1 files changed, 15 insertions, 14 deletions

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 4f53cafcc..d1d98f636 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -848,20 +848,6 @@ int sandbox(void* sandbox_arg) {
         if (arg_private_dev)
                 fs_private_dev();
 
-        if (arg_private_etc) {
-                if (cfg.chrootdir)
-                        fwarning("private-etc feature is disabled in chroot\n");
-                else if (arg_overlay)
-                        fwarning("private-etc feature is disabled in overlay\n");
-                else {
-                        fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
-                        fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep); // openSUSE
-                        // create /etc/ld.so.preload file again
-                        if (need_preload)
-                                fs_trace_preload();
-                }
-        }
-
         if (arg_private_opt) {
                 if (cfg.chrootdir)
                         fwarning("private-opt feature is disabled in chroot\n");
@@ -964,6 +950,21 @@ int sandbox(void* sandbox_arg) {
         else if (arg_disable_mnt)
                 fs_mnt(0);
 
+        // Install new /etc last, so we can use it as long as possible
+        if (arg_private_etc) {
+                if (cfg.chrootdir)
+                        fwarning("private-etc feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fwarning("private-etc feature is disabled in overlay\n");
+                else {
+                        fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
+                        fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep); // openSUSE
+                        // create /etc/ld.so.preload file again
+                        if (need_preload)
+                                fs_trace_preload();
+                }
+        }
+
         //****************************
         // apply the profile file
         //****************************