diff --git a/internal/distro/rhel90/distro.go b/internal/distro/rhel90/distro.go
index 253beb070..8911ef16e 100644
--- a/internal/distro/rhel90/distro.go
+++ b/internal/distro/rhel90/distro.go
@@ -7,6 +7,7 @@ import (
 "math/rand"
 "path"
 "sort"
+ "strings"
 "github.com/osbuild/osbuild-composer/internal/blueprint"
 "github.com/osbuild/osbuild-composer/internal/disk"
@@ -52,7 +53,9 @@ const (
 blueprintPkgsKey = "blueprint"
 )
-var mountpointAllowList = []string{"/", "/var", "/var/*", "/home", "/opt", "/srv", "/usr"}
+var mountpointAllowList = []string{
+ "/", "/var", "/opt", "/srv", "/usr", "/app", "/data", "/home",
+}
 type distribution struct {
 name string
@@ -424,10 +427,17 @@ func (t *imageType) sources(packages []rpmmd.PackageSpec, ostreeCommits []ostree
 func isMountpointAllowed(mountpoint string) bool {
 for _, allowed := range mountpointAllowList {
- // check if the path and its subdirectories
- // is in the allow list
 match, _ := path.Match(allowed, mountpoint)
- if mountpoint == "/" || match {
+ if match {
+ return true
+ }
+ // ensure that only clean mountpoints
+ // are valid
+ if strings.Contains(mountpoint, "//") {
+ return false
+ }
+ match = strings.HasPrefix(mountpoint, allowed+"/")
+ if allowed != "/" && match {
 return true
 }
 }
diff --git a/internal/distro/rhel90/distro_test.go b/internal/distro/rhel90/distro_test.go
index 87355f63d..3c1f8b8a4 100644
--- a/internal/distro/rhel90/distro_test.go
+++ b/internal/distro/rhel90/distro_test.go
@@ -2,6 +2,7 @@ package rhel90_test
 import (
 "fmt"
+ "strings"
 "testing"
 "github.com/stretchr/testify/assert"
@@ -620,6 +621,10 @@ func TestDistro_CustomFileSystemSubDirectories(t *testing.T) {
 MinSize: 1024,
 Mountpoint: "/var/log",
 },
+ {
+ MinSize: 1024,
+ Mountpoint: "/var/log/audit",
+ },
 },
 },
 }
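Review bot: `mountpointAllowList` in distro.go carries no comment saying that its entries are now treated as directory prefixes, which is what dropping `"/var/*"` relies on. With the `strings.HasPrefix` check added to isMountpointAllowed in this commit, every entry other than `/` also admits any path below it at any depth, so subdirectories of `/usr`, `/home`, `/opt` and the rest become valid mountpoints where previously only a single level under `/var` matched. A comment such as `// mountpointAllowList lists the directories allowed as custom mountpoints; isMountpointAllowed also accepts any path below each entry except "/".` would make that policy visible at the list itself.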
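Review bot: The cleanliness check in isMountpointAllowed (distro.go) rejects only `//`, so a mountpoint such as `/var/../etc` or `/var/log/` still satisfies `strings.HasPrefix(mountpoint, allowed+"/")` and is accepted. Comparing the input with its normalised form covers doubled slashes, trailing slashes and `.`/`..` segments in one test, and since it does not depend on `allowed` it belongs before the loop: `if path.Clean(mountpoint) != mountpoint { return false }`. `path` is already in scope here because the function calls `path.Match`. The end of the function lies outside the hunk.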
@@ -628,9 +633,7 @@ func TestDistro_CustomFileSystemSubDirectories(t *testing.T) {
 for _, imgTypeName := range arch.ListImageTypes() {
 imgType, _ := arch.GetImageType(imgTypeName)
 _, err := imgType.Manifest(bp.Customizations, distro.ImageOptions{}, nil, nil, 0)
- if imgTypeName == "edge-commit" || imgTypeName == "edge-container" {
- assert.EqualError(t, err, "Custom mountpoints are not supported for ostree types")
- } else if imgTypeName == "edge-installer" {
+ if strings.HasPrefix(imgTypeName, "edge-") {
 continue
 } else {
 assert.NoError(t, err)
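Review bot: Skipping every `edge-` image type drops this test's assertion that edge-commit and edge-container fail with `Custom mountpoints are not supported for ostree types`, so for this blueprint the rejection on ostree types is no longer checked. If another test still pins that error this is fine, but that is not visible from the hunk. The `else` after `continue` is also redundant; `if strings.HasPrefix(imgTypeName, "edge-") { continue }` followed by a plain `assert.NoError(t, err)` reads more directly. The test function begins and ends outside the hunk.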
@@ -639,6 +642,78 @@ func TestDistro_CustomFileSystemSubDirectories(t *testing.T) {
 }
 }
+func TestDistro_MountpointsWithArbitraryDepthAllowed(t *testing.T) {
+ r9distro := rhel90.New()
+ bp := blueprint.Blueprint{
+ Customizations: &blueprint.Customizations{
+ Filesystem: []blueprint.FilesystemCustomization{
+ {
+ MinSize: 1024,
+ Mountpoint: "/var/a",
+ },
+ {
+ MinSize: 1024,
+ Mountpoint: "/var/a/b",
+ },
+ {
+ MinSize: 1024,
+ Mountpoint: "/var/a/b/c",
+ },
+ {
+ MinSize: 1024,
+ Mountpoint: "/var/a/b/c/d",
+ },
+ },
+ },
+ }
+ for _, archName := range r9distro.ListArches() {
+ arch, _ := r9distro.GetArch(archName)
+ for _, imgTypeName := range arch.ListImageTypes() {
+ imgType, _ := arch.GetImageType(imgTypeName)
+ _, err := imgType.Manifest(bp.Customizations, distro.ImageOptions{}, nil, nil, 0)
+ if strings.HasPrefix(imgTypeName, "edge-") {
+ continue
+ } else {
+ assert.NoError(t, err)
+ }
+ }
+ }
+}
+
+func TestDistro_DirtyMountpointsNotAllowed(t *testing.T) {
+ r9distro := rhel90.New()
+ bp := blueprint.Blueprint{
+ Customizations: &blueprint.Customizations{
+ Filesystem: []blueprint.FilesystemCustomization{
+ {
+ MinSize: 1024,
+ Mountpoint: "//",
+ },
+ {
+ MinSize: 1024,
+ Mountpoint: "/var//",
+ },
+ {
+ MinSize: 1024,
+ Mountpoint: "/var//log/audit/",
+ },
+ },
+ },
+ }
+ for _, archName := range r9distro.ListArches() {
+ arch, _ := r9distro.GetArch(archName)
+ for _, imgTypeName := range arch.ListImageTypes() {
+ imgType, _ := arch.GetImageType(imgTypeName)
+ _, err := imgType.Manifest(bp.Customizations, distro.ImageOptions{}, nil, nil, 0)
+ if strings.HasPrefix(imgTypeName, "edge-") {
+ continue
+ } else {
+ assert.EqualError(t, err, "The following custom mountpoints are not supported [\"//\" \"/var//\" \"/var//log/audit/\"]")
+ }
+ }
+ }
+}
+
 func TestDistro_CustomFileSystemPatternMatching(t *testing.T) {
 r9distro := rhel90.New()
 bp := blueprint.Blueprint{
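Review bot: TestDistro_DirtyMountpointsNotAllowed only uses inputs that contain `//`, so it does not show how validation treats other non-canonical forms such as a trailing slash or a `..` segment under an allowed directory. Adding entries like `Mountpoint: "/var/log/"` and `Mountpoint: "/var/../etc"`, with the expected error string extended to list them, would pin the intended behaviour for those inputs. Both new tests also discard the errors from `GetArch` and `GetImageType` (`arch, _ :=`, `imgType, _ :=`); asserting on them would turn a lookup failure into a clear test failure rather than a nil dereference.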
@@ -648,6 +723,10 @@ func TestDistro_CustomFileSystemPatternMatching(t *testing.T) {
 MinSize: 1024,
 Mountpoint: "/variable",
 },
+ {
+ MinSize: 1024,
+ Mountpoint: "/variable/log/audit",
+ },
 },
 },
 }
@@ -661,7 +740,7 @@ func TestDistro_CustomFileSystemPatternMatching(t *testing.T) {
 } else if imgTypeName == "edge-installer" {
 continue
 } else {
- assert.EqualError(t, err, "The following custom mountpoints are not supported [\"/variable\"]")
+ assert.EqualError(t, err, "The following custom mountpoints are not supported [\"/variable\" \"/variable/log/audit\"]")
 }
 }
 }