diff --git a/libssu/ssu.cpp b/libssu/ssu.cpp
index 7b50382..212ad8a 100644
--- a/libssu/ssu.cpp
+++ b/libssu/ssu.cpp
@@ -16,6 +16,7 @@ #include #include "ssu.h" +#include "sandbox_p.h" #include "ssulog.h" #include "ssuvariables.h" #include "ssucoreconfig.h"
@@ -474,6 +475,8 @@ void Ssu::storeAuthorizedKeys(QByteArray data){ } else return; + homePath = Sandbox::map(homePath); + if (dir.exists(homePath + "/.ssh/authorized_keys")){ ssuLog->print(LOG_DEBUG, QString(".ssh/authorized_keys already exists in %1") .arg(homePath));
diff --git a/libssu/ssudeviceinfo.cpp b/libssu/ssudeviceinfo.cpp
index d37446a..bdc2a51 100644
--- a/libssu/ssudeviceinfo.cpp
+++ b/libssu/ssudeviceinfo.cpp
@@ -15,6 +15,7 @@ extern "C" { #include } +#include "sandbox_p.h" #include "ssudeviceinfo.h" #include "ssucoreconfig.h" #include "ssulog.h"
@@ -165,7 +166,7 @@ QString SsuDeviceInfo::deviceModel(){ // check if the device can be identified by testing for a file foreach (const QString &key, keys){ QString value = boardMappings->value(key).toString(); - if (dir.exists(value)){ + if (dir.exists(Sandbox::map(value))){ cachedModel = key; break; }
@@ -224,7 +225,7 @@ QString SsuDeviceInfo::deviceModel(){ */ // check if the device can be identified by a string in /proc/cpuinfo - procCpuinfo.setFileName("/proc/cpuinfo"); + procCpuinfo.setFileName(Sandbox::map("/proc/cpuinfo")); procCpuinfo.open(QIODevice::ReadOnly | QIODevice::Text); if (procCpuinfo.isOpen()){ QTextStream in(&procCpuinfo);
diff --git a/libssu/ssurepomanager.cpp b/libssu/ssurepomanager.cpp
index 720aeee..8567525 100644
--- a/libssu/ssurepomanager.cpp
+++ b/libssu/ssurepomanager.cpp
@@ -9,6 +9,7 @@ #include #include +#include "sandbox_p.h" #include "ssudeviceinfo.h" #include "ssurepomanager.h" #include "ssucoreconfig.h"
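Review bot: Ssu::storeAuthorizedKeys() now takes the directory it creates `.ssh/authorized_keys` in from `Sandbox::map(homePath)`, and nothing in this hunk shows when that mapping is the identity. sandbox_p.h is not visible here, so this is an assumption to confirm: if the sandbox can be switched on from outside the test suite (for example through the process environment), the location of the SSH key file and of the preceding existence check would follow that setting in production too. A comment above the call such as `// identity unless a test sandbox has been activated explicitly; never active in installed binaries` would document the trust boundary, and the same applies to the mapped paths in ssudeviceinfo.cpp, ssurepomanager.cpp and ssuurlresolver.cpp. The function body starts and ends outside the hunk.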
@@ -154,7 +155,7 @@ void SsuRepoManager::update(){ // assume configuration error if there are no device repos, and don't delete // anything, even in strict mode if ((deviceMode & Ssu::LenientMode) != Ssu::LenientMode && !repos.isEmpty()){ - QDirIterator it(ZYPP_REPO_PATH, QDir::AllEntries|QDir::NoDot|QDir::NoDotDot); + QDirIterator it(Sandbox::map(ZYPP_REPO_PATH), QDir::AllEntries|QDir::NoDot|QDir::NoDotDot); while (it.hasNext()){ it.next(); if (it.fileName().left(4) != "ssu_"){
@@ -166,7 +167,7 @@ void SsuRepoManager::update(){ // ... delete all ssu-managed repositories not valid for this device ... ssuFilters.append("ssu_*"); - QDirIterator it(ZYPP_REPO_PATH, ssuFilters); + QDirIterator it(Sandbox::map(ZYPP_REPO_PATH), ssuFilters); while (it.hasNext()){ QString f = it.next();
@@ -192,7 +193,7 @@ void SsuRepoManager::update(){ } QString repoFilePath = QString("%1/ssu_%2_%3.repo") - .arg(ZYPP_REPO_PATH) + .arg(Sandbox::map(ZYPP_REPO_PATH)) .arg(repo) .arg(rndMode ? "rnd" : "release");
diff --git a/ssuurlresolver/ssuurlresolver.cpp b/ssuurlresolver/ssuurlresolver.cpp
index be9dc25..30d9826 100644
--- a/ssuurlresolver/ssuurlresolver.cpp
+++ b/ssuurlresolver/ssuurlresolver.cpp
@@ -12,6 +12,7 @@ #include #include +#include "libssu/sandbox_p.h" #include "libssu/ssulog.h" SsuUrlResolver::SsuUrlResolver(): QObject(){
@@ -30,7 +31,16 @@ void SsuUrlResolver::error(QString message){ QCoreApplication::exit(1); } -bool SsuUrlResolver::writeCredentials(QString filePath, QString credentialsScope){ +bool SsuUrlResolver::writeZyppCredentialsIfNeeded(QString credentialsScope){ + QString filePath = Sandbox::map("/etc/zypp/credentials.d/" + credentialsScope); + QFileInfo credentialsFileInfo(filePath); + + if (credentialsFileInfo.exists() && + credentialsFileInfo.lastModified() > ssu.lastCredentialsUpdate()){ + // zypp credentials up to date + return true; + } + QFile credentialsFile(filePath); QPair credentials = ssu.credentials(credentialsScope); SsuLog *ssuLog = SsuLog::instance();
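Review bot: `Sandbox::map(ZYPP_REPO_PATH)` is now spelled out three times in SsuRepoManager::update() (in this hunk and in the ones at -166 and -192), so the directory scanned for deletion and the directory new .repo files are written to agree only by repetition. Computing it once near the top of update(), `const QString zyppRepoPath = Sandbox::map(ZYPP_REPO_PATH);`, and passing that to both QDirIterator constructors and to the `.arg(...)` call would keep the delete and write paths tied together. update() starts and ends outside these hunks.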
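Review bot: In writeZyppCredentialsIfNeeded() the scope is concatenated straight into `"/etc/zypp/credentials.d/" + credentialsScope` with no check that it is a single file name. Where the scope comes from is not visible here (run() obtains it from `ssu.credentialsScope(repo, isRnd)`), so if repository configuration can influence it, a value containing a path separator would place the credentials file outside credentials.d. Now that this function owns the path construction, a guard at its top such as `if (credentialsScope.isEmpty() || credentialsScope.contains('/')) return false;` would pin that down. The function body continues past the end of the hunk.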
@@ -126,12 +136,7 @@ void SsuUrlResolver::run(){ QString credentialsScope = ssu.credentialsScope(repo, isRnd); if (!credentialsScope.isEmpty()){ headerList.append(QString("credentials=%1").arg(credentialsScope)); - - QFileInfo credentialsFileInfo("/etc/zypp/credentials.d/" + credentialsScope); - if (!credentialsFileInfo.exists() || - credentialsFileInfo.lastModified() <= ssu.lastCredentialsUpdate()){ - writeCredentials(credentialsFileInfo.filePath(), credentialsScope); - } + writeZyppCredentialsIfNeeded(credentialsScope); } else ssuLog->print(LOG_DEBUG, "Skipping credential update due to missing credentials scope"); }
diff --git a/ssuurlresolver/ssuurlresolver.h b/ssuurlresolver/ssuurlresolver.h
index db45d2e..ef65492 100644
--- a/ssuurlresolver/ssuurlresolver.h
+++ b/ssuurlresolver/ssuurlresolver.h
@@ -55,7 +55,7 @@ class SsuUrlResolver: public QObject { Ssu ssu; void error(QString message); void printJournal(int priority, QString message); - bool writeCredentials(QString filePath, QString credentialsScope); + bool writeZyppCredentialsIfNeeded(QString credentialsScope); public slots: void run();
diff --git a/tests/ut_rndssucli/rndssuclitest.cpp b/tests/ut_rndssucli/rndssuclitest.cpp
index 6ac423f..7966c91 100644
--- a/tests/ut_rndssucli/rndssuclitest.cpp
+++ b/tests/ut_rndssucli/rndssuclitest.cpp
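Review bot: The bool returned by `writeZyppCredentialsIfNeeded(credentialsScope)` in run() is discarded, although the `credentials=%1` header has already been appended to headerList by then. If the write fails, zypp is pointed at a credentials file that is missing or stale, and the failure only surfaces later as an authentication error. Whether the callee logs its own failures is not visible in this diff; checking the result here, e.g. `if (!writeZyppCredentialsIfNeeded(credentialsScope)) ssuLog->print(LOG_WARNING, "Failed to update zypp credentials");`, would make the cause visible. run() starts and ends outside the hunk.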
@@ -26,9 +26,39 @@ void RndSsuCliTest::init(){ QFAIL("Failed to activate sandbox"); } setenv("LD_PRELOAD", qPrintable(QString("%1/libsandboxhook.so").arg(TESTS_PATH)), 1); + + m_bus = new QProcess(this); + m_bus->start("dbus-daemon", + Args() << "--session" << "--nofork" << "--nopidfile" << "--print-address"); + if (!m_bus->waitForReadyRead()){ + QFAIL("Failed to run sandboxed D-Bus instance"); + } + const QByteArray busAddress = m_bus->readAllStandardOutput(); + setenv("DBUS_SESSION_BUS_ADDRESS", busAddress.constData(), 1); + setenv("DBUS_SYSTEM_BUS_ADDRESS", busAddress.constData(), 1); + + m_ssud = new QProcess(this); + m_ssud->start("ssud"); + if (!m_ssud->waitForStarted()){ + QFAIL("Failed to run sandboxed ssud instance"); + } } void RndSsuCliTest::cleanup(){ + if (m_ssud->state() != QProcess::Running){ + QFAIL("Sandboxed ssud instance exited unexpectedly"); + } + delete m_ssud; + m_ssud = 0; + + if (m_bus->state() != QProcess::Running){ + QFAIL("Sandboxed D-Bus instance exited unexpectedly"); + } + unsetenv("DBUS_SESSION_BUS_ADDRESS"); + unsetenv("DBUS_SYSTEM_BUS_ADDRESS"); + delete m_bus; + m_bus = 0; + delete m_sandbox; m_sandbox = 0; }
diff --git a/tests/ut_rndssucli/rndssuclitest.h b/tests/ut_rndssucli/rndssuclitest.h
index aee55f4..ece6ff9 100644
--- a/tests/ut_rndssucli/rndssuclitest.h
+++ b/tests/ut_rndssucli/rndssuclitest.h
@@ -10,6 +10,8 @@ #include +class QProcess; + class Sandbox; class RndSsuCliTest: public QObject {
@@ -28,6 +30,8 @@ class RndSsuCliTest: public QObject { private: Sandbox *m_sandbox; + QProcess *m_bus; + QProcess *m_ssud; }; #endif
diff --git a/tests/ut_urlresolver/urlresolvertest.cpp b/tests/ut_urlresolver/urlresolvertest.cpp
index fa7a020..7e48d2a 100644
--- a/tests/ut_urlresolver/urlresolvertest.cpp
+++ b/tests/ut_urlresolver/urlresolvertest.cpp
@@ -10,6 +10,7 @@ #include #include "constants.h" +#include "libssu/sandbox_p.h" #include "testutils/process.h" void UrlResolverTest::initTestCase(){
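Review bot: In cleanup(), each `QFAIL` returns from the function on the spot, so when ssud or the bus has died the rest of the teardown is skipped: both DBUS_*_BUS_ADDRESS variables stay set, the QProcess objects are not deleted, and `m_sandbox` is not deleted before the next test runs. Recording both process states first, tearing everything down, and reporting the failure last keeps one failed test from leaking its environment into the following ones. Separately, in init() the output of `--print-address` ends with a newline, so the exported value should be trimmed: `const QByteArray busAddress = m_bus->readAllStandardOutput().trimmed();`.

```cpp
void RndSsuCliTest::cleanup(){
  // QFAIL returns immediately, so capture the state first and report last.
  const bool ssudAlive = m_ssud->state() == QProcess::Running;
  const bool busAlive = m_bus->state() == QProcess::Running;

  // … unchanged: delete m_ssud, unsetenv of both bus addresses, delete m_bus, delete m_sandbox …

  if (!ssudAlive){
    QFAIL("Sandboxed ssud instance exited unexpectedly");
  }
  if (!busAlive){
    QFAIL("Sandboxed D-Bus instance exited unexpectedly");
  }
}
```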
@@ -243,45 +244,12 @@ void UrlResolverTest::checkSetCredentials(){ } void UrlResolverTest::checkStoreAuthorizedKeys(){ - struct Cleanup { - ~Cleanup(){ - if (!tempHomePath.isEmpty()){ - Process rmtemp; - rmtemp.execute("rm", QStringList() << "-rf" << tempHomePath); - if (rmtemp.hasError()){ - qWarning("%s: Failed to remove temporary directory '%s': %s", Q_FUNC_INFO, - tempHomePath.constData(), qPrintable(rmtemp.fmtErrorMessage())); - } - - if (!qputenv("HOME", originalHomePath)){ - qFatal("%s: Failed to restore HOME environment variable", Q_FUNC_INFO); - } - } - } - - QByteArray originalHomePath; - QByteArray tempHomePath; - } cleanup; - - // Temporarily change HOME path so Ssu::storeAuthorizedKeys() does not touch - // real home directory - cleanup.originalHomePath = qgetenv("HOME"); - QVERIFY(!cleanup.originalHomePath.isEmpty()); - - Process mktemp; - cleanup.tempHomePath = mktemp.execute("mktemp", - QStringList() << "-t" << "-d" << "ut_urlresolver.temp-home.XXX").trimmed().toLocal8Bit(); - QVERIFY2(!mktemp.hasError(), qPrintable(mktemp.fmtErrorMessage())); - - QVERIFY(qputenv("HOME", cleanup.tempHomePath)); - QVERIFY2(QDir::homePath() == QString(cleanup.tempHomePath), - "QDir::homePath() does not change after qputenv(\"HOME\", \"...\")"); - - // Here starts the test itself + QVERIFY(QDir().mkpath(Sandbox::map(QDir::homePath()))); + QByteArray testData("# test data\n"); ssu.storeAuthorizedKeys(testData); - QFile authorizedKeys(QDir::home().filePath(".ssh/authorized_keys")); + QFile authorizedKeys(Sandbox::map(QDir::home().filePath(".ssh/authorized_keys"))); QVERIFY(authorizedKeys.open(QIODevice::ReadOnly)); QVERIFY(authorizedKeys.readAll().split('\n').contains(testData.trimmed())); 
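Review bot: checkStoreAuthorizedKeys() now depends entirely on `Sandbox::map()` returning a path inside the sandbox, whereas the removed code guaranteed isolation by pointing HOME at a mktemp directory. Whether a sandbox is active at this point is not visible in the hunk, and if map() falls back to the identity, `ssu.storeAuthorizedKeys(testData)` would append the test data to the real `~/.ssh/authorized_keys` of whoever runs the suite. An explicit precondition before the mkpath call, e.g. `QVERIFY(Sandbox::map(QDir::homePath()) != QDir::homePath());`, would make the test fail instead of touching the real file. The function continues past the end of this hunk.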
@@ -296,7 +264,7 @@ void UrlResolverTest::checkStoreAuthorizedKeys(){ const QFile::Permissions go_rwx = QFile::ReadGroup | QFile::WriteGroup | QFile::ExeGroup | QFile::ReadOther | QFile::WriteOther | QFile::ExeOther; - QVERIFY((QFileInfo(QDir::home().filePath(".ssh")).permissions() & go_rwx) == 0); + QVERIFY((QFileInfo(Sandbox::map(QDir::home().filePath(".ssh"))).permissions() & go_rwx) == 0); } void UrlResolverTest::checkVerifyResponse(){