diff --git a/internal/pipewire/pipewire_test.go b/internal/pipewire/pipewire_test.go
index 1ba7285..0b65b86 100644
--- a/internal/pipewire/pipewire_test.go
+++ b/internal/pipewire/pipewire_test.go
@@ -680,9 +680,6 @@ func TestContext(t *testing.T) {
 	}); err != nil {
 		t.Fatalf("SecurityContext.Create: error = %v", err)
 	}
-	if err := ctx.GetCore().Sync(); err != nil {
-		t.Fatalf("Sync: error = %v", err)
-	}
 
 	// none of these should change
 	if coreInfo := ctx.GetCore().Info; !reflect.DeepEqual(coreInfo, &wantCoreInfo0) {
diff --git a/internal/pipewire/securitycontext.go b/internal/pipewire/securitycontext.go
index 21123f1..ec19a64 100644
--- a/internal/pipewire/securitycontext.go
+++ b/internal/pipewire/securitycontext.go
@@ -111,17 +111,39 @@ func (registry *Registry) GetSecurityContext() (securityContext *SecurityContext
 }
 
 // Create queues a [SecurityContextCreate] message for the PipeWire server.
-func (securityContext *SecurityContext) Create(listenFd, closeFd int, props SPADict) error {
-	if err := securityContext.checkDestroy(); err != nil {
-		return err
+func (securityContext *SecurityContext) Create(listenFd, closeFd int, props SPADict) (err error) {
+	if err = securityContext.checkDestroy(); err != nil {
+		return
+	}
+
+	asCoreError := securityContext.ctx.expectsCoreError(securityContext.ID, &err)
+	if err != nil {
+		return
 	}
 
 	// queued in reverse based on upstream behaviour, unsure why
 	offset := securityContext.ctx.queueFiles(closeFd, listenFd)
-	return securityContext.ctx.writeMessage(
+	if err = securityContext.ctx.writeMessage(
 		securityContext.ID,
 		&SecurityContextCreate{ListenFd: offset + 1, CloseFd: offset + 0, Properties: &props},
-	)
+	); err != nil {
+		return
+	}
+	if err = securityContext.ctx.GetCore().Sync(); err == nil {
+		return nil
+	}
+
+	if coreError := asCoreError(); coreError == nil {
+		return
+	} else {
+		switch syscall.Errno(-coreError.Result) {
+		case syscall.EPERM:
+			return &PermissionError{securityContext.ID, coreError.Message}
+
+		default:
+			return coreError
+		}
+	}
 }
 
 // securityContextCloser holds onto resources associated to the security context.
diff --git a/internal/system/pipewire.go b/internal/system/pipewire.go
index d04cae4..2026b2b 100644
--- a/internal/system/pipewire.go
+++ b/internal/system/pipewire.go
@@ -63,9 +63,6 @@ func (p *pipewireOp) apply(sys *I) (err error) {
 		{Key: pipewire.PW_KEY_ACCESS, Value: "restricted"},
 	}); err != nil {
 		return newOpError("pipewire", err, false)
-	} else if err = ctx.GetCore().Sync(); err != nil {
-		_ = p.scc.Close()
-		return newOpError("pipewire", err, false)
 	}
 
 	if err = sys.chmod(p.dst.String(), 0); err != nil {