diff --git a/Makefile.am b/Makefile.am
index bf7d1556f0e..895465dc969 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -748,6 +748,7 @@ nodist_selinux_policy_DATA = etc/guix-daemon.cil
 # AppArmor profiles.
 nodist_apparmor_profile_DATA = \
+ etc/apparmor.d/guix \
 etc/apparmor.d/guix-daemon
 nodist_apparmor_profile_tunables_DATA = \
diff --git a/etc/apparmor.d/guix b/etc/apparmor.d/guix
new file mode 100644
index 00000000000..f1442cf5d3f
--- /dev/null
+++ b/etc/apparmor.d/guix
@@ -0,0 +1,12 @@
+abi ,
+
+include
+include
+
+# There’s no point in confining the guix executable, since it can run
+# any user code and so everything is expected. We just need to
+# explicitely enable userns for systems with the
+# kernel.apparmor_restrict_unprivileged_userns sysctl.
+profile guix @{guix_storedir}/{*-guix-command,*-guix-*/bin/guix} flags=(unconfined) {
+ userns,
+}
\ No newline at end of file
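Review bot: The attachment glob on the `profile guix` line, `@{guix_storedir}/{*-guix-command,*-guix-*/bin/guix}`, matches any store item whose name contains `-guix-` and ships a `bin/guix`, not only the guix package itself, so any user who can build derivations can produce an executable that runs `flags=(unconfined)` with `userns` — on a host with `kernel.apparmor_restrict_unprivileged_userns` set this reopens unprivileged user namespaces to every daemon user, not just to the guix command. That may be intended, since the header comment argues guix runs arbitrary user code anyway, but the consequence should be stated there, e.g. `# NOTE: the glob also matches user-built store items named *-guix-*/bin/guix; this profile deliberately grants userns to anything matching it.` Two style nits in the same hunk: `explicitely` should read `explicitly`, and the file ends without a trailing newline (`\ No newline at end of file`). The `abi` and `include` lines appear here with their `<...>` arguments stripped; a `userns` rule needs `abi <abi/4.0>` to parse under AppArmor 4, so confirm the committed file actually carries the arguments.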