Sometimes content created in /run during boot ends up mislabeled. We sometimes hear, "Every time I boot, this file gets created with the wrong label."
This can happen if initramfs is creating content before systemd has loaded policy. This means the content would get created with var_run_t as the label.
Well, I was looking at tmpfiles.d and it has a cool feature:
Recursively set the access mode, group and user, and restore the SELinux security context of a file or directory
if it exists, as well as of its subdirectories and the files contained therein (if applicable). Lines of this type
accept shell-style globs in place of normal path names. Does not follow symlinks.
One hack you could try would be to add an entry for /run to the tmpfiles.d directory, and systemd will relabel all of the content in /run when the system reboots.
echo "Z /run - - - - -" > /etc/tmpfiles.d/relabelrun.conf
Of course, if the content gets created with the wrong label after tmpfiles runs, you are out of luck, or you could enable the old restorecond service...
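To see what the Z line would change, or what is still mislabeled after tmpfiles has run, a dry-run restorecon over /run can be summarized per file. This is an added example, not from the original post: the function names, the sample paths and the type myapp_var_run_t are constructed, and it assumes the "Would relabel ... from ... to ..." output format of recent policycoreutils.

```shell
#!/bin/sh
# Added example: list content under /run whose label differs from policy.

# Reads `restorecon -Rnv` dry-run output on stdin and prints one line per
# mismatch: path <TAB> current type <TAB> type the policy expects.
# Paths containing spaces are handled; contexts never contain spaces.
summarize_relabels() {
    awk '
        /^Would relabel / && match($0, / from [^ ]+ to [^ ]+$/) {
            path = substr($0, 15, RSTART - 15)       # text after "Would relabel "
            split(substr($0, RSTART + 6), ctx, " to ")
            split(ctx[1], cur, ":"); split(ctx[2], want, ":")
            printf "%s\t%s\t%s\n", path, cur[3], want[3]
        }'
}

# Dry run only (-n): nothing is relabeled. Needs root on an SELinux host.
report_run_mislabels() {
    restorecon -Rnv /run 2>/dev/null | summarize_relabels
}

# Constructed sample of dry-run output, for trying the parser offline.
sample_dry_run() {
    cat <<'EOF'
Would relabel /run/myapp/myapp.pid from system_u:object_r:var_run_t:s0 to system_u:object_r:myapp_var_run_t:s0
Would relabel /run/myapp/state file from system_u:object_r:var_run_t:s0 to system_u:object_r:myapp_var_run_t:s0
some unrelated warning line
EOF
}
```

Run report_run_mislabels once right after boot and again later: entries that only show up in the later run were created after tmpfiles ran, which is the case the Z line cannot fix.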