diff --git a/packaging/linux/portmaster.service b/packaging/linux/portmaster.service index 5490ac6f..c16068d9 100644 --- a/packaging/linux/portmaster.service +++ b/packaging/linux/portmaster.service @@ -34,8 +34,9 @@ AmbientCapabilities=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_ne CapabilityBoundingSet=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid cap_sys_resource cap_bpf cap_perfmon StateDirectory=portmaster # TODO(ppacher): add --disable-software-updates once it's merged and the release process changed. -ExecStart=/usr/bin/portmaster-core --data /opt/safing/portmaster -- $PORTMASTER_ARGS -ExecStopPost=-/usr/bin/portmaster-core recover-iptables +WorkingDirectory=/var/lib/portmaster/data +ExecStart=/usr/lib/portmaster/portmaster-core --data /var/lib/portmaster/data -devmode -- $PORTMASTER_ARGS +ExecStopPost=-/usr/bin/portmaster/portmaster-core recover-iptables [Install] WantedBy=multi-user.target diff --git a/packaging/linux/postinst b/packaging/linux/postinst index 8f727403..ab056723 100644 --- a/packaging/linux/postinst +++ b/packaging/linux/postinst @@ -1,5 +1,16 @@ #!/bin/bash +chmod +x /usr/lib/portmaster/portmaster-core + +# +# Fix selinux permissions for portmaster-core if we have semanage +# available. +# +if command -V semanage >/dev/null 2>&1; then + semanage fcontext -a -t bin_t -s system_u $(realpath /usr/lib)'/portmaster/portmaster-core' || : + restorecon -R /usr/lib/portmaster/portmaster-core 2>/dev/null >&2 || : +fi + systemctl daemon-reload systemctl enable portmaster.service diff --git a/packaging/linux/postrm b/packaging/linux/postrm index a9bf588e..9dddf8e9 100644 --- a/packaging/linux/postrm +++ b/packaging/linux/postrm 
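Review bot: The new `ExecStopPost` points at `/usr/bin/portmaster/portmaster-core`, while the new `ExecStart` and the postinst script both use `/usr/lib/portmaster/portmaster-core`. Because the line carries the `-` prefix, systemd ignores the failed exec, so `recover-iptables` would silently never run and whatever firewall state it is meant to restore would presumably stay in place after a stop or crash. It should read `ExecStopPost=-/usr/lib/portmaster/portmaster-core recover-iptables`. The new `ExecStart` also hard-codes `-devmode` in the packaged unit; what that flag enables is not visible here, but a development switch on a service holding this capability set is better left out of the default unit and passed through `$PORTMASTER_ARGS` where needed.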
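Review bot: The added `semanage fcontext -a` line leaves `$(realpath /usr/lib)` unquoted and hides every failure behind `|| :`, so on an SELinux-enforcing host a labelling failure would only surface later as the unit failing to start. Quote the path as `"$(realpath /usr/lib)/portmaster/portmaster-core"` and print a warning instead of `:` when `semanage` or `restorecon` fails. On a reinstall or upgrade, `-a` will presumably fail because the rule already exists; its stderr is not redirected, so the user sees an error that the script then ignores. `restorecon` is given a single file here, so `-R` is not needed.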
@@ -1 +1,10 @@ #!/bin/bash + +# +# Remove selinux permissions for portmaster-core if we have semanage +# available. +# +if command -V semanage >/dev/null 2>&1; then + semanage fcontext --delete $(realpath /usr/lib)'/portmaster/portmaster-core' || : + restorecon -R /usr/lib/portmaster/portmaster-core 2>/dev/null >&2 || : +fi \ No newline at end of file diff --git a/service/updates/module.go b/service/updates/module.go index 989ad020..31de626c 100644 --- a/service/updates/module.go +++ b/service/updates/module.go @@ -63,7 +63,7 @@ func New(instance instance) (*Updates, error) { binIndex := registry.UpdateIndex{ Directory: "/usr/lib/portmaster", - DownloadDirectory: "/var/portmaster/new_bin", + DownloadDirectory: "/var/lib/portmaster/new_bin", Ignore: []string{"databases", "intel", "config.json"}, IndexURLs: []string{"http://localhost:8000/test-binary.json"}, IndexFile: "bin-index.json", @@ -71,8 +71,8 @@ func New(instance instance) (*Updates, error) { } intelIndex := registry.UpdateIndex{ - Directory: "/var/portmaster/intel", - DownloadDirectory: "/var/portmaster/new_intel", + Directory: "/var/lib/portmaster/intel", + DownloadDirectory: "/var/lib/portmaster/new_intel", IndexURLs: []string{"http://localhost:8000/test-intel.json"}, IndexFile: "intel-index.json", AutoApply: true,
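Review bot: The added block deletes the fcontext rule unconditionally, without looking at `$1`, so it also runs when the package manager invokes this script during an upgrade. On RPM-based systems the old package's post-uninstall scriptlet runs after the new package's post-install, which would remove the `bin_t` rule the new postinst has just added; whether this packaging targets RPM is not visible here. Guard the block on the real removal case (`remove`/`purge` for deb, `0` for rpm) and quote the path as `"$(realpath /usr/lib)/portmaster/portmaster-core"`. The `restorecon` call probably acts on a file that is already gone at this point, and since its output is discarded it is likely a no-op.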
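Review bot: Both index definitions in `New` still fetch from `http://localhost:8000/test-*.json` over plain HTTP, and `binIndex` installs into `/usr/lib/portmaster`, the directory the service unit executes `portmaster-core` from. If this ships as is, whatever local process listens on port 8000 decides which binaries are staged in `/var/lib/portmaster/new_bin`; whether `registry` verifies signatures on the index or the artifacts is not visible in these hunks. Mark the URLs as test-only with a comment such as `// TODO: test index; replace with the signed release index before packaging`, and move the paths, now repeated here and in `portmaster.service`, into named constants. The same applies to the `intelIndex` hunk at line 71, where `AutoApply: true` presumably applies downloaded data without a further step. `New` starts and ends outside both hunks.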