Fedora

Permissions to run systemd service for selinux?

I'm trying to make consul.service run like this :

[Unit]
Description=Consul service discovery agent
Requires=network-online.target
After=network.target

[Service]
User=consul
Group=consul
PIDFile=/run/consul.pid
Restart=on-failure
Environment=GOMAXPROCS=2
ExecStart=/usr/local/bin/consul agent $OPTIONS -config-dir=/etc/consul.d
ExecReload=/bin/kill -s HUP $MAINPID
KillSignal=SIGINT
TimeoutStopSec=5

[Install]
WantedBy=multi-user.target

It seems to be a simple service, but it does not start on fedora 28.
Journal -u consul logs :

Oct 17 10:20:06 consul1 systemd[16572]: consul.service: Failed to execute command: Permission denied
Oct 17 10:20:06 consul1 systemd[16572]: consul.service: Failed at step EXEC spawning /usr/local/bin/consul: Permission denied
Oct 17 10:20:06 consul1 systemd[1]: consul.service: Main process exited, code=exited, status=203/EXEC
Oct 17 10:20:06 consul1 systemd[1]: consul.service: Failed with result 'exit-code'.
Oct 17 10:20:07 consul1 systemd[1]: consul.service: Service hold-off time over, scheduling restart.
Oct 17 10:20:07 consul1 systemd[1]: consul.service: Scheduled restart job, restart counter is at 4.

Logs cat /var/log/audit/audit.log :

type=AVC msg=audit(1539778184.232:1302): avc:  denied  { execute } for  pid=16884 comm="(consul)" name="consul" dev="vda1" ino=1019 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:unconfined_exec_t:s0 tclass=file permissive=0

UPD1 policy consul from turnip

[[email protected] ~]# ls -Z /usr/bin/consul 
system_u:object_r:bin_t:s0 /usr/bin/consul

downloaded consul policy

[[email protected] ~]# ls -Z /tmp/consul
unconfined_u:object_r:user_tmp_t:s0 /tmp/consul

Is it possible to somehow give rights to run a separate service? Of course, we will not disable selinux.
Crutch - put consul from turnip and replace the binary with a new one works with this service config.