diff --git a/src/core/namespace.c b/src/core/namespace.c
index 05175e9552..3eb171c702 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -100,6 +100,7 @@ static const MountEntry protect_kernel_tunables_table[] = {
 { "/sys/kernel/debug", READONLY, true },
 { "/sys/kernel/tracing", READONLY, true },
 { "/sys/fs/cgroup", READWRITE, false }, /* READONLY is set by ProtectControlGroups= option */
+ { "/sys/fs/selinux", READWRITE, true },
 };
 
 /* ProtectKernelModules= option */
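Review bot: The added `/sys/fs/selinux` entry carries no comment explaining why it is marked READWRITE in the ProtectKernelTunables= table, whereas the `/sys/fs/cgroup` line directly above documents its own exception. The reason is not visible in this hunk; presumably SELinux-aware userspace needs a writable selinuxfs. The consequence is worth recording: with this entry, writes to selinuxfs nodes from a sandboxed service are restricted only by the loaded SELinux policy and file permissions, not by the mount namespace. I would add a trailing comment along the lines of `/* left writable for SELinux-aware userspace; access to selinuxfs nodes is governed by SELinux policy, not by this option */`, and mention the exception in the option's documentation. The table starts outside the hunk, so the other entries this one interacts with are not all visible here.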