diff --git a/ChangeLog b/ChangeLog
index 9622f1944..d1a0cd0fd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -24,6 +24,8 @@
    openbsd-compat/port-solaris.{c,h}] Bug #1824: Add Solaris Project support.
    Patch from cory.erickson at csu mnscu edu with a bit of rework from me.
    ok djm@
+ - (dtucker) [platform.c platform.h session.c] Add a platform hook to run
+   after the user's groups are established and move the selinux calls into it.
 
 20101025
  - (tim) [openbsd-compat/glob.h] Remove sys/cdefs.h include that came with
diff --git a/platform.c b/platform.c
index c894190b2..730e7b718 100644
--- a/platform.c
+++ b/platform.c
@@ -1,4 +1,4 @@
-/* $Id: platform.c,v 1.4 2010/11/05 01:03:05 dtucker Exp $ */
+/* $Id: platform.c,v 1.5 2010/11/05 01:36:15 dtucker Exp $ */
 
 /*
  * Copyright (c) 2006 Darren Tucker. All rights reserved.
@@ -57,9 +57,18 @@ platform_post_fork_child(void)
 #endif
 }
 
+/*
+ * This gets called before switching UIDs, and is called even when sshd is
+ * not running as root.
+ */
 void
 platform_setusercontext(struct passwd *pw)
 {
+#ifdef WITH_SELINUX
+	/* Cache selinux status for later use */
+	(void)ssh_selinux_enabled();
+#endif
+
 #ifdef USE_SOLARIS_PROJECTS
 	/* if solaris projects were detected, set the default now */
 	if (getuid() == 0 || geteuid() == 0)
@@ -67,6 +76,18 @@ platform_setusercontext(struct passwd *pw)
 #endif
 }
 
+/*
+ * This gets called after we've established the user's groups, and is only
+ * called if sshd is running as root.
+ */
+void
+platform_setusercontext_post_groups(struct passwd *pw)
+{
+#ifdef WITH_SELINUX
+	ssh_selinux_setup_exec_context(pw->pw_name);
+#endif
+}
+
 char *
 platform_krb5_get_principal_name(const char *pw_name)
 {
diff --git a/platform.h b/platform.h
index f0cdd8037..be66d55c6 100644
--- a/platform.h
+++ b/platform.h
@@ -1,4 +1,4 @@
-/* $Id: platform.h,v 1.5 2010/11/05 01:03:05 dtucker Exp $ */
+/* $Id: platform.h,v 1.6 2010/11/05 01:36:15 dtucker Exp $ */
 
 /*
  * Copyright (c) 2006 Darren Tucker. All rights reserved.
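Review bot: The new header comment on platform_setusercontext() says when the hook runs but not what code placed in it may assume, and the two bodies under it now disagree on that point: the Solaris branch guards its privileged work with `if (getuid() == 0 || geteuid() == 0)` while the added `(void)ssh_selinux_enabled();` runs unguarded. That is fine only if ssh_selinux_enabled() needs no privilege (presumably it just caches a libselinux query — confirm where it is defined), but the next platform addition will not have that guarantee. I would state the rule in the comment so it survives: `* not running as root, so anything added here that needs privilege must` / `* check getuid()/geteuid() itself, as the Solaris Projects branch does.` The Solaris branch and the end of the function lie outside the hunk.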
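Review bot: The comment on platform_setusercontext_post_groups() describes what the caller currently does ("is only called if sshd is running as root") rather than what the hook requires, and the body enforces nothing: `ssh_selinux_setup_exec_context(pw->pw_name)` is invoked unconditionally, so a future caller outside the root-only block in do_setusercontext() would run it unprivileged and silently get a wrong or missing exec context. The ordering that matters for security is also left implicit — the session.c hunk places the call after the group setup and immediately before the chroot_directory handling, and the exec context must be in place before the chroot and before the switch to the user's UID. I would make the comment a contract: `* Must be called with root privileges, after the user's groups have been` / `* set up and before any chroot or the switch to the user's UID.` Optionally add `(void)pw;` so non-SELinux builds do not warn about the unused parameter.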
@@ -25,6 +25,7 @@ void platform_pre_fork(void);
 void platform_post_fork_parent(pid_t child_pid);
 void platform_post_fork_child(void);
 void platform_setusercontext(struct passwd *);
+void platform_setusercontext_post_groups(struct passwd *);
 char *platform_get_krb5_client(const char *);
 char *platform_krb5_get_principal_name(const char *);
diff --git a/session.c b/session.c
index ab32bb55f..7994dd60b 100644
--- a/session.c
+++ b/session.c
@@ -1471,11 +1471,6 @@ do_setusercontext(struct passwd *pw)
 
 	platform_setusercontext(pw);
 
-#ifdef WITH_SELINUX
-	/* Cache selinux status for later use */
-	(void)ssh_selinux_enabled();
-#endif
-
 #ifndef HAVE_CYGWIN
 	if (getuid() == 0 || geteuid() == 0)
 #endif /* HAVE_CYGWIN */
@@ -1554,9 +1549,7 @@ do_setusercontext(struct passwd *pw)
 	}
 #endif /* HAVE_SETPCRED */
 
-#ifdef WITH_SELINUX
-	ssh_selinux_setup_exec_context(pw->pw_name);
-#endif
+	platform_setusercontext_post_groups(pw);
 
 	if (options.chroot_directory != NULL &&
 	    strcasecmp(options.chroot_directory, "none") != 0) {
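Review bot: The new call `platform_setusercontext_post_groups(pw);` in the second session.c hunk keeps the old SELinux call's position but drops the only visible hint that the position is load-bearing: the hook now does privileged, platform-specific work and sits right before the chroot_directory handling, so a later reordering (moving it past the chroot, or past the eventual UID switch, which lies outside the hunk) would break the SELinux exec context without any compiler or test noticing. Since the hook is an opaque call from this file's point of view, a one-line comment at the call site is the cheapest guard: `/* Platform hook: runs with the user's groups set, before chroot and the UID switch. */`. do_setusercontext() begins and ends outside the hunk, so the root-only block enclosing this call is assumed from the first hunk's `if (getuid() == 0 || geteuid() == 0)` rather than seen.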