diff --git a/src/core/namespace.c b/src/core/namespace.c
index 5d092488bd4..876faa7f558 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -148,6 +148,12 @@ static const MountEntry protect_system_yes_table[] = {
 { "/usr", READONLY, false },
 { "/boot", READONLY, true },
 { "/efi", READONLY, true },
+#if HAVE_SPLIT_USR
+ { "/lib", READONLY, true },
+ { "/lib64", READONLY, true },
+ { "/bin", READONLY, true },
+ { "/sbin", READONLY, true },
+#endif
 };
 
 /* ProtectSystem=full includes ProtectSystem=yes */
@@ -156,6 +162,12 @@ static const MountEntry protect_system_full_table[] = {
 { "/boot", READONLY, true },
 { "/efi", READONLY, true },
 { "/etc", READONLY, false },
+#if HAVE_SPLIT_USR
+ { "/lib", READONLY, true },
+ { "/lib64", READONLY, true },
+ { "/bin", READONLY, true },
+ { "/sbin", READONLY, true },
+#endif
 };
 
 /*
diff --git a/src/udev/udev.conf b/src/udev/udev.conf
index 47d14330022..0d812d4a656 100644
--- a/src/udev/udev.conf
+++ b/src/udev/udev.conf
@@ -1,3 +1,6 @@
 # see udev.conf(5) for details
+#
+# udevd is also started in the initrd. When this file is modified you might
+# also want to rebuild the initrd, so that it will include the modified configuration.
 
 #udev_log="info"
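Review bot: The four entries added under `#if HAVE_SPLIT_USR` in `protect_system_yes_table` are selected at build time, but whether `/bin`, `/sbin`, `/lib` and `/lib64` are real directories outside `/usr` is a property of the running system; a binary built without the flag and run on a split-usr root would leave those directories writable under `ProtectSystem=yes`. If the third field is the ignore-if-missing flag, as its use for `/boot` and `/efi` suggests, the entries could probably be listed unconditionally, though it is worth confirming how the mount setup treats them when they are symlinks into `/usr`. Either way a comment above the block would help, e.g. `/* split-usr: these live outside /usr and need their own read-only entry */`. The same block is repeated in `protect_system_full_table` in the next hunk; a shared macro for the four entries would keep the two lists from drifting apart.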