By default, the SELinux boolean virt_sandbox_use_all_caps is enabled.
This setting should be disabled, as containers should not run with privileges.
To disable the virt_sandbox_use_all_caps SELinux boolean, run the following command:
$ sudo setsebool -P virt_sandbox_use_all_caps off
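
One way to verify the result, as an added example that is not part of the original guidance: the -P flag writes the value to the policy store as well as changing the running value, so a check should compare both. The helper names classify_bool and sample are hypothetical, the sample lines are constructed, and the parser assumes the "name (current , persistent) description" layout printed by semanage boolean -l.

```shell
#!/bin/sh
# Added example: classify virt_sandbox_use_all_caps from `semanage boolean -l`
# output. Assumed line layout: "name  (current , persistent)  description".

BOOL=virt_sandbox_use_all_caps

# classify_bool reads `semanage boolean -l` text on stdin and prints one of:
#   compliant        running value off, persistent value off
#   runtime-only     running value off, persistent value on  (reverts at reboot)
#   persistent-only  running value on,  persistent value off (not yet in effect)
#   noncompliant     running value on,  persistent value on
#   unknown          boolean missing from the input or line not parseable
classify_bool() {
    awk -v name="$BOOL" '
        $1 == name {
            line = $0
            # Keep only the text between the parentheses and drop whitespace.
            sub(/^[^(]*\(/, "", line)
            sub(/\).*$/, "", line)
            gsub(/[ \t]/, "", line)
            split(line, st, ",")
            if      (st[1] == "off" && st[2] == "off") r = "compliant"
            else if (st[1] == "off" && st[2] == "on")  r = "runtime-only"
            else if (st[1] == "on"  && st[2] == "off") r = "persistent-only"
            else if (st[1] == "on"  && st[2] == "on")  r = "noncompliant"
            else                                       r = "unknown"
            found = 1
            print r
            exit
        }
        END { if (!found) print "unknown" }
    '
}

# sample CURRENT PERSISTENT: constructed input, not captured from a real host.
sample() {
    printf '%s\n' \
        'SELinux boolean                State  Default Description' \
        '' \
        "virt_sandbox_use_all_caps      ($1  ,  $2)  Allow virt to sandbox use all caps"
}

# On a real host, run as root:
#   semanage boolean -l | classify_bool
```

A result of runtime-only means setsebool was run without -P, so the boolean returns to on at the next reboot.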