The fix would have been simpler and I made the simpler change.

- run the set and verify permissions stuff all the time
- include verify not mode caps always
- do not define %caps to contain anything, as it will be set by the permissions code.

We also approved less than there is in the .specfile.

/usr/bin/cdrecord root:root 755
 +capabilities cap_sys_resource,cap_sys_nice,cap_ipc_lock,cap_sys_rawio=ep
# no special privileges are needed for cd reading.
/usr/bin/readcd root:root 755
/usr/bin/cdda2wav root:root 755