diff --git a/zygote.te b/zygote.te
index 3350ce34386a9299183aeb8ad9e658f524127c5d..743af36d4a75c980c9c289e6814915229a41792d 100644
--- a/zygote.te
+++ b/zygote.te
@@ -6,6 +6,8 @@ init_daemon_domain(zygote)
 typeattribute zygote mlstrustedsubject;
 # Override DAC on files and switch uid/gid.
 allow zygote self:capability { dac_override setgid setuid };
+# Drop capabilities from bounding set.
+allow zygote self:capability setpcap;
 # Switch SELinux context to app domains.
 allow zygote system:process dyntransition;
 allow zygote appdomain:process dyntransition;