diff --git a/hosts/common/programs/avahi.nix b/hosts/common/programs/avahi.nix
index 78bf7e2d3..abb3e4b74 100644
--- a/hosts/common/programs/avahi.nix
+++ b/hosts/common/programs/avahi.nix
@@ -16,6 +16,9 @@
     sandbox.method = "bwrap";
     sandbox.whitelistDbus = [ "system" ];
     sandbox.net = "all";  #< otherwise it will show 'null' in place of each interface name.
+    sandbox.extraPaths = [
+      "/"  #< else the daemon exits immediately. TODO: decrease this scope.
+    ];
   };
   services.avahi = lib.mkIf config.sane.programs.avahi.enabled {
     enable = true;
diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index ca2c63933..15f6b9402 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -67,8 +67,9 @@ let
           "/run/systemd/resolve"  #< to allow reading /etc/resolv.conf, which ultimately symlinks here (if using systemd-resolved)
         ] ++ lib.optionals (sandbox.net == "all" && config.services.avahi.enable) [
           "/var/run/avahi-daemon"  #< yes, it has to be "/var/run/...". required for nss (e.g. `getent hosts desko.local`)
-        ] ++ lib.optionals (builtins.elem "system" sandbox.whitelistDbus) [ "/run/dbus/system_bus_socket" ]
-          ++ sandbox.extraPaths
+        ] ++ lib.optionals (builtins.elem "system" sandbox.whitelistDbus) [
+          "/var/run/dbus/system_bus_socket"  #< XXX: use /var/run/..., for the rare program which requires that (i.e. avahi users)
+        ] ++ sandbox.extraPaths
         ;
 
         sandboxArgs = makeSandboxArgs {