diff --git a/cmd/snap/cmd_run.go b/cmd/snap/cmd_run.go
index 62acb47b521..a887b31307b 100644
--- a/cmd/snap/cmd_run.go
+++ b/cmd/snap/cmd_run.go
@@ -206,6 +206,8 @@ func maybeWaitForSecurityProfileRegeneration(cli *client.Client) error {
 		// the user or what do we do if we know snapd is down for maintenance?
 		if _, err := cli.SysInfo(); err == nil {
 			return nil
+		} else {
+			logger.Debugf("cannot obtain system info: %v", err)
 		}
 		// sleep a little bit for good measure
 		time.Sleep(1 * time.Second)
diff --git a/sandbox/apparmor/apparmor.go b/sandbox/apparmor/apparmor.go
index e08d9d4c325..895ece36441 100644
--- a/sandbox/apparmor/apparmor.go
+++ b/sandbox/apparmor/apparmor.go
@@ -395,6 +395,8 @@ func ParserMtime() int64 {
 		if fi, err := os.Stat(cmd.Path); err == nil {
 			mtime = fi.ModTime().Unix()
 		}
+	} else {
+		logger.Debugf("apparmor parser err: %v", err)
 	}
 	return mtime
 }
@@ -790,6 +792,7 @@ func AppArmorParser() (cmd *exec.Cmd, internal bool, err error) {
 	// installed snapd-apparmor support re-exec
 	if path, err := snapdtool.InternalToolPath("apparmor_parser"); err == nil {
 		if osutil.IsExecutable(path) && snapdAppArmorSupportsReexec() && !systemAppArmorLoadsSnapPolicy() {
+			logger.Debugf("checking internal apparmor_parser candidate at %v", path)
 			prefix := strings.TrimSuffix(path, "apparmor_parser")
 			snapdAbi30File := filepath.Join(prefix, "/apparmor.d/abi/3.0")
 			snapdAbi40File := filepath.Join(prefix, "/apparmor.d/abi/4.0")
@@ -828,6 +831,7 @@ func AppArmorParser() (cmd *exec.Cmd, internal bool, err error) {
 	for _, dir := range filepath.SplitList(parserSearchPath) {
 		path := filepath.Join(dir, "apparmor_parser")
 		if _, err := os.Stat(path); err == nil {
+			logger.Debugf("checking distro apparmor_parser at %v", path)
 			// Detect but ignore apparmor 4.0 ABI support.
 			//
 			// At present this causes some bugs with mqueue mediation that can
diff --git a/secboot/encrypt_sb_test.go b/secboot/encrypt_sb_test.go
index 9a7797b2a3d..2a271e4b503 100644
--- a/secboot/encrypt_sb_test.go
+++ b/secboot/encrypt_sb_test.go
@@ -90,6 +90,7 @@ func (s *encryptSuite) TestFormatEncryptedDeviceInvalidEncType(c *C) {
 type keymgrSuite struct {
 	testutil.BaseTest
 
+	rootDir       string
 	d             string
 	keymgrCmd     *testutil.MockCmd
 	udevadmCmd    *testutil.MockCmd
@@ -101,6 +102,10 @@ var _ = Suite(&keymgrSuite{})
 func (s *keymgrSuite) SetUpTest(c *C) {
 	s.BaseTest.SetUpTest(c)
 
+	s.rootDir = c.MkDir()
+	s.AddCleanup(func() { dirs.SetRootDir(dirs.GlobalRootDir) })
+	dirs.SetRootDir(s.rootDir)
+
 	s.d = c.MkDir()
 	s.systemdRunCmd = testutil.MockCommand(c, "systemd-run", `
 while true; do
@@ -115,7 +120,7 @@ while true; do
 done
 `)
 	s.AddCleanup(s.systemdRunCmd.Restore)
-	s.keymgrCmd = testutil.MockCommand(c, "snap-fde-keymgr", fmt.Sprintf(`
+	s.keymgrCmd = testutil.MockCommand(c, filepath.Join(dirs.DistroLibExecDir, "snap-fde-keymgr"), fmt.Sprintf(`
 set -e
 if [ "$1" = "change-encryption-key" ]; then
     cat > %s/input
@@ -205,7 +210,7 @@ func (s *keymgrSuite) TestStageEncryptionKeyBadUdev(c *C) {
 }
 
 func (s *keymgrSuite) TestStageTransitionEncryptionKeyBadKeymgr(c *C) {
-	keymgrCmd := testutil.MockCommand(c, "snap-fde-keymgr", `echo keymgr very unhappy; exit 1`)
+	keymgrCmd := testutil.MockCommand(c, filepath.Join(dirs.DistroLibExecDir, "snap-fde-keymgr"), `echo keymgr very unhappy; exit 1`)
 	defer keymgrCmd.Restore()
 	// update where /proc/self/exe resolves to
 	restore := snapdtool.MockOsReadlink(func(string) (string, error) {
@@ -332,10 +337,7 @@ done
 `)
 	s.AddCleanup(udevadmCmd.Restore)
 
-	s.AddCleanup(func() { dirs.SetRootDir(dirs.GlobalRootDir) })
-	dirs.SetRootDir(s.d)
-
-	snaptest.PopulateDir(s.d, [][]string{
+	snaptest.PopulateDir(s.rootDir, [][]string{
 		{"/sys/dev/block/600:3/dm/uuid", "CRYPT-LUKS2-5a522809c87e4dfa81a88dc5667d1304-foo"},
 		{"/sys/dev/block/600:3/dm/name", "foo"},
 		{"/sys/dev/block/600:4/dm/uuid", "CRYPT-LUKS2-5a522809c87e4dfa81a88dc5667d1305-bar"},
diff --git a/snapdtool/tool_linux.go b/snapdtool/tool_linux.go
index b696aa25a2b..2dd987b43c9 100644
--- a/snapdtool/tool_linux.go
+++ b/snapdtool/tool_linux.go
@@ -129,13 +129,6 @@ func InternalToolPath(tool string) (string, error) {
 			if osutil.IsExecutable(maybeTool) {
 				return maybeTool, nil
 			}
-		} else {
-			// or perhaps some other random location, make sure the tool
-			// exists there and is an executable
-			maybeTool := filepath.Join(filepath.Dir(exe), tool)
-			if osutil.IsExecutable(maybeTool) {
-				return maybeTool, nil
-			}
 		}
 	}
 
diff --git a/snapdtool/tool_test.go b/snapdtool/tool_test.go
index f94e1f6989f..4604b6d372d 100644
--- a/snapdtool/tool_test.go
+++ b/snapdtool/tool_test.go
@@ -286,7 +286,7 @@ func (s *toolSuite) TestInternalToolPathWithDevLocationFallback(c *C) {
 	c.Check(path, Equals, filepath.Join(dirs.DistroLibExecDir, "potato"))
 }
 
-func (s *toolSuite) TestInternalToolPathWithOtherDevLocationWhenExecutable(c *C) {
+func (s *toolSuite) TestInternalToolPathWithOtherDevLocationWhenExecutableFallback(c *C) {
 	restore := snapdtool.MockOsReadlink(func(string) (string, error) {
 		return filepath.Join(dirs.GlobalRootDir, "/tmp/snapd"), nil
 	})
@@ -300,7 +300,7 @@ func (s *toolSuite) TestInternalToolPathWithOtherDevLocationWhenExecutable(c *C)
 
 	path, err := snapdtool.InternalToolPath("potato")
 	c.Check(err, IsNil)
-	c.Check(path, Equals, filepath.Join(dirs.GlobalRootDir, "/tmp/potato"))
+	c.Check(path, Equals, filepath.Join(dirs.DistroLibExecDir, "potato"))
 }
 
 func (s *toolSuite) TestInternalToolPathWithOtherDevLocationNonExecutable(c *C) {