diff --git a/src/exec_pty.c b/src/exec_pty.c
index 9e960f55d..232da0654 100644
--- a/src/exec_pty.c
+++ b/src/exec_pty.c
@@ -121,6 +121,9 @@ cleanup(int gotsignal)
 {
     if (!tq_empty(&io_plugins))
 	term_restore(io_fds[SFD_USERTTY], 0);
+#ifdef HAVE_SELINUX
+    selinux_restore_tty();
+#endif
 }
 
 /*
diff --git a/src/selinux.c b/src/selinux.c
index 0c70710ea..3a40d5a3b 100644
--- a/src/selinux.c
+++ b/src/selinux.c
@@ -66,7 +66,6 @@ static struct selinux_state {
  *
  * Returns zero on success, non-zero otherwise
  */
-/* XXX - should also be called as part of cleanup() */
 int
 selinux_restore_tty(void)
 {
@@ -91,9 +90,14 @@ selinux_restore_tty(void)
 	warning("unable to restore context for %s", se_state.ttyn);
 
 skip_relabel:
-    if (se_state.ttyfd != -1)
+    if (se_state.ttyfd != -1) {
 	close(se_state.ttyfd);
-    freecon(chk_tty_context);
+	se_state.ttyfd = -1;
+    }
+    if (chk_tty_context != NULL) {
+	freecon(chk_tty_context);
+	chk_tty_context = NULL;
+    }
     return retval;
 }