From 2eed3b725f6458141363b9a8b2a5b65c350d8eb7 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 9 Jul 2023 13:30:27 +0100 Subject: [PATCH] refactor(profiles): use @{bin} and @{lib} in profiles (2) --- apparmor.d/groups/bus/dbus-daemon | 30 +++--- .../groups/bus/dbus-daemon-launch-helper | 12 +-- apparmor.d/groups/bus/dbus-run-session | 12 +-- apparmor.d/groups/bus/ibus-daemon | 8 +- apparmor.d/groups/bus/ibus-dconf | 4 +- apparmor.d/groups/bus/ibus-engine-simple | 4 +- apparmor.d/groups/bus/ibus-engine-table | 2 +- apparmor.d/groups/bus/ibus-extension-gtk3 | 4 +- apparmor.d/groups/bus/ibus-memconf | 2 +- apparmor.d/groups/bus/ibus-portal | 8 +- apparmor.d/groups/bus/ibus-x11 | 4 +- apparmor.d/groups/children/child-dpkg | 10 +- apparmor.d/groups/children/child-dpkg-divert | 4 +- apparmor.d/groups/children/child-open | 94 +++++++++---------- apparmor.d/groups/children/child-pager | 10 +- apparmor.d/groups/children/child-systemctl | 4 +- apparmor.d/groups/cron/cron | 14 +-- apparmor.d/groups/cron/cron-anacron | 8 +- apparmor.d/groups/cron/cron-apport | 6 +- apparmor.d/groups/cron/cron-apt | 62 ++++++------ apparmor.d/groups/cron/cron-apt-compat | 18 ++-- apparmor.d/groups/cron/cron-apt-listbugs | 18 ++-- apparmor.d/groups/cron/cron-apt-show-versions | 4 +- apparmor.d/groups/cron/cron-apt-xapian-index | 16 ++-- apparmor.d/groups/cron/cron-aptitude | 22 ++--- apparmor.d/groups/cron/cron-cracklib | 6 +- apparmor.d/groups/cron/cron-debsums | 18 ++-- apparmor.d/groups/cron/cron-debtags | 2 +- apparmor.d/groups/cron/cron-dlocate | 4 +- apparmor.d/groups/cron/cron-etckeeper | 8 +- apparmor.d/groups/cron/cron-exim4-base | 26 ++--- .../groups/cron/cron-ipset-autoban-save | 4 +- apparmor.d/groups/cron/cron-logrotate | 6 +- apparmor.d/groups/cron/cron-man-db | 12 +-- apparmor.d/groups/cron/cron-mlocate | 18 ++-- apparmor.d/groups/cron/cron-plocate | 18 ++-- .../groups/cron/cron-popularity-contest | 64 ++++++------- apparmor.d/groups/cron/cron-sysstat | 4 +- apparmor.d/groups/cron/crontab | 16 ++-- 
apparmor.d/groups/freedesktop/accounts-daemon | 14 +-- .../groups/freedesktop/at-spi-bus-launcher | 6 +- .../groups/freedesktop/at-spi2-registryd | 2 +- apparmor.d/groups/freedesktop/colord | 6 +- apparmor.d/groups/freedesktop/colord-sane | 2 +- apparmor.d/groups/freedesktop/colord-session | 2 +- apparmor.d/groups/freedesktop/cpupower | 10 +- apparmor.d/groups/freedesktop/dconf | 2 +- apparmor.d/groups/freedesktop/dconf-editor | 2 +- apparmor.d/groups/freedesktop/dconf-service | 2 +- .../groups/freedesktop/desktop-file-install | 2 +- apparmor.d/groups/freedesktop/fc-list | 2 +- apparmor.d/groups/freedesktop/geoclue | 2 +- apparmor.d/groups/freedesktop/pipewire | 6 +- .../groups/freedesktop/pipewire-media-session | 2 +- apparmor.d/groups/freedesktop/pipewire-pulse | 4 +- apparmor.d/groups/freedesktop/plymouth | 2 +- .../freedesktop/plymouth-set-default-theme | 10 +- apparmor.d/groups/freedesktop/plymouthd | 2 +- .../groups/freedesktop/polkit-agent-helper | 4 +- .../polkit-kde-authentication-agent | 6 +- .../polkit-mate-authentication-agent | 4 +- apparmor.d/groups/freedesktop/polkitd | 2 +- apparmor.d/groups/freedesktop/pulseaudio | 8 +- .../freedesktop/update-desktop-database | 2 +- .../groups/freedesktop/update-mime-database | 2 +- apparmor.d/groups/freedesktop/upower | 2 +- apparmor.d/groups/freedesktop/upowerd | 2 +- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 2 +- .../groups/freedesktop/xdg-desktop-icon | 2 +- .../groups/freedesktop/xdg-desktop-menu | 32 +++---- .../groups/freedesktop/xdg-desktop-portal | 16 ++-- .../freedesktop/xdg-desktop-portal-gnome | 2 +- .../groups/freedesktop/xdg-desktop-portal-gtk | 2 +- .../groups/freedesktop/xdg-desktop-portal-kde | 2 +- .../groups/freedesktop/xdg-document-portal | 10 +- apparmor.d/groups/freedesktop/xdg-email | 18 ++-- .../groups/freedesktop/xdg-icon-resource | 24 ++--- apparmor.d/groups/freedesktop/xdg-mime | 48 +++++----- apparmor.d/groups/freedesktop/xdg-open | 36 +++---- 
.../groups/freedesktop/xdg-permission-store | 2 +- apparmor.d/groups/freedesktop/xdg-screensaver | 30 +++--- apparmor.d/groups/freedesktop/xdg-settings | 42 ++++----- apparmor.d/groups/freedesktop/xdg-user-dir | 6 +- .../freedesktop/xdg-user-dirs-gtk-update | 2 +- .../groups/freedesktop/xdg-user-dirs-update | 2 +- apparmor.d/groups/freedesktop/xhost | 2 +- apparmor.d/groups/freedesktop/xkbcomp | 2 +- apparmor.d/groups/freedesktop/xorg | 20 ++-- apparmor.d/groups/freedesktop/xprop | 2 +- apparmor.d/groups/freedesktop/xrandr | 2 +- apparmor.d/groups/freedesktop/xrdb | 12 +-- apparmor.d/groups/freedesktop/xset | 2 +- apparmor.d/groups/freedesktop/xsetroot | 2 +- apparmor.d/groups/freedesktop/xwayland | 6 +- apparmor.d/groups/gpg/dirmngr | 2 +- apparmor.d/groups/gpg/gpg | 14 +-- apparmor.d/groups/gpg/gpg-agent | 10 +- apparmor.d/groups/gpg/gpg-connect-agent | 4 +- apparmor.d/groups/gpg/gpgconf | 16 ++-- apparmor.d/groups/gpg/gpgsm | 2 +- apparmor.d/groups/gpg/scdaemon | 2 +- 101 files changed, 538 insertions(+), 538 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index 8e59372c..4e0d7e80 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/dbus-daemon +@{exec_path} = @{bin}/dbus-daemon profile dbus-daemon @{exec_path} flags=(attach_disconnected) { include include 
@@ -38,21 +38,21 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /{usr/,}bin/ r,
- @{libexec}/{,at-spi2{,-core}/}at-spi2-registryd rPx,
- @{libexec}/* rPUx,
- @{libexec}/gnome-shell/gnome-shell-calendar-server rPx,
- @{libexec}/kauth/* rPx,
- @{libexec}/kf5/kiod5 rPUx,
- @{libexec}/xfce[0-9]/xfconf/xfconfd rPx,
- /{usr/,}bin/[a-z0-9]* rPUx,
- /{usr/,}lib{,exec}/dbus-1*/dbus-daemon-launch-helper rPx,
- /{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx,
- /{usr/,}lib/@{multiarch}/xfce[0-9]/xfconf/xfconfd rPx,
- /{usr/,}lib/atril/atrild rPx,
- /{usr/,}lib/ibus/ibus-* rPx,
- /{usr/,}lib/telepathy/mission-control-5 rPx,
+ @{bin}/[a-z0-9]* rPUx,
+ @{lib}/{,at-spi2{,-core}/}at-spi2-registryd rPx,
+ @{lib}/@{multiarch}/tumbler-1/tumblerd rPUx,
+ @{lib}/@{multiarch}/xfce[0-9]/xfconf/xfconfd rPx,
+ @{lib}/* rPUx,
+ @{lib}/atril/atrild rPx,
+ @{lib}/dbus-1*/dbus-daemon-launch-helper rPx,
+ @{lib}/gnome-shell/gnome-shell-calendar-server rPx,
+ @{lib}/ibus/ibus-* rPx,
+ @{lib}/kauth/* rPx,
+ @{lib}/kf5/kiod5 rPUx,
+ @{lib}/telepathy/mission-control-5 rPx,
+ @{lib}/xfce[0-9]/xfconf/xfconfd rPx,
 /usr/share/gnome-documents/org.gnome.Documents rPx,
 /usr/share/org.gnome.Characters/org.gnome.Characters rPx,
 /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
diff --git a/apparmor.d/groups/bus/dbus-daemon-launch-helper b/apparmor.d/groups/bus/dbus-daemon-launch-helper
index 607a3678..66863855 100644
--- a/apparmor.d/groups/bus/dbus-daemon-launch-helper
+++ b/apparmor.d/groups/bus/dbus-daemon-launch-helper
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib{,exec}/dbus-1*/dbus-daemon-launch-helper
+@{exec_path} = @{lib}/dbus-1*/dbus-daemon-launch-helper
 profile dbus-daemon-launch-helper @{exec_path} {
 include
 include
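Review bot: `@{lib}/* rPUx` in the dbus-daemon hunk is not a pure rename of `@{libexec}/* rPUx`: judging by the rewrites of `/{usr/,}lib{,32,64}/firefox…` and `/{usr/,}lib/ibus/…` to `@{lib}/…` elsewhere in this patch, `@{lib}` expands to at least `/{usr/,}lib{,exec,32,64}/`, so every file directly under `/usr/lib/`, `/lib/`, `/usr/lib32/` and `/usr/lib64/` now becomes executable by dbus-daemon with an unconfined fallback, where before only the libexec directory was. The same applies to `@{bin}/[a-z0-9]* rPUx`, which gains sbin if `@{bin}` covers `{s,}bin` as the `/{usr/,}{s,}bin/cron` rewrite suggests. If the wider catch-all is intended, a comment such as `# Catch-all activation rules: @{lib}/* and @{bin}/* cover far more than the old libexec/bin paths` above them would keep the next reader from treating this as a cosmetic change; otherwise keep the catch-all on the literal former path, e.g. `/{usr/,}libexec/* rPUx,`, and list the new `@{lib}` entries individually. The enclosing profile body continues outside the hunk.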
@@ -18,11 +18,11 @@ profile dbus-daemon-launch-helper @{exec_path} { @{exec_path} mr, - @{libexec}/{,cups-pk-helper/}cups-pk-helper-mechanism rPx, - @{libexec}/kauth/* rPx, - @{libexec}/language-selector/ls-dbus-backend rPx, - /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism rPx, - /{usr/,}lib/software-properties/software-properties-dbus rPx, + @{lib}/{,cups-pk-helper/}cups-pk-helper-mechanism rPx, + @{lib}/@{multiarch}/cups-pk-helper-mechanism rPx, + @{lib}/kauth/* rPx, + @{lib}/language-selector/ls-dbus-backend rPx, + @{lib}/software-properties/software-properties-dbus rPx, /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx, /usr/share/usb-creator/usb-creator-helper rPx, diff --git a/apparmor.d/groups/bus/dbus-run-session b/apparmor.d/groups/bus/dbus-run-session index 775bd492..df7db5d8 100644 --- a/apparmor.d/groups/bus/dbus-run-session +++ b/apparmor.d/groups/bus/dbus-run-session @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/dbus-run-session +@{exec_path} = @{bin}/dbus-run-session profile dbus-run-session @{exec_path} { include include @@ -16,11 +16,11 @@ profile dbus-run-session @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dbus-daemon rPx, - /{usr/,}bin/gnome-session rix, - /{usr/,}bin/gnome-shell rPx, - /{usr/,}bin/gsettings rPx, - @{libexec}/gnome-session-binary rPx, + @{bin}/dbus-daemon rPx, + @{bin}/gnome-session rix, + @{bin}/gnome-shell rPx, + @{bin}/gsettings rPx, + @{lib}/gnome-session-binary rPx, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gdm/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index e27136d4..593ac6d4 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/ibus-daemon +@{exec_path} = @{bin}/ibus-daemon profile ibus-daemon @{exec_path} flags=(attach_disconnected) { include include 
@@ -45,9 +45,9 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}lib/ibus/ibus-* rPx, - @{libexec}/ibus-* rPx, + @{bin}/{,ba,da}sh rix, + @{lib}/ibus/ibus-* rPx, + @{lib}/ibus-* rPx, /usr/share/ibus/{,**} r, /usr/share/ibus-table/tables/ r, diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 8daaaf97..5cf0a452 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -6,8 +6,8 @@ abi , include -@{exec_path} = /{usr/,}lib/ibus/ibus-dconf -@{exec_path} += @{libexec}/ibus-dconf +@{exec_path} = @{lib}/ibus/ibus-dconf +@{exec_path} += @{lib}/ibus-dconf profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index e34cce53..1a038d1b 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -6,8 +6,8 @@ abi , include -@{exec_path} = /{usr/,}lib/ibus/ibus-engine-simple -@{exec_path} += @{libexec}/ibus-engine-simple +@{exec_path} = @{lib}/ibus/ibus-engine-simple +@{exec_path} += @{lib}/ibus-engine-simple profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/bus/ibus-engine-table b/apparmor.d/groups/bus/ibus-engine-table index 395f89f9..eb369637 100644 --- a/apparmor.d/groups/bus/ibus-engine-table +++ b/apparmor.d/groups/bus/ibus-engine-table @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{libexec}/ibus-engine-table +@{exec_path} = @{lib}/ibus-engine-table profile ibus-engine-table @{exec_path} { include include diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 8000f6c4..079b3364 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 
@@ -6,8 +6,8 @@ abi , include -@{exec_path} = /{usr/,}lib/ibus/ibus-extension-gtk3 -@{exec_path} += @{libexec}/ibus-extension-gtk3 +@{exec_path} = @{lib}/ibus/ibus-extension-gtk3 +@{exec_path} += @{lib}/ibus-extension-gtk3 profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index 74283f55..794e9ad2 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{libexec}/ibus-memconf +@{exec_path} = @{lib}/ibus-memconf profile ibus-memconf @{exec_path} { include include diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 1e87044b..6f3ef69f 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -6,8 +6,8 @@ abi , include -@{exec_path} = /{usr/,}lib/ibus/ibus-portal -@{exec_path} += @{libexec}/ibus-portal +@{exec_path} = @{lib}/ibus/ibus-portal +@{exec_path} += @{lib}/ibus-portal profile ibus-portal @{exec_path} flags=(attach_disconnected) { include include @@ -29,8 +29,8 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}lib/gio/modules/{,*} r, - /{usr/,}lib/locale/locale-archive r, + @{lib}/gio/modules/{,*} r, + @{lib}/locale/locale-archive r, /usr/share/locale/locale.alias r, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index f3f8064d..0b17454e 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -6,8 +6,8 @@ abi , include -@{exec_path} = /{usr/,}lib/ibus/ibus-x11 -@{exec_path} += @{libexec}/ibus-x11 +@{exec_path} = @{lib}/ibus/ibus-x11 +@{exec_path} += @{lib}/ibus-x11 profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/children/child-dpkg b/apparmor.d/groups/children/child-dpkg index 5252f0fd..cd3b138a 100644 
--- a/apparmor.d/groups/children/child-dpkg +++ b/apparmor.d/groups/children/child-dpkg @@ -12,7 +12,7 @@ abi , include -# Do not attach to /{usr/,}bin/dpkg by default +# Do not attach to @{bin}/dpkg by default profile child-dpkg { include include @@ -21,14 +21,14 @@ profile child-dpkg { capability dac_read_search, capability setgid, - /{usr/,}bin/dpkg mr, + @{bin}/dpkg mr, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - /{usr/,}bin/dpkg-query rpx, - /{usr/,}bin/dpkg-deb rPx, - /{usr/,}bin/dpkg-split rPx, + @{bin}/dpkg-query rpx, + @{bin}/dpkg-deb rPx, + @{bin}/dpkg-split rPx, /etc/dpkg/dpkg.cfg.d/{,*} r, /etc/dpkg/dpkg.cfg r, diff --git a/apparmor.d/groups/children/child-dpkg-divert b/apparmor.d/groups/children/child-dpkg-divert index d9708464..03199d3c 100644 --- a/apparmor.d/groups/children/child-dpkg-divert +++ b/apparmor.d/groups/children/child-dpkg-divert @@ -12,11 +12,11 @@ abi , include -# Do not attach to /{usr/,}bin/dpkg-divert by default +# Do not attach to @{bin}/dpkg-divert by default profile child-dpkg-divert { include - /{usr/,}bin/dpkg-divert mr, + @{bin}/dpkg-divert mr, /var/lib/dpkg/arch r, /var/lib/dpkg/status r, diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open index 656aed6b..eca5bae5 100644 --- a/apparmor.d/groups/children/child-open +++ b/apparmor.d/groups/children/child-open @@ -6,7 +6,7 @@ # intended to be used only via "Px -> child-open" exec transitions # from other profiles. -# Instead of allowing the run of all software in /{usr/,}bin/, the purpose of +# Instead of allowing the run of all software in @{bin}/, the purpose of # this profile is to list all GUI program that can open resources. # Ultimatelly, only sandbox manager program like bwrap, snap, flatpak, firejail 
@@ -21,71 +21,71 @@ profile child-open { include include - /{usr/,}bin/exo-open mr, - /{usr/,}bin/xdg-open mr, - /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mrix, - /{usr/,}lib/gio-launch-desktop mrix, + @{bin}/exo-open mr, + @{bin}/xdg-open mr, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mrix, + @{lib}/gio-launch-desktop mrix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,m,g}awk rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/readlink rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,m,g}awk rix, + @{bin}/basename rix, + @{bin}/readlink rix, # Sandbox managers - /{usr/,}bin/bwrap rPUx, - /{usr/,}bin/firejail rPUx, - /{usr/,}bin/flatpak rPUx, - /{usr/,}bin/snap rPUx, + @{bin}/bwrap rPUx, + @{bin}/firejail rPUx, + @{bin}/flatpak rPUx, + @{bin}/snap rPUx, # Files explorer - /{usr/,}bin/nautilus rPx, + @{bin}/nautilus rPx, # Firefox - /{usr/,}bin/firefox{,.sh,-esr,-bin} rPx, - /{usr/,}lib{,32,64}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx, + @{bin}/firefox{,.sh,-esr,-bin} rPx, + @{lib}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx, /opt/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx, # Brave /opt/brave{-bin,.com}/brave{,-beta,-dev,-bin}/brave{,-beta,-dev,-bin} rPx, # Chromium - /{usr/,}lib/chromium/chromium rPx, + @{lib}/chromium/chromium rPx, # Chrome /opt/google/chrome{,-beta,-stable,-unstable}/chrome{,-beta,-stable,-unstable} rPx, # Opera - /{usr/,}lib/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer} rPx, + @{lib}/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer} rPx, # Text editors - /{usr/,}bin/code rPx, - /{usr/,}bin/gedit rPUx, + @{bin}/code rPx, + @{bin}/gedit rPUx, /usr/share/code/{bin/,}code rPx, # Others - /{usr/,}bin/*Foliate rPUx, - /{usr/,}bin/discord{,-ptb} rPx, - /{usr/,}bin/draw.io rPUx, - /{usr/,}bin/dropbox rPx, - /{usr/,}bin/engrampa rPx, - /{usr/,}bin/eog rPUx, - /{usr/,}bin/evince rPx, - /{usr/,}bin/filezilla rPx, - /{usr/,}bin/file-roller rPUx, - /{usr/,}bin/flameshot rPx, - 
/{usr/,}bin/geany rPx, - /{usr/,}bin/gnome-calculator rPUx, - /{usr/,}bin/gnome-disk-image-mounter rPx, - /{usr/,}bin/gnome-disks rPx, - /{usr/,}bin/kgx rPx, - /{usr/,}bin/okular rPx, - /{usr/,}bin/qbittorrent rPx, - /{usr/,}bin/qpdfview rPx, - /{usr/,}bin/smplayer rPx, - /{usr/,}bin/spacefm rPx, - /{usr/,}bin/teams rPUx, - /{usr/,}bin/telegram-desktop rPx, - /{usr/,}bin/thunderbird rPx, - /{usr/,}bin/transmission-gtk rPx, - /{usr/,}bin/viewnior rPUx, - /{usr/,}bin/vlc rPx, - /{usr/,}bin/xarchiver rPx, + @{bin}/*Foliate rPUx, + @{bin}/discord{,-ptb} rPx, + @{bin}/draw.io rPUx, + @{bin}/dropbox rPx, + @{bin}/engrampa rPx, + @{bin}/eog rPUx, + @{bin}/evince rPx, + @{bin}/file-roller rPUx, + @{bin}/filezilla rPx, + @{bin}/flameshot rPx, + @{bin}/geany rPx, + @{bin}/gnome-calculator rPUx, + @{bin}/gnome-disk-image-mounter rPx, + @{bin}/gnome-disks rPx, + @{bin}/kgx rPx, + @{bin}/okular rPx, + @{bin}/qbittorrent rPx, + @{bin}/qpdfview rPx, + @{bin}/smplayer rPx, + @{bin}/spacefm rPx, + @{bin}/teams rPUx, + @{bin}/telegram-desktop rPx, + @{bin}/thunderbird rPx, + @{bin}/transmission-gtk rPx, + @{bin}/viewnior rPUx, + @{bin}/vlc rPx, + @{bin}/xarchiver rPx, include if exists include if exists diff --git a/apparmor.d/groups/children/child-pager b/apparmor.d/groups/children/child-pager index e7f532e0..c2536ea2 100644 --- a/apparmor.d/groups/children/child-pager +++ b/apparmor.d/groups/children/child-pager @@ -13,7 +13,7 @@ abi , include -# Do not attach to /{usr/,}bin/pager by default +# Do not attach to @{bin}/pager by default profile child-pager { include include @@ -23,10 +23,10 @@ profile child-pager { signal (receive) set=(stop, cont, term, kill), - /{usr/,}bin/ r, - /{usr/,}bin/pager mr, - /{usr/,}bin/less mr, - /{usr/,}bin/more mr, + @{bin}/ r, + @{bin}/pager mr, + @{bin}/less mr, + @{bin}/more mr, @{system_share_dirs}/terminfo/{,**} r, diff --git a/apparmor.d/groups/children/child-systemctl b/apparmor.d/groups/children/child-systemctl index c01bb79d..70fe2bf3 100644 
--- a/apparmor.d/groups/children/child-systemctl +++ b/apparmor.d/groups/children/child-systemctl @@ -13,7 +13,7 @@ abi , include -# Do not attach to /{usr/,}bin/systemctl by default +# Do not attach to @{bin}/systemctl by default profile child-systemctl flags=(attach_disconnected) { include include @@ -33,7 +33,7 @@ profile child-systemctl flags=(attach_disconnected) { interface=org.freedesktop.systemd[0-9].Manager member=GetUnitFileState, - /{usr/,}bin/systemctl mr, + @{bin}/systemctl mr, /etc/machine-id r, /etc/systemd/user/{,**} rwl, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 8ab18f85..8ee5388e 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/cron +@{exec_path} = @{bin}/cron profile cron @{exec_path} flags=(attach_disconnected) { include include @@ -28,13 +28,13 @@ profile cron @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/nice rix, - /{usr/,}bin/ionice rix, - /{usr/,}bin/run-parts rPx, + @{bin}/{,ba,da}sh rix, + @{bin}/nice rix, + @{bin}/ionice rix, + @{bin}/run-parts rPx, - /{usr/,}lib/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx, - /{usr/,}lib/sysstat/debian-sa1 rPUx, + @{lib}/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx, + @{lib}/sysstat/debian-sa1 rPUx, /usr/share/rsync/scripts/rrsync rPUx, /etc/cron.d/{,*} r, diff --git a/apparmor.d/groups/cron/cron-anacron b/apparmor.d/groups/cron/cron-anacron index 14f6b2f3..2bf9235b 100644 --- a/apparmor.d/groups/cron/cron-anacron +++ b/apparmor.d/groups/cron/cron-anacron @@ -12,10 +12,10 @@ profile cron-anacron @{exec_path} { @{exec_path} r, - /{usr/,}{s,}bin/anacron rPx, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/date rix, + @{bin}/anacron rPx, + @{bin}/{,ba,da}sh rix, + @{bin}/cat rix, + @{bin}/date rix, @{sys}/class/power_supply/ r, @{sys}/devices/**/power_supply/{,**} r, 
diff --git a/apparmor.d/groups/cron/cron-apport b/apparmor.d/groups/cron/cron-apport index 3c37534a..6b7b8196 100644 --- a/apparmor.d/groups/cron/cron-apport +++ b/apparmor.d/groups/cron/cron-apport @@ -12,9 +12,9 @@ profile cron-apport @{exec_path} { @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/find rix, - /{usr/,}bin/rm rix, + @{bin}/{,ba,da}sh rix, + @{bin}/find rix, + @{bin}/rm rix, / r, /var/crash/ r, diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt index 80740a7e..41f5f931 100644 --- a/apparmor.d/groups/cron/cron-apt +++ b/apparmor.d/groups/cron/cron-apt @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}sbin/cron-apt +@{exec_path} = @{bin}/cron-apt profile cron-apt @{exec_path} { include include 
@@ -16,36 +16,36 @@ profile cron-apt @{exec_path} { @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/dotlockfile rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/diff rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/rmdir rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/md5sum rix, - /{usr/,}bin/stat rix, - /{usr/,}bin/date rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/expr rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/dd rix, - /{usr/,}bin/cksum rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/sleep rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/logger rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/fold rix, + @{bin}/{,ba,da}sh rix, + @{bin}/dotlockfile rix, + @{bin}/sed rix, + @{bin}/mktemp rix, + @{bin}/diff rix, + @{bin}/mkdir rix, + @{bin}/rmdir rix, + @{bin}/rm rix, + @{bin}/{,e}grep rix, + @{bin}/md5sum rix, + @{bin}/stat rix, + @{bin}/date rix, + @{bin}/cat rix, + @{bin}/expr rix, + @{bin}/cp rix, + @{bin}/dd rix, + @{bin}/cksum rix, + @{bin}/{m,g,}awk rix, + @{bin}/sleep rix, + @{bin}/mv rix, + @{bin}/logger rix, + @{bin}/ls rix, + @{bin}/touch rix, + @{bin}/uname rix, + @{bin}/fold rix, - /{usr/,}bin/apt-get rPx, - /{usr/,}bin/apt-file rPx, - /{usr/,}bin/aptitude{,-curses} rPx, - /{usr/,}sbin/exim4 rPx, + @{bin}/apt-get rPx, + @{bin}/apt-file rPx, + @{bin}/aptitude{,-curses} rPx, + @{bin}/exim4 rPx, /usr/share/cron-apt/{,*} r, @@ -70,7 +70,7 @@ profile cron-apt @{exec_path} { /var/log/cron-apt/lastfullmessage rw, # For the "ls" command - /{usr/,}lib/locale/locale-archive r, + @{lib}/locale/locale-archive r, # TMP /tmp/ r, diff --git a/apparmor.d/groups/cron/cron-apt-compat b/apparmor.d/groups/cron/cron-apt-compat index c2200b58..4a47184b 100644 --- a/apparmor.d/groups/cron/cron-apt-compat +++ b/apparmor.d/groups/cron/cron-apt-compat 
@@ -11,18 +11,18 @@ profile cron-apt-compat @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}sbin/on_ac_power rPx, + @{bin}/on_ac_power rPx, - /{usr/,}bin/apt-config rPx, - /{usr/,}lib/apt/apt.systemd.daily rPx, + @{bin}/apt-config rPx, + @{lib}/apt/apt.systemd.daily rPx, - /{usr/,}bin/dd rix, - /{usr/,}bin/cksum rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/sleep rix, + @{bin}/dd rix, + @{bin}/cksum rix, + @{bin}/cut rix, + @{bin}/which{,.debianutils} rix, + @{bin}/sleep rix, include if exists } diff --git a/apparmor.d/groups/cron/cron-apt-listbugs b/apparmor.d/groups/cron/cron-apt-listbugs index 23833a57..af24625c 100644 --- a/apparmor.d/groups/cron/cron-apt-listbugs +++ b/apparmor.d/groups/cron/cron-apt-listbugs @@ -11,9 +11,9 @@ profile cron-apt-listbugs @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean rCx -> prefclean, + @{lib}/ruby/vendor_ruby/aptlistbugs/prefclean rCx -> prefclean, @{run}/systemd/system r, @@ -21,14 +21,14 @@ profile cron-apt-listbugs @{exec_path} { profile prefclean { include - /{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean mr, + @{lib}/ruby/vendor_ruby/aptlistbugs/prefclean mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/date rix, - /{usr/,}bin/cat rix, + @{bin}/{,ba,da}sh rix, + @{bin}/mktemp rix, + @{bin}/rm rix, + @{bin}/cp rix, + @{bin}/date rix, + @{bin}/cat rix, /var/spool/apt-listbugs/lastprefclean rw, diff --git a/apparmor.d/groups/cron/cron-apt-show-versions b/apparmor.d/groups/cron/cron-apt-show-versions index d4161f7b..b04848af 100644 --- a/apparmor.d/groups/cron/cron-apt-show-versions +++ b/apparmor.d/groups/cron/cron-apt-show-versions 
@@ -11,9 +11,9 @@ profile cron-apt-show-versions @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/apt-show-versions rPx, + @{bin}/apt-show-versions rPx, # For shell pwd / r, diff --git a/apparmor.d/groups/cron/cron-apt-xapian-index b/apparmor.d/groups/cron/cron-apt-xapian-index index 9c986e35..b0d00928 100644 --- a/apparmor.d/groups/cron/cron-apt-xapian-index +++ b/apparmor.d/groups/cron/cron-apt-xapian-index @@ -11,17 +11,17 @@ profile cron-apt-xapian-index @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/{,e}grep rix, + @{bin}/which{,.debianutils} rix, + @{bin}/{,e}grep rix, - /{usr/,}bin/nice rix, - /{usr/,}bin/ionice rix, + @{bin}/nice rix, + @{bin}/ionice rix, - /{usr/,}sbin/ r, - /{usr/,}sbin/update-apt-xapian-index rPx, - /{usr/,}sbin/on_ac_power rPx, + @{bin}/ r, + @{bin}/update-apt-xapian-index rPx, + @{bin}/on_ac_power rPx, # For shell pwd / r, diff --git a/apparmor.d/groups/cron/cron-aptitude b/apparmor.d/groups/cron/cron-aptitude index a425ebc0..20b93733 100644 --- a/apparmor.d/groups/cron/cron-aptitude +++ b/apparmor.d/groups/cron/cron-aptitude @@ -11,20 +11,20 @@ profile cron-aptitude @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/date rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/mv rix, + @{bin}/cp rix, + @{bin}/date rix, + @{bin}/basename rix, + @{bin}/which{,.debianutils} rix, + @{bin}/dirname rix, + @{bin}/rm rix, + @{bin}/mv rix, - /{usr/,}bin/savelog rix, - /{usr/,}bin/cmp rix, + @{bin}/savelog rix, + @{bin}/cmp rix, - /{usr/,}bin/gzip rix, + @{bin}/gzip rix, /var/lib/aptitude/pkgstates r, diff --git a/apparmor.d/groups/cron/cron-cracklib b/apparmor.d/groups/cron/cron-cracklib index f1218290..ec8e9b3a 100644 
--- a/apparmor.d/groups/cron/cron-cracklib
+++ b/apparmor.d/groups/cron/cron-cracklib
@@ -13,9 +13,9 @@ profile cron-cracklib @{exec_path} {
 @{exec_path} r,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/logger rix,
- /{usr/,}sbin/update-cracklib rPx,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/logger rix,
+ @{bin}/update-cracklib rPx,
 /etc/cracklib/cracklib.conf r,
diff --git a/apparmor.d/groups/cron/cron-debsums b/apparmor.d/groups/cron/cron-debsums
index 72d4cf83..04088a2e 100644
--- a/apparmor.d/groups/cron/cron-debsums
+++ b/apparmor.d/groups/cron/cron-debsums
@@ -12,16 +12,16 @@ profile cron-debsums @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/true rix,
- /{usr/,}bin/logger rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/{,e}grep rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/true rix,
+ @{bin}/logger rix,
+ @{bin}/sed rix,
+ @{bin}/{,e}grep rix,
- /{usr/,}bin/ionice rix,
+ @{bin}/ionice rix,
- /{usr/,}bin/debsums rPx,
- /{usr/,}bin/tee rCx -> tee,
+ @{bin}/debsums rPx,
+ @{bin}/tee rCx -> tee,
 /etc/ r,
 /etc/default/debsums r,
@@ -38,7 +38,7 @@ profile cron-debsums @{exec_path} {
 # Needed to write to /proc/self/fd/3
 capability dac_override,
- /{usr/,}bin/tee mr,
+ @{bin}/tee mr,
 owner @{PROC}/@{pid}/fd/3 rw,
diff --git a/apparmor.d/groups/cron/cron-debtags b/apparmor.d/groups/cron/cron-debtags
index b959ac89..13b3fd1c 100644
--- a/apparmor.d/groups/cron/cron-debtags
+++ b/apparmor.d/groups/cron/cron-debtags
@@ -11,7 +11,7 @@ profile cron-debtags @{exec_path} {
 include
 @{exec_path} r,
- /{usr/,}bin/{,ba,da}sh rix,
+ @{bin}/{,ba,da}sh rix,
 /usr/bin/debtags rPx,
diff --git a/apparmor.d/groups/cron/cron-dlocate b/apparmor.d/groups/cron/cron-dlocate
index b01269a9..c16750f4 100644
--- a/apparmor.d/groups/cron/cron-dlocate
+++ b/apparmor.d/groups/cron/cron-dlocate
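Review bot: The cron-debtags hunk leaves ` /usr/bin/debtags rPx,` as a hard-coded path while the shell rule directly above it is converted to `@{bin}/`, so this profile ends up half-migrated and the transition rule will not follow whatever `@{bin}` expands to on the other layouts the rest of the patch targets. Changing it to `@{bin}/debtags rPx,` keeps the profile consistent with the stated purpose of the commit. The enclosing profile body continues outside the hunk.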
@@ -11,9 +11,9 @@ profile cron-dlocate @{exec_path} { include @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}sbin/update-dlocatedb rPx, + @{bin}/update-dlocatedb rPx, include if exists } diff --git a/apparmor.d/groups/cron/cron-etckeeper b/apparmor.d/groups/cron/cron-etckeeper index b8de92ac..f1b7df91 100644 --- a/apparmor.d/groups/cron/cron-etckeeper +++ b/apparmor.d/groups/cron/cron-etckeeper @@ -13,10 +13,10 @@ profile cron-etckeeper @{exec_path} { @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/find rix, - /{usr/,}bin/etckeeper rPx, + @{bin}/{,ba,da}sh rix, + @{bin}/rm rix, + @{bin}/find rix, + @{bin}/etckeeper rPx, /etc/etckeeper/daily rix, /etc/etckeeper/etckeeper.conf r, diff --git a/apparmor.d/groups/cron/cron-exim4-base b/apparmor.d/groups/cron/cron-exim4-base index 1f16af99..118834dc 100644 --- a/apparmor.d/groups/cron/cron-exim4-base +++ b/apparmor.d/groups/cron/cron-exim4-base @@ -24,22 +24,22 @@ profile cron-exim4-base @{exec_path} { network netlink raw, @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/logger rix, - /{usr/,}bin/mail rix, - /{usr/,}bin/hostname rix, - /{usr/,}bin/xargs rix, - /{usr/,}bin/find rix, - /{usr/,}sbin/eximstats rix, + @{bin}/sed rix, + @{bin}/{,e}grep rix, + @{bin}/logger rix, + @{bin}/mail rix, + @{bin}/hostname rix, + @{bin}/xargs rix, + @{bin}/find rix, + @{bin}/eximstats rix, - /{usr/,}sbin/exim4 rPx, - /{usr/,}sbin/exim_tidydb rix, + @{bin}/exim4 rPx, + @{bin}/exim_tidydb rix, - /{usr/,}sbin/start-stop-daemon rix, - /{usr/,}sbin/runuser rix, + @{bin}/start-stop-daemon rix, + @{bin}/runuser rix, /etc/default/exim4 r, diff --git a/apparmor.d/groups/cron/cron-ipset-autoban-save b/apparmor.d/groups/cron/cron-ipset-autoban-save index 98278c87..ea99212f 100644 --- a/apparmor.d/groups/cron/cron-ipset-autoban-save +++ b/apparmor.d/groups/cron/cron-ipset-autoban-save 
@@ -12,9 +12,9 @@ profile cron-ipset-autoban-save @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}sbin/ipset rix, + @{bin}/ipset rix, /etc/peerblock/autoban rw, diff --git a/apparmor.d/groups/cron/cron-logrotate b/apparmor.d/groups/cron/cron-logrotate index 9cdb1952..86ed4f03 100644 --- a/apparmor.d/groups/cron/cron-logrotate +++ b/apparmor.d/groups/cron/cron-logrotate @@ -11,11 +11,11 @@ profile cron-logrotate @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}sbin/logrotate rPx, + @{bin}/logrotate rPx, - /{usr/,}bin/logger rix, + @{bin}/logger rix, # For shell pwd / r, diff --git a/apparmor.d/groups/cron/cron-man-db b/apparmor.d/groups/cron/cron-man-db index 81e75610..52dc649c 100644 --- a/apparmor.d/groups/cron/cron-man-db +++ b/apparmor.d/groups/cron/cron-man-db @@ -16,14 +16,14 @@ profile cron-man-db @{exec_path} { capability setuid, @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}sbin/start-stop-daemon rix, - /{usr/,}bin/xargs rix, - /{usr/,}bin/find rix, + @{bin}/{,e}grep rix, + @{bin}/start-stop-daemon rix, + @{bin}/xargs rix, + @{bin}/find rix, - /{usr/,}bin/mandb rPx, + @{bin}/mandb rPx, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/cron/cron-mlocate b/apparmor.d/groups/cron/cron-mlocate index 4b9370fd..2206899a 100644 --- a/apparmor.d/groups/cron/cron-mlocate +++ b/apparmor.d/groups/cron/cron-mlocate 
@@ -12,17 +12,17 @@ profile cron-mlocate @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/true rix, - /{usr/,}bin/flock rix, - /{usr/,}bin/nocache rix, - /{usr/,}bin/ionice rix, - /{usr/,}bin/nice rix, + @{bin}/which{,.debianutils} rix, + @{bin}/true rix, + @{bin}/flock rix, + @{bin}/nocache rix, + @{bin}/ionice rix, + @{bin}/nice rix, - /{usr/,}bin/updatedb.mlocate rPx, - /{usr/,}sbin/on_ac_power rPx, + @{bin}/updatedb.mlocate rPx, + @{bin}/on_ac_power rPx, @{run}/mlocate.daily.lock rwk, diff --git a/apparmor.d/groups/cron/cron-plocate b/apparmor.d/groups/cron/cron-plocate index 210ca9c0..2db31659 100644 --- a/apparmor.d/groups/cron/cron-plocate +++ b/apparmor.d/groups/cron/cron-plocate @@ -12,17 +12,17 @@ profile cron-plocate @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/true rix, - /{usr/,}bin/flock rix, - /{usr/,}bin/nocache rix, - /{usr/,}bin/ionice rix, - /{usr/,}bin/nice rix, + @{bin}/which{,.debianutils} rix, + @{bin}/true rix, + @{bin}/flock rix, + @{bin}/nocache rix, + @{bin}/ionice rix, + @{bin}/nice rix, - /{usr/,}sbin/updatedb.plocate rPx, - /{usr/,}sbin/on_ac_power rPx, + @{bin}/updatedb.plocate rPx, + @{bin}/on_ac_power rPx, @{run}/plocate.daily.lock rwk, diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index 2bd878ef..ee488945 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest 
@@ -11,28 +11,28 @@ profile cron-popularity-contest @{exec_path} { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}sbin/popularity-contest rPx, + @{bin}/popularity-contest rPx, - /{usr/,}bin/logger rix, - /{usr/,}bin/date rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/setsid rix, + @{bin}/logger rix, + @{bin}/date rix, + @{bin}/mktemp rix, + @{bin}/mkdir rix, + @{bin}/rm rix, + @{bin}/mv rix, + @{bin}/cat rix, + @{bin}/setsid rix, # To send reports via TOR - /{usr/,}bin/torify rix, - /{usr/,}bin/torsocks rix, - /{usr/,}sbin/getcap rix, + @{bin}/torify rix, + @{bin}/torsocks rix, + @{bin}/getcap rix, /usr/share/popularity-contest/popcon-upload rCx -> popcon-upload, - /{usr/,}bin/gpg{,2} rCx -> gpg, - /{usr/,}sbin/runuser rCx -> runuser, - /{usr/,}bin/savelog rCx -> savelog, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/runuser rCx -> runuser, + @{bin}/savelog rCx -> savelog, /usr/share/popularity-contest/ r, /usr/share/popularity-contest/default.conf r, @@ -62,18 +62,18 @@ profile cron-popularity-contest @{exec_path} { profile savelog { include - /{usr/,}bin/savelog mr, + @{bin}/savelog mr, - /{usr/,}bin/date rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/dirname rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/gzip rix, + @{bin}/date rix, + @{bin}/basename rix, + @{bin}/which{,.debianutils} rix, + @{bin}/dirname rix, + @{bin}/rm rix, + @{bin}/mv rix, + @{bin}/touch rix, + @{bin}/gzip rix, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, /var/log/ r, /var/log/popularity-contest.[0-9]*.gz rw, 
@@ -91,11 +91,11 @@ profile cron-popularity-contest @{exec_path} { include include - /{usr/,}sbin/runuser mr, + @{bin}/runuser mr, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, - /{usr/,}sbin/popularity-contest rPx, + @{bin}/popularity-contest rPx, owner @{PROC}/@{pids}/loginuid r, @{PROC}/1/limits r, @@ -113,7 +113,7 @@ profile cron-popularity-contest @{exec_path} { include include - /{usr/,}bin/gpg{,2} mr, + @{bin}/gpg{,2} mr, /usr/share/popularity-contest/debian-popcon.gpg r, @@ -141,9 +141,9 @@ profile cron-popularity-contest @{exec_path} { network netlink raw, /usr/share/popularity-contest/popcon-upload r, - /{usr/,}bin/perl r, + @{bin}/perl r, - /{usr/,}bin/gzip rix, + @{bin}/gzip rix, /var/log/ r, /var/log/popularity-contest.new.gpg r, diff --git a/apparmor.d/groups/cron/cron-sysstat b/apparmor.d/groups/cron/cron-sysstat index fe412784..53f02e61 100644 --- a/apparmor.d/groups/cron/cron-sysstat +++ b/apparmor.d/groups/cron/cron-sysstat @@ -13,8 +13,8 @@ profile cron-sysstat @{exec_path} { @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}lib/sysstat/sa2 rPx, + @{bin}/{,ba,da}sh rix, + @{lib}/sysstat/sa2 rPx, /etc/default/sysstat r, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index 39fe7892..b8f65974 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/crontab +@{exec_path} = @{bin}/crontab profile crontab @{exec_path} { include include @@ -17,11 +17,11 @@ profile crontab @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{,ba,da}sh rix, # When editing the crontab file - /{usr/,}bin/sensible-editor rCx -> editor, - /{usr/,}bin/vim.* rCx -> editor, + @{bin}/sensible-editor rCx -> editor, + @{bin}/vim.* rCx -> editor, /etc/cron.{allow,deny} r, 
@@ -38,10 +38,10 @@ profile crontab @{exec_path} { capability fsetid, - /{usr/,}bin/sensible-editor mr, - /{usr/,}bin/vim.* mrix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which{,.debianutils} rix, + @{bin}/sensible-editor mr, + @{bin}/vim.* mrix, + @{bin}/{,ba,da}sh rix, + @{bin}/which{,.debianutils} rix, owner @{HOME}/.selected_editor r, diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 8ecb5544..a3074669 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{libexec}/{,accountsservice/}accounts-daemon +@{exec_path} = @{lib}/{,accountsservice/}accounts-daemon profile accounts-daemon @{exec_path} flags=(attach_disconnected) { include include @@ -43,13 +43,13 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/cat rix, + @{bin}/adduser rPx, + @{bin}/cat rix, + @{bin}/chage rPx, + @{bin}/passwd rPx, + @{bin}/userdel rPx, + @{bin}/usermod rPx, - /{usr/,}{s,}bin/adduser rPx, - /{usr/,}{s,}bin/usermod rPx, - /{usr/,}{s,}bin/userdel rPx, - /{usr/,}bin/passwd rPx, - /{usr/,}bin/chage rPx, /usr/share/language-tools/language-validate rPx, /usr/share/language-tools/set-language-helper rPUx, diff --git a/apparmor.d/groups/freedesktop/at-spi-bus-launcher b/apparmor.d/groups/freedesktop/at-spi-bus-launcher index 320b0cde..a1a82e4b 100644 --- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher +++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{libexec}/{,at-spi2{,-core}/}at-spi-bus-launcher +@{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { include include 
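Review bot: `@{exec_path} = @{lib}/{,accountsservice/}accounts-daemon` now depends on `@{lib}` expanding to `/usr/libexec` the way `@{libexec}` did; the tunable's definition is outside this patch, so please confirm it (the polkit-kde-authentication-agent hunk, whose old pattern spelled out `lib{,exec}`, suggests that is the intent). If `@{lib}` only covers `lib{,32,64}`, the attachment path silently stops matching on distributions that install the binary under libexec and the daemon runs unconfined, with no denial in the audit log to reveal it. The same dependency applies to every `@{libexec}` → `@{lib}` attachment rewrite in this series (at-spi-bus-launcher, at-spi2-registryd, colord, colord-sane, colord-session, dconf-service, geoclue, polkitd, polkit-agent-helper, upowerd, the xdg-desktop-portal profiles, xdg-document-portal and xdg-permission-store). Checking `aa-status` for these daemons on a libexec-based distribution after loading the profiles would catch a mismatch.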
@@ -29,8 +29,8 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/dbus-daemon rPx, - /{usr/,}bin/dbus-broker-launch rPUx, + @{bin}/dbus-daemon rPx, + @{bin}/dbus-broker-launch rPUx, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd index 8796f87b..12045871 100644 --- a/apparmor.d/groups/freedesktop/at-spi2-registryd +++ b/apparmor.d/groups/freedesktop/at-spi2-registryd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{libexec}/{,at-spi2{,-core}/}at-spi2-registryd +@{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi2-registryd profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 80aef433..eb182a28 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{libexec}/{,colord/}colord +@{exec_path} = @{lib}/{,colord/}colord profile colord @{exec_path} flags=(attach_disconnected) { include include @@ -57,8 +57,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}lib/colord/colord-sane rPx, - @{libexec}/colord-sane rPx, + @{lib}/colord/colord-sane rPx, + @{lib}/colord-sane rPx, /etc/machine-id r, /etc/udev/hwdb.bin r, diff --git a/apparmor.d/groups/freedesktop/colord-sane b/apparmor.d/groups/freedesktop/colord-sane index d66a0d7c..def8c0fc 100644 --- a/apparmor.d/groups/freedesktop/colord-sane +++ b/apparmor.d/groups/freedesktop/colord-sane @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{libexec}/{,colord/}colord-sane +@{exec_path} = @{lib}/{,colord/}colord-sane profile colord-sane @{exec_path} flags=(attach_disconnected) { include include 
diff --git a/apparmor.d/groups/freedesktop/colord-session b/apparmor.d/groups/freedesktop/colord-session index 85a9a9df..28dbaca9 100644 --- a/apparmor.d/groups/freedesktop/colord-session +++ b/apparmor.d/groups/freedesktop/colord-session @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{libexec}/{,colord/}colord-session +@{exec_path} = @{lib}/{,colord/}colord-session profile colord-session @{exec_path} { include diff --git a/apparmor.d/groups/freedesktop/cpupower b/apparmor.d/groups/freedesktop/cpupower index 9f25cf70..e0c85aa4 100644 --- a/apparmor.d/groups/freedesktop/cpupower +++ b/apparmor.d/groups/freedesktop/cpupower @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/cpupower +@{exec_path} = @{bin}/cpupower profile cpupower @{exec_path} { include @@ -19,9 +19,9 @@ profile cpupower @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/kmod rCx -> kmod, - /{usr/,}bin/man rPx, + @{bin}/{,ba,da}sh rix, + @{bin}/kmod rCx -> kmod, + @{bin}/man rPx, @{sys}/devices/system/cpu/{cpufreq,cpuidle}/ r, @{sys}/devices/system/cpu/{cpufreq,cpuidle}/** r, @@ -43,7 +43,7 @@ profile cpupower @{exec_path} { profile kmod { include - /{usr/,}bin/kmod mr, + @{bin}/kmod mr, @{PROC}/cmdline r, #@{PROC}/modules r, diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf index 19c76c3b..f904a756 100644 --- a/apparmor.d/groups/freedesktop/dconf +++ b/apparmor.d/groups/freedesktop/dconf @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/dconf +@{exec_path} = @{bin}/dconf profile dconf @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/freedesktop/dconf-editor b/apparmor.d/groups/freedesktop/dconf-editor index 5a8c60e9..b68999c4 100644 --- a/apparmor.d/groups/freedesktop/dconf-editor +++ b/apparmor.d/groups/freedesktop/dconf-editor 
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/dconf-editor +@{exec_path} = @{bin}/dconf-editor profile dconf-editor @{exec_path} { include include diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service index f24057ad..5982630a 100644 --- a/apparmor.d/groups/freedesktop/dconf-service +++ b/apparmor.d/groups/freedesktop/dconf-service @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{libexec}/{,dconf/}dconf-service +@{exec_path} = @{lib}/{,dconf/}dconf-service profile dconf-service @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/freedesktop/desktop-file-install b/apparmor.d/groups/freedesktop/desktop-file-install index d5903645..f6af7c39 100644 --- a/apparmor.d/groups/freedesktop/desktop-file-install +++ b/apparmor.d/groups/freedesktop/desktop-file-install @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/desktop-file-install +@{exec_path} = @{bin}/desktop-file-install profile desktop-file-install @{exec_path} { include diff --git a/apparmor.d/groups/freedesktop/fc-list b/apparmor.d/groups/freedesktop/fc-list index b9a49e68..8bfbacc0 100644 --- a/apparmor.d/groups/freedesktop/fc-list +++ b/apparmor.d/groups/freedesktop/fc-list @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/fc-list +@{exec_path} = @{bin}/fc-list profile fc-list @{exec_path} { include include diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index b2d716d0..63ad11ee 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{libexec}/geoclue @{libexec}/geoclue-2.0/demos/agent +@{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent profile geoclue @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 76b9af9c..9ea1267a 100644 
--- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/pipewire +@{exec_path} = @{bin}/pipewire profile pipewire @{exec_path} flags=(attach_disconnected) { include include @@ -44,8 +44,8 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/pactl rix, - /{usr/,}bin/pipewire-media-session rPx, + @{bin}/pactl rix, + @{bin}/pipewire-media-session rPx, /usr/share/pipewire/pipewire*.conf r, diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index 0fbe1607..48991510 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/pipewire-media-session +@{exec_path} = @{bin}/pipewire-media-session profile pipewire-media-session @{exec_path} { include include diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse index c495a8d9..ea1b7caa 100644 --- a/apparmor.d/groups/freedesktop/pipewire-pulse +++ b/apparmor.d/groups/freedesktop/pipewire-pulse @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/pipewire-pulse +@{exec_path} = @{bin}/pipewire-pulse profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { include include @@ -19,7 +19,7 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/pactl rix, + @{bin}/pactl rix, /var/lib/dbus/machine-id r, /etc/machine-id r, diff --git a/apparmor.d/groups/freedesktop/plymouth b/apparmor.d/groups/freedesktop/plymouth index 059df5a3..9953dac0 100644 --- a/apparmor.d/groups/freedesktop/plymouth +++ b/apparmor.d/groups/freedesktop/plymouth @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/plymouth +@{exec_path} = @{bin}/plymouth profile plymouth @{exec_path} { include include 
diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme index 8eabdeee..4a58e7ed 100644 --- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme +++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme @@ -6,16 +6,16 @@ abi , include -@{exec_path} = /{usr/,}bin/plymouth-set-default-theme +@{exec_path} = @{bin}/plymouth-set-default-theme profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) { include @{exec_path} mr, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/grep rix, - /{usr/,}bin/plymouth rPx, - /{usr/,}bin/{,ba,da}sh rix, + @{bin}/{m,g,}awk rix, + @{bin}/grep rix, + @{bin}/plymouth rPx, + @{bin}/{,ba,da}sh rix, /etc/plymouth/{,*} r, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 350ff237..a9f36e13 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{s,}bin/plymouthd +@{exec_path} = @{bin}/plymouthd profile plymouthd @{exec_path} { include include diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper index 231fafee..59b6ed66 100644 --- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -7,8 +7,8 @@ abi , include -@{exec_path} = /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] -@{exec_path} += @{libexec}/polkit-agent-helper-[0-9] +@{exec_path} = @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] +@{exec_path} += @{lib}/polkit-agent-helper-[0-9] profile polkit-agent-helper @{exec_path} { include include diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index ffe8caaa..41fb4a40 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent 
+++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -7,8 +7,8 @@ abi , include -@{exec_path} = /{usr/,}lib{,exec}/@{multiarch}/polkit-kde-authentication-agent-[0-9] -@{exec_path} += /{usr/,}lib{,exec}/polkit-kde-authentication-agent-[0-9] +@{exec_path} = @{lib}/@{multiarch}/polkit-kde-authentication-agent-[0-9] +@{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} { include include @@ -29,7 +29,7 @@ profile polkit-kde-authentication-agent @{exec_path} { @{exec_path} mr, - /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, + @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, /usr/share/hwdata/pnp.ids r, /usr/share/icu/[0-9]*.[0-9]*/*.dat r, diff --git a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent index 8a6cbf85..cb1a4a7a 100644 --- a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}lib/@{multiarch}/polkit-mate/polkit-mate-authentication-agent-[0-9] +@{exec_path} = @{lib}/@{multiarch}/polkit-mate/polkit-mate-authentication-agent-[0-9] profile polkit-mate-authentication-agent @{exec_path} { include include @@ -24,7 +24,7 @@ profile polkit-mate-authentication-agent @{exec_path} { @{exec_path} mr, - /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, + @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, /usr/share/X11/xkb/** r, diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 76b9e269..46e28842 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{libexec}/{,polkit-1/}polkitd +@{exec_path} = @{lib}/{,polkit-1/}polkitd profile polkitd @{exec_path} { include include 
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 5904a6c7..9a1bd8c9 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -8,7 +8,7 @@ abi , include -@{exec_path} = /{usr/,}bin/pulseaudio +@{exec_path} = @{bin}/pulseaudio profile pulseaudio @{exec_path} { include include @@ -132,9 +132,9 @@ profile pulseaudio @{exec_path} { @{exec_path} mrix, - @{libexec}/pulse/gsettings-helper mrix, - /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix, - /{usr/,}lib/pulse-*/modules/*.so mr, + @{lib}/pulse/gsettings-helper mrix, + @{lib}/@{multiarch}/pulse/gconf-helper mrix, + @{lib}/pulse-*/modules/*.so mr, /usr/share/pulseaudio/{,**} r, diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database index e316cfa4..46735b40 100644 --- a/apparmor.d/groups/freedesktop/update-desktop-database +++ b/apparmor.d/groups/freedesktop/update-desktop-database @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/update-desktop-database +@{exec_path} = @{bin}/update-desktop-database profile update-desktop-database @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/freedesktop/update-mime-database b/apparmor.d/groups/freedesktop/update-mime-database index f4a74d09..f234a689 100644 --- a/apparmor.d/groups/freedesktop/update-mime-database +++ b/apparmor.d/groups/freedesktop/update-mime-database @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/update-mime-database +@{exec_path} = @{bin}/update-mime-database profile update-mime-database @{exec_path} { include include diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index db4eb0c7..c3325598 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/upower +@{exec_path} = @{bin}/upower profile upower @{exec_path} { include diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index cbff00ae..09e0dbee 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{libexec}/{,upower/}upowerd +@{exec_path} = @{lib}/{,upower/}upowerd profile upowerd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 263a0137..3ddbc9d4 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/xdg-dbus-proxy +@{exec_path} = @{bin}/xdg-dbus-proxy profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-icon b/apparmor.d/groups/freedesktop/xdg-desktop-icon index a069396d..e70eed32 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-icon +++ b/apparmor.d/groups/freedesktop/xdg-desktop-icon @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/xdg-desktop-icon +@{exec_path} = @{bin}/xdg-desktop-icon profile xdg-desktop-icon @{exec_path} { include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-menu b/apparmor.d/groups/freedesktop/xdg-desktop-menu index 7d2b1798..ccc49fce 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-menu +++ b/apparmor.d/groups/freedesktop/xdg-desktop-menu @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/xdg-desktop-menu +@{exec_path} = @{bin}/xdg-desktop-menu profile xdg-desktop-menu @{exec_path} flags=(complain) { include include 
@@ -14,22 +14,22 @@ profile xdg-desktop-menu @{exec_path} flags=(complain) { @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/touch rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/whoami rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/readlink rix, + @{bin}/{,ba,da}sh rix, + @{bin}/mkdir rix, + @{bin}/sed rix, + @{bin}/cut rix, + @{bin}/basename rix, + @{bin}/rm rix, + @{bin}/cp rix, + @{bin}/cat rix, + @{bin}/touch rix, + @{bin}/{m,g,}awk rix, + @{bin}/whoami rix, + @{bin}/mv rix, + @{bin}/{,e}grep rix, + @{bin}/readlink rix, - /{usr/,}bin/update-desktop-database rPx, + @{bin}/update-desktop-database rPx, owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu rw, owner @{user_share_dirs}/applications/chrome-*.desktop rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 13540f1f..c88f1c3c 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{libexec}/xdg-desktop-portal +@{exec_path} = @{lib}/xdg-desktop-portal profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include 
@@ -107,14 +107,14 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/nautilus rPx, - /{usr/,}bin/snap rPx, + @{bin}/{,ba,da}sh rix, + @{bin}/nautilus rPx, + @{bin}/snap rPx, - /{usr/,}bin/kreadconfig5 rPx, - /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, - /{usr/,}lib/gio-launch-desktop rPx -> child-open, - /{usr/,}lib/xdg-desktop-portal-validate-icon rPUx, + @{bin}/kreadconfig5 rPx, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, + @{lib}/gio-launch-desktop rPx -> child-open, + @{lib}/xdg-desktop-portal-validate-icon rPUx, / r, /.flatpak-info r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 0e1618b5..ccec152f 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{libexec}/xdg-desktop-portal-gnome +@{exec_path} = @{lib}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} { include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index e50493ae..13b3bdbe 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{libexec}/xdg-desktop-portal-gtk +@{exec_path} = @{lib}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} { include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index 7eb2a33b..f695815b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde 
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{libexec}/xdg-desktop-portal-kde +@{exec_path} = @{lib}/xdg-desktop-portal-kde profile xdg-desktop-portal-kde @{exec_path} { include include diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 5152d6c4..10d57f82 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{libexec}/xdg-document-portal +@{exec_path} = @{lib}/xdg-document-portal profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { include include @@ -51,8 +51,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/flatpak rCx -> flatpak, - /{usr/,}bin/fusermount{,3} rCx -> fusermount, + @{bin}/flatpak rCx -> flatpak, + @{bin}/fusermount{,3} rCx -> fusermount, / r, @@ -73,7 +73,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { profile flatpak { include - /{usr/,}bin/flatpak mr, + @{bin}/flatpak mr, / r, /etc/flatpak/remotes.d/{,*} r, @@ -103,7 +103,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { # network inet stream, # network inet6 stream, - /{usr/,}bin/fusermount{,3} mr, + @{bin}/fusermount{,3} mr, /etc/fuse{,3}.conf r, diff --git a/apparmor.d/groups/freedesktop/xdg-email b/apparmor.d/groups/freedesktop/xdg-email index 5de0dd91..19bcb29e 100644 --- a/apparmor.d/groups/freedesktop/xdg-email +++ b/apparmor.d/groups/freedesktop/xdg-email 
@@ -7,20 +7,20 @@ abi , include -@{exec_path} = /{usr/,}bin/xdg-email +@{exec_path} = @{bin}/xdg-email profile xdg-email @{exec_path} flags=(complain) { include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/gio rPx, - /{usr/,}bin/readlink rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/which rix, - /{usr/,}bin/xdg-mime rPx, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/basename rix, + @{bin}/gio rPx, + @{bin}/readlink rix, + @{bin}/sed rix, + @{bin}/which rix, + @{bin}/xdg-mime rPx, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/freedesktop/xdg-icon-resource b/apparmor.d/groups/freedesktop/xdg-icon-resource index 28b009c3..75818743 100644 --- a/apparmor.d/groups/freedesktop/xdg-icon-resource +++ b/apparmor.d/groups/freedesktop/xdg-icon-resource @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/xdg-icon-resource +@{exec_path} = @{bin}/xdg-icon-resource profile xdg-icon-resource @{exec_path} flags=(complain) { include include @@ -14,18 +14,18 @@ profile xdg-icon-resource @{exec_path} flags=(complain) { @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/whoami rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/touch rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/whoami rix, + @{bin}/sed rix, + @{bin}/basename rix, + @{bin}/mkdir rix, + @{bin}/cp rix, + @{bin}/rm rix, + @{bin}/readlink rix, + @{bin}/touch rix, - /{usr/,}bin/gtk{,4}-update-icon-cache rPx, + @{bin}/gtk{,4}-update-icon-cache rPx, /usr/share/**/icons/**.png r, /usr/share/icons/**.png rw, diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index dd504f54..4765171c 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime 
@@ -7,30 +7,30 @@ abi , include -@{exec_path} = /{usr/,}bin/xdg-mime +@{exec_path} = @{bin}/xdg-mime profile xdg-mime @{exec_path} flags=(attach_disconnected) { include include @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/basename rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/file rix, - /{usr/,}bin/head rix, - /{usr/,}bin/mv rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/tr rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/which{,.debianutils} rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/basename rix, + @{bin}/cut rix, + @{bin}/file rix, + @{bin}/head rix, + @{bin}/mv rix, + @{bin}/readlink rix, + @{bin}/sed rix, + @{bin}/tr rix, + @{bin}/uname rix, + @{bin}/which{,.debianutils} rix, - /{usr/,}bin/gio rPx, - /{usr/,}bin/mimetype rPx, - /{usr/,}bin/xprop rPx, + @{bin}/gio rPx, + @{bin}/mimetype rPx, + @{bin}/xprop rPx, /usr/share/terminfo/x/xterm-256color r, @@ -51,10 +51,10 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session # # Should this be allowed? Xdg-mime works fine without this. - #/{usr/,}bin/dbus-launch rCx -> dbus, - #/{usr/,}bin/dbus-send rCx -> dbus, - deny /{usr/,}bin/dbus-launch rx, - deny /{usr/,}bin/dbus-send rx, + #@{bin}/dbus-launch rCx -> dbus, + #@{bin}/dbus-send rCx -> dbus, + deny @{bin}/dbus-launch rx, + deny @{bin}/dbus-send rx, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, @@ -62,9 +62,9 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { include include - /{usr/,}bin/dbus-launch mr, - /{usr/,}bin/dbus-send mr, - /{usr/,}bin/dbus-daemon rPx, + @{bin}/dbus-launch mr, + @{bin}/dbus-send mr, + @{bin}/dbus-daemon rPx, @{HOME}/.Xauthority r, owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, 
diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index 9d87d7ae..109ebd9f 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open @@ -7,7 +7,7 @@ abi , include -@{exec_path} = /{usr/,}bin/xdg-open +@{exec_path} = @{bin}/xdg-open profile xdg-open @{exec_path} flags=(attach_disconnected) { include include @@ -15,23 +15,23 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) { @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/cat rix, - /{usr/,}bin/uname rix, + @{bin}/{,ba,da}sh rix, + @{bin}/{,e}grep rix, + @{bin}/sed rix, + @{bin}/cut rix, + @{bin}/which{,.debianutils} rix, + @{bin}/cat rix, + @{bin}/uname rix, - /{usr/,}bin/xprop rPx, - /{usr/,}bin/xdg-mime rPx, + @{bin}/xprop rPx, + @{bin}/xdg-mime rPx, - /{usr/,}bin/exo-open rPx, - /{usr/,}bin/gio rPx, - #/{usr/,}bin/kde-open5 rPUx, + @{bin}/exo-open rPx, + @{bin}/gio rPx, + #@{bin}/kde-open5 rPUx, - /{usr/,}bin/dbus-launch rCx -> dbus, - /{usr/,}bin/dbus-send rCx -> dbus, + @{bin}/dbus-launch rCx -> dbus, + @{bin}/dbus-send rCx -> dbus, /** r, owner /** rw, @@ -46,9 +46,9 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) { include include - /{usr/,}bin/dbus-launch mr, - /{usr/,}bin/dbus-send mr, - /{usr/,}bin/dbus-daemon rPx, + @{bin}/dbus-launch mr, + @{bin}/dbus-send mr, + @{bin}/dbus-daemon rPx, # for dbus-launch owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index d5becb1e..9caf2829 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store 
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{libexec}/xdg-permission-store
+@{exec_path} = @{lib}/xdg-permission-store
 profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver
index 5a90a5bd..96369786 100644
--- a/apparmor.d/groups/freedesktop/xdg-screensaver
+++ b/apparmor.d/groups/freedesktop/xdg-screensaver
@@ -6,30 +6,30 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/xdg-screensaver
+@{exec_path} = @{bin}/xdg-screensaver
 profile xdg-screensaver @{exec_path} {
 include
 include
 @{exec_path} r,
- /{usr/,}bin/ r,
+ @{bin}/ r,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/which{,.debianutils} rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/uname rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/mv rix,
+ @{bin}/{,e}grep rix,
+ @{bin}/sed rix,
+ @{bin}/which{,.debianutils} rix,
+ @{bin}/cat rix,
+ @{bin}/uname rix,
- /{usr/,}bin/xautolock rix,
- /{usr/,}bin/dbus-send rix,
+ @{bin}/xautolock rix,
+ @{bin}/dbus-send rix,
- /{usr/,}bin/xprop rPx,
- /{usr/,}bin/xdg-mime rPx,
- /{usr/,}bin/xset rPx,
- /{usr/,}bin/hostname rix,
+ @{bin}/xprop rPx,
+ @{bin}/xdg-mime rPx,
+ @{bin}/xset rPx,
+ @{bin}/hostname rix,
 /dev/dri/card[0-9] rw,
diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings
index 823151ca..59b0214c 100644
--- a/apparmor.d/groups/freedesktop/xdg-settings
+++ b/apparmor.d/groups/freedesktop/xdg-settings
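Review bot: `@{bin}/dbus-send rix,` in the xdg-screensaver hunk runs dbus-send inside the xdg-screensaver profile, whereas the sibling xdg-open and xdg-settings profiles in this same commit confine it with `rCx -> dbus` and xdg-mime denies it outright; the three handlings should be aligned, or, if xdg-screensaver genuinely only needs the inherit rule, a short comment saying so would spare the next reviewer the comparison. In the same hunk `@{bin}/hostname rix,` sits under the `rPx` rules (`xprop`, `xdg-mime`, `xset`); moving it up with the other `rix` helpers keeps the inherit/transition grouping the rest of the file follows. `@{bin}/ r,` allows listing the binary directory, which none of the other xdg-* profiles touched here need; if the script depends on it, a comment naming the reason would help. The `profile xdg-screensaver` block continues beyond the hunk.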
@@ -7,31 +7,31 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/xdg-settings
+@{exec_path} = @{bin}/xdg-settings
 profile xdg-settings @{exec_path} {
 include
 include
 @{exec_path} r,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/basename rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/cut rix,
- /{usr/,}bin/mktemp rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/readlink rix,
- /{usr/,}bin/sed rix,
- /{usr/,}bin/sort rix,
- /{usr/,}bin/uname rix,
- /{usr/,}bin/wc rix,
- /{usr/,}bin/which{,.debianutils} rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/{,e}grep rix,
+ @{bin}/basename rix,
+ @{bin}/cat rix,
+ @{bin}/cut rix,
+ @{bin}/mktemp rix,
+ @{bin}/mv rix,
+ @{bin}/readlink rix,
+ @{bin}/sed rix,
+ @{bin}/sort rix,
+ @{bin}/uname rix,
+ @{bin}/wc rix,
+ @{bin}/which{,.debianutils} rix,
- /{usr/,}bin/dbus-launch rCx -> dbus,
- /{usr/,}bin/dbus-send rCx -> dbus,
- /{usr/,}bin/xdg-mime rPx,
- /{usr/,}bin/xprop rPx,
+ @{bin}/dbus-launch rCx -> dbus,
+ @{bin}/dbus-send rCx -> dbus,
+ @{bin}/xdg-mime rPx,
+ @{bin}/xprop rPx,
 /usr/share/terminfo/x/xterm-256color r,
@@ -61,9 +61,9 @@ profile xdg-settings @{exec_path} {
 include
 include
- /{usr/,}bin/dbus-launch mr,
- /{usr/,}bin/dbus-send mr,
- /{usr/,}bin/dbus-daemon rPx,
+ @{bin}/dbus-launch mr,
+ @{bin}/dbus-send mr,
+ @{bin}/dbus-daemon rPx,
 # for dbus-launch
 owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
diff --git a/apparmor.d/groups/freedesktop/xdg-user-dir b/apparmor.d/groups/freedesktop/xdg-user-dir
index d13a5c23..a0ae01ff 100644
--- a/apparmor.d/groups/freedesktop/xdg-user-dir
+++ b/apparmor.d/groups/freedesktop/xdg-user-dir
@@ -6,14 +6,14 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/xdg-user-dir
+@{exec_path} = @{bin}/xdg-user-dir
 profile xdg-user-dir @{exec_path} {
 include
 @{exec_path} mr,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/env rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/env rix,
 owner @{user_config_dirs}/user-dirs.dirs r,
diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update
index d3adb24c..870899c3 100644
--- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update
+++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/xdg-user-dirs-gtk-update
+@{exec_path} = @{bin}/xdg-user-dirs-gtk-update
 profile xdg-user-dirs-gtk-update @{exec_path} {
 include
 include
diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update
index 829f88bc..b3749ca7 100644
--- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update
+++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/xdg-user-dirs-update
+@{exec_path} = @{bin}/xdg-user-dirs-update
 profile xdg-user-dirs-update @{exec_path} {
 include
diff --git a/apparmor.d/groups/freedesktop/xhost b/apparmor.d/groups/freedesktop/xhost
index 6b4e5f3a..c963abfb 100644
--- a/apparmor.d/groups/freedesktop/xhost
+++ b/apparmor.d/groups/freedesktop/xhost
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/xhost
+@{exec_path} = @{bin}/xhost
 profile xhost @{exec_path} {
 include
 include
diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp
index c09d6808..50ec0cae 100644
--- a/apparmor.d/groups/freedesktop/xkbcomp
+++ b/apparmor.d/groups/freedesktop/xkbcomp
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/xkbcomp
+@{exec_path} = @{bin}/xkbcomp
 profile xkbcomp @{exec_path} flags=(attach_disconnected) {
 include
diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg
index 4cdf6e6e..9d1732ff 100644
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@@ -7,10 +7,10 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/X
-@{exec_path} += /{usr/,}bin/Xorg{,.bin}
-@{exec_path} += /{usr/,}lib/Xorg{,.wrap}
-@{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap}
+@{exec_path} = @{bin}/X
+@{exec_path} += @{bin}/Xorg{,.bin}
+@{exec_path} += @{lib}/Xorg{,.wrap}
+@{exec_path} += @{lib}/xorg/Xorg{,.wrap}
 profile xorg @{exec_path} flags=(attach_disconnected) {
 include
 include
@@ -58,13 +58,13 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mrix,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/xkbcomp rPx,
- /{usr/,}bin/pkexec rPx,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/xkbcomp rPx,
+ @{bin}/pkexec rPx,
- /{usr/,}lib/xorg/ r,
- /{usr/,}lib/xorg/modules/ r,
- /{usr/,}lib/xorg/modules/** mr,
+ @{lib}/xorg/ r,
+ @{lib}/xorg/modules/ r,
+ @{lib}/xorg/modules/** mr,
 /var/lib/xkb/server-[0-9]*.xkm rw,
 /var/lib/xkb/compiled/server-[0-9]*.xkm rw,
diff --git a/apparmor.d/groups/freedesktop/xprop b/apparmor.d/groups/freedesktop/xprop
index c5003c88..23c1dadb 100644
--- a/apparmor.d/groups/freedesktop/xprop
+++ b/apparmor.d/groups/freedesktop/xprop
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/xprop
+@{exec_path} = @{bin}/xprop
 profile xprop @{exec_path} {
 include
diff --git a/apparmor.d/groups/freedesktop/xrandr b/apparmor.d/groups/freedesktop/xrandr
index da8e9afe..83e75b95 100644
--- a/apparmor.d/groups/freedesktop/xrandr
+++ b/apparmor.d/groups/freedesktop/xrandr
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/xrandr
+@{exec_path} = @{bin}/xrandr
 profile xrandr @{exec_path} {
 include
diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb
index 01f9645b..7de46f9e 100644
--- a/apparmor.d/groups/freedesktop/xrdb
+++ b/apparmor.d/groups/freedesktop/xrdb
@@ -7,18 +7,18 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/xrdb
+@{exec_path} = @{bin}/xrdb
 profile xrdb @{exec_path} {
 include
 include
 @{exec_path} mr,
- /{usr/,}bin/{,*-}cpp-[0-9]* rix,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/cpp rix,
- /{usr/,}lib{,32,64}/gcc/*/[0-9]*/cc1 rix,
- /{usr/,}lib/llvm-[0-9]*/bin/clang rix,
+ @{bin}/{,*-}cpp-[0-9]* rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/cpp rix,
+ @{lib}/gcc/*/[0-9]*/cc1 rix,
+ @{lib}/llvm-[0-9]*/bin/clang rix,
 /usr/include/stdc-predef.h r,
 /usr/etc/X11/xdm/Xresources r,
diff --git a/apparmor.d/groups/freedesktop/xset b/apparmor.d/groups/freedesktop/xset
index 191478fd..d428daf4 100644
--- a/apparmor.d/groups/freedesktop/xset
+++ b/apparmor.d/groups/freedesktop/xset
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/xset
+@{exec_path} = @{bin}/xset
 profile xset @{exec_path} {
 include
 include
diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot
index 159128c1..3926a777 100644
--- a/apparmor.d/groups/freedesktop/xsetroot
+++ b/apparmor.d/groups/freedesktop/xsetroot
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/xsetroot
+@{exec_path} = @{bin}/xsetroot
 profile xsetroot @{exec_path} {
 include
diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland
index a173f800..2fffcf11 100644
--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/Xwayland
+@{exec_path} = @{bin}/Xwayland
 profile xwayland @{exec_path} flags=(attach_disconnected) {
 include
 include
@@ -25,8 +25,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mrix,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/xkbcomp rPx,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/xkbcomp rPx,
 /usr/share/egl/{,**} r,
 /usr/share/fonts/{,**} r,
diff --git a/apparmor.d/groups/gpg/dirmngr b/apparmor.d/groups/gpg/dirmngr
index bd53411b..8645605a 100644
--- a/apparmor.d/groups/gpg/dirmngr
+++ b/apparmor.d/groups/gpg/dirmngr
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/dirmngr
+@{exec_path} = @{bin}/dirmngr
 profile dirmngr @{exec_path} {
 include
 include
diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg
index 1ab8a99f..9c69827c 100644
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/gpg
+@{exec_path} = @{bin}/gpg
 profile gpg @{exec_path} {
 include
 include
@@ -21,12 +21,12 @@ profile gpg @{exec_path} {
 @{exec_path} mrix,
- /{usr/,}bin/dirmngr rPx,
- /{usr/,}bin/gpg-agent rPx,
- /{usr/,}bin/gpg-connect-agent rPx,
- /{usr/,}bin/gpgconf rPx,
- /{usr/,}bin/gpgsm rPx,
- /{usr/,}lib/gnupg/scdaemon rPx,
+ @{bin}/dirmngr rPx,
+ @{bin}/gpg-agent rPx,
+ @{bin}/gpg-connect-agent rPx,
+ @{bin}/gpgconf rPx,
+ @{bin}/gpgsm rPx,
+ @{lib}/gnupg/scdaemon rPx,
 /etc/inputrc r,
diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent
index 22b089c7..b53735e8 100644
--- a/apparmor.d/groups/gpg/gpg-agent
+++ b/apparmor.d/groups/gpg/gpg-agent
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/gpg-agent
+@{exec_path} = @{bin}/gpg-agent
 profile gpg-agent @{exec_path} {
 include
 include
@@ -17,9 +17,9 @@ profile gpg-agent @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/pinentry{,-*} rPx,
- /{usr/,}bin/scdaemon rPx,
- /{usr/,}lib/gnupg/scdaemon rPx,
+ @{bin}/pinentry{,-*} rPx,
+ @{bin}/scdaemon rPx,
+ @{lib}/gnupg/scdaemon rPx,
 /usr/share/gnupg/* r,
@@ -84,7 +84,7 @@ profile gpg-agent @{exec_path} {
 @{PROC}/@{pid}/fd/ r,
 # Silencer
- deny /{usr/,}bin/.gnupg/ w,
+ deny @{bin}/.gnupg/ w,
 # file inherit
 owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gpg/gpg-connect-agent b/apparmor.d/groups/gpg/gpg-connect-agent
index 81b02003..884e6468 100644
--- a/apparmor.d/groups/gpg/gpg-connect-agent
+++ b/apparmor.d/groups/gpg/gpg-connect-agent
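Review bot: `@{lib}/gnupg/scdaemon rPx,` in the second gpg hunk covers only the library location of scdaemon, while the gpg-agent hunk in this same commit allows both `@{bin}/scdaemon rPx,` and `@{lib}/gnupg/scdaemon rPx,`, and the scdaemon profile in the gpgconf section attaches to `@{exec_path} = @{bin}/scdaemon @{lib}/gnupg/scdaemon`. If gpg can start scdaemon from either location on some distributions, as that attachment line suggests, the gpg rule and the identical one in the gpgconf hunk should gain `@{bin}/scdaemon rPx,` next to the existing `@{lib}/gnupg/scdaemon rPx,`; if gpg never launches it directly, a comment saying which component does would justify the asymmetry. The `profile gpg` block extends beyond the hunk.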
@@ -6,14 +6,14 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/gpg-connect-agent
+@{exec_path} = @{bin}/gpg-connect-agent
 profile gpg-connect-agent @{exec_path} {
 include
 include
 @{exec_path} mr,
- /{usr/,}bin/gpg-agent rPx,
+ @{bin}/gpg-agent rPx,
 /etc/inputrc r,
diff --git a/apparmor.d/groups/gpg/gpgconf b/apparmor.d/groups/gpg/gpgconf
index 80c1a741..b9189f22 100644
--- a/apparmor.d/groups/gpg/gpgconf
+++ b/apparmor.d/groups/gpg/gpgconf
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/gpgconf
+@{exec_path} = @{bin}/gpgconf
 profile gpgconf @{exec_path} {
 include
 include
@@ -17,14 +17,14 @@ profile gpgconf @{exec_path} {
 @{exec_path} mrix,
- /{usr/,}bin/gpg-connect-agent rPx,
- /{usr/,}bin/gpg{,2} rPx,
- /{usr/,}bin/gpg-agent rPx,
- /{usr/,}bin/dirmngr rPx,
- /{usr/,}bin/gpgsm rPx,
- /{usr/,}lib/gnupg/scdaemon rPx,
+ @{bin}/gpg-connect-agent rPx,
+ @{bin}/gpg{,2} rPx,
+ @{bin}/gpg-agent rPx,
+ @{bin}/dirmngr rPx,
+ @{bin}/gpgsm rPx,
+ @{lib}/gnupg/scdaemon rPx,
- /{usr/,}bin/pinentry-* rPx,
+ @{bin}/pinentry-* rPx,
 /etc/gcrypt/hwf.deny r,
diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm
index c545c81f..aa223df1 100644
--- a/apparmor.d/groups/gpg/gpgsm
+++ b/apparmor.d/groups/gpg/gpgsm
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/gpgsm
+@{exec_path} = @{bin}/gpgsm
 profile gpgsm @{exec_path} {
 include
 include
diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon
index 01d59c0f..dc330e5b 100644
--- a/apparmor.d/groups/gpg/scdaemon
+++ b/apparmor.d/groups/gpg/scdaemon
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/scdaemon /{usr/,}lib/gnupg/scdaemon
+@{exec_path} = @{bin}/scdaemon @{lib}/gnupg/scdaemon
 profile scdaemon @{exec_path} {
 include
 include
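Review bot: `@{bin}/pinentry-* rPx,` in the second gpgconf hunk does not match an unsuffixed `pinentry` binary, whereas the gpg-agent hunk in this commit uses `@{bin}/pinentry{,-*} rPx,`; if gpgconf can launch the default pinentry, the glob should be aligned to `@{bin}/pinentry{,-*} rPx,`. In the same hunk `@{bin}/gpg{,2} rPx,` expects a profile to attach to `gpg2`, but the gpg section sets `@{exec_path} = @{bin}/gpg` only; on a system where `gpg2` is a separate file rather than a symlink resolving to `gpg`, the `Px` transition would be refused for lack of a matching profile, so either add `@{bin}/gpg2` to gpg's `@{exec_path}` or record in a comment that `gpg2` is assumed to be a symlink. The `profile gpgconf` block continues past the hunk.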