diff --git a/rsyslog-8.2102.0-capabilities-drop-credential.patch b/rsyslog-8.2102.0-capabilities-drop-credential.patch
new file mode 100644
index 0000000..2faf05c
--- /dev/null
+++ b/rsyslog-8.2102.0-capabilities-drop-credential.patch
@@ -0,0 +1,67 @@
+diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
+--- rsyslog-8.2102.0/runtime/rsconf.c.orig	2023-02-17 11:52:17.460043970 +0100
++++ rsyslog-8.2102.0/runtime/rsconf.c	2023-02-17 12:00:49.881602881 +0100
+@@ -33,9 +33,6 @@
+ #include <sys/resource.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+-#ifdef ENABLE_LIBCAPNG
+-	#include <cap-ng.h>
+-#endif
+ 
+ #include "rsyslog.h"
+ #include "obj.h"
+@@ -549,7 +546,7 @@ rsRetVal doDropPrivGid(void)
+ 	uchar szBuf[1024];
+ 	DEFiRet;
+ 
+-#ifndef ENABLE_LIBCAPNG
++
+ 	if(!ourConf->globals.gidDropPrivKeepSupplemental) {
+ 		res = setgroups(0, NULL); /* remove all supplemental group IDs */
+ 		if(res) {
+@@ -567,15 +564,6 @@ rsRetVal doDropPrivGid(void)
+ 				"could not set requested group id: %s via setgid()", szBuf);
+ 		ABORT_FINALIZE(RS_RET_ERR_DROP_PRIV);
+ 	}
+-#else
+-	int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
+-	res = capng_change_id(-1, ourConf->globals.gidDropPriv, capng_flags);
+-	if (res) {
+-		LogError(0, RS_RET_LIBCAPNG_ERR,
+-				"could not set requested group id %d via capng_change_id()", ourConf->globals.gidDropPriv);
+-		ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
+-	}
+-#endif
+ 
+ 	DBGPRINTF("setgid(%d): %d\n", ourConf->globals.gidDropPriv, res);
+ 	snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's groupid changed to %d",
+@@ -613,13 +601,8 @@ static void doDropPrivUid(int iUid)
+ 				iUid, szBuf);
+ 	}
+ 
+-#ifndef ENABLE_LIBCAPNG
++
+ 	res = setuid(iUid);
+-	// res = setuid(cnf->globals.uidDropPriv);
+-#else
+-	int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
+-	res = capng_change_id(iUid, -1, capng_flags);
+-#endif
+ 
+ 	if(res) {
+ 		/* if we can not set the userid, this is fatal, so let's unconditionally abort */
+diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
+--- rsyslog-8.2102.0/tools/rsyslogd.c.orig	2023-02-17 11:52:00.011011019 +0100
++++ rsyslog-8.2102.0/tools/rsyslogd.c	2023-02-17 11:58:37.322491823 +0100
+@@ -2161,9 +2161,9 @@ main(int argc, char **argv)
+ 		CAP_LEASE,
+ 		CAP_NET_ADMIN,
+ 		CAP_NET_BIND_SERVICE,
+-		CAP_PERFMON,
+ 		CAP_SETGID,
+ 		CAP_SETUID,
++		CAP_DAC_OVERRIDE,
+ 		CAP_SYS_ADMIN,
+ 		CAP_SYS_CHROOT,
+ 		CAP_SYS_RESOURCE,
diff --git a/rsyslog.spec b/rsyslog.spec
index 6cad4e7..22d6245 100644
--- a/rsyslog.spec
+++ b/rsyslog.spec
@@ -5,7 +5,7 @@
 Summary: Enhanced system logging and kernel message trapping daemon
 Name: rsyslog
 Version: 8.2102.0
-Release: 109%{?dist}
+Release: 110%{?dist}
 License: (GPLv3+ and ASL 2.0)
 URL: http://www.rsyslog.com/
 Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz
@@ -36,6 +36,7 @@ Patch14: rsyslog-8.2102.0-rhbz2124849-extra-ca-files.patch
 Patch15: rsyslog-8.2102.0-rhbz2124849-extra-ca-files-doc.patch
 Patch16: rsyslog-8.2102.0-rhbz2127404-libcap-ng.patch
 Patch17: rsyslog-8.2102.0-rhbz2157658-imklog.patch
+Patch18: rsyslog-8.2102.0-capabilities-drop-credential.patch
 
 BuildRequires: make
 BuildRequires: gcc
@@ -287,6 +288,7 @@ mv build doc
 %patch15 -p1 -b .extra-ca-files-doc
 %patch16 -p1 -b .libcap-ng
 %patch17 -p1 -b .imklog-leak
+%patch18 -p1 -b .capabilities-drop-credential
 
 pushd ..
 %patch9 -p1 -b .openssl-compatibility
@@ -552,6 +554,13 @@ done
 
 
 %changelog
+* Fri Feb 17 2023 Attila Lakatos <alakatos@redhat.com> -8.2102.0-110
+- Do not preserve capabilities when changing credentials
+  resolves: rhbz#2169748
+- Remove unnecessary capability CAP_PERFMON
+- Add CAP_DAC_OVERRIDE to bypass file read and write permission checks
+  resolves: rhbz#2158659
+
 * Mon Jan 09 2023 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-109
 - Make rsyslog-relp require librelp>= 1.9.0
   resolves: rhbz#2124440