diff --git a/build.py b/build.py
index c1edd9c633b6c3bd521fd05197d31c75151ea30e..b4a1b09be9d5908edac622f96c6c71e02fc7efb8 100755
--- a/build.py
+++ b/build.py
@@ -406,11 +406,9 @@ def run_install(args):
             print('info: consider setting the TARBALLS environment variable '
                   'to a stable writable location to avoid loosing '
                   'cached tarballs')
-        # Note: we must expose /gnu/store because /etc/ssl/certs
-        # contains certs that are symlinks to store items.
         command = ['guix', 'shell', '--manifest=guix/manifest.scm',
-                   '--expose=/gnu/store', '--expose=/etc/ssl/certs',
-                   '--expose=/usr/bin/env',
+                   '--symlink=/usr/bin/env=bin/env',
+                   '--symlink=/etc/ssl/certs=etc/ssl/certs',
                    '--container', '--network'] + share_tarballs_args \
             + ['--'] + command
 
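Review bot: Nothing in `run_install` now says where the container's CA certificates come from: the removed comment explained the old `--expose` flags, and the two `--symlink` arguments that replace them are undocumented. Both links point into the shell profile, so certificate verification for the `--network` downloads appears to depend on `guix/manifest.scm` providing a CA certificate package and an `env` binary; the manifest is not part of this diff, so that should be confirmed, since a dangling `/etc/ssl/certs` would make TLS fetches fail or tempt someone to disable verification. I would put a comment where the old one was, for example `# /usr/bin/env and /etc/ssl/certs are symlinks into the profile: the manifest must provide env and CA certificates; the host's store and certs are not exposed.` The same applies to the `portable-release-tarball` recipe in the Makefile hunk, which relies on `minimal-manifest.scm`. `run_install` starts and ends outside this hunk.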
diff --git a/extras/packaging/gnu-linux/Makefile b/extras/packaging/gnu-linux/Makefile
index d6beffbde2f704f229e910e589eac35fa22cb3de..2df676314d7f3b9a0be38d7ec3086cd3d213cf75 100644
--- a/extras/packaging/gnu-linux/Makefile
+++ b/extras/packaging/gnu-linux/Makefile
@@ -98,9 +98,9 @@ guix-share-tarball-arg = $${TARBALLS:+"--share=$$TARBALLS"}
 portable-release-tarball: has-guix-p
 	guix shell --container --network \
           --preserve=TARBALLS $(guix-share-tarball-arg) \
-          --expose=/usr/bin/env \
-          --expose=$$SSL_CERT_DIR=/etc/ssl/certs \
-          --manifest=$(CURDIR)/extras/packaging/gnu-linux/guix/minimal-manifest.scm \
+          --symlink=/usr/bin/env=bin/env \
+          --symlink=/etc/ssl/certs=etc/ssl/certs \
+          --manifest=extras/packaging/gnu-linux/guix/minimal-manifest.scm \
           -- $(MAKE) -f extras/packaging/gnu-linux/Makefile release-tarball
 
 daemon/contrib/native/Makefile:
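Review bot: With `--expose=$$SSL_CERT_DIR=/etc/ssl/certs` gone from the `portable-release-tarball` recipe, a certificate directory configured on the host no longer reaches the container, and the recipe does not say whether that is deliberate. Builders that relied on `SSL_CERT_DIR` for a private CA would see tarball downloads fail verification, while trusting only the profile's certificates makes release builds more reproducible. If the second is the intent, state it above the target, for example `# The container trusts only the CA certificates from minimal-manifest.scm; the host's SSL_CERT_DIR is deliberately not used.`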