core: do not set nosuid mount option when SELinux is enabled

The mount option has special meaning when SELinux is enabled. To make
NoNewPrivileges=yes not break SELinux enabled systems, let's not set the
mount flag on such systems.

man/systemd.exec.xml

@@ -676,9 +676,10 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
         <varname>SystemCallFilter=</varname>, or
         <varname>SystemCallLog=</varname> are specified. Note that even if this setting is overridden
         by them, <command>systemctl show</command> shows the original value of this setting. In case the
-        service will be run in a new mount namespace anyway, all file systems are mounted with MS_NOSUID
-        flag. Also see <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">
-        No New Privileges Flag</ulink>.</para></listitem>
+        service will be run in a new mount namespace anyway and SELinux is disabled, all file systems
+        are mounted with <constant>MS_NOSUID</constant> flag. Also see
+        <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">No New
+        Privileges Flag</ulink>.</para></listitem>
       </varlistentry>
 
       <varlistentry>

src/core/execute.c

@@ -3191,7 +3191,7 @@ static int apply_mount_namespace(
                         .proc_subset = context->proc_subset,
                         .private_ipc = context->private_ipc || context->ipc_namespace_path,
                         /* If NNP is on, we can turn on MS_NOSUID, since it won't have any effect anymore. */
-                        .mount_nosuid = context->no_new_privileges,
+                        .mount_nosuid = context->no_new_privileges && !mac_selinux_use(),
                 };
         } else if (!context->dynamic_user && root_dir)
                 /*