diff --git a/src/core/execute.c b/src/core/execute.c
index d5107288a1..666bdc4bc1 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -4105,6 +4105,10 @@ int exec_spawn(Unit *unit,
         if (!line)
                 return log_oom();
 
+        /* fork with up-to-date SELinux label database, so the child inherits the up-to-date db
+           and, until the next SELinux policy changes, we safe further reloads in future children */
+        mac_selinux_maybe_reload();
+
         log_struct(LOG_DEBUG,
                    LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
                    "EXECUTABLE=%s", command->path,
diff --git a/src/udev/udevd.c b/src/udev/udevd.c
index 8c7c7046e7..b2052578eb 100644
--- a/src/udev/udevd.c
+++ b/src/udev/udevd.c
@@ -656,6 +656,10 @@ static void event_run(Manager *manager, struct event *event) {
         /* Re-enable the debug message for the next batch of events */
         log_children_max_reached = true;
 
+        /* fork with up-to-date SELinux label database, so the child inherits the up-to-date db
+           and, until the next SELinux policy changes, we safe further reloads in future children */
+        mac_selinux_maybe_reload();
+
         /* start new worker and pass initial device */
         worker_spawn(manager, event);
 }
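Review bot: The new comment above `mac_selinux_maybe_reload()` in exec_spawn says "we safe further reloads", which reads as a typo for "save", and it does not say what the reload is conditional on, so a reader cannot tell whether calling this once per spawn is cheap. I would reword it to `/* Refresh the SELinux label database (if the policy changed) before forking, so the child inherits a current db and does not need to reload it itself until the next policy change. */`. Note that the refresh happens here in the manager, before the fork that follows later in exec_spawn; if the child side relies on this and no longer reloads on its own, a policy change landing between this call and the fork would leave that child labelling with a stale db, which may be acceptable but is worth stating in the comment. exec_spawn begins and ends outside this hunk.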
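Review bot: In event_run the reload is placed directly before `worker_spawn()`, so only a freshly spawned worker gets the refreshed label database; the context comment "start new worker" suggests this path is taken only when no idle worker can take the event, in which case an existing worker reused earlier in event_run (outside the hunk) would still be using whatever db it had at its own fork unless it reloads itself, which this hunk does not show. If that is intended, the comment should say so rather than imply every child inherits an up-to-date db. The comment is also a verbatim copy of the one added in execute.c, typo included ("we safe" should be "we save"); I would keep the explanation once in the doc comment of `mac_selinux_maybe_reload()` and leave a one-line `/* Refresh SELinux label db before fork so the new worker inherits it. */` at each call site. event_run begins outside this hunk.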