+++ This bug was initially created as a clone of Bug #1965330 +++

Description of problem:

RHEL images now contain two files with security capabilities that are being set, as described here:
https://projects.engineering.redhat.com/browse/RHELBLD-4379

This results in failures during oc image extract because the extraction process can't set the capability on the extracted file (because the user doesn't have permission to do so):

$ oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743
error: unable to extract layer sha256:53732dad4680ae165f569331357b89605c03583057db7193a7a4fabdf312f061 from registry-proxy.engineering.redhat.com/rh-osbs/iib:76743: operation not permitted

RHEL has since reversed this change because of the impact on OCP, but will want to re-assert the change once OCP is patched to tolerate these files/capabilities.  

The fix to oc will need to be backported all the way to at least 4.6 to ensure customers have a working binary to consume.



Version-Release number of selected component (if applicable):
4.8 but expectation is that all versions are affected.

How reproducible:
always (when using an image w/ these files/capabilities set)

Actual results:
permission failure extracting the image

Expected results:
files are extracted successfully


Additional info: