diff --git a/src/libpriv/rpmostree-core.c b/src/libpriv/rpmostree-core.c
index 7138d50a..64719cf2 100644
--- a/src/libpriv/rpmostree-core.c
+++ b/src/libpriv/rpmostree-core.c
@@ -2944,12 +2944,14 @@ apply_rpmfi_overrides (RpmOstreeContext *self,
 const char *user = rpmfiFUser (fi) ?: "root";
 const char *group = rpmfiFGroup (fi) ?: "root";
 const char *fcaps = rpmfiFCaps (fi) ?: '\0';
+ const gboolean have_fcaps = fcaps[0] != '\0';
 rpm_mode_t mode = rpmfiFMode (fi);
 rpmfileAttrs fattrs = rpmfiFFlags (fi);
 const gboolean is_ghost = fattrs & RPMFILE_GHOST;
 if (g_str_equal (user, "root") &&
- g_str_equal (group, "root"))
+ g_str_equal (group, "root") &&
+ !have_fcaps)
 continue;
 /* In theory, RPMs could contain block devices or FIFOs; we would normally
@@ -3057,7 +3059,7 @@ apply_rpmfi_overrides (RpmOstreeContext *self,
 return glnx_throw_errno_prefix (error, "fchownat(%s)", fn);
 /* the chown clears away file caps, so reapply it here */
- if (fcaps[0] != '\0')
+ if (have_fcaps)
 {
 g_autoptr(GVariant) xattrs = rpmostree_fcap_to_xattr_variant (fcaps);
 if (!glnx_dfd_name_set_all_xattrs (tmprootfs_dfd, fn, xattrs,
diff --git a/tests/compose-tests/libbasic-test.sh b/tests/compose-tests/libbasic-test.sh
index 9881bcac..e3364326 100644
--- a/tests/compose-tests/libbasic-test.sh
+++ b/tests/compose-tests/libbasic-test.sh
@@ -42,6 +42,10 @@ ostree --repo=${repobuild} ls ${treeref} /usr/bin/su > su.txt
 assert_file_has_content su.txt '^-04[71][0-7][0-7]'
 echo "ok setuid"
+ostree --repo=${repobuild} ls -X ${treeref} /usr/bin/ping > ping.txt
+assert_file_has_content_literal ping.txt "b'security.capability', [byte"
+echo "ok fcaps"
+
 # https://github.com/projectatomic/rpm-ostree/issues/669
 ostree --repo=${repobuild} ls ${treeref} /tmp > ls.txt
 assert_file_has_content ls.txt 'l00777 0 0 0 /tmp -> sysroot/tmp'
diff --git a/tests/composedata/fedora-base.json b/tests/composedata/fedora-base.json
index 96345ca0..4d73993c 100644
--- a/tests/composedata/fedora-base.json
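Review bot: The new `have_fcaps` initialiser reads `fcaps[0]` unconditionally, but the fallback on the context line above it, `rpmfiFCaps (fi) ?: '\0'`, is a character constant of value 0 and so yields a null pointer, not an empty string. Before this change `fcaps[0]` was only read in the second hunk, after the root:root `continue`; now it is read for every file, so a NULL return from rpmfiFCaps would crash the loop here. Whether librpm can return NULL at this point is not visible in the hunk, so I would make the fallback explicit with `const char *fcaps = rpmfiFCaps (fi) ?: "";`. A one-line comment on the condition, e.g. `/* root:root files still need processing when they carry file capabilities */`, would record why the skip was narrowed. apply_rpmfi_overrides starts and ends outside both hunks.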
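Review bot: The added fcaps check asserts only that some `security.capability` xattr is present on /usr/bin/ping, and it appears to rely on the iputils package in the repo under test shipping ping with file capabilities, which the script does not state. A short comment above the three added lines, such as `# ping is expected to be root:root with file caps; the xattr must survive the compose`, would explain why this binary was picked and where to look if the packaging changes. The neighbouring /tmp check carries a link to its issue, and a link to the report behind this fix would fit the same way.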
+++ b/tests/composedata/fedora-base.json @@ -4,7 +4,7 @@ "repos": ["fedora"], "packages": ["kernel", "nss-altfiles", "systemd", "ostree", "selinux-policy-targeted", "chrony", - "tuned"], + "tuned", "iputils"], "packages-aarch64": ["grub2-efi", "ostree-grub2", "efibootmgr", "shim"],