diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index ede0e443..3753c2a4 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -309,6 +309,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
 parser.add_option("-l", "--level", dest="level",
 help=_("MCS/MLS level for the sandbox"))
+ parser.add_option("-C", "--capabilities",
+ action="store_true", dest="usecaps", default=False,
+ help="Allow apps requiring capabilities to run within the sandbox.")
+
 self.__parser=parser
 self.__options, cmds = parser.parse_args()
@@ -389,6 +393,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
 def __execute(self):
 try:
 cmds = [ SEUNSHARE, "-Z", self.__execcon ]
+ if self.__options.usecaps == True:
+ cmds.append('-C')
 if self.__mount:
 cmds += [ "-t", self.__tmpdir, "-h", self.__homedir ]
diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8
index c2ec78da..e3b7ea70 100644
--- a/policycoreutils/sandbox/sandbox.8
+++ b/policycoreutils/sandbox/sandbox.8
@@ -3,11 +3,11 @@ sandbox \- Run cmd under an SELinux sandbox
 .SH SYNOPSIS
 .B sandbox
-[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd
+[-C] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd
 .br
 .B sandbox
-[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
+[-C] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
 .br
 .SH DESCRIPTION
 .PP
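Review bot: The help text for the new `-C` option is the only one in this block not wrapped in `_()`, so it stays untranslated while the neighbouring `-l` help (`help=_("MCS/MLS level for the sandbox")`) is localised; make it `help=_("Allow apps requiring capabilities to run within the sandbox.")`. The wording could also say what the flag relaxes: it is forwarded to seunshare as `-C` (next hunk), and the seunshare.c hunk below switches `capng_clear` from `CAPNG_SELECT_BOTH` to `CAPNG_SELECT_CAPS`, i.e. the capability bounding set is kept rather than cleared. The enclosing method starts and ends outside the hunk.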
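Review bot: `if self.__options.usecaps == True:` compares a `store_true` option against the literal; the idiomatic and equivalent form is `if self.__options.usecaps:`. A one-line comment at this point would also help, because it is where the sandbox's privilege posture changes: `# -C: seunshare keeps the capability bounding set instead of clearing it`. `__execute` continues past the end of the hunk.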
@@ -59,6 +59,9 @@ Default to /usr/bin/matchbox-window-manager.
 \fB\-X\fR
 Create an X based Sandbox for gui apps, temporary files for $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
+.TP
+\fB\-C\fR
+Use capabilities within the sandbox. By default applications executed within the sandbox will not be allowed to use capabilities (setuid apps), with the -C flag, you can use programs requiring capabilities.
 .PP
 .SH "SEE ALSO"
 .TP
diff --git a/policycoreutils/sandbox/seunshare.8 b/policycoreutils/sandbox/seunshare.8
index d3eff967..a9b846b7 100644
--- a/policycoreutils/sandbox/seunshare.8
+++ b/policycoreutils/sandbox/seunshare.8
@@ -3,7 +3,7 @@ seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context
 .SH SYNOPSIS
 .B seunshare
-[ -v ] [ -c ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
+[ -v ] [ -c ] [ -C ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
 .br
 .SH DESCRIPTION
 .PP
@@ -21,6 +21,9 @@ Use alternate temporary directory to mount on /tmp. tmpdir must be owned by the
 \fB\-c --cgroups\fR
 Use cgroups to control this copy of seunshare. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
 .TP
+\fB\-C --capabilities\fR
+Allow apps executed within the namespace to use capabilities. Default is no capabilities.
+.TP
 \fB\-Z\ context
 Use alternate SELinux context while runing the executable.
 .TP
diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
index e6e13037..3df271a3 100644
--- a/policycoreutils/sandbox/seunshare.c
+++ b/policycoreutils/sandbox/seunshare.c
@@ -40,19 +40,21 @@
 #endif
 #define DEFAULT_PATH "/usr/bin:/bin"
-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] [ -Z CONTEXT ] -- executable [args] ")
+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [-t tmpdir] [-h homedir] [-Z context] -- executable [args]")
 static int verbose = 0;
+static capng_select_t cap_set = CAPNG_SELECT_BOTH;
+
 /**
 * This function will drop all capabilities.
 */
 static int drop_caps() {
- if (capng_have_capabilities(CAPNG_SELECT_BOTH) == CAPNG_NONE)
+ if (capng_have_capabilities(cap_set) == CAPNG_NONE)
 return 0;
- capng_clear(CAPNG_SELECT_BOTH);
- if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_BOTH) == -1) {
+ capng_clear(cap_set);
+ if (capng_lock() == -1 || capng_apply(cap_set) == -1) {
 fprintf(stderr, _("Failed to drop all capabilities\n"));
 return -1;
 }
@@ -180,6 +182,7 @@ int main(int argc, char **argv) {
 {"tmpdir", 1, 0, 't'},
 {"verbose", 1, 0, 'v'},
 {"context", 1, 0, 'Z'},
+ {"capabilities", 1, 0, 'C'},
 {NULL, 0, 0, 0}
 };
@@ -202,8 +205,7 @@ int main(int argc, char **argv) {
 }
 while (1) {
- clflag = getopt_long(argc, argv, "cvh:t:Z:", long_options,
- &flag_index);
+ clflag = getopt_long(argc, argv, "Ccvh:t:Z:", long_options, NULL);
 if (clflag == -1)
 break;
@@ -226,6 +228,9 @@ int main(int argc, char **argv) {
 case 'v':
 verbose = 1;
 break;
+ case 'C':
+ cap_set = CAPNG_SELECT_CAPS;
+ break;
 case 'Z':
 scontext = strdup(optarg);
 break;
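Review bot: The doc comment above `drop_caps` still reads "This function will drop all capabilities.", but once `cap_set` is switched to `CAPNG_SELECT_CAPS` (the `case 'C'` in the last hunk of this file) `capng_clear`/`capng_apply` no longer touch the bounding set, so the comment should describe both modes, e.g. `Drop the process capability sets; with -C (cap_set == CAPNG_SELECT_CAPS) the bounding set is kept so capability-aware programs can still gain privileges.` Note that `capng_lock()` is still called on the `-C` path; if I read capng_lock(3) correctly it sets and locks SECURE_NOROOT, in which case setuid-root programs would not regain capabilities on exec and the "setuid apps" wording in the sandbox.8 hunk would overstate what `-C` allows — worth confirming against the intended use. Separately, the rewritten `USAGE_STRING` omits `[ -c ]` even though `c` is in the getopt string and the seunshare.8 synopsis in this diff lists it. The body of `drop_caps` continues past the hunk.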
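Review bot: `{"capabilities", 1, 0, 'C'},` declares the long option with `has_arg` set to 1 (required_argument), while the short form in `"Ccvh:t:Z:"` takes no argument and the `case 'C'` handler never reads `optarg`, so `--capabilities` would consume the following word — for `seunshare --capabilities -- cmd` that is the `--` separator. It should be `{"capabilities", 0, 0, 'C'},`; the pre-existing `verbose` entry just above appears to share the same mismatch, which this line copies. `main` starts and ends outside the hunk.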
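Review bot: `getopt_long` now receives `NULL` as `longindex` in place of `&flag_index`; if `flag_index` is still declared earlier in `main` (outside this hunk) it becomes an unused variable that `-Wall` will report, so its declaration should be removed with this change. `main` starts and ends outside the hunk.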