BTW it's funny that for all the "years of development" involved in SELinux policies, they haven't noticed that CAP_DAC_OVERRIDE is a superset of CAP_DAC_READ_SEARCH privilege and have been blindly creating policies and modifying code to add capability support that requires CAP_DAC_OVERRIDE (a full override of DAC) when only CAP_DAC_READ_SEARCH is needed.
It reminds me of the Schopenhauer quote: "All truth passes through three stages. First, it is ridiculed. Second, it is violently opposed. Third, it is accepted as being self-evident."
And again (as the pattern seems to be) upstream is only a decade behind ;)
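As an added illustration (not code from the post's author, and not kernel source): the superset claim above can be checked against the shape of the DAC checks in the kernel's generic_permission() in fs/namei.c. The block below is a deliberately reduced model of just the two capability branches of that function, with its own mask encoding and helper names (cap_grants, count_read_search_only, count_override_only are this example's names, not kernel API); mode bits that would already grant access are ignored so only the capability's effect is visible. It enumerates every access mask for files and directories and counts the cases where one capability grants what the other does not.

```c
/* Added example: a reduced model of the CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH
 * branches of the Linux kernel's generic_permission() (fs/namei.c).
 * The names and encoding here are the example's own, not kernel API.
 * Mode bits that would grant access on their own are deliberately ignored
 * so that only the effect of the capability is measured. */
#include <stdio.h>
#include <stdbool.h>

#define MAY_EXEC  0x1
#define MAY_WRITE 0x2
#define MAY_READ  0x4

enum { CAP_NONE = 0, CAP_READ_SEARCH = 1, CAP_OVERRIDE = 2 };

/* Does the capability alone satisfy this access mask?
 * is_dir selects the directory branch; any_exec_bit models the
 * "at least one exec bit set" condition for regular files. */
static bool cap_grants(int mask, bool is_dir, bool any_exec_bit, int cap)
{
    mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
    if (is_dir) {
        /* Directories: READ_SEARCH covers anything that is not a write
         * (read and search), OVERRIDE covers everything. */
        if (!(mask & MAY_WRITE) && cap == CAP_READ_SEARCH)
            return true;
        return cap == CAP_OVERRIDE;
    }
    /* Regular files: OVERRIDE covers read/write unconditionally and exec
     * only when some exec bit is set; READ_SEARCH covers plain read only. */
    if (cap == CAP_OVERRIDE)
        return !(mask & MAY_EXEC) || any_exec_bit;
    if (cap == CAP_READ_SEARCH)
        return mask == MAY_READ;
    return false;
}

/* Combinations where READ_SEARCH grants but OVERRIDE does not.
 * Zero means OVERRIDE is a superset within this model. */
static int count_read_search_only(void)
{
    int gaps = 0;
    for (int mask = 1; mask < 8; mask++)
        for (int is_dir = 0; is_dir < 2; is_dir++)
            for (int xbit = 0; xbit < 2; xbit++)
                if (cap_grants(mask, is_dir, xbit, CAP_READ_SEARCH) &&
                    !cap_grants(mask, is_dir, xbit, CAP_OVERRIDE))
                    gaps++;
    return gaps;
}

/* Combinations where OVERRIDE grants but READ_SEARCH does not: the extra
 * power handed out by requesting CAP_DAC_OVERRIDE for a read-only need. */
static int count_override_only(void)
{
    int extra = 0;
    for (int mask = 1; mask < 8; mask++)
        for (int is_dir = 0; is_dir < 2; is_dir++)
            for (int xbit = 0; xbit < 2; xbit++)
                if (cap_grants(mask, is_dir, xbit, CAP_OVERRIDE) &&
                    !cap_grants(mask, is_dir, xbit, CAP_READ_SEARCH))
                    extra++;
    return extra;
}

int main(void)
{
    static const char *names[] = { "-", "x", "w", "wx", "r", "rx", "rw", "rwx" };
    printf("mask  dir xbit  READ_SEARCH OVERRIDE\n");
    for (int mask = 1; mask < 8; mask++)
        for (int is_dir = 0; is_dir < 2; is_dir++)
            for (int xbit = 0; xbit < 2; xbit++)
                printf("%-5s %d   %d     %d           %d\n", names[mask], is_dir, xbit,
                       cap_grants(mask, is_dir, xbit, CAP_READ_SEARCH),
                       cap_grants(mask, is_dir, xbit, CAP_OVERRIDE));
    printf("READ_SEARCH-only cases: %d\n", count_read_search_only());
    printf("OVERRIDE-only cases:    %d\n", count_override_only());
    return 0;
}
```

Within this model the READ_SEARCH-only count is 0 and the OVERRIDE-only count is 16 (every write case, plus exec on files that carry an exec bit), which is the extra surface a policy grants when it asks for CAP_DAC_OVERRIDE where only read and search were needed. One caveat for anyone writing policy off this: the path-walk checks are not the only consumer of these capabilities; capabilities(7) lists open_by_handle_at(2) as requiring CAP_DAC_READ_SEARCH by name, so a process holding only CAP_DAC_OVERRIDE is not a drop-in replacement for that call.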