diff --git a/audit-2.8.4-rundir.patch b/audit-2.8.4-rundir.patch
new file mode 100644
index 0000000..4e693b2
--- /dev/null
+++ b/audit-2.8.4-rundir.patch
@@ -0,0 +1,26 @@
+diff -Nru audit-2.8.4.orig/init.d/auditd.state audit-2.8.4/init.d/auditd.state
+--- audit-2.8.4.orig/init.d/auditd.state	2018-05-21 19:38:08.000000000 +0200
++++ audit-2.8.4/init.d/auditd.state	2019-01-05 08:46:05.999451866 +0100
+@@ -7,7 +7,7 @@
+ 
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ prog="auditd"
+-state_file="/var/run/auditd.state"
++state_file="/run/auditd.state"
+ . /etc/init.d/functions
+ 
+ printf "Getting auditd internal state: "
+diff -Nru audit-2.8.4.orig/src/auditd.c audit-2.8.4/src/auditd.c
+--- audit-2.8.4.orig/src/auditd.c	2018-05-21 19:38:08.000000000 +0200
++++ audit-2.8.4/src/auditd.c	2019-01-05 08:44:18.153983329 +0100
+@@ -66,8 +66,8 @@
+ /* Local data */
+ static int fd = -1, pipefds[2] = {-1, -1};
+ static struct daemon_conf config;
+-static const char *pidfile = "/var/run/auditd.pid";
+-static const char *state_file = "/var/run/auditd.state";
++static const char *pidfile = "/run/auditd.pid";
++static const char *state_file = "/run/auditd.state";
+ static int init_pipe[2];
+ static int do_fork = 1, opt_aggregate_only = 0, config_dir_set = 0;
+ static struct auditd_event *cur_event = NULL, *reconfig_ev = NULL;
diff --git a/audit-2.8.4-usrsbin.patch b/audit-2.8.4-usrsbin.patch
new file mode 100644
index 0000000..8e95856
--- /dev/null
+++ b/audit-2.8.4-usrsbin.patch
@@ -0,0 +1,61 @@
+diff -Nru audit-2.8.4.orig/init.d/auditd.conf audit-2.8.4/init.d/auditd.conf
+--- audit-2.8.4.orig/init.d/auditd.conf	2018-05-21 19:38:08.000000000 +0200
++++ audit-2.8.4/init.d/auditd.conf	2019-01-05 08:37:15.638139602 +0100
+@@ -13,7 +13,7 @@
+ num_logs = 5
+ priority_boost = 4
+ disp_qos = lossy
+-dispatcher = /sbin/audispd
++dispatcher = /usr/sbin/audispd
+ name_format = NONE
+ ##name = mydomain
+ max_log_file_action = ROTATE
+diff -Nru audit-2.8.4.orig/init.d/auditd.cron audit-2.8.4/init.d/auditd.cron
+--- audit-2.8.4.orig/init.d/auditd.cron	2018-05-21 19:38:08.000000000 +0200
++++ audit-2.8.4/init.d/auditd.cron	2019-01-05 08:39:37.092758696 +0100
+@@ -5,7 +5,7 @@
+ # based on a cron job.
+ ##########
+ 
+-/sbin/service auditd rotate
++/usr/sbin/service auditd rotate
+ EXITVALUE=$?
+ if [ $EXITVALUE != 0 ]; then
+     /usr/bin/logger -t auditd "ALERT exited abnormally with [$EXITVALUE]"
+diff -Nru audit-2.8.4.orig/init.d/auditd.service audit-2.8.4/init.d/auditd.service
+--- audit-2.8.4.orig/init.d/auditd.service	2018-06-19 20:16:43.000000000 +0200
++++ audit-2.8.4/init.d/auditd.service	2019-01-05 08:38:06.846363989 +0100
+@@ -13,16 +13,16 @@
+ 
+ [Service]
+ Type=forking
+-PIDFile=/var/run/auditd.pid
+-ExecStart=/sbin/auditd
++PIDFile=/run/auditd.pid
++ExecStart=/usr/sbin/auditd
+ ## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
+ ## and comment/delete the next line and uncomment the auditctl line.
+ ## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
+-ExecStartPost=-/sbin/augenrules --load
+-#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
++ExecStartPost=-/usr/sbin/augenrules --load
++#ExecStartPost=-/usr/sbin/auditctl -R /etc/audit/audit.rules
+ # By default we don't clear the rules on exit. To enable this, uncomment
+ # the next line after copying the file to /etc/systemd/system/auditd.service
+-#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
++#ExecStopPost=/usr/sbin/auditctl -R /etc/audit/audit-stop.rules
+ 
+ [Install]
+ WantedBy=multi-user.target
+diff -Nru audit-2.8.4.orig/init.d/augenrules audit-2.8.4/init.d/augenrules
+--- audit-2.8.4.orig/init.d/augenrules	2018-05-21 19:38:08.000000000 +0200
++++ audit-2.8.4/init.d/augenrules	2019-01-05 08:39:12.764652379 +0100
+@@ -39,7 +39,7 @@
+ 
+ try_load() {
+ 	if [ $LoadRules -eq 1 ] ; then
+-		/sbin/auditctl -R ${DestinationFile}
++		/usr/sbin/auditctl -R ${DestinationFile}
+ 		RETVAL=$?
+ 	fi
+ }
diff --git a/audit.spec b/audit.spec
index a6f7fa7..4663f1c 100644
--- a/audit.spec
+++ b/audit.spec
@@ -1,6 +1,6 @@
 Name:          audit
 Version:       2.8.4
-Release:       1mamba
+Release:       4mamba
 Summary:       User space tools for kernel auditing
 Group:         System/Tools
 Vendor:        openmamba
@@ -8,7 +8,8 @@ Distribution:  openmamba
 Packager:      Silvan Calarco <silvan.calarco@mambasoft.it>
 URL:           http://people.redhat.com/sgrubb/audit
 Source:        http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
-Patch0:        libaudit-2.6.6-usrsbin.patch
+Patch0:        audit-2.8.4-usrsbin.patch
+Patch1:        audit-2.8.4-rundir.patch
 License:       GPL, LGPL
 ## AUTOBUILDREQ-BEGIN
 BuildRequires: glibc-devel
@@ -101,10 +102,8 @@ The audispd-plugins package provides plugins for the real-time interface to the
 
 %prep
 %setup -q
-#%patch0 -p1
-
-# Fix auditctl path in augenrules
-sed -i "s|[[:space:]]/sbin/auditctl | %{_sbindir}/auditctl |" init.d/augenrules
+%patch0 -p1
+%patch1 -p1
 
 %build
 #autoreconf -v --install
@@ -114,9 +113,7 @@ sed -i "s|[[:space:]]/sbin/auditctl | %{_sbindir}/auditctl |" init.d/augenrules
   --enable-gssapi-krb5=yes \
   --with-libcap-ng=yes \
   --with-python=yes \
-  --enable-systemd=yes \
-  --bindir=/bin \
-  --sbindir=/sbin
+  --enable-systemd=yes
   
 %make
 
@@ -182,17 +179,17 @@ find /etc/rc[0-6].d/ -type l -xtype l -exec rm -f {} \;
 %dir %{_libexecdir}/initscripts/legacy-actions/auditd
 %{_libexecdir}/initscripts/legacy-actions/auditd/*
 %attr(750,root,root) %dir %{_localstatedir}/log/audit
-%attr(750,root,root) /sbin/audispd
-%attr(750,root,root) /sbin/auditctl
-%attr(750,root,root) /sbin/auditd
-%attr(750,root,root) /sbin/augenrules
-%attr(750,root,root) /sbin/aureport
-%attr(750,root,root) /sbin/ausearch
-%attr(750,root,root) /sbin/autrace
-%attr(755,root,root) /bin/aulast
-%attr(755,root,root) /bin/aulastlog
-%attr(755,root,root) /bin/ausyscall
-%attr(750,root,root) /bin/auvirt
+%attr(750,root,root) %{_sbindir}/audispd
+%attr(750,root,root) %{_sbindir}/auditctl
+%attr(750,root,root) %{_sbindir}/auditd
+%attr(750,root,root) %{_sbindir}/augenrules
+%attr(750,root,root) %{_sbindir}/aureport
+%attr(750,root,root) %{_sbindir}/ausearch
+%attr(750,root,root) %{_sbindir}/autrace
+%attr(755,root,root) %{_bindir}/aulast
+%attr(755,root,root) %{_bindir}/aulastlog
+%attr(755,root,root) %{_bindir}/ausyscall
+%attr(750,root,root) %{_bindir}/auvirt
 %dir %{_prefix}/lib/golang/src/pkg/redhat.com/audit
 %{_mandir}/man5/audispd.conf.5*
 %{_mandir}/man5/auditd.conf.5*
@@ -262,9 +259,9 @@ find /etc/rc[0-6].d/ -type l -xtype l -exec rm -f {} \;
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/au-prelude.conf
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/audisp-remote.conf
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/au-remote.conf
-%attr(750,root,root) /sbin/audispd-zos-remote
-%attr(750,root,root) /sbin/audisp-prelude
-%attr(750,root,root) /sbin/audisp-remote
+%attr(750,root,root) %{_sbindir}/audispd-zos-remote
+%attr(750,root,root) %{_sbindir}/audisp-prelude
+%attr(750,root,root) %{_sbindir}/audisp-remote
 %{_mandir}/man5/zos-remote.conf.5*
 %{_mandir}/man8/audispd-zos-remote.8*
 %{_mandir}/man5/audisp-prelude.conf.5*
@@ -273,6 +270,15 @@ find /etc/rc[0-6].d/ -type l -xtype l -exec rm -f {} \;
 %{_mandir}/man8/audisp-remote.8*
 
 %changelog
+* Sat Jan 05 2019 Silvan Calarco <silvan.calarco@mambasoft.it> 2.8.4-4mamba
+- apply path for /usr/sbin and rundir under /run
+
+* Fri Jan 04 2019 Silvan Calarco <silvan.calarco@mambasoft.it> 2.8.4-3mamba
+- other fix for auditd.service /usr/sbin path instead of /sbin
+
+* Sun Dec 30 2018 Silvan Calarco <silvan.calarco@mambasoft.it> 2.8.4-2mamba
+- install binaries under /usr/sbin and /usr/bin
+
 * Wed Sep 12 2018 Automatic Build System <autodist@mambasoft.it> 2.8.4-1mamba
 - automatic version update by autodist
 
diff --git a/libaudit-2.6.6-usrsbin.patch b/libaudit-2.6.6-usrsbin.patch
deleted file mode 100644
index c740e19..0000000
--- a/libaudit-2.6.6-usrsbin.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-diff -Nru audit-2.4.4.orig/init.d/auditd.conf audit-2.4.4/init.d/auditd.conf
---- audit-2.4.4.orig/init.d/auditd.conf	2015-08-13 22:56:25.000000000 +0200
-+++ audit-2.4.4/init.d/auditd.conf	2015-12-01 19:54:24.403584662 +0100
-@@ -10,7 +10,7 @@
- freq = 20
- num_logs = 5
- disp_qos = lossy
--dispatcher = /sbin/audispd
-+dispatcher = /usr/sbin/audispd
- name_format = NONE
- ##name = mydomain
- max_log_file = 6 
---- audit-2.6.6/init.d/auditd.service.orig	2016-08-11 19:51:33.493168550 +0200
-+++ audit-2.6.6/init.d/auditd.service	2016-08-12 00:43:16.758055860 +0200
-@@ -9,12 +9,12 @@
- Documentation=man:auditd(8) https://people.redhat.com/sgrubb/audit/
- 
- [Service]
--ExecStart=/sbin/auditd -n
-+ExecStart=/usr/sbin/auditd -n
- ## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
- ## and comment/delete the next line and uncomment the auditctl line.
- ## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
--ExecStartPost=-/sbin/augenrules --load
--#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
-+ExecStartPost=-/usr/sbin/augenrules --load
-+#ExecStartPost=-/usr/sbin/auditctl -R /etc/audit/audit.rules
- ExecReload=/bin/kill -HUP $MAINPID
- # By default we don't clear the rules on exit. To enable this, uncomment
- # the next line after copying the file to /etc/systemd/system/auditd.service