diff --git a/src/libpriv/rpmostree-core.c b/src/libpriv/rpmostree-core.c
index 636c31a3b0..0b9966452d 100644
--- a/src/libpriv/rpmostree-core.c
+++ b/src/libpriv/rpmostree-core.c
@@ -3829,6 +3829,11 @@ rpmostree_context_assemble (RpmOstreeContext      *self,
 
   rpmostree_output_progress_end ();
 
+  /* Some packages expect to be able to make temporary files here
+   * for obvious reasons, but we otherwise make `/var` read-only.
+   */
+  if (!glnx_shutil_mkdir_p_at (tmprootfs_dfd, "var/tmp", 0755, cancellable, error))
+    return FALSE;
   if (!rpmostree_rootfs_prepare_links (tmprootfs_dfd, cancellable, error))
     return FALSE;
 
diff --git a/src/libpriv/rpmostree-scripts.c b/src/libpriv/rpmostree-scripts.c
index 5391154b40..7379e811c8 100644
--- a/src/libpriv/rpmostree-scripts.c
+++ b/src/libpriv/rpmostree-scripts.c
@@ -291,7 +291,6 @@ run_script_in_bwrap_container (int rootfs_fd,
   const char *postscript_path_container = glnx_strjoina ("/usr", postscript_name);
   const char *postscript_path_host = postscript_path_container + 1;
   g_autoptr(RpmOstreeBwrap) bwrap = NULL;
-  gboolean created_var_tmp = FALSE;
   gboolean created_var_lib_rpmstate = FALSE;
   glnx_autofd int stdout_fd = -1;
   glnx_autofd int stderr_fd = -1;
@@ -308,29 +307,6 @@ run_script_in_bwrap_container (int rootfs_fd,
       goto out;
     }
 
-  /* We need to make the mount point in the case where we're doing
-   * package layering, since the host `/var` tree is empty.  We
-   * *could* point at the real `/var`...but that seems
-   * unnecessary/dangerous to me.  Daemons that need to perform data
-   * migrations should do them as part of their systemd units and not
-   * in %post.
-   *
-   * Another alternative would be to make a tmpfs with the compat
-   * symlinks.
-   */
-  if (mkdirat (rootfs_fd, "var/tmp", 0755) < 0)
-    {
-      if (errno == EEXIST)
-        ;
-      else
-        {
-          glnx_set_error_from_errno (error);
-          goto out;
-        }
-    }
-  else
-    created_var_tmp = TRUE;
-
   /* And similarly for /var/lib/rpm-state */
   if (var_lib_rpm_statedir)
     {
@@ -455,8 +431,6 @@ run_script_in_bwrap_container (int rootfs_fd,
  out:
   glnx_tmpfile_clear (&buffered_output);
   (void) unlinkat (rootfs_fd, postscript_path_host, 0);
-  if (created_var_tmp)
-    (void) unlinkat (rootfs_fd, "var/tmp", AT_REMOVEDIR);
   if (created_var_lib_rpmstate)
     (void) unlinkat (rootfs_fd, "var/lib/rpm-state", AT_REMOVEDIR);
   return ret;