diff --git a/runas.te b/runas.te
index 97f31f72834b819344f4cdbff0bf2c7555718511..e51515d9893c208a723d03bae0afb1006c7680ed 100644
--- a/runas.te
+++ b/runas.te
@@ -25,3 +25,11 @@ security_access_policy(runas)
 selinux_check_context(runas) # validate context
 allow runas self:process setcurrent;
 allow runas non_system_app_set:process dyntransition; # setcon
+
+###
+### neverallow rules
+###
+
+# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow runas self:capability ~{ setuid setgid };
+neverallow runas self:capability2 *;
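Review bot: The comment on the new neverallow only names the two permitted capabilities and does not say why they are the exception or that the rule is a compile-time assertion rather than a grant, so a later reader may try to "fix" a missing capability here instead of where the positive `allow` lives (not in this hunk). I would expand the comment to `# neverallow: policy build fails if any allow grants runas a capability other than setuid/setgid (presumably needed to drop to the target app's uid/gid before the dyntransition above) or anything in capability2`. The rule is scoped to `self`, so it constrains runas only until the dyntransition into non_system_app_set; the target app domains keep their own capability rules, which is worth stating in the comment so the coverage is not overestimated. If this policy also declares the user-namespace capability classes (`cap_userns`/`cap2_userns`), a matching neverallow there would close the same gap; if they are not declared, referencing them would not compile, so confirm before adding.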