diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 6977e7a23..42a04006b 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -245,6 +245,10 @@ term_relabelto_all_ptys(sshd_t)
 corenet_tcp_bind_xserver_port(sshd_t)
 corenet_sendrecv_xserver_server_packets(sshd_t)
 
+ifdef(`distro_debian',`
+ allow sshd_t self:process { getcap setcap };
+')
+
 tunable_policy(`ssh_sysadm_login',`
 # Relabel and access ptys created by sshd
 # ioctl is necessary for logout() processing for utmp entry and for w to
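Review bot: The added rule `allow sshd_t self:process { getcap setcap };` carries no comment saying what in Debian's sshd needs it, unlike the commented tunable block just below. `setcap` lets the network-facing daemon change its own capability sets (still bounded by whatever capability rules sshd_t has elsewhere in the file, which are outside this hunk), so someone auditing the domain later cannot tell whether both permissions were seen in denials or only `getcap`. I would put a comment above the rule along the lines of `# <Debian-specific component> calls capget/capset inside sshd; see <AVC denial or bug reference>`. If the denial showed only one of the two permissions, grant just that one.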