There is a libcap-ng package fix that broke it, I believe it is
reverted for now, and we are working to figure out a proper fix to make
SELinux Sandbox and libcap-ng play well together.
I just saw that it has NOT been reverted and it was even pushed to stable!
Now that it is in stable already I guess my comment here is not useful
Should I file a bug against the selinux or the libcap-ng part?
As a workaround I downgraded and added the following line to my yum.conf:
I find it quite sad that no one seems to care about the broken sandbox
functionality at all.