diff --git a/systemd/gssproxy.service.in b/systemd/gssproxy.service.in
index 8ed66fc07..9b8c45a2e 100644
--- a/systemd/gssproxy.service.in
+++ b/systemd/gssproxy.service.in
@@ -54,10 +54,7 @@ PrivateMounts=yes
 SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
-# NoNewPrivileges=yes
-# NoNewPrivileges: If it is true, it breaks the ability
-# to open a socket under /var/lib/gssproxy when selinux enabled.
-# So it is commented out here.
+NoNewPrivileges=yes
 CapabilityBoundingSet=CAP_DAC_OVERRIDE
 IPAddressDeny=any
 UMask=0177
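Review bot: The added `NoNewPrivileges=yes` replaces a comment that recorded a concrete SELinux breakage (opening the socket under /var/lib/gssproxy), and nothing in the hunk says why that breakage no longer applies. With no_new_privs set, an SELinux domain transition at exec is allowed only when the policy grants it (the `nnp_transition` permission) or the target domain is bounded, so on a host with an older policy the service may presumably still fail the way the removed comment describes. I would keep a one-line comment above the directive, e.g. `# Needs an SELinux policy that permits the gssproxy domain transition under no_new_privs; older policies break the /var/lib/gssproxy socket.` Before merging, it is worth confirming on an enforcing host that the socket is created with the expected label and that no AVC denials are logged at service start.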