diff -up openssh-5.9p1/session.c.privsep-selinux openssh-5.9p1/session.c
--- openssh-5.9p1/session.c.privsep-selinux	2012-08-01 15:36:33.397565915 +0200
+++ openssh-5.9p1/session.c	2012-08-02 18:18:15.038094629 +0200
@@ -1536,6 +1536,13 @@ do_setusercontext(struct passwd *pw)
 		/* Permanently switch to the desired uid. */
 		permanently_set_uid(pw);
 #endif
+
+#ifdef WITH_SELINUX
+		if (options.chroot_directory == NULL ||
+		    strcasecmp(options.chroot_directory, "none") == 0) {
+			ssh_selinux_copy_context();
+		}
+#endif
 	}
 
 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
diff -up openssh-5.9p1/sshd.c.privsep-selinux openssh-5.9p1/sshd.c
--- openssh-5.9p1/sshd.c.privsep-selinux	2012-08-01 16:09:22.949423356 +0200
+++ openssh-5.9p1/sshd.c	2012-08-02 18:07:22.912225684 +0200
@@ -790,6 +790,14 @@ privsep_postauth(Authctxt *authctxt)
 	do_setusercontext(authctxt->pw);
 
  skip:
+#ifdef WITH_SELINUX
+	/* switch SELinux content for root too */
+	if (authctxt->pw->pw_uid == 0 && (options.chroot_directory == NULL ||
+	    strcasecmp(options.chroot_directory, "none") == 0)) {
+		ssh_selinux_copy_context();
+	}
+#endif
+
 	/* It is safe now to apply the key state */
 	monitor_apply_keystate(pmonitor);