diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index 59808477d1..1d4fa3756d 100644
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -5732,7 +5732,7 @@ int exec_invoke(
 
         /* We need setresuid() if the caller asked us to apply sandboxing and the command isn't explicitly
          * excepted from either whole sandboxing or just setresuid() itself. */
-        needs_setuid = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & (EXEC_COMMAND_FULLY_PRIVILEGED|EXEC_COMMAND_NO_SETUID));
+        needs_setuid = needs_sandboxing && !FLAGS_SET(command->flags, EXEC_COMMAND_NO_SETUID);
 
         uint64_t capability_ambient_set = context->capability_ambient_set;
 
diff --git a/src/core/selinux-setup.c b/src/core/selinux-setup.c
index 891fa3cd8e..6f78346036 100644
--- a/src/core/selinux-setup.c
+++ b/src/core/selinux-setup.c
@@ -19,8 +19,10 @@ int mac_selinux_setup(bool *loaded_policy) {
         int r;
 
         r = dlopen_libselinux();
-        if (r < 0)
-                return log_debug_errno(r, "No SELinux library available, skipping setup: %m");
+        if (r < 0) {
+                log_debug_errno(r, "No SELinux library available, skipping setup.");
+                return 0;
+        }
 
         mac_selinux_disable_logging();