diff --git a/SOURCES/rsyslog-8.2102.0-libcapng-no-cap-support.patch b/SOURCES/rsyslog-8.2102.0-libcapng-no-cap-support.patch
new file mode 100644
index 0000000..d7693ad
--- /dev/null
+++ b/SOURCES/rsyslog-8.2102.0-libcapng-no-cap-support.patch
@@ -0,0 +1,191 @@
+diff -up rsyslog-8.2102.0/runtime/glbl.c.orig rsyslog-8.2102.0/runtime/glbl.c
+--- rsyslog-8.2102.0/runtime/glbl.c.orig 2023-07-14 09:32:51.781256794 +0200
++++ rsyslog-8.2102.0/runtime/glbl.c 2023-07-14 09:34:34.061315870 +0200
+@@ -230,7 +230,8 @@ static struct cnfparamdescr cnfparamdesc
+ { "reverselookup.cache.ttl.enable", eCmdHdlrBinary, 0 },
+ { "shutdown.queue.doublesize", eCmdHdlrBinary, 0 },
+ { "debug.files", eCmdHdlrArray, 0 },
+- { "debug.whitelist", eCmdHdlrBinary, 0 }
++ { "debug.whitelist", eCmdHdlrBinary, 0 },
++ { "libcapng.default", eCmdHdlrBinary, 0 }
+ };
+ static struct cnfparamblk paramblk =
+ { CNFPARAMBLK_VERSION,
+@@ -1315,6 +1316,13 @@ glblDoneLoadCnf(void)
+ if(!strcmp(paramblk.descr[i].name, "workdirectory")) {
+ cstr = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
+ setWorkDir(NULL, cstr);
++ } else if(!strcmp(paramblk.descr[i].name, "libcapng.default")) {
++#ifdef ENABLE_LIBCAPNG
++ loadConf->globals.bAbortOnFailedLibcapngSetup = (int) cnfparamvals[i].val.d.n;
++#else
++ LogError(0, RS_RET_ERR, "rsyslog wasn't "
++ "compiled with libcap-ng support.");
++#endif
+ } else if(!strcmp(paramblk.descr[i].name, "variables.casesensitive")) {
+ const int val = (int) cnfparamvals[i].val.d.n;
+ fjson_global_do_case_sensitive_comparison(val);
+diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
+--- rsyslog-8.2102.0/runtime/rsconf.c.orig 2023-07-14 09:32:56.923259764 +0200
++++ rsyslog-8.2102.0/runtime/rsconf.c 2023-07-14 09:34:47.722323759 +0200
+@@ -146,6 +146,9 @@ int rsconfNeedDropPriv(rsconf_t *const c
+ 
+ static void cnfSetDefaults(rsconf_t *pThis)
+ {
++#ifdef ENABLE_LIBCAPNG
++ pThis->globals.bAbortOnFailedLibcapngSetup = 1;
++#endif
+ pThis->globals.bAbortOnUncleanConfig = 0;
+ pThis->globals.bReduceRepeatMsgs = 0;
+ pThis->globals.bDebugPrintTemplateList = 1;
+diff -up rsyslog-8.2102.0/runtime/rsconf.h.orig rsyslog-8.2102.0/runtime/rsconf.h
+--- rsyslog-8.2102.0/runtime/rsconf.h.orig 2023-07-14 09:33:02.575263028 +0200
++++ rsyslog-8.2102.0/runtime/rsconf.h 2023-07-14 09:35:29.265347750 +0200
+@@ -61,6 +61,9 @@ struct queuecnf_s {
+ * be re-set as often as the user likes).
+ */
+ struct globals_s {
++#ifdef ENABLE_LIBCAPNG
++ int bAbortOnFailedLibcapngSetup;
++#endif
+ int bDebugPrintTemplateList;
+ int bDebugPrintModuleList;
+ int bDebugPrintCfSysLineHandlerList;
+diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
+--- rsyslog-8.2102.0/tools/rsyslogd.c.orig 2023-07-14 09:29:13.038130459 +0200
++++ rsyslog-8.2102.0/tools/rsyslogd.c 2023-07-14 09:31:58.575226065 +0200
+@@ -1557,6 +1557,88 @@ initAll(int argc, char **argv)
+ resetErrMsgsFlag();
+ localRet = rsconf.Load(&ourConf, ConfFile);
+ 
++#ifdef ENABLE_LIBCAPNG
++ /*
++ * Drop capabilities to the necessary set
++ */
++ int capng_rc, capng_failed = 0;
++ typedef struct capabilities_s {
++ int capability; /* capability code */
++ const char *name; /* name of the capability to be displayed */
++ sbool present; /* is the capability present that is needed by rsyslog? if so we do not drop it */
++ } capabilities_t;
++
++ capabilities_t capabilities[] = {
++ #define CAP_FIELD(code) { code, #code, 0 }
++ CAP_FIELD(CAP_BLOCK_SUSPEND),
++ CAP_FIELD(CAP_CHOWN),
++ CAP_FIELD(CAP_IPC_LOCK),
++ CAP_FIELD(CAP_LEASE),
++ CAP_FIELD(CAP_NET_ADMIN),
++ CAP_FIELD(CAP_NET_BIND_SERVICE),
++ CAP_FIELD(CAP_DAC_OVERRIDE),
++ CAP_FIELD(CAP_SETGID),
++ CAP_FIELD(CAP_SETUID),
++ CAP_FIELD(CAP_SYS_ADMIN),
++ CAP_FIELD(CAP_SYS_CHROOT),
++ CAP_FIELD(CAP_SYS_RESOURCE),
++ CAP_FIELD(CAP_SYSLOG)
++ #undef CAP_FIELD
++ };
++
++ if (capng_have_capabilities(CAPNG_SELECT_CAPS) > CAPNG_NONE) {
++ /* Examine which capabilities are available to us, so we do not try to
++ drop something that is not present. We need to do this in two steps,
++ because capng_clear clears the capability set. In the second step,
++ we add back those caps, which were present before clearing the selected
++ posix capabilities set.
++ */
++ unsigned long caps_len = sizeof(capabilities) / sizeof(capabilities_t);
++ for (unsigned long i = 0; i < caps_len; i++) {
++ if (capng_have_capability(CAPNG_EFFECTIVE, capabilities[i].capability)) {
++ capabilities[i].present = 1;
++ }
++ }
++
++ capng_clear(CAPNG_SELECT_BOTH);
++
++ for (unsigned long i = 0; i < caps_len; i++) {
++ if (capabilities[i].present) {
++ DBGPRINTF("The %s capability is present, "
++ "will try to preserve it.\n", capabilities[i].name);
++ if ((capng_rc = capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
++ capabilities[i].capability)) != 0) {
++ LogError(0, RS_RET_LIBCAPNG_ERR,
++ "could not update the internal posix capabilities settings "
++ "based on the options passed to it, capng_update=%d", capng_rc);
++ capng_failed = 1;
++ }
++ } else {
++ DBGPRINTF("The %s capability is not present, "
++ "will not try to preserve it.\n", capabilities[i].name);
++ }
++ }
++
++ if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
++ LogError(0, RS_RET_LIBCAPNG_ERR,
++ "could not transfer the specified internal posix capabilities "
++ "settings to the kernel, capng_apply=%d", capng_rc);
++ capng_failed = 1;
++ }
++
++ if (capng_failed) {
++ DBGPRINTF("Capabilities were not dropped successfully.\n");
++ if (loadConf->globals.bAbortOnFailedLibcapngSetup) {
++ ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
++ }
++ } else {
++ DBGPRINTF("Capabilities were dropped successfully\n");
++ }
++ } else {
++ DBGPRINTF("No capabilities to drop\n");
++ }
++#endif
++
+ if(fp_rs_full_conf_output != NULL) {
+ if(fp_rs_full_conf_output != stdout) {
+ fclose(fp_rs_full_conf_output);
+@@ -2147,45 +2229,6 @@ main(int argc, char **argv)
+ bProcessInternalMessages = 1;
+ dbgClassInit();
+ 
+-#ifdef ENABLE_LIBCAPNG
+- /*
+- * Drop capabilities to the necessary set
+- */
+- int capng_rc;
+- capng_clear(CAPNG_SELECT_BOTH);
+-
+- if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+- CAP_BLOCK_SUSPEND,
+- CAP_CHOWN,
+- CAP_IPC_LOCK,
+- CAP_LEASE,
+- CAP_NET_ADMIN,
+- CAP_NET_BIND_SERVICE,
+- CAP_SETGID,
+- CAP_SETUID,
+- CAP_DAC_OVERRIDE,
+- CAP_NET_RAW,
+- CAP_SYS_ADMIN,
+- CAP_SYS_CHROOT,
+- CAP_SYS_RESOURCE,
+- CAP_SYSLOG,
+- -1
+- )) != 0) {
+- LogError(0, RS_RET_LIBCAPNG_ERR,
+- "could not update the internal posix capabilities settings "
+- "based on the options passed to it, capng_updatev=%d\n", capng_rc);
+- exit(-1);
+- }
+-
+- if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
+- LogError(0, RS_RET_LIBCAPNG_ERR,
+- "could not transfer the specified internal posix capabilities "
+- "settings to the kernel, capng_apply=%d\n", capng_rc);
+- exit(-1);
+- }
+- DBGPRINTF("Capabilities were dropped successfully\n");
+-#endif
+-
+ initAll(argc, argv);
+ #ifdef HAVE_LIBSYSTEMD
+ sd_notify(0, "READY=1");
diff --git a/SOURCES/rsyslog-8.2102.0-libcapng-no-cap-support2.patch b/SOURCES/rsyslog-8.2102.0-libcapng-no-cap-support2.patch
new file mode 100644
index 0000000..0adefd1
--- /dev/null
+++ b/SOURCES/rsyslog-8.2102.0-libcapng-no-cap-support2.patch
@@ -0,0 +1,11 @@
+diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
+--- rsyslog-8.2102.0/tools/rsyslogd.c.orig 2023-07-28 10:58:34.763191141 +0200
++++ rsyslog-8.2102.0/tools/rsyslogd.c 2023-07-28 10:59:14.867276818 +0200
+@@ -1571,6 +1571,7 @@ initAll(int argc, char **argv)
+ capabilities_t capabilities[] = {
+ #define CAP_FIELD(code) { code, #code, 0 }
+ CAP_FIELD(CAP_BLOCK_SUSPEND),
++ CAP_FIELD(CAP_NET_RAW),
+ CAP_FIELD(CAP_CHOWN),
+ CAP_FIELD(CAP_IPC_LOCK),
+ CAP_FIELD(CAP_LEASE),
diff --git a/SPECS/rsyslog.spec b/SPECS/rsyslog.spec
index f0da4e9..c42ba92 100644
--- a/SPECS/rsyslog.spec
+++ b/SPECS/rsyslog.spec
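Review bot: The guard `if (capng_have_capabilities(CAPNG_SELECT_CAPS) > CAPNG_NONE)` in the new initAll() block fails open: libcap-ng returns CAPNG_FAIL (-1) when it cannot read the process's own capability state, and that value takes the `else` branch, prints "No capabilities to drop" at debug level only and lets the daemon carry on with whatever it holds, even with `libcapng.default` at its secure default of 1. A query failure should be treated like a failed capng_apply(): reported through LogError and subject to bAbortOnFailedLibcapngSetup, as sketched below. Note also that the drop now runs after rsconf.Load(), so configuration parsing (and whatever else Load does, which this hunk does not show) executes with the full capability set; that is the price of honouring a config-file switch and deserves a sentence in the `Drop capabilities to the necessary set` comment. initAll() begins and ends outside this hunk.
```c
	int capng_have = capng_have_capabilities(CAPNG_SELECT_CAPS);
	if (capng_have == CAPNG_FAIL) {
		/* we cannot even read our own capability state: do not fail open */
		LogError(0, RS_RET_LIBCAPNG_ERR,
			"could not query the process capability state, "
			"capng_have_capabilities=%d", capng_have);
		if (loadConf->globals.bAbortOnFailedLibcapngSetup) {
			ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
		}
	} else if (capng_have > CAPNG_NONE) {
		/* … unchanged: record present caps, capng_clear, re-add, capng_apply … */
	} else {
		DBGPRINTF("No capabilities to drop\n");
	}
```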
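Review bot: `CAP_FIELD(CAP_NET_RAW)` is re-added here as a separate SOURCES patch because the list introduced by the first patch omitted it, although the `capng_updatev()` call that patch removes from main() still listed CAP_NET_RAW; shipping the correction as its own file leaves the first patch knowingly incomplete for anyone applying it on its own. Fold this line into rsyslog-8.2102.0-libcapng-no-cap-support.patch and, since the list carries no rationale for any entry, annotate it, e.g. `CAP_FIELD(CAP_NET_RAW), /* kept for the same reason Patch19 (capabilities-capnetraw) added it; confirm which module needs it */` — that reason cannot be established from this page. The enclosing capabilities[] initializer and initAll() extend outside this hunk.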
@@ -5,7 +5,7 @@ Summary: Enhanced system logging and kernel message trapping daemon Name: rsyslog Version: 8.2102.0 -Release: 113%{?dist} +Release: 113%{?dist}.1 License: (GPLv3+ and ASL 2.0) URL: http://www.rsyslog.com/ Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz @@ -38,6 +38,8 @@ Patch16: rsyslog-8.2102.0-rhbz2127404-libcap-ng.patch Patch17: rsyslog-8.2102.0-rhbz2157658-imklog.patch Patch18: rsyslog-8.2102.0-capabilities-drop-credential.patch Patch19: rsyslog-8.2102.0-capabilities-capnetraw.patch +Patch20: rsyslog-8.2102.0-libcapng-no-cap-support.patch +Patch21: rsyslog-8.2102.0-libcapng-no-cap-support2.patch BuildRequires: make BuildRequires: gcc @@ -293,6 +295,8 @@ mv build doc %patch17 -p1 -b .imklog-leak %patch18 -p1 -b .capabilities-drop-credential %patch19 -p1 -b .capabilities-capnetraw +%patch20 -p1 +%patch21 -p1 pushd .. %patch9 -p1 -b .openssl-compatibility @@ -558,6 +562,10 @@ done %changelog +* Fri Jul 14 2023 Attila Lakatos - 8.2102.0-113.1 +- Do not drop capabilities if we don't have any +- resolves: rhbz#2225088 + * Tue Mar 07 2023 Attila Lakatos - 8.2102.0-113 - Do not allow having selinux-policy < 38.1.3-1 resolves: rhbz#2176386
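Review bot: `%patch20 -p1` and `%patch21 -p1` are applied without the `-b .suffix` backup argument that every other `%patch` line in this hunk carries (e.g. `%patch19 -p1 -b .capabilities-capnetraw`), which breaks the file's convention and drops the backup copies the other patches leave behind for diffing a build tree; use `%patch20 -p1 -b .libcapng-no-cap-support` and `%patch21 -p1 -b .libcapng-no-cap-support2`. The changelog line "Do not drop capabilities if we don't have any" also understates the change: the patches add a new global directive `libcapng.default` and move the capability drop from before initAll() to after the configuration has been loaded, both of which are user-visible and merit a line each.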