diff --git a/gnu/services.scm b/gnu/services.scm
index 9b7f2641b7..8a4002e072 100644
--- a/gnu/services.scm
+++ b/gnu/services.scm
@@ -665,9 +665,14 @@ (define (cleanup-gexp _)
 (delete-file-recursively "/var/run")
 (delete-file-recursively "/run")
+ ;; Note: The second argument to 'mkdir' is and'ed with umask,
+ ;; hence the 'chmod' calls.
 (mkdir "/tmp" #o1777)
+ (chmod "/tmp" #o1777)
 (mkdir "/var/run" #o755)
- (mkdir "/run" #o755))))))
+ (chmod "/var/run" #o755)
+ (mkdir "/run" #o755)
+ (chmod "/var/run" #o755))))))
 (define cleanup-service-type
 ;; Service that cleans things up in /tmp and similar.
diff --git a/gnu/tests/base.scm b/gnu/tests/base.scm
index 715b9036f9..e1a676ecd4 100644
--- a/gnu/tests/base.scm
+++ b/gnu/tests/base.scm
@@ -296,6 +296,10 @@ (define (user-owned? file)
 (operating-system-user-accounts os))))
 (stat:perms (marionette-eval `(stat ,root-home) marionette))))
+ (test-equal "permissions on /tmp"
+ #o1777
+ (stat:perms (marionette-eval '(lstat "/tmp") marionette)))
+
 (test-equal "ownership and permissions of /var/empty"
 '(0 0 #o555)
 (let ((st (marionette-eval `(stat "/var/empty") marionette)))
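Review bot: The last added line in cleanup-gexp (gnu/services.scm) repeats `(chmod "/var/run" #o755)` right after `(mkdir "/run" #o755)`, so /run is never chmod'ed and keeps whatever mode the umask left it with. It should read `(chmod "/run" #o755)`. Since mkdir's mode can only lose bits to the umask, the result is a /run that may be more restrictive than intended rather than more open, but that is exactly the case the new comment says the chmod calls exist to prevent. The comment itself would be more precise as `;; Note: The second argument to 'mkdir' is and'ed with the complement of the umask,`. cleanup-gexp begins above the hunk, so the umask in effect when it runs is not visible here.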
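Review bot: Only /tmp gets a permission test in gnu/tests/base.scm, so the modes of /run and /var/run set by the same cleanup code are unchecked and the duplicated `(chmod "/var/run" #o755)` in gnu/services.scm would not be caught by this suite. I would add `(test-equal "permissions on /run" #o755 (stat:perms (marionette-eval '(lstat "/run") marionette)))` and the same form for "/var/run". Whether the umask in effect at boot in the test VM actually strips bits, so that a missing chmod becomes observable, cannot be told from this hunk and is worth confirming. The enclosing test group starts and ends outside the hunk.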