From c9ef8573be8e170fc0166d58406c4f9805fa323e Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 4 Apr 2018 10:14:25 +0200
Subject: [PATCH] namespace: don't consider raw image read-only if /home in it is writable

---
 src/core/namespace.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/core/namespace.c b/src/core/namespace.c
index e138d3ba02..0cce2b4584 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -1105,7 +1105,9 @@ int setup_namespace(
 if (root_image) {
 dissect_image_flags |= DISSECT_IMAGE_REQUIRE_ROOT;
- if (protect_system == PROTECT_SYSTEM_STRICT && strv_isempty(read_write_paths))
+ if (protect_system == PROTECT_SYSTEM_STRICT &&
+ protect_home != PROTECT_HOME_NO &&
+ strv_isempty(read_write_paths))
 dissect_image_flags |= DISSECT_IMAGE_READ_ONLY;
 r = loop_device_make_by_path(root_image,
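Review bot: The new three-way condition on DISSECT_IMAGE_READ_ONLY has no comment explaining why ProtectHome= participates in a decision that is otherwise about ProtectSystem=strict and ReadWritePaths=, and the commit title only hints at it; a reader will not see why a writable /home forces the whole backing image to be attached read-write. I would add above the `if`: `/* Attach the image itself read-only only when nothing inside it may be written to: ProtectSystem=strict makes the hierarchy read-only except what ProtectHome=no leaves writable, and ReadWritePaths= can punch further holes. Keeping the loop device read-only is a second line of defence behind the bind remounts done later. */`. Note that this widens the set of units whose image is attached read-write (every ProtectHome=no unit with ProtectSystem=strict now relies solely on the later read-only remounts to keep the rest of the image immutable), which is the trade-off the comment should make explicit. If other per-unit settings besides ReadWritePaths= can make parts of the image writable, they are not covered by this check either — worth verifying against the rest of setup_namespace, whose body starts and ends outside the hunk.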