diff --git a/infra/image/shcontainer b/infra/image/shcontainer
index c92cbf192465068dec5b318a4673563c73e344f0..018fac8c207e58d203206b47fd0aa4bcd10b1d12 100644
--- a/infra/image/shcontainer
+++ b/infra/image/shcontainer
@@ -4,13 +4,18 @@
 SCRIPTDIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
 TOPDIR="$(readlink -f "${SCRIPTDIR}/../..")"
 
+. "${SCRIPTDIR}/shdefaults"
+
+# shellcheck disable=SC1091
 . "${TOPDIR}/utils/shfun"
 
 container_create() {
     local name=${1}
     local image=${2}
     shift 2
-    declare -a extra_opts=()
+    declare -a extra_opts
+    readarray -t extra_opts < \
+        <(sed -e "s/-/--cap-drop=/g" -e "s/+/--cap-add=/g" <<< "${CAP_DEFAULTS[@]}")
     for opt in "$@"
     do
         [ -z "${opt}" ] && continue
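Review bot: The here-string on the `readarray` line joins every CAP_DEFAULTS entry into one space-separated line, so as soon as a second entry is added the array holds a single element such as `--cap-add=A --cap-drop=B` and that whole string reaches the container runtime as one argument (with the current single entry the bug is latent). The `g` flag also rewrites every `-` or `+` in an entry instead of only the leading sign, an entry with no sign passes through as a bare word, and an empty CAP_DEFAULTS still produces one empty element that the `[ -z ]` filter below does not see because it only covers `"$@"`. Building the array directly with a `case` on the first character keeps one flag per element and rejects malformed defaults. container_create continues past the end of the hunk, so the later use of extra_opts is not visible here.
```shell
    shift 2
    declare -a extra_opts=()
    # One array element per +CAP/-CAP entry; never join entries into a single argument.
    local cap
    for cap in "${CAP_DEFAULTS[@]}"
    do
        case "${cap}" in
            +?*) extra_opts+=("--cap-add=${cap:1}") ;;
            -?*) extra_opts+=("--cap-drop=${cap:1}") ;;
            *)   echo "container_create: bad CAP_DEFAULTS entry '${cap}'" >&2; return 1 ;;
        esac
    done
    # … unchanged: loop over "$@" appending non-empty opts …
```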
diff --git a/infra/image/shdefaults b/infra/image/shdefaults
new file mode 100644
index 0000000000000000000000000000000000000000..86c50ab490e922b3a0412309c70c2d13561cb095
--- /dev/null
+++ b/infra/image/shdefaults
@@ -0,0 +1,8 @@
+#!/bin/bash -eu
+# This file is meant to be source'd by other scripts
+
+# Set default capabilities options for freeipa containers.
+# Use +CAP to add the capability and -CAP to drop the capability.
+CAP_DEFAULTS=(
+    "+DAC_READ_SEARCH"  # Required for SSSD
+)
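Review bot: The comment on `+DAC_READ_SEARCH` should state what the capability grants and which SSSD access path needs it, because CAP_DAC_READ_SEARCH lets any process in the container bypass file-read and directory-search permission checks on everything in its mount namespace, and `--cap-add` adds it on top of the runtime's default capability set rather than replacing that set. A comment along the lines of `# CAP_DAC_READ_SEARCH bypasses file read/dir search DAC checks; SSSD needs it to read <which files> — keep this list minimal` (filling in the actual files from the SSSD setup, which this diff does not show) would let a reviewer judge the blast radius of every future entry. The `-eu` in the shebang of a file that is only ever sourced has no effect, since a sourced file inherits the options of the calling shell; either drop it or note in the header that the options come from the sourcing script.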