The Hardening type in Omni/Deploy/Manifest.hs needs a readWritePaths :: [Text] field so services can specify paths that should be writable even with ProtectSystem=strict. Example: Ava needs ReadWritePaths=/var/lib/omni to write to the task database.
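A sketch of how such a field could be rendered into systemd directives, as an added example that is not the project's own code. The reduced Hardening record, the protectSystem field, and the validPath and renderHardening helpers are assumptions; only readWritePaths :: [Text] comes from the task text.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import Data.Text (Text)
import qualified Data.Text as T
import qualified Data.Text.IO as TIO

-- Hypothetical, reduced stand-in for the Hardening record. Only
-- readWritePaths is named in the task; protectSystem is assumed.
data Hardening = Hardening
  { protectSystem :: Text
  , readWritePaths :: [Text]
  }

-- systemd expects absolute paths here; an optional "-" prefix means
-- "ignore if the path does not exist". Whitespace is rejected because
-- the directive takes a space-separated list.
validPath :: Text -> Bool
validPath p =
  let body = maybe p id (T.stripPrefix "-" p)
   in "/" `T.isPrefixOf` body
        && not (T.any (`elem` [' ', '\t', '\n']) body)

-- Render [Service] directives, or report the first invalid path.
-- An empty list emits no ReadWritePaths= line at all.
renderHardening :: Hardening -> Either Text [Text]
renderHardening h =
  case filter (not . validPath) (readWritePaths h) of
    (bad : _) -> Left ("invalid ReadWritePaths entry: " <> bad)
    [] ->
      Right $
        ["ProtectSystem=" <> protectSystem h]
          <> [ "ReadWritePaths=" <> T.unwords (readWritePaths h)
             | not (null (readWritePaths h))
             ]

main :: IO ()
main = do
  -- Constructed sample values mirroring the Ava case from the task.
  let ava = Hardening "strict" ["/var/lib/omni"]
  either TIO.putStrLn (mapM_ TIO.putStrLn) (renderHardening ava)
  -- A relative path is rejected instead of being written to the unit.
  either TIO.putStrLn (mapM_ TIO.putStrLn)
    (renderHardening ava {readWritePaths = ["var/lib/omni"]})
```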
Git Commits
b3d71191 Add ReadWritePaths to Hardening schema (t-317)