diff --git a/session.c b/session.c

index 436ea48..49c9321 100644

--- a/session.c

+++ b/session.c

@@ -1561,6 +1561,13 @@ do_setusercontext(struct passwd *pw)

 #endif

 	}

+#ifdef WITH_SELINUX

+	if (options.chroot_directory == NULL ||

+	    strcasecmp(options.chroot_directory, "none") == 0) {

+		ssh_selinux_copy_context();

+	}

+#endif

+

 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)

 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);

 }

@@ -1670,7 +1677,9 @@ do_child(Session *s, const char *command

 		/* When PAM is enabled we rely on it to do the nologin check */

 		if (!options.use_pam)

 			do_nologin(pw);

-		do_setusercontext(pw);

+		/* We are already separated */

+		if (!use_privsep)

+			do_setusercontext(pw);

 		/*

 		 * PAM session modules in do_setusercontext may have

 		 * generated messages, so if this in an interactive

@@ -1791,8 +1800,8 @@ do_child(Session *s, const char *command

 		optind = optreset = 1;

 		__progname = argv[0];

 #ifdef WITH_SELINUX

-		if (options.chroot_directory == NULL ||

-		    strcasecmp(options.chroot_directory, "none") == 0) {

+		if (!use_privsep &&

+		    (options.chroot_directory == NULL || strcasecmp(options.chroot_directory, "none") == 0)) {

 			ssh_selinux_copy_context();

 		}

 #endif