diff --git a/apparmor/session-lockdown/no-deny b/apparmor/session-lockdown/no-deny
index 5baa1ef12dca2bc5e58cd81d907a7184a94f6cf7..dc53b787bc7594a2ff810508195237d660d8cdc1 100755
--- a/apparmor/session-lockdown/no-deny
+++ b/apparmor/session-lockdown/no-deny
@@ -20,6 +20,8 @@ import subprocess
 import sys
 
 ORDINARY_USER = 'user'
+ORDINARY_UID = subprocess.check_output(['id', '-u', ORDINARY_USER],
+        universal_newlines=True).strip()
 
 def stdmsg(*x):
     print(*x)
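Review bot: `ORDINARY_UID` is resolved at import time by spawning `id` found through PATH, so a missing `user` account or an unexpected PATH aborts the script with an unhandled `CalledProcessError` before any of its own reporting runs. The standard library answers the same question without a child process: `ORDINARY_UID = pwd.getpwnam(ORDINARY_USER).pw_uid`, with `import pwd` next to the existing imports. The later `.format()` call accepts the int unchanged. Dropping the PATH-resolved helper is worthwhile because the script appears to run privileged (it truncates the audit log and invokes `sudo`).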
@@ -135,7 +137,18 @@ def before_reboot():
     open('/var/log/audit/audit.log', 'w').close()
 
 def after_reboot():
-    log_subprocess('sudo', '-u', ORDINARY_USER, 'systemd-run', '--user',
+    log_subprocess('sudo', '-u', ORDINARY_USER,
+            # We hard-code this to bootstrap the right environment for
+            # systemd-run to be able to talk to systemd --user, because
+            # sudo itself doesn't set up this variable via the PAM stack.
+            'env', 'XDG_RUNTIME_DIR=/run/user/{}'.format(ORDINARY_UID),
+
+            # Running under systemd-run means we pull in the rest of the
+            # environment under which a realistic user process would run,
+            # so pactl is running in a less precarious environment.
+            'systemd-run', '--user',
+
+            # We run this for its side-effect, namely starting pulseaudio.
             'pactl', 'stat')
     log_subprocess('aa-status')
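Review bot: `systemd-run --user` returns as soon as the transient unit is started, so `pactl stat` runs asynchronously and the `aa-status` call on the next line can execute before pulseaudio is up. The confinement state being logged may then not include the process this step exists to start, and a failing `pactl` is not reflected in the exit status that `log_subprocess` sees. Adding `--wait` closes that gap on systemd 232 or later: `'systemd-run', '--user', '--wait',`. Separately, `/run/user/<uid>` only exists while the user has a logind session or lingering enabled, so it is worth checking that the directory is present after the reboot and reporting clearly if it is not. `after_reboot` may continue past the end of this hunk.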