diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index f504db7d05..4d7ec2781a 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -53,6 +53,10 @@
 #include <stdarg.h>
 #include <sys/utsname.h>
 
+#if WITH_CAPNG
+# include <cap-ng.h>
+#endif
+
 #define VIR_FROM_THIS VIR_FROM_QEMU
 
 VIR_LOG_INIT("qemu.qemu_capabilities");
@@ -4521,6 +4525,12 @@ virQEMUCapsInitQMPCommandRun(virQEMUCapsInitQMPCommandPtr cmd,
                                     NULL);
     virCommandAddEnvPassCommon(cmd->cmd);
     virCommandClearCaps(cmd->cmd);
+#if WITH_CAPNG
+    /* QEMU might run into permission issues, e.g. /dev/sev (0600), overriding
+     * it just for probing is okay from security POV */
+    virCommandAllowCap(cmd->cmd, CAP_DAC_OVERRIDE);
+#endif
+
     virCommandSetGID(cmd->cmd, cmd->runGid);
     virCommandSetUID(cmd->cmd, cmd->runUid);
 
diff --git a/src/util/vircommand.c b/src/util/vircommand.c
index d965068369..6d49416704 100644
--- a/src/util/vircommand.c
+++ b/src/util/vircommand.c
@@ -771,6 +771,23 @@ virExec(virCommandPtr cmd)
             goto fork_error;
     }
 
+#if WITH_CAPNG
+    if (strstr(cmd->args[0], "qemu")) {
+        VIR_WARN("INHERITABLE CAPS: '%s'",
+                 capng_print_caps_text(CAPNG_PRINT_BUFFER,
+                                       CAPNG_INHERITABLE));
+        VIR_WARN("EFFECTIVE CAPS: '%s'",
+                 capng_print_caps_text(CAPNG_PRINT_BUFFER,
+                                       CAPNG_EFFECTIVE));
+        VIR_WARN("PERMITTED CAPS: '%s'",
+                 capng_print_caps_text(CAPNG_PRINT_BUFFER,
+                                       CAPNG_PERMITTED));
+        VIR_WARN("BOUNDING CAPS: '%s'",
+                 capng_print_caps_text(CAPNG_PRINT_BUFFER,
+                                       CAPNG_BOUNDING_SET));
+    }
+#endif
+
     /* Close logging again to ensure no FDs leak to child */
     virLogReset();