On Tue, 23 Sept 2025 at 22:45, Ian Pilcher <[email protected]> wrote:
> This was discussed in this issue[1], but the issue was closed without
> any real resolution. (Giving a confined service access to everything
> labeled var_run_t is most definitely not acceptable.)

Sorry, but this is a self-imposed restriction that doesn't need to be in place. You can absolutely change the policy to allow that access. If you want to sandbox a service, you can use the appropriate sandboxing properties, like TemporaryFilesystem=/run/ and then only BindPaths= the individual things you want it to access. If you don't want to change the policy to allow a service to access creds, then yeah, there's not much to do, but there's no reason not to.
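
The sandboxing approach described in the reply above, written out as a unit drop-in. This is an added example, not part of the original message; the unit name `example.service` and every path under /run are assumptions chosen for illustration.

```ini
# Constructed drop-in, e.g.
#   /etc/systemd/system/example.service.d/10-run-sandbox.conf
# "example.service" and all paths below are hypothetical.

[Service]
# Give the service its own empty tmpfs on /run. Nothing from the host's
# /run is visible inside the service's mount namespace unless it is
# explicitly bound back in below.
TemporaryFilesystem=/run

# Read-write: only the service's own runtime directory.
BindPaths=/run/example

# Read-only: the one socket the service needs to reach.
BindReadOnlyPaths=/run/dbus/system_bus_socket

# A leading "-" tells systemd to skip this bind when the source path
# does not exist, instead of failing the unit at start.
BindReadOnlyPaths=-/run/example-optional
```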
