diff --git a/.github/workflows/_integration_tests.yml b/.github/workflows/_integration_tests.yml
index a2121dc3a..f38d421da 100644
--- a/.github/workflows/_integration_tests.yml
+++ b/.github/workflows/_integration_tests.yml
@@ -106,7 +106,7 @@ jobs:
 direct-download-roaming-network,
 dns-failsafe, # Uses the default DNS control method
 dns-nm,
- # linux-group, # Stub, doesn't run Firezone code yet. Broken too, see
+ linux-group, # Stub, doesn't run Firezone code yet.
 relay-graceful-shutdown,
 relayed-curl-api-down,
 relayed-curl-api-restart,
diff --git a/scripts/tests/linux-group.sh b/scripts/tests/linux-group.sh
index 891c532c2..c78f029e1 100755
--- a/scripts/tests/linux-group.sh
+++ b/scripts/tests/linux-group.sh
@@ -10,6 +10,12 @@ FZ_GROUP="firezone"
 SERVICE_NAME=firezone-client
 export RUST_LOG=info
 
+function print_debug_info {
+ systemctl status "$SERVICE_NAME"
+ }
+
+ trap print_debug_info EXIT
+
 # Copy the Linux Client out of its container
 docker compose exec client cat firezone-linux-client > "$BINARY_NAME"
 chmod u+x "$BINARY_NAME"
diff --git a/scripts/tests/systemd/firezone-client.service b/scripts/tests/systemd/firezone-client.service
index 04f6a7cc8..72653cdfd 100644
--- a/scripts/tests/systemd/firezone-client.service
+++ b/scripts/tests/systemd/firezone-client.service
@@ -3,7 +3,8 @@ Description=Firezone Client
 
 [Service]
 AmbientCapabilities=CAP_NET_ADMIN
-CapabilityBoundingSet=CAP_NET_ADMIN
+# TODO: Get rid of `CAP_CHOWN` here by asking systemd to make our runtime dir on our behalf
+CapabilityBoundingSet=CAP_CHOWN CAP_NET_ADMIN
 DeviceAllow=/dev/net/tun
 LockPersonality=true
 MemoryDenyWriteExecute=true
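Review bot: The EXIT handler added in linux-group.sh runs on every exit, including a clean one after the unit has stopped, and `systemctl status` returns non-zero whenever the unit is not active or does not exist yet (the trap is armed before the binary is even copied out of the container), so the handler itself fails on the normal path; if the head of the script enables errexit (outside this hunk) that can also cut the handler short before anything later in it runs. Guard the call and keep the pager out of CI output: `systemctl status --no-pager "$SERVICE_NAME" || true`. Since the handler's only purpose is diagnostics, it should also preserve the script's own exit code by saving `$?` on its first line and returning it at the end, so a passing or failing test is reported correctly regardless of what the status call does. Minor style point: prefer the portable `print_debug_info() {` form over the `function` keyword.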
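Review bot: Adding `CAP_CHOWN` to CapabilityBoundingSet in firezone-client.service widens the unit's sandbox for a single setup step that systemd can perform itself; the TODO names the right fix, and it is a one-line directive rather than future work: `RuntimeDirectory=<runtime-dir-name>` makes systemd create /run/<runtime-dir-name> owned by the unit's User/Group before ExecStart (with `RuntimeDirectoryMode=` if the default mode is not wanted), after which `CapabilityBoundingSet=CAP_NET_ADMIN` can stay as it was. Whether CAP_CHOWN is actually usable by the process depends on the `User=`/`Group=` settings, which are outside this hunk; if the service runs as root the bounding set is the effective grant, so the hardening value of removing it is real. The `[Service]` section continues past the end of the hunk.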