diff --git a/src/libostree/ostree-sysroot.c b/src/libostree/ostree-sysroot.c
index 200af99f..21ea1734 100644
--- a/src/libostree/ostree-sysroot.c
+++ b/src/libostree/ostree-sysroot.c
@@ -1771,6 +1771,14 @@ ostree_sysroot_deployment_unlock (OstreeSysroot *self,
   if (!sepolicy)
     return FALSE;
 
+  /* we want our /usr overlay to have the same permission bits as the one we'll shadow */
+  mode_t usr_mode;
+  { struct stat stbuf;
+    if (!glnx_fstatat (deployment_dfd, "usr", &stbuf, 0, error))
+      return FALSE;
+    usr_mode = stbuf.st_mode;
+  }
+
   const char *ovl_options = NULL;
   static const char hotfix_ovl_options[] = "lowerdir=usr,upperdir=.usr-ovl-upper,workdir=.usr-ovl-work";
   switch (unlocked_state)
@@ -1784,9 +1792,9 @@ ostree_sysroot_deployment_unlock (OstreeSysroot *self,
          * directly for hotfixes. The ostree-prepare-root.c helper
          * is also set up to detect and mount these.
          */
-        if (!mkdir_unmasked (deployment_dfd, ".usr-ovl-upper", 0755, cancellable, error))
+        if (!mkdir_unmasked (deployment_dfd, ".usr-ovl-upper", usr_mode, cancellable, error))
           return FALSE;
-        if (!mkdir_unmasked (deployment_dfd, ".usr-ovl-work", 0755, cancellable, error))
+        if (!mkdir_unmasked (deployment_dfd, ".usr-ovl-work", usr_mode, cancellable, error))
           return FALSE;
         ovl_options = hotfix_ovl_options;
       }
@@ -1804,7 +1812,7 @@ ostree_sysroot_deployment_unlock (OstreeSysroot *self,
       {
         g_auto(OstreeSepolicyFsCreatecon) con = { 0, };
         if (!_ostree_sepolicy_preparefscreatecon (&con, sepolicy,
-                                                  "/usr", 0755, error))
+                                                  "/usr", usr_mode, error))
           return FALSE;
 
         if (g_mkdtemp_full (development_ovldir, 0755) == NULL)
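Review bot: `usr_mode = stbuf.st_mode;` in the first hunk copies the whole `st_mode`, which carries the file-type bits (S_IFDIR) and any setuid/setgid/sticky bits in addition to the permission bits the new comment says it wants. mkdir_unmasked is not visible here, but if it applies the mode verbatim (for example via fchmod to defeat the umask), a setgid or sticky bit present on the deployment's /usr would be propagated onto the overlay upper and work directories, something the old literal 0755 could never do. I would reduce the value to permission bits before it reaches mkdir_unmasked, `usr_mode = stbuf.st_mode & 07777;` (or `& 0777` if the special bits should never be copied), and reject a non-directory `usr` up front with `S_ISDIR (stbuf.st_mode)` instead of leaving that to the later overlay mount. The SELinux lookup in the third hunk now receives the same value; if that lookup wants the type bits for label matching, pass it the unmasked `stbuf.st_mode` and keep the masked value only for the mkdir calls. ostree_sysroot_deployment_unlock starts and ends outside these hunks.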
@@ -1812,10 +1820,10 @@ ostree_sysroot_deployment_unlock (OstreeSysroot *self,
       }
 
       development_ovl_upper = glnx_strjoina (development_ovldir, "/upper");
-      if (!mkdir_unmasked (AT_FDCWD, development_ovl_upper, 0755, cancellable, error))
+      if (!mkdir_unmasked (AT_FDCWD, development_ovl_upper, usr_mode, cancellable, error))
         return FALSE;
       development_ovl_work = glnx_strjoina (development_ovldir, "/work");
-      if (!mkdir_unmasked (AT_FDCWD, development_ovl_work, 0755, cancellable, error))
+      if (!mkdir_unmasked (AT_FDCWD, development_ovl_work, usr_mode, cancellable, error))
         return FALSE;
       ovl_options = glnx_strjoina ("lowerdir=usr,upperdir=", development_ovl_upper, ",workdir=", development_ovl_work);