On a Xubuntu 12.04 64-bit host, I'm trying to run a Win7 Pro 64-bit guest using bridged networking. It works if I sudo my shell script, but not if I try to take advantage of capabilities to avoid the need for sudo.
$ getcap /usr/bin/qemu-system-x86_64
/usr/bin/qemu-system-x86_64 = cap_net_admin+ei
$ grep cap_net_admin /etc/security/capability.conf
cap_net_admin me
$ cat /etc/networks/interfaces # irrelevant stuff snipped
auto eth0
iface eth0 inet manual
auto tun0
iface tun0 inet manual
auto br0
iface br0 inet dhcp
bridge_ports eth0 tun0
bridge_stp off
bridge_maxwait 0
bridge_fd 0
$ cat ~/bin/run-win7
#!/bin/sh
exec /usr/bin/qemu-system-x86_64 -machine pc -cpu qemu64 \
-smp cores=1,threads=2 -m 2G \
-hda /extra2/me/win7c.disk \
-cdrom /dev/cdrom \
-soundhw hda \
-name polywin7 \
-display sdl -no-frame -vga vmware \
-net nic,macaddr=a4:17:31:ab:bd:df -net tap \
-rtc base=localtime \
-enable-kvm
$ ~/bin/run-win7
SIOCSIFADDR: Permission denied
SIOCSIFFLAGS: Permission denied
SIOCSIFFLAGS: Permission denied
can't add tap0 to bridge br0: Operation not permitted
/etc/qemu-ifup: could not launch network script
qemu-system-x86_64: -net tap: Device 'tap' could not be initialized
$
On the other hand, if I do
$ sudo ~/bin/run-win7
... and supply my password, everything works fine. I'd rather not use root if I can avoid it. What am I missing?
(Or are capabilities not yet ready for prime time?)
Thank you.
--coastwatcher
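Added example (not part of the original post): the execve() capability rules from capabilities(7), without ambient capabilities, applied to the two exec steps in the setup above. It assumes pam_cap put cap_net_admin in the login shell's inheritable set and that the programs run by /etc/qemu-ifup carry no file capabilities; the function names are illustrative.

```shell
#!/bin/sh
# Added example: execve() capability rules from capabilities(7), ambient set
# left out (an assumption that fits kernels without ambient capabilities).
CAP_NET_ADMIN=$((1 << 12))      # capability number 12

# exec_caps P_INH F_INH F_PRM F_EFF BOUND
# Prints "<new permitted> <new effective>" as decimal bitmasks.
exec_caps() {
    p_inh=$1; f_inh=$2; f_prm=$3; f_eff=$4; bound=$5
    new_prm=$(( (p_inh & f_inh) | (f_prm & bound) ))
    if [ "$f_eff" -eq 1 ]; then new_eff=$new_prm; else new_eff=0; fi
    echo "$new_prm $new_eff"
}

# has_net_admin MASK: succeeds when CAP_NET_ADMIN is set in MASK.
has_net_admin() { [ $(( $1 & $CAP_NET_ADMIN )) -ne 0 ]; }

# cap_field NAME [FILE]: decimal value of a Cap* line (CapInh, CapPrm, CapEff)
# from FILE, defaulting to this shell's own /proc status.
cap_field() {
    hex=$(awk -v k="$1:" '$1 == k { print $2 }' "${2:-/proc/$$/status}")
    echo $(( 0x${hex:-0} ))
}

# Step 1: shell with inheritable cap_net_admin execs qemu, file caps "+ei".
qemu_caps() {
    exec_caps "$CAP_NET_ADMIN" "$CAP_NET_ADMIN" 0 1 "$CAP_NET_ADMIN"
}

# Step 2: qemu execs the /etc/qemu-ifup helper and its commands; these are
# assumed to have no file capabilities (F_INH = F_PRM = 0).
helper_caps() {
    exec_caps "$CAP_NET_ADMIN" 0 0 0 "$CAP_NET_ADMIN"
}

for step in qemu_caps helper_caps; do
    set -- $($step)
    if has_net_admin "$2"; then state=present; else state=absent; fi
    echo "$step: effective cap_net_admin $state"
done
```

Under those assumptions qemu itself holds cap_net_admin while the commands started from /etc/qemu-ifup do not, which is consistent with the permission errors appearing at the network-script stage. `cap_field CapInh` shows what the current shell actually has in its inheritable set.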