diff --git a/packages/default.nix b/packages/default.nix index 6c7f4d1993..0fcc711e2d 100644 --- a/packages/default.nix +++ b/packages/default.nix @@ -89,6 +89,7 @@ rec { copyToRoot = with dockerTools; [ caCertificates ]; config = { Cmd = [ "${nunki.coordinator}/bin/coordinator" ]; + Env = [ "PATH=/bin" ]; # This is only here for policy generation. }; }; initializer = dockerTools.buildImage { @@ -97,6 +98,7 @@ rec { copyToRoot = with dockerTools; [ caCertificates ]; config = { Cmd = [ "${nunki.initializer}/bin/initializer" ]; + Env = [ "PATH=/bin" ]; # This is only here for policy generation. }; }; @@ -106,6 +108,7 @@ rec { copyToRoot = [ openssl bash coreutils ncurses bashInteractive vim procps ]; config = { Cmd = [ "bash" ]; + Env = [ "PATH=/bin" ]; }; }; port-forwarder = dockerTools.buildImage { diff --git a/packages/genpolicy_msft.nix b/packages/genpolicy_msft.nix index 25713848ac..8121056ee0 100644 --- a/packages/genpolicy_msft.nix +++ b/packages/genpolicy_msft.nix @@ -49,6 +49,7 @@ rustPlatform.buildRustPackage rec { postFetch = "install -D $downloadedFile $out/genpolicy-settings.json"; }; + # Settings that allow exec into CVM pods - not safe for production use! settings-dev = applyPatches { src = settings; patches = [ ./genpolicy_msft_settings_dev.patch ]; diff --git a/packages/genpolicy_msft_settings_dev.patch b/packages/genpolicy_msft_settings_dev.patch index 270db0a9be..39395a4e6b 100644 --- a/packages/genpolicy_msft_settings_dev.patch +++ b/packages/genpolicy_msft_settings_dev.patch @@ -4,27 +4,6 @@ new mode 100644 index 7a732b1..0dd0457 --- a/genpolicy-settings.json 
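Review bot: The comment `# This is only here for policy generation.` on the new `Env` line of the coordinator image understates what the line does: `Env` is written into the OCI image config, so every container started from this image runs with `PATH=/bin`, not only the policy generator. The binary itself is launched by absolute path in `Cmd`, so the value is presumably pinned so that the environment the policy tool records and the environment the runtime passes agree now that this commit drops the `.*` entry from the dev `allow_env_regex`. Suggest `# Pinned so the image env is explicit and matches what genpolicy records in the policy; the binary is started by absolute path and does not need it.` Since the value ends up in the enforced policy, a later change to it needs the policy regenerated, which the comment could also say.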
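Review bot: The initializer hunk repeats the same `Env = [ "PATH=/bin" ];` literal and comment as the coordinator image, and the two must stay identical if both are consumed by the same policy generation, which nothing currently enforces. Since both images live in the enclosing `rec { ... }` set (its start is outside the hunk), a single binding such as `policyEnv = [ "PATH=/bin" ];` referenced as `Env = policyEnv;` from each image would keep them from drifting. The comment explaining why the variable is pinned would then live once, next to the binding.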
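Review bot: The `Env = [ "PATH=/bin" ];` added to the bash/openssl image carries no comment, unlike the two images above it, although its reason appears to differ: here `Cmd = [ "bash" ]` is a bare name and the tools from `copyToRoot` end up under `/bin`, so OCI runtimes will generally need `PATH` to resolve the command and the shell needs it to find `openssl`, `vim` and the coreutils. Suggest `# Needed at runtime: Cmd is a bare name and the copied tools live in /bin; it also fixes the env that policy generation records.` so a reader does not assume it can be dropped along with the policy-only pins above.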
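Review bot: The new warning `# Settings that allow exec into CVM pods - not safe for production use!` above `settings-dev` names the consequence but not what is relaxed, which is what a reader deciding whether to build with it needs. The patch it applies (`./genpolicy_msft_settings_dev.patch`, changed in this same commit) now appears to touch only the `ExecProcessRequest` defaults, so the comment could say so and add that any policy generated from these settings inherits the relaxation: `# Dev-only: widens ExecProcessRequest so exec into CVM pods is allowed; policies generated with these settings are not safe for production.` If the patch later relaxes more, the comment is the only place that tells a reader to look.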
 +++ b/genpolicy-settings.json
-@@ -282,19 +282,7 @@
- "request_defaults": {
- "CreateContainerRequest": {
- "allow_env_regex": [
-- "^HOSTNAME=$(dns_label)$",
-- "^$(svc_name)_PORT_$(ip_p)_TCP=tcp://$(ipv4_a):$(ip_p)$",
-- "^$(svc_name)_PORT_$(ip_p)_TCP_PROTO=tcp$",
-- "^$(svc_name)_PORT_$(ip_p)_TCP_PORT=$(ip_p)$",
-- "^$(svc_name)_PORT_$(ip_p)_TCP_ADDR=$(ipv4_a)$",
-- "^$(svc_name)_SERVICE_HOST=$(ipv4_a)$",
-- "^$(svc_name)_SERVICE_PORT=$(ip_p)$",
-- "^$(svc_name)_SERVICE_PORT_$(dns_label)=$(ip_p)$",
-- "^$(svc_name)_PORT=tcp://$(ipv4_a):$(ip_p)$",
-- "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
-- "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
-- "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
-- "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$"
-+ ".*"
- ]
- },
- "CopyFileRequest": [
 @@ -302,10 +290,12 @@
 ],
 "ExecProcessRequest": {
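Review bot: After dropping the first inner hunk (`@@ -282,19 +282,7 @@`, a 12-line shrink of the new side), the retained inner header `@@ -302,10 +290,12 @@` still carries a new-side start computed on top of that deleted hunk; with it gone the new side should start at 302 as well. `patch` will usually still find the context and apply with an offset, but the header is now wrong on its face and the inner `index 7a732b1..0dd0457` line is likely stale too, so regenerating the patch from a fresh `git diff` against the settings file would be cleaner than hand-editing it. Restoring the upstream `allow_env_regex` list instead of `.*` is the right direction; it is the reason the images now have to pin `PATH` explicitly.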