-detect                                rPUx,
+  @{bin}/spice-vdagent                                   rPx,
+  @{bin}/start-pulseaudio-x11                            rPx,
+  @{bin}/ubuntu-report                                   rPx,
+  @{bin}/update-notifier                                 rPx,
+  @{bin}/xbrlapi                                         rPx,
+  @{bin}/xdg-user-dirs-update                            rPx,
+  @{lib}/@{multiarch}/libexec/kdeconnectd               rPUx,
+  @{lib}/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher  rPUx,
+  @{lib}/baloo_file                                      rPx,
+  @{lib}/caribou/caribou                                rPUx,
+  @{lib}/deja-dup/deja-dup-monitor                      rPUx,
+  @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify rPx,
+  @{lib}/gsd-disk-utility-notify                         rPx,
+  @{lib}/thunderbird/thunderbird                         rPx,
+  @{lib}/update-notifier/ubuntu-advantage-notification   rPx,
+  @{lib}/xapps/sn-watcher/*                             rPUx,
+  /{usr/,}share/libpam-kwallet-common/pam_kwallet_init  rPUx,
 
   /usr/share/dconf/profile/gdm r,
   /usr/share/gdm/greeter-dconf-defaults r,
diff --git a/apparmor.d/groups/gnome/gnome-session-ctl b/apparmor.d/groups/gnome/gnome-session-ctl
index 221ca00e..e6457817 100644
--- a/apparmor.d/groups/gnome/gnome-session-ctl
+++ b/apparmor.d/groups/gnome/gnome-session-ctl
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gnome-session-ctl
+@{exec_path} = @{lib}/gnome-session-ctl
 profile gnome-session-ctl @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index cad59c62..8d8a572e 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-shell
+@{exec_path} = @{bin}/gnome-shell
 profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/app-launcher-user>
@@ -479,9 +479,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/Xwayland        rPx,
-  @{libexec}/polkit-1/polkit* rPx,
-  @{libexec}/*                rPUx,
+  @{bin}/Xwayland         rPx,
+  @{lib}/polkit-1/polkit* rPx,
+  @{lib}/*                rPUx,
 
   /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js rPx,
 
diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server
index 7b7f0114..c87e4cdb 100644
--- a/apparmor.d/groups/gnome/gnome-shell-calendar-server
+++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gnome-shell/}gnome-shell-calendar-server
+@{exec_path} = @{lib}/{,gnome-shell/}gnome-shell-calendar-server
 profile gnome-shell-calendar-server @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
index c86e1047..0a54af2b 100644
--- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
+++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gnome-shell-hotplug-sniffer
+@{exec_path} = @{lib}/gnome-shell-hotplug-sniffer
 profile gnome-shell-hotplug-sniffer @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index 3f651447..3f60b6f1 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-software
+@{exec_path} = @{bin}/gnome-software
 profile gnome-software @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
@@ -34,13 +34,13 @@ profile gnome-software @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/bwrap              rPUx,
-  /{usr/,}bin/fusermount{,3}      rCx -> fusermount,
-  /{usr/,}bin/gpg{,2}             rCx -> gpg,
-  /{usr/,}bin/gpgconf             rCx -> gpg,
-  /{usr/,}bin/gpgsm               rCx -> gpg,
-  /{usr/,}lib/gio-launch-desktop  rPx -> child-open,
-  /{usr/,}lib/revokefs-fuse       rix,
+  @{bin}/bwrap               rPUx,
+  @{bin}/fusermount{,3}      rCx -> fusermount,
+  @{bin}/gpg{,2}             rCx -> gpg,
+  @{bin}/gpgconf             rCx -> gpg,
+  @{bin}/gpgsm               rCx -> gpg,
+  @{lib}/gio-launch-desktop  rPx -> child-open,
+  @{lib}/revokefs-fuse       rix,
 
   /usr/share/app-info/{,**} r,
   /usr/share/appdata/{,**} r,
@@ -110,9 +110,9 @@ profile gnome-software @{exec_path} {
   profile gpg {
     include <abstractions/base>
 
-    /{usr/,}bin/gpg{,2}  mr,
-    /{usr/,}bin/gpgconf  mr,
-    /{usr/,}bin/gpgsm    mr,
+    @{bin}/gpg{,2}  mr,
+    @{bin}/gpgconf  mr,
+    @{bin}/gpgsm    mr,
 
     @{HOME}/@{XDG_GPG_DIR}/*.conf r,
 
@@ -130,7 +130,7 @@ profile gnome-software @{exec_path} {
     mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
     umount /var/tmp/flatpak-cache-*/*/,
 
-    /{usr/,}bin/fusermount{,3} mr,
+    @{bin}/fusermount{,3} mr,
 
     /etc/fuse.conf r,
 
diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor
index 3031ce31..04233aa5 100644
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-system-monitor
+@{exec_path} = @{bin}/gnome-system-monitor
 profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
@@ -26,7 +26,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/pkexec rPx,
+  @{bin}/pkexec rPx,
 
   /usr/share/gnome-system-monitor/{,**} r,
 
diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server
index 5141bbd4..257b3fdf 100644
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gnome-terminal-server
+@{exec_path} = @{lib}/gnome-terminal-server
 profile gnome-terminal-server @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -26,16 +26,16 @@ profile gnome-terminal-server @{exec_path} {
   @{exec_path} mr,
 
   # The shell is not confined on purpose.
-  /{usr/,}bin/{,b,d,rb}ash         rUx,
-  /{usr/,}bin/{c,k,tc,z}sh         rUx,
+  @{bin}/{,b,d,rb}ash         rUx,
+  @{bin}/{c,k,tc,z}sh         rUx,
 
   # Some CLI program can be launched directly from Gnome Shell
-  /{usr/,}bin/htop                 rPx,
-  /{usr/,}bin/micro               rPUx,
-  /{usr/,}bin/nvtop                rPx,
+  @{bin}/htop                 rPx,
+  @{bin}/micro               rPUx,
+  @{bin}/nvtop                rPx,
 
-  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
-  /{usr/,}lib/gio-launch-desktop                          rPx -> child-open,
+  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+  @{lib}/gio-launch-desktop                          rPx -> child-open,
 
   /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
   /usr/share/X11/xkb/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks
index 894c9d27..43ee2df2 100644
--- a/apparmor.d/groups/gnome/gnome-tweaks
+++ b/apparmor.d/groups/gnome/gnome-tweaks
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-tweaks
+@{exec_path} = @{bin}/gnome-tweaks
 profile gnome-tweaks @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio>
@@ -17,11 +17,11 @@ profile gnome-tweaks @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/ r,
-  /{usr/,}bin/ps rPx,
-  /{usr/,}bin/python3.[0-9]* rix,
+  @{bin}/ r,
+  @{bin}/ps rPx,
+  @{bin}/python3.[0-9]* rix,
 
-  /{usr/,}lib/python3.[0-9]*/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w,
+  @{lib}/python3.[0-9]*/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/gnome-tweaks/{,**} r,
diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon
index 31825d41..80f50fd1 100644
--- a/apparmor.d/groups/gnome/goa-daemon
+++ b/apparmor.d/groups/gnome/goa-daemon
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/goa-daemon
+@{exec_path} = @{lib}/goa-daemon
 profile goa-daemon @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-network-manager-strict>
diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service
index b84fa33d..4d6bca09 100644
--- a/apparmor.d/groups/gnome/goa-identity-service
+++ b/apparmor.d/groups/gnome/goa-identity-service
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/goa-identity-service
+@{exec_path} = @{lib}/goa-identity-service
 profile goa-identity-service @{exec_path} {
   include <abstractions/base>
   include <abstractions/authentication>
diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings
index 19617782..7c610f08 100644
--- a/apparmor.d/groups/gnome/gsd-a11y-settings
+++ b/apparmor.d/groups/gnome/gsd-a11y-settings
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-a11y-settings
+@{exec_path} = @{lib}/gsd-a11y-settings
 profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
index 670566c9..e9fc3d9b 100644
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-color
+@{exec_path} = @{lib}/gsd-color
 profile gsd-color @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-accessibility-strict>
diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime
index fc9b0591..bd544c67 100644
--- a/apparmor.d/groups/gnome/gsd-datetime
+++ b/apparmor.d/groups/gnome/gsd-datetime
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-datetime
+@{exec_path} = @{lib}/gsd-datetime
 profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify
index 9943fdfd..5e3a67a2 100644
--- a/apparmor.d/groups/gnome/gsd-disk-utility-notify
+++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-disk-utility-notify
+@{exec_path} = @{lib}/gsd-disk-utility-notify
 profile gsd-disk-utility-notify @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping
index b032eb17..e30f21cf 100644
--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-housekeeping
+@{exec_path} = @{lib}/gsd-housekeeping
 profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/app-launcher-user>
diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard
index 860cb278..f1ccb143 100644
--- a/apparmor.d/groups/gnome/gsd-keyboard
+++ b/apparmor.d/groups/gnome/gsd-keyboard
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-keyboard
+@{exec_path} = @{lib}/gsd-keyboard
 profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-accessibility-strict>
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
index ed62831f..bfad1351 100644
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-media-keys
+@{exec_path} = @{lib}/gsd-media-keys
 profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio>
@@ -159,8 +159,8 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
-  /{usr/,}lib/gio-launch-desktop                           rPx -> child-open,
+  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
+  @{lib}/gio-launch-desktop                           rPx -> child-open,
 
   /usr/share/dconf/profile/gdm r,
   /usr/share/gdm/greeter-dconf-defaults r,
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
index cc6f0ba2..1b17092c 100644
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-power
+@{exec_path} = @{lib}/gsd-power
 profile gsd-power @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio>
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications
index f1dfabe4..ee94a2c1 100644
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-print-notifications
+@{exec_path} = @{lib}/gsd-print-notifications
 profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
@@ -77,7 +77,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
        name=org.gnome.SettingsDaemon.PrintNotifications,
 
   @{exec_path} mr,
-  @{libexec}/gsd-printer rPx,
+  @{lib}/gsd-printer rPx,
 
   /etc/machine-id r,
   /etc/cups/client.conf r,
diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer
index 6411d010..b0fd5854 100644
--- a/apparmor.d/groups/gnome/gsd-printer
+++ b/apparmor.d/groups/gnome/gsd-printer
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-printer
+@{exec_path} = @{lib}/gsd-printer
 profile gsd-printer @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill
index 5fa41884..bff3469d 100644
--- a/apparmor.d/groups/gnome/gsd-rfkill
+++ b/apparmor.d/groups/gnome/gsd-rfkill
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-rfkill
+@{exec_path} = @{lib}/gsd-rfkill
 profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy
index c7063ae5..60638f8e 100644
--- a/apparmor.d/groups/gnome/gsd-screensaver-proxy
+++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-screensaver-proxy
+@{exec_path} = @{lib}/gsd-screensaver-proxy
 profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing
index c47b27d4..9e370f5f 100644
--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-sharing
+@{exec_path} = @{lib}/gsd-sharing
 profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-network-manager-strict>
diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard
index 857f2cdc..86aae062 100644
--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-smartcard
+@{exec_path} = @{lib}/gsd-smartcard
 profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound
index c84b8338..e20a34bc 100644
--- a/apparmor.d/groups/gnome/gsd-sound
+++ b/apparmor.d/groups/gnome/gsd-sound
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-sound
+@{exec_path} = @{lib}/gsd-sound
 profile gsd-sound @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio>
diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection
index 4ab3a39e..8ce6b47d 100644
--- a/apparmor.d/groups/gnome/gsd-usb-protection
+++ b/apparmor.d/groups/gnome/gsd-usb-protection
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-usb-protection
+@{exec_path} = @{lib}/gsd-usb-protection
 profile gsd-usb-protection @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom
index 3ccb5aad..b7926549 100644
--- a/apparmor.d/groups/gnome/gsd-wacom
+++ b/apparmor.d/groups/gnome/gsd-wacom
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-wacom
+@{exec_path} = @{lib}/gsd-wacom
 profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-accessibility-strict>
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
index 14581715..3caf82c7 100644
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-xsettings
+@{exec_path} = @{lib}/gsd-xsettings
 profile gsd-xsettings @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-accessibility-strict>
@@ -118,16 +118,16 @@ profile gsd-xsettings @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/cat                   rix,
-  /{usr/,}bin/which{,.debianutils}  rix,
+  @{bin}/cat                   rix,
+  @{bin}/which{,.debianutils}  rix,
 
-  @{libexec}/ibus-x11        rPx,
-  /{usr/,}bin/busctl         rPx,
-  /{usr/,}bin/pactl          rPx,
-  /{usr/,}bin/run-parts      rCx -> run-parts,
-  /{usr/,}bin/xprop          rPx,
-  /{usr/,}bin/xrdb           rPx,
-  /{usr/,}lib/ibus/ibus-x11  rPx,
+  @{bin}/busctl         rPx,
+  @{bin}/pactl          rPx,
+  @{bin}/run-parts      rCx -> run-parts,
+  @{bin}/xprop          rPx,
+  @{bin}/xrdb           rPx,
+  @{lib}/ibus-x11       rPx,
+  @{lib}/ibus/ibus-x11  rPx,
 
   /usr/share/dconf/profile/gdm r,
   /usr/share/gdm/greeter-dconf-defaults r,
@@ -155,7 +155,7 @@ profile gsd-xsettings @{exec_path} {
   profile run-parts {
     include <abstractions/base>
 
-    /{usr/,}bin/run-parts mr,
+    @{bin}/run-parts mr,
 
     /etc/X11/Xresources/ r,
 
diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx
index 82632478..193e7eee 100644
--- a/apparmor.d/groups/gnome/kgx
+++ b/apparmor.d/groups/gnome/kgx
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/kgx
+@{exec_path} = @{bin}/kgx
 profile kgx @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -26,16 +26,16 @@ profile kgx @{exec_path} {
   @{exec_path} mr,
 
   # The shell is not confined on purpose.
-  /{usr/,}bin/{,b,d,rb}ash         rUx,
-  /{usr/,}bin/{c,k,tc,z}sh         rUx,
+  @{bin}/{,b,d,rb}ash         rUx,
+  @{bin}/{c,k,tc,z}sh         rUx,
 
   # Some CLI program can be launched directly from Gnome Shell
-  /{usr/,}bin/htop                 rPx,
-  /{usr/,}bin/micro               rPUx,
-  /{usr/,}bin/nvtop                rPx,
+  @{bin}/htop                 rPx,
+  @{bin}/micro               rPUx,
+  @{bin}/nvtop                rPx,
 
-  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
-  /{usr/,}lib/gio-launch-desktop                          rPx -> child-open,
+  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+  @{lib}/gio-launch-desktop                          rPx -> child-open,
 
   /usr/share/themes/{,**} r,
   /usr/share/X11/xkb/{,**} r,
diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames
index 23b68cd1..450526b6 100644
--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/mutter-x11-frames
+@{exec_path} = @{lib}/mutter-x11-frames
 profile mutter-x11-frames @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index f665559c..99fdee5b 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/nautilus
+@{exec_path} = @{bin}/nautilus
 profile nautilus @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
@@ -42,12 +42,12 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh          rix,
-  /{usr/,}bin/bwrap              rPUx,
-  /{usr/,}bin/firejail           rPUx,
-  /{usr/,}bin/net                rPUx,
-  /{usr/,}bin/tracker3           rPUx,
-  /{usr/,}lib/gio-launch-desktop  rPx -> child-open,
+  @{bin}/{,ba,da}sh          rix,
+  @{bin}/bwrap              rPUx,
+  @{bin}/firejail           rPUx,
+  @{bin}/net                rPUx,
+  @{bin}/tracker3           rPUx,
+  @{lib}/gio-launch-desktop  rPx -> child-open,
 
   /usr/share/*ubuntu/applications/{,**} r,
   /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
@@ -65,8 +65,8 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   # Full access to user's data
   / r,
   /*/ r,
-  /{usr/,}bin/ r,
-  @{libexec}/ r,
+  @{bin}/ r,
+  @{lib}/ r,
   @{MOUNTDIRS}/ r,
   @{MOUNTS}/ r,
   @{MOUNTS}/** rw,
diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse
index 1d1072e9..2b00b9f5 100644
--- a/apparmor.d/groups/gnome/seahorse
+++ b/apparmor.d/groups/gnome/seahorse
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/seahorse
+@{exec_path} = @{bin}/seahorse
 profile seahorse @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
@@ -38,9 +38,9 @@ profile seahorse @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/gpgconf  rPx,
-  /{usr/,}bin/gpg{,2}  rPx,
-  /{usr/,}bin/gpgsm    rPx,
+  @{bin}/gpgconf  rPx,
+  @{bin}/gpg{,2}  rPx,
+  @{bin}/gpgsm    rPx,
 
   # freedesktop.org-strict
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index 49c86a16..07b909f8 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/tracker-extract-3
+@{exec_path} = @{lib}/tracker-extract-3
 profile tracker-extract @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index 530a29fa..ceb33440 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/tracker-miner-fs-{,control-}3
+@{exec_path} = @{lib}/tracker-miner-fs-{,control-}3
 profile tracker-miner @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/grub/grub-bios-setup b/apparmor.d/groups/grub/grub-bios-setup
index 3d0e5b0c..70fdaa56 100644
--- a/apparmor.d/groups/grub/grub-bios-setup
+++ b/apparmor.d/groups/grub/grub-bios-setup
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/grub-bios-setup
+@{exec_path} = @{bin}/grub-bios-setup
 profile grub-bios-setup @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures
index f568bb24..5fec5349 100644
--- a/apparmor.d/groups/grub/grub-check-signatures
+++ b/apparmor.d/groups/grub/grub-check-signatures
@@ -13,10 +13,10 @@ profile grub-check-signatures @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh   rix,
-  /{usr/,}bin/{m,g,}awk    rix,
-  /{usr/,}bin//mktemp      rix,
-  /{usr/,}bin//od          rix,
+  @{bin}/{,ba,da}sh   rix,
+  @{bin}/{m,g,}awk    rix,
+  @{bin}//mktemp      rix,
+  @{bin}//od          rix,
 
   /usr/share/debconf/frontend rPx,
 
diff --git a/apparmor.d/groups/grub/grub-editenv b/apparmor.d/groups/grub/grub-editenv
index 5917b08c..90f070f6 100644
--- a/apparmor.d/groups/grub/grub-editenv
+++ b/apparmor.d/groups/grub/grub-editenv
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-editenv
+@{exec_path} = @{bin}/grub-editenv
 profile grub-editenv @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-file b/apparmor.d/groups/grub/grub-file
index dccf5d63..7266f502 100644
--- a/apparmor.d/groups/grub/grub-file
+++ b/apparmor.d/groups/grub/grub-file
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-file
+@{exec_path} = @{bin}/grub-file
 profile grub-file @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-fstest b/apparmor.d/groups/grub/grub-fstest
index 72b027a2..2b2681df 100644
--- a/apparmor.d/groups/grub/grub-fstest
+++ b/apparmor.d/groups/grub/grub-fstest
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-fstest
+@{exec_path} = @{bin}/grub-fstest
 profile grub-fstest @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-glue-efi b/apparmor.d/groups/grub/grub-glue-efi
index f6b59cf7..3c2c9336 100644
--- a/apparmor.d/groups/grub/grub-glue-efi
+++ b/apparmor.d/groups/grub/grub-glue-efi
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-glue-efi
+@{exec_path} = @{bin}/grub-glue-efi
 profile grub-glue-efi @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install
index 60557234..06238987 100644
--- a/apparmor.d/groups/grub/grub-install
+++ b/apparmor.d/groups/grub/grub-install
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/grub-install
+@{exec_path} = @{bin}/grub-install
 profile grub-install @{exec_path} flags=(complain) {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -18,11 +18,11 @@ profile grub-install @{exec_path} flags=(complain) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh        rix,
-  /{usr/,}bin/efibootmgr        rix,
-  /{usr/,}bin/kmod              rPx,
-  /{usr/,}bin/lsb_release       rPx -> lsb_release,
-  /{usr/,}bin/udevadm           rPx,
+  @{bin}/{,ba,da}sh        rix,
+  @{bin}/efibootmgr        rix,
+  @{bin}/kmod              rPx,
+  @{bin}/lsb_release       rPx -> lsb_release,
+  @{bin}/udevadm           rPx,
 
   /usr/share/grub/{,**} r,
 
diff --git a/apparmor.d/groups/grub/grub-kbdcomp b/apparmor.d/groups/grub/grub-kbdcomp
index fc17178d..01265031 100644
--- a/apparmor.d/groups/grub/grub-kbdcomp
+++ b/apparmor.d/groups/grub/grub-kbdcomp
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-kbdcomp
+@{exec_path} = @{bin}/grub-kbdcomp
 profile grub-kbdcomp @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-macbless b/apparmor.d/groups/grub/grub-macbless
index 0aad39a5..ec6905dc 100644
--- a/apparmor.d/groups/grub/grub-macbless
+++ b/apparmor.d/groups/grub/grub-macbless
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/grub-macbless
+@{exec_path} = @{bin}/grub-macbless
 profile grub-macbless @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-menulst2cfg b/apparmor.d/groups/grub/grub-menulst2cfg
index d14f7c7e..6c1e0af1 100644
--- a/apparmor.d/groups/grub/grub-menulst2cfg
+++ b/apparmor.d/groups/grub/grub-menulst2cfg
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-menulst2cfg
+@{exec_path} = @{bin}/grub-menulst2cfg
 profile grub-menulst2cfg @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig
index b78e5c75..6a533b38 100644
--- a/apparmor.d/groups/grub/grub-mkconfig
+++ b/apparmor.d/groups/grub/grub-mkconfig
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/grub-mkconfig
+@{exec_path} = @{bin}/grub-mkconfig
 profile grub-mkconfig @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -19,44 +19,44 @@ profile grub-mkconfig @{exec_path} {
 
   /{usr/,}{local/,}{s,}bin/zfs     rPx,
   /{usr/,}{local/,}{s,}bin/zpool   rPx,
-  /{usr/,}{s,}bin/dmsetup          rPUx,
-  /{usr/,}{s,}bin/grub-probe       rPx,
-  /{usr/,}bin/{,ba,da}sh           rix,
-  /{usr/,}bin/{e,f,}grep           rix,
-  /{usr/,}bin/{m,g,}awk            rix,
-  /{usr/,}bin/basename             rix,
-  /{usr/,}bin/btrfs                rPx,
-  /{usr/,}bin/cat                  rix,
-  /{usr/,}bin/chmod                rix,
-  /{usr/,}bin/cut                  rix,
-  /{usr/,}bin/date                 rix,
-  /{usr/,}bin/dirname              rix,
-  /{usr/,}bin/dpkg                 rPx,
-  /{usr/,}bin/find                 rix,
-  /{usr/,}bin/findmnt              rPx,
-  /{usr/,}bin/gettext              rix,
-  /{usr/,}bin/grub-mkrelpath       rPx,
-  /{usr/,}bin/grub-script-check    rPx,
-  /{usr/,}bin/head                 rix,
-  /{usr/,}bin/id                   rPx,
-  /{usr/,}bin/ls                   rix,
-  /{usr/,}bin/lsb_release          rPx -> lsb_release,
-  /{usr/,}bin/mktemp               rix,
-  /{usr/,}bin/mount                rPx,
-  /{usr/,}bin/mountpoint           rix,
-  /{usr/,}bin/os-prober            rPx,
-  /{usr/,}bin/paste                rix,
-  /{usr/,}bin/readlink             rix,
-  /{usr/,}bin/rm                   rix,
-  /{usr/,}bin/rmdir                rix,
-  /{usr/,}bin/sed                  rix,
-  /{usr/,}bin/sort                 rix,
-  /{usr/,}bin/stat                 rix,
-  /{usr/,}bin/tail                 rix,
-  /{usr/,}bin/tr                   rix,
-  /{usr/,}bin/umount               rPx,
-  /{usr/,}bin/uname                rix,
-  /{usr/,}bin/which{.debianutils,} rix,
+  @{bin}/dmsetup             rPUx,
+  @{bin}/grub-probe           rPx,
+  @{bin}/{,ba,da}sh           rix,
+  @{bin}/{e,f,}grep           rix,
+  @{bin}/{m,g,}awk            rix,
+  @{bin}/basename             rix,
+  @{bin}/btrfs                rPx,
+  @{bin}/cat                  rix,
+  @{bin}/chmod                rix,
+  @{bin}/cut                  rix,
+  @{bin}/date                 rix,
+  @{bin}/dirname              rix,
+  @{bin}/dpkg                 rPx,
+  @{bin}/find                 rix,
+  @{bin}/findmnt              rPx,
+  @{bin}/gettext              rix,
+  @{bin}/grub-mkrelpath       rPx,
+  @{bin}/grub-script-check    rPx,
+  @{bin}/head                 rix,
+  @{bin}/id                   rPx,
+  @{bin}/ls                   rix,
+  @{bin}/lsb_release          rPx -> lsb_release,
+  @{bin}/mktemp               rix,
+  @{bin}/mount                rPx,
+  @{bin}/mountpoint           rix,
+  @{bin}/os-prober            rPx,
+  @{bin}/paste                rix,
+  @{bin}/readlink             rix,
+  @{bin}/rm                   rix,
+  @{bin}/rmdir                rix,
+  @{bin}/sed                  rix,
+  @{bin}/sort                 rix,
+  @{bin}/stat                 rix,
+  @{bin}/tail                 rix,
+  @{bin}/tr                   rix,
+  @{bin}/umount               rPx,
+  @{bin}/uname                rix,
+  @{bin}/which{.debianutils,} rix,
   /etc/grub.d/{**,}                rix,
 
   /boot/{**,} r,
diff --git a/apparmor.d/groups/grub/grub-mkdevicemap b/apparmor.d/groups/grub/grub-mkdevicemap
index 4b1c7de9..c6d12bd7 100644
--- a/apparmor.d/groups/grub/grub-mkdevicemap
+++ b/apparmor.d/groups/grub/grub-mkdevicemap
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/grub-mkdevicemap
+@{exec_path} = @{bin}/grub-mkdevicemap
 profile grub-mkdevicemap @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-mkfont b/apparmor.d/groups/grub/grub-mkfont
index 60ebb3fc..355b7570 100644
--- a/apparmor.d/groups/grub/grub-mkfont
+++ b/apparmor.d/groups/grub/grub-mkfont
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-mkfont
+@{exec_path} = @{bin}/grub-mkfont
 profile grub-mkfont @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-mkimage b/apparmor.d/groups/grub/grub-mkimage
index 9ab08c47..908dd6fa 100644
--- a/apparmor.d/groups/grub/grub-mkimage
+++ b/apparmor.d/groups/grub/grub-mkimage
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-mkimage
+@{exec_path} = @{bin}/grub-mkimage
 profile grub-mkimage @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-mklayout b/apparmor.d/groups/grub/grub-mklayout
index 80a7dbec..ef31e8c3 100644
--- a/apparmor.d/groups/grub/grub-mklayout
+++ b/apparmor.d/groups/grub/grub-mklayout
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-mklayout
+@{exec_path} = @{bin}/grub-mklayout
 profile grub-mklayout @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-mknetdir b/apparmor.d/groups/grub/grub-mknetdir
index 94cccd1e..6d40d08d 100644
--- a/apparmor.d/groups/grub/grub-mknetdir
+++ b/apparmor.d/groups/grub/grub-mknetdir
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-mknetdir
+@{exec_path} = @{bin}/grub-mknetdir
 profile grub-mknetdir @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 b/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2
index 840d8589..08c1bfde 100644
--- a/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2
+++ b/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-mkpasswd-pbkdf2
+@{exec_path} = @{bin}/grub-mkpasswd-pbkdf2
 profile grub-mkpasswd-pbkdf2 @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath
index efb2f712..a8f477fb 100644
--- a/apparmor.d/groups/grub/grub-mkrelpath
+++ b/apparmor.d/groups/grub/grub-mkrelpath
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/grub-mkrelpath
+@{exec_path} = @{bin}/grub-mkrelpath
 profile grub-mkrelpath @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-mkrescue b/apparmor.d/groups/grub/grub-mkrescue
index f4996dd0..f6d36017 100644
--- a/apparmor.d/groups/grub/grub-mkrescue
+++ b/apparmor.d/groups/grub/grub-mkrescue
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-mkrescue
+@{exec_path} = @{bin}/grub-mkrescue
 profile grub-mkrescue @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-mkstandalone b/apparmor.d/groups/grub/grub-mkstandalone
index b2474be7..50f52e18 100644
--- a/apparmor.d/groups/grub/grub-mkstandalone
+++ b/apparmor.d/groups/grub/grub-mkstandalone
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-mkstandalone
+@{exec_path} = @{bin}/grub-mkstandalone
 profile grub-mkstandalone @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-mount b/apparmor.d/groups/grub/grub-mount
index c37f32b7..6a4a4258 100644
--- a/apparmor.d/groups/grub/grub-mount
+++ b/apparmor.d/groups/grub/grub-mount
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-mount
+@{exec_path} = @{bin}/grub-mount
 profile grub-mount @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install
index 9b23051f..88e8a037 100644
--- a/apparmor.d/groups/grub/grub-multi-install
+++ b/apparmor.d/groups/grub/grub-multi-install
@@ -6,23 +6,23 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/grub/grub-multi-install
+@{exec_path} = @{lib}/grub/grub-multi-install
 profile grub-multi-install @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
 
   @{exec_path} mr,
 
-  /{usr/,}{s,}bin/grub-install   rPx,
-  /{usr/,}bin/{,ba,da}sh         rix,
-  /{usr/,}bin/{,e}grep           rix,
-  /{usr/,}bin/cat                rix,
-  /{usr/,}bin/dpkg-query         rpx,
-  /{usr/,}bin/readlink           rix,
-  /{usr/,}bin/sed                rix,
-  /{usr/,}bin/sort               rix,
-  /{usr/,}bin/touch              rix,
-  /{usr/,}bin/udevadm            rPx,
+  @{bin}/grub-install       rPx,
+  @{bin}/{,ba,da}sh         rix,
+  @{bin}/{,e}grep           rix,
+  @{bin}/cat                rix,
+  @{bin}/dpkg-query         rpx,
+  @{bin}/readlink           rix,
+  @{bin}/sed                rix,
+  @{bin}/sort               rix,
+  @{bin}/touch              rix,
+  @{bin}/udevadm            rPx,
   /usr/share/debconf/frontend    rPx,
 
   /usr/lib/terminfo/x/xterm-256color r,
diff --git a/apparmor.d/groups/grub/grub-ntldr-img b/apparmor.d/groups/grub/grub-ntldr-img
index da3cb7c5..f649dd43 100644
--- a/apparmor.d/groups/grub/grub-ntldr-img
+++ b/apparmor.d/groups/grub/grub-ntldr-img
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-ntldr-img
+@{exec_path} = @{bin}/grub-ntldr-img
 profile grub-ntldr-img @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe
index 3d11dc9f..df234d1f 100644
--- a/apparmor.d/groups/grub/grub-probe
+++ b/apparmor.d/groups/grub/grub-probe
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/grub-probe
+@{exec_path} = @{bin}/grub-probe
 profile grub-probe @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -18,9 +18,9 @@ profile grub-probe @{exec_path} {
   @{exec_path} mr,
 
   /{usr/,}{local/,}{s,}bin/zpool rPx,
-  /{usr/,}{s,}bin/lvm            rPx,
-  /{usr/,}bin/lsb_release        rPx -> lsb_release,
-  /{usr/,}bin/udevadm            rPx,
+  @{bin}/lvm            rPx,
+  @{bin}/lsb_release        rPx -> lsb_release,
+  @{bin}/udevadm            rPx,
 
   / r,
   /usr/share/grub/* r,
diff --git a/apparmor.d/groups/grub/grub-reboot b/apparmor.d/groups/grub/grub-reboot
index 361ec7ce..a5ca729b 100644
--- a/apparmor.d/groups/grub/grub-reboot
+++ b/apparmor.d/groups/grub/grub-reboot
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/grub-reboot
+@{exec_path} = @{bin}/grub-reboot
 profile grub-reboot @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-render-label b/apparmor.d/groups/grub/grub-render-label
index b2f3091f..3756b1c7 100644
--- a/apparmor.d/groups/grub/grub-render-label
+++ b/apparmor.d/groups/grub/grub-render-label
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-render-label
+@{exec_path} = @{bin}/grub-render-label
 profile grub-render-label @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-script-check b/apparmor.d/groups/grub/grub-script-check
index 81a7fcbb..e3a45ad6 100644
--- a/apparmor.d/groups/grub/grub-script-check
+++ b/apparmor.d/groups/grub/grub-script-check
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-script-check
+@{exec_path} = @{bin}/grub-script-check
 profile grub-script-check @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-set-default b/apparmor.d/groups/grub/grub-set-default
index 15906373..876e4795 100644
--- a/apparmor.d/groups/grub/grub-set-default
+++ b/apparmor.d/groups/grub/grub-set-default
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/grub-set-default
+@{exec_path} = @{bin}/grub-set-default
 profile grub-set-default @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/grub-syslinux2cfg b/apparmor.d/groups/grub/grub-syslinux2cfg
index f03d70a9..a4cc60d8 100644
--- a/apparmor.d/groups/grub/grub-syslinux2cfg
+++ b/apparmor.d/groups/grub/grub-syslinux2cfg
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-syslinux2cfg
+@{exec_path} = @{bin}/grub-syslinux2cfg
 profile grub-syslinux2cfg @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub
index 883e679d..59e4f84d 100644
--- a/apparmor.d/groups/grub/update-grub
+++ b/apparmor.d/groups/grub/update-grub
@@ -6,14 +6,14 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/update-grub{2,}
+@{exec_path} = @{bin}/update-grub{2,}
 profile update-grub @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
 
   @{exec_path} mr,
-  /{usr/,}bin/{,ba,da}sh rix,
-  /{usr/,}{s,}bin/grub-mkconfig rPx,
+  @{bin}/{,ba,da}sh rix,
+  @{bin}/grub-mkconfig rPx,
 
   include if exists <local/update-grub>
 }
diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
index ccd169e7..3b8321fa 100644
--- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfs-afc-volume-monitor
+@{exec_path} = @{lib}/{,gvfs/}gvfs-afc-volume-monitor
 profile gvfs-afc-volume-monitor @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
index b6d0eb11..c74fb7df 100644
--- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfs-goa-volume-monitor
+@{exec_path} = @{lib}/{,gvfs/}gvfs-goa-volume-monitor
 profile gvfs-goa-volume-monitor @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
index e8784980..5808b04d 100644
--- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfs-gphoto2-volume-monitor
+@{exec_path} = @{lib}/{,gvfs/}gvfs-gphoto2-volume-monitor
 profile gvfs-gphoto2-volume-monitor @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
index 5e92ac8b..70b8d1c8 100644
--- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfs-mtp-volume-monitor
+@{exec_path} = @{lib}/{,gvfs/}gvfs-mtp-volume-monitor
 profile gvfs-mtp-volume-monitor @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
index aff5b79a..24a42997 100644
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfs-udisks2-volume-monitor
+@{exec_path} = @{lib}/{,gvfs/}gvfs-udisks2-volume-monitor
 profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
@@ -57,10 +57,10 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/lsof   rix,
+  @{bin}/lsof   rix,
 
-  /{usr/,}bin/mount  rPx,
-  /{usr/,}bin/umount rPx,
+  @{bin}/mount  rPx,
+  @{bin}/umount rPx,
 
   /var/lib/gdm{3,}/.config/dconf/user r,
 
diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd
index 516fb020..9fdeaf42 100644
--- a/apparmor.d/groups/gvfs/gvfsd
+++ b/apparmor.d/groups/gvfs/gvfsd
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd
+@{exec_path} = @{lib}/{,gvfs/}gvfsd
 profile gvfsd @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-gtk>
@@ -52,8 +52,8 @@ profile gvfsd @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh      rix,
-  @{libexec}/{,gvfs/}gvfsd-*  rpx,
+  @{bin}/{,ba,da}sh       rix,
+  @{lib}/{,gvfs/}gvfsd-*  rpx,
 
   /usr/share/gvfs/{,**} r,
 
diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin
index 453d6d01..a0774354 100644
--- a/apparmor.d/groups/gvfs/gvfsd-admin
+++ b/apparmor.d/groups/gvfs/gvfsd-admin
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-admin
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-admin
 profile gvfsd-admin @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/gvfs/gvfsd-afc b/apparmor.d/groups/gvfs/gvfsd-afc
index 447a5137..1c8d2ada 100644
--- a/apparmor.d/groups/gvfs/gvfsd-afc
+++ b/apparmor.d/groups/gvfs/gvfsd-afc
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-afc
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-afc
 profile gvfsd-afc @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/gvfs/gvfsd-afp b/apparmor.d/groups/gvfs/gvfsd-afp
index f965f1eb..327b62e8 100644
--- a/apparmor.d/groups/gvfs/gvfsd-afp
+++ b/apparmor.d/groups/gvfs/gvfsd-afp
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-afp
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-afp
 profile gvfsd-afp @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/gvfs/gvfsd-afp-browse b/apparmor.d/groups/gvfs/gvfsd-afp-browse
index 751accc3..91fb2b92 100644
--- a/apparmor.d/groups/gvfs/gvfsd-afp-browse
+++ b/apparmor.d/groups/gvfs/gvfsd-afp-browse
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-afp-browse
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-afp-browse
 profile gvfsd-afp-browse @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive
index 9760e9c8..6c1dee3e 100644
--- a/apparmor.d/groups/gvfs/gvfsd-archive
+++ b/apparmor.d/groups/gvfs/gvfsd-archive
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-archive
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-archive
 profile gvfsd-archive @{exec_path} {
   include <abstractions/base>
   include <abstractions/freedesktop.org>
diff --git a/apparmor.d/groups/gvfs/gvfsd-burn b/apparmor.d/groups/gvfs/gvfsd-burn
index b77f8161..ec054418 100644
--- a/apparmor.d/groups/gvfs/gvfsd-burn
+++ b/apparmor.d/groups/gvfs/gvfsd-burn
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-burn
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-burn
 profile gvfsd-burn @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/gvfs/gvfsd-cdda b/apparmor.d/groups/gvfs/gvfsd-cdda
index 8ac28f06..4c51537c 100644
--- a/apparmor.d/groups/gvfs/gvfsd-cdda
+++ b/apparmor.d/groups/gvfs/gvfsd-cdda
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-cdda
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-cdda
 profile gvfsd-cdda @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer
index bea3ff2a..b834cdb2 100644
--- a/apparmor.d/groups/gvfs/gvfsd-computer
+++ b/apparmor.d/groups/gvfs/gvfsd-computer
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-computer
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-computer
 profile gvfsd-computer @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav
index 63e1d850..68d5f54b 100644
--- a/apparmor.d/groups/gvfs/gvfsd-dav
+++ b/apparmor.d/groups/gvfs/gvfsd-dav
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-dav
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-dav
 profile gvfsd-dav @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd
index 2978d100..183d102d 100644
--- a/apparmor.d/groups/gvfs/gvfsd-dnssd
+++ b/apparmor.d/groups/gvfs/gvfsd-dnssd
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-dnssd
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-dnssd
 profile gvfsd-dnssd @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/gvfs/gvfsd-ftp b/apparmor.d/groups/gvfs/gvfsd-ftp
index adb65c6b..863c8b50 100644
--- a/apparmor.d/groups/gvfs/gvfsd-ftp
+++ b/apparmor.d/groups/gvfs/gvfsd-ftp
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-ftp
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-ftp
 profile gvfsd-ftp @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse
index 7583e26c..ff3d774b 100644
--- a/apparmor.d/groups/gvfs/gvfsd-fuse
+++ b/apparmor.d/groups/gvfs/gvfsd-fuse
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-fuse
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-fuse
 profile gvfsd-fuse @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-gtk>
@@ -33,7 +33,7 @@ profile gvfsd-fuse @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/fusermount{,3} rCx -> fusermount,
+  @{bin}/fusermount{,3} rCx -> fusermount,
 
   @{PROC}/sys/fs/pipe-max-size r,
 
@@ -51,7 +51,7 @@ profile gvfsd-fuse @{exec_path} {
     mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/,
     umount @{run}/user/@{uid}/**/,
 
-    /{usr/,}bin/fusermount{,3} mr,
+    @{bin}/fusermount{,3} mr,
 
     /etc/fuse{,3}.conf r,
     /etc/machine-id r,
diff --git a/apparmor.d/groups/gvfs/gvfsd-google b/apparmor.d/groups/gvfs/gvfsd-google
index 8608cd62..5ba3254a 100644
--- a/apparmor.d/groups/gvfs/gvfsd-google
+++ b/apparmor.d/groups/gvfs/gvfsd-google
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-google
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-google
 profile gvfsd-google @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/gvfs/gvfsd-gphoto2 b/apparmor.d/groups/gvfs/gvfsd-gphoto2
index 25b56950..f6eb0e43 100644
--- a/apparmor.d/groups/gvfs/gvfsd-gphoto2
+++ b/apparmor.d/groups/gvfs/gvfsd-gphoto2
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-gphoto2
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-gphoto2
 profile gvfsd-gphoto2 @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http
index 6d1eeab0..55941c2e 100644
--- a/apparmor.d/groups/gvfs/gvfsd-http
+++ b/apparmor.d/groups/gvfs/gvfsd-http
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-http
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-http
 profile gvfsd-http @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
diff --git a/apparmor.d/groups/gvfs/gvfsd-localtest b/apparmor.d/groups/gvfs/gvfsd-localtest
index 36937a5d..80849ddc 100644
--- a/apparmor.d/groups/gvfs/gvfsd-localtest
+++ b/apparmor.d/groups/gvfs/gvfsd-localtest
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-localtest
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-localtest
 profile gvfsd-localtest @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata
index bbfc00af..5a8a5bb2 100644
--- a/apparmor.d/groups/gvfs/gvfsd-metadata
+++ b/apparmor.d/groups/gvfs/gvfsd-metadata
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-metadata
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-metadata
 profile gvfsd-metadata @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-gtk>
diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp
index 34fa565b..086ba5fa 100644
--- a/apparmor.d/groups/gvfs/gvfsd-mtp
+++ b/apparmor.d/groups/gvfs/gvfsd-mtp
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-mtp
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-mtp
 profile gvfsd-mtp @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network
index 6bb56e4e..dd95aed1 100644
--- a/apparmor.d/groups/gvfs/gvfsd-network
+++ b/apparmor.d/groups/gvfs/gvfsd-network
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-network
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-network
 profile gvfsd-network @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/gvfs/gvfsd-nfs b/apparmor.d/groups/gvfs/gvfsd-nfs
index f8014c7a..abfa41e3 100644
--- a/apparmor.d/groups/gvfs/gvfsd-nfs
+++ b/apparmor.d/groups/gvfs/gvfsd-nfs
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-nfs
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-nfs
 profile gvfsd-nfs @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent
index 98814b33..035150d5 100644
--- a/apparmor.d/groups/gvfs/gvfsd-recent
+++ b/apparmor.d/groups/gvfs/gvfsd-recent
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-recent
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-recent
 profile gvfsd-recent @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp
index 6e214970..0bed634f 100644
--- a/apparmor.d/groups/gvfs/gvfsd-sftp
+++ b/apparmor.d/groups/gvfs/gvfsd-sftp
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-sftp
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-sftp
 profile gvfsd-sftp @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -16,7 +16,7 @@ profile gvfsd-sftp @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/ssh  rPx,
+  @{bin}/ssh  rPx,
 
   owner @{run}/user/@{uid}/gvfsd-sftp/ rw,
 
diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb
index b7356c55..2259ac77 100644
--- a/apparmor.d/groups/gvfs/gvfsd-smb
+++ b/apparmor.d/groups/gvfs/gvfsd-smb
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-smb
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-smb
 profile gvfsd-smb @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse
index 719b8c52..c37b2dee 100644
--- a/apparmor.d/groups/gvfs/gvfsd-smb-browse
+++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-smb-browse
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-smb-browse
 profile gvfsd-smb-browse @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash
index 1c942b82..7574fd48 100644
--- a/apparmor.d/groups/gvfs/gvfsd-trash
+++ b/apparmor.d/groups/gvfs/gvfsd-trash
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfsd-trash
+@{exec_path} = @{lib}/{,gvfs/}gvfsd-trash
 profile gvfsd-trash @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-gtk>
diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo
index 58e66a50..50de39ef 100644
--- a/apparmor.d/groups/kde/baloo
+++ b/apparmor.d/groups/kde/baloo
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
  
-@{exec_path} = /{usr/,}bin/baloo_file @{libexec}/baloo_file
+@{exec_path} = @{bin}/baloo_file @{lib}/baloo_file
 profile baloo @{exec_path} {
   include <abstractions/base>
   include <abstractions/deny-sensitive-home>
@@ -22,7 +22,7 @@ profile baloo @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}lib/baloo_file_extractor rix,
+  @{lib}/baloo_file_extractor rix,
 
   /usr/share/hwdata/pnp.ids r,
   /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi
index c61c7a46..87adf94a 100644
--- a/apparmor.d/groups/kde/drkonqi
+++ b/apparmor.d/groups/kde/drkonqi
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/drkonqi
+@{exec_path} = @{lib}/drkonqi
 profile drkonqi @{exec_path} {
   include <abstractions/base>
   include <abstractions/fonts>
diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy
index 6e06a8ce..e99cb5ec 100644
--- a/apparmor.d/groups/kde/gmenudbusmenuproxy
+++ b/apparmor.d/groups/kde/gmenudbusmenuproxy
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gmenudbusmenuproxy
+@{exec_path} = @{bin}/gmenudbusmenuproxy
 profile gmenudbusmenuproxy @{exec_path} {
   include <abstractions/base>
   include <abstractions/fonts>
diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess
index a8d8636a..ff564508 100644
--- a/apparmor.d/groups/kde/kaccess
+++ b/apparmor.d/groups/kde/kaccess
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/kaccess
+@{exec_path} = @{bin}/kaccess
 profile kaccess @{exec_path} {
   include <abstractions/base>
   include <abstractions/dri-common>
@@ -17,7 +17,7 @@ profile kaccess @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/gsettings rPx,
+  @{bin}/gsettings rPx,
 
   /usr/share/hwdata/pnp.ids r,
   /usr/share/icons/{,**} r,
diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd
index b50fbac5..52190ac7 100644
--- a/apparmor.d/groups/kde/kactivitymanagerd
+++ b/apparmor.d/groups/kde/kactivitymanagerd
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/kactivitymanagerd
+@{exec_path} = @{lib}/kactivitymanagerd
 profile kactivitymanagerd @{exec_path} {
   include <abstractions/base>
   include <abstractions/qt5>
diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac
index af2dee65..17978924 100644
--- a/apparmor.d/groups/kde/kalendarac
+++ b/apparmor.d/groups/kde/kalendarac
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/kalendarac
+@{exec_path} = @{bin}/kalendarac
 profile kalendarac @{exec_path} {
   include <abstractions/base>
   include <abstractions/dri-common>
@@ -17,7 +17,7 @@ profile kalendarac @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/akonadi_control rPx,
+  @{bin}/akonadi_control rPx,
 
   /usr/share/akonadi/firstrun/{,*} r,
   /usr/share/hwdata/*.ids r,
diff --git a/apparmor.d/groups/kde/kauth-backlighthelper b/apparmor.d/groups/kde/kauth-backlighthelper
index 5ea56f91..b9149292 100644
--- a/apparmor.d/groups/kde/kauth-backlighthelper
+++ b/apparmor.d/groups/kde/kauth-backlighthelper
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/kauth/backlighthelper
+@{exec_path} = @{lib}/kauth/backlighthelper
 profile kauth-backlighthelper @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/groups/kde/kauth-chargethresholdhelper b/apparmor.d/groups/kde/kauth-chargethresholdhelper
index e70c0420..aff057c7 100644
--- a/apparmor.d/groups/kde/kauth-chargethresholdhelper
+++ b/apparmor.d/groups/kde/kauth-chargethresholdhelper
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/kauth/chargethresholdhelper
+@{exec_path} = @{lib}/kauth/chargethresholdhelper
 profile kauth-chargethresholdhelper @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/groups/kde/kauth-discretegpuhelper b/apparmor.d/groups/kde/kauth-discretegpuhelper
index cc151d1d..6db19d0d 100644
--- a/apparmor.d/groups/kde/kauth-discretegpuhelper
+++ b/apparmor.d/groups/kde/kauth-discretegpuhelper
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/kauth/discretegpuhelper
+@{exec_path} = @{lib}/kauth/discretegpuhelper
 profile kauth-discretegpuhelper @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/groups/kde/kauth-fontinst b/apparmor.d/groups/kde/kauth-fontinst
index 93a128be..a7408d9b 100644
--- a/apparmor.d/groups/kde/kauth-fontinst
+++ b/apparmor.d/groups/kde/kauth-fontinst
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/kauth/fontinst
+@{exec_path} = @{lib}/kauth/fontinst
 profile kauth-fontinst @{exec_path} {
   include <abstractions/base>
   include <abstractions/qt5>
diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper
index 5e3d1ba5..ed004668 100644
--- a/apparmor.d/groups/kde/kauth-kded-smart-helper
+++ b/apparmor.d/groups/kde/kauth-kded-smart-helper
@@ -6,14 +6,14 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/kauth/kded-smart-helper
+@{exec_path} = @{lib}/kauth/kded-smart-helper
 profile kauth-kded-smart-helper @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
 
   @{exec_path} mr,
 
-  /{usr/,}{s,}bin/smartctl rPx,
+  @{bin}/smartctl rPx,
 
   /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 
diff --git a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper
index b1f3d5e2..7e09f015 100644
--- a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper
+++ b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper
@@ -6,13 +6,13 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/kauth/kinfocenter-dmidecode-helper
+@{exec_path} = @{lib}/kauth/kinfocenter-dmidecode-helper
 profile kauth-kinfocenter-dmidecode-helper @{exec_path} {
   include <abstractions/base>
 
   @{exec_path} mr,
 
-  /{usr/,}{s,}bin/dmidecode  rPx,
+  @{bin}/dmidecode  rPx,
 
   include if exists <local/kauth-kinfocenter-dmidecode-helper>
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit
index 62fe69f5..30421fd2 100644
--- a/apparmor.d/groups/kde/kcminit
+++ b/apparmor.d/groups/kde/kcminit
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/kcminit
+@{exec_path} = @{bin}/kcminit
 profile kcminit @{exec_path} {
   include <abstractions/base>
   include <abstractions/fonts>
@@ -15,7 +15,7 @@ profile kcminit @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/xrdb rPx,
+  @{bin}/xrdb rPx,
 
   /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
   /usr/share/hwdata/pnp.ids r,
diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update
index 68abcac4..a77a6a7b 100644
--- a/apparmor.d/groups/kde/kconf_update
+++ b/apparmor.d/groups/kde/kconf_update
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/kf5/kconf_update
+@{exec_path} = @{lib}/kf5/kconf_update
 profile kconf_update @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil
index 2f843343..b665e7b4 100644
--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/org_kde_powerdevil
+@{exec_path} = @{lib}/org_kde_powerdevil
 profile kde-powerdevil @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/qt5>
@@ -18,7 +18,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mrix,
 
-  @{libexec}/drkonqi rPx,
+  @{lib}/drkonqi rPx,
 
   /usr/share/hwdata/*.ids r,
   /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
diff --git a/apparmor.d/groups/kde/kded5 b/apparmor.d/groups/kde/kded5
index 00ee263f..5f7ae40d 100644
--- a/apparmor.d/groups/kde/kded5
+++ b/apparmor.d/groups/kde/kded5
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/kded5
+@{exec_path} = @{bin}/kded5
 profile kded5 @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio>
@@ -33,12 +33,12 @@ profile kded5 @{exec_path} {
 
   @{exec_path} mr,
 
-  @{libexec}/kf5/kconf_update    rPx,
-  @{libexec}/utempter/utempter   rPx,
-  /{usr/,}bin/kcminit            rPx,
-  /{usr/,}bin/pgrep              rCx -> pgrep,
-  /{usr/,}bin/setxkbmap          rix,
-  /{usr/,}bin/xsettingsd         rPx,
+  @{lib}/kf5/kconf_update    rPx,
+  @{lib}/utempter/utempter   rPx,
+  @{bin}/kcminit            rPx,
+  @{bin}/pgrep              rCx -> pgrep,
+  @{bin}/setxkbmap          rix,
+  @{bin}/xsettingsd         rPx,
 
   /usr/share/hwdata/*.ids r,
   /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
@@ -110,7 +110,7 @@ profile kded5 @{exec_path} {
 
     ptrace (read),
 
-    /{usr/,}bin/pgrep mr,
+    @{bin}/pgrep mr,
 
     @{PROC}/ r,
     @{PROC}/@{pids}/cmdline r,
diff --git a/apparmor.d/groups/kde/kglobalaccel5 b/apparmor.d/groups/kde/kglobalaccel5
index 3d916dcf..9f8d495c 100644
--- a/apparmor.d/groups/kde/kglobalaccel5
+++ b/apparmor.d/groups/kde/kglobalaccel5
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/kglobalaccel5
+@{exec_path} = @{bin}/kglobalaccel5
 profile kglobalaccel5 @{exec_path} {
   include <abstractions/base>
   include <abstractions/freedesktop.org>
diff --git a/apparmor.d/groups/kde/kio_http_cache_cleaner b/apparmor.d/groups/kde/kio_http_cache_cleaner
index 763f5f62..8a2ef2f3 100644
--- a/apparmor.d/groups/kde/kio_http_cache_cleaner
+++ b/apparmor.d/groups/kde/kio_http_cache_cleaner
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/kf5/kio_http_cache_cleaner
+@{exec_path} = @{lib}/kf5/kio_http_cache_cleaner
 profile kio_http_cache_cleaner @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/kde/kioslave5 b/apparmor.d/groups/kde/kioslave5
index b56d0f54..7c0bbd7d 100644
--- a/apparmor.d/groups/kde/kioslave5
+++ b/apparmor.d/groups/kde/kioslave5
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/kf5/kioslave5
+@{exec_path} = @{lib}/kf5/kioslave5
 profile kioslave5 @{exec_path} {
   include <abstractions/base>
   include <abstractions/dri-common>
@@ -28,9 +28,9 @@ profile kioslave5 @{exec_path} {
 
   @{exec_path} mr,
 
-  @{libexec}/libheif/ r,
-  @{libexec}/libheif/*.so* rm,
-  @{libexec}/kf5/kio_http_cache_cleaner rPx,
+  @{lib}/libheif/ r,
+  @{lib}/libheif/*.so* rm,
+  @{lib}/kf5/kio_http_cache_cleaner rPx,
 
   /usr/share/hwdata/*.ids r,
   /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
diff --git a/apparmor.d/groups/kde/kreadconfig b/apparmor.d/groups/kde/kreadconfig
index aff84ce5..2122dad6 100644
--- a/apparmor.d/groups/kde/kreadconfig
+++ b/apparmor.d/groups/kde/kreadconfig
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/kreadconfig5
+@{exec_path} = @{bin}/kreadconfig5
 profile kreadconfig @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher
index 9800289d..6619ee91 100644
--- a/apparmor.d/groups/kde/kscreen_backend_launcher
+++ b/apparmor.d/groups/kde/kscreen_backend_launcher
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/kf5/kscreen_backend_launcher
+@{exec_path} = @{lib}/kf5/kscreen_backend_launcher
 profile kscreen_backend_launcher @{exec_path} {
   include <abstractions/base>
   include <abstractions/qt5>
diff --git a/apparmor.d/groups/kde/kscreenlocker-greet b/apparmor.d/groups/kde/kscreenlocker-greet
index d8279526..ca7ae0c9 100644
--- a/apparmor.d/groups/kde/kscreenlocker-greet
+++ b/apparmor.d/groups/kde/kscreenlocker-greet
@@ -7,8 +7,8 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/kscreenlocker_greet
-@{exec_path} += /{usr/,}lib/@{multiarch}/libexec/kscreenlocker_greet
+@{exec_path} = @{lib}/kscreenlocker_greet
+@{exec_path} += @{lib}/@{multiarch}/libexec/kscreenlocker_greet
 profile kscreenlocker-greet @{exec_path} {
   include <abstractions/base>
   include <abstractions/dri-enumerate>
@@ -29,11 +29,11 @@ profile kscreenlocker-greet @{exec_path} {
 
   @{exec_path} mr,
 
-  @{libexec}/libheif/ r,
-  @{libexec}/libheif/*.so* rm,
+  @{lib}/libheif/ r,
+  @{lib}/libheif/*.so* rm,
 
-  /{usr/,}{s,}bin/unix_chkpwd rPx,
-  /{usr/,}lib/@{multiarch}/libexec/kcheckpass rPx,
+  @{bin}/unix_chkpwd rPx,
+  @{lib}/@{multiarch}/libexec/kcheckpass rPx,
 
   /usr/share/hwdata/pnp.ids r,
   /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver
index a2a087bc..026ab749 100644
--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ksmserver
+@{exec_path} = @{bin}/ksmserver
 profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/base>
   include <abstractions/app-launcher-user>
@@ -22,11 +22,11 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/rm rix,
+  @{bin}/rm rix,
 
-  @{libexec}/DiscoverNotifier rPUx, # TODO: rPx,
-  @{libexec}/drkonqi rPx,
-  @{libexec}/kscreenlocker_greet rPx,
+  @{lib}/DiscoverNotifier rPUx, # TODO: rPx,
+  @{lib}/drkonqi rPx,
+  @{lib}/kscreenlocker_greet rPx,
 
   /usr/share/color-schemes/{,**} r,
   /usr/share/hwdata/pnp.ids r,
diff --git a/apparmor.d/groups/kde/kwalletd5 b/apparmor.d/groups/kde/kwalletd5
index d4ff6ff7..e74af2a8 100644
--- a/apparmor.d/groups/kde/kwalletd5
+++ b/apparmor.d/groups/kde/kwalletd5
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/kwalletd5
+@{exec_path} = @{bin}/kwalletd5
 profile kwalletd5 @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio>
@@ -27,9 +27,9 @@ profile kwalletd5 @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/gpgconf rCx -> gpg,
-  /{usr/,}bin/gpg{,2} rCx -> gpg,
-  /{usr/,}bin/gpgsm   rCx -> gpg,
+  @{bin}/gpgconf rCx -> gpg,
+  @{bin}/gpg{,2} rCx -> gpg,
+  @{bin}/gpgsm   rCx -> gpg,
 
   /usr/share/color-schemes/{,**} r,
   /usr/share/hwdata/pnp.ids r,
@@ -71,9 +71,9 @@ profile kwalletd5 @{exec_path} {
   profile gpg {
     include <abstractions/base>
 
-    /{usr/,}bin/gpgconf mr,
-    /{usr/,}bin/gpg{,2} mr,
-    /{usr/,}bin/gpgsm mr,
+    @{bin}/gpgconf mr,
+    @{bin}/gpg{,2} mr,
+    @{bin}/gpgsm mr,
 
     owner @{HOME}/@{XDG_GPG_DIR}/ rw,
     owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
diff --git a/apparmor.d/groups/kde/kwalletmanager5 b/apparmor.d/groups/kde/kwalletmanager5
index aab4e91a..76cce525 100644
--- a/apparmor.d/groups/kde/kwalletmanager5
+++ b/apparmor.d/groups/kde/kwalletmanager5
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/kwalletmanager5
+@{exec_path} = @{bin}/kwalletmanager5
 profile kwalletmanager5 @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio>
diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11
index a078be3c..97402727 100644
--- a/apparmor.d/groups/kde/kwin_x11
+++ b/apparmor.d/groups/kde/kwin_x11
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/kwin_x11
+@{exec_path} = @{bin}/kwin_x11
 profile kwin_x11 @{exec_path} {
   include <abstractions/base>
   include <abstractions/dri-common>
@@ -26,9 +26,9 @@ profile kwin_x11 @{exec_path} {
 
   @{exec_path} mrix,
 
-  /{usr/,}bin/{,ba,da}sh          rix,
-  /{usr/,}lib/kwin_killer_helper  rix,
-  @{libexec}/drkonqi              rPx,
+  @{bin}/{,ba,da}sh          rix,
+  @{lib}/kwin_killer_helper  rix,
+  @{lib}/drkonqi              rPx,
 
   /usr/share/hwdata/pnp.ids r,
   /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover
index 054c2440..2263f876 100644
--- a/apparmor.d/groups/kde/plasma-discover
+++ b/apparmor.d/groups/kde/plasma-discover
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/plasma-discover
+@{exec_path} = @{bin}/plasma-discover
 profile plasma-discover @{exec_path} {
   include <abstractions/base>
   include <abstractions/mesa>
@@ -22,11 +22,11 @@ profile plasma-discover @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh                 rix,
-  /{usr/,}bin/kreadconfig5               rPx,
+  @{bin}/{,ba,da}sh                 rix,
+  @{bin}/kreadconfig5               rPx,
 
-  @{libexec}/kf5/kioslave5               rPx,
-  @{libexec}/kf5/kio_http_cache_cleaner  rPx,
+  @{lib}/kf5/kioslave5               rPx,
+  @{lib}/kf5/kio_http_cache_cleaner  rPx,
 
   /usr/share/kservices5/{,*} r,
 
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index 1a8d9c84..6c95ebce 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/plasmashell
+@{exec_path} = @{bin}/plasmashell
 profile plasmashell @{exec_path} {
   include <abstractions/base>
   include <abstractions/app-launcher-user>
@@ -40,12 +40,12 @@ profile plasmashell @{exec_path} {
 
   @{exec_path} mr,
 
-  @{libexec}/libheif/            r,
-  @{libexec}/libheif/*.so*      rm,
-  @{libexec}/kf5/kioslave5     rPx,
-  @{libexec}/kf5/kdesu{,d}     rix,
-  /{usr/,}bin/dolphin          rPUx, # TODO: rPx,
-  /{usr/,}bin/plasma-discover  rPUx,
+  @{lib}/libheif/            r,
+  @{lib}/libheif/*.so*      rm,
+  @{lib}/kf5/kioslave5     rPx,
+  @{lib}/kf5/kdesu{,d}     rix,
+  @{bin}/dolphin          rPUx, # TODO: rPx,
+  @{bin}/plasma-discover  rPUx,
 
   /usr/share/akonadi/firstrun/{,*} r,
   /usr/share/akonadi/plugins/serializer/{,*.desktop} r,
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index 8fb023e1..556d8050 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/sddm
+@{exec_path} = @{bin}/sddm
 profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/base>
   include <abstractions/authentication>
@@ -39,35 +39,35 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   @{exec_path} mr,
 
-  /{usr/,}lib{,exec}/sddm/sddm-helper        rix,
-  /{usr/,}lib/@{multiarch}/sddm/sddm-helper  rix,
-  /{usr/,}lib/plasma-dbus-run-session-if-needed rix,
+  @{lib}/@{multiarch}/sddm/sddm-helper      rix,
+  @{lib}/plasma-dbus-run-session-if-needed  rix,
+  @{lib}/sddm/sddm-helper                   rix,
 
-  /{usr/,}{s,}bin/checkproc rix,
-  /{usr/,}bin/{,ba,da}sh   rix,
-  /{usr/,}bin/cat          rix,
-  /{usr/,}bin/tr           rix,
-  /{usr/,}bin/tty          rix,
-  /{usr/,}bin/xdm            r,
-  /{usr/,}bin/xmodmap      rix,
+  @{bin}/{,ba,da}sh   rix,
+  @{bin}/cat          rix,
+  @{bin}/checkproc    rix,
+  @{bin}/tr           rix,
+  @{bin}/tty          rix,
+  @{bin}/xdm            r,
+  @{bin}/xmodmap      rix,
 
-  /{usr/,}bin/sddm-greeter rPx,
-  /{usr/,}bin/Xorg         rPx,
-  /etc/sddm/Xsession       rPx,
+  @{bin}/sddm-greeter rPx,
+  @{bin}/Xorg         rPx,
+  /etc/sddm/Xsession  rPx,
 
-  /{usr/,}bin/flatpak     rPUx,
-  /{usr/,}bin/sway        rPUx,
-  /{usr/,}bin/xauth        rCx -> xauth,
-  /{usr/,}bin/xsetroot     rPx,
+  @{bin}/flatpak     rPUx,
+  @{bin}/sway        rPUx,
+  @{bin}/xauth        rCx -> xauth,
+  @{bin}/xsetroot     rPx,
 
-  @{etc_ro}/X11/xdm/Xsession       rPx,
-  /{usr/,}bin/dbus-update-activation-environment rCx -> dbus,
-  /{usr/,}bin/gnome-keyring-daemon rPx,
-  /{usr/,}bin/kwalletd5            rPx,
-  /{usr/,}bin/startplasma-x11      rPx,
-  /{usr/,}bin/systemctl            rPx -> child-systemctl,
-  /{usr/,}bin/xrdb                 rPx,
-  /{usr/,}bin/xset                 rPx,
+  @{etc_ro}/X11/xdm/Xsession  rPx,
+  @{bin}/dbus-update-activation-environment rCx -> dbus,
+  @{bin}/gnome-keyring-daemon rPx,
+  @{bin}/kwalletd5            rPx,
+  @{bin}/startplasma-x11      rPx,
+  @{bin}/systemctl            rPx -> child-systemctl,
+  @{bin}/xrdb                 rPx,
+  @{bin}/xset                 rPx,
 
   /usr/etc/X11/xdm/Xsetup                 rix,
   /usr/share/sddm/scripts/wayland-session rix,
@@ -143,7 +143,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   profile xauth {
     include <abstractions/base>
 
-    /{usr/,}bin/xauth mr,
+    @{bin}/xauth mr,
 
     owner @{HOME}/.Xauthority-c  w,
     owner @{HOME}/.Xauthority-l  wl -> @{HOME}/.Xauthority-c,
@@ -163,7 +163,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   profile dbus {
     include <abstractions/base>
 
-    /{usr/,}bin/dbus-update-activation-environment mr,
+    @{bin}/dbus-update-activation-environment mr,
 
     owner @{user_share_dirs}/sddm/xorg-session.log w,
 
diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter
index ea14d61f..37bafe82 100644
--- a/apparmor.d/groups/kde/sddm-greeter
+++ b/apparmor.d/groups/kde/sddm-greeter
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/sddm-greeter
+@{exec_path} = @{bin}/sddm-greeter
 profile sddm-greeter @{exec_path} {
   include <abstractions/base>
   include <abstractions/fontconfig-cache-read>
@@ -24,8 +24,8 @@ profile sddm-greeter @{exec_path} {
 
   @{exec_path} mr,
 
-  @{libexec}/libheif/ r,
-  @{libexec}/libheif/*.so* rm,
+  @{lib}/libheif/ r,
+  @{lib}/libheif/*.so* rm,
 
   /usr/share/desktop-base/softwaves-theme/login/*.svg r,
   /usr/share/hwdata/pnp.ids r,
diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession
index 30b9c197..8365c16f 100644
--- a/apparmor.d/groups/kde/sddm-xsession
+++ b/apparmor.d/groups/kde/sddm-xsession
@@ -18,37 +18,37 @@ profile sddm-xsession @{exec_path} {
   @{exec_path} r,
 
   /{usr/,}{local,}bin/ r,
-  /{usr/,}bin/{,ba,da}sh rix,
-  /{usr/,}bin/{,e}grep   rix,
-  /{usr/,}bin/{m,g,}awk  rix,
-  /{usr/,}bin/cat        rix,
-  /{usr/,}bin/chmod      rix,
-  /{usr/,}bin/csh        rix,
-  /{usr/,}bin/date       rix,
-  /{usr/,}bin/fish       rix,
-  /{usr/,}bin/id         rix,
-  /{usr/,}bin/mktemp     rix,
-  /{usr/,}bin/rm         rix,
-  /{usr/,}bin/tcsh       rix,
-  /{usr/,}bin/tempfile   rix,
-  /{usr/,}bin/touch      rix,
-  /{usr/,}bin/which{,.*} rix,
-  /{usr/,}bin/zsh        rix,
+  @{bin}/{,ba,da}sh rix,
+  @{bin}/{,e}grep   rix,
+  @{bin}/{m,g,}awk  rix,
+  @{bin}/cat        rix,
+  @{bin}/chmod      rix,
+  @{bin}/csh        rix,
+  @{bin}/date       rix,
+  @{bin}/fish       rix,
+  @{bin}/id         rix,
+  @{bin}/mktemp     rix,
+  @{bin}/rm         rix,
+  @{bin}/tcsh       rix,
+  @{bin}/tempfile   rix,
+  @{bin}/touch      rix,
+  @{bin}/which{,.*} rix,
+  @{bin}/zsh        rix,
 
-  /{usr/,}bin/dbus-update-activation-environment  rCx -> dbus,
-  /{usr/,}bin/flatpak                             rPUx,
-  /{usr/,}bin/numlockx                            rPx,
-  /{usr/,}bin/xhost                               rPx,
-  /{usr/,}bin/xrdb                                rPx,
+  @{bin}/dbus-update-activation-environment  rCx -> dbus,
+  @{bin}/flatpak                             rPUx,
+  @{bin}/numlockx                            rPx,
+  @{bin}/xhost                               rPx,
+  @{bin}/xrdb                                rPx,
   /etc/X11/Xsession                               rPx,
-  /{usr/,}bin/ssh-agent                           rPx,
-  /{usr/,}bin/udevadm                             rPx,
+  @{bin}/ssh-agent                           rPx,
+  @{bin}/udevadm                             rPx,
 
-  /{usr/,}bin/run-parts         rCx -> run-parts,
+  @{bin}/run-parts         rCx -> run-parts,
 
   # Allowed GUI sessions to start
-  #/{usr/,}bin/openbox-session  rPx,
-  #/{usr/,}bin/openbox          rPx,
+  #@{bin}/openbox-session  rPx,
+  #@{bin}/openbox          rPx,
 
   /etc/default/{,*} r,
   /etc/X11/{,**} r,
@@ -65,7 +65,7 @@ profile sddm-xsession @{exec_path} {
   profile run-parts {
     include <abstractions/base>
 
-    /{usr/,}bin/run-parts mr,
+    @{bin}/run-parts mr,
 
     /etc/X11/Xsession.d/ r,
     /etc/X11/Xresources/ r,
@@ -78,7 +78,7 @@ profile sddm-xsession @{exec_path} {
   profile dbus {
     include <abstractions/base>
 
-    /{usr/,}bin/dbus-update-activation-environment mr,
+    @{bin}/dbus-update-activation-environment mr,
 
     owner @{HOME}/.xsession-errors w,
 
diff --git a/apparmor.d/groups/kde/startplasma-x11 b/apparmor.d/groups/kde/startplasma-x11
index 98c4ab72..50c4322a 100644
--- a/apparmor.d/groups/kde/startplasma-x11
+++ b/apparmor.d/groups/kde/startplasma-x11
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/startplasma-x11
+@{exec_path} = @{bin}/startplasma-x11
 profile startplasma-x11 @{exec_path} {
   include <abstractions/base>
   include <abstractions/freedesktop.org>
@@ -15,10 +15,10 @@ profile startplasma-x11 @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/kapplymousetheme  rPUx,
-  /{usr/,}bin/ksplashqml        rPUx,
-  /{usr/,}bin/xrdb               rPx,
-  /{usr/,}bin/xsetroot           rPx,
+  @{bin}/kapplymousetheme  rPUx,
+  @{bin}/ksplashqml        rPUx,
+  @{bin}/xrdb               rPx,
+  @{bin}/xsetroot           rPx,
 
   /usr/share/color-schemes/{,**} r,
   /usr/share/desktop-directories/{,**} r,
diff --git a/apparmor.d/groups/kde/utempter b/apparmor.d/groups/kde/utempter
index 240893d8..65e39eae 100644
--- a/apparmor.d/groups/kde/utempter
+++ b/apparmor.d/groups/kde/utempter
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/utempter/utempter
+@{exec_path} = @{lib}/utempter/utempter
 profile utempter @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/groups/kde/xdm-xsession b/apparmor.d/groups/kde/xdm-xsession
index 34486c18..47e86148 100644
--- a/apparmor.d/groups/kde/xdm-xsession
+++ b/apparmor.d/groups/kde/xdm-xsession
@@ -17,42 +17,42 @@ profile xdm-xsession @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}{s,}bin/checkproc      rix,
-  /{usr/,}bin/{,ba,da}sh         rix,
-  /{usr/,}bin/basename           rix,
-  /{usr/,}bin/cat                rix,
-  /{usr/,}bin/dirname            rix,
-  /{usr/,}bin/gpg-agent          rix,
-  /{usr/,}bin/gpg-connect-agent  rix,
-  /{usr/,}bin/grep               rix,
-  /{usr/,}bin/locale             rix,
-  /{usr/,}bin/manpath            rix,
-  /{usr/,}bin/readlink           rix,
-  /{usr/,}bin/sed                rix,
-  /{usr/,}bin/ssh-agent          rix,
-  /{usr/,}bin/tr                 rix,
-  /{usr/,}bin/tty                rix,
-  /{usr/,}bin/uname              rix,
-  /{usr/,}bin/whoami             rix,
+  @{bin}/checkproc      rix,
+  @{bin}/{,ba,da}sh         rix,
+  @{bin}/basename           rix,
+  @{bin}/cat                rix,
+  @{bin}/dirname            rix,
+  @{bin}/gpg-agent          rix,
+  @{bin}/gpg-connect-agent  rix,
+  @{bin}/grep               rix,
+  @{bin}/locale             rix,
+  @{bin}/manpath            rix,
+  @{bin}/readlink           rix,
+  @{bin}/sed                rix,
+  @{bin}/ssh-agent          rix,
+  @{bin}/tr                 rix,
+  @{bin}/tty                rix,
+  @{bin}/uname              rix,
+  @{bin}/whoami             rix,
 
-  /{usr/,}bin/dbus-update-activation-environment rCx -> dbus,
-  /{usr/,}bin/flatpak                            rPUx,
-  /{usr/,}bin/pidof                              rPx,
-  /{usr/,}bin/startplasma-x11                    rPx,
-  /{usr/,}bin/systemctl                          rPx -> child-systemctl,
-  /{usr/,}bin/xdg-user-dirs-update               rPx,
-  /{usr/,}bin/xrdb                               rPx,
+  @{bin}/dbus-update-activation-environment rCx -> dbus,
+  @{bin}/flatpak                            rPUx,
+  @{bin}/pidof                              rPx,
+  @{bin}/startplasma-x11                    rPx,
+  @{bin}/systemctl                          rPx -> child-systemctl,
+  @{bin}/xdg-user-dirs-update               rPx,
+  @{bin}/xrdb                               rPx,
 
-  @{libexec}/gnome-session-binary                rPx,
-  /{usr/,}bin/gnome                              rix,
-  /{usr/,}bin/gnome-session                      rix,
-  /{usr/,}bin/gsettings                          rPx,
+  @{lib}/gnome-session-binary                rPx,
+  @{bin}/gnome                              rix,
+  @{bin}/gnome-session                      rix,
+  @{bin}/gsettings                          rPx,
 
   @{etc_ro}/X11/xdm/sys.xsession                    rix,
   @{etc_ro}/X11/xinit/xinitrc.d/50-systemd-user.sh  rix,
   @{etc_ro}/X11/xinit/xinitrc.d/xdg-user-dirs.sh    rix,
   @{HOME}/.xinitrc                                 rPix,
-  @{libexec}/xinit/xinitrc                          rix,
+  @{lib}/xinit/xinitrc                          rix,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/bash-completion/{,**} r,
@@ -96,7 +96,7 @@ profile xdm-xsession @{exec_path} {
   profile dbus {
     include <abstractions/base>
 
-    /{usr/,}bin/dbus-update-activation-environment mr,
+    @{bin}/dbus-update-activation-environment mr,
 
     owner @{user_share_dirs}/sddm/xorg-session.log rw,
 
diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy
index 3d4e7dc2..f1aebfa3 100644
--- a/apparmor.d/groups/kde/xembedsniproxy
+++ b/apparmor.d/groups/kde/xembedsniproxy
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/xembedsniproxy
+@{exec_path} = @{bin}/xembedsniproxy
 profile xembedsniproxy @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/groups/kde/xsettingsd b/apparmor.d/groups/kde/xsettingsd
index cada4c2a..c02941c7 100644
--- a/apparmor.d/groups/kde/xsettingsd
+++ b/apparmor.d/groups/kde/xsettingsd
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/xsettingsd
+@{exec_path} = @{bin}/xsettingsd
 profile xsettingsd @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager
index 44a9d227..919a9ba7 100644
--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{,s}bin/ModemManager
+@{exec_path} = @{bin}/ModemManager
 profile ModemManager @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index cb050865..055ae9be 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{,s}bin/NetworkManager
+@{exec_path} = @{bin}/NetworkManager
 profile NetworkManager @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-network-manager-strict>
@@ -89,22 +89,22 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh rix,
-  /{usr/,}bin/nft        rix,
+  @{bin}/{,ba,da}sh rix,
+  @{bin}/nft        rix,
 
-  /{usr/,}{s,}bin/netconfig                                     rPUx,
-  /{usr/,}bin/dnsmasq                                            rPx,
-  /{usr/,}bin/kmod                                               rPx,
-  /{usr/,}bin/resolvconf                                         rPx,
-  /{usr/,}bin/systemctl                                          rPx -> child-systemctl,
-  @{libexec}/{,NetworkManager/}nm-dhcp-helper                    rPx,
-  @{libexec}/{,NetworkManager/}nm-dispatcher                     rPx,
-  @{libexec}/{,NetworkManager/}nm-iface-helper                   rPx,
-  @{libexec}/{,NetworkManager/}nm-initrd-generator               rPx,
-  @{libexec}/{,NetworkManager/}nm-openvpn-auth-dialog            rPx,
-  @{libexec}/{,NetworkManager/}nm-openvpn-service                rPx,
-  @{libexec}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx,
-  @{libexec}/{,NetworkManager/}nm-daemon-helper                  rPx,
+  @{bin}/dnsmasq                                             rPx,
+  @{bin}/kmod                                                rPx,
+  @{bin}/netconfig                                          rPUx,
+  @{bin}/resolvconf                                          rPx,
+  @{bin}/systemctl                                           rPx -> child-systemctl,
+  @{lib}/{,NetworkManager/}nm-daemon-helper                  rPx,
+  @{lib}/{,NetworkManager/}nm-dhcp-helper                    rPx,
+  @{lib}/{,NetworkManager/}nm-dispatcher                     rPx,
+  @{lib}/{,NetworkManager/}nm-iface-helper                   rPx,
+  @{lib}/{,NetworkManager/}nm-initrd-generator               rPx,
+  @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog            rPx,
+  @{lib}/{,NetworkManager/}nm-openvpn-service                rPx,
+  @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx,
 
   /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
 
diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd
index e58db055..8aab26b6 100644
--- a/apparmor.d/groups/network/dhcpcd
+++ b/apparmor.d/groups/network/dhcpcd
@@ -3,7 +3,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/dhcpcd
+@{exec_path} = @{bin}/dhcpcd
 profile dhcpcd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -27,14 +27,14 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) {
   
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh rix,
-  /{usr/,}bin/cat rix,
-  /{usr/,}bin/chmod rix,
-  /{usr/,}bin/cmp rix,
-  /{usr/,}bin/mkdir rix,
-  /{usr/,}bin/rm rix,
-  /{usr/,}bin/sed rix,
-  /{usr/,}lib/dhcpcd/dhcpcd-run-hooks rix,
+  @{bin}/{,ba,da}sh rix,
+  @{bin}/cat rix,
+  @{bin}/chmod rix,
+  @{bin}/cmp rix,
+  @{bin}/mkdir rix,
+  @{bin}/rm rix,
+  @{bin}/sed rix,
+  @{lib}/dhcpcd/dhcpcd-run-hooks rix,
   /dev/tty rw,
   /var/lib/dhcpcd/*.lease{,6} rw,
   /var/lib/dhcpcd/secret rw,
diff --git a/apparmor.d/groups/network/iwctl b/apparmor.d/groups/network/iwctl
index aa9a7892..67e882f9 100644
--- a/apparmor.d/groups/network/iwctl
+++ b/apparmor.d/groups/network/iwctl
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/iwctl
+@{exec_path} = @{bin}/iwctl
 profile iwctl @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/network/iwd b/apparmor.d/groups/network/iwd
index c85017ee..c8d67a2f 100644
--- a/apparmor.d/groups/network/iwd
+++ b/apparmor.d/groups/network/iwd
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/iwd/iwd
+@{exec_path} = @{lib}/iwd/iwd
 profile iwd @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon
index b6581c73..fc295338 100644
--- a/apparmor.d/groups/network/mullvad-daemon
+++ b/apparmor.d/groups/network/mullvad-daemon
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/mullvad-daemon
+@{exec_path} = @{bin}/mullvad-daemon
 @{exec_path} += /opt/Mullvad*/resources/mullvad-daemon
 profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
@@ -33,7 +33,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/ip  rix,
+  @{bin}/ip  rix,
 
   "/opt/Mullvad VPN/resources/openvpn" rix,
   "/opt/Mullvad VPN/resources/*.so*" mr,
diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui
index f5fb7869..0eab9fa2 100644
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@@ -34,9 +34,9 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected)  {
 
   "/opt/Mullvad VPN/*.so*" mr,
 
-  /{usr/,}bin/{,ba,da}sh  rix,
-  /{usr/,}bin/gsettings   rix,
-  /{usr/,}bin/xdg-open    rPx,
+  @{bin}/{,ba,da}sh  rix,
+  @{bin}/gsettings   rix,
+  @{bin}/xdg-open    rPx,
 
   "/opt/Mullvad VPN/{,**}" r,
   /usr/share/themes/{,**} r,
diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher
index 3f03b7d4..f1ba6169 100644
--- a/apparmor.d/groups/network/networkd-dispatcher
+++ b/apparmor.d/groups/network/networkd-dispatcher
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/networkd-dispatcher
+@{exec_path} = @{bin}/networkd-dispatcher
 profile networkd-dispatcher @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-strict>
@@ -21,8 +21,8 @@ profile networkd-dispatcher @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/ r,
-  /{usr/,}bin/networkctl  rPx,
+  @{bin}/ r,
+  @{bin}/networkctl  rPx,
 
   /etc/networkd-dispatcher/{,**} r,
 
diff --git a/apparmor.d/groups/network/nm-daemon-helper b/apparmor.d/groups/network/nm-daemon-helper
index 8e33cbf8..b145916d 100644
--- a/apparmor.d/groups/network/nm-daemon-helper
+++ b/apparmor.d/groups/network/nm-daemon-helper
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,NetworkManager/}nm-daemon-helper
+@{exec_path} = @{lib}/{,NetworkManager/}nm-daemon-helper
 profile nm-daemon-helper @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/groups/network/nm-dhcp-helper b/apparmor.d/groups/network/nm-dhcp-helper
index e72f3458..dcaf1c5d 100644
--- a/apparmor.d/groups/network/nm-dhcp-helper
+++ b/apparmor.d/groups/network/nm-dhcp-helper
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,NetworkManager/}nm-dhcp-helper
+@{exec_path} = @{lib}/{,NetworkManager/}nm-dhcp-helper
 profile nm-dhcp-helper @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus>
diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher
index 5561a7ad..2c8bfdeb 100644
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,NetworkManager/}nm-dispatcher
+@{exec_path} = @{lib}/{,NetworkManager/}nm-dispatcher
 profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-strict>
@@ -26,28 +26,28 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}{s,}bin/netconfig     rPUx,
-  /{usr/,}bin/{,ba,da}sh         rix,
-  /{usr/,}bin/basename           rix,
-  /{usr/,}bin/chronyc           rPUx,
-  /{usr/,}bin/date               rix,
-  /{usr/,}bin/gawk               rix,
-  /{usr/,}bin/grep               rix,
-  /{usr/,}bin/id                 rix,
-  /{usr/,}bin/mkdir              rix,
-  /{usr/,}bin/mktemp             rix,
-  /{usr/,}bin/nmcli              rix,
-  /{usr/,}bin/readlink           rix,
-  /{usr/,}bin/rm                 rix,
-  /{usr/,}bin/run-parts          rPx,
-  /{usr/,}bin/sed                rix,
-  /{usr/,}bin/systemctl          rPx -> child-systemctl,
-  /{usr/,}bin/systemd-cat        rPx,
-  /{usr/,}bin/tr                 rix,
+  @{bin}/{,ba,da}sh         rix,
+  @{bin}/basename           rix,
+  @{bin}/chronyc           rPUx,
+  @{bin}/date               rix,
+  @{bin}/gawk               rix,
+  @{bin}/grep               rix,
+  @{bin}/id                 rix,
+  @{bin}/mkdir              rix,
+  @{bin}/mktemp             rix,
+  @{bin}/netconfig         rPUx,
+  @{bin}/nmcli              rix,
+  @{bin}/readlink           rix,
+  @{bin}/rm                 rix,
+  @{bin}/run-parts          rPx,
+  @{bin}/sed                rix,
+  @{bin}/systemctl          rPx -> child-systemctl,
+  @{bin}/systemd-cat        rPx,
+  @{bin}/tr                 rix,
   /usr/share/tlp/tlp-readconfs  rPUx,
 
-  /{usr/,}lib/NetworkManager/dispatcher.d/ r,
-  /{usr/,}lib/NetworkManager/dispatcher.d/* rix,
+  @{lib}/NetworkManager/dispatcher.d/ r,
+  @{lib}/NetworkManager/dispatcher.d/* rix,
   /etc/NetworkManager/dispatcher.d/ r,
   /etc/NetworkManager/dispatcher.d/** rix,
 
diff --git a/apparmor.d/groups/network/nm-iface-helper b/apparmor.d/groups/network/nm-iface-helper
index e410367c..5698c84d 100644
--- a/apparmor.d/groups/network/nm-iface-helper
+++ b/apparmor.d/groups/network/nm-iface-helper
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,NetworkManager/}nm-iface-helper
+@{exec_path} = @{lib}/{,NetworkManager/}nm-iface-helper
 profile nm-iface-helper @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/network/nm-initrd-generator b/apparmor.d/groups/network/nm-initrd-generator
index b51c8ac2..db2ec415 100644
--- a/apparmor.d/groups/network/nm-initrd-generator
+++ b/apparmor.d/groups/network/nm-initrd-generator
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,NetworkManager/}nm-initrd-generator
+@{exec_path} = @{lib}/{,NetworkManager/}nm-initrd-generator
 profile nm-initrd-generator @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/network/nm-openvpn-auth-dialog b/apparmor.d/groups/network/nm-openvpn-auth-dialog
index b0207504..0949d2f9 100644
--- a/apparmor.d/groups/network/nm-openvpn-auth-dialog
+++ b/apparmor.d/groups/network/nm-openvpn-auth-dialog
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,NetworkManager/}nm-openvpn-auth-dialog
+@{exec_path} = @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog
 profile nm-openvpn-auth-dialog @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/network/nm-openvpn-service b/apparmor.d/groups/network/nm-openvpn-service
index edbdfc23..a886ac2a 100644
--- a/apparmor.d/groups/network/nm-openvpn-service
+++ b/apparmor.d/groups/network/nm-openvpn-service
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,NetworkManager/}nm-openvpn-service
+@{exec_path} = @{lib}/{,NetworkManager/}nm-openvpn-service
 profile nm-openvpn-service @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -18,11 +18,11 @@ profile nm-openvpn-service @{exec_path} {
 
   @{exec_path} mr,
 
-  @{libexec}/{,NetworkManager/}nm-openvpn-auth-dialog rPx,
-  @{libexec}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx,
-  /{usr/,}{s,}bin/openvpn rPx,
-  /{usr/,}bin/{,ba,da}sh rix,
-  /{usr/,}bin/kmod rPx,
+  @{bin}/{,ba,da}sh  rix,
+  @{bin}/kmod        rPx,
+  @{bin}/openvpn     rPx,
+  @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx,
+  @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx,
 
   @{run}/NetworkManager/nm-openvpn-@{uuid} rw,
 
diff --git a/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper b/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper
index 880f9d54..7fdc60da 100644
--- a/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper
+++ b/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,NetworkManager/}nm-openvpn-service-openvpn-helper
+@{exec_path} = @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper
 profile nm-openvpn-service-openvpn-helper @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli
index b959e344..5ab8aa7b 100644
--- a/apparmor.d/groups/network/nmcli
+++ b/apparmor.d/groups/network/nmcli
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/nmcli
+@{exec_path} = @{bin}/nmcli
 profile nmcli @{exec_path} {
   include <abstractions/base>
 
@@ -15,7 +15,7 @@ profile nmcli @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/less rCx -> pager,
+  @{bin}/less rCx -> pager,
 
   owner @{HOME}/.nm-vpngate/*.ovpn r,
   owner @{HOME}/.cert/nm-openvpn/*.pem rw,
@@ -30,7 +30,7 @@ profile nmcli @{exec_path} {
     include <abstractions/base>
     include <abstractions/consoles>
 
-    /{usr/,}bin/less  mr,
+    @{bin}/less  mr,
 
     owner @{HOME}/.lesshs* rw,
     owner @{user_cache_dirs}/.lesshs* rw,
diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn
index 6a02e631..e05610d9 100644
--- a/apparmor.d/groups/network/openvpn
+++ b/apparmor.d/groups/network/openvpn
@@ -22,7 +22,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/openvpn
+@{exec_path} = @{bin}/openvpn
 profile openvpn @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -50,7 +50,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  @{libexec}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx,
+  @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx,
 
   /etc/openvpn/{,**} r,
 
@@ -62,9 +62,9 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
   @{run}/openvpn/*.{pid,status} rw,
   @{run}/systemd/journal/dev-log rw,
 
-  /{usr/,}{s,}bin/ip                            rix,
-  /{usr/,}bin/systemd-ask-password              rPx,
-  /{usr/,}lib/nm-openvpn-service-openvpn-helper rPx,
+  @{bin}/ip                                rix,
+  @{bin}/systemd-ask-password              rPx,
+  @{lib}/nm-openvpn-service-openvpn-helper rPx,
   /etc/openvpn/force-user-traffic-via-vpn.sh    rCx -> force-user-traffic-via-vpn,
   /etc/openvpn/update-resolv-conf{,.sh}         rCx -> update-resolv,
 
@@ -82,11 +82,11 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
 
     /etc/openvpn/update-resolv-conf.sh r,
 
-    /{usr/,}bin/{,ba,da}sh         rix,
-    /{usr/,}bin/cut                rix,
-    /{usr/,}bin/which{,.debianutils}              rix,
-    /{usr/,}bin/ip                 rix,
-    /{usr/,}{s,}bin/xtables-nft-multi rix,
+    @{bin}/{,ba,da}sh         rix,
+    @{bin}/cut                rix,
+    @{bin}/ip                 rix,
+    @{bin}/which{,.debianutils}  rix,
+    @{bin}/xtables-nft-multi rix,
 
     /etc/iproute2/rt_tables r,
     /etc/iproute2/rt_tables.d/ r,
@@ -106,13 +106,13 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
     /etc/openvpn/ r,
     /etc/openvpn/force-user-traffic-via-vpn.sh r,
 
-    /{usr/,}bin/{,ba,da}sh rix,
-    /{usr/,}bin/sed        rix,
-    /{usr/,}bin/cut        rix,
-    /{usr/,}bin/{,e}grep   rix,
-    /{usr/,}bin/ip         rix,
-    /{usr/,}{s,}bin/nft    rix,
-    /{usr/,}bin/env        rix,
+    @{bin}/{,ba,da}sh rix,
+    @{bin}/{,e}grep   rix,
+    @{bin}/cut        rix,
+    @{bin}/env        rix,
+    @{bin}/ip         rix,
+    @{bin}/nft        rix,
+    @{bin}/sed        rix,
 
     /etc/iproute2/rt_realms r,
     /etc/iproute2/group r,
diff --git a/apparmor.d/groups/network/tailscale b/apparmor.d/groups/network/tailscale
index 71e75abf..68cfd103 100644
--- a/apparmor.d/groups/network/tailscale
+++ b/apparmor.d/groups/network/tailscale
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/tailscale
+@{exec_path} = @{bin}/tailscale
 profile tailscale @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -21,7 +21,7 @@ profile tailscale @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/ip rPx,
+  @{bin}/ip rPx,
 
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 
diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled
index 8d7e0cf5..c6d72084 100644
--- a/apparmor.d/groups/network/tailscaled
+++ b/apparmor.d/groups/network/tailscaled
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{,s}bin/tailscaled
+@{exec_path} = @{bin}/tailscaled
 profile tailscaled @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -30,11 +30,11 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}{s,}bin/xtables-nft-multi  rix,
-  /{usr/,}bin/ip                     rix,
-  /{usr/,}bin/resolvectl             rPx,
+  @{bin}/ip                 rix,
+  @{bin}/resolvectl         rPx,
+  @{bin}/xtables-nft-multi  rix,
 
-  /{usr/,}bin/systemctl  rCx -> systemctl,
+  @{bin}/systemctl  rCx -> systemctl,
 
   /etc/iproute2/rt_tables r,
 
@@ -74,7 +74,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
 
     ptrace (read),
 
-    /{usr/,}bin/systemctl mr,
+    @{bin}/systemctl mr,
 
     /dev/net/tun rw,
 
diff --git a/apparmor.d/groups/network/wg b/apparmor.d/groups/network/wg
index 6f4bf4ea..fa76a053 100644
--- a/apparmor.d/groups/network/wg
+++ b/apparmor.d/groups/network/wg
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/wg
+@{exec_path} = @{bin}/wg
 profile wg @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick
index 06ccb7d6..f60123bb 100644
--- a/apparmor.d/groups/network/wg-quick
+++ b/apparmor.d/groups/network/wg-quick
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/wg-quick
+@{exec_path} = @{bin}/wg-quick
 profile wg-quick @{exec_path} {
   include <abstractions/base>
 
@@ -16,17 +16,17 @@ profile wg-quick @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}{s,}bin/nft            rix,
-  /{usr/,}{s,}bin/sysctl         rix,
-  /{usr/,}bin/{,ba,da}sh         rix,
-  /{usr/,}bin/cat                rix,
-  /{usr/,}bin/ip                 rPx,
-  /{usr/,}bin/readlink           rix,
-  /{usr/,}bin/resolvectl         rPx,
-  /{usr/,}bin/sort               rix,
-  /{usr/,}bin/stat               rix,
-  /{usr/,}bin/wg                 rPx,
-  /{usr/,}bin/xtables-nft-multi  rix,
+  @{bin}/{,ba,da}sh         rix,
+  @{bin}/cat                rix,
+  @{bin}/ip                 rPx,
+  @{bin}/nft                rix,
+  @{bin}/readlink           rix,
+  @{bin}/resolvectl         rPx,
+  @{bin}/sort               rix,
+  @{bin}/stat               rix,
+  @{bin}/sysctl             rix,
+  @{bin}/wg                 rPx,
+  @{bin}/xtables-nft-multi  rix,
 
   /usr/share/terminfo/x/xterm-256color r,
 
@@ -42,7 +42,7 @@ profile wg-quick @{exec_path} {
   /dev/tty rw,
 
   # Force the use as root
-  deny /{usr/,}bin/sudo x,
+  deny @{bin}/sudo x,
 
   include if exists <local/wg-quick>
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/pacman/arch-audit b/apparmor.d/groups/pacman/arch-audit
index 6b1a12d5..91d38be9 100644
--- a/apparmor.d/groups/pacman/arch-audit
+++ b/apparmor.d/groups/pacman/arch-audit
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/arch-audit
+@{exec_path} = @{bin}/arch-audit
 profile arch-audit @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/groups/pacman/archlinux-java b/apparmor.d/groups/pacman/archlinux-java
index 06802b1f..591df121 100644
--- a/apparmor.d/groups/pacman/archlinux-java
+++ b/apparmor.d/groups/pacman/archlinux-java
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/archlinux-java
+@{exec_path} = @{bin}/archlinux-java
 profile archlinux-java @{exec_path} {
   include <abstractions/base>
 
@@ -14,16 +14,16 @@ profile archlinux-java @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/basename  rix,
-  /{usr/,}bin/bash      rix,
-  /{usr/,}bin/dirname   rix,
-  /{usr/,}bin/id        rix,
-  /{usr/,}bin/ln        rix,
-  /{usr/,}bin/readlink  rix,
-  /{usr/,}bin/unlink    rix,
+  @{bin}/basename  rix,
+  @{bin}/bash      rix,
+  @{bin}/dirname   rix,
+  @{bin}/id        rix,
+  @{bin}/ln        rix,
+  @{bin}/readlink  rix,
+  @{bin}/unlink    rix,
 
-  /{usr/,}lib/jvm/default w,
-  /{usr/,}lib/jvm/default-runtime w,
+  @{lib}/jvm/default w,
+  @{lib}/jvm/default-runtime w,
 
   /dev/tty rw,
 
diff --git a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
index 3077d56d..6f828b4b 100644
--- a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
+++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/archlinux-keyring-wkd-sync
+@{exec_path} = @{bin}/archlinux-keyring-wkd-sync
 profile archlinux-keyring-wkd-sync @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -20,12 +20,12 @@ profile archlinux-keyring-wkd-sync @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{m,g,}awk    rix,
-  /{usr/,}bin/bash         rix,
-  /{usr/,}bin/dirmngr      rix,
-  /{usr/,}bin/gpg{,2}      rix,
-  /{usr/,}bin/gpg-agent    rix,
-  /{usr/,}bin/pacman-conf  rix,
+  @{bin}/{m,g,}awk    rix,
+  @{bin}/bash         rix,
+  @{bin}/dirmngr      rix,
+  @{bin}/gpg{,2}      rix,
+  @{bin}/gpg-agent    rix,
+  @{bin}/pacman-conf  rix,
 
   /etc/pacman.conf r,
   /etc/pacman.d/*-mirrorlist r,
diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish
index c6cf22dc..1014c2eb 100644
--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
@@ -23,24 +23,24 @@ profile aurpublish @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh  rix,
-  /{usr/,}bin/cat         rix,
-  /{usr/,}bin/chmod       rix,
-  /{usr/,}bin/curl        rix,
-  /{usr/,}bin/date        rix,
-  /{usr/,}bin/gettext     rix,
-  /{usr/,}bin/git         rPx,
-  /{usr/,}bin/gpg{,2}     rPx,
-  /{usr/,}bin/grep        rix,
-  /{usr/,}bin/makepkg     rix,
-  /{usr/,}bin/mkdir       rix,
-  /{usr/,}bin/mktemp      rix,
-  /{usr/,}bin/mv          rix,
-  /{usr/,}bin/nproc       rix,
-  /{usr/,}bin/rm          rix,
-  /{usr/,}bin/sha512sum   rix,
-  /{usr/,}bin/tput        rix,
-  /{usr/,}bin/wc          rix,
+  @{bin}/{,ba,da}sh  rix,
+  @{bin}/cat         rix,
+  @{bin}/chmod       rix,
+  @{bin}/curl        rix,
+  @{bin}/date        rix,
+  @{bin}/gettext     rix,
+  @{bin}/git         rPx,
+  @{bin}/gpg{,2}     rPx,
+  @{bin}/grep        rix,
+  @{bin}/makepkg     rix,
+  @{bin}/mkdir       rix,
+  @{bin}/mktemp      rix,
+  @{bin}/mv          rix,
+  @{bin}/nproc       rix,
+  @{bin}/rm          rix,
+  @{bin}/sha512sum   rix,
+  @{bin}/tput        rix,
+  @{bin}/wc          rix,
 
   /usr/share/makepkg/{,**} r,
   /usr/share/terminfo/x/xterm-256color r,
diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio
index 232e4014..828433eb 100644
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/mkinitcpio
+@{exec_path} = @{bin}/mkinitcpio
 profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -21,54 +21,54 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} rmix,
 
-  /{usr/,}{s,}bin/ldconfig        rix,
-  /{usr/,}bin/{,ba}sh             rix,
-  /{usr/,}bin/{m,g,}awk           rix,
-  /{usr/,}bin/bsdtar              rix,
-  /{usr/,}bin/cat                 rix,
-  /{usr/,}bin/cp                  rix,
-  /{usr/,}bin/dd                  rix,
-  /{usr/,}bin/dirname             rix,
-  /{usr/,}bin/fc-match            rix,
-  /{usr/,}bin/find                rix,
-  /{usr/,}bin/findmnt             rPx,
-  /{usr/,}bin/fsck                rix,
-  /{usr/,}bin/getent              rix,
-  /{usr/,}bin/grep                rix,
-  /{usr/,}bin/gzip                rix,
-  /{usr/,}bin/hexdump             rix,
-  /{usr/,}bin/install             rix,
-  /{usr/,}bin/ldd                 rix,
-  /{usr/,}bin/ln                  rix,
-  /{usr/,}bin/loadkeys            rix,
-  /{usr/,}bin/mktemp              rix,
-  /{usr/,}bin/mv                  rix,
-  /{usr/,}bin/od                  rix,
-  /{usr/,}bin/readlink            rix,
-  /{usr/,}bin/realpath            rix,
-  /{usr/,}bin/rm                  rix,
-  /{usr/,}bin/sed                 rix,
-  /{usr/,}bin/sort                rix,
-  /{usr/,}bin/stat                rix,
-  /{usr/,}bin/sync                rix,
-  /{usr/,}bin/tee                 rix,
-  /{usr/,}bin/touch               rix,
-  /{usr/,}bin/tput                rix,
-  /{usr/,}bin/uname               rix,
-  /{usr/,}bin/xargs               rix,
-  /{usr/,}bin/xz                  rix,
-  /{usr/,}bin/zcat                rix,
-  /{usr/,}bin/zstd                rix,
+  @{bin}/{,ba}sh             rix,
+  @{bin}/{m,g,}awk           rix,
+  @{bin}/bsdtar              rix,
+  @{bin}/cat                 rix,
+  @{bin}/cp                  rix,
+  @{bin}/dd                  rix,
+  @{bin}/dirname             rix,
+  @{bin}/fc-match            rix,
+  @{bin}/find                rix,
+  @{bin}/findmnt             rPx,
+  @{bin}/fsck                rix,
+  @{bin}/getent              rix,
+  @{bin}/grep                rix,
+  @{bin}/gzip                rix,
+  @{bin}/hexdump             rix,
+  @{bin}/install             rix,
+  @{bin}/ldconfig            rix,
+  @{bin}/ldd                 rix,
+  @{bin}/ln                  rix,
+  @{bin}/loadkeys            rix,
+  @{bin}/mktemp              rix,
+  @{bin}/mv                  rix,
+  @{bin}/od                  rix,
+  @{bin}/readlink            rix,
+  @{bin}/realpath            rix,
+  @{bin}/rm                  rix,
+  @{bin}/sed                 rix,
+  @{bin}/sort                rix,
+  @{bin}/stat                rix,
+  @{bin}/sync                rix,
+  @{bin}/tee                 rix,
+  @{bin}/touch               rix,
+  @{bin}/tput                rix,
+  @{bin}/uname               rix,
+  @{bin}/xargs               rix,
+  @{bin}/xz                  rix,
+  @{bin}/zcat                rix,
+  @{bin}/zstd                rix,
 
-  /{usr/,}bin/{depmod,insmod}     rPx,
-  /{usr/,}bin/{kmod,lsmod}        rPx,
-  /{usr/,}bin/{modinfo,rmmod}     rPx,
-  /{usr/,}bin/modprobe            rPx,
-  /{usr/,}bin/plymouth            rPx,
-  /{usr/,}bin/plymouth-set-default-theme rPx,
+  @{bin}/{depmod,insmod}     rPx,
+  @{bin}/{kmod,lsmod}        rPx,
+  @{bin}/{modinfo,rmmod}     rPx,
+  @{bin}/modprobe            rPx,
+  @{bin}/plymouth            rPx,
+  @{bin}/plymouth-set-default-theme rPx,
 
-  /{usr/,}lib/initcpio/busybox    rix,
-  /{usr/,}lib{,32,64}/ld-*.so*    rix,
+  @{lib}/initcpio/busybox    rix,
+  @{lib}/ld-*.so*            rix,
 
   /etc/fstab r,
   /etc/initcpio/{,**} r,
@@ -88,11 +88,11 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 
   # Can copy any program to the initframs
   /{usr/,}{local/,}{s,}bin/ r,
-  /{usr/,}bin/[a-z0-9]* mr,
-  /{usr/,}lib/ r,
-  /{usr/,}lib/plymouth/plymouthd-* mr,
-  /{usr/,}lib/systemd/{,**} mr,
-  /{usr/,}lib/udev/[a-z0-9]* mr,
+  @{bin}/[a-z0-9]* mr,
+  @{lib}/ r,
+  @{lib}/plymouth/plymouthd-* mr,
+  @{lib}/systemd/{,**} mr,
+  @{lib}/udev/[a-z0-9]* mr,
 
   # Manage /boot
   / r,
diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache
index 802d5d34..1433f1ef 100644
--- a/apparmor.d/groups/pacman/paccache
+++ b/apparmor.d/groups/pacman/paccache
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/paccache
+@{exec_path} = @{bin}/paccache
 profile paccache @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -16,17 +16,17 @@ profile paccache @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/bash         rix,
-  /{usr/,}bin/cat          rix,
-  /{usr/,}bin/{m,g,}awk    rix,
-  /{usr/,}bin/gettext      rix,
-  /{usr/,}bin/pacman       rPx,
-  /{usr/,}bin/pacman-conf  rPx,
-  /{usr/,}bin/pacsort      rix,
-  /{usr/,}bin/rm           rix,
-  /{usr/,}bin/stat         rix,
-  /{usr/,}bin/tput         rix,
-  /{usr/,}bin/xargs        rix,
+  @{bin}/{m,g,}awk    rix,
+  @{bin}/bash         rix,
+  @{bin}/cat          rix,
+  @{bin}/gettext      rix,
+  @{bin}/pacman       rPx,
+  @{bin}/pacman-conf  rPx,
+  @{bin}/pacsort      rix,
+  @{bin}/rm           rix,
+  @{bin}/stat         rix,
+  @{bin}/tput         rix,
+  @{bin}/xargs        rix,
 
   /usr/share/makepkg/util/*.sh r,
   /usr/share/terminfo/x/xterm-256color r,
diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff
index 2c525797..801e9d39 100644
--- a/apparmor.d/groups/pacman/pacdiff
+++ b/apparmor.d/groups/pacman/pacdiff
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/pacdiff
+@{exec_path} = @{bin}/pacdiff
 profile pacdiff @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
@@ -18,19 +18,19 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh   rix,
-  /{usr/,}bin/cat          rix,
-  /{usr/,}bin/cmp          rix,
-  /{usr/,}bin/find         rix,
-  /{usr/,}bin/{m,g,}awk    rix,
-  /{usr/,}bin/locate       rix,
-  /{usr/,}bin/pacman       rix,
-  /{usr/,}bin/pacman-conf  rPx,
-  /{usr/,}bin/pacsort      rix,
-  /{usr/,}bin/rm           rix,
-  /{usr/,}bin/sed          rix,
-  /{usr/,}bin/tput         rix,
-  /{usr/,}bin/vim          rix,
+  @{bin}/{,ba,da}sh   rix,
+  @{bin}/{m,g,}awk    rix,
+  @{bin}/cat          rix,
+  @{bin}/cmp          rix,
+  @{bin}/find         rix,
+  @{bin}/locate       rix,
+  @{bin}/pacman       rix,
+  @{bin}/pacman-conf  rPx,
+  @{bin}/pacsort      rix,
+  @{bin}/rm           rix,
+  @{bin}/sed          rix,
+  @{bin}/tput         rix,
+  @{bin}/vim          rix,
 
   # packages files
   / r,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 7c10ad1f..82f894bb 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/pacman
+@{exec_path} = @{bin}/pacman
 profile pacman @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -45,70 +45,70 @@ profile pacman @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/gpg{,2}      rCx -> gpg,
-  /{usr/,}bin/gpgconf      rCx -> gpg,
-  /{usr/,}bin/gpgsm        rCx -> gpg,
+  @{bin}/gpg{,2}      rCx -> gpg,
+  @{bin}/gpgconf      rCx -> gpg,
+  @{bin}/gpgsm        rCx -> gpg,
   
-  /{usr/,}bin/sync                       mrix,
+  @{bin}/sync                       mrix,
 
   # Pacman hooks & install scripts
-  /{usr/,}{s,}bin/ldconfig                rix,
-  /{usr/,}bin/{,ba}sh                     rix,
-  /{usr/,}bin/cat                         rix,
-  /{usr/,}bin/chgrp                       rix,
-  /{usr/,}bin/chmod                       rix,
-  /{usr/,}bin/cp                          rix,
-  /{usr/,}bin/dot                         rix,
-  /{usr/,}bin/env                         rix,
-  /{usr/,}bin/filecap                     rix,
-  /{usr/,}bin/find                        rix,
-  /{usr/,}bin/gdbus                       rix,
-  /{usr/,}bin/getent                      rix,
-  /{usr/,}bin/gettext                     rix,
-  /{usr/,}bin/ghc-pkg-*                   rix,
-  /{usr/,}bin/grep                        rix,
-  /{usr/,}bin/head                        rix,
-  /{usr/,}bin/iscsi-iname                 rix,
-  /{usr/,}bin/killall                     rix,
-  /{usr/,}bin/ln                          rix,
-  /{usr/,}bin/perl                        rix,
-  /{usr/,}bin/pkill                       rix,
-  /{usr/,}bin/pwd                         rix,
-  /{usr/,}bin/rm                          rix,
-  /{usr/,}bin/sed                         rix,
-  /{usr/,}bin/setcap                      rix,
-  /{usr/,}bin/touch                       rix,
-  /{usr/,}bin/tput                        rix,
-  /{usr/,}bin/vercmp                      rix,
-  /{usr/,}bin/xmlcatalog                  rix,
-  /{usr/,}lib/ghc-*/bin/ghc-pkg           rix,
-  /{usr/,}bin/appstreamcli                rPx,
-  /{usr/,}bin/arch-audit                  rPx,
-  /{usr/,}bin/archlinux-java              rPx,
-  /{usr/,}bin/bootctl                     rPx,
-  /{usr/,}bin/dconf                       rPx,
-  /{usr/,}bin/fc-cache{,-32}              rPx,
-  /{usr/,}bin/gdk-pixbuf-query-loaders    rPx,
-  /{usr/,}bin/gio-querymodules            rPx,
-  /{usr/,}bin/glib-compile-schemas        rPx,
-  /{usr/,}bin/groupadd                    rPx,
-  /{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx,
-  /{usr/,}bin/install-catalog             rPx,
-  /{usr/,}bin/install-info                rPx,
-  /{usr/,}bin/journalctl                  rPx,
-  /{usr/,}bin/locale-gen                  rPx,
-  /{usr/,}bin/mkinitcpio                  rPx,
-  /{usr/,}bin/pacdiff                     rPx,
-  /{usr/,}bin/pacman-key                  rPx,
-  /{usr/,}bin/sbctl                       rPx,
-  /{usr/,}bin/sysctl                      rPx,
-  /{usr/,}bin/systemctl                   rPx -> child-systemctl,
-  /{usr/,}bin/systemd-*                   rPx,
-  /{usr/,}bin/update-ca-trust             rPx,
-  /{usr/,}bin/update-desktop-database     rPx,
-  /{usr/,}bin/update-mime-database        rPx,
-  /{usr/,}lib/systemd/systemd-*           rPx,
-  /{usr/,}lib/vlc/vlc-cache-gen           rPx,
+  @{bin}/{,ba}sh                     rix,
+  @{bin}/appstreamcli                rPx,
+  @{bin}/arch-audit                  rPx,
+  @{bin}/archlinux-java              rPx,
+  @{bin}/bootctl                     rPx,
+  @{bin}/cat                         rix,
+  @{bin}/chgrp                       rix,
+  @{bin}/chmod                       rix,
+  @{bin}/cp                          rix,
+  @{bin}/dconf                       rPx,
+  @{bin}/dot                         rix,
+  @{bin}/env                         rix,
+  @{bin}/fc-cache{,-32}              rPx,
+  @{bin}/filecap                     rix,
+  @{bin}/find                        rix,
+  @{bin}/gdbus                       rix,
+  @{bin}/gdk-pixbuf-query-loaders    rPx,
+  @{bin}/getent                      rix,
+  @{bin}/gettext                     rix,
+  @{bin}/ghc-pkg-*                   rix,
+  @{bin}/gio-querymodules            rPx,
+  @{bin}/glib-compile-schemas        rPx,
+  @{bin}/grep                        rix,
+  @{bin}/groupadd                    rPx,
+  @{bin}/gtk-query-immodules-{2,3}.0 rPx,
+  @{bin}/head                        rix,
+  @{bin}/install-catalog             rPx,
+  @{bin}/install-info                rPx,
+  @{bin}/iscsi-iname                 rix,
+  @{bin}/journalctl                  rPx,
+  @{bin}/killall                     rix,
+  @{bin}/ldconfig                    rix,
+  @{bin}/ln                          rix,
+  @{bin}/locale-gen                  rPx,
+  @{bin}/mkinitcpio                  rPx,
+  @{bin}/pacdiff                     rPx,
+  @{bin}/pacman-key                  rPx,
+  @{bin}/perl                        rix,
+  @{bin}/pkill                       rix,
+  @{bin}/pwd                         rix,
+  @{bin}/rm                          rix,
+  @{bin}/sbctl                       rPx,
+  @{bin}/sed                         rix,
+  @{bin}/setcap                      rix,
+  @{bin}/sysctl                      rPx,
+  @{bin}/systemctl                   rPx -> child-systemctl,
+  @{bin}/systemd-*                   rPx,
+  @{bin}/touch                       rix,
+  @{bin}/tput                        rix,
+  @{bin}/update-ca-trust             rPx,
+  @{bin}/update-desktop-database     rPx,
+  @{bin}/update-mime-database        rPx,
+  @{bin}/vercmp                      rix,
+  @{bin}/xmlcatalog                  rix,
+  @{lib}/ghc-*/bin/ghc-pkg           rix,
+  @{lib}/systemd/systemd-*           rPx,
+  @{lib}/vlc/vlc-cache-gen           rPx,
   /opt/Mullvad*/resources/mullvad-setup   rPx,
   /usr/share/code-features/patch.sh       rPx,
   /usr/share/libalpm/scripts/*           rPUx,
@@ -160,13 +160,13 @@ profile pacman @{exec_path} {
 
     capability dac_read_search,
 
-    /{usr/,}bin/gpg{,2} mr,
-    /{usr/,}bin/gpgconf mr,
-    /{usr/,}bin/gpgsm   mr,
+    @{bin}/gpg{,2} mr,
+    @{bin}/gpgconf mr,
+    @{bin}/gpgsm   mr,
 
-    /{usr/,}bin/dirmngr           rix,
-    /{usr/,}bin/gpg-agent         rix,
-    /{usr/,}bin/gpg-connect-agent rix,
+    @{bin}/dirmngr           rix,
+    @{bin}/gpg-agent         rix,
+    @{bin}/gpg-connect-agent rix,
 
     /etc/pacman.d/gnupg/ rw,
     /etc/pacman.d/gnupg/** rwkl,
diff --git a/apparmor.d/groups/pacman/pacman-conf b/apparmor.d/groups/pacman/pacman-conf
index 25b4728c..66525583 100644
--- a/apparmor.d/groups/pacman/pacman-conf
+++ b/apparmor.d/groups/pacman/pacman-conf
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/pacman-conf
+@{exec_path} = @{bin}/pacman-conf
 profile pacman-conf @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code
index 00d47d56..e9872617 100644
--- a/apparmor.d/groups/pacman/pacman-hook-code
+++ b/apparmor.d/groups/pacman/pacman-hook-code
@@ -14,13 +14,13 @@ profile pacman-hook-code @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba}sh     rix,
-  /{usr/,}bin/env         rix,
-  /{usr/,}bin/grep        rix,
-  /{usr/,}bin/sed         rix,
+  @{bin}/{,ba}sh     rix,
+  @{bin}/env         rix,
+  @{bin}/grep        rix,
+  @{bin}/sed         rix,
 
-  /{usr/,}lib/code/product.json rw,
-  /{usr/,}lib/code/sed?????? rw,
+  @{lib}/code/product.json rw,
+  @{lib}/code/sed?????? rw,
 
   /dev/tty rw,
 
diff --git a/apparmor.d/groups/pacman/pacman-hook-dconf b/apparmor.d/groups/pacman/pacman-hook-dconf
index a4f0d2fa..3df5df96 100644
--- a/apparmor.d/groups/pacman/pacman-hook-dconf
+++ b/apparmor.d/groups/pacman/pacman-hook-dconf
@@ -14,9 +14,9 @@ profile pacman-hook-dconf @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/bash  rix,
-  /{usr/,}bin/rm    rix,
-  /{usr/,}bin/dconf rPx,
+  @{bin}/bash  rix,
+  @{bin}/rm    rix,
+  @{bin}/dconf rPx,
 
   /etc/dconf/db/{,**} rw,
 
diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod
index bee1028f..b4492608 100644
--- a/apparmor.d/groups/pacman/pacman-hook-depmod
+++ b/apparmor.d/groups/pacman/pacman-hook-depmod
@@ -14,12 +14,12 @@ profile pacman-hook-depmod @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/basename  rix,
-  /{usr/,}bin/bash      rix,
-  /{usr/,}bin/depmod    rPx,
-  /{usr/,}bin/kmod      rPx,
-  /{usr/,}bin/rm        rix,
-  /{usr/,}bin/rmdir     rix,
+  @{bin}/basename  rix,
+  @{bin}/bash      rix,
+  @{bin}/depmod    rPx,
+  @{bin}/kmod      rPx,
+  @{bin}/rm        rix,
+  @{bin}/rmdir     rix,
 
   /usr/lib/modules/*/{,**} rw,
 
diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms
index 8c08ea49..45fc865a 100644
--- a/apparmor.d/groups/pacman/pacman-hook-dkms
+++ b/apparmor.d/groups/pacman/pacman-hook-dkms
@@ -17,10 +17,10 @@ profile pacman-hook-dkms @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/bash rix,
-  /{usr/,}bin/dkms rPx,
-  /{usr/,}bin/kmod rPx,
-  /{usr/,}bin/nproc rix,
+  @{bin}/bash rix,
+  @{bin}/dkms rPx,
+  @{bin}/kmod rPx,
+  @{bin}/nproc rix,
 
   /usr/src/ r,
   /usr/src/**.conf r,
diff --git a/apparmor.d/groups/pacman/pacman-hook-fontconfig b/apparmor.d/groups/pacman/pacman-hook-fontconfig
index 38166f03..5ceeaed4 100644
--- a/apparmor.d/groups/pacman/pacman-hook-fontconfig
+++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig
@@ -14,9 +14,9 @@ profile pacman-hook-fontconfig @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/bash  rix,
-  /{usr/,}bin/ln    rix,
-  /{usr/,}bin/rm    rix,
+  @{bin}/bash  rix,
+  @{bin}/ln    rix,
+  @{bin}/rm    rix,
 
   /etc/fonts/conf.d/* rwl,
   /usr/share/fontconfig/conf.default/* r,
diff --git a/apparmor.d/groups/pacman/pacman-hook-gio b/apparmor.d/groups/pacman/pacman-hook-gio
index b748c39c..a282ec3e 100644
--- a/apparmor.d/groups/pacman/pacman-hook-gio
+++ b/apparmor.d/groups/pacman/pacman-hook-gio
@@ -14,12 +14,12 @@ profile pacman-hook-gio @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/bash             rix,
-  /{usr/,}bin/rmdir            rix,
-  /{usr/,}bin/gio-querymodules rPx,
+  @{bin}/bash             rix,
+  @{bin}/rmdir            rix,
+  @{bin}/gio-querymodules rPx,
 
-  /{usr/,}lib/gio/modules/giomodule.cache{,.[0-9A-Z]*} rw,
-  /{usr/,}lib/gtk-{3,4}.0/**/*/ rw,
+  @{lib}/gio/modules/giomodule.cache{,.[0-9A-Z]*} rw,
+  @{lib}/gtk-{3,4}.0/**/*/ rw,
 
   /usr/lib/gio/modules/ rw,
 
diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk b/apparmor.d/groups/pacman/pacman-hook-gtk
index e110ded4..792732d9 100644
--- a/apparmor.d/groups/pacman/pacman-hook-gtk
+++ b/apparmor.d/groups/pacman/pacman-hook-gtk
@@ -14,12 +14,12 @@ profile pacman-hook-gtk @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/bash  rix,
-  /{usr/,}bin/rm    rix,
-  /{usr/,}bin/rmdir rix,
+  @{bin}/bash  rix,
+  @{bin}/rm    rix,
+  @{bin}/rmdir rix,
 
-  /{usr/,}bin/gtk-update-icon-cache rPx,
-  /{usr/,}bin/gtk4-update-icon-cache rPx,
+  @{bin}/gtk-update-icon-cache rPx,
+  @{bin}/gtk4-update-icon-cache rPx,
 
   /usr/share/icons/{,**} rw,
 
diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
index 0873d91c..380cc8e6 100644
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
@@ -18,18 +18,18 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/bash       rix,
-  /{usr/,}bin/cmp        rix,
-  /{usr/,}bin/compgen    rix,
-  /{usr/,}bin/env        rix,
-  /{usr/,}bin/install    rix,
-  /{usr/,}bin/mkinitcpio rPx,
-  /{usr/,}bin/mv         rix,
-  /{usr/,}bin/od         rix,
-  /{usr/,}bin/rm         rix,
-  /{usr/,}bin/sed        rix,
-  /{usr/,}bin/sort       rix,
-  /{usr/,}bin/stat       rix,
+  @{bin}/bash       rix,
+  @{bin}/cmp        rix,
+  @{bin}/compgen    rix,
+  @{bin}/env        rix,
+  @{bin}/install    rix,
+  @{bin}/mkinitcpio rPx,
+  @{bin}/mv         rix,
+  @{bin}/od         rix,
+  @{bin}/rm         rix,
+  @{bin}/sed        rix,
+  @{bin}/sort       rix,
+  @{bin}/stat       rix,
 
   /usr/share/mkinitcpio/*.preset r,
 
diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove
index 2280c274..4450ab52 100644
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove
@@ -15,11 +15,11 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/bash  rix,
-  /{usr/,}bin/cmp   rix,
-  /{usr/,}bin/mv    rix,
-  /{usr/,}bin/rm    rix,
-  /{usr/,}bin/sed   rix,
+  @{bin}/bash  rix,
+  @{bin}/cmp   rix,
+  @{bin}/mv    rix,
+  @{bin}/rm    rix,
+  @{bin}/sed   rix,
 
   /usr/share/mkinitcpio/*.preset r,
   /etc/mkinitcpio.d/*.preset rw,
diff --git a/apparmor.d/groups/pacman/pacman-hook-perl b/apparmor.d/groups/pacman/pacman-hook-perl
index b18a6005..dfae7208 100644
--- a/apparmor.d/groups/pacman/pacman-hook-perl
+++ b/apparmor.d/groups/pacman/pacman-hook-perl
@@ -15,13 +15,13 @@ profile pacman-hook-perl @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/perl    rix,
-  /{usr/,}bin/bash    rix,
-  /{usr/,}bin/find    rix,
-  /{usr/,}bin/pacman  rPx,
-  /{usr/,}bin/sed     rix,
+  @{bin}/perl    rix,
+  @{bin}/bash    rix,
+  @{bin}/find    rix,
+  @{bin}/pacman  rPx,
+  @{bin}/sed     rix,
 
-  /{usr/,}lib/perl[0-9]*/{,**} r,
+  @{lib}/perl[0-9]*/{,**} r,
 
   /dev/tty rw,
 
diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd
index 8cf65c3d..3fd46b11 100644
--- a/apparmor.d/groups/pacman/pacman-hook-systemd
+++ b/apparmor.d/groups/pacman/pacman-hook-systemd
@@ -15,18 +15,18 @@ profile pacman-hook-systemd @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/bash  rix,
-  /{usr/,}bin/touch rix,
+  @{bin}/bash  rix,
+  @{bin}/touch rix,
 
-  /{usr/,}bin/journalctl             rPx,
-  /{usr/,}bin/systemctl              rPx -> child-systemctl,
-  /{usr/,}bin/systemd-detect-virt    rPx,
-  /{usr/,}bin/systemd-hwdb           rPx,
-  /{usr/,}bin/systemd-sysusers       rPx,
-  /{usr/,}bin/systemd-tmpfiles       rPx,
-  /{usr/,}bin/udevadm                rPx,
-  /{usr/,}lib/systemd/systemd-binfmt rPx,
-  /{usr/,}lib/systemd/systemd-sysctl rPx,
+  @{bin}/journalctl             rPx,
+  @{bin}/systemctl              rPx -> child-systemctl,
+  @{bin}/systemd-detect-virt    rPx,
+  @{bin}/systemd-hwdb           rPx,
+  @{bin}/systemd-sysusers       rPx,
+  @{bin}/systemd-tmpfiles       rPx,
+  @{bin}/udevadm                rPx,
+  @{lib}/systemd/systemd-binfmt rPx,
+  @{lib}/systemd/systemd-sysctl rPx,
 
   /usr/ rw,
 
diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key
index 523b7b11..93e542b7 100644
--- a/apparmor.d/groups/pacman/pacman-key
+++ b/apparmor.d/groups/pacman/pacman-key
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/pacman-key
+@{exec_path} = @{bin}/pacman-key
 profile pacman-key @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -16,18 +16,18 @@ profile pacman-key @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/basename     rix,
-  /{usr/,}bin/bash         rix,
-  /{usr/,}bin/chmod        rix,
-  /{usr/,}bin/{m,g,}awk    rix,
-  /{usr/,}bin/gettext      rix,
-  /{usr/,}bin/gpg{,2}      rCx -> gpg,
-  /{usr/,}bin/grep         rix,
-  /{usr/,}bin/pacman-conf  rPx,
-  /{usr/,}bin/touch        rix,
-  /{usr/,}bin/tput         rix,
-  /{usr/,}bin/vercmp       rix,
-  /{usr/,}bin/wc           rix,
+  @{bin}/basename     rix,
+  @{bin}/bash         rix,
+  @{bin}/chmod        rix,
+  @{bin}/{m,g,}awk    rix,
+  @{bin}/gettext      rix,
+  @{bin}/gpg{,2}      rCx -> gpg,
+  @{bin}/grep         rix,
+  @{bin}/pacman-conf  rPx,
+  @{bin}/touch        rix,
+  @{bin}/tput         rix,
+  @{bin}/vercmp       rix,
+  @{bin}/wc           rix,
 
   /usr/share/makepkg/{,**} r,
   /usr/share/pacman/keyrings/{,*} r,
@@ -45,9 +45,9 @@ profile pacman-key @{exec_path} {
     capability dac_read_search,
     capability mknod,
 
-    /{usr/,}bin/gpg{,2}     mr,
-    /{usr/,}bin/dirmngr    rix,
-    /{usr/,}bin/gpg-agent  rix,
+    @{bin}/gpg{,2}     mr,
+    @{bin}/dirmngr    rix,
+    @{bin}/gpg-agent  rix,
 
     /usr/share/pacman/keyrings/{,*} r,
 
diff --git a/apparmor.d/groups/pacman/reflector b/apparmor.d/groups/pacman/reflector
index 337a8e80..71a77d57 100644
--- a/apparmor.d/groups/pacman/reflector
+++ b/apparmor.d/groups/pacman/reflector
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/reflector
+@{exec_path} = @{bin}/reflector
 profile reflector @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -21,7 +21,7 @@ profile reflector @{exec_path} flags=(attach_disconnected) {
   network netlink raw,
 
   @{exec_path} mr,
-  /{usr/,}bin/  r,
+  @{bin}/  r,
 
   /etc/xdg/reflector/reflector.conf r,
   /etc/pacman.d/mirrorlist rw,
diff --git a/apparmor.d/groups/ssh/sftp-server b/apparmor.d/groups/ssh/sftp-server
index dc504d67..422c098d 100644
--- a/apparmor.d/groups/ssh/sftp-server
+++ b/apparmor.d/groups/ssh/sftp-server
@@ -6,8 +6,8 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/openssh/sftp-server
-@{exec_path} += /{usr/,}lib/ssh/sftp-server
+@{exec_path} = @{lib}/openssh/sftp-server
+@{exec_path} += @{lib}/ssh/sftp-server
 profile sftp-server @{exec_path} {
   include <abstractions/base>
   include <abstractions/openssl>
diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh
index 8eb1ef4a..7e357cdb 100644
--- a/apparmor.d/groups/ssh/ssh
+++ b/apparmor.d/groups/ssh/ssh
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ssh
+@{exec_path} = @{bin}/ssh
 profile ssh @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -24,8 +24,8 @@ profile ssh @{exec_path} {
 
   @{exec_path} mrix,
 
-  /{usr/,}bin/{,b,d,rb}ash  rix,
-  /{usr/,}bin/{c,k,tc,z}sh  rix,
+  @{bin}/{,b,d,rb}ash  rix,
+  @{bin}/{c,k,tc,z}sh  rix,
 
   @{etc_ro}/ssh/ssh_config r,
   @{etc_ro}/ssh/sshd_config r,
diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent
index db1fb560..ba240045 100644
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ssh-agent
+@{exec_path} = @{bin}/ssh-agent
 profile ssh-agent @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -18,14 +18,14 @@ profile ssh-agent @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh            rix,
-  /{usr/,}bin/enlightenment_start  rPUx,
-  /{usr/,}bin/gpg-agent             rPx,
-  /{usr/,}bin/im-launch            rPUx,
-  /{usr/,}bin/kwalletaskpass       rPUx,
-  /{usr/,}bin/openbox-session       rPx,
-  /{usr/,}bin/startkde             rPUx,
-  /{usr/,}bin/sway                 rPUx,
+  @{bin}/{,ba,da}sh            rix,
+  @{bin}/enlightenment_start  rPUx,
+  @{bin}/gpg-agent             rPx,
+  @{bin}/im-launch            rPUx,
+  @{bin}/kwalletaskpass       rPUx,
+  @{bin}/openbox-session       rPx,
+  @{bin}/startkde             rPUx,
+  @{bin}/sway                 rPUx,
 
   owner @{HOME}/@{XDG_SSH_DIR}/ rw,
   owner @{HOME}/@{XDG_SSH_DIR}/* r,
diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch
index 10bebca7..bc02b550 100644
--- a/apparmor.d/groups/ssh/ssh-agent-launch
+++ b/apparmor.d/groups/ssh/ssh-agent-launch
@@ -6,13 +6,13 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/openssh/agent-launch
+@{exec_path} = @{lib}/openssh/agent-launch
 profile ssh-agent-launch @{exec_path} {
   include <abstractions/base>
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,z,ba,da}sh  rix,
+  @{bin}/{,z,ba,da}sh  rix,
 
   include if exists <local/ssh-agent-launch>
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen
index 1d273d86..b314d158 100644
--- a/apparmor.d/groups/ssh/ssh-keygen
+++ b/apparmor.d/groups/ssh/ssh-keygen
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ssh-keygen
+@{exec_path} = @{bin}/ssh-keygen
 
 profile ssh-keygen @{exec_path} {
   include <abstractions/base>
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index a0d2934e..29d7fc61 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -15,7 +15,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/sshd
+@{exec_path} = @{bin}/sshd
 profile sshd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/authentication>
@@ -59,12 +59,12 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mrix,
 
-  /{usr/,}{s,}bin/nologin          rPx,
-  /{usr/,}bin/{,b,d,rb}ash         rUx,
-  /{usr/,}bin/{c,k,tc,z}sh         rUx,
-  /{usr/,}bin/false                rix,
-  /{usr/,}bin/passwd               rPx,
-  /{usr/,}lib/openssh/sftp-server  rPx,
+  @{bin}/{,b,d,rb}ash         rUx,
+  @{bin}/{c,k,tc,z}sh         rUx,
+  @{bin}/false                rix,
+  @{bin}/nologin              rPx,
+  @{bin}/passwd               rPx,
+  @{lib}/openssh/sftp-server  rPx,
 
   @{etc_ro}/environment r,
   @{etc_ro}/security/limits.d/{,*.conf} r,
diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs
index ff1c2b89..7791871a 100644
--- a/apparmor.d/groups/ssh/sshfs
+++ b/apparmor.d/groups/ssh/sshfs
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/sshfs
+@{exec_path} = @{bin}/sshfs
 profile sshfs @{exec_path} flags=(complain) {
   include <abstractions/base>
 
@@ -14,8 +14,8 @@ profile sshfs @{exec_path} flags=(complain) {
 
   unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none),
 
-  /{usr/,}bin/ssh            rPx,
-  /{usr/,}bin/fusermount{,3} rCx -> fusermount,
+  @{bin}/ssh            rPx,
+  @{bin}/fusermount{,3} rCx -> fusermount,
 
   /dev/fuse rw,
 
@@ -34,7 +34,7 @@ profile sshfs @{exec_path} flags=(complain) {
 
     unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none),
 
-    /{usr/,}bin/fusermount{,3} mr,
+    @{bin}/fusermount{,3} mr,
 
     mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/,
     mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/,
diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl
index 59cc16c4..77157542 100644
--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/bootctl
+@{exec_path} = @{bin}/bootctl
 profile bootctl @{exec_path} {
   include <abstractions/base>
   include <abstractions/systemd-common>
@@ -20,9 +20,9 @@ profile bootctl @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/less  rPx -> child-pager,
-  /{usr/,}bin/more  rPx -> child-pager,
-  /{usr/,}bin/pager rPx -> child-pager,
+  @{bin}/less  rPx -> child-pager,
+  @{bin}/more  rPx -> child-pager,
+  @{bin}/pager rPx -> child-pager,
 
   /{boot,efi}/ r,
   /{boot,efi}/EFI/{,**} r,
diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl
index 6cd88e78..97ab3af3 100644
--- a/apparmor.d/groups/systemd/busctl
+++ b/apparmor.d/groups/systemd/busctl
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/busctl
+@{exec_path} = @{bin}/busctl
 profile busctl @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -15,9 +15,9 @@ profile busctl @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/less  rPx -> child-pager,
-  /{usr/,}bin/more  rPx -> child-pager,
-  /{usr/,}bin/pager rPx -> child-pager,
+  @{bin}/less  rPx -> child-pager,
+  @{bin}/more  rPx -> child-pager,
+  @{bin}/pager rPx -> child-pager,
 
   @{PROC}/@{pids}/cgroup r,
   @{PROC}/@{pids}/comm r,
diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl
index 22612714..c282c115 100644
--- a/apparmor.d/groups/systemd/coredumpctl
+++ b/apparmor.d/groups/systemd/coredumpctl
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path}  = /{usr/,}bin/coredumpctl
+@{exec_path}  = @{bin}/coredumpctl
 profile coredumpctl @{exec_path} flags=(complain) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -18,11 +18,11 @@ profile coredumpctl @{exec_path} flags=(complain) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/gdb   rCx -> gdb,
+  @{bin}/gdb   rCx -> gdb,
 
-  /{usr/,}bin/less  rPx -> child-pager,
-  /{usr/,}bin/more  rPx -> child-pager,
-  /{usr/,}bin/pager rPx -> child-pager,
+  @{bin}/less  rPx -> child-pager,
+  @{bin}/more  rPx -> child-pager,
+  @{bin}/pager rPx -> child-pager,
 
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,
@@ -49,10 +49,10 @@ profile coredumpctl @{exec_path} flags=(complain) {
 
     ptrace (trace),
 
-    /{usr/,}bin/gdb    mr,
-    /{usr/,}bin/iconv  rix,
+    @{bin}/gdb    mr,
+    @{bin}/iconv  rix,
 
-    /{usr/,}{s,}bin/* r,
+    @{bin}/* r,
 
     /usr/share/gcc-[0-9]*/python/{,**} r,
     /usr/share/gcc/** r,
diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl
index a6a59330..7f1bf1dc 100644
--- a/apparmor.d/groups/systemd/hostnamectl
+++ b/apparmor.d/groups/systemd/hostnamectl
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/hostnamectl
+@{exec_path} = @{bin}/hostnamectl
 profile hostnamectl @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl
index df5dba29..249d0a6c 100644
--- a/apparmor.d/groups/systemd/journalctl
+++ b/apparmor.d/groups/systemd/journalctl
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/journalctl
+@{exec_path} = @{bin}/journalctl
 profile journalctl @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -23,9 +23,9 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/less  rPx -> child-pager,
-  /{usr/,}bin/more  rPx -> child-pager,
-  /{usr/,}bin/pager rPx -> child-pager,
+  @{bin}/less  rPx -> child-pager,
+  @{bin}/more  rPx -> child-pager,
+  @{bin}/pager rPx -> child-pager,
 
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,
diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl
index 75809d3c..a508b9df 100644
--- a/apparmor.d/groups/systemd/localectl
+++ b/apparmor.d/groups/systemd/localectl
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/localectl
+@{exec_path} = @{bin}/localectl
 profile localectl @{exec_path} {
   include <abstractions/base>
   include <abstractions/systemd-common>
@@ -15,9 +15,9 @@ profile localectl @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/less  rPx -> child-pager,
-  /{usr/,}bin/more  rPx -> child-pager,
-  /{usr/,}bin/pager rPx -> child-pager,
+  @{bin}/less  rPx -> child-pager,
+  @{bin}/more  rPx -> child-pager,
+  @{bin}/pager rPx -> child-pager,
 
   /usr/share/kbd/keymaps/{,**} r,
 
diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl
index b3e7ca25..0b0e4183 100644
--- a/apparmor.d/groups/systemd/loginctl
+++ b/apparmor.d/groups/systemd/loginctl
@@ -27,9 +27,9 @@ profile loginctl @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/less  rPx -> child-pager,
-  /{usr/,}bin/more  rPx -> child-pager,
-  /{usr/,}bin/pager rPx -> child-pager,
+  @{bin}/less  rPx -> child-pager,
+  @{bin}/more  rPx -> child-pager,
+  @{bin}/pager rPx -> child-pager,
 
   include if exists <local/loginctl>
 }
diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl
index 3c6e44fc..3200f41a 100644
--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/networkctl
+@{exec_path} = @{bin}/networkctl
 profile networkctl @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-strict>
@@ -31,9 +31,9 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/less  rPx -> child-pager,
-  /{usr/,}bin/more  rPx -> child-pager,
-  /{usr/,}bin/pager rPx -> child-pager,
+  @{bin}/less  rPx -> child-pager,
+  @{bin}/more  rPx -> child-pager,
+  @{bin}/pager rPx -> child-pager,
 
   /etc/udev/hwdb.bin r,
   /var/lib/dbus/machine-id r,
diff --git a/apparmor.d/groups/systemd/systemd-ac-power b/apparmor.d/groups/systemd/systemd-ac-power
index 53675812..5189419d 100644
--- a/apparmor.d/groups/systemd/systemd-ac-power
+++ b/apparmor.d/groups/systemd/systemd-ac-power
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-ac-power
+@{exec_path} = @{lib}/systemd/systemd-ac-power
 profile systemd-ac-power @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze
index 2a417978..92d042b9 100644
--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/systemd-analyze
+@{exec_path} = @{bin}/systemd-analyze
 profile systemd-analyze @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -36,15 +36,15 @@ profile systemd-analyze @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}lib/systemd/system-environment-generators/* rix,
+  @{lib}/systemd/system-environment-generators/* rix,
 
-  /{usr/,}bin/pager     rPx -> child-pager,
-  /{usr/,}bin/less      rPx -> child-pager,
-  /{usr/,}bin/more      rPx -> child-pager,
-  /{usr/,}bin/man       rPx,
+  @{bin}/pager     rPx -> child-pager,
+  @{bin}/less      rPx -> child-pager,
+  @{bin}/more      rPx -> child-pager,
+  @{bin}/man       rPx,
 
   /usr/ r,
-  /{usr/,}lib/systemd/** r,
+  @{lib}/systemd/** r,
 
   /etc/default/locale r,
   /etc/locale.conf r,
diff --git a/apparmor.d/groups/systemd/systemd-ask-password b/apparmor.d/groups/systemd/systemd-ask-password
index 2f4bded5..487fdb03 100644
--- a/apparmor.d/groups/systemd/systemd-ask-password
+++ b/apparmor.d/groups/systemd/systemd-ask-password
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/systemd-ask-password
+@{exec_path} = @{bin}/systemd-ask-password
 profile systemd-ask-password @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight
index bcc9f182..48717f24 100644
--- a/apparmor.d/groups/systemd/systemd-backlight
+++ b/apparmor.d/groups/systemd/systemd-backlight
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-backlight
+@{exec_path} = @{lib}/systemd/systemd-backlight
 profile systemd-backlight @{exec_path} {
   include <abstractions/base>
   include <abstractions/systemd-common>
diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt
index a93bee25..7d7953f8 100644
--- a/apparmor.d/groups/systemd/systemd-binfmt
+++ b/apparmor.d/groups/systemd/systemd-binfmt
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-binfmt
+@{exec_path} = @{lib}/systemd/systemd-binfmt
 profile systemd-binfmt @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/systemd/systemd-cat b/apparmor.d/groups/systemd/systemd-cat
index b66f8a79..cead724a 100644
--- a/apparmor.d/groups/systemd/systemd-cat
+++ b/apparmor.d/groups/systemd/systemd-cat
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/systemd-cat
+@{exec_path} = @{bin}/systemd-cat
 profile systemd-cat @{exec_path} {
   include <abstractions/base>
 
@@ -14,7 +14,7 @@ profile systemd-cat @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/cat rix,
+  @{bin}/cat rix,
 
   include if exists <local/systemd-cat>
 }
diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls
index 10b1671f..d7e8f48c 100644
--- a/apparmor.d/groups/systemd/systemd-cgls
+++ b/apparmor.d/groups/systemd/systemd-cgls
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/systemd-cgls
+@{exec_path} = @{bin}/systemd-cgls
 profile systemd-cgls @{exec_path} {
   include <abstractions/base>
 
@@ -14,9 +14,9 @@ profile systemd-cgls @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/less  rPx -> child-pager,
-  /{usr/,}bin/more  rPx -> child-pager,
-  /{usr/,}bin/pager rPx -> child-pager,
+  @{bin}/less  rPx -> child-pager,
+  @{bin}/more  rPx -> child-pager,
+  @{bin}/pager rPx -> child-pager,
 
   @{sys}/fs/cgroup/{,**} r,
 
diff --git a/apparmor.d/groups/systemd/systemd-cgtop b/apparmor.d/groups/systemd/systemd-cgtop
index edb6b844..ee0fc15a 100644
--- a/apparmor.d/groups/systemd/systemd-cgtop
+++ b/apparmor.d/groups/systemd/systemd-cgtop
@@ -6,15 +6,15 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/systemd-cgtop
+@{exec_path} = @{bin}/systemd-cgtop
 profile systemd-cgtop @{exec_path} {
   include <abstractions/base>
 
   @{exec_path} mr,
 
-  /{usr/,}bin/less  rPx -> child-pager,
-  /{usr/,}bin/more  rPx -> child-pager,
-  /{usr/,}bin/pager rPx -> child-pager,
+  @{bin}/less  rPx -> child-pager,
+  @{bin}/more  rPx -> child-pager,
+  @{bin}/pager rPx -> child-pager,
 
   @{sys}/fs/cgroup/{,**} r,
 
diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump
index e000595d..c35c2a55 100644
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path}  = /{usr/,}lib/systemd/systemd-coredump
+@{exec_path}  = @{lib}/systemd/systemd-coredump
 profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -27,9 +27,9 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
 
   @{exec_path} mr,
 
-  @{libexec}/** r,
+  @{lib}/** r,
   / r,
-  /{usr/,}{s,}bin/* r,
+  @{bin}/* r,
   /opt/** r,
 
   /etc/systemd/coredump.conf r,
diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup
index cde503dd..9d5916f8 100644
--- a/apparmor.d/groups/systemd/systemd-cryptsetup
+++ b/apparmor.d/groups/systemd/systemd-cryptsetup
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-cryptsetup
+@{exec_path} = @{lib}/systemd/systemd-cryptsetup
 profile systemd-cryptsetup @{exec_path} {
   include <abstractions/base>
   include <abstractions/systemd-common>
diff --git a/apparmor.d/groups/systemd/systemd-delta b/apparmor.d/groups/systemd/systemd-delta
index 6e3da17f..1c078de0 100644
--- a/apparmor.d/groups/systemd/systemd-delta
+++ b/apparmor.d/groups/systemd/systemd-delta
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/systemd-delta
+@{exec_path} = @{bin}/systemd-delta
 profile systemd-delta @{exec_path} {
   include <abstractions/base>
 
@@ -14,7 +14,7 @@ profile systemd-delta @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/less  rPx -> child-pager,
+  @{bin}/less  rPx -> child-pager,
 
   /etc/binfmt.d/{,**} r,
   /etc/modprobe.d/{,**} r,
diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt
index d9178ed3..e606a4bb 100644
--- a/apparmor.d/groups/systemd/systemd-detect-virt
+++ b/apparmor.d/groups/systemd/systemd-detect-virt
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/systemd-detect-virt
+@{exec_path} = @{bin}/systemd-detect-virt
 profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect
index 61696e1f..9de04487 100644
--- a/apparmor.d/groups/systemd/systemd-dissect
+++ b/apparmor.d/groups/systemd/systemd-dissect
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/systemd-dissect
+@{exec_path} = @{bin}/systemd-dissect
 profile systemd-dissect @{exec_path} {
   include <abstractions/base>
 
@@ -19,10 +19,10 @@ profile systemd-dissect @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/fsck  rPx,
-  /{usr/,}bin/less  rPx -> child-pager,
-  /{usr/,}bin/more  rPx -> child-pager,
-  /{usr/,}bin/pager rPx -> child-pager,
+  @{bin}/fsck  rPx,
+  @{bin}/less  rPx -> child-pager,
+  @{bin}/more  rPx -> child-pager,
+  @{bin}/pager rPx -> child-pager,
 
   # Location of file system OS images
   @{user_build_dirs}/{,**} r,
diff --git a/apparmor.d/groups/systemd/systemd-environment-d-generator b/apparmor.d/groups/systemd/systemd-environment-d-generator
index 4b3b14a5..8ca83620 100644
--- a/apparmor.d/groups/systemd/systemd-environment-d-generator
+++ b/apparmor.d/groups/systemd/systemd-environment-d-generator
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/user-environment-generators/*
+@{exec_path} = @{lib}/systemd/user-environment-generators/*
 profile systemd-environment-d-generator @{exec_path} {
   include <abstractions/base>
   include <abstractions/systemd-common>
@@ -14,10 +14,10 @@ profile systemd-environment-d-generator @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh  rix,
-  /{usr/,}bin/flatpak     rPUx,
-  /{usr/,}bin/gpgconf     rPx,
-  /{usr/,}bin/{m,g,}awk   rix,
+  @{bin}/{,ba,da}sh  rix,
+  @{bin}/flatpak     rPUx,
+  @{bin}/gpgconf     rPx,
+  @{bin}/{m,g,}awk   rix,
 
   @{etc_ro}/environment r,
   @{etc_ro}/environment.d/{,**} r,
diff --git a/apparmor.d/groups/systemd/systemd-escape b/apparmor.d/groups/systemd/systemd-escape
index 3e2d553e..b9ed66a0 100644
--- a/apparmor.d/groups/systemd/systemd-escape
+++ b/apparmor.d/groups/systemd/systemd-escape
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/systemd-escape
+@{exec_path} = @{bin}/systemd-escape
 profile systemd-escape @{exec_path} {
   include <abstractions/base>
   include <abstractions/systemd-common>
diff --git a/apparmor.d/groups/systemd/systemd-fsck b/apparmor.d/groups/systemd/systemd-fsck
index b01827a0..edafbbe8 100644
--- a/apparmor.d/groups/systemd/systemd-fsck
+++ b/apparmor.d/groups/systemd/systemd-fsck
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-fsck
+@{exec_path} = @{lib}/systemd/systemd-fsck
 profile systemd-fsck @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -19,9 +19,9 @@ profile systemd-fsck @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}{s,}bin/e2fsck rPx,
-  /{usr/,}{s,}bin/fsck   rPx,
-  /{usr/,}{s,}bin/fsck.* rPx,
+  @{bin}/e2fsck rPx,
+  @{bin}/fsck   rPx,
+  @{bin}/fsck.* rPx,
 
   owner @{run}/systemd/quotacheck w,
   owner @{run}/systemd/fsck.progress rw,
diff --git a/apparmor.d/groups/systemd/systemd-fsckd b/apparmor.d/groups/systemd/systemd-fsckd
index 94653689..eaff2b88 100644
--- a/apparmor.d/groups/systemd/systemd-fsckd
+++ b/apparmor.d/groups/systemd/systemd-fsckd
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-fsckd
+@{exec_path} = @{lib}/systemd/systemd-fsckd
 profile systemd-fsckd @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed
index 38aeb3a0..4c09badd 100644
--- a/apparmor.d/groups/systemd/systemd-homed
+++ b/apparmor.d/groups/systemd/systemd-homed
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-homed
+@{exec_path} = @{lib}/systemd/systemd-homed
 profile systemd-homed @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-strict>
@@ -40,10 +40,10 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}lib/systemd/systemd-homework rPx,
-  /{usr/,}{s,}bin/mkfs.btrfs rPx,
-  /{usr/,}{s,}bin/mkfs.fat   rPx,
-  /{usr/,}{s,}bin/mke2fs     rPx,
+  @{lib}/systemd/systemd-homework rPx,
+  @{bin}/mkfs.btrfs rPx,
+  @{bin}/mkfs.fat   rPx,
+  @{bin}/mke2fs     rPx,
 
   /etc/machine-id r,
   /etc/systemd/homed.conf r,
diff --git a/apparmor.d/groups/systemd/systemd-homework b/apparmor.d/groups/systemd/systemd-homework
index aeba866d..23578a0d 100644
--- a/apparmor.d/groups/systemd/systemd-homework
+++ b/apparmor.d/groups/systemd/systemd-homework
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-homework
+@{exec_path} = @{lib}/systemd/systemd-homework
 profile systemd-homework @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed
index b0bf2dba..9288266f 100644
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-hostnamed
+@{exec_path} = @{lib}/systemd/systemd-hostnamed
 profile systemd-hostnamed @{exec_path}  flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-strict>
diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb
index 945c555e..3a2dfd07 100644
--- a/apparmor.d/groups/systemd/systemd-hwdb
+++ b/apparmor.d/groups/systemd/systemd-hwdb
@@ -6,15 +6,15 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/systemd-hwdb
+@{exec_path} = @{bin}/systemd-hwdb
 profile systemd-hwdb @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
 
   @{exec_path} mr,
 
-  /{usr/,}lib/udev/.#hwdb.bin[0-9a-zA-Z]* w,
-  /{usr/,}lib/udev/hwdb.bin w,
+  @{lib}/udev/.#hwdb.bin[0-9a-zA-Z]* w,
+  @{lib}/udev/hwdb.bin w,
 
   /etc/udev/.#hwdb.bind* rw,
   /etc/udev/hwdb.bin rw,
diff --git a/apparmor.d/groups/systemd/systemd-id128 b/apparmor.d/groups/systemd/systemd-id128
index 34e44382..c51f0cc0 100644
--- a/apparmor.d/groups/systemd/systemd-id128
+++ b/apparmor.d/groups/systemd/systemd-id128
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/systemd-id128
+@{exec_path} = @{bin}/systemd-id128
 profile systemd-id128 @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/systemd/systemd-inhibit b/apparmor.d/groups/systemd/systemd-inhibit
index c9ca2152..f8648fb7 100644
--- a/apparmor.d/groups/systemd/systemd-inhibit
+++ b/apparmor.d/groups/systemd/systemd-inhibit
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/systemd-inhibit
+@{exec_path} = @{bin}/systemd-inhibit
 profile systemd-inhibit @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -16,7 +16,7 @@ profile systemd-inhibit @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/cat rix,
+  @{bin}/cat rix,
 
   @{run}/systemd/inhibit/*.ref rw,
 
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
index 40682e31..9753d518 100644
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-journald
+@{exec_path} = @{lib}/systemd/systemd-journald
 profile systemd-journald @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed
index 0dd7b0f3..6b0b880a 100644
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-localed
+@{exec_path} = @{lib}/systemd/systemd-localed
 profile systemd-localed @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index f06e5893..2fddac34 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-logind
+@{exec_path} = @{lib}/systemd/systemd-logind
 profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup
index b2f09afc..328a5a70 100644
--- a/apparmor.d/groups/systemd/systemd-machine-id-setup
+++ b/apparmor.d/groups/systemd/systemd-machine-id-setup
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/systemd-machine-id-setup
+@{exec_path} = @{bin}/systemd-machine-id-setup
 profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined
index dee231f0..7b62e994 100644
--- a/apparmor.d/groups/systemd/systemd-machined
+++ b/apparmor.d/groups/systemd/systemd-machined
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-machined
+@{exec_path} = @{lib}/systemd/systemd-machined
 profile systemd-machined @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-strict>
diff --git a/apparmor.d/groups/systemd/systemd-makefs b/apparmor.d/groups/systemd/systemd-makefs
index 2144f299..4b8d30f9 100644
--- a/apparmor.d/groups/systemd/systemd-makefs
+++ b/apparmor.d/groups/systemd/systemd-makefs
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-makefs
+@{exec_path} = @{lib}/systemd/systemd-makefs
 profile systemd-makefs @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>
@@ -17,8 +17,8 @@ profile systemd-makefs @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}{s,}bin/mkswap     rPx,
-  /{usr/,}bin/mkfs.*         rPx,
+  @{bin}/mkfs.*     rPx,
+  @{bin}/mkswap     rPx,
 
   include if exists <local/systemd-makefs>
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load
index f97990a0..6b9bfcb3 100644
--- a/apparmor.d/groups/systemd/systemd-modules-load
+++ b/apparmor.d/groups/systemd/systemd-modules-load
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-modules-load
+@{exec_path} = @{lib}/systemd/systemd-modules-load
 profile systemd-modules-load @{exec_path} {
   include <abstractions/base>
   include <abstractions/systemd-common>
diff --git a/apparmor.d/groups/systemd/systemd-mount b/apparmor.d/groups/systemd/systemd-mount
index f658baea..391a7c52 100644
--- a/apparmor.d/groups/systemd/systemd-mount
+++ b/apparmor.d/groups/systemd/systemd-mount
@@ -6,17 +6,17 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/systemd-mount
-@{exec_path} += /{usr/,}bin/systemd-umount
+@{exec_path} = @{bin}/systemd-mount
+@{exec_path} += @{bin}/systemd-umount
 profile systemd-mount @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>
 
   @{exec_path} mr,
 
-  /{usr/,}bin/less  rPx -> child-pager,
-  /{usr/,}bin/more  rPx -> child-pager,
-  /{usr/,}bin/pager rPx -> child-pager,
+  @{bin}/less  rPx -> child-pager,
+  @{bin}/more  rPx -> child-pager,
+  @{bin}/pager rPx -> child-pager,
 
   @{sys}/bus/ r,
   @{sys}/class/ r,
diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd
index cf5f74da..8c998a1d 100644
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-networkd
+@{exec_path} = @{lib}/systemd/systemd-networkd
 profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
   include <abstractions/base>
   include <abstractions/dbus-strict>
diff --git a/apparmor.d/groups/systemd/systemd-networkd-wait-online b/apparmor.d/groups/systemd/systemd-networkd-wait-online
index 7dc88b71..cc73c1d2 100644
--- a/apparmor.d/groups/systemd/systemd-networkd-wait-online
+++ b/apparmor.d/groups/systemd/systemd-networkd-wait-online
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-networkd-wait-online
+@{exec_path} = @{lib}/systemd/systemd-networkd-wait-online
 profile systemd-networkd-wait-online @{exec_path} flags=(complain) {
   include <abstractions/base>
   include <abstractions/systemd-common>
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
index 51c95970..62a1ae1e 100644
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-oomd
+@{exec_path} = @{lib}/systemd/systemd-oomd
 profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/systemd-common>
diff --git a/apparmor.d/groups/systemd/systemd-path b/apparmor.d/groups/systemd/systemd-path
index 1c26e402..ab319562 100644
--- a/apparmor.d/groups/systemd/systemd-path
+++ b/apparmor.d/groups/systemd/systemd-path
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/systemd-path
+@{exec_path} = @{bin}/systemd-path
 profile systemd-path @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/systemd/systemd-portabled b/apparmor.d/groups/systemd/systemd-portabled
index a0e2fd18..b3ebe043 100644
--- a/apparmor.d/groups/systemd/systemd-portabled
+++ b/apparmor.d/groups/systemd/systemd-portabled
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-portabled
+@{exec_path} = @{lib}/systemd/systemd-portabled
 profile systemd-portabled @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/systemd/systemd-random-seed b/apparmor.d/groups/systemd/systemd-random-seed
index a3c0bc9e..26c8ea1e 100644
--- a/apparmor.d/groups/systemd/systemd-random-seed
+++ b/apparmor.d/groups/systemd/systemd-random-seed
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-random-seed
+@{exec_path} = @{lib}/systemd/systemd-random-seed
 profile systemd-random-seed @{exec_path} {
   include <abstractions/base>
   include <abstractions/systemd-common>
diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs
index 41f19b6a..0067eff3 100644
--- a/apparmor.d/groups/systemd/systemd-remount-fs
+++ b/apparmor.d/groups/systemd/systemd-remount-fs
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-remount-fs
+@{exec_path} = @{lib}/systemd/systemd-remount-fs
 profile systemd-remount-fs @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -21,7 +21,7 @@ profile systemd-remount-fs @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/mount rix,
+  @{bin}/mount rix,
 
   /etc/fstab r,
 
diff --git a/apparmor.d/groups/systemd/systemd-resolve b/apparmor.d/groups/systemd/systemd-resolve
index def05d9a..06a91a11 100644
--- a/apparmor.d/groups/systemd/systemd-resolve
+++ b/apparmor.d/groups/systemd/systemd-resolve
@@ -6,8 +6,8 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/resolvectl
-@{exec_path} += /{usr/,}bin/systemd-resolve
+@{exec_path} = @{bin}/resolvectl
+@{exec_path} += @{bin}/systemd-resolve
 profile systemd-resolve @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved
index d496317a..2e8672da 100644
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-resolved
+@{exec_path} = @{lib}/systemd/systemd-resolved
 profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-strict>
diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill
index b4c252ec..3c54e652 100644
--- a/apparmor.d/groups/systemd/systemd-rfkill
+++ b/apparmor.d/groups/systemd/systemd-rfkill
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-rfkill
+@{exec_path} = @{lib}/systemd/systemd-rfkill
 profile systemd-rfkill @{exec_path} {
   include <abstractions/base>
   include <abstractions/systemd-common>
diff --git a/apparmor.d/groups/systemd/systemd-shutdown b/apparmor.d/groups/systemd/systemd-shutdown
index 4c2a2f71..5622cc14 100644
--- a/apparmor.d/groups/systemd/systemd-shutdown
+++ b/apparmor.d/groups/systemd/systemd-shutdown
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-shutdown
+@{exec_path} = @{lib}/systemd/systemd-shutdown
 profile systemd-shutdown @{exec_path} flags=(complain) {
   include <abstractions/base>
   include <abstractions/systemd-common>
diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep
index fc524efb..7222c785 100644
--- a/apparmor.d/groups/systemd/systemd-sleep
+++ b/apparmor.d/groups/systemd/systemd-sleep
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-sleep
+@{exec_path} = @{lib}/systemd/systemd-sleep
 profile systemd-sleep @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -19,12 +19,12 @@ profile systemd-sleep @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}lib/systemd/system-sleep/grub2.sleep          rPx,
-  /{usr/,}lib/systemd/system-sleep/hdparm               rPx,
-  /{usr/,}lib/systemd/system-sleep/nvidia               rPx,
-  /{usr/,}lib/systemd/system-sleep/sysstat.sleep        rPx,
-  /{usr/,}lib/systemd/system-sleep/tlp                  rPx,
-  /{usr/,}lib/systemd/system-sleep/unattended-upgrades  rPx,
+  @{lib}/systemd/system-sleep/grub2.sleep          rPx,
+  @{lib}/systemd/system-sleep/hdparm               rPx,
+  @{lib}/systemd/system-sleep/nvidia               rPx,
+  @{lib}/systemd/system-sleep/sysstat.sleep        rPx,
+  @{lib}/systemd/system-sleep/tlp                  rPx,
+  @{lib}/systemd/system-sleep/unattended-upgrades  rPx,
 
   /etc/systemd/sleep.conf r,
   /etc/systemd/sleep.conf.d/{,*} r,
diff --git a/apparmor.d/groups/systemd/systemd-sleep-grub2 b/apparmor.d/groups/systemd/systemd-sleep-grub2
index 459f590c..f608c732 100644
--- a/apparmor.d/groups/systemd/systemd-sleep-grub2
+++ b/apparmor.d/groups/systemd/systemd-sleep-grub2
@@ -6,15 +6,15 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/system-sleep/grub2.sleep
+@{exec_path} = @{lib}/systemd/system-sleep/grub2.sleep
 profile systemd-sleep-grub @{exec_path} {
   include <abstractions/base>
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh       rix,
-  /{usr/,}bin/grep             rix,
-  /{usr/,}bin/uname            rix,
+  @{bin}/{,ba,da}sh       rix,
+  @{bin}/grep             rix,
+  @{bin}/uname            rix,
 
   /etc/sysconfig/bootloader r,
 
diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm
index ee4d1de6..1c43d5a4 100644
--- a/apparmor.d/groups/systemd/systemd-sleep-hdparm
+++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/system-sleep/hdparm
+@{exec_path} = @{lib}/systemd/system-sleep/hdparm
 profile systemd-sleep-hdparm @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/systemd/systemd-sleep-nvidia b/apparmor.d/groups/systemd/systemd-sleep-nvidia
index 441fb69f..77cd1d2e 100644
--- a/apparmor.d/groups/systemd/systemd-sleep-nvidia
+++ b/apparmor.d/groups/systemd/systemd-sleep-nvidia
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/system-sleep/nvidia
+@{exec_path} = @{lib}/systemd/system-sleep/nvidia
 profile systemd-sleep-nvidia @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -16,11 +16,11 @@ profile systemd-sleep-nvidia @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh       rix,
-  /{usr/,}bin/nvidia-sleep.sh  rix,
-  /{usr/,}bin/chvt             rix,
-  /{usr/,}bin/cat              rix,
-  /{usr/,}bin/rm               rix,
+  @{bin}/{,ba,da}sh       rix,
+  @{bin}/nvidia-sleep.sh  rix,
+  @{bin}/chvt             rix,
+  @{bin}/cat              rix,
+  @{bin}/rm               rix,
 
   @{run}/nvidia-sleep/* rw,
 
diff --git a/apparmor.d/groups/systemd/systemd-sleep-sysstat b/apparmor.d/groups/systemd/systemd-sleep-sysstat
index 993d1565..52df3e50 100644
--- a/apparmor.d/groups/systemd/systemd-sleep-sysstat
+++ b/apparmor.d/groups/systemd/systemd-sleep-sysstat
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/system-sleep/sysstat.sleep
+@{exec_path} = @{lib}/systemd/system-sleep/sysstat.sleep
 profile systemd-sleep-sysstat @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/systemd/systemd-sleep-tlp b/apparmor.d/groups/systemd/systemd-sleep-tlp
index ce43be0e..4a61f16b 100644
--- a/apparmor.d/groups/systemd/systemd-sleep-tlp
+++ b/apparmor.d/groups/systemd/systemd-sleep-tlp
@@ -6,13 +6,13 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/system-sleep/tlp
+@{exec_path} = @{lib}/systemd/system-sleep/tlp
 profile systemd-sleep-tlp @{exec_path} {
   include <abstractions/base>
 
   @{exec_path} mr,
 
-  /{usr/,}bin/tlp rPUx,
+  @{bin}/tlp rPUx,
 
   include if exists <local/systemd-sleep-tlp>
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/systemd-sleep-upgrades b/apparmor.d/groups/systemd/systemd-sleep-upgrades
index 267275ea..f05b9b1d 100644
--- a/apparmor.d/groups/systemd/systemd-sleep-upgrades
+++ b/apparmor.d/groups/systemd/systemd-sleep-upgrades
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/system-sleep/unattended-upgrades
+@{exec_path} = @{lib}/systemd/system-sleep/unattended-upgrades
 profile systemd-sleep-upgrades @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/systemd/systemd-sulogin-shell b/apparmor.d/groups/systemd/systemd-sulogin-shell
index b6d9f899..7386d3c3 100644
--- a/apparmor.d/groups/systemd/systemd-sulogin-shell
+++ b/apparmor.d/groups/systemd/systemd-sulogin-shell
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-sulogin-shell
+@{exec_path} = @{lib}/systemd/systemd-sulogin-shell
 profile systemd-sulogin-shell @{exec_path} {
   include <abstractions/base>
   include <abstractions/systemd-common>
@@ -16,7 +16,7 @@ profile systemd-sulogin-shell @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}{s,}bin/sulogin rPx,
+  @{bin}/sulogin rPx,
 
   include if exists <local/systemd-sulogin-shell>
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl
index 8947d180..4ad1b165 100644
--- a/apparmor.d/groups/systemd/systemd-sysctl
+++ b/apparmor.d/groups/systemd/systemd-sysctl
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-sysctl
+@{exec_path} = @{lib}/systemd/systemd-sysctl
 profile systemd-sysctl @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers
index c8baa835..8f5afd5a 100644
--- a/apparmor.d/groups/systemd/systemd-sysusers
+++ b/apparmor.d/groups/systemd/systemd-sysusers
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/systemd-sysusers
+@{exec_path} = @{bin}/systemd-sysusers
 profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/systemd-common>
diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated
index 21911870..7b03073d 100644
--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-timedated
+@{exec_path} = @{lib}/systemd/systemd-timedated
 profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-strict>
diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd
index 3b6ea99d..eb4d7264 100644
--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-timesyncd
+@{exec_path} = @{lib}/systemd/systemd-timesyncd
 profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-strict>
diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles
index 61b3ae3e..97829c88 100644
--- a/apparmor.d/groups/systemd/systemd-tmpfiles
+++ b/apparmor.d/groups/systemd/systemd-tmpfiles
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/systemd-tmpfiles
+@{exec_path} = @{bin}/systemd-tmpfiles
 profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/systemd-common>
diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
index 233feb05..b7a6eafa 100644
--- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
+++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/systemd-tty-ask-password-agent
+@{exec_path} = @{bin}/systemd-tty-ask-password-agent
 profile systemd-tty-ask-password-agent @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 3c555f77..66b25bab 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -7,8 +7,8 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path}  = /{usr/,}bin/udevadm
-@{exec_path} += /{usr/,}lib/systemd/systemd-udevd
+@{exec_path}  = @{bin}/udevadm
+@{exec_path} += @{lib}/systemd/systemd-udevd
 profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -36,33 +36,33 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh        rix,
-  /{usr/,}bin/{,e}grep          rix,
-  /{usr/,}bin/cat               rix,
-  /{usr/,}bin/chgrp             rix,
-  /{usr/,}bin/chmod             rix,
-  /{usr/,}bin/cut               rix,
-  /{usr/,}bin/ln                rix,
-  /{usr/,}bin/logger            rix,
-  /{usr/,}bin/mknod             rPx,
-  /{usr/,}bin/nohup             rix,
-  /{usr/,}bin/perl              rix,
-  /{usr/,}bin/readlink          rix,
-  /{usr/,}bin/setfacl           rix,
-  /{usr/,}bin/snap              rPx,
-  /{usr/,}bin/unshare           rix,
+  @{bin}/{,ba,da}sh        rix,
+  @{bin}/{,e}grep          rix,
+  @{bin}/cat               rix,
+  @{bin}/chgrp             rix,
+  @{bin}/chmod             rix,
+  @{bin}/cut               rix,
+  @{bin}/ln                rix,
+  @{bin}/logger            rix,
+  @{bin}/mknod             rPx,
+  @{bin}/nohup             rix,
+  @{bin}/perl              rix,
+  @{bin}/readlink          rix,
+  @{bin}/setfacl           rix,
+  @{bin}/snap              rPx,
+  @{bin}/unshare           rix,
 
-  /{usr/,}{s,}bin/*             rpux,
-  audit /{usr/,}{s,}bin/lvm      rux,
+  @{bin}/*             rpux,
+  audit @{bin}/lvm      rux,
 
-  /{usr/,}lib/pm-utils/power.d/*          rPUx,
-  /{usr/,}lib/snapd/snap-device-helper     rPx,
-  /{usr/,}lib/crda/*                      rPUx,
-  /{usr/,}lib/gdm-runtime-config           rPx,
-  /{usr/,}lib/systemd/systemd-*            rPx,
-  @{libexec}/nfsrahead                    rPUx,
-  /{usr/,}lib/udev/*                      rPUx,
-  /{usr/,}lib/open-iscsi/net-interface-handler rPUx,
+  @{lib}/pm-utils/power.d/*          rPUx,
+  @{lib}/snapd/snap-device-helper     rPx,
+  @{lib}/crda/*                      rPUx,
+  @{lib}/gdm-runtime-config           rPx,
+  @{lib}/systemd/systemd-*            rPx,
+  @{lib}/nfsrahead                    rPUx,
+  @{lib}/udev/*                      rPUx,
+  @{lib}/open-iscsi/net-interface-handler rPUx,
   /usr/share/hplip/config_usb_printer.py  rPUx,
 
   /etc/console-setup/*.sh       rPUx,
diff --git a/apparmor.d/groups/systemd/systemd-update-done b/apparmor.d/groups/systemd/systemd-update-done
index 2cd2407f..e497a554 100644
--- a/apparmor.d/groups/systemd/systemd-update-done
+++ b/apparmor.d/groups/systemd/systemd-update-done
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-update-done
+@{exec_path} = @{lib}/systemd/systemd-update-done
 profile systemd-update-done @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp
index b652795e..8828b6a2 100644
--- a/apparmor.d/groups/systemd/systemd-update-utmp
+++ b/apparmor.d/groups/systemd/systemd-update-utmp
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-update-utmp
+@{exec_path} = @{lib}/systemd/systemd-update-utmp
 profile systemd-update-utmp @{exec_path} {
   include <abstractions/base>
   include <abstractions/systemd-common>
diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir
index c5c263a1..9037b992 100644
--- a/apparmor.d/groups/systemd/systemd-user-runtime-dir
+++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-user-runtime-dir
+@{exec_path} = @{lib}/systemd/systemd-user-runtime-dir
 profile systemd-user-runtime-dir @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-strict>
diff --git a/apparmor.d/groups/systemd/systemd-user-sessions b/apparmor.d/groups/systemd/systemd-user-sessions
index 57a84b16..537a0180 100644
--- a/apparmor.d/groups/systemd/systemd-user-sessions
+++ b/apparmor.d/groups/systemd/systemd-user-sessions
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-user-sessions
+@{exec_path} = @{lib}/systemd/systemd-user-sessions
 profile systemd-user-sessions @{exec_path} {
   include <abstractions/base>
   include <abstractions/systemd-common>
diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd
index a74e59a4..3ef93d22 100644
--- a/apparmor.d/groups/systemd/systemd-userdbd
+++ b/apparmor.d/groups/systemd/systemd-userdbd
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-userdbd
+@{exec_path} = @{lib}/systemd/systemd-userdbd
 profile systemd-userdbd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -23,7 +23,7 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}lib/systemd/systemd-userwork rix,
+  @{lib}/systemd/systemd-userwork rix,
 
   /etc/shadow r,
   /etc/machine-id r,
diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork
index 14f6bbbe..a3b5b1fa 100644
--- a/apparmor.d/groups/systemd/systemd-userwork
+++ b/apparmor.d/groups/systemd/systemd-userwork
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-userwork
+@{exec_path} = @{lib}/systemd/systemd-userwork
 profile systemd-userwork @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup
index 2992b678..c8aec27a 100644
--- a/apparmor.d/groups/systemd/systemd-vconsole-setup
+++ b/apparmor.d/groups/systemd/systemd-vconsole-setup
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/systemd-vconsole-setup
+@{exec_path} = @{lib}/systemd/systemd-vconsole-setup
 profile systemd-vconsole-setup @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -21,11 +21,11 @@ profile systemd-vconsole-setup @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh  rix,
-  /{usr/,}bin/gzip        rix,
-  /{usr/,}bin/loadkeys    rix,
-  /{usr/,}bin/setfont     rix,
-  /{usr/,}bin/gzip        rix,
+  @{bin}/{,ba,da}sh  rix,
+  @{bin}/gzip        rix,
+  @{bin}/loadkeys    rix,
+  @{bin}/setfont     rix,
+  @{bin}/gzip        rix,
 
   / r,
   /usr/share/kbd/{,**} r,
diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl
index 48f7b345..34989a31 100644
--- a/apparmor.d/groups/systemd/userdbctl
+++ b/apparmor.d/groups/systemd/userdbctl
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/userdbctl
+@{exec_path} = @{bin}/userdbctl
 profile userdbctl @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -16,9 +16,9 @@ profile userdbctl @{exec_path} {
 
   @{exec_path} mr,
   
-  /{usr/,}bin/less  rPx -> child-pager,
-  /{usr/,}bin/more  rPx -> child-pager,
-  /{usr/,}bin/pager rPx -> child-pager,
+  @{bin}/less  rPx -> child-pager,
+  @{bin}/more  rPx -> child-pager,
+  @{bin}/pager rPx -> child-pager,
 
   /etc/shadow r,
   /etc/gshadow r,
diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator
index 6d176ebb..10ba1e35 100644
--- a/apparmor.d/groups/systemd/zram-generator
+++ b/apparmor.d/groups/systemd/zram-generator
@@ -6,16 +6,16 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/systemd/system-generators/zram-generator
+@{exec_path} = @{lib}/systemd/system-generators/zram-generator
 profile zram-generator @{exec_path} {
   include <abstractions/base>
   include <abstractions/systemd-common>
 
   @{exec_path} mr,
 
-  /{usr/,}bin/kmod                    rix,
-  /{usr/,}bin/systemd-detect-virt     rPx,
-  /{usr/,}lib/systemd/systemd-makefs  rPx,
+  @{bin}/kmod                    rix,
+  @{bin}/systemd-detect-virt     rPx,
+  @{lib}/systemd/systemd-makefs  rPx,
 
   /etc/systemd/zram-generator.conf r,
 
diff --git a/apparmor.d/groups/ubuntu/apport-checkreports b/apparmor.d/groups/ubuntu/apport-checkreports
index 5eb039e4..18bd53aa 100644
--- a/apparmor.d/groups/ubuntu/apport-checkreports
+++ b/apparmor.d/groups/ubuntu/apport-checkreports
@@ -15,7 +15,7 @@ profile apport-checkreports @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/python3.[0-9]* r,
+  @{bin}/python3.[0-9]* r,
 
   /usr/share/dpkg/cputable r,
   /usr/share/dpkg/tupletable r,
diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk
index 52849f6c..31059064 100644
--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@@ -31,27 +31,27 @@ profile apport-gtk @{exec_path} {
 
   @{exec_path} mr,
 
-  @{libexec}/{,colord/}colord-sane  rPx,
-  /{usr/,}{s,}bin/killall5          rix,
-  /{usr/,}bin/{,ba,da}sh            rix,
-  /{usr/,}bin/{f,}grep              rix,
-  /{usr/,}bin/apt-cache             rPx,
-  /{usr/,}bin/cut                   rix,
-  /{usr/,}bin/dpkg                  rPx,
-  /{usr/,}bin/dpkg-divert           rPx,
-  /{usr/,}bin/dpkg-query            rpx,
-  /{usr/,}bin/gdb                   rCx -> gdb,
-  /{usr/,}bin/gsettings             rPx,
-  /{usr/,}bin/ischroot              rix,
-  /{usr/,}bin/journalctl            rPx,
-  /{usr/,}bin/kmod                  rPx,
-  /{usr/,}bin/ldd                   rix,
-  /{usr/,}bin/lsb_release           rPx -> lsb_release,
-  /{usr/,}bin/md5sum                rix,
-  /{usr/,}bin/pkexec                rPx, # TODO: rCx or something
-  /{usr/,}bin/systemctl             rPx -> child-systemctl,
-  /{usr/,}bin/which{,.debianutils}  rix,
-  /{usr/,}lib/@{multiarch}/ld*.so*  rix,
+  @{bin}/{,ba,da}sh             rix,
+  @{bin}/{f,}grep               rix,
+  @{bin}/apt-cache              rPx,
+  @{bin}/cut                    rix,
+  @{bin}/dpkg                   rPx,
+  @{bin}/dpkg-divert            rPx,
+  @{bin}/dpkg-query             rpx,
+  @{bin}/gdb                    rCx -> gdb,
+  @{bin}/gsettings              rPx,
+  @{bin}/ischroot               rix,
+  @{bin}/journalctl             rPx,
+  @{bin}/killall5               rix,
+  @{bin}/kmod                   rPx,
+  @{bin}/ldd                    rix,
+  @{bin}/lsb_release            rPx -> lsb_release,
+  @{bin}/md5sum                 rix,
+  @{bin}/pkexec                 rPx, # TODO: rCx or something
+  @{bin}/systemctl              rPx -> child-systemctl,
+  @{bin}/which{,.debianutils}   rix,
+  @{lib}/{,colord/}colord-sane  rPx,
+  @{lib}/@{multiarch}/ld*.so*   rix,
   /usr/share/apport/root_info_wrapper rix,
 
   /usr/share/alsa/{,**} r,
@@ -99,10 +99,10 @@ profile apport-gtk @{exec_path} {
     include <abstractions/fonts>
     include <abstractions/python>
 
-    /{usr/,}bin/gdb mr,
+    @{bin}/gdb mr,
   
-    /{usr/,}bin/iconv rix,
-    /{usr/,}{s,}bin/* r,
+    @{bin}/iconv rix,
+    @{bin}/* r,
 
     /usr/share/gcc/python/**/__pycache__/{,**} rw,
 
diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook
index c9456448..3971cd1a 100644
--- a/apparmor.d/groups/ubuntu/apt-esm-hook
+++ b/apparmor.d/groups/ubuntu/apt-esm-hook
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/ubuntu-advantage/apt-esm-hook
+@{exec_path} = @{lib}/ubuntu-advantage/apt-esm-hook
 profile apt-esm-hook @{exec_path} {
   include <abstractions/base>
   include <abstractions/apt-common>
@@ -14,7 +14,7 @@ profile apt-esm-hook @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/dpkg  rPx -> child-dpkg,
+  @{bin}/dpkg  rPx -> child-dpkg,
 
   /etc/machine-id r,
 
diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook
index de6cc303..ccad90bb 100644
--- a/apparmor.d/groups/ubuntu/apt-esm-json-hook
+++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/ubuntu-advantage/apt-esm-json-hook
+@{exec_path} = @{lib}/ubuntu-advantage/apt-esm-json-hook
 profile apt-esm-json-hook @{exec_path} {
   include <abstractions/base>
   include <abstractions/apt-common>
@@ -16,7 +16,7 @@ profile apt-esm-json-hook @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/dpkg         rPx,
+  @{bin}/dpkg         rPx,
 
   /var/lib/ubuntu-advantage/{,**} r,
   /var/lib/ubuntu-advantage/apt-esm/{,**} rw,
diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk
index 3d804216..b93a0c1f 100644
--- a/apparmor.d/groups/ubuntu/check-new-release-gtk
+++ b/apparmor.d/groups/ubuntu/check-new-release-gtk
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/ubuntu-release-upgrader/check-new-release-gtk
+@{exec_path} = @{lib}/ubuntu-release-upgrader/check-new-release-gtk
 profile check-new-release-gtk @{exec_path} {
   include <abstractions/base>
   include <abstractions/apt-common>
@@ -33,9 +33,9 @@ profile check-new-release-gtk @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/dpkg         rPx,
-  /{usr/,}bin/ischroot     rix,
-  /{usr/,}bin/lsb_release  rPx -> lsb_release,
+  @{bin}/dpkg         rPx,
+  @{bin}/ischroot     rix,
+  @{bin}/lsb_release  rPx -> lsb_release,
 
   /usr/share/distro-info/{,**} r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan
index ee5e23ac..50226bba 100644
--- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan
+++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan
@@ -14,15 +14,15 @@ profile cron-ubuntu-fan @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,da,ba}sh  rix,
-  /{usr/,}{s,}bin/fanctl  rix,
-  /{usr/,}bin/flock       rix,
-  /{usr/,}bin/grep        rix,
-  /{usr/,}bin/id          rix,
-  /{usr/,}bin/ip          rix,
-  /{usr/,}bin/mkdir       rix,
-  /{usr/,}bin/sed         rix,
-  /{usr/,}bin/touch       rix,
+  @{bin}/{,da,ba}sh  rix,
+  @{bin}/fanctl      rix,
+  @{bin}/flock       rix,
+  @{bin}/grep        rix,
+  @{bin}/id          rix,
+  @{bin}/ip          rix,
+  @{bin}/mkdir       rix,
+  @{bin}/sed         rix,
+  @{bin}/touch       rix,
 
   /etc/network/fan r,
 
diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade
index 65b04664..712e4634 100644
--- a/apparmor.d/groups/ubuntu/do-release-upgrade
+++ b/apparmor.d/groups/ubuntu/do-release-upgrade
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/do-release-upgrade
+@{exec_path} = @{bin}/do-release-upgrade
 profile do-release-upgrade @{exec_path} {
   include <abstractions/base>
   include <abstractions/apt-common>
@@ -25,9 +25,9 @@ profile do-release-upgrade @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/dpkg         rPx -> child-dpkg,
-  /{usr/,}bin/ischroot     rix,
-  /{usr/,}bin/lsb_release  rPx -> lsb_release,
+  @{bin}/dpkg         rPx -> child-dpkg,
+  @{bin}/ischroot     rix,
+  @{bin}/lsb_release  rPx -> lsb_release,
 
   /usr/share/distro-info/*.csv r,
   /usr/share/ubuntu-release-upgrader/{,**} r,
diff --git a/apparmor.d/groups/ubuntu/hwe-support-status b/apparmor.d/groups/ubuntu/hwe-support-status
index 83cb07e3..d1d71145 100644
--- a/apparmor.d/groups/ubuntu/hwe-support-status
+++ b/apparmor.d/groups/ubuntu/hwe-support-status
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/hwe-support-status
+@{exec_path} = @{bin}/hwe-support-status
 profile hwe-support-status @{exec_path} {
   include <abstractions/base>
   include <abstractions/apt-common>
@@ -15,8 +15,8 @@ profile hwe-support-status @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/dpkg         rPx,
-  /{usr/,}bin/lsb_release  rPx -> lsb_release,
+  @{bin}/dpkg         rPx,
+  @{bin}/lsb_release  rPx -> lsb_release,
 
   /usr/share/distro-info/{,**} r,
 
diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages
index 24bd425e..2c7527b8 100644
--- a/apparmor.d/groups/ubuntu/list-oem-metapackages
+++ b/apparmor.d/groups/ubuntu/list-oem-metapackages
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/update-notifier/list-oem-metapackages
+@{exec_path} = @{lib}/update-notifier/list-oem-metapackages
 profile list-oem-metapackages @{exec_path} {
   include <abstractions/base>
   include <abstractions/python>
@@ -15,8 +15,8 @@ profile list-oem-metapackages @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/dpkg         rPx -> child-dpkg,
-  /{usr/,}bin/ischroot     rix,
+  @{bin}/dpkg         rPx -> child-dpkg,
+  @{bin}/ischroot     rix,
 
   /etc/machine-id r,
 
diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification
index 3529ad13..b72c4768 100644
--- a/apparmor.d/groups/ubuntu/livepatch-notification
+++ b/apparmor.d/groups/ubuntu/livepatch-notification
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/update-notifier/livepatch-notification
+@{exec_path} = @{lib}/update-notifier/livepatch-notification
 profile livepatch-notification @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/ubuntu/notify-reboot-required b/apparmor.d/groups/ubuntu/notify-reboot-required
index a3c08298..f4692ec0 100644
--- a/apparmor.d/groups/ubuntu/notify-reboot-required
+++ b/apparmor.d/groups/ubuntu/notify-reboot-required
@@ -13,9 +13,9 @@ profile notify-reboot-required @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh  rix,
-  /{usr/,}bin/gettext     rix,
-  /{usr/,}bin/snap        rPx,
+  @{bin}/{,ba,da}sh  rix,
+  @{bin}/gettext     rix,
+  @{bin}/snap        rPx,
 
   /usr/share/update-notifier/notify-reboot-required r,
 
diff --git a/apparmor.d/groups/ubuntu/notify-updates-outdated b/apparmor.d/groups/ubuntu/notify-updates-outdated
index e04b02fe..38c9bfed 100644
--- a/apparmor.d/groups/ubuntu/notify-updates-outdated
+++ b/apparmor.d/groups/ubuntu/notify-updates-outdated
@@ -13,8 +13,8 @@ profile notify-updates-outdated @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh  rix,
-  /{usr/,}bin/gettext     rix,
+  @{bin}/{,ba,da}sh  rix,
+  @{bin}/gettext     rix,
 
   include if exists <local/notify-updates-outdated>
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked
index 5ad67ae7..39e41ec6 100644
--- a/apparmor.d/groups/ubuntu/package-system-locked
+++ b/apparmor.d/groups/ubuntu/package-system-locked
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/update-notifier/package-system-locked
+@{exec_path} = @{lib}/update-notifier/package-system-locked
 profile package-system-locked @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
@@ -21,8 +21,8 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh  rix,
-  /{usr/,}bin/fuser       rix,
+  @{bin}/{,ba,da}sh  rix,
+  @{bin}/fuser       rix,
 
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/net/unix r,
diff --git a/apparmor.d/groups/ubuntu/pro b/apparmor.d/groups/ubuntu/pro
index 52cfe5b6..3d1a2d56 100644
--- a/apparmor.d/groups/ubuntu/pro
+++ b/apparmor.d/groups/ubuntu/pro
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/pro
+@{exec_path} = @{bin}/pro
 profile pro @{exec_path} {
   include <abstractions/base>
   include <abstractions/apt-common>
diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd
index 33043a49..b8dba571 100644
--- a/apparmor.d/groups/ubuntu/release-upgrade-motd
+++ b/apparmor.d/groups/ubuntu/release-upgrade-motd
@@ -6,19 +6,19 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/ubuntu-release-upgrader/release-upgrade-motd
+@{exec_path} = @{lib}/ubuntu-release-upgrader/release-upgrade-motd
 profile release-upgrade-motd @{exec_path} {
   include <abstractions/base>
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh          rix,
-  /{usr/,}bin/date                rix,
-  /{usr/,}bin/expr                rix,
-  /{usr/,}bin/id                  rPx,
-  /{usr/,}bin/stat                rix,
-  /{usr/,}bin/cat                 rix,
-  /{usr/,}bin/do-release-upgrade  rPx,
+  @{bin}/{,ba,da}sh          rix,
+  @{bin}/date                rix,
+  @{bin}/expr                rix,
+  @{bin}/id                  rPx,
+  @{bin}/stat                rix,
+  @{bin}/cat                 rix,
+  @{bin}/do-release-upgrade  rPx,
 
   /var/lib/ubuntu-release-upgrader/release-upgrade-available rw,
 
diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus
index 97755324..786bdf7e 100644
--- a/apparmor.d/groups/ubuntu/software-properties-dbus
+++ b/apparmor.d/groups/ubuntu/software-properties-dbus
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/software-properties/software-properties-dbus
+@{exec_path} = @{lib}/software-properties/software-properties-dbus
 profile software-properties-dbus @{exec_path} {
   include <abstractions/base>
   include <abstractions/apt-common>
@@ -33,9 +33,9 @@ profile software-properties-dbus @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/python3.[0-9]*  rix,
-  /{usr/,}bin/env             rix,
-  /{usr/,}bin/lsb_release     rPx -> lsb_release,
+  @{bin}/python3.[0-9]*  rix,
+  @{bin}/env             rix,
+  @{bin}/lsb_release     rPx -> lsb_release,
 
   /usr/share/python-apt/{,**} r,
   /usr/share/distro-info/*.csv r,
diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk
index afc25eba..e8c4fae6 100644
--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/software-properties-gtk
+@{exec_path} = @{bin}/software-properties-gtk
 profile software-properties-gtk @{exec_path} {
   include <abstractions/base>
   include <abstractions/apt-common>
@@ -37,14 +37,14 @@ profile software-properties-gtk @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/ r,
+  @{bin}/ r,
 
-  /{usr/,}bin/aplay                    rPx,
-  /{usr/,}bin/apt-key                  rPx,
-  /{usr/,}bin/dpkg                     rPx -> child-dpkg,
-  /{usr/,}bin/ischroot                 rix,
-  /{usr/,}bin/lsb_release              rPx -> lsb_release,
-  /{usr/,}bin/ubuntu-advantage         rPx,
+  @{bin}/aplay                    rPx,
+  @{bin}/apt-key                  rPx,
+  @{bin}/dpkg                     rPx -> child-dpkg,
+  @{bin}/ischroot                 rix,
+  @{bin}/lsb_release              rPx -> lsb_release,
+  @{bin}/ubuntu-advantage         rPx,
 
   /usr/share/distro-info/*.csv r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf
index 07bfcfd6..c16a4171 100644
--- a/apparmor.d/groups/ubuntu/subiquity-console-conf
+++ b/apparmor.d/groups/ubuntu/subiquity-console-conf
@@ -23,21 +23,21 @@ profile subiquity-console-conf @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,da,ba}sh  rix,
-  /{usr/,}bin/cat         rix,
-  /{usr/,}bin/grep        rix,
-  /{usr/,}bin/ip          rix,
-  /{usr/,}bin/mkdir       rix,
-  /{usr/,}bin/mv          rix,
-  /{usr/,}bin/sleep       rix,
-  /{usr/,}bin/stty        rix,
-  /{usr/,}bin/tr          rix,
-  /{usr/,}bin/tty         rix,
+  @{bin}/{,da,ba}sh  rix,
+  @{bin}/cat         rix,
+  @{bin}/grep        rix,
+  @{bin}/ip          rix,
+  @{bin}/mkdir       rix,
+  @{bin}/mv          rix,
+  @{bin}/sleep       rix,
+  @{bin}/stty        rix,
+  @{bin}/tr          rix,
+  @{bin}/tty         rix,
 
+  @{bin}/journalctl                      rCx -> journalctl,
+  @{bin}/ssh-keygen                      rPx, 
+  @{bin}/sshd                            rPx, 
   /{snap/snapd/[0-9]*/,}{usr/,}bin/snap  rPx, # TODO: rCx,
-  /{usr/,}{,s}bin/sshd                   rPx, 
-  /{usr/,}bin/journalctl                 rCx -> journalctl,
-  /{usr/,}bin/ssh-keygen                 rPx, 
   /usr/lib/snapd/snap-recovery-chooser  rPUx,
   /usr/share/netplan/netplan.script     rPUx, # TODO: rPx,
 
@@ -98,7 +98,7 @@ profile subiquity-console-conf @{exec_path} {
   profile journalctl {
     include <abstractions/base>
 
-    /{usr/,}bin/journalctl mr,
+    @{bin}/journalctl mr,
 
     @{run}/log/ rw,
     /{run,var}/log/journal/ rw,
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage
index d54a4bc4..f4962c2e 100644
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ubuntu-advantage
+@{exec_path} = @{bin}/ubuntu-advantage
 profile ubuntu-advantage @{exec_path} {
   include <abstractions/base>
   include <abstractions/apt-common>
@@ -30,21 +30,21 @@ profile ubuntu-advantage @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/ischroot                       rix,
+  @{bin}/ischroot                       rix,
 
-  /{usr/,}bin/apt                            rPx,
-  /{usr/,}bin/apt-cache                      rPx,
-  /{usr/,}bin/apt-config                     rPx,
-  /{usr/,}bin/apt-get                        rPx,
-  /{usr/,}bin/dpkg                           rPx -> child-dpkg,
-  /{usr/,}bin/ps                             rPx,
-  /{usr/,}bin/snap                           rPx,
-  /{usr/,}bin/systemctl                      rCx ->  systemctl,
-  /{usr/,}bin/systemd-detect-virt            rPx,
-  /{usr/,}bin/ubuntu-distro-info             rPx,
-  /{usr/,}lib/apt/apt-helper                 rix,
-  /{usr/,}lib/apt/methods/http{,s}           rPx,
-  /{usr/,}lib/ubuntu-advantage/apt-esm-hook  rPx,
+  @{bin}/apt                            rPx,
+  @{bin}/apt-cache                      rPx,
+  @{bin}/apt-config                     rPx,
+  @{bin}/apt-get                        rPx,
+  @{bin}/dpkg                           rPx -> child-dpkg,
+  @{bin}/ps                             rPx,
+  @{bin}/snap                           rPx,
+  @{bin}/systemctl                      rCx ->  systemctl,
+  @{bin}/systemd-detect-virt            rPx,
+  @{bin}/ubuntu-distro-info             rPx,
+  @{lib}/apt/apt-helper                 rix,
+  @{lib}/apt/methods/http{,s}           rPx,
+  @{lib}/ubuntu-advantage/apt-esm-hook  rPx,
 
   /etc/apt/auth.conf.d/{,**} rw,
   /etc/apt/trusted.gpg.d/{,**} rw,
@@ -72,9 +72,9 @@ profile ubuntu-advantage @{exec_path} {
 
     ptrace (read),
 
-    /{usr/,}bin/systemctl mr,
+    @{bin}/systemctl mr,
 
-    /{usr/,}bin/systemd-tty-ask-password-agent rix,
+    @{bin}/systemd-tty-ask-password-agent rix,
 
     owner @{run}/systemd/ask-password/ rw,
     owner @{run}/systemd/ask-password-block/* rw,
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon
index 73088ebe..b11d555d 100644
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/ubuntu-advantage-desktop-daemon
+@{exec_path} = @{lib}/ubuntu-advantage-desktop-daemon
 profile ubuntu-advantage-desktop-daemon @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-strict>
@@ -36,7 +36,7 @@ profile ubuntu-advantage-desktop-daemon @{exec_path} flags=(attach_disconnected)
 
   @{exec_path} mr,
 
-  /{usr/,}bin/ubuntu-advantage rPx,
+  @{bin}/ubuntu-advantage rPx,
 
   /var/lib/ubuntu-advantage/{,**} r,
 
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
index f125c704..f7016e87 100644
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/update-notifier/ubuntu-advantage-notification
+@{exec_path} = @{lib}/update-notifier/ubuntu-advantage-notification
 profile ubuntu-advantage-notification @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
diff --git a/apparmor.d/groups/ubuntu/ubuntu-distro-info b/apparmor.d/groups/ubuntu/ubuntu-distro-info
index 7f390480..d4178d26 100644
--- a/apparmor.d/groups/ubuntu/ubuntu-distro-info
+++ b/apparmor.d/groups/ubuntu/ubuntu-distro-info
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ubuntu-distro-info
+@{exec_path} = @{bin}/ubuntu-distro-info
 profile ubuntu-distro-info @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report
index ed2afd88..b95ac50f 100644
--- a/apparmor.d/groups/ubuntu/ubuntu-report
+++ b/apparmor.d/groups/ubuntu/ubuntu-report
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/ubuntu-report
+@{exec_path} = @{bin}/ubuntu-report
 profile ubuntu-report @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -14,7 +14,7 @@ profile ubuntu-report @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/dpkg  rPx -> child-dpkg,
+  @{bin}/dpkg  rPx -> child-dpkg,
 
   owner @{user_cache_dirs}/ubuntu-report/{,*} r,
 
diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager
index 9af0533b..10f3e0f8 100644
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/update-manager
+@{exec_path} = @{bin}/update-manager
 profile update-manager @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/apt-common>
@@ -57,14 +57,14 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/dpkg                     rPx -> child-dpkg,
-  /{usr/,}bin/hwe-support-status       rPx,
-  /{usr/,}bin/ischroot                 rix,
-  /{usr/,}bin/lsb_release              rPx -> lsb_release,
-  /{usr/,}bin/snap                    rPUx,
-  /{usr/,}bin/software-properties-gtk  rPx,
-  /{usr/,}bin/uname                    rix,
-  /{usr/,}lib/apt/methods/http{,s}     rPx,
+  @{bin}/dpkg                     rPx -> child-dpkg,
+  @{bin}/hwe-support-status       rPx,
+  @{bin}/ischroot                 rix,
+  @{bin}/lsb_release              rPx -> lsb_release,
+  @{bin}/snap                    rPUx,
+  @{bin}/software-properties-gtk  rPx,
+  @{bin}/uname                    rix,
+  @{lib}/apt/methods/http{,s}     rPx,
 
   /usr/share/distro-info/{,**} r,
   /usr/share/themes/{,**} r,
diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot
index 42b55601..5a866d28 100644
--- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot
+++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot
@@ -6,22 +6,22 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/update-notifier/update-motd-fsck-at-reboot
+@{exec_path} = @{lib}/update-notifier/update-motd-fsck-at-reboot
 profile update-motd-fsck-at-reboot @{exec_path} {
   include <abstractions/base>
 
   @{exec_path} mr,
 
-  /{usr/,}{s,}bin/dumpe2fs  rPx,
-  /{usr/,}bin/{,ba,da}sh    rix,
-  /{usr/,}bin/{m,g,}awk     rix,
-  /{usr/,}bin/cat           rix,
-  /{usr/,}bin/cut           rix,
-  /{usr/,}bin/date          rix,
-  /{usr/,}bin/grep          rix,
-  /{usr/,}bin/id            rix,
-  /{usr/,}bin/mount         rCx -> mount,
-  /{usr/,}bin/stat          rix,
+  @{bin}/dumpe2fs  rPx,
+  @{bin}/{,ba,da}sh    rix,
+  @{bin}/{m,g,}awk     rix,
+  @{bin}/cat           rix,
+  @{bin}/cut           rix,
+  @{bin}/date          rix,
+  @{bin}/grep          rix,
+  @{bin}/id            rix,
+  @{bin}/mount         rCx -> mount,
+  @{bin}/stat          rix,
 
   /var/lib/update-notifier/fsck-at-reboot rw,
 
@@ -32,7 +32,7 @@ profile update-motd-fsck-at-reboot @{exec_path} {
   profile mount {
     include <abstractions/base>
 
-    /{usr/,}bin/mount mr,
+    @{bin}/mount mr,
 
     @{run}/mount/utab r,
 
diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available
index 1b5fb749..878f0da8 100644
--- a/apparmor.d/groups/ubuntu/update-motd-updates-available
+++ b/apparmor.d/groups/ubuntu/update-motd-updates-available
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/update-notifier/update-motd-updates-available
+@{exec_path} = @{lib}/update-notifier/update-motd-updates-available
 profile update-motd-updates-available @{exec_path} {
   include <abstractions/base>
   include <abstractions/apt-common>
@@ -19,20 +19,20 @@ profile update-motd-updates-available @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/python3.[0-9]* r,
+  @{bin}/python3.[0-9]* r,
 
-  /{usr/,}bin/{,ba,da}sh                    rix,
-  /{usr/,}bin/apt-config                    rPx,
-  /{usr/,}bin/chmod                         rix,
-  /{usr/,}bin/dirname                       rix,
-  /{usr/,}bin/dpkg                          rPx -> child-dpkg,
-  /{usr/,}bin/find                          rix,
-  /{usr/,}bin/ischroot                      rix,
-  /{usr/,}bin/lsb_release                   rPx -> lsb_release,
-  /{usr/,}bin/mktemp                        rix,
-  /{usr/,}bin/mv                            rix,
-  /{usr/,}bin/rm                            rix,
-  /{usr/,}lib/update-notifier/apt_check.py  rix,
+  @{bin}/{,ba,da}sh                    rix,
+  @{bin}/apt-config                    rPx,
+  @{bin}/chmod                         rix,
+  @{bin}/dirname                       rix,
+  @{bin}/dpkg                          rPx -> child-dpkg,
+  @{bin}/find                          rix,
+  @{bin}/ischroot                      rix,
+  @{bin}/lsb_release                   rPx -> lsb_release,
+  @{bin}/mktemp                        rix,
+  @{bin}/mv                            rix,
+  @{bin}/rm                            rix,
+  @{lib}/update-notifier/apt_check.py  rix,
 
   /usr/share/distro-info/{,**} r,
 
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
index 89e68cb4..a5b63d98 100644
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/update-notifier
+@{exec_path} = @{bin}/update-notifier
 profile update-notifier @{exec_path} {
   include <abstractions/base>
   include <abstractions/apt-common>
@@ -31,27 +31,27 @@ profile update-notifier @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh                              rix,
-  /{usr/,}bin/ionice                                  rix,
-  /{usr/,}bin/ischroot                                rix,
-  /{usr/,}bin/nice                                    rix,
+  @{bin}/{,ba,da}sh                              rix,
+  @{bin}/ionice                                  rix,
+  @{bin}/ischroot                                rix,
+  @{bin}/nice                                    rix,
 
-  /{usr/,}bin/dpkg                                    rPx -> child-dpkg,
-  /{usr/,}bin/lsb_release                             rPx -> lsb_release,
-  /{usr/,}bin/pkexec                                  rPx, # TODO: rCx or rix to run /usr/lib/update-notifier/package-system-locked
-  /{usr/,}bin/snap                                    rPx,
-  /{usr/,}bin/software-properties-gtk                 rPx,
-  /{usr/,}bin/systemctl                               rPx -> child-systemctl,
-  /{usr/,}bin/update-manager                          rPx,
-  /{usr/,}lib/ubuntu-release-upgrader/check-new-release-gtk rPx,
-  /{usr/,}lib/update-notifier/apt_check.py            rix,
-  /{usr/,}lib/update-notifier/list-oem-metapackages   rPx,
-  /{usr/,}lib/update-notifier/livepatch-notification  rPx,
-  /{usr/,}lib/update-notifier/package-system-locked   rPx,
-  /usr/share/apport/apport-checkreports               rPx,
-  /usr/share/apport/apport-gtk                        rPx,
+  @{bin}/dpkg                                    rPx -> child-dpkg,
+  @{bin}/lsb_release                             rPx -> lsb_release,
+  @{bin}/pkexec                                  rPx, # TODO: rCx or rix to run /usr/lib/update-notifier/package-system-locked
+  @{bin}/snap                                    rPx,
+  @{bin}/software-properties-gtk                 rPx,
+  @{bin}/systemctl                               rPx -> child-systemctl,
+  @{bin}/update-manager                          rPx,
+  @{lib}/ubuntu-release-upgrader/check-new-release-gtk rPx,
+  @{lib}/update-notifier/apt_check.py            rix,
+  @{lib}/update-notifier/list-oem-metapackages   rPx,
+  @{lib}/update-notifier/livepatch-notification  rPx,
+  @{lib}/update-notifier/package-system-locked   rPx,
+  /usr/share/apport/apport-checkreports          rPx,
+  /usr/share/apport/apport-gtk                   rPx,
 
-  /{usr/,}lib/python3.[0-9]*/dist-packages/{apt,gi}/**/__pycache__/{,**} rw,
+  @{lib}/python3.[0-9]*/dist-packages/{apt,gi}/**/__pycache__/{,**} rw,
 
   /usr/share/dpkg/cputable r,
   /usr/share/dpkg/tupletable r,
diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth
index a19504b8..fdd6eb28 100644
--- a/apparmor.d/groups/virt/cni-bandwidth
+++ b/apparmor.d/groups/virt/cni-bandwidth
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/cni/bandwidth /opt/cni/bin/bandwidth
+@{exec_path} = @{lib}/cni/bandwidth /opt/cni/bin/bandwidth
 profile cni-bandwidth @{exec_path} {
   include <abstractions/base>
   
diff --git a/apparmor.d/groups/virt/cni-bridge b/apparmor.d/groups/virt/cni-bridge
index e2a3a76f..7e83b65d 100644
--- a/apparmor.d/groups/virt/cni-bridge
+++ b/apparmor.d/groups/virt/cni-bridge
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/cni/bridge /opt/cni/bin/bridge
+@{exec_path} = @{lib}/cni/bridge /opt/cni/bin/bridge
 profile cni-bridge @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico
index a7639096..70927159 100644
--- a/apparmor.d/groups/virt/cni-calico
+++ b/apparmor.d/groups/virt/cni-calico
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/cni/calico /opt/cni/bin/calico
+@{exec_path} = @{lib}/cni/calico /opt/cni/bin/calico
 profile cni-calico @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/virt/cni-firewall b/apparmor.d/groups/virt/cni-firewall
index 729329e5..d5483b7b 100644
--- a/apparmor.d/groups/virt/cni-firewall
+++ b/apparmor.d/groups/virt/cni-firewall
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/cni/firewall /opt/cni/bin/firewall
+@{exec_path} = @{lib}/cni/firewall /opt/cni/bin/firewall
 profile cni-firewall @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/virt/cni-flannel b/apparmor.d/groups/virt/cni-flannel
index 1c21c261..1784dbbf 100644
--- a/apparmor.d/groups/virt/cni-flannel
+++ b/apparmor.d/groups/virt/cni-flannel
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/cni/flannel /opt/cni/bin/flannel
+@{exec_path} = @{lib}/cni/flannel /opt/cni/bin/flannel
 profile cni-flannel @{exec_path} flags=(complain,attach_disconnected){
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/virt/cni-host-local b/apparmor.d/groups/virt/cni-host-local
index 9ca86fb5..4272115c 100644
--- a/apparmor.d/groups/virt/cni-host-local
+++ b/apparmor.d/groups/virt/cni-host-local
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/cni/host-local /opt/cni/bin/host-local
+@{exec_path} = @{lib}/cni/host-local /opt/cni/bin/host-local
 profile cni-host-local @{exec_path} flags=(complain,attach_disconnected){
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback
index 5e432a94..bdf7c35c 100644
--- a/apparmor.d/groups/virt/cni-loopback
+++ b/apparmor.d/groups/virt/cni-loopback
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/cni/loopback /opt/cni/bin/loopback
+@{exec_path} = @{lib}/cni/loopback /opt/cni/bin/loopback
 profile cni-loopback @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap
index 05d9e31e..2ea714eb 100644
--- a/apparmor.d/groups/virt/cni-portmap
+++ b/apparmor.d/groups/virt/cni-portmap
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/cni/portmap /opt/cni/bin/portmap
+@{exec_path} = @{lib}/cni/portmap /opt/cni/bin/portmap
 profile cni-portmap @{exec_path} {
   include <abstractions/base>
 
@@ -15,7 +15,7 @@ profile cni-portmap @{exec_path} {
   network netlink raw,
 
   @{exec_path} mr,
-  /{usr/,}{s,}bin/xtables-nft-multi rPx -> cni-xtables-nft,
+  @{bin}/xtables-nft-multi rPx -> cni-xtables-nft,
 
   @{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw,
   
diff --git a/apparmor.d/groups/virt/cni-tuning b/apparmor.d/groups/virt/cni-tuning
index dc14dfa4..80e3e6ff 100644
--- a/apparmor.d/groups/virt/cni-tuning
+++ b/apparmor.d/groups/virt/cni-tuning
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/cni/tuning /opt/cni/bin/tuning
+@{exec_path} = @{lib}/cni/tuning /opt/cni/bin/tuning
 profile cni-tuning @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/virt/cni-xtables-nft b/apparmor.d/groups/virt/cni-xtables-nft
index 465b6d11..b8eaddc9 100644
--- a/apparmor.d/groups/virt/cni-xtables-nft
+++ b/apparmor.d/groups/virt/cni-xtables-nft
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/xtables-nft-multi
+@{exec_path} = @{bin}/xtables-nft-multi
 profile cni-xtables-nft {
     include <abstractions/base>
     include <abstractions/consoles>
@@ -24,7 +24,7 @@ profile cni-xtables-nft {
     network netlink raw,
 
     @{exec_path} mr,
-    /{usr/,}{s,}bin/xtables-legacy-multi mr,
+    @{bin}/xtables-legacy-multi mr,
   
     /etc/libnl/classid r,
     /etc/iptables/{,**} rw,
diff --git a/apparmor.d/groups/virt/cockpit-askpass b/apparmor.d/groups/virt/cockpit-askpass
index 6164d04f..095433b7 100644
--- a/apparmor.d/groups/virt/cockpit-askpass
+++ b/apparmor.d/groups/virt/cockpit-askpass
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/cockpit/cockpit-askpass
+@{exec_path} = @{lib}/cockpit/cockpit-askpass
 profile cockpit-askpass @{exec_path} {
   include <abstractions/base>
   include <abstractions/python>
diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge
index fc3009a4..e2bb2e47 100644
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/cockpit-bridge
+@{exec_path} = @{bin}/cockpit-bridge
 profile cockpit-bridge @{exec_path} {
   include <abstractions/base>
   include <abstractions/app-launcher-root>
@@ -34,9 +34,9 @@ profile cockpit-bridge @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/journalctl rPx,
-  /{usr/,}lib/cockpit/cockpit-pcp rPx,
-  /{usr/,}lib/cockpit/cockpit-ssh rPx,
+  @{bin}/journalctl rPx,
+  @{lib}/cockpit/cockpit-pcp rPx,
+  @{lib}/cockpit/cockpit-ssh rPx,
 
   /usr/share/cockpit/{,**} r,
 
diff --git a/apparmor.d/groups/virt/cockpit-certificate-ensure b/apparmor.d/groups/virt/cockpit-certificate-ensure
index f91cdf30..3f9cc60d 100644
--- a/apparmor.d/groups/virt/cockpit-certificate-ensure
+++ b/apparmor.d/groups/virt/cockpit-certificate-ensure
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/cockpit/cockpit-certificate-ensure
+@{exec_path} = @{lib}/cockpit/cockpit-certificate-ensure
 profile cockpit-certificate-ensure @{exec_path} {
   include <abstractions/base>
 
@@ -16,7 +16,7 @@ profile cockpit-certificate-ensure @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}lib/cockpit/cockpit-certificate-helper rPx,
+  @{lib}/cockpit/cockpit-certificate-helper rPx,
 
   /etc/cockpit/ws-certs.d/{,*} r,
 
diff --git a/apparmor.d/groups/virt/cockpit-certificate-helper b/apparmor.d/groups/virt/cockpit-certificate-helper
index 938185be..35ae4397 100644
--- a/apparmor.d/groups/virt/cockpit-certificate-helper
+++ b/apparmor.d/groups/virt/cockpit-certificate-helper
@@ -6,21 +6,21 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/cockpit/cockpit-certificate-helper
+@{exec_path} = @{lib}/cockpit/cockpit-certificate-helper
 profile cockpit-certificate-helper @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh rix,
-  /{usr/,}bin/chmod rix,
-  /{usr/,}bin/id rix,
-  /{usr/,}bin/mkdir rix,
-  /{usr/,}bin/mv rix,
-  /{usr/,}bin/rm rix,
-  /{usr/,}bin/sscg rix,
-  /{usr/,}bin/tr rix,
+  @{bin}/{,ba,da}sh rix,
+  @{bin}/chmod rix,
+  @{bin}/id rix,
+  @{bin}/mkdir rix,
+  @{bin}/mv rix,
+  @{bin}/rm rix,
+  @{bin}/sscg rix,
+  @{bin}/tr rix,
 
   /etc/machine-id r,
 
diff --git a/apparmor.d/groups/virt/cockpit-desktop b/apparmor.d/groups/virt/cockpit-desktop
index 0ad1798f..ab4a5bce 100644
--- a/apparmor.d/groups/virt/cockpit-desktop
+++ b/apparmor.d/groups/virt/cockpit-desktop
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/cockpit/cockpit-desktop
+@{exec_path} = @{lib}/cockpit/cockpit-desktop
 profile cockpit-desktop @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/virt/cockpit-pcp b/apparmor.d/groups/virt/cockpit-pcp
index 014128ab..1b11bd6d 100644
--- a/apparmor.d/groups/virt/cockpit-pcp
+++ b/apparmor.d/groups/virt/cockpit-pcp
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/cockpit/cockpit-pcp
+@{exec_path} = @{lib}/cockpit/cockpit-pcp
 profile cockpit-pcp @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session
index ca431636..644df827 100644
--- a/apparmor.d/groups/virt/cockpit-session
+++ b/apparmor.d/groups/virt/cockpit-session
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/cockpit/cockpit-session
+@{exec_path} = @{lib}/cockpit/cockpit-session
 profile cockpit-session @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/authentication>
@@ -24,9 +24,9 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,z,ba,da}sh    rix,
-  /{usr/,}bin/cockpit-bridge  rPx,
-  /{usr/,}lib/cockpit/cockpit-pcp  rPx,
+  @{bin}/{,z,ba,da}sh    rix,
+  @{bin}/cockpit-bridge  rPx,
+  @{lib}/cockpit/cockpit-pcp  rPx,
 
   @{etc_ro}/environment r,
   /etc/group r,
diff --git a/apparmor.d/groups/virt/cockpit-ssh b/apparmor.d/groups/virt/cockpit-ssh
index 259ba206..1c952775 100644
--- a/apparmor.d/groups/virt/cockpit-ssh
+++ b/apparmor.d/groups/virt/cockpit-ssh
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/cockpit/cockpit-ssh
+@{exec_path} = @{lib}/cockpit/cockpit-ssh
 profile cockpit-ssh @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls
index a1b011c2..6e951d69 100644
--- a/apparmor.d/groups/virt/cockpit-tls
+++ b/apparmor.d/groups/virt/cockpit-tls
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/cockpit/cockpit-tls
+@{exec_path} = @{lib}/cockpit/cockpit-tls
 profile cockpit-tls @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws
index dc040fe6..7c3bacb4 100644
--- a/apparmor.d/groups/virt/cockpit-ws
+++ b/apparmor.d/groups/virt/cockpit-ws
@@ -6,13 +6,13 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/cockpit/cockpit-ws
+@{exec_path} = @{lib}/cockpit/cockpit-ws
 profile cockpit-ws @{exec_path} {
   include <abstractions/base>
 
   @{exec_path} mr,
 
-  /{usr/,}lib/cockpit/cockpit-session  rPx,
+  @{lib}/cockpit/cockpit-session  rPx,
 
   /usr/share/cockpit/{,**} r,
   /usr/share/pixmaps/{,**} r,
diff --git a/apparmor.d/groups/virt/cockpit-wsinstance-factory b/apparmor.d/groups/virt/cockpit-wsinstance-factory
index 2fe951d0..c5e61907 100644
--- a/apparmor.d/groups/virt/cockpit-wsinstance-factory
+++ b/apparmor.d/groups/virt/cockpit-wsinstance-factory
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/cockpit/cockpit-wsinstance-factory
+@{exec_path} = @{lib}/cockpit/cockpit-wsinstance-factory
 profile cockpit-wsinstance-factory @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index e2e193fa..9f5073c4 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/containerd
+@{exec_path} = @{bin}/containerd
 profile containerd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/devices-usb>
@@ -45,11 +45,12 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
   signal (send) set=kill peer=cni-calico,
 
   @{exec_path} mr,
-  /{usr/,}{s,}bin/apparmor_parser rPx,
-  /{usr/,}bin/containerd-shim-runc-v2 rPUx,
-  /{usr/,}bin/kmod rPx,
-  /{usr/,}bin/unpigz rPUx,
-  /{usr/,}{local/,}{s,}bin/zfs rPx,
+
+  @{bin}/apparmor_parser          rPx,
+  @{bin}/containerd-shim-runc-v2 rPUx,
+  @{bin}/kmod                     rPx,
+  @{bin}/unpigz                  rPUx,
+  /{usr/,}{local/,}{s,}bin/zfs    rPx,
 
   / r,
 
diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2
index 01430544..a38a903d 100644
--- a/apparmor.d/groups/virt/containerd-shim-runc-v2
+++ b/apparmor.d/groups/virt/containerd-shim-runc-v2
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/containerd-shim-runc-v2
+@{exec_path} = @{bin}/containerd-shim-runc-v2
 profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -29,7 +29,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mrix,
 
-  /{usr/,}{s,}bin/runc rPUx,
+  @{bin}/runc rPUx,
 
   /tmp/runc-process[0-9]* rw,
   /tmp/pty[0-9]*/ rw,
diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy
index bbf66911..92ec9ed3 100644
--- a/apparmor.d/groups/virt/docker-proxy
+++ b/apparmor.d/groups/virt/docker-proxy
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/docker-proxy
+@{exec_path} = @{bin}/docker-proxy
 profile docker-proxy @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd
index 28442564..3356d25a 100644
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/dockerd
+@{exec_path} = @{bin}/dockerd
 profile dockerd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-strict>
@@ -53,21 +53,21 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mrix,
 
-  /{usr/,}{s,}bin/apparmor_parser     rPx,
-  /{usr/,}{s,}bin/runc                rUx,
-  /{usr/,}{s,}bin/xtables-nft-multi   rix,
-  /{usr/,}bin/containerd              rPx,
-  /{usr/,}bin/docker-init             rix,
-  /{usr/,}bin/docker-proxy            rPx,
-  /{usr/,}bin/kmod                    rPx,
-  /{usr/,}bin/ps                      rPx,
-  /{usr/,}bin/unpigz                  rix,
+  @{bin}/apparmor_parser         rPx,
+  @{bin}/containerd              rPx,
+  @{bin}/docker-init             rix,
+  @{bin}/docker-proxy            rPx,
+  @{bin}/kmod                    rPx,
+  @{bin}/ps                      rPx,
+  @{bin}/runc                    rUx,
+  @{bin}/unpigz                  rix,
+  @{bin}/xtables-nft-multi       rix,
 
   # Docker needs full access of the containers it manages.
   # TODO: should be in a sub profile started with pivot_root, not supported yet.
   /{,**} rwl,
 
-  owner /{usr/,}lib/docker/overlay2/*/work/{,**} rw,
+  owner @{lib}/docker/overlay2/*/work/{,**} rw,
   owner /var/lib/docker/{,**} rwk,
   owner /var/lib/docker/tmp/qemu-check[0-9]*/check rix,
 
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index 4a0f7d4c..e3e892b4 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@@ -56,17 +56,17 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
   unix (bind,listen) type=stream addr=@xtables,
 
   @{exec_path} mr,
-  /{usr/,}bin/kmod rPx,
-  /{usr/,}bin/mount rPx,
-  /{usr/,}bin/systemd-run rix,
-  /{usr/,}bin/{nano,emacs,ed} rPUx,
-  /{usr/,}bin/vim{,.basic} rPUx,
-  /{usr/,}{s,}bin/xtables-nft-multi rPx -> cni-xtables-nft,
+  @{bin}/kmod rPx,
+  @{bin}/mount rPx,
+  @{bin}/systemd-run rix,
+  @{bin}/{nano,emacs,ed} rPUx,
+  @{bin}/vim{,.basic} rPUx,
+  @{bin}/xtables-nft-multi rPx -> cni-xtables-nft,
 
-  @{libexec}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
+  @{lib}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
   /var/lib/rancher/k3s/data/@{hex}/bin/* rix,
 
-  @{libexec}/kubernetes/kubelet-plugins/volume/exec/{,**} r,
+  @{lib}/kubernetes/kubelet-plugins/volume/exec/{,**} r,
   /usr/share/mime/globs2 r,
 
   /etc/machine-id r,
diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus
index 057c245f..d2e722f3 100644
--- a/apparmor.d/groups/virt/libvirt-dbus
+++ b/apparmor.d/groups/virt/libvirt-dbus
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/libvirt-dbus
+@{exec_path} = @{bin}/libvirt-dbus
 profile libvirt-dbus @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -14,8 +14,8 @@ profile libvirt-dbus @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}{s,}bin/libvirtd   rPx,
-  /{usr/,}{s,}bin/virtqemud  rPx,
+  @{bin}/libvirtd   rPx,
+  @{bin}/virtqemud  rPx,
 
   /usr/share/dbus-1/interfaces/org.libvirt.*.xml r,
 
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index 698c892a..6a307639 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -14,7 +14,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/libvirtd
+@{exec_path} = @{bin}/libvirtd
 profile libvirtd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -90,38 +90,38 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  @{libexec}/libvirt/libvirt_iohelper                   rix,
-  @{libexec}/libvirt/libvirt_parthelper                 rix,
+  @{lib}/libvirt/libvirt_iohelper                   rix,
+  @{lib}/libvirt/libvirt_parthelper                 rix,
 
-  @{libexec}/xen-*/bin/libxl-save-helper               rPUx,
-  @{libexec}/xen-*/bin/pygrub                          rPUx,
+  @{lib}/udev/scsi_id                              rPUx,
+  @{lib}/xen-*/bin/libxl-save-helper               rPUx,
+  @{lib}/xen-*/bin/pygrub                          rPUx,
+  @{lib}/xen-common/bin/xen-toolstack              rPUx,
+  @{lib}/xen/bin/*                                 rPUx,
   /{usr/,}{lib,lib64,lib/qemu,libexec}/vhost-user-gpu  rPUx,
   /{usr/,}{lib,lib64,lib/qemu,libexec}/virtiofsd        rux, # TODO: WIP
-  /{usr/,}lib{,64}/xen-common/bin/xen-toolstack        rPUx,
-  /{usr/,}lib{,64}/xen/bin/*                           rPUx,
-  /{usr/,}lib/udev/scsi_id                             rPUx,
 
   /{usr/,}{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
 
-  /{usr/,}{s,}bin/dmidecode                            rPx,
-  /{usr/,}{s,}bin/dnsmasq                              rPx,
-  /{usr/,}{s,}bin/virtiofsd                            rux, # TODO: WIP
-  /{usr/,}{s,}bin/virtlogd                             rPx,
-  /{usr/,}bin/lvm                                      rUx,
-  /{usr/,}bin/mdevctl                                  rPx,
-  /{usr/,}bin/swtpm                                    rPx,
-  /{usr/,}bin/swtpm_ioctl                              rPx,
-  /{usr/,}bin/swtpm_setup                              rPx,
-  /{usr/,}bin/udevadm                                  rPx,
+  @{bin}/dmidecode                            rPx,
+  @{bin}/dnsmasq                              rPx,
+  @{bin}/lvm                                 rPUx,
+  @{bin}/mdevctl                              rPx,
+  @{bin}/swtpm                                rPx,
+  @{bin}/swtpm_ioctl                          rPx,
+  @{bin}/swtpm_setup                          rPx,
+  @{bin}/udevadm                              rPx,
+  @{bin}/virtiofsd                            rux, # TODO: WIP
+  @{bin}/virtlogd                             rPx,
 
-  /{usr/,}{s,}bin/xtables-nft-multi  rix,
-  /{usr/,}bin/{,ba,da}sh             rix,
-  /{usr/,}bin/ip                     rix,
-  /{usr/,}bin/tc                     rix,
-  /{usr/,}bin/xmllint                rix,
-  /{usr/,}bin/qemu-system*           rUx, # TODO: Integration with virt-aa-helper
-  /{usr/,}bin/qemu-img               rUx, # TODO: Integration with virt-aa-helper
-  /{usr/,}lib/libvirt/virt-aa-helper rPx,
+  @{bin}/{,ba,da}sh             rix,
+  @{bin}/ip                     rix,
+  @{bin}/qemu-img               rUx, # TODO: Integration with virt-aa-helper
+  @{bin}/qemu-system*           rUx, # TODO: Integration with virt-aa-helper
+  @{bin}/tc                     rix,
+  @{bin}/xmllint                rix,
+  @{bin}/xtables-nft-multi      rix,
+  @{lib}/libvirt/virt-aa-helper rPx,
 
   /etc/libvirt/hooks/**    rPUx,
   /etc/xen/scripts/**      rmix,
@@ -258,7 +258,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
   /dev/ptmx rw,
 
   # Force the use of virt-aa-helper
-  audit deny /{usr/,}{s,}bin/apparmor_parser rwxl,
+  audit deny @{bin}/apparmor_parser rwxl,
   audit deny @{etc_rw}/apparmor.d/libvirt/** wxl,
   audit deny @{sys}/kernel/security/apparmor/features rwxl,
   audit deny @{sys}/kernel/security/apparmor/matching rwxl,
diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper
index 66b6dac5..4192d63a 100644
--- a/apparmor.d/groups/virt/virt-aa-helper
+++ b/apparmor.d/groups/virt/virt-aa-helper
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/libvirt/virt-aa-helper
+@{exec_path} = @{lib}/libvirt/virt-aa-helper
 profile virt-aa-helper @{exec_path} {
   include <abstractions/base>
   include <abstractions/openssl>
@@ -20,7 +20,7 @@ profile virt-aa-helper @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}{s,}bin/apparmor_parser rPx,
+  @{bin}/apparmor_parser rPx,
 
   /etc/apparmor.d/libvirt/* r,
   @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw,
diff --git a/apparmor.d/groups/virt/virtinterfaced b/apparmor.d/groups/virt/virtinterfaced
index 75f8162f..1753d2c5 100644
--- a/apparmor.d/groups/virt/virtinterfaced
+++ b/apparmor.d/groups/virt/virtinterfaced
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/virtinterfaced
+@{exec_path} = @{bin}/virtinterfaced
 profile virtinterfaced @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -18,8 +18,8 @@ profile virtinterfaced @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}lib/gconv/gconv-modules rm,
-  /{usr/,}lib/gconv/gconv-modules.d/{,*} r,
+  @{lib}/gconv/gconv-modules rm,
+  @{lib}/gconv/gconv-modules.d/{,*} r,
 
         @{run}/systemd/inhibit/*.ref rw,
   owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd
index 3642ae1c..1eef0508 100644
--- a/apparmor.d/groups/virt/virtiofsd
+++ b/apparmor.d/groups/virt/virtiofsd
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/qemu/virtiofsd /{usr/,}{s,}bin/virtiofsd
+@{exec_path} = @{lib}/qemu/virtiofsd @{bin}/virtiofsd
 profile virtiofsd @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/virt/virtlockd b/apparmor.d/groups/virt/virtlockd
index b75c92a1..ca132d6c 100644
--- a/apparmor.d/groups/virt/virtlockd
+++ b/apparmor.d/groups/virt/virtlockd
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/virtlockd
+@{exec_path} = @{bin}/virtlockd
 profile virtlockd @{exec_path} {
   include <abstractions/base>
 
diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd
index 494ffde1..4ffb2639 100644
--- a/apparmor.d/groups/virt/virtlogd
+++ b/apparmor.d/groups/virt/virtlogd
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/virtlogd
+@{exec_path} = @{bin}/virtlogd
 profile virtlogd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/groups/virt/virtnetworkd b/apparmor.d/groups/virt/virtnetworkd
index e2cac0f3..be00b8d6 100644
--- a/apparmor.d/groups/virt/virtnetworkd
+++ b/apparmor.d/groups/virt/virtnetworkd
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/virtnetworkd
+@{exec_path} = @{bin}/virtnetworkd
 profile virtnetworkd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/openssl>
@@ -18,7 +18,7 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/dnsmasq rPx,
+  @{bin}/dnsmasq rPx,
 
         @{run}/utmp rk,
         @{run}/systemd/inhibit/*.ref rw,
diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd
index 35317bc8..444450ca 100644
--- a/apparmor.d/groups/virt/virtnodedevd
+++ b/apparmor.d/groups/virt/virtnodedevd
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/virtnodedevd
+@{exec_path} = @{bin}/virtnodedevd
 profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/devices-usb>
@@ -21,7 +21,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/mdevctl rPx,
+  @{bin}/mdevctl rPx,
 
   /usr/share/hwdata/*.ids r,
 
diff --git a/apparmor.d/groups/virt/virtsecretd b/apparmor.d/groups/virt/virtsecretd
index bf08855c..36a96a25 100644
--- a/apparmor.d/groups/virt/virtsecretd
+++ b/apparmor.d/groups/virt/virtsecretd
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/virtsecretd
+@{exec_path} = @{bin}/virtsecretd
 profile virtsecretd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/groups/virt/virtstoraged b/apparmor.d/groups/virt/virtstoraged
index 6aaba4f9..427dca0e 100644
--- a/apparmor.d/groups/virt/virtstoraged
+++ b/apparmor.d/groups/virt/virtstoraged
@@ -8,7 +8,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/virtstoraged
+@{exec_path} = @{bin}/virtstoraged
 profile virtstoraged @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -20,8 +20,8 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/qemu-system*  rUx, # TODO: Integration with virt-aa-helper
-  /{usr/,}bin/qemu-img      rUx, # TODO: Integration with virt-aa-helper
+  @{bin}/qemu-system*  rUx, # TODO: Integration with virt-aa-helper
+  @{bin}/qemu-img      rUx, # TODO: Integration with virt-aa-helper
 
   owner @{user_config_dirs}/libvirt/storage/{,**} rw,