diff --git a/oz-init/init.go b/oz-init/init.go
index 397eef5..47f8e6d 100644
--- a/oz-init/init.go
+++ b/oz-init/init.go
@@ -628,7 +628,7 @@ func (st *initState) setupFilesystem(extra []oz.WhitelistItem) error {
 if st.config.UseFullDev {
 mo.add(fs.MountFullDev)
 }
- mo.add(fs.MountShm, fs.MountTmp, fs.MountPts)
+ mo.add(fs.MountShm, /*fs.MountTmp, */fs.MountPts)
 if !st.profile.NoSysProc {
 mo.add(fs.MountProc, fs.MountSys)
 }
diff --git a/oz-init/rootfs.go b/oz-init/rootfs.go
index 3d4fc2d..7380fb7 100644
--- a/oz-init/rootfs.go
+++ b/oz-init/rootfs.go
@@ -131,6 +131,12 @@ func setupRootfs(fsys *fs.Filesystem, uid, gid uint32, useFullDev bool) error {
 }
 }
 
+ tp := path.Join(fsys.Root(), "/tmp")
+ tflags := uintptr(syscall.MS_NODEV | syscall.MS_NOSUID | syscall.MS_NOEXEC | syscall.MS_REC)
+ if err := syscall.Mount("", tp, "tmpfs", tflags, "mode=777"); err != nil {
+ return err
+ }
+
 for _, sl := range append(basicSymlinks, deviceSymlinks...) {
 if err := fsys.CreateSymlink(sl[0], sl[1]); err != nil {
 return err
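Review bot: The `mo.add` call keeps the removed argument as a commented-out fragment (`/*fs.MountTmp, */`), which leaves dead code inside the argument list and gives no reason why /tmp is no longer mounted from setupFilesystem. Drop the fragment and record where the mount moved instead, e.g. `mo.add(fs.MountShm, fs.MountPts) // /tmp is now a tmpfs mounted by setupRootfs (rootfs.go)`. If `fs.MountTmp` has no remaining users after this change, it can presumably be deleted as well. setupFilesystem starts and continues outside the hunk.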
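Review bot: The tmpfs mounted on /tmp uses `mode=777`, which makes the directory world-writable without the sticky bit, so any process in the sandbox can remove or rename entries created by another; the conventional setting for a shared temporary directory is `"mode=1777"`. The mount also passes no `size=` option, so a runaway writer can grow the tmpfs without bound and consume host memory — consider `"mode=1777,size=<SIZE_PLACEHOLDER>"` with a limit chosen per profile. `MS_REC` appears to have no effect on a fresh tmpfs mount (it applies to bind and propagation operations) and could be dropped from `tflags`, and the bare `return err` loses which mount failed, so wrapping it with `tp` would make failures easier to diagnose. setupRootfs starts and continues outside the hunk.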