diff --git a/cmd/vetting/main.go b/cmd/vetting/main.go
index f4e9edf..00036ca 100644
--- a/cmd/vetting/main.go
+++ b/cmd/vetting/main.go
@@ -136,9 +136,15 @@ func main() {
 		Interval:          time.Duration(cfg.Janitor.IntervalMinutes) * time.Minute,
 	}, &janitor.StoreAdapter{Runs: runStore, Artifacts: artifactStore, Logs: logHub})
 
+	// Anchor tftp_root and the pxe runtime dir under artifacts.dir's
+	// parent (typically /var/lib/vetting), not logs.dir's parent. The
+	// production systemd unit's ReadWritePaths=/var/lib/vetting /var/log/vetting
+	// sandbox forbids writing outside those trees, so deriving from
+	// /var/log/vetting would land us at /var/log/{tftp,pxe} — unwritable.
+	stateRoot := filepath.Dir(cfg.Artifacts.Dir)
 	tftpRoot := cfg.PXE.TFTPRoot
 	if tftpRoot == "" {
-		tftpRoot = filepath.Join(cfg.Logs.Dir, "..", "tftp")
+		tftpRoot = filepath.Join(stateRoot, "tftp")
 	}
 	var supervisor *pxe.Supervisor
 	if cfg.PXE.Enabled {
@@ -147,7 +153,7 @@ func main() {
 			Interface:       cfg.PXE.Interface,
 			DHCPRange:       cfg.PXE.DHCPRange,
 			OrchestratorURL: cfg.PXE.OrchestratorURL,
-			RuntimeDir:      filepath.Join(cfg.Logs.Dir, "..", "pxe"),
+			RuntimeDir:      filepath.Join(stateRoot, "pxe"),
 			TFTPRoot:        tftpRoot,
 			LiveDir:         cfg.PXE.LiveDir,
 		})