diff -up ./src/exec.c.tty2 ./src/exec.c
--- ./src/exec.c.tty2	2018-04-29 21:59:24.000000000 +0200
+++ ./src/exec.c	2021-07-02 13:34:53.803816249 +0200
@@ -99,19 +99,11 @@ restore_nproc(void)
  * Returns true on success and false on failure.
  */
 static bool
-exec_setup(struct command_details *details, const char *ptyname, int ptyfd)
+exec_setup(struct command_details *details)
 {
     bool ret = false;
     debug_decl(exec_setup, SUDO_DEBUG_EXEC)
 
-#ifdef HAVE_SELINUX
-    if (ISSET(details->flags, CD_RBAC_ENABLED)) {
-	if (selinux_setup(details->selinux_role, details->selinux_type,
-	    ptyname ? ptyname : user_details.tty, ptyfd) == -1)
-	    goto done;
-    }
-#endif
-
     /* Restore coredumpsize resource limit before running. */
     if (sudo_conf_disable_coredump())
 	disable_coredump(true);
@@ -141,7 +133,7 @@ exec_setup(struct command_details *detai
 #endif /* HAVE_PRIV_SET */
 
 #ifdef HAVE_GETUSERATTR
-	if (aix_prep_user(details->pw->pw_name, ptyname ? ptyname : user_details.tty) != 0) {
+	if (aix_prep_user(details->pw->pw_name, details->tty) != 0) {
 	    /* error message displayed by aix_prep_user */
 	    goto done;
 	}
@@ -262,7 +254,7 @@ exec_cmnd(struct command_details *detail
     debug_decl(exec_cmnd, SUDO_DEBUG_EXEC)
 
     restore_signals();
-    if (exec_setup(details, NULL, -1) == true) {
+    if (exec_setup(details) == true) {
 	/* headed for execve() */
 	if (details->closefrom >= 0) {
 	    int fd, maxfd;
diff -up ./src/exec_monitor.c.tty2 ./src/exec_monitor.c
--- ./src/exec_monitor.c.tty2	2021-07-02 10:07:33.951025634 +0200
+++ ./src/exec_monitor.c	2021-07-02 13:34:00.388475413 +0200
@@ -549,10 +549,26 @@ exec_monitor(struct command_details *det
     if (pipe2(errpipe, O_CLOEXEC) != 0)
 	sudo_fatal(U_("unable to create pipe"));
 
+#ifdef HAVE_SELINUX
+    if (ISSET(details->flags, CD_RBAC_ENABLED)) {
+        if (selinux_setup(details->selinux_role, details->selinux_type,
+                          details->tty, io_fds[SFD_SLAVE]) == -1)
+            goto bad;
+        }
+#endif
+
     mc.cmnd_pid = sudo_debug_fork();
     switch (mc.cmnd_pid) {
     case -1:
 	sudo_warn(U_("unable to fork"));
+
+#ifdef HAVE_SELINUX
+    if (ISSET(details->flags, CD_RBAC_ENABLED)) {
+        if (selinux_restore_tty() != 0)
+            sudo_warnx(U_("unable to restore tty label"));
+        }
+#endif
+
 	goto bad;
     case 0:
 	/* child */
diff -up ./src/exec_nopty.c.tty2 ./src/exec_nopty.c
--- ./src/exec_nopty.c.tty2	2018-04-29 21:59:31.000000000 +0200
+++ ./src/exec_nopty.c	2021-07-02 10:07:33.951025634 +0200
@@ -371,6 +371,17 @@ exec_nopty(struct command_details *detai
 	debug_return;
     }
 
+#ifdef HAVE_SELINUX
+    if (ISSET(details->flags, CD_RBAC_ENABLED)) {
+        if (selinux_setup(details->selinux_role, details->selinux_type,
+		details->tty, -1) == -1) {
+	    cstat->type = CMD_ERRNO;
+	    cstat->val = errno;
+	    debug_return;
+	}
+    }
+#endif
+
     ec.cmnd_pid = sudo_debug_fork();
     switch (ec.cmnd_pid) {
     case -1:
diff -up ./src/exec_pty.c.tty2 ./src/exec_pty.c
--- ./src/exec_pty.c.tty2	2021-07-02 10:07:33.940025770 +0200
+++ ./src/exec_pty.c	2021-07-02 13:40:49.569392687 +0200
@@ -95,7 +95,7 @@ struct io_buffer {
 };
 SLIST_HEAD(io_buffer_list, io_buffer);
 
-static char slavename[PATH_MAX];
+static char ptyname[PATH_MAX];
 int io_fds[6] = { -1, -1, -1, -1, -1, -1};
 static bool foreground, pipeline;
 static bool tty_initialized;
@@ -123,7 +123,7 @@ pty_cleanup(void)
     if (io_fds[SFD_USERTTY] != -1)
 	sudo_term_restore(io_fds[SFD_USERTTY], false);
     if (utmp_user != NULL)
-	utmp_logout(slavename, 0);
+	utmp_logout(ptyname, 0);
 
     debug_return;
 }
@@ -131,7 +131,7 @@ pty_cleanup(void)
 /*
  * Allocate a pty if /dev/tty is a tty.
  * Fills in io_fds[SFD_USERTTY], io_fds[SFD_MASTER], io_fds[SFD_SLAVE]
- * and slavename globals.
+ * and ptyname globals.
  */
 static bool
 pty_setup(struct command_details *details, const char *tty)
@@ -146,14 +146,17 @@ pty_setup(struct command_details *detail
     }
 
     if (!get_pty(&io_fds[SFD_MASTER], &io_fds[SFD_SLAVE],
-	slavename, sizeof(slavename), details->euid))
+	ptyname, sizeof(ptyname), details->euid))
 	sudo_fatal(U_("unable to allocate pty"));
 
+    /* Update tty name in command details (used by SELinux and AIX). */
+    details->tty = ptyname;
+
     /* Add entry to utmp/utmpx? */
     if (ISSET(details->flags, CD_SET_UTMP)) {
 	utmp_user =
 	    details->utmp_user ? details->utmp_user : user_details.username;
-	utmp_login(tty, slavename, io_fds[SFD_SLAVE], utmp_user);
+	utmp_login(tty, ptyname, io_fds[SFD_SLAVE], utmp_user);
     }
 
     sudo_debug_printf(SUDO_DEBUG_INFO,
@@ -172,8 +175,8 @@ pty_make_controlling(void)
 	if (ioctl(io_fds[SFD_SLAVE], TIOCSCTTY, NULL) != 0)
 	    return -1;
 #else
-	/* Set controlling tty by reopening slave. */
-	int fd = open(slavename, O_RDWR);
+	/* Set controlling tty by reopening pty slave. */
+	int fd = open(ptyname, O_RDWR);
 	if (fd == -1)
 	    return -1;
 	close(fd);
@@ -787,7 +790,7 @@ pty_close(struct command_status *cstat)
 
     /* Update utmp */
     if (utmp_user != NULL)
-	utmp_logout(slavename, cstat->type == CMD_WSTATUS ? cstat->val : 0);
+	utmp_logout(ptyname, cstat->type == CMD_WSTATUS ? cstat->val : 0);
 
     /* Close pty master. */
     if (io_fds[SFD_MASTER] != -1)
diff -up ./src/selinux.c.tty2 ./src/selinux.c
--- ./src/selinux.c.tty2	2021-07-02 10:07:33.950025646 +0200
+++ ./src/selinux.c	2021-07-02 10:07:33.952025622 +0200
@@ -123,10 +123,11 @@ selinux_restore_tty(void)
 	goto skip_relabel;
     }
 
-    if (strcmp(chk_tty_context, se_state.new_tty_context) == 0) {
+    if (strcmp(chk_tty_context, se_state.new_tty_context) != 0) {
 	sudo_warnx(U_("%s changed labels"), se_state.ttyn);
-	sudo_debug_printf(SUDO_DEBUG_INFO, "%s: tty label changed, skipping",
-	    __func__);
+	sudo_debug_printf(SUDO_DEBUG_INFO,
+	    "%s: not restoring tty label, expected %s, have %s",
+	    __func__, se_state.new_tty_context, chk_tty_context);
 	goto skip_relabel;
     }
 
@@ -173,6 +174,7 @@ relabel_tty(const char *ttyn, int ptyfd)
 	    __func__);
 	debug_return_int(0);
     }
+    sudo_debug_printf(SUDO_DEBUG_INFO, "%s: relabeling tty %s", __func__, ttyn);
 
     /* If sudo is not allocating a pty for the command, open current tty. */
     if (ptyfd == -1) {
@@ -345,8 +347,9 @@ bad:
 }
 
 /* 
- * Set the exec and tty contexts in preparation for fork/exec.
- * Must run as root, before the uid change.
+ * Determine the exec and tty contexts in preparation for fork/exec.
+ * Must run as root, before forking the child process.
+ * Sets the tty context but not the exec context (which happens later).
  * If ptyfd is not -1, it indicates we are running
  * in a pty and do not need to reset std{in,out,err}.
  * Returns 0 on success and -1 on failure.
diff -up ./src/sudo.c.tty2 ./src/sudo.c
--- ./src/sudo.c.tty2	2018-04-29 21:59:31.000000000 +0200
+++ ./src/sudo.c	2021-07-02 10:07:33.952025622 +0200
@@ -277,6 +277,7 @@ main(int argc, char *argv[], char *envp[
 	    }
 	    /* Setup command details and run command/edit. */
 	    command_info_to_details(command_info, &command_details);
+	    command_details.tty = user_details.tty;
 	    command_details.argv = argv_out;
 	    command_details.envp = user_env_out;
 	    if (ISSET(sudo_mode, MODE_LOGIN_SHELL))
diff -up ./src/sudo.h.tty2 ./src/sudo.h
--- ./src/sudo.h.tty2	2018-04-29 21:59:24.000000000 +0200
+++ ./src/sudo.h	2021-07-02 10:07:33.952025622 +0200
@@ -162,6 +162,7 @@ struct command_details {
     const char *selinux_role;
     const char *selinux_type;
     const char *utmp_user;
+    const char *tty;
     char **argv;
     char **envp;
 #ifdef HAVE_PRIV_SET