refactor(profiles): use @{bin} and @{lib} in profiles (3)

apparmor.d/groups/gnome/chrome-gnome-shell

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/chrome-gnome-shell
+@{exec_path} = @{bin}/chrome-gnome-shell
 profile chrome-gnome-shell @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
@@ -22,7 +22,7 @@ profile chrome-gnome-shell @{exec_path} {
   network netlink raw,
 
   @{exec_path} mr,
-  /{usr/,}bin/ r,
+  @{bin}/ r,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
 

apparmor.d/groups/gnome/evolution-addressbook-factory

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,evolution-data-server/}evolution-addressbook-factory
+@{exec_path} = @{lib}/{,evolution-data-server/}evolution-addressbook-factory
 profile evolution-addressbook-factory @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-network-manager-strict>

apparmor.d/groups/gnome/evolution-alarm-notify

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify
+@{exec_path} = @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify
 profile evolution-alarm-notify @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session>

apparmor.d/groups/gnome/evolution-calendar-factory

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,evolution-data-server/}evolution-calendar-factory
+@{exec_path} = @{lib}/{,evolution-data-server/}evolution-calendar-factory
 profile evolution-calendar-factory @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-network-manager-strict>

apparmor.d/groups/gnome/evolution-source-registry

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,evolution-data-server/}evolution-source-registry
+@{exec_path} = @{lib}/{,evolution-data-server/}evolution-source-registry
 profile evolution-source-registry @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>

apparmor.d/groups/gnome/gdm

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/gdm{3,}
+@{exec_path} = @{bin}/gdm{3,}
 profile gdm @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
@@ -66,13 +66,13 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  @{libexec}/{,gdm/}gdm-session-worker  rPx,
+  @{bin}/{,ba,da}sh                rix,
-  /{usr/,}{s,}bin/prime-switch         rPUx,
+  @{bin}/pidof                     rPx,
-  /{usr/,}bin/{,ba,da}sh                rix,
+  @{bin}/plymouth                  rPx,
-  /{usr/,}bin/pidof                     rPx,
+  @{bin}/prime-switch             rPUx,
-  /{usr/,}bin/plymouth                  rPx,
+  @{bin}/sleep                     rix,
-  /{usr/,}bin/sleep                     rix,
+  @{lib}/{,gdm/}gdm-session-worker rPx,
-  /etc/gdm{3,}/PrimeOff/Default         rix,
+  /etc/gdm{3,}/PrimeOff/Default    rix,
 
   /usr/share/gdm/gdm.schemas r,
   /usr/share/wayland-sessions/*.desktop r,

apparmor.d/groups/gnome/gdm-runtime-config

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} =  @{libexec}/gdm-runtime-config
+@{exec_path} =  @{lib}/gdm-runtime-config
 profile gdm-runtime-config @{exec_path} {
   include <abstractions/base>
 

apparmor.d/groups/gnome/gdm-session-worker

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gdm/}gdm-session-worker
+@{exec_path} = @{lib}/{,gdm/}gdm-session-worker
 profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/authentication>
@@ -58,9 +58,9 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mrix,
 
-  @{libexec}/{,gdm/}gdm-wayland-session   rPx,
+  @{bin}/gnome-keyring-daemon             rPx,
-  @{libexec}/{,gdm/}gdm-x-session         rPx,
+  @{lib}/{,gdm/}gdm-wayland-session       rPx,
-  /{usr/,}bin/gnome-keyring-daemon        rPx,
+  @{lib}/{,gdm/}gdm-x-session             rPx,
   /etc/gdm{3,}/{Pre,Post}Session/Default  rix,
   /etc/gdm{3,}/PostLogin/Default          rix,
   /etc/gdm{3,}/PrimeOff/Default           rix,

apparmor.d/groups/gnome/gdm-wayland-session

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gdm/}gdm-wayland-session
+@{exec_path} = @{lib}/{,gdm/}gdm-wayland-session
 profile gdm-wayland-session @{exec_path} {
   include <abstractions/base>
   include <abstractions/bash>
@@ -38,33 +38,33 @@ profile gdm-wayland-session @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh           rix,
+  @{bin}/{,ba,da}sh           rix,
-  /{usr/,}bin/cat                  rix,
+  @{bin}/cat                  rix,
-  /{usr/,}bin/env                  rix,
+  @{bin}/env                  rix,
-  /{usr/,}bin/gettext              rix,
+  @{bin}/gettext              rix,
-  /{usr/,}bin/gettext.sh             r,
+  @{bin}/gettext.sh             r,
-  /{usr/,}bin/gnome-session        rix,
+  @{bin}/gnome-session        rix,
-  /{usr/,}bin/grep                 rix,
+  @{bin}/grep                 rix,
-  /{usr/,}bin/gsettings            rPx,
+  @{bin}/gsettings            rPx,
-  /{usr/,}bin/head                 rix,
+  @{bin}/head                 rix,
-  /{usr/,}bin/id                   rix,
+  @{bin}/id                   rix,
-  /{usr/,}bin/locale               rix,
+  @{bin}/locale               rix,
-  /{usr/,}bin/locale-check         rix,
+  @{bin}/locale-check         rix,
-  /{usr/,}bin/manpath              rix,
+  @{bin}/manpath              rix,
-  /{usr/,}bin/qmake                rix,
+  @{bin}/qmake                rix,
-  /{usr/,}bin/readlink             rix,
+  @{bin}/readlink             rix,
-  /{usr/,}bin/sed                  rix,
+  @{bin}/sed                  rix,
-  /{usr/,}bin/sort                 rix,
+  @{bin}/sort                 rix,
-  /{usr/,}bin/tr                   rix,
+  @{bin}/tr                   rix,
-  /{usr/,}bin/tty                  rix,
+  @{bin}/tty                  rix,
-  /{usr/,}bin/uname                rix,
+  @{bin}/uname                rix,
-  /{usr/,}bin/zsh                  rix,
+  @{bin}/zsh                  rix,
 
-  @{libexec}/gnome-session-binary  rPx,
+  @{lib}/gnome-session-binary  rPx,
-  /{usr/,}bin/dbus-daemon          rPx,
+  @{bin}/dbus-daemon          rPx,
-  /{usr/,}bin/dbus-run-session     rPx,
+  @{bin}/dbus-run-session     rPx,
-  /{usr/,}bin/dpkg-query           rpx,
+  @{bin}/dpkg-query           rpx,
-  /{usr/,}bin/flatpak             rPUx,
+  @{bin}/flatpak             rPUx,
 
   /usr/share/bash-completion/{,**} r,
   /usr/share/gdm/gdm.schemas r,

apparmor.d/groups/gnome/gdm-x-session

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gdm/}gdm-x-session
+@{exec_path} = @{lib}/{,gdm/}gdm-x-session
 profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
@@ -35,8 +35,8 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/Xorg              rPx,
+  @{bin}/Xorg              rPx,
-  /{usr/,}bin/dbus-run-session  rPx,
+  @{bin}/dbus-run-session  rPx,
   /etc/gdm{3,}/Xsession         rPx,
   /etc/gdm{3,}/Prime/Default    rix,
 

apparmor.d/groups/gnome/gdm-xsession

@@ -16,35 +16,35 @@ profile gdm-xsession @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh      rix,
+  @{bin}/{,ba,da}sh      rix,
-  /{usr/,}bin/{,e}grep        rix,
+  @{bin}/{,e}grep        rix,
-  /{usr/,}bin/{m,g,}awk       rix,
+  @{bin}/{m,g,}awk       rix,
-  /{usr/,}bin/cat             rix,
+  @{bin}/cat             rix,
-  /{usr/,}bin/expr            rix,
+  @{bin}/expr            rix,
-  /{usr/,}bin/gettext         rix,
+  @{bin}/gettext         rix,
-  /{usr/,}bin/gettext.sh      r,
+  @{bin}/gettext.sh      r,
-  /{usr/,}bin/gnome-session   rix,
+  @{bin}/gnome-session   rix,
-  /{usr/,}bin/gsettings       rPx,
+  @{bin}/gsettings       rPx,
-  /{usr/,}bin/id              rix,
+  @{bin}/id              rix,
-  /{usr/,}bin/locale          rix,
+  @{bin}/locale          rix,
-  /{usr/,}bin/locale-check    rix,
+  @{bin}/locale-check    rix,
-  /{usr/,}bin/mktemp          rix,
+  @{bin}/mktemp          rix,
-  /{usr/,}bin/sed             rix,
+  @{bin}/sed             rix,
-  /{usr/,}bin/tr              rix,
+  @{bin}/tr              rix,
-  /{usr/,}bin/truncate        rix,
+  @{bin}/truncate        rix,
-  /{usr/,}bin/tty             rix,
+  @{bin}/tty             rix,
-  /{usr/,}bin/zsh             rix,
+  @{bin}/zsh             rix,
 
   @{etc_ro}/X11/xdm/Xsession                        rPx,
-  /{usr/,}bin/dbus-update-activation-environment    rCx -> dbus,
+  @{bin}/dbus-update-activation-environment    rCx -> dbus,
-  /{usr/,}bin/flatpak                               rPUx,
+  @{bin}/flatpak                               rPUx,
-  /{usr/,}bin/systemctl                             rPx -> child-systemctl,
+  @{bin}/systemctl                             rPx -> child-systemctl,
-  /{usr/,}bin/xbrlapi                               rPx,
+  @{bin}/xbrlapi                               rPx,
-  /{usr/,}bin/xhost                                 rPx,
+  @{bin}/xhost                                 rPx,
-  /{usr/,}bin/im-launch                             rPx,
+  @{bin}/im-launch                             rPx,
-  /{usr/,}bin/gpgconf                               rPx,
+  @{bin}/gpgconf                               rPx,
-  @{libexec}/gnome-session-binary                   rPx,
+  @{lib}/gnome-session-binary                   rPx,
-  /{usr/,}bin/dpkg-query                            rpx,
+  @{bin}/dpkg-query                            rpx,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/im-config/data/{,*} r,
@@ -62,7 +62,7 @@ profile gdm-xsession @{exec_path} {
   profile dbus {
     include <abstractions/base>
 
-    /{usr/,}bin/dbus-update-activation-environment mr,
+    @{bin}/dbus-update-activation-environment mr,
 
     owner @{run}/user/@{uid}/bus rw,
 

apparmor.d/groups/gnome/gio-launch-desktop

@@ -7,9 +7,9 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path}  = /{usr/,}bin/gio
+@{exec_path}  = @{bin}/gio
-@{exec_path} += /{usr/,}bin/gio-launch-desktop
+@{exec_path} += @{bin}/gio-launch-desktop
-@{exec_path} += /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop
+@{exec_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop
 profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/app-launcher-user>
@@ -20,7 +20,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}lib/gio-launch-desktop rix,
+  @{lib}/gio-launch-desktop rix,
 
   # System files
   /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,

apparmor.d/groups/gnome/gjs-console

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path}  = /{usr/,}bin/gjs-console
+@{exec_path}  = @{bin}/gjs-console
 profile gjs-console @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
@@ -74,9 +74,9 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
   dbus bind bus=session name=org.gnome.Shell.Notifications,
 
   @{exec_path} mr,
-  /{usr/,}bin/          r,
+  @{bin}/          r,
-  /{usr/,}bin/[a-z0-9]* rPUx,
+  @{bin}/[a-z0-9]* rPUx,
-  @{libexec}/** rPUx,
+  @{lib}/** rPUx,
 
   /etc/openni2/OpenNI.ini r,
 

apparmor.d/groups/gnome/gkbd-keyboard-display

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gkbd-keyboard-display
+@{exec_path} = @{bin}/gkbd-keyboard-display
 profile gkbd-keyboard-display @{exec_path} {
   include <abstractions/base>
   include <abstractions/fonts>

apparmor.d/groups/gnome/gnome-browser-connector-host

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-browser-connector-host
+@{exec_path} = @{bin}/gnome-browser-connector-host
 profile gnome-browser-connector-host @{exec_path} {
   include <abstractions/base>
   include <abstractions/python>
@@ -14,10 +14,10 @@ profile gnome-browser-connector-host @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/env             rix,
+  @{bin}/env             rix,
-  /{usr/,}bin/python3.[0-9]*  rix,
+  @{bin}/python3.[0-9]*  rix,
 
-  /{usr/,}lib/python3.[0-9]*/site-packages/gnome_browser_connector/__pycache__/{,**} rw,
+  @{lib}/python3.[0-9]*/site-packages/gnome_browser_connector/__pycache__/{,**} rw,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
 

apparmor.d/groups/gnome/gnome-calculator-search-provider

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gnome-calculator-search-provider
+@{exec_path} = @{lib}/gnome-calculator-search-provider
 profile gnome-calculator-search-provider @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>

apparmor.d/groups/gnome/gnome-calendar

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-calendar
+@{exec_path} = @{bin}/gnome-calendar
 profile gnome-calendar @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>

apparmor.d/groups/gnome/gnome-characters

@@ -20,7 +20,7 @@ profile gnome-characters @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/gjs-console rix,
+  @{bin}/gjs-console rix,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/icu/[0-9]*.[0-9]*/*.dat r,

apparmor.d/groups/gnome/gnome-characters-backgroudservice

@@ -15,7 +15,7 @@ profile gnome-characters-backgroudservice @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/gjs-console rix,
+  @{bin}/gjs-console rix,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/icons/{,**} r,

apparmor.d/groups/gnome/gnome-contacts

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-contacts
+@{exec_path} = @{bin}/gnome-contacts
 profile gnome-contacts @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>

apparmor.d/groups/gnome/gnome-contacts-search-provider

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gnome-contacts-search-provider
+@{exec_path} = @{lib}/gnome-contacts-search-provider
 profile gnome-contacts-search-provider @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>

apparmor.d/groups/gnome/gnome-control-center

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-control-center
+@{exec_path} = @{bin}/gnome-control-center
 profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio>
@@ -64,27 +64,27 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,b,d,rb}ash  rUx,
+  @{bin}/{,b,d,rb}ash  rUx,
-  /{usr/,}bin/{c,k,tc,z}sh  rUx,
+  @{bin}/{c,k,tc,z}sh  rUx,
 
-  /{usr/,}bin/gcm-viewer    rix,
+  @{bin}/gcm-viewer    rix,
-  /{usr/,}bin/grep          rix,
+  @{bin}/grep          rix,
-  /{usr/,}bin/locale        rix,
+  @{bin}/locale        rix,
-  /{usr/,}bin/sed           rix,
+  @{bin}/sed           rix,
 
-  @{libexec}/gnome-control-center-goa-helper          rPx,
+  @{bin}/bwrap                                  rPUx,
-  @{libexec}/gnome-control-center-print-renderer      rPx,
+  @{bin}/gkbd-keyboard-display                  rPUx,
-  /{usr/,}bin/gnome-software                         rPUx,
+  @{bin}/gnome-software                         rPUx,
-  /{usr/,}bin/gkbd-keyboard-display                  rPUx,
+  @{bin}/openvpn                                 rPx,
-  /{usr/,}bin/bwrap                                  rPUx,
+  @{bin}/passwd                                  rPx,
-  /{usr/,}bin/openvpn                                 rPx,
+  @{bin}/pkexec                                  rPx,
-  /{usr/,}bin/passwd                                  rPx,
+  @{bin}/software-properties-gtk                 rPx,
-  /{usr/,}bin/software-properties-gtk                 rPx,
+  @{bin}/usermod                                 rPx,
-  /{usr/,}bin/pkexec                                  rPx,
+  @{lib}/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
-  /{usr/,}{s,}bin/usermod                             rPx,
+  @{lib}/gnome-control-center-goa-helper         rPx,
-  /{usr/,}lib/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
+  @{lib}/gnome-control-center-print-renderer     rPx,
-  /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
+  @{lib}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
-  /usr/share/language-tools/language2locale           rix,
+  /usr/share/language-tools/language2locale      rix,
 
   /snap/*/[0-9]*/**.png r,
   /usr/share/backgrounds/{,**} r,

apparmor.d/groups/gnome/gnome-control-center-goa-helper

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/gnome-control-center-goa-helper
+@{exec_path} = @{lib}/gnome-control-center-goa-helper
 profile gnome-control-center-goa-helper @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
@@ -29,9 +29,9 @@ profile gnome-control-center-goa-helper @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/bwrap  rPUx,
+  @{bin}/bwrap  rPUx,
 
-  /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
+  @{lib}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/themes/{,**} r,

apparmor.d/groups/gnome/gnome-control-center-print-renderer

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gnome-control-center-print-renderer
+@{exec_path} = @{lib}/gnome-control-center-print-renderer
 profile gnome-control-center-print-renderer @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-accessibility-strict>

apparmor.d/groups/gnome/gnome-control-center-search-provider

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gnome-control-center-search-provider
+@{exec_path} = @{lib}/gnome-control-center-search-provider
 profile gnome-control-center-search-provider @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>

apparmor.d/groups/gnome/gnome-disk-image-mounter

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-disk-image-mounter
+@{exec_path} = @{bin}/gnome-disk-image-mounter
 profile gnome-disk-image-mounter @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>

apparmor.d/groups/gnome/gnome-disks

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-disks
+@{exec_path} = @{bin}/gnome-disks
 profile gnome-disks @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
@@ -16,8 +16,8 @@ profile gnome-disks @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
+  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
-  /{usr/,}lib/gio-launch-desktop                           rPx -> child-open,
+  @{lib}/gio-launch-desktop                           rPx -> child-open,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/X11/xkb/{,**} r,

apparmor.d/groups/gnome/gnome-extension-ding

@@ -142,11 +142,11 @@ profile gnome-extension-ding @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh            rix,
+  @{bin}/{,ba,da}sh            rix,
-  /{usr/,}bin/env                   rix,
+  @{bin}/env                   rix,
-  /{usr/,}bin/gjs-console           rix,
+  @{bin}/gjs-console           rix,
-  /{usr/,}bin/gnome-control-center  rPx,
+  @{bin}/gnome-control-center  rPx,
-  /{usr/,}bin/nautilus              rPx,
+  @{bin}/nautilus              rPx,
 
   /usr/share/gnome-shell/extensions/ding@rastersoft.com/* r,
   /usr/share/thumbnailers/{,*.thumbnailer} r,

apparmor.d/groups/gnome/gnome-extension-manager

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/extension-manager
+@{exec_path} = @{bin}/extension-manager
 profile gnome-extension-manager @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
@@ -30,10 +30,10 @@ profile gnome-extension-manager @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/gjs-console rix,
+  @{bin}/gjs-console rix,
 
-  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
+  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
-  /{usr/,}lib/gio-launch-desktop                           rPx -> child-open,
+  @{lib}/gio-launch-desktop                           rPx -> child-open,
 
   /usr/share/gnome-shell/org.gnome.Shell.Extensions r,
   /usr/share/themes/{,**} r,

apparmor.d/groups/gnome/gnome-extensions-app

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-extensions-app
+@{exec_path} = @{bin}/gnome-extensions-app
 profile gnome-extensions-app @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
@@ -22,8 +22,8 @@ profile gnome-extensions-app @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh  rix,
+  @{bin}/{,ba,da}sh  rix,
-  /{usr/,}bin/gjs-console rix,
+  @{bin}/gjs-console rix,
 
   /usr/share/gnome-shell/org.gnome.Extensions* r,
   /usr/share/icu/[0-9]*.[0-9]*/*.dat r,

apparmor.d/groups/gnome/gnome-keyring-daemon

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-keyring-daemon
+@{exec_path} = @{bin}/gnome-keyring-daemon
 profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
@@ -111,8 +111,8 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/ssh-add   rix,
+  @{bin}/ssh-add   rix,
-  /{usr/,}bin/ssh-agent rPx,
+  @{bin}/ssh-agent rPx,
 
   /etc/gcrypt/hwf.deny r,
 

apparmor.d/groups/gnome/gnome-music

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-music
+@{exec_path} = @{bin}/gnome-music
 profile gnome-music @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio>
@@ -31,9 +31,9 @@ profile gnome-music @{exec_path} {
   network netlink raw,
 
   @{exec_path} mr,
-  /{usr/,}bin/ r,
+  @{bin}/ r,
-  /{usr/,}bin/python3.[0-9]* rix,
+  @{bin}/python3.[0-9]* rix,
-  /{usr/,}lib/python3.[0-9]*/site-packages//gnomemusic/__pycache__/{,**} rw,
+  @{lib}/python3.[0-9]*/site-packages//gnomemusic/__pycache__/{,**} rw,
 
   /usr/share/egl/{,**} r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,

apparmor.d/groups/gnome/gnome-photos-thumbnailer

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/gnome-photos-thumbnailer
+@{exec_path} = @{lib}/gnome-photos-thumbnailer
 profile gnome-photos-thumbnailer @{exec_path} {
   include <abstractions/base>
   include <abstractions/user-download-strict>

apparmor.d/groups/gnome/gnome-remote-desktop-daemon

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gnome-remote-desktop-daemon
+@{exec_path} = @{lib}/gnome-remote-desktop-daemon
 profile gnome-remote-desktop-daemon @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>

apparmor.d/groups/gnome/gnome-session-binary

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gnome-session-binary
+@{exec_path} = @{lib}/gnome-session-binary
 profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-accessibility-strict>
@@ -135,57 +135,57 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,z,ba,da}sh                                 rix,
+  @{bin}/{,z,ba,da}sh                                  rix,
-  /{usr/,}bin/env                                          rix,
+  @{bin}/env                                           rix,
-  /{usr/,}bin/gnome-session                                rix,
+  @{bin}/gnome-session                                 rix,
-  /{usr/,}bin/grep                                         rix,
+  @{bin}/grep                                          rix,
-  /{usr/,}bin/gsettings                                    rPx,
+  @{bin}/gsettings                                     rPx,
-  /{usr/,}bin/gsettings-data-convert                       rix,
+  @{bin}/gsettings-data-convert                        rix,
-  /{usr/,}bin/mkdir                                        rix,
+  @{bin}/mkdir                                         rix,
-  /{usr/,}bin/session-migration                            rix,
+  @{bin}/session-migration                             rix,
-  /{usr/,}bin/xdg-user-dirs-gtk-update                     rix,
+  @{bin}/xdg-user-dirs-gtk-update                      rix,
-  @{libexec}/at-spi-bus-launcher                           rPx,
+  @{lib}/{,gnome-shell/}gnome-shell-overrides-migration.sh  rix,
-  @{libexec}/gnome-session-check-accelerated               rix,
+  @{lib}/at-spi-bus-launcher                           rPx,
-  @{libexec}/gnome-session-check-accelerated-gl-helper     rix,
+  @{lib}/gnome-session-check-accelerated               rix,
-  @{libexec}/gnome-session-check-accelerated-gles-helper   rix,
+  @{lib}/gnome-session-check-accelerated-gl-helper     rix,
-  @{libexec}/gnome-session-failed                          rix,
+  @{lib}/gnome-session-check-accelerated-gles-helper   rix,
-  @{libexec}/{,gnome-shell/}gnome-shell-overrides-migration.sh  rix,
+  @{lib}/gnome-session-failed                          rix,
-  @{libexec}/gsd-*                                         rPx,
+  @{lib}/gsd-*                                         rPx,
 
   # TODO: rCx gio-launch-desktop and put all the following program in this
   #       subprofile. Not done yet as it breaks compatibility with Ubuntu/Debian
-  @{libexec}/gio-launch-desktop                            rix,
+  @{lib}/gio-launch-desktop                            rix,
 
-  /{usr/,}bin/aa-notify                                    rPx,
+  @{bin}/aa-notify                                       rPx,
-  /{usr/,}bin/baloo_file                                   rPx,
+  @{bin}/baloo_file                                      rPx,
-  @{libexec}/baloo_file                                    rPx,
+  @{bin}/blueman-applet                                  rPx,
-  /{usr/,}bin/blueman-applet                               rPx,
+  @{bin}/firewall-applet                                rPUx,
-  /{usr/,}bin/firewall-applet                             rPUx,
+  @{bin}/gnome-keyring-daemon                            rPx,
-  /{usr/,}bin/gnome-keyring-daemon                         rPx,
+  @{bin}/gnome-shell                                     rPx,
-  /{usr/,}bin/gnome-shell                                  rPx,
+  @{bin}/gnome-software                                 rPUx,
-  /{usr/,}bin/gnome-software                              rPUx,
+  @{bin}/im-launch                                       rPx,
-  /{usr/,}bin/im-launch                                    rPx,
+  @{bin}/keepassxc                                       rPx,
-  /{usr/,}bin/keepassxc                                    rPx,
+  @{bin}/parcellite                                     rPUx,
-  /{usr/,}bin/parcellite                                  rPUx,
+  @{bin}/pkcs11-register                                 rPx,
-  /{usr/,}bin/pkcs11-register                              rPx,
+  @{bin}/snap                                           rPUx,
-  /{usr/,}bin/snap                                        rPUx,
+  @{bin}/snapshot-detect                                rPUx,
-  /{usr/,}bin/snapshot-detect                             rPUx,
+  @{bin}/spice-vdagent                                   rPx,
-  /{usr/,}bin/spice-vdagent                                rPx,
+  @{bin}/start-pulseaudio-x11                            rPx,
-  /{usr/,}bin/start-pulseaudio-x11                         rPx,
+  @{bin}/ubuntu-report                                   rPx,
-  /{usr/,}bin/ubuntu-report                                rPx,
+  @{bin}/update-notifier                                 rPx,
-  /{usr/,}bin/update-notifier                              rPx,
+  @{bin}/xbrlapi                                         rPx,
-  /{usr/,}bin/xbrlapi                                      rPx,
+  @{bin}/xdg-user-dirs-update                            rPx,
-  /{usr/,}bin/xdg-user-dirs-update                         rPx,
+  @{lib}/@{multiarch}/libexec/kdeconnectd               rPUx,
-  /{usr/,}lib/@{multiarch}/libexec/kdeconnectd             rPUx,
+  @{lib}/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher  rPUx,
-  /{usr/,}lib/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx,
+  @{lib}/baloo_file                                      rPx,
-  /{usr/,}lib/caribou/caribou                              rPUx,
+  @{lib}/caribou/caribou                                rPUx,
-  /{usr/,}lib/thunderbird/thunderbird                      rPx,
+  @{lib}/deja-dup/deja-dup-monitor                      rPUx,
-  /{usr/,}lib/update-notifier/ubuntu-advantage-notification rPx,
+  @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify rPx,
-  /{usr/,}lib/xapps/sn-watcher/*                           rPUx,
+  @{lib}/gsd-disk-utility-notify                         rPx,
-  /{usr/,}share/libpam-kwallet-common/pam_kwallet_init    rPUx,
+  @{lib}/thunderbird/thunderbird                         rPx,
-  @{libexec}/deja-dup/deja-dup-monitor                     rPUx,
+  @{lib}/update-notifier/ubuntu-advantage-notification   rPx,
-  @{libexec}/gsd-disk-utility-notify                       rPx,
+  @{lib}/xapps/sn-watcher/*                             rPUx,
-  @{libexec}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify rPx,
+  /{usr/,}share/libpam-kwallet-common/pam_kwallet_init  rPUx,
 
   /usr/share/dconf/profile/gdm r,
   /usr/share/gdm/greeter-dconf-defaults r,

apparmor.d/groups/gnome/gnome-session-ctl

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gnome-session-ctl
+@{exec_path} = @{lib}/gnome-session-ctl
 profile gnome-session-ctl @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>

apparmor.d/groups/gnome/gnome-shell

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-shell
+@{exec_path} = @{bin}/gnome-shell
 profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/app-launcher-user>
@@ -479,9 +479,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/Xwayland        rPx,
+  @{bin}/Xwayland         rPx,
-  @{libexec}/polkit-1/polkit* rPx,
+  @{lib}/polkit-1/polkit* rPx,
-  @{libexec}/*                rPUx,
+  @{lib}/*                rPUx,
 
   /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js rPx,
 

apparmor.d/groups/gnome/gnome-shell-calendar-server

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gnome-shell/}gnome-shell-calendar-server
+@{exec_path} = @{lib}/{,gnome-shell/}gnome-shell-calendar-server
 profile gnome-shell-calendar-server @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>

apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gnome-shell-hotplug-sniffer
+@{exec_path} = @{lib}/gnome-shell-hotplug-sniffer
 profile gnome-shell-hotplug-sniffer @{exec_path} {
   include <abstractions/base>
 

apparmor.d/groups/gnome/gnome-software

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-software
+@{exec_path} = @{bin}/gnome-software
 profile gnome-software @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
@@ -34,13 +34,13 @@ profile gnome-software @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/bwrap              rPUx,
+  @{bin}/bwrap               rPUx,
-  /{usr/,}bin/fusermount{,3}      rCx -> fusermount,
+  @{bin}/fusermount{,3}      rCx -> fusermount,
-  /{usr/,}bin/gpg{,2}             rCx -> gpg,
+  @{bin}/gpg{,2}             rCx -> gpg,
-  /{usr/,}bin/gpgconf             rCx -> gpg,
+  @{bin}/gpgconf             rCx -> gpg,
-  /{usr/,}bin/gpgsm               rCx -> gpg,
+  @{bin}/gpgsm               rCx -> gpg,
-  /{usr/,}lib/gio-launch-desktop  rPx -> child-open,
+  @{lib}/gio-launch-desktop  rPx -> child-open,
-  /{usr/,}lib/revokefs-fuse       rix,
+  @{lib}/revokefs-fuse       rix,
 
   /usr/share/app-info/{,**} r,
   /usr/share/appdata/{,**} r,
@@ -110,9 +110,9 @@ profile gnome-software @{exec_path} {
   profile gpg {
     include <abstractions/base>
 
-    /{usr/,}bin/gpg{,2}  mr,
+    @{bin}/gpg{,2}  mr,
-    /{usr/,}bin/gpgconf  mr,
+    @{bin}/gpgconf  mr,
-    /{usr/,}bin/gpgsm    mr,
+    @{bin}/gpgsm    mr,
 
     @{HOME}/@{XDG_GPG_DIR}/*.conf r,
 
@@ -130,7 +130,7 @@ profile gnome-software @{exec_path} {
     mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
     umount /var/tmp/flatpak-cache-*/*/,
 
-    /{usr/,}bin/fusermount{,3} mr,
+    @{bin}/fusermount{,3} mr,
 
     /etc/fuse.conf r,
 

apparmor.d/groups/gnome/gnome-system-monitor

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-system-monitor
+@{exec_path} = @{bin}/gnome-system-monitor
 profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
@@ -26,7 +26,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/pkexec rPx,
+  @{bin}/pkexec rPx,
 
   /usr/share/gnome-system-monitor/{,**} r,
 

apparmor.d/groups/gnome/gnome-terminal-server

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gnome-terminal-server
+@{exec_path} = @{lib}/gnome-terminal-server
 profile gnome-terminal-server @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -26,16 +26,16 @@ profile gnome-terminal-server @{exec_path} {
   @{exec_path} mr,
 
   # The shell is not confined on purpose.
-  /{usr/,}bin/{,b,d,rb}ash         rUx,
+  @{bin}/{,b,d,rb}ash         rUx,
-  /{usr/,}bin/{c,k,tc,z}sh         rUx,
+  @{bin}/{c,k,tc,z}sh         rUx,
 
   # Some CLI program can be launched directly from Gnome Shell
-  /{usr/,}bin/htop                 rPx,
+  @{bin}/htop                 rPx,
-  /{usr/,}bin/micro               rPUx,
+  @{bin}/micro               rPUx,
-  /{usr/,}bin/nvtop                rPx,
+  @{bin}/nvtop                rPx,
 
-  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
-  /{usr/,}lib/gio-launch-desktop                          rPx -> child-open,
+  @{lib}/gio-launch-desktop                          rPx -> child-open,
 
   /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
   /usr/share/X11/xkb/{,**} r,

apparmor.d/groups/gnome/gnome-tweaks

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/gnome-tweaks
+@{exec_path} = @{bin}/gnome-tweaks
 profile gnome-tweaks @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio>
@@ -17,11 +17,11 @@ profile gnome-tweaks @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/ r,
+  @{bin}/ r,
-  /{usr/,}bin/ps rPx,
+  @{bin}/ps rPx,
-  /{usr/,}bin/python3.[0-9]* rix,
+  @{bin}/python3.[0-9]* rix,
 
-  /{usr/,}lib/python3.[0-9]*/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w,
+  @{lib}/python3.[0-9]*/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/gnome-tweaks/{,**} r,

apparmor.d/groups/gnome/goa-daemon

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/goa-daemon
+@{exec_path} = @{lib}/goa-daemon
 profile goa-daemon @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-network-manager-strict>

apparmor.d/groups/gnome/goa-identity-service

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/goa-identity-service
+@{exec_path} = @{lib}/goa-identity-service
 profile goa-identity-service @{exec_path} {
   include <abstractions/base>
   include <abstractions/authentication>

apparmor.d/groups/gnome/gsd-a11y-settings

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-a11y-settings
+@{exec_path} = @{lib}/gsd-a11y-settings
 profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>

apparmor.d/groups/gnome/gsd-color

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-color
+@{exec_path} = @{lib}/gsd-color
 profile gsd-color @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-accessibility-strict>

apparmor.d/groups/gnome/gsd-datetime

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-datetime
+@{exec_path} = @{lib}/gsd-datetime
 profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>

apparmor.d/groups/gnome/gsd-disk-utility-notify

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-disk-utility-notify
+@{exec_path} = @{lib}/gsd-disk-utility-notify
 profile gsd-disk-utility-notify @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>

apparmor.d/groups/gnome/gsd-housekeeping

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-housekeeping
+@{exec_path} = @{lib}/gsd-housekeeping
 profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/app-launcher-user>

apparmor.d/groups/gnome/gsd-keyboard

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-keyboard
+@{exec_path} = @{lib}/gsd-keyboard
 profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-accessibility-strict>

apparmor.d/groups/gnome/gsd-media-keys

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-media-keys
+@{exec_path} = @{lib}/gsd-media-keys
 profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio>
@@ -159,8 +159,8 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
+  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
-  /{usr/,}lib/gio-launch-desktop                           rPx -> child-open,
+  @{lib}/gio-launch-desktop                           rPx -> child-open,
 
   /usr/share/dconf/profile/gdm r,
   /usr/share/gdm/greeter-dconf-defaults r,

apparmor.d/groups/gnome/gsd-power

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-power
+@{exec_path} = @{lib}/gsd-power
 profile gsd-power @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio>

apparmor.d/groups/gnome/gsd-print-notifications

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-print-notifications
+@{exec_path} = @{lib}/gsd-print-notifications
 profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
@@ -77,7 +77,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
        name=org.gnome.SettingsDaemon.PrintNotifications,
 
   @{exec_path} mr,
-  @{libexec}/gsd-printer rPx,
+  @{lib}/gsd-printer rPx,
 
   /etc/machine-id r,
   /etc/cups/client.conf r,

apparmor.d/groups/gnome/gsd-printer

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-printer
+@{exec_path} = @{lib}/gsd-printer
 profile gsd-printer @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>

apparmor.d/groups/gnome/gsd-rfkill

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-rfkill
+@{exec_path} = @{lib}/gsd-rfkill
 profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>

apparmor.d/groups/gnome/gsd-screensaver-proxy

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-screensaver-proxy
+@{exec_path} = @{lib}/gsd-screensaver-proxy
 profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>

apparmor.d/groups/gnome/gsd-sharing

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-sharing
+@{exec_path} = @{lib}/gsd-sharing
 profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-network-manager-strict>

apparmor.d/groups/gnome/gsd-smartcard

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-smartcard
+@{exec_path} = @{lib}/gsd-smartcard
 profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>

apparmor.d/groups/gnome/gsd-sound

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-sound
+@{exec_path} = @{lib}/gsd-sound
 profile gsd-sound @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio>

apparmor.d/groups/gnome/gsd-usb-protection

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-usb-protection
+@{exec_path} = @{lib}/gsd-usb-protection
 profile gsd-usb-protection @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>

apparmor.d/groups/gnome/gsd-wacom

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-wacom
+@{exec_path} = @{lib}/gsd-wacom
 profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-accessibility-strict>

apparmor.d/groups/gnome/gsd-xsettings

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/gsd-xsettings
+@{exec_path} = @{lib}/gsd-xsettings
 profile gsd-xsettings @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-accessibility-strict>
@@ -118,16 +118,16 @@ profile gsd-xsettings @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/cat                   rix,
+  @{bin}/cat                   rix,
-  /{usr/,}bin/which{,.debianutils}  rix,
+  @{bin}/which{,.debianutils}  rix,
 
-  @{libexec}/ibus-x11        rPx,
+  @{bin}/busctl         rPx,
-  /{usr/,}bin/busctl         rPx,
+  @{bin}/pactl          rPx,
-  /{usr/,}bin/pactl          rPx,
+  @{bin}/run-parts      rCx -> run-parts,
-  /{usr/,}bin/run-parts      rCx -> run-parts,
+  @{bin}/xprop          rPx,
-  /{usr/,}bin/xprop          rPx,
+  @{bin}/xrdb           rPx,
-  /{usr/,}bin/xrdb           rPx,
+  @{lib}/ibus-x11       rPx,
-  /{usr/,}lib/ibus/ibus-x11  rPx,
+  @{lib}/ibus/ibus-x11  rPx,
 
   /usr/share/dconf/profile/gdm r,
   /usr/share/gdm/greeter-dconf-defaults r,
@@ -155,7 +155,7 @@ profile gsd-xsettings @{exec_path} {
   profile run-parts {
     include <abstractions/base>
 
-    /{usr/,}bin/run-parts mr,
+    @{bin}/run-parts mr,
 
     /etc/X11/Xresources/ r,
 

apparmor.d/groups/gnome/kgx

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/kgx
+@{exec_path} = @{bin}/kgx
 profile kgx @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -26,16 +26,16 @@ profile kgx @{exec_path} {
   @{exec_path} mr,
 
   # The shell is not confined on purpose.
-  /{usr/,}bin/{,b,d,rb}ash         rUx,
+  @{bin}/{,b,d,rb}ash         rUx,
-  /{usr/,}bin/{c,k,tc,z}sh         rUx,
+  @{bin}/{c,k,tc,z}sh         rUx,
 
   # Some CLI program can be launched directly from Gnome Shell
-  /{usr/,}bin/htop                 rPx,
+  @{bin}/htop                 rPx,
-  /{usr/,}bin/micro               rPUx,
+  @{bin}/micro               rPUx,
-  /{usr/,}bin/nvtop                rPx,
+  @{bin}/nvtop                rPx,
 
-  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
-  /{usr/,}lib/gio-launch-desktop                          rPx -> child-open,
+  @{lib}/gio-launch-desktop                          rPx -> child-open,
 
   /usr/share/themes/{,**} r,
   /usr/share/X11/xkb/{,**} r,

apparmor.d/groups/gnome/mutter-x11-frames

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/mutter-x11-frames
+@{exec_path} = @{lib}/mutter-x11-frames
 profile mutter-x11-frames @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>

apparmor.d/groups/gnome/nautilus

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/nautilus
+@{exec_path} = @{bin}/nautilus
 profile nautilus @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
@@ -42,12 +42,12 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh          rix,
+  @{bin}/{,ba,da}sh          rix,
-  /{usr/,}bin/bwrap              rPUx,
+  @{bin}/bwrap              rPUx,
-  /{usr/,}bin/firejail           rPUx,
+  @{bin}/firejail           rPUx,
-  /{usr/,}bin/net                rPUx,
+  @{bin}/net                rPUx,
-  /{usr/,}bin/tracker3           rPUx,
+  @{bin}/tracker3           rPUx,
-  /{usr/,}lib/gio-launch-desktop  rPx -> child-open,
+  @{lib}/gio-launch-desktop  rPx -> child-open,
 
   /usr/share/*ubuntu/applications/{,**} r,
   /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
@@ -65,8 +65,8 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   # Full access to user's data
   / r,
   /*/ r,
-  /{usr/,}bin/ r,
+  @{bin}/ r,
-  @{libexec}/ r,
+  @{lib}/ r,
   @{MOUNTDIRS}/ r,
   @{MOUNTS}/ r,
   @{MOUNTS}/** rw,

apparmor.d/groups/gnome/seahorse

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/seahorse
+@{exec_path} = @{bin}/seahorse
 profile seahorse @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
@@ -38,9 +38,9 @@ profile seahorse @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/gpgconf  rPx,
+  @{bin}/gpgconf  rPx,
-  /{usr/,}bin/gpg{,2}  rPx,
+  @{bin}/gpg{,2}  rPx,
-  /{usr/,}bin/gpgsm    rPx,
+  @{bin}/gpgsm    rPx,
 
   # freedesktop.org-strict
   /usr/share/glib-2.0/schemas/gschemas.compiled r,

apparmor.d/groups/gnome/tracker-extract

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/tracker-extract-3
+@{exec_path} = @{lib}/tracker-extract-3
 profile tracker-extract @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>

apparmor.d/groups/gnome/tracker-miner

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/tracker-miner-fs-{,control-}3
+@{exec_path} = @{lib}/tracker-miner-fs-{,control-}3
 profile tracker-miner @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>

apparmor.d/groups/grub/grub-bios-setup

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/grub-bios-setup
+@{exec_path} = @{bin}/grub-bios-setup
 profile grub-bios-setup @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-check-signatures

@@ -13,10 +13,10 @@ profile grub-check-signatures @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh   rix,
+  @{bin}/{,ba,da}sh   rix,
-  /{usr/,}bin/{m,g,}awk    rix,
+  @{bin}/{m,g,}awk    rix,
-  /{usr/,}bin//mktemp      rix,
+  @{bin}//mktemp      rix,
-  /{usr/,}bin//od          rix,
+  @{bin}//od          rix,
 
   /usr/share/debconf/frontend rPx,
 

apparmor.d/groups/grub/grub-editenv

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-editenv
+@{exec_path} = @{bin}/grub-editenv
 profile grub-editenv @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-file

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-file
+@{exec_path} = @{bin}/grub-file
 profile grub-file @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-fstest

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-fstest
+@{exec_path} = @{bin}/grub-fstest
 profile grub-fstest @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-glue-efi

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-glue-efi
+@{exec_path} = @{bin}/grub-glue-efi
 profile grub-glue-efi @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-install

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/grub-install
+@{exec_path} = @{bin}/grub-install
 profile grub-install @{exec_path} flags=(complain) {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -18,11 +18,11 @@ profile grub-install @{exec_path} flags=(complain) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh        rix,
+  @{bin}/{,ba,da}sh        rix,
-  /{usr/,}bin/efibootmgr        rix,
+  @{bin}/efibootmgr        rix,
-  /{usr/,}bin/kmod              rPx,
+  @{bin}/kmod              rPx,
-  /{usr/,}bin/lsb_release       rPx -> lsb_release,
+  @{bin}/lsb_release       rPx -> lsb_release,
-  /{usr/,}bin/udevadm           rPx,
+  @{bin}/udevadm           rPx,
 
   /usr/share/grub/{,**} r,
 

apparmor.d/groups/grub/grub-kbdcomp

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-kbdcomp
+@{exec_path} = @{bin}/grub-kbdcomp
 profile grub-kbdcomp @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-macbless

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/grub-macbless
+@{exec_path} = @{bin}/grub-macbless
 profile grub-macbless @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-menulst2cfg

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-menulst2cfg
+@{exec_path} = @{bin}/grub-menulst2cfg
 profile grub-menulst2cfg @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-mkconfig

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/grub-mkconfig
+@{exec_path} = @{bin}/grub-mkconfig
 profile grub-mkconfig @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -19,44 +19,44 @@ profile grub-mkconfig @{exec_path} {
 
   /{usr/,}{local/,}{s,}bin/zfs     rPx,
   /{usr/,}{local/,}{s,}bin/zpool   rPx,
-  /{usr/,}{s,}bin/dmsetup          rPUx,
+  @{bin}/dmsetup             rPUx,
-  /{usr/,}{s,}bin/grub-probe       rPx,
+  @{bin}/grub-probe           rPx,
-  /{usr/,}bin/{,ba,da}sh           rix,
+  @{bin}/{,ba,da}sh           rix,
-  /{usr/,}bin/{e,f,}grep           rix,
+  @{bin}/{e,f,}grep           rix,
-  /{usr/,}bin/{m,g,}awk            rix,
+  @{bin}/{m,g,}awk            rix,
-  /{usr/,}bin/basename             rix,
+  @{bin}/basename             rix,
-  /{usr/,}bin/btrfs                rPx,
+  @{bin}/btrfs                rPx,
-  /{usr/,}bin/cat                  rix,
+  @{bin}/cat                  rix,
-  /{usr/,}bin/chmod                rix,
+  @{bin}/chmod                rix,
-  /{usr/,}bin/cut                  rix,
+  @{bin}/cut                  rix,
-  /{usr/,}bin/date                 rix,
+  @{bin}/date                 rix,
-  /{usr/,}bin/dirname              rix,
+  @{bin}/dirname              rix,
-  /{usr/,}bin/dpkg                 rPx,
+  @{bin}/dpkg                 rPx,
-  /{usr/,}bin/find                 rix,
+  @{bin}/find                 rix,
-  /{usr/,}bin/findmnt              rPx,
+  @{bin}/findmnt              rPx,
-  /{usr/,}bin/gettext              rix,
+  @{bin}/gettext              rix,
-  /{usr/,}bin/grub-mkrelpath       rPx,
+  @{bin}/grub-mkrelpath       rPx,
-  /{usr/,}bin/grub-script-check    rPx,
+  @{bin}/grub-script-check    rPx,
-  /{usr/,}bin/head                 rix,
+  @{bin}/head                 rix,
-  /{usr/,}bin/id                   rPx,
+  @{bin}/id                   rPx,
-  /{usr/,}bin/ls                   rix,
+  @{bin}/ls                   rix,
-  /{usr/,}bin/lsb_release          rPx -> lsb_release,
+  @{bin}/lsb_release          rPx -> lsb_release,
-  /{usr/,}bin/mktemp               rix,
+  @{bin}/mktemp               rix,
-  /{usr/,}bin/mount                rPx,
+  @{bin}/mount                rPx,
-  /{usr/,}bin/mountpoint           rix,
+  @{bin}/mountpoint           rix,
-  /{usr/,}bin/os-prober            rPx,
+  @{bin}/os-prober            rPx,
-  /{usr/,}bin/paste                rix,
+  @{bin}/paste                rix,
-  /{usr/,}bin/readlink             rix,
+  @{bin}/readlink             rix,
-  /{usr/,}bin/rm                   rix,
+  @{bin}/rm                   rix,
-  /{usr/,}bin/rmdir                rix,
+  @{bin}/rmdir                rix,
-  /{usr/,}bin/sed                  rix,
+  @{bin}/sed                  rix,
-  /{usr/,}bin/sort                 rix,
+  @{bin}/sort                 rix,
-  /{usr/,}bin/stat                 rix,
+  @{bin}/stat                 rix,
-  /{usr/,}bin/tail                 rix,
+  @{bin}/tail                 rix,
-  /{usr/,}bin/tr                   rix,
+  @{bin}/tr                   rix,
-  /{usr/,}bin/umount               rPx,
+  @{bin}/umount               rPx,
-  /{usr/,}bin/uname                rix,
+  @{bin}/uname                rix,
-  /{usr/,}bin/which{.debianutils,} rix,
+  @{bin}/which{.debianutils,} rix,
   /etc/grub.d/{**,}                rix,
 
   /boot/{**,} r,

apparmor.d/groups/grub/grub-mkdevicemap

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/grub-mkdevicemap
+@{exec_path} = @{bin}/grub-mkdevicemap
 profile grub-mkdevicemap @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-mkfont

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-mkfont
+@{exec_path} = @{bin}/grub-mkfont
 profile grub-mkfont @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-mkimage

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-mkimage
+@{exec_path} = @{bin}/grub-mkimage
 profile grub-mkimage @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-mklayout

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-mklayout
+@{exec_path} = @{bin}/grub-mklayout
 profile grub-mklayout @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-mknetdir

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-mknetdir
+@{exec_path} = @{bin}/grub-mknetdir
 profile grub-mknetdir @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-mkpasswd-pbkdf2

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-mkpasswd-pbkdf2
+@{exec_path} = @{bin}/grub-mkpasswd-pbkdf2
 profile grub-mkpasswd-pbkdf2 @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-mkrelpath

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/grub-mkrelpath
+@{exec_path} = @{bin}/grub-mkrelpath
 profile grub-mkrelpath @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-mkrescue

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-mkrescue
+@{exec_path} = @{bin}/grub-mkrescue
 profile grub-mkrescue @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-mkstandalone

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-mkstandalone
+@{exec_path} = @{bin}/grub-mkstandalone
 profile grub-mkstandalone @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-mount

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-mount
+@{exec_path} = @{bin}/grub-mount
 profile grub-mount @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-multi-install

@@ -6,23 +6,23 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/grub/grub-multi-install
+@{exec_path} = @{lib}/grub/grub-multi-install
 profile grub-multi-install @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
 
   @{exec_path} mr,
 
-  /{usr/,}{s,}bin/grub-install   rPx,
+  @{bin}/grub-install       rPx,
-  /{usr/,}bin/{,ba,da}sh         rix,
+  @{bin}/{,ba,da}sh         rix,
-  /{usr/,}bin/{,e}grep           rix,
+  @{bin}/{,e}grep           rix,
-  /{usr/,}bin/cat                rix,
+  @{bin}/cat                rix,
-  /{usr/,}bin/dpkg-query         rpx,
+  @{bin}/dpkg-query         rpx,
-  /{usr/,}bin/readlink           rix,
+  @{bin}/readlink           rix,
-  /{usr/,}bin/sed                rix,
+  @{bin}/sed                rix,
-  /{usr/,}bin/sort               rix,
+  @{bin}/sort               rix,
-  /{usr/,}bin/touch              rix,
+  @{bin}/touch              rix,
-  /{usr/,}bin/udevadm            rPx,
+  @{bin}/udevadm            rPx,
   /usr/share/debconf/frontend    rPx,
 
   /usr/lib/terminfo/x/xterm-256color r,

apparmor.d/groups/grub/grub-ntldr-img

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-ntldr-img
+@{exec_path} = @{bin}/grub-ntldr-img
 profile grub-ntldr-img @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-probe

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/grub-probe
+@{exec_path} = @{bin}/grub-probe
 profile grub-probe @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -18,9 +18,9 @@ profile grub-probe @{exec_path} {
   @{exec_path} mr,
 
   /{usr/,}{local/,}{s,}bin/zpool rPx,
-  /{usr/,}{s,}bin/lvm            rPx,
+  @{bin}/lvm            rPx,
-  /{usr/,}bin/lsb_release        rPx -> lsb_release,
+  @{bin}/lsb_release        rPx -> lsb_release,
-  /{usr/,}bin/udevadm            rPx,
+  @{bin}/udevadm            rPx,
 
   / r,
   /usr/share/grub/* r,

apparmor.d/groups/grub/grub-reboot

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/grub-reboot
+@{exec_path} = @{bin}/grub-reboot
 profile grub-reboot @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-render-label

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-render-label
+@{exec_path} = @{bin}/grub-render-label
 profile grub-render-label @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-script-check

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-script-check
+@{exec_path} = @{bin}/grub-script-check
 profile grub-script-check @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-set-default

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/grub-set-default
+@{exec_path} = @{bin}/grub-set-default
 profile grub-set-default @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/grub-syslinux2cfg

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/grub-syslinux2cfg
+@{exec_path} = @{bin}/grub-syslinux2cfg
 profile grub-syslinux2cfg @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/grub/update-grub

@@ -6,14 +6,14 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}{s,}bin/update-grub{2,}
+@{exec_path} = @{bin}/update-grub{2,}
 profile update-grub @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
 
   @{exec_path} mr,
-  /{usr/,}bin/{,ba,da}sh rix,
+  @{bin}/{,ba,da}sh rix,
-  /{usr/,}{s,}bin/grub-mkconfig rPx,
+  @{bin}/grub-mkconfig rPx,
 
   include if exists <local/update-grub>
 }

apparmor.d/groups/gvfs/gvfs-afc-volume-monitor

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{libexec}/{,gvfs/}gvfs-afc-volume-monitor
+@{exec_path} = @{lib}/{,gvfs/}gvfs-afc-volume-monitor
 profile gvfs-afc-volume-monitor @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>