diff --git a/data/boot.service b/data/boot.service
index 2496143b..ef8b8a38 100644
--- a/data/boot.service
+++ b/data/boot.service
@@ -6,7 +6,7 @@ ConditionPathExists=/etc/snapper/configs/root
 Type=oneshot
 ExecStart=/usr/bin/snapper --config root create --cleanup-algorithm number --description "boot"
-CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
diff --git a/data/cleanup.service b/data/cleanup.service
index f2180d0c..b4f5f240 100644
--- a/data/cleanup.service
+++ b/data/cleanup.service
@@ -9,7 +9,7 @@ ExecStart=/usr/lib/snapper/systemd-helper --cleanup
 IOSchedulingClass=idle
 CPUSchedulingPolicy=idle
-CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
diff --git a/data/snapperd.service b/data/snapperd.service
index bb725850..206ed312 100644
--- a/data/snapperd.service
+++ b/data/snapperd.service
@@ -7,7 +7,7 @@ Type=dbus
 BusName=org.opensuse.Snapper
 ExecStart=/usr/sbin/snapperd
-CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
diff --git a/data/systemd-sandboxing.txt b/data/systemd-sandboxing.txt
index 143e5dcb..ef0893bd 100644
--- a/data/systemd-sandboxing.txt
+++ b/data/systemd-sandboxing.txt
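Review bot: None of the four unit files records why CAP_FOWNER is now in `CapabilityBoundingSet=` (data/boot.service, and the identical changed lines in data/cleanup.service, data/snapperd.service and data/timeline.service); the only rationale is the one sentence added to data/systemd-sandboxing.txt, that it is needed for home directories. CAP_FOWNER lets a process skip the file-owner check for chmod, utime and ACL changes and for deletion in sticky directories, so it should stay limited to the units that need it. boot.service runs only `snapper --config root create`, which on the face of it does not involve a home-directory config, so it is worth confirming that the capability is required there. Unit files accept `#` comments; I would put `# CAP_FOWNER: needed for snapper configs on home directories (bsc#1185596)` above each changed line. Each unit's remaining directives lie outside its hunk.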
@@ -19,3 +19,5 @@ ProtectHome=true breaks diff for LVM.
 SystemCallFilter=@mount breaks almost everything with older systemd, e.g. on SLE15 SP1.
+CapabilityBoundingSet=CAP_FOWNER is needed if for home directories.
+
diff --git a/data/timeline.service b/data/timeline.service
index 5302fcd7..44005103 100644
--- a/data/timeline.service
+++ b/data/timeline.service
@@ -7,7 +7,7 @@ Documentation=man:snapper(8) man:snapper-configs(5)
 Type=simple
 ExecStart=/usr/lib/snapper/systemd-helper --timeline
-CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
diff --git a/package/snapper.changes b/package/snapper.changes
index 6938a90b..4e322258 100644
--- a/package/snapper.changes
+++ b/package/snapper.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue May 04 08:35:28 CEST 2021 - aschnell@suse.com
+
+- fixed systemd sandboxing (bsc#1185596)
+
 -------------------------------------------------------------------
 Wed Apr 28 10:17:14 CEST 2021 - aschnell@suse.com