selinux: relabel /run the same way as /dev after loading the policy since they both come pre-filled and unlabelled

src/mount-setup.c

@@ -243,8 +243,10 @@ int mount_setup(void) {
          * appropriate labels, after mounting. The other virtual API
          * file systems do not need. */
 
-        if (unlink("/dev/.systemd-relabel-devtmpfs") >= 0)
+        if (unlink("/dev/.systemd-relabel-run-dev") >= 0) {
                 nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS);
+                nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS);
+        }
 
         /* Create a few default symlinks, which are normally created
          * bei udevd, but some scripts might need them before we start

src/selinux-setup.c

@@ -43,9 +43,9 @@ int selinux_setup(char *const argv[]) {
                return 0;
 
        /* Before we load the policy we create a flag file to ensure
-        * that after the reexec we iterate through /dev to relabel
+        * that after the reexec we iterate through /run and /dev to
-        * things. */
+        * relabel things. */
-       touch("/dev/.systemd-relabel-devtmpfs");
+       touch("/dev/.systemd-relabel-run-dev");
 
        if (selinux_init_load_policy(&enforce) == 0) {
                log_debug("Successfully loaded SELinux policy, reexecuting.");
@@ -60,7 +60,7 @@ int selinux_setup(char *const argv[]) {
        } else {
                log_full(enforce > 0 ? LOG_ERR : LOG_WARNING, "Failed to load SELinux policy.");
 
-               unlink("/dev/.systemd-relabel-devtmpfs");
+               unlink("/dev/.systemd-relabel-run-dev");
 
                if (enforce > 0)
                        return -EIO;