feat(profile): use @{sbin} for all program inside /usr/sbin.

2025-04-28 21:27:57 +02:00 · 2025-04-28 21:27:57 +02:00 · fd17a77b17
commit fd17a77b17
parent b8f2f38c72
270 changed files with 475 additions and 475 deletions
--- a/apparmor.d/abstractions/app/kmod
+++ b/apparmor.d/abstractions/app/kmod
@ -7,13 +7,13 @@
  include <abstractions/consoles>
-  @{bin}/depmod    mr,
+  @{sbin}/depmod    mr,
-  @{bin}/insmod    mr,
+  @{sbin}/insmod    mr,
  @{bin}/kmod       mr,
-  @{bin}/lsmod     mr,
+  @{sbin}/lsmod     mr,
-  @{bin}/modinfo   mr,
+  @{sbin}/modinfo   mr,
-  @{bin}/modprobe  mr,
+  @{sbin}/modprobe  mr,
-  @{bin}/rmmod     mr,
+  @{sbin}/rmmod     mr,
  @{lib}/modprobe.d/ r,
  @{lib}/modprobe.d/*.conf r,
--- a/apparmor.d/abstractions/authentication.d/complete
+++ b/apparmor.d/abstractions/authentication.d/complete
@ -6,7 +6,7 @@
  @{lib}/pam-tmpdir/pam-tmpdir-helper rPx,
  #aa:only abi3
-  @{bin}/unix_chkpwd rPx,
+  @{sbin}/unix_chkpwd rPx,
  #aa:only whonix
  @{lib}/security-misc/pam-abort-on-locked-password  rPx,
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@ -173,7 +173,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  # Shell based systemd unit services
  # TODO: create unit profile for all of them
-  @{bin}/ldconfig                   Px -> systemd-service,
+  @{sbin}/ldconfig                  Px -> systemd-service,
  @{bin}/mandb                      Px -> systemd-service,
  @{bin}/savelog                    Px -> systemd-service,
  @{coreutils_path}                 Px -> systemd-service,
--- a/apparmor.d/groups/_full/systemd-service
+++ b/apparmor.d/groups/_full/systemd-service
@ -21,7 +21,7 @@ profile systemd-service flags=(attach_disconnected) {
  capability chown,
  capability fsetid,
-  @{bin}/ldconfig      rix,
+  @{sbin}/ldconfig     rix,
  @{bin}/savelog       rix,
  @{bin}/systemctl     rix,
  @{bin}/gzip          rix,
@ -32,8 +32,8 @@ profile systemd-service flags=(attach_disconnected) {
  @{bin}/ifup          rPx,
  # shadow.service
-  @{bin}/pwck          rPx,
+  @{sbin}/pwck         rPx,
-  @{bin}/grpck         rPx,
+  @{sbin}/grpck        rPx,
  @{bin}/grub-editenv  rPx,
  @{bin}/ibus-daemon   rPx,
--- a/apparmor.d/groups/apparmor/aa-enforce
+++ b/apparmor.d/groups/apparmor/aa-enforce
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/aa-enforce @{bin}/aa-complain @{bin}/aa-audit @{bin}/aa-disable
+@{exec_path} = @{sbin}/aa-enforce @{sbin}/aa-complain @{sbin}/aa-audit @{sbin}/aa-disable
 profile aa-enforce @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
@ -17,7 +17,7 @@ profile aa-enforce @{exec_path} {
  @{exec_path} mr,
  @{bin}/ r,
-  @{bin}/apparmor_parser     rPx,
+  @{sbin}/apparmor_parser    rPx,
  /usr/share/terminfo/** r,
--- a/apparmor.d/groups/apparmor/aa-notify
+++ b/apparmor.d/groups/apparmor/aa-notify
@ -89,7 +89,7 @@ profile aa-notify @{exec_path} {
    ptrace read peer=aa-notify,
-    @{bin}/apparmor_parser Px,
+    @{sbin}/apparmor_parser Px,
    @{lib}/@{python_name}/site-packages/apparmor/update_profile.py ix,
    /usr/share/apparmor/** r,
--- a/apparmor.d/groups/apparmor/aa-status
+++ b/apparmor.d/groups/apparmor/aa-status
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/aa-status @{bin}/apparmor_status
+@{exec_path} = @{sbin}/aa-status @{sbin}/apparmor_status
 profile aa-status @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/apparmor/aa-teardown
+++ b/apparmor.d/groups/apparmor/aa-teardown
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/aa-teardown
+@{exec_path} = @{sbin}/aa-teardown
 profile aa-teardown @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/apparmor/aa-unconfined
+++ b/apparmor.d/groups/apparmor/aa-unconfined
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/aa-unconfined
+@{exec_path} = @{sbin}/aa-unconfined
 profile aa-unconfined @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/apparmor/apparmor.systemd
+++ b/apparmor.d/groups/apparmor/apparmor.systemd
@ -19,14 +19,14 @@ profile apparmor.systemd @{exec_path} {
  @{sh_path}                  rix,
  @{bin}/{,e}grep             rix,
-  @{bin}/aa-status            rPx,
+  @{sbin}/aa-status           rPx,
-  @{bin}/apparmor_parser      rPx,
+  @{sbin}/apparmor_parser     rPx,
  @{bin}/getconf              rix,
  @{bin}/ls                   rix,
  @{bin}/sed                  rix,
  @{bin}/cat                  rix,
  @{bin}/sort                 rix,
-  @{bin}/sysctl               rix,
+  @{sbin}/sysctl              rix,
  @{bin}/systemd-detect-virt  rPx,
  @{bin}/xargs                rix,
--- a/apparmor.d/groups/apparmor/apparmor_parser
+++ b/apparmor.d/groups/apparmor/apparmor_parser
@ -8,7 +8,7 @@ include <tunables/global>
@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib}
-@{exec_path} = @{bin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser
+@{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser
 profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/apt @{bin}/apt-get @{bin}/aptd
+@{exec_path} = @{bin}/apt @{bin}/apt-get @{sbin}/aptd
 profile apt @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/common/apt>
@ -80,7 +80,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  @{bin}/df                              rPx,
  @{bin}/dmesg                           rPx,
  @{bin}/dpkg                            rPx,
-  @{bin}/dpkg-preconfigure               rPx,
+  @{sbin}/dpkg-preconfigure              rPx,
  @{bin}/dpkg-source                     rcx -> dpkg-source,
  @{bin}/etckeeper                       rPx,
  @{bin}/localepurge                     rPx,
--- a/apparmor.d/groups/apt/aptitude
+++ b/apparmor.d/groups/apt/aptitude
@ -75,7 +75,7 @@ profile aptitude @{exec_path} flags=(complain) {
  @{bin}/apt-listbugs       rPx,
  @{bin}/apt-listchanges    rPx,
  @{bin}/apt-show-versions  rPx,
-  @{bin}/dpkg-preconfigure rPx,
+  @{sbin}/dpkg-preconfigure rPx,
  @{bin}/debtags            rPx,
  @{bin}/localepurge       rPx,
  @{bin}/appstreamcli       rPx,
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/dpkg-preconfigure
+@{exec_path} = @{sbin}/dpkg-preconfigure
 profile dpkg-preconfigure @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/apt/querybts
+++ b/apparmor.d/groups/apt/querybts
@ -31,7 +31,7 @@ profile querybts @{exec_path} {
  @{bin}/ r,
  @{sh_path}        rix,
  @{bin}/stty       rix,
-  @{bin}/ldconfig   rix,
+  @{sbin}/ldconfig  rix,
  @{open_path} rPx -> child-open-browsers,
--- a/apparmor.d/groups/apt/reportbug
+++ b/apparmor.d/groups/apt/reportbug
@ -30,7 +30,7 @@ profile reportbug @{exec_path} {
  @{bin}/ r,
  @{python_path} r,
-  @{bin}/ldconfig         rix,
+  @{sbin}/ldconfig        rix,
  @{bin}/selinuxenabled   rix,
  @{sh_path}              rix,
  @{bin}/aa-enabled       rix,
--- a/apparmor.d/groups/apt/synaptic
+++ b/apparmor.d/groups/apt/synaptic
@ -45,7 +45,7 @@ profile synaptic @{exec_path} {
  @{bin}/deborphan          rPx,
  @{bin}/debtags            rPx,
  @{bin}/dpkg               rPx,
-  @{bin}/dpkg-preconfigure  rPx,
+  @{sbin}/dpkg-preconfigure rPx,
  @{bin}/localepurge        rPx,
  @{bin}/lsb_release        rPx -> lsb_release,
  @{bin}/pkexec             rCx -> pkexec,
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -51,10 +51,10 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  @{bin}/apt-listchanges          rPx,
  @{bin}/dpkg                     rPx,
  @{bin}/dpkg-divert              rPx,
-  @{bin}/dpkg-preconfigure        rPx,
+  @{sbin}/dpkg-preconfigure       rPx,
  @{bin}/etckeeper                rPx,
  @{bin}/lsb_release              rPx -> lsb_release,
-  @{bin}/on_ac_power              rPx,
+  @{sbin}/on_ac_power             rPx,
  @{bin}/sendmail                rPUx,
  @{lib}/apt/methods/http{,s}     rPx,
  @{lib}/needrestart/apt-pinvoke  rPx,
--- a/apparmor.d/groups/bluetooth/blueman-mechanism
+++ b/apparmor.d/groups/bluetooth/blueman-mechanism
@ -36,9 +36,9 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
  /dev/rfkill rw,
  # For network AP
-  #@{bin}/ip                 rix,
+  #@{sbin}/ip                 rix,
-  #@{bin}/xtables-nft-multi rix,
+  #@{sbin}/xtables-nft-multi rix,
-  #@{bin}/dnsmasq           rPx,
+  #@{sbin}/dnsmasq           rPx,
  #@{bin}/dhclient          rPx,
  #      @{PROC}/sys/net/ipv4/ip_forward w,
  #      @{PROC}/sys/net/ipv4/conf/ r,
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@ -39,7 +39,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
  @{bin}/kreadconfig{,5}                             rPx,
  @{bin}/plasma-browser-integration-host             rPx,
  @{bin}/speech-dispatcher                           rPx,
-  @{bin}/update-mime-database                        rPx,
+  @{sbin}/update-mime-database                       rPx,
  @{lib}/gvfsd-metadata                              rPx,
  @{lib}/mozilla/kmozillahelper                     rPUx,
  @{open_path}                                       rPx -> child-open,
--- a/apparmor.d/groups/cron/anacron
+++ b/apparmor.d/groups/cron/anacron
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/anacron
+@{exec_path} = @{sbin}/anacron
 profile anacron @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/cron/cron
+++ b/apparmor.d/groups/cron/cron
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/cron
+@{exec_path} = @{sbin}/cron
 profile cron @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app-launcher-root>
--- a/apparmor.d/groups/cron/cron-anacron
+++ b/apparmor.d/groups/cron/cron-anacron
@ -12,7 +12,7 @@ profile cron-anacron @{exec_path} {
  @{exec_path} r,
-  @{bin}/anacron           rPx,
+  @{sbin}/anacron           rPx,
  @{sh_path}                   rix,
  @{bin}/cat                   rix,
  @{bin}/date                  rix,
--- a/apparmor.d/groups/cron/cron-apt
+++ b/apparmor.d/groups/cron/cron-apt
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/cron-apt
+@{exec_path} = @{sbin}/cron-apt
 profile cron-apt @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/cron/cron-apt-compat
+++ b/apparmor.d/groups/cron/cron-apt-compat
@ -14,7 +14,7 @@ profile cron-apt-compat @{exec_path} {
  @{exec_path} r,
  @{sh_path}                   rix,
-  @{bin}/on_ac_power          rPx,
+  @{sbin}/on_ac_power          rPx,
  @{bin}/apt-config            rPx,
  @{lib}/apt/apt.systemd.daily rPx,
--- a/apparmor.d/groups/cron/cron-apt-xapian-index
+++ b/apparmor.d/groups/cron/cron-apt-xapian-index
@ -22,7 +22,7 @@ profile cron-apt-xapian-index @{exec_path} {
  @{bin}/ r,
  @{bin}/update-apt-xapian-index rPx,
-  @{bin}/on_ac_power             rPx,
+  @{sbin}/on_ac_power            rPx,
  # For shell pwd
  / r,
--- a/apparmor.d/groups/cron/cron-cracklib
+++ b/apparmor.d/groups/cron/cron-cracklib
@ -15,7 +15,7 @@ profile cron-cracklib @{exec_path} {
  @{sh_path}               rix,
  @{bin}/logger            rix,
-  @{bin}/update-cracklib  rPx,
+  @{sbin}/update-cracklib  rPx,
  /etc/cracklib/cracklib.conf r,
--- a/apparmor.d/groups/cron/cron-exim4-base
+++ b/apparmor.d/groups/cron/cron-exim4-base
@ -39,8 +39,8 @@ profile cron-exim4-base @{exec_path} {
  @{bin}/exim4     rPx,
  @{bin}/exim_tidydb       rix,
-  @{bin}/start-stop-daemon rix,
+  @{sbin}/start-stop-daemon rix,
-  @{bin}/runuser           rix,
+  @{sbin}/runuser           rix,
  /etc/default/exim4 r,
--- a/apparmor.d/groups/cron/cron-ipset-autoban-save
+++ b/apparmor.d/groups/cron/cron-ipset-autoban-save
@ -15,7 +15,7 @@ profile cron-ipset-autoban-save @{exec_path} {
  @{exec_path} r,
  @{sh_path}        rix,
-  @{bin}/ipset     rix,
+  @{sbin}/ipset     rix,
  /etc/peerblock/autoban rw,
--- a/apparmor.d/groups/cron/cron-logrotate
+++ b/apparmor.d/groups/cron/cron-logrotate
@ -14,7 +14,7 @@ profile cron-logrotate @{exec_path} {
  @{exec_path} r,
  @{sh_path}        rix,
-  @{bin}/logrotate rPx,
+  @{sbin}/logrotate rPx,
  @{bin}/logger     rix,
--- a/apparmor.d/groups/cron/cron-man-db
+++ b/apparmor.d/groups/cron/cron-man-db
@ -20,7 +20,7 @@ profile cron-man-db @{exec_path} {
  @{sh_path}                rix,
  @{bin}/{,e}grep           rix,
-  @{bin}/start-stop-daemon rix,
+  @{sbin}/start-stop-daemon rix,
  @{bin}/xargs              rix,
  @{bin}/find               rix,
--- a/apparmor.d/groups/cron/cron-mlocate
+++ b/apparmor.d/groups/cron/cron-mlocate
@ -23,7 +23,7 @@ profile cron-mlocate @{exec_path} {
  @{bin}/nice       rix,
  @{bin}/updatedb.mlocate rPx,
-  @{bin}/on_ac_power     rPx,
+  @{sbin}/on_ac_power     rPx,
  @{run}/mlocate.daily.lock rwk,
--- a/apparmor.d/groups/cron/cron-plocate
+++ b/apparmor.d/groups/cron/cron-plocate
@ -23,7 +23,7 @@ profile cron-plocate @{exec_path} {
  @{bin}/nice       rix,
  @{bin}/updatedb.plocate rPx,
-  @{bin}/on_ac_power      rPx,
+  @{sbin}/on_ac_power     rPx,
  @{run}/plocate.daily.lock rwk,
--- a/apparmor.d/groups/cron/cron-popularity-contest
+++ b/apparmor.d/groups/cron/cron-popularity-contest
@ -29,11 +29,11 @@ profile cron-popularity-contest @{exec_path} {
  # To send reports via TOR
  @{bin}/torify              rix,
  @{bin}/torsocks            rix,
-  @{bin}/getcap              rix,
+  @{sbin}/getcap             rix,
  /usr/share/popularity-contest/popcon-upload rCx -> popcon-upload,
  @{bin}/gpg{,2}             rCx -> gpg,
-  @{bin}/runuser            rCx -> runuser,
+  @{sbin}/runuser            rCx -> runuser,
  @{bin}/savelog             rCx -> savelog,
  /usr/share/popularity-contest/ r,
@ -93,7 +93,7 @@ profile cron-popularity-contest @{exec_path} {
    include <abstractions/nameservice-strict>
    include <abstractions/authentication>
-    @{bin}/runuser mr,
+    @{sbin}/runuser mr,
    @{sh_path}                 rix,
    @{bin}/popularity-contest  rPx,
--- a/apparmor.d/groups/cron/crontab
+++ b/apparmor.d/groups/cron/crontab
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/crontab
+@{exec_path} = @{sbin}/crontab
 profile crontab @{exec_path} {
  include <abstractions/base>
  include <abstractions/authentication>
--- a/apparmor.d/groups/cups/cups-browsed
+++ b/apparmor.d/groups/cups/cups-browsed
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/cups-browsed
+@{exec_path} = @{sbin}/cups-browsed
 profile cups-browsed @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-system>
--- a/apparmor.d/groups/cups/cupsd
+++ b/apparmor.d/groups/cups/cupsd
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/cupsd
+@{exec_path} = @{sbin}/cupsd
 profile cupsd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/authentication>
@ -54,7 +54,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
  @{bin}/gs                  rix,
  @{bin}/gsc                 rix,
  @{bin}/hostname            rix,
-  @{bin}/ippfind             rix,
+  @{sbin}/ippfind            rix,
  @{bin}/mktemp              rix,
  @{bin}/printenv            rix,
  @{python_path}             rix,
--- a/apparmor.d/groups/filesystem/fsck.btrfs
+++ b/apparmor.d/groups/filesystem/fsck.btrfs
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/fsck.btrfs
+@{exec_path} = @{sbin}/fsck.btrfs
 profile fsck.btrfs @{exec_path} {
  include <abstractions/base>
--- a/apparmor.d/groups/filesystem/fsck.fat
+++ b/apparmor.d/groups/filesystem/fsck.fat
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/fsck.fat @{bin}/fsck.msdos @{bin}/fsck.vfat @{bin}/dosfsck
+@{exec_path} = @{sbin}/fsck.fat @{sbin}/fsck.msdos @{sbin}/fsck.vfat @{sbin}/dosfsck
 profile fsck.fat @{exec_path} {
  include <abstractions/base>
  include <abstractions/disks-write>
--- a/apparmor.d/groups/filesystem/lvm
+++ b/apparmor.d/groups/filesystem/lvm
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/lvm
+@{exec_path} = @{sbin}/lvm
 profile lvm @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
--- a/apparmor.d/groups/filesystem/lvmconfig
+++ b/apparmor.d/groups/filesystem/lvmconfig
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/lvmconfig
+@{exec_path} = @{sbin}/lvmconfig
 profile lvmconfig @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/filesystem/lvmdump
+++ b/apparmor.d/groups/filesystem/lvmdump
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/lvmdump
+@{exec_path} = @{sbin}/lvmdump
 profile lvmdump @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/filesystem/lvmpolld
+++ b/apparmor.d/groups/filesystem/lvmpolld
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/lvmpolld
+@{exec_path} = @{sbin}/lvmpolld
 profile lvmpolld @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/filesystem/mke2fs
+++ b/apparmor.d/groups/filesystem/mke2fs
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/mke2fs @{bin}/mkfs.ext2 @{bin}/mkfs.ext3 @{bin}/mkfs.ext4
+@{exec_path} = @{sbin}/mke2fs @{sbin}/mkfs.ext2 @{sbin}/mkfs.ext3 @{sbin}/mkfs.ext4
 profile mke2fs @{exec_path} {
  include <abstractions/base>
  include <abstractions/disks-write>
@ -19,7 +19,7 @@ profile mke2fs @{exec_path} {
  # To check for badblocks
  @{sh_path}        rix,
-  @{bin}/badblocks  rPx,
+  @{sbin}/badblocks rPx,
  /usr/share/file/misc/magic.mgc r,
--- a/apparmor.d/groups/filesystem/mkfs-btrfs
+++ b/apparmor.d/groups/filesystem/mkfs-btrfs
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/mkfs.btrfs
+@{exec_path} = @{sbin}/mkfs.btrfs
 profile mkfs-btrfs @{exec_path} {
  include <abstractions/base>
  include <abstractions/disks-write>
--- a/apparmor.d/groups/filesystem/mkswap
+++ b/apparmor.d/groups/filesystem/mkswap
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/mkswap
+@{exec_path} = @{sbin}/mkswap
 profile mkswap @{exec_path} {
  include <abstractions/base>
  include <abstractions/disks-write>
--- a/apparmor.d/groups/filesystem/mount-cifs
+++ b/apparmor.d/groups/filesystem/mount-cifs
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/mount.cifs
+@{exec_path} = @{sbin}/mount.cifs
 profile mount-cifs @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/filesystem/ntfsclone
+++ b/apparmor.d/groups/filesystem/ntfsclone
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/ntfsclone
+@{exec_path} = @{sbin}/ntfsclone
 profile ntfsclone @{exec_path} {
  include <abstractions/base>
  include <abstractions/disks-write>
--- a/apparmor.d/groups/filesystem/ntfscp
+++ b/apparmor.d/groups/filesystem/ntfscp
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/ntfscp
+@{exec_path} = @{sbin}/ntfscp
 profile ntfscp @{exec_path} {
  include <abstractions/base>
  include <abstractions/disks-write>
--- a/apparmor.d/groups/filesystem/ntfslabel
+++ b/apparmor.d/groups/filesystem/ntfslabel
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/ntfslabel
+@{exec_path} = @{sbin}/ntfslabel
 profile ntfslabel @{exec_path} {
  include <abstractions/base>
  include <abstractions/disks-write>
--- a/apparmor.d/groups/filesystem/ntfsresize
+++ b/apparmor.d/groups/filesystem/ntfsresize
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/ntfsresize
+@{exec_path} = @{sbin}/ntfsresize
 profile ntfsresize @{exec_path} {
  include <abstractions/base>
  include <abstractions/disks-write>
--- a/apparmor.d/groups/filesystem/ntfsundelete
+++ b/apparmor.d/groups/filesystem/ntfsundelete
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/ntfsundelete
+@{exec_path} = @{sbin}/ntfsundelete
 profile ntfsundelete @{exec_path} {
  include <abstractions/base>
  include <abstractions/disks-read>
--- a/apparmor.d/groups/filesystem/udisksd
+++ b/apparmor.d/groups/filesystem/udisksd
@ -73,18 +73,18 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
  @{sh_path}             rix,
  @{bin}/umount          rix,
-  @{bin}/dmidecode            rPx,
+  @{sbin}/dmidecode           rPx,
-  @{bin}/dumpe2fs             rPx,
+  @{sbin}/dumpe2fs            rPx,
  @{bin}/eject                rPx,
-  @{bin}/fsck.fat             rPx,
+  @{sbin}/fsck.fat            rPx,
-  @{bin}/lvm                 rPUx,
+  @{sbin}/lvm                 rPUx,
-  @{bin}/mke2fs               rPx,
+  @{sbin}/mke2fs              rPx,
-  @{bin}/mkfs.*               rPx,
+  @{sbin}/mkfs.*              rPx,
  @{bin}/mount.exfat-fuse    rPUx,
  @{bin}/ntfs-3g              rPx,
  @{bin}/ntfsfix              rPx,
-  @{bin}/sfdisk               rPx,
+  @{sbin}/sfdisk              rPx,
-  @{bin}/sgdisk               rPx,
+  @{sbin}/sgdisk              rPx,
  @{bin}/systemctl            rCx -> systemctl,
  @{bin}/systemd-escape       rPx,
  @{bin}/xfs_*               rPUx,
--- a/apparmor.d/groups/filesystem/umount.udisks2
+++ b/apparmor.d/groups/filesystem/umount.udisks2
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/umount.udisks2
+@{exec_path} = @{sbin}/umount.udisks2
 profile umount.udisks2 @{exec_path} flags=(complain) {
  include <abstractions/base>
--- a/apparmor.d/groups/firewall/firewalld
+++ b/apparmor.d/groups/firewall/firewalld
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/firewalld
+@{exec_path} = @{sbin}/firewalld
 profile firewalld @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app/kmod>
@ -34,14 +34,14 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
  @{bin}/ r,
  @{bin}/alts                     rix,
-  @{bin}/ebtables-legacy          rix,
+  @{sbin}/ebtables-legacy         rix,
-  @{bin}/ebtables-legacy-restore  rix,
+  @{sbin}/ebtables-legacy-restore rix,
  @{bin}/false                    rix,
-  @{bin}/ipset                    rix,
+  @{sbin}/ipset                   rix,
  @{bin}/kmod                     rix,
-  @{bin}/modprobe                 rix,
+  @{sbin}/modprobe                rix,
-  @{bin}/xtables-legacy-multi     rix,
+  @{sbin}/xtables-legacy-multi    rix,
-  @{bin}/xtables-nft-multi       rmix,
+  @{sbin}/xtables-nft-multi       rmix,
  /usr/local/lib/@{python_name}/dist-packages/ r,
--- a/apparmor.d/groups/firewall/nft
+++ b/apparmor.d/groups/firewall/nft
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/nft
+@{exec_path} = @{sbin}/nft
 profile nft @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/firewall/ufw
+++ b/apparmor.d/groups/firewall/ufw
@ -33,9 +33,9 @@ profile ufw @{exec_path} flags=(attach_disconnected) {
  @{bin}/ r,
  @{bin}/cat                   rix,
  @{bin}/env                   r,
-  @{bin}/sysctl                rix,
+  @{sbin}/sysctl               rix,
-  @{bin}/xtables-legacy-multi  rix,
+  @{sbin}/xtables-legacy-multi rix,
-  @{bin}/xtables-nft-multi     rix,
+  @{sbin}/xtables-nft-multi    rix,
  @{lib}/ufw/ufw-init          rix,
  /etc/default/ufw rw,
--- a/apparmor.d/groups/firewall/ufw-init
+++ b/apparmor.d/groups/firewall/ufw-init
@ -22,9 +22,9 @@ profile ufw-init @{exec_path} {
  @{exec_path} mr,
  @{sh_path}                   rix,
-  @{bin}/sysctl                rix,
+  @{sbin}/sysctl               rix,
-  @{bin}/xtables-legacy-multi  rix,
+  @{sbin}/xtables-legacy-multi rix,
-  @{bin}/xtables-nft-multi     rix,
+  @{sbin}/xtables-nft-multi    rix,
  /etc/default/ufw r,
  /etc/ufw/* r,
--- a/apparmor.d/groups/flatpak/flatpak-app
+++ b/apparmor.d/groups/flatpak/flatpak-app
@ -65,7 +65,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
  @{bin}/gtk{,4}-update-icon-cache     rPx -> flatpak-app//&gtk-update-icon-cache,
  @{bin}/update-desktop-database       rPx -> flatpak-app//&update-desktop-database,
-  @{bin}/update-mime-database          rPx -> flatpak-app//&update-mime-database,
+  @{sbin}/update-mime-database         rPx -> flatpak-app//&update-mime-database,
  @{bin}/xdg-dbus-proxy                rPx -> flatpak-app//&xdg-dbus-proxy,
  @{lib}/kf5/kioslave5                 rPx,
--- a/apparmor.d/groups/freedesktop/accounts-daemon
+++ b/apparmor.d/groups/freedesktop/accounts-daemon
@ -27,13 +27,13 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
-  @{bin}/adduser     rPx,
+  @{sbin}/adduser    rPx,
  @{bin}/cat         rix,
  @{bin}/chage       rPx,
  @{bin}/passwd      rPx,
-  @{bin}/chpasswd    rPx,
+  @{sbin}/chpasswd   rPx,
-  @{bin}/userdel     rPx,
+  @{sbin}/userdel    rPx,
-  @{bin}/usermod     rPx,
+  @{sbin}/usermod    rPx,
  @{bin}/locale     rPUx,
  /usr/share/language-tools/language-validate   rPx,
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/plymouthd
+@{exec_path} = @{sbin}/plymouthd
 profile plymouthd @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/freedesktop/update-mime-database
+++ b/apparmor.d/groups/freedesktop/update-mime-database
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/update-mime-database
+@{exec_path} = @{sbin}/update-mime-database
 profile update-mime-database @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -60,11 +60,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  @{bin}/bwrap                                   rCx -> bwrap,
  @{bin}/gkbd-keyboard-display                   rPx,
  @{bin}/gnome-software                          rPx,
-  @{bin}/openvpn                                 rPx,
+  @{sbin}/openvpn                                rPx,
  @{bin}/passwd                                  rPx,
  @{bin}/pkexec                                  rCx -> pkexec,
  @{bin}/software-properties-gtk                 rPx,
-  @{bin}/usermod                                 rPx,
+  @{sbin}/usermod                                rPx,
  @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
  @{lib}/cups/backend/snmp                       rPx,
  @{lib}/gnome-control-center-goa-helper         rPx,
--- a/apparmor.d/groups/grub/grub-install
+++ b/apparmor.d/groups/grub/grub-install
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/grub-install
+@{exec_path} = @{sbin}/grub-install
 profile grub-install @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/grub/grub-macbless
+++ b/apparmor.d/groups/grub/grub-macbless
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/grub-macbless
+@{exec_path} = @{sbin}/grub-macbless
 profile grub-macbless @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/grub/grub-mkconfig
+++ b/apparmor.d/groups/grub/grub-mkconfig
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/grub-mkconfig
+@{exec_path} = @{sbin}/grub-mkconfig
 profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
@ -27,14 +27,14 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
  @{bin}/cut                  rix,
  @{bin}/date                 rix,
  @{bin}/dirname              rix,
-  @{bin}/dmsetup             rPUx,
+  @{sbin}/dmsetup             rPUx,
  @{bin}/dpkg                 rPx,
  @{bin}/find                 rix,
  @{bin}/findmnt              rPx,
  @{bin}/gettext              rix,
  @{bin}/grub-editenv         rPx,
  @{bin}/grub-mkrelpath       rPx,
-  @{bin}/grub-probe           rPx,
+  @{sbin}/grub-probe          rPx,
  @{bin}/grub-script-check    rPx,
  @{bin}/head                 rix,
  @{bin}/id                   rPx,
--- a/apparmor.d/groups/grub/grub-mkdevicemap
+++ b/apparmor.d/groups/grub/grub-mkdevicemap
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/grub-mkdevicemap
+@{exec_path} = @{sbin}/grub-mkdevicemap
 profile grub-mkdevicemap @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/grub/grub-multi-install
+++ b/apparmor.d/groups/grub/grub-multi-install
@ -13,7 +13,7 @@ profile grub-multi-install @{exec_path} {
  @{exec_path} mr,
-  @{bin}/grub-install       rPx,
+  @{sbin}/grub-install      rPx,
  @{sh_path}                rix,
  @{bin}/{,e}grep           rix,
  @{bin}/cat                rix,
--- a/apparmor.d/groups/grub/grub-probe
+++ b/apparmor.d/groups/grub/grub-probe
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/grub-probe
+@{exec_path} = @{sbin}/grub-probe
 profile grub-probe @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
@ -20,7 +20,7 @@ profile grub-probe @{exec_path} {
  /{usr/,}{local/,}{s,}bin/zpool rPx,
  @{bin}/lsb_release        rPx -> lsb_release,
-  @{bin}/lvm                rPx,
+  @{sbin}/lvm               rPx,
  @{bin}/udevadm            rPx,
  /usr/share/grub/* r,
--- a/apparmor.d/groups/grub/grub-reboot
+++ b/apparmor.d/groups/grub/grub-reboot
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/grub-reboot
+@{exec_path} = @{sbin}/grub-reboot
 profile grub-reboot @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/grub/grub-set-default
+++ b/apparmor.d/groups/grub/grub-set-default
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/grub-set-default
+@{exec_path} = @{sbin}/grub-set-default
 profile grub-set-default @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/grub/update-grub
+++ b/apparmor.d/groups/grub/update-grub
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/update-grub{2,}
+@{exec_path} = @{sbin}/update-grub{2,}
 profile update-grub @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
@ -15,7 +15,7 @@ profile update-grub @{exec_path} {
  @{exec_path} mr,
  @{sh_path}        rix,
-  @{bin}/grub-mkconfig rPx,
+  @{sbin}/grub-mkconfig rPx,
  /dev/tty@{int} rw,
--- a/apparmor.d/groups/kde/kauth-kded-smart-helper
+++ b/apparmor.d/groups/kde/kauth-kded-smart-helper
@ -22,7 +22,7 @@ profile kauth-kded-smart-helper @{exec_path} {
  @{exec_path} mr,
-  @{bin}/smartctl rPx,
+  @{sbin}/smartctl rPx,
  /usr/share/icu/@{int}.@{int}/*.dat r,
--- a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper
+++ b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper
@ -13,7 +13,7 @@ profile kauth-kinfocenter-dmidecode-helper @{exec_path} {
  @{exec_path} mr,
-  @{bin}/dmidecode  rPx,
+  @{sbin}/dmidecode  rPx,
  include if exists <local/kauth-kinfocenter-dmidecode-helper>
 }
--- a/apparmor.d/groups/kde/kscreenlocker_greet
+++ b/apparmor.d/groups/kde/kscreenlocker_greet
@ -39,7 +39,7 @@ profile kscreenlocker_greet @{exec_path} {
  @{lib}/libheif/ r,
  @{lib}/libheif/*.so* rm,
-  @{bin}/unix_chkpwd rPx,
+  @{sbin}/unix_chkpwd rPx,
  @{lib}/@{multiarch}/libexec/kcheckpass rPx,
  /usr/share/plasma/** r,
--- a/apparmor.d/groups/kde/sddm-xsession
+++ b/apparmor.d/groups/kde/sddm-xsession
@ -37,7 +37,7 @@ profile sddm-xsession @{exec_path} {
  @{bin}/sed        rix,
  @{bin}/stat       rix,
  @{bin}/tail       rix,
-  @{bin}/tcsh       rix,
+  @{sbin}/tcsh      rix,
  @{bin}/tempfile   rix,
  @{bin}/touch      rix,
  @{bin}/which{,.*} rix,
--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/ModemManager
+@{exec_path} = @{sbin}/ModemManager
 profile ModemManager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/NetworkManager
+@{exec_path} = @{sbin}/NetworkManager
 profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
@ -75,12 +75,12 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  @{sh_path}        rix,
-  @{bin}/nft        rix,
+  @{sbin}/nft       rix,
-  @{bin}/dnsmasq                                             rPx,
+  @{sbin}/dnsmasq                                            rPx,
  @{bin}/kmod                                                rPx,
  @{bin}/netconfig                                          rPUx,
-  @{bin}/resolvconf                                          rPx,
+  @{sbin}/resolvconf                                         rPx,
  @{bin}/systemctl                                           rCx -> systemctl,
  @{lib}/{,NetworkManager/}nm-daemon-helper                  rPx,
  @{lib}/{,NetworkManager/}nm-dhcp-helper                    rPx,
--- a/apparmor.d/groups/network/dhcpcd
+++ b/apparmor.d/groups/network/dhcpcd
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/dhcpcd
+@{exec_path} = @{sbin}/dhcpcd
 profile dhcpcd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
@ -35,7 +35,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) {
  @{bin}/chmod                    rix,
  @{bin}/cmp                      rix,
  @{bin}/mkdir                    rix,
-  @{bin}/resolvconf               rPx,
+  @{sbin}/resolvconf              rPx,
  @{bin}/rm                       rix,
  @{bin}/sed                      rix,
  @{lib}/dhcpcd/dhcpcd-run-hooks  rix,
--- a/apparmor.d/groups/network/iwctl
+++ b/apparmor.d/groups/network/iwctl
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/iwctl
+@{exec_path} = @{sbin}/iwctl
 profile iwctl @{exec_path} {
  include <abstractions/base>
--- a/apparmor.d/groups/network/iwd
+++ b/apparmor.d/groups/network/iwd
@ -24,7 +24,7 @@ profile iwd @{exec_path} {
  network packet dgram,
  @{exec_path} mr,
-  @{bin}/resolvconf rPx,
+  @{sbin}/resolvconf rPx,
  /etc/iwd/{,**} r,
  /var/lib/iwd/{,**} rw,
--- a/apparmor.d/groups/network/mullvad-daemon
+++ b/apparmor.d/groups/network/mullvad-daemon
@ -33,7 +33,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
-  @{bin}/ip  rix,
+  @{sbin}/ip  rix,
  "/opt/Mullvad VPN/resources/openvpn" rix,
  "/opt/Mullvad VPN/resources/*.so*" mr,
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@ -39,7 +39,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
  @{bin}/gawk               rix,
  @{bin}/grep               rix,
  @{bin}/id                 rix,
-  @{bin}/invoke-rc.d        rCx -> invoke-rc,
+  @{sbin}/invoke-rc.d       rCx -> invoke-rc,
  @{bin}/logger             rix,
  @{bin}/mkdir              rix,
  @{bin}/mktemp             rix,
@ -101,7 +101,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
  profile invoke-rc {
    include <abstractions/base>
-    @{bin}/invoke-rc.d rm,
+    @{sbin}/invoke-rc.d rm,
    @{sh_path}       rix,
    @{bin}/basename  rix,
    @{bin}/ls        rix,
--- a/apparmor.d/groups/network/nm-openvpn-service
+++ b/apparmor.d/groups/network/nm-openvpn-service
@ -20,7 +20,7 @@ profile nm-openvpn-service @{exec_path} {
  @{sh_path}         rix,
  @{bin}/kmod        rPx,
-  @{bin}/openvpn     rPx,
+  @{sbin}/openvpn    rPx,
  @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx,
  @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx,
--- a/apparmor.d/groups/network/openvpn
+++ b/apparmor.d/groups/network/openvpn
@ -22,7 +22,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/openvpn
+@{exec_path} = @{sbin}/openvpn
 profile openvpn @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
@ -61,7 +61,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
  @{run}/openvpn/*.{pid,status} rw,
  @{run}/systemd/journal/dev-log r,
-  @{bin}/ip                                rix,
+  @{sbin}/ip                               rix,
  @{bin}/systemd-ask-password              rPx,
  @{lib}/nm-openvpn-service-openvpn-helper rPx,
  /etc/openvpn/force-user-traffic-via-vpn.sh    rCx -> force-user-traffic-via-vpn,
@ -83,9 +83,9 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
    @{sh_path}                rix,
    @{bin}/cut                rix,
-    @{bin}/ip                 rix,
+    @{sbin}/ip                rix,
    @{bin}/which{,.debianutils}  rix,
-    @{bin}/xtables-nft-multi rix,
+    @{sbin}/xtables-nft-multi rix,
    /etc/iproute2/rt_tables r,
    /etc/iproute2/rt_tables.d/{,*} r,
@ -110,8 +110,8 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
    @{bin}/{,e}grep   rix,
    @{bin}/cut        rix,
    @{bin}/env        rix,
-    @{bin}/ip         rix,
+    @{sbin}/ip        rix,
-    @{bin}/nft        rix,
+    @{sbin}/nft       rix,
    @{bin}/sed        rix,
    /etc/iproute2/rt_realms r,
--- a/apparmor.d/groups/network/tailscale
+++ b/apparmor.d/groups/network/tailscale
@ -23,7 +23,7 @@ profile tailscale @{exec_path} {
  @{exec_path} mr,
-  @{bin}/ip rPx,
+  @{sbin}/ip rPx,
  owner @{run}/tailscale/tailscaled.sock rw,
--- a/apparmor.d/groups/network/tailscaled
+++ b/apparmor.d/groups/network/tailscaled
@ -35,9 +35,9 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
-  @{bin}/ip                 rix,
+  @{sbin}/ip                rix,
  @{bin}/resolvectl         rPx,
-  @{bin}/xtables-nft-multi  rix,
+  @{sbin}/xtables-nft-multi rix,
  @{bin}/systemctl  rCx -> systemctl,
--- a/apparmor.d/groups/network/wg-quick
+++ b/apparmor.d/groups/network/wg-quick
@ -21,19 +21,19 @@ profile wg-quick @{exec_path} flags=(attach_disconnected) {
  @{sh_path}                rix,
  @{bin}/cat                rix,
-  @{bin}/ip                 rPx,
+  @{sbin}/ip                rPx,
  @{bin}/mv                 rix,
-  @{bin}/nft                rix,
+  @{sbin}/nft               rix,
  @{bin}/readlink           rix,
-  @{bin}/resolvconf         rPx,
+  @{sbin}/resolvconf        rPx,
  @{bin}/resolvectl         rPx,
  @{bin}/rm                 rix,
  @{bin}/sort               rix,
  @{bin}/stat               rix,
  @{bin}/sync               rix,
-  @{bin}/sysctl             rCx -> sysctl,
+  @{sbin}/sysctl            rCx -> sysctl,
  @{bin}/wg                 rPx,
-  @{bin}/xtables-nft-multi  rix,
+  @{sbin}/xtables-nft-multi rix,
  /usr/share/terminfo/** r,
@ -49,7 +49,7 @@ profile wg-quick @{exec_path} flags=(attach_disconnected) {
  profile sysctl flags=(attach_disconnected) {
    include <abstractions/base>
-    @{bin}/sysctl mr,
+    @{sbin}/sysctl mr,
    @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w,
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@ -28,11 +28,11 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  @{bin}/bsdtar              rix,
  @{bin}/fc-match            rix,
  @{bin}/findmnt             rPx,
-  @{bin}/fsck                rix,
+  @{sbin}/fsck               rix,
  @{bin}/getent              rix,
  @{bin}/gzip                rix,
  @{bin}/hexdump             rix,
-  @{bin}/ldconfig            rix,
+  @{sbin}/ldconfig           rix,
  @{bin}/ldd                 rix,
  @{bin}/loadkeys            rix,
  @{bin}/objcopy             rix,
@ -45,7 +45,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  @{bin}/{depmod,insmod}     rPx,
  @{bin}/{kmod,lsmod}        rPx,
  @{bin}/{modinfo,rmmod}     rPx,
-  @{bin}/modprobe            rPx,
+  @{sbin}/modprobe           rPx,
  @{bin}/plymouth            rPx,
  @{bin}/plymouth-set-default-theme rPx,
  @{bin}/sbctl               rPx,
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -69,35 +69,35 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
  @{bin}/ghc-pkg-@{version}          rix,
  @{bin}/gio-querymodules            rPx,
  @{bin}/glib-compile-schemas        rPx,
-  @{bin}/groupadd                    rPx,
+  @{sbin}/groupadd                   rPx,
  @{bin}/gtk-query-immodules-{2,3}.0 rPx,
  @{bin}/gtk{,4}-update-icon-cache   rPx,
-  @{bin}/iconvconfig                 rix,
+  @{sbin}/iconvconfig                rix,
  @{bin}/install-catalog             rPx,
  @{bin}/install-info                rPx,
  @{bin}/iscsi-iname                 rix,
  @{bin}/journalctl                  rPx,
  @{bin}/killall                     rix,
-  @{bin}/ldconfig                    rix,
+  @{sbin}/ldconfig                   rix,
-  @{bin}/locale-gen                  rPx,
+  @{sbin}/locale-gen                 rPx,
  @{bin}/mkinitcpio                  rPx,
-  @{bin}/needrestart                 rPx,
+  @{sbin}/needrestart                rPx,
  @{bin}/pacdiff                     rPx,
  @{bin}/pacman-key                  rPx,
  @{bin}/pkgfile                     rPUx,
  @{bin}/pkill                       rix,
  @{bin}/rsync                       rix,
  @{bin}/sbctl                       rPx,
-  @{bin}/setcap                      rix,
+  @{sbin}/setcap                     rix,
  @{bin}/setfacl                     rix,
-  @{bin}/sysctl                      rPx,
+  @{sbin}/sysctl                     rPx,
  @{bin}/systemctl                   rCx -> systemctl,
  @{bin}/systemd-*                   rPx,
  @{bin}/tput                        rix,
  @{bin}/update-ca-trust             rPx,
  @{bin}/update-desktop-database     rPx,
-  @{bin}/update-grub                 rPx,
+  @{sbin}/update-grub                rPx,
-  @{bin}/update-mime-database        rPx,
+  @{sbin}/update-mime-database       rPx,
  @{bin}/vercmp                      rix,
  @{bin}/which                       rix,
  @{bin}/xmlcatalog                  rix,
--- a/apparmor.d/groups/pacman/pacman-hook-depmod
+++ b/apparmor.d/groups/pacman/pacman-hook-depmod
@ -16,7 +16,7 @@ profile pacman-hook-depmod @{exec_path} {
  @{bin}/basename  rix,
  @{bin}/bash      rix,
-  @{bin}/depmod    rPx,
+  @{sbin}/depmod   rPx,
  @{bin}/kmod      rPx,
  @{bin}/rm        rix,
  @{bin}/rmdir     rix,
--- a/apparmor.d/groups/pacman/pacman-hook-dkms
+++ b/apparmor.d/groups/pacman/pacman-hook-dkms
@ -19,7 +19,7 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  @{sh_path}    rix,
-  @{bin}/dkms   rPx,
+  @{sbin}/dkms  rPx,
  @{bin}/kmod   rPx,
  @{bin}/nproc  rix,
--- a/apparmor.d/groups/procps/sysctl
+++ b/apparmor.d/groups/procps/sysctl
@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/sysctl
+@{exec_path} = @{sbin}/sysctl
 profile sysctl @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/shadow/chpasswd
+++ b/apparmor.d/groups/shadow/chpasswd
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/chpasswd
+@{exec_path} = @{sbin}/chpasswd
 profile chpasswd @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-system>
--- a/apparmor.d/groups/shadow/groupadd
+++ b/apparmor.d/groups/shadow/groupadd
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/groupadd
+@{exec_path} = @{sbin}/groupadd
 profile groupadd @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/shadow/groupdel
+++ b/apparmor.d/groups/shadow/groupdel
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/groupdel
+@{exec_path} = @{sbin}/groupdel
 profile groupdel @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/shadow/groupmod
+++ b/apparmor.d/groups/shadow/groupmod
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/groupmod
+@{exec_path} = @{sbin}/groupmod
 profile groupmod @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/shadow/grpck
+++ b/apparmor.d/groups/shadow/grpck
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/grpck
+@{exec_path} = @{sbin}/grpck
 profile grpck @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/shadow/pwck
+++ b/apparmor.d/groups/shadow/pwck
@ -6,7 +6,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/pwck
+@{exec_path} = @{sbin}/pwck
 profile pwck @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/shadow/useradd
+++ b/apparmor.d/groups/shadow/useradd
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/useradd
+@{exec_path} = @{sbin}/useradd
 profile useradd @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
@ -25,7 +25,7 @@ profile useradd @{exec_path} {
  @{exec_path} mr,
  @{bin}/nscd    rix,
-  @{bin}/usermod rPx,
+  @{sbin}/usermod rPx,
  @{bin}/pam_tally2 rCx -> pam_tally2,
--- a/Show more
+++ b/Show more