/usr/{lib,libexec} -> @{libexec}

apparmor.d/groups/browsers/firefox

@@ -75,7 +75,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
   /usr/share/doc/{,**} r,
 
   #
-  /usr/{lib,libexec}/gvfsd-metadata rPx -> gvfsd-metadata,
+  @{libexec}/gvfsd-metadata rPx -> gvfsd-metadata,
 
   # Firefox home files
   owner @{MOZ_HOMEDIR}/ rw,

apparmor.d/groups/bus/dbus-daemon

@@ -29,7 +29,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}{lib,libexec}/* rPUx,
+  @{libexec}/* rPUx,
   /{usr/,}lib/ibus/ibus-* rPx,
   /{usr/,}bin/ r,
   /{usr/,}bin/[a-z0-9]* rPUx,

apparmor.d/groups/desktop/accounts-daemon

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} =  /{usr/,}lib/accountsservice/accounts-daemon
-@{exec_path} += /usr/{lib,libexec}/accounts-daemon
+@{exec_path} += @{libexec}/accounts-daemon
 profile accounts-daemon @{exec_path} {
   include <abstractions/base>
   include <abstractions/wutmp>

apparmor.d/groups/desktop/at-spi-bus-launcher

@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/at-spi2-core/at-spi-bus-launcher
-@{exec_path} += /usr/{lib,libexec}/at-spi-bus-launcher
+@{exec_path} += @{libexec}/at-spi-bus-launcher
 profile at-spi-bus-launcher @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>

apparmor.d/groups/desktop/at-spi2-registryd

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/at-spi2-core/at-spi2-registryd
-@{exec_path} += /usr/{lib,libexec}/at-spi2-registryd
+@{exec_path} += @{libexec}/at-spi2-registryd
 profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>

apparmor.d/groups/desktop/blueman-mechanism

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /usr/{lib,libexec}/blueman-mechanism
+@{exec_path} = @{libexec}/blueman-mechanism
 @{exec_path} += /{usr/,}lib/blueman/blueman-mechanism
 profile blueman-mechanism @{exec_path} {
   include <abstractions/base>
@@ -24,7 +24,7 @@ profile blueman-mechanism @{exec_path} {
   @{exec_path} r,
   /{usr/,}bin/python3.[0-9]* r,
 
-  /usr/{lib,libexec}/ r,
+  @{libexec}/ r,
 
   /var/lib/blueman/network.state rw,
 

apparmor.d/groups/desktop/blueman-rfcomm-watcher

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /usr/{lib,libexec}/blueman-rfcomm-watcher
+@{exec_path} = @{libexec}/blueman-rfcomm-watcher
 profile blueman-rfcomm-watcher @{exec_path} {
   include <abstractions/base>
   include <abstractions/python>
@@ -14,7 +14,7 @@ profile blueman-rfcomm-watcher @{exec_path} {
   @{exec_path} r,
   /{usr/,}bin/python3.[0-9]* r,
 
-  /usr/{lib,libexec}/ r,
+  @{libexec}/ r,
 
   owner @{PROC}/@{pid}/mounts r,
 

apparmor.d/groups/desktop/bluetoothd

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/bluetooth/bluetoothd
-@{exec_path} += /usr/{lib,libexec}/bluetooth/bluetoothd
+@{exec_path} += @{libexec}/bluetooth/bluetoothd
 profile bluetoothd @{exec_path} {
   include <abstractions/base>
 

apparmor.d/groups/desktop/colord

@@ -18,7 +18,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   /{usr/,}lib/colord/colord-sane  rPx,
-  /usr/{lib,libexec}/colord-sane  rPx,
+  @{libexec}/colord-sane  rPx,
 
   owner /var/lib/colord/** r,
   owner /var/lib/colord/.cache/ rw,

apparmor.d/groups/desktop/colord-sane

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/colord/colord-sane
-@{exec_path} += /usr/{lib,libexec}/colord-sane
+@{exec_path} += @{libexec}/colord-sane
 profile colord-sane @{exec_path} flags=(complain) {
   include <abstractions/base>
   include <abstractions/devices-usb>

apparmor.d/groups/desktop/colord-session

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/colord/colord-session /usr/{lib,libexec}/colord-session
+@{exec_path} = /{usr/,}lib/colord/colord-session @{libexec}/colord-session
 profile colord-session @{exec_path} flags=(complain) {
   include <abstractions/base>
 

apparmor.d/groups/desktop/dconf-service

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/dconf/dconf-service /usr/{lib,libexec}/dconf-service
+@{exec_path} = /{usr/,}lib/dconf/dconf-service @{libexec}/dconf-service
 profile dconf-service @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 

apparmor.d/groups/desktop/obexd

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /usr/{lib,libexec}/bluetooth/obexd
+@{exec_path} = @{libexec}/bluetooth/obexd
 profile obexd @{exec_path} {
   include <abstractions/base>
   include <abstractions/user-download-strict>

apparmor.d/groups/gnome/gjs-console

@@ -24,7 +24,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
   /{usr/,}bin/          r,
   /{usr/,}bin/[a-z0-9]* rPUx,
-  /usr/{lib,libexec}/** rPUx,
+  @{libexec}/** rPUx,
 
   /usr/share/dconf/profile/gdm r,
   /usr/share/gdm/greeter-dconf-defaults r,

apparmor.d/groups/gnome/gnome-shell

@@ -37,9 +37,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/Xwayland                   rPx,
-  /{usr/,}{lib,libexec}/polkit-1/polkit* rPx,
-  /{usr/,}{lib,libexec}/*                rPUx,
+  /{usr/,}bin/Xwayland        rPx,
+  @{libexec}/polkit-1/polkit* rPx,
+  @{libexec}/*                rPUx,
 
   /usr/share/backgrounds/{,**} r,
   /usr/share/desktop-directories/{,*.directory} r,

apparmor.d/groups/gvfs/gvfs-afc-volume-monitor

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfs-afc-volume-monitor
-@{exec_path} += /usr/{lib,libexec}/gvfs-afc-volume-monitor
+@{exec_path} += @{libexec}/gvfs-afc-volume-monitor
 profile gvfs-afc-volume-monitor @{exec_path} {
   include <abstractions/base>
 

apparmor.d/groups/gvfs/gvfs-goa-volume-monitor

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfs-goa-volume-monitor
-@{exec_path} += /usr/{lib,libexec}/gvfs-goa-volume-monitor
+@{exec_path} += @{libexec}/gvfs-goa-volume-monitor
 profile gvfs-goa-volume-monitor @{exec_path} {
   include <abstractions/base>
 

apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfs-gphoto2-volume-monitor
-@{exec_path} += /usr/{lib,libexec}/gvfs-gphoto2-volume-monitor
+@{exec_path} += @{libexec}/gvfs-gphoto2-volume-monitor
 profile gvfs-gphoto2-volume-monitor @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-read>

apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfs-mtp-volume-monitor
-@{exec_path} += /usr/{lib,libexec}/gvfs-mtp-volume-monitor
+@{exec_path} += @{libexec}/gvfs-mtp-volume-monitor
 profile gvfs-mtp-volume-monitor @{exec_path} {
   include <abstractions/base>
   include <abstractions/devices-usb>

apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfs-udisks2-volume-monitor
-@{exec_path} += /usr/{lib,libexec}/gvfs-udisks2-volume-monitor
+@{exec_path} += @{libexec}/gvfs-udisks2-volume-monitor
 profile gvfs-udisks2-volume-monitor @{exec_path} {
   include <abstractions/base>
   include <abstractions/freedesktop.org>

apparmor.d/groups/gvfs/gvfsd

@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd
-@{exec_path} += /usr/{lib,libexec}/gvfsd
+@{exec_path} += @{libexec}/gvfsd
 profile gvfsd @{exec_path} {
   include <abstractions/base>
 
@@ -18,7 +18,7 @@ profile gvfsd @{exec_path} {
 
   # Don't strip env here.
   /{usr/,}lib/gvfs/gvfsd-*    rpx,
-  /usr/{lib,libexec}/gvfsd-*  rpx,
+  @{libexec}/gvfsd-*  rpx,
 
   /usr/share/gvfs/{,**} r,
 

apparmor.d/groups/gvfs/gvfsd-admin

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-admin
-@{exec_path} += /usr/{lib,libexec}/gvfsd-admin
+@{exec_path} += @{libexec}/gvfsd-admin
 profile gvfsd-admin @{exec_path} {
   include <abstractions/base>
 

apparmor.d/groups/gvfs/gvfsd-afc

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-afc
-@{exec_path} += /usr/{lib,libexec}/gvfsd-afc
+@{exec_path} += @{libexec}/gvfsd-afc
 profile gvfsd-afc @{exec_path} {
   include <abstractions/base>
 

apparmor.d/groups/gvfs/gvfsd-afp

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-afp
-@{exec_path} += /usr/{lib,libexec}/gvfsd-afp
+@{exec_path} += @{libexec}/gvfsd-afp
 profile gvfsd-afp @{exec_path} {
   include <abstractions/base>
 

apparmor.d/groups/gvfs/gvfsd-afp-browse

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-afp-browse
-@{exec_path} += /usr/{lib,libexec}/gvfsd-afp-browse
+@{exec_path} += @{libexec}/gvfsd-afp-browse
 profile gvfsd-afp-browse @{exec_path} {
   include <abstractions/base>
 

apparmor.d/groups/gvfs/gvfsd-archive

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-archive
-@{exec_path} += /usr/{lib,libexec}/gvfsd-archive
+@{exec_path} += @{libexec}/gvfsd-archive
 profile gvfsd-archive @{exec_path} {
   include <abstractions/base>
   include <abstractions/freedesktop.org>

apparmor.d/groups/gvfs/gvfsd-burn

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-burn
-@{exec_path} += /usr/{lib,libexec}/gvfsd-burn
+@{exec_path} += @{libexec}/gvfsd-burn
 profile gvfsd-burn @{exec_path} {
   include <abstractions/base>
 

apparmor.d/groups/gvfs/gvfsd-cdda

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-cdda
-@{exec_path} += /usr/{lib,libexec}/gvfsd-cdda
+@{exec_path} += @{libexec}/gvfsd-cdda
 profile gvfsd-cdda @{exec_path} {
   include <abstractions/base>
 

apparmor.d/groups/gvfs/gvfsd-computer

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-computer
-@{exec_path} += /usr/{lib,libexec}/gvfsd-computer
+@{exec_path} += @{libexec}/gvfsd-computer
 profile gvfsd-computer @{exec_path} {
   include <abstractions/base>
 

apparmor.d/groups/gvfs/gvfsd-dav

@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-dav
-@{exec_path} += /usr/{lib,libexec}/gvfsd-dav
+@{exec_path} += @{libexec}/gvfsd-dav
 profile gvfsd-dav @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>

apparmor.d/groups/gvfs/gvfsd-dnssd

@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-dnssd
-@{exec_path} += /usr/{lib,libexec}/gvfsd-dnssd
+@{exec_path} += @{libexec}/gvfsd-dnssd
 profile gvfsd-dnssd @{exec_path} {
   include <abstractions/base>
 

apparmor.d/groups/gvfs/gvfsd-ftp

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-ftp
-@{exec_path} += /usr/{lib,libexec}/gvfsd-ftp
+@{exec_path} += @{libexec}/gvfsd-ftp
 profile gvfsd-ftp @{exec_path} {
   include <abstractions/base>
   include <abstractions/freedesktop.org>

apparmor.d/groups/gvfs/gvfsd-fuse

@@ -7,8 +7,10 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
+# DENIED operation="mount" info="failed mntpnt match" error=-13 profile="gvfsd-fuse" name="/home/alex/.cache/gvfs/" comm="gvfsd-fuse" fstype="fuse.gvfsd-fuse" srcname="gvfsd-fuse" flags="rw, nosuid, nodev"
+
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-fuse
-@{exec_path} += /usr/{lib,libexec}/gvfsd-fuse
+@{exec_path} += @{libexec}/gvfsd-fuse
 profile gvfsd-fuse @{exec_path} {
   include <abstractions/base>
 

apparmor.d/groups/gvfs/gvfsd-google

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-google
-@{exec_path} += /usr/{lib,libexec}/gvfsd-google
+@{exec_path} += @{libexec}/gvfsd-google
 profile gvfsd-google @{exec_path} {
   include <abstractions/base>
 

apparmor.d/groups/gvfs/gvfsd-gphoto2

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-gphoto2
-@{exec_path} += /usr/{lib,libexec}/gvfsd-gphoto2
+@{exec_path} += @{libexec}/gvfsd-gphoto2
 profile gvfsd-gphoto2 @{exec_path} {
   include <abstractions/base>
 

apparmor.d/groups/gvfs/gvfsd-http

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-http
-@{exec_path} += /usr/{lib,libexec}/gvfsd-http
+@{exec_path} += @{libexec}/gvfsd-http
 profile gvfsd-http @{exec_path} {
   include <abstractions/base>
   include <abstractions/freedesktop.org>

apparmor.d/groups/gvfs/gvfsd-localtest

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-localtest
-@{exec_path} += /usr/{lib,libexec}/gvfsd-localtest
+@{exec_path} += @{libexec}/gvfsd-localtest
 profile gvfsd-localtest @{exec_path} {
   include <abstractions/base>
 

apparmor.d/groups/gvfs/gvfsd-metadata

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-metadata
-@{exec_path} += /usr/{lib,libexec}/gvfsd-metadata
+@{exec_path} += @{libexec}/gvfsd-metadata
 profile gvfsd-metadata @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-read>

apparmor.d/groups/gvfs/gvfsd-mtp

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-mtp
-@{exec_path} += /usr/{lib,libexec}/gvfsd-mtp
+@{exec_path} += @{libexec}/gvfsd-mtp
 profile gvfsd-mtp @{exec_path} {
   include <abstractions/base>
   include <abstractions/freedesktop.org>

apparmor.d/groups/gvfs/gvfsd-network

@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-network
-@{exec_path} += /usr/{lib,libexec}/gvfsd-network
+@{exec_path} += @{libexec}/gvfsd-network
 profile gvfsd-network @{exec_path} {
   include <abstractions/base>
 

apparmor.d/groups/gvfs/gvfsd-nfs

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-nfs
-@{exec_path} += /usr/{lib,libexec}/gvfsd-nfs
+@{exec_path} += @{libexec}/gvfsd-nfs
 profile gvfsd-nfs @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>

apparmor.d/groups/gvfs/gvfsd-recent

@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-recent
-@{exec_path} += /usr/{lib,libexec}/gvfsd-recent
+@{exec_path} += @{libexec}/gvfsd-recent
 profile gvfsd-recent @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>

apparmor.d/groups/gvfs/gvfsd-sftp

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-sftp
-@{exec_path} += /usr/{lib,libexec}/gvfsd-sftp
+@{exec_path} += @{libexec}/gvfsd-sftp
 profile gvfsd-sftp @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/gvfs/gvfsd-smb

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-smb
-@{exec_path} += /usr/{lib,libexec}/gvfsd-smb
+@{exec_path} += @{libexec}/gvfsd-smb
 profile gvfsd-smb @{exec_path} {
   include <abstractions/base>
   include <abstractions/freedesktop.org>

apparmor.d/groups/gvfs/gvfsd-smb-browse

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-smb-browse
-@{exec_path} += /usr/{lib,libexec}/gvfsd-smb-browse
+@{exec_path} += @{libexec}/gvfsd-smb-browse
 profile gvfsd-smb-browse @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>

apparmor.d/groups/gvfs/gvfsd-trash

@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/gvfs/gvfsd-trash
-@{exec_path} += /usr/{lib,libexec}/gvfsd-trash
+@{exec_path} += @{libexec}/gvfsd-trash
 profile gvfsd-trash @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>

apparmor.d/groups/systemd/systemd-coredump

@@ -26,7 +26,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected complain) {
 
   /{usr/,}bin/* r,
   /{usr/,}sbin/* r,
-  /usr/{lib,libexec}/** r,
+  @{libexec}/** r,
 
   /etc/systemd/coredump.conf r,
 

apparmor.d/profiles-a-l/gparted

@@ -26,7 +26,7 @@ profile gparted @{exec_path} {
   /{usr/,}bin/gawk        rix,
 
   /{usr/,}lib/udisks2/udisks2-inhibit  rix,
-  /usr/{lib,libexec}/udisks2/udisks2-inhibit rix,
+  @{libexec}/udisks2/udisks2-inhibit rix,
   @{run}/udev/rules.d/ rw,
   @{run}/udev/rules.d/90-udisks-inhibit.rules rw,
 

apparmor.d/profiles-a-l/labwc

@@ -29,7 +29,7 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
   # Apps allowed to run
   /{usr/,}{s,}bin/* rPUx,
   /{usr/,}bin/*  rPUx,
-  /usr/{lib,libexec}/* rPUx,
+  @{libexec}/* rPUx,
 
   owner @{user_config_dirs}/labwc/ r,
   owner @{user_config_dirs}/labwc/* r,

apparmor.d/profiles-a-l/lightdm

@@ -116,7 +116,7 @@ profile lightdm @{exec_path} {
   /var/cache/lightdm/dmrc/*.dmrc* rw,
 
   /{usr/,}lib/at-spi2-core/at-spi-bus-launcher rPUx,
-  /usr/{lib,libexec}/at-spi-bus-launcher             rPUx,
+  @{libexec}/at-spi-bus-launcher             rPUx,
 
   include if exists <local/lightdm>
 }

apparmor.d/profiles-a-l/lightdm-gtk-greeter

@@ -51,7 +51,7 @@ profile lightdm-gtk-greeter @{exec_path} {
   @{HOME}/.face r,
 
   /{usr/,}lib/at-spi2-core/at-spi-bus-launcher rPUx,
-  /usr/{lib,libexec}/at-spi-bus-launcher       rPUx,
+  @{libexec}/at-spi-bus-launcher       rPUx,
 
 
   profile systemd {

apparmor.d/profiles-m-z/mission-control

@@ -14,7 +14,7 @@ profile mission-control @{exec_path} {
   network netlink raw,
 
   @{exec_path} mr,
-  /usr/{lib,libexec}/* rPUx,  # FIXME: Needed ?
+  @{libexec}/* rPUx,  # FIXME: Needed ?
 
   /usr/share/telepathy/{,**} r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,

apparmor.d/profiles-m-z/openbox

@@ -25,7 +25,7 @@ profile openbox @{exec_path} {
   /{usr/,}sbin/*                     rPUx,
   /{usr/,}bin/*                      rPUx,
   /usr/local/bin/*                   rPUx,
-  /usr/{lib,libexec}/*               rPUx,
+  @{libexec}/*               rPUx,
   /{usr/,}lib/@{multiarch}/*/**      rPUx,
 
   /usr/share/themes/*/openbox-3/themerc r,
@@ -65,7 +65,7 @@ profile openbox @{exec_path} {
     /{usr/,}sbin/*                     rPUx,
     /{usr/,}bin/*                      rPUx,
     /usr/local/bin/*                   rPUx,
-    /usr/{lib,libexec}/*               rPUx,
+    @{libexec}/*               rPUx,
     /{usr/,}lib/@{multiarch}/*/**      rPUx,
 
     /usr/local/lib/python*/dist-packages/ r,

apparmor.d/profiles-m-z/rtkit-daemon

@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 
-@{exec_path} = /usr/{lib,libexec}/rtkit-daemon
+@{exec_path} = @{libexec}/rtkit-daemon
 profile rtkit-daemon @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>

apparmor.d/profiles-m-z/udisksd

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/udisks2/udisksd
-@{exec_path} += /usr/{lib,libexec}/udisks2/udisksd
+@{exec_path} += @{libexec}/udisks2/udisksd
 profile udisksd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>

apparmor.d/profiles-m-z/upowerd

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/upower/upowerd
-@{exec_path} += /usr/{lib,libexec}/upowerd
+@{exec_path} += @{libexec}/upowerd
 profile upowerd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/devices-usb>

apparmor.d/tunables/xdg-user-dirs.d/complete

@@ -23,6 +23,9 @@
 # Common mountpoints
 @{MOUNTS}=/media/ @{run}/media /mnt
 
+# Libexec path. Different in some distribution
+@{libexec}=/usr/lib
+
 # Extra user personal directories
 @{XDG_PROJECTS_DIR}="Projects"
 @{XDG_BOOKS_DIR}="Books"