diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 96d18dd93b..b17635c5d2 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -676,9 +676,10 @@ CapabilityBoundingSet=~CAP_B CAP_C
SystemCallFilter=, or
SystemCallLog= are specified. Note that even if this setting is overridden
by them, systemctl show shows the original value of this setting. In case the
- service will be run in a new mount namespace anyway, all file systems are mounted with MS_NOSUID
- flag. Also see
- No New Privileges Flag.
+ service will be run in a new mount namespace anyway and SELinux is disabled, all file systems
+ are mounted with MS_NOSUID flag. Also see
+ No New
+ Privileges Flag.
diff --git a/src/core/execute.c b/src/core/execute.c
index dcf683f68b..a83b1b5694 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3191,7 +3191,7 @@ static int apply_mount_namespace(
.proc_subset = context->proc_subset,
.private_ipc = context->private_ipc || context->ipc_namespace_path,
/* If NNP is on, we can turn on MS_NOSUID, since it won't have any effect anymore. */
- .mount_nosuid = context->no_new_privileges,
+ .mount_nosuid = context->no_new_privileges && !mac_selinux_use(),
};
} else if (!context->dynamic_user && root_dir)
/*
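Review bot: The comment above `.mount_nosuid` still gives only the NNP rationale, so the new `&& !mac_selinux_use()` condition is unexplained in the code; only the man page hunk mentions SELinux. Presumably the exception exists because nosuid mounts interfere with SELinux domain transitions on exec. If that is the reason, the comment should say so, e.g. `/* If NNP is on, we can turn on MS_NOSUID, since it won't have any effect anymore. Skip it when SELinux is in use, since nosuid mounts would block domain transitions on exec. */`. Anyone auditing unit hardening should also know that on SELinux hosts the namespace is no longer mounted with MS_NOSUID, so NNP alone is what stops setuid and file-capability gains there. apply_mount_namespace() starts and ends outside the hunk.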