diff --git a/crates/lib/src/deploy.rs b/crates/lib/src/deploy.rs
index b003e70f7..3a6113b53 100644
--- a/crates/lib/src/deploy.rs
+++ b/crates/lib/src/deploy.rs
@@ -464,7 +464,7 @@ pub(crate) async fn cleanup(sysroot: &Storage) -> Result<()> {
 // We create clones (just atomic reference bumps) here to move to the thread.
 let repo = sysroot.repo();
- let sysroot = sysroot.sysroot.clone();
+ let sysroot = sysroot.get_ostree_cloned()?;
 let repo_prune = ostree_ext::tokio_util::spawn_blocking_cancellable_flatten(move |cancellable| {
 let locked_sysroot = &SysrootLock::from_assumed_locked(&sysroot);
@@ -543,7 +543,7 @@ async fn deploy(
 None
 };
 // Clone all the things to move to worker thread
- let sysroot_clone = sysroot.sysroot.clone();
+ let ostree = sysroot.get_ostree_cloned()?;
 // ostree::Deployment is incorrectly !Send 😢 so convert it to an integer
 let merge_deployment = merge_deployment.map(|d| d.index() as usize);
 let stateroot = stateroot.to_string();
@@ -553,7 +553,7 @@ async fn deploy(
 let r = async_task_with_spinner(
 "Deploying",
 spawn_blocking_cancellable_flatten(move |cancellable| -> Result<_> {
- let sysroot = sysroot_clone;
+ let ostree = ostree;
 let stateroot = Some(stateroot);
 let mut opts = ostree::SysrootDeployTreeOpts::default();
@@ -565,11 +565,11 @@ async fn deploy(
 if let Some(kargs) = override_kargs.as_deref() {
 opts.override_kernel_argv = Some(&kargs);
 }
- let deployments = sysroot.deployments();
+ let deployments = ostree.deployments();
 let merge_deployment = merge_deployment.map(|m| &deployments[m]);
 let origin = glib::KeyFile::new();
 origin.load_from_data(&origin_data, glib::KeyFileFlags::NONE)?;
- let d = sysroot.stage_tree_with_options(
+ let d = ostree.stage_tree_with_options(
 stateroot.as_deref(),
 &ostree_commit,
 Some(&origin),
diff --git a/crates/lib/src/store/mod.rs b/crates/lib/src/store/mod.rs
index bd3e8c5aa..989a21399 100644
--- a/crates/lib/src/store/mod.rs
+++ b/crates/lib/src/store/mod.rs
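Review bot: In `cleanup` (crates/lib/src/deploy.rs) the value from `get_ostree_cloned()` is moved into the blocking task and re-wrapped with `SysrootLock::from_assumed_locked(&sysroot)`, but no comment says that the real lock stays with `Storage` and has to outlive the task. I would add above the new line `// Only the handle is cloned; the lock stays with Storage, which must outlive this task.`, and the same above `let ostree = sysroot.get_ostree_cloned()?;` in `deploy`. This is inferred from the name `from_assumed_locked`, whose contract is not on this page. Naming the local `ostree` here, as `deploy` now does, would also stop it shadowing the `&Storage` parameter. The body of `cleanup` continues outside the hunk.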
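Review bot: `let ostree = ostree;` at the top of the worker closure in `deploy` (crates/lib/src/deploy.rs, hunk at line 553) no longer does anything. Before the rename it gave `sysroot_clone` a shorter name; now it rebinds a value to itself, and the closure is already `move`, so the line can be deleted. The closure body continues outside the hunk.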
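Review bot: `merge_deployment.map(|m| &deployments[m])` in the worker closure of `deploy` (crates/lib/src/deploy.rs, hunk at line 565) indexes a list that was just re-read with `ostree.deployments()`, using a position taken earlier from `d.index() as usize` outside the task. If the two lists ever differ in length this panics inside the blocking task, and if they differ in order a different deployment is used as the merge deployment. A checked lookup turns the first case into an error: `let merge_deployment = merge_deployment.map(|m| deployments.get(m).ok_or_else(|| anyhow::anyhow!("merge deployment index {m} out of range"))).transpose()?;`, assuming this file's `Result` is anyhow's, which the page does not show. The line predates this commit and the sysroot lock presumably keeps the list stable, so this is hardening rather than a regression.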
@@ -42,7 +42,7 @@ pub(crate) struct Storage {
 pub physical_root: Dir,
 /// The OSTree storage
- pub sysroot: SysrootLock,
+ ostree: SysrootLock,
 /// The composefs storage
 pub composefs: OnceCell>,
 /// The containers-image storage used foR LBIs
@@ -81,7 +81,7 @@ impl Deref for Storage {
 type Target = SysrootLock;
 fn deref(&self) -> &Self::Target {
- &self.sysroot
+ &self.ostree
 }
 }
@@ -116,7 +116,7 @@ impl Storage {
 Ok(Self {
 physical_root,
- sysroot,
+ ostree: sysroot,
 run,
 composefs: Default::default(),
 store,
@@ -124,14 +124,25 @@ impl Storage {
 })
 }
+ /// Access the underlying ostree repository
+ pub(crate) fn get_ostree(&self) -> Result<&SysrootLock> {
+ Ok(&self.ostree)
+ }
+
+ /// Access the underlying ostree repository
+ pub(crate) fn get_ostree_cloned(&self) -> Result {
+ let r = self.get_ostree()?;
+ Ok((*r).clone())
+ }
+
 /// Access the image storage; will automatically initialize it if necessary.
 pub(crate) fn get_ensure_imgstore(&self) -> Result<&crate::imgstorage::Storage> {
 if let Some(imgstore) = self.imgstore.get() {
 return Ok(imgstore);
 }
- let sysroot_dir = crate::utils::sysroot_dir(&self.sysroot)?;
+ let sysroot_dir = crate::utils::sysroot_dir(&self.ostree)?;
- let sepolicy = if self.sysroot.booted_deployment().is_none() {
+ let sepolicy = if self.ostree.booted_deployment().is_none() {
 // fallback to policy from container root
 // this should only happen during cleanup of a broken install
 tracing::trace!("falling back to container root's selinux policy");
@@ -141,8 +152,8 @@ impl Storage {
 // load the sepolicy from the booted ostree deployment so the imgstorage can be
 // properly labeled with /var/lib/container/storage labels
 tracing::trace!("loading sepolicy from booted ostree deployment");
- let dep = self.sysroot.booted_deployment().unwrap();
- let dep_fs = deployment_fd(&self.sysroot, &dep)?;
+ let dep = self.ostree.booted_deployment().unwrap();
+ let dep_fs = deployment_fd(&self.ostree, &dep)?;
 lsm::new_sepolicy_at(&dep_fs)?
 };
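Review bot: `impl Deref for Storage` (crates/lib/src/store/mod.rs, hunk at line 81) still hands out `&self.ostree` unconditionally, so making the field private does not route callers through `get_ostree()`. Anything that auto-derefs a `Storage` keeps reaching the sysroot without the `Result`; `cleanup` in deploy.rs still calls `sysroot.repo()` on a `&Storage`, presumably through this impl. If the `Result` on the new accessor anticipates a storage without ostree, which the page does not say, `deref` has no way to report that. A comment on the impl such as `// TODO: remove once callers use get_ostree(); deref cannot fail` would record the intent.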
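Review bot: `get_ostree` and `get_ostree_cloned` (crates/lib/src/store/mod.rs, hunk at line 124) carry the same doc line, "Access the underlying ostree repository", although the first returns the `SysrootLock` and the second a clone that the callers in deploy.rs re-wrap with `from_assumed_locked`. Suggested wording: `/// Borrow the locked ostree sysroot.` and `/// Clone the sysroot handle for a worker thread; the lock itself stays with this Storage.` The return type of `get_ostree_cloned` is not legible on this page, so the second line needs confirming against the source. Neither doc says why an accessor that only returns `Ok(..)` is fallible; one sentence on that would tell callers whether they should expect an error path later.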
@@ -167,7 +178,7 @@ impl Storage {
 // Bootstrap verity off of the ostree state. In practice this means disabled by
 // default right now.
- let ostree_repo = &self.sysroot.repo();
+ let ostree_repo = &self.ostree.repo();
 let ostree_verity = ostree_ext::fsverity::is_verity_enabled(ostree_repo)?;
 if !ostree_verity.enabled {
 tracing::debug!("Setting insecure mode for composefs repo");
@@ -182,7 +193,7 @@ impl Storage {
 #[context("Updating storage root mtime")]
 pub(crate) fn update_mtime(&self) -> Result<()> {
 let sysroot_dir =
- crate::utils::sysroot_dir(&self.sysroot).context("Reopen sysroot directory")?;
+ crate::utils::sysroot_dir(&self.ostree).context("Reopen sysroot directory")?;
 sysroot_dir
 .update_timestamps(std::path::Path::new(BOOTC_ROOT))